CN113630420A - SDN-based DDoS attack detection method - Google Patents


Info

Publication number
CN113630420A
Authority
CN
China
Prior art keywords
flow
sdn
queue
controller
conditional entropy
Prior art date
Legal status
Withdrawn
Application number
CN202110940617.1A
Other languages
Chinese (zh)
Inventor
谢汶锦
张智斌
张三妞
徐一轩
匡波安
Current Assignee
Kunming University of Science and Technology
Original Assignee
Kunming University of Science and Technology


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers


Abstract

The invention relates to a DDoS attack detection method based on an SDN (software-defined network) and belongs to the field of software-defined networks. The invention uses queue-argument conditional entropy as a coarse-grained detection module for flows arriving in the SDN environment and machine learning as a fine-grained detection module, so that malicious flows are accurately detected among legitimate packets, the controller is protected from attack, and the likelihood that a server in the network is attacked is reduced. The coarse-grained detection module consists of two parallel detection modules, a multidimensional conditional entropy detection module and a controller entry queue length detection module; fine-grained detection is triggered when the result of either module exceeds its threshold. The fine-grained detection module collects flow table entries and counter information from the switch via the OpenFlow protocol for statistical processing, and a trained Random Forest (RF) classification model placed in the controller makes the final judgement on the flow, so that attack flows are detected effectively and the controller is protected from damage.

Description

SDN-based DDoS attack detection method
Technical Field
The invention relates to a DDoS attack detection method based on an SDN (software defined network), belonging to the field of software defined networks.
Background
Software-Defined Networking (SDN) is a new network architecture with logically centralized control. SDN decouples the control plane from the data plane of a network, abstracts data-plane network resources, supports direct programmatic control of the network through a uniform interface, and manages the flow direction of the whole network by controlling and issuing flow tables. In an SDN environment everything is managed by the controller: according to the OpenFlow protocol, when a new packet arrives at a switch and the forwarding table in the switch has no matching routing rule, the switch encapsulates the packet in a Packet_In data frame and sends it to the controller to request a new routing rule. After receiving the message, the controller produces a corresponding response strategy and sends an instruction to the corresponding switch through a Packet_Out message, and the switch processes the packet according to the received rule.
While SDN has many advantages over other network architectures, its potential security problems remain alarming. Distributed denial of service (DDoS) attacks are an increasingly serious problem on the Internet. An attacker targets certain servers (victims) and communicates with them using a large number of false requests, which increases the servers' computing load, occupies memory resources and makes access unavailable to legitimate users, while at the same time aggravating the burden on the controller in an SDN, finally achieving the purpose of damaging the target servers and the SDN control center. With the rapid development of the Internet, the number of accessible terminals and the number of botnets controllable by attackers have grown greatly, and DDoS attacks are more common and aggressive than ever before. When a DDoS attack occurs, the controller receives a large number of Packet_In messages and spends a large amount of resources processing them, the bandwidth between the switch and the controller may be occupied by the increased flow, network performance drops greatly, and legitimate requests go unanswered. At present, most DDoS detection methods are based on the traditional network architecture and cannot be applied well to SDN, and research on DDoS attack detection in the SDN environment is still at an early stage, so research on DDoS attack detection models in SDN has broad prospects.
In recent years a number of schemes for detecting DDoS attacks in SDN have been proposed. They aim at protecting servers and rarely involve protection of the controller; most are based on statistical analysis or machine learning, their detection accuracy is often unsatisfactory, and the detection mechanisms do not fully exploit the characteristics of the SDN architecture.
Disclosure of Invention
In view of the shortcomings of the prior art, the invention provides a DDoS attack detection method combining coarse-grained and fine-grained detection under the OpenFlow policy in an SDN environment. The method adopts multidimensional conditional entropy and an M/M/1 queueing model as the preliminary detection module for flows arriving in the SDN, realizing preliminary early warning of flows and protection of the controller; after the coarse-grained detection module raises a warning, the fine-grained detection module immediately collects flow table entries and counter information from the key switch for statistical processing, extracts a multidimensional flow feature group and runs a trained Random Forest (RF) classification model for identification. Under this detection framework, tests of five classification models, K-nearest neighbour (K-NN), Naive Bayes (NB), Random Forest (RF), Decision Tree (DT) and Support Vector Machine (SVM), showed that the random forest model has the best accuracy and the lowest computation time, so the consumption of controller processing resources can be reduced to the greatest extent.
The technical scheme adopted by the invention is as follows: a DDoS attack detection method based on SDN includes the following steps:
(1) calculating a multidimensional conditional entropy threshold according to a public DDoS data set;
(2) calculating a controller entry queue length threshold using an M/M/1 queue theory;
(3) monitoring the SDN state in real time through an SDN controller, and calculating the conditional entropy of each dimension in the arriving flow in real time;
(4) monitoring the queue length of the controller entry Packet_In data frames in real time through the SDN controller;
(5) judging whether a DDoS attack exists in the current network according to the conditional entropy value and the queue length value obtained by real-time calculation; if so, entering step (6), otherwise normally issuing routing rules to the corresponding switch;
(6) sending the Packet_In data frame to a fine-grained detection module, wherein the module collects flow table entries and counter information from the switch that sent the Packet_In data frame based on the OpenFlow protocol for statistical processing, extracts a feature vector, judges whether the flow is an attack flow using a trained random forest classification model, and stores the flow features in an attack flow feature database once the flow is judged to be an attack flow;
(7) when DDoS attacks have been detected a certain number of times, calculating the multidimensional conditional entropy of the attack flow feature database, and correcting and adjusting the corresponding conditional entropy thresholds according to the calculation result.
Specifically, the step (1) includes the steps of:
1.1, selecting conditional entropy characteristic values H (Sip | Dip), H (Sip | Dport) and H (Dport | Dip) according to common characteristics of a large number of public DDoS data sets, wherein the H (Sip | Dip) represents the conditional entropy of a source address relative to a destination address, the randomness between the addresses of the two parties can be distinguished, the H (Sip | Dport) represents the conditional entropy of the source address relative to a destination port, the randomness between the source address and a destination server port can be distinguished, the H (Dport | Dip) represents the conditional entropy between the destination port and the destination address, and the randomness between the destination port and the destination address can be described;
1.2, according to the selected features, calculating the conditional entropy of each feature with window size $W$, constructing a frequency histogram for each, and, according to the statistical result, using the value at which the false rejection rate FRR equals the false acceptance rate FAR as the threshold $T_i$ of the feature, where the conditional entropy is calculated as:
Figure BDA0003214693270000031
where $A$ and $B$ are random variables, $H(A|B)$ denotes the uncertainty of $A$ given $B$, $P(a,b)$ denotes the joint probability of $A = a$, $B = b$, and $P(b)$ denotes the probability of $B = b$;
1.3, further obtaining the weight $w_i$ of each feature from the threshold of each feature, with the expression:
Figure BDA0003214693270000032
where $A_i$ is the acceptance rate of each feature, $A_i = 1 - E_i$, and $E_i$ is the recognition error rate of the feature after selecting the threshold $T_i$.
Specifically, the step (2) includes the steps of:
2.1 calculating controller critical service strength according to M/M/1 queue theory
Figure BDA0003214693270000033
where $\lambda_i$ and $\mu_c$ represent the packet arrival rate and the controller service rate, respectively;
2.2, letting $L_t$ represent the queue length threshold, whose expression is:
$L_t = L_q + k\sigma_q$
where $L_q$ is the number of data frames queued in the queue, $k$ is the amplification factor, and $\sigma_q$ is the standard deviation of the queue length;
2.3, calculating $L_q$ and $\sigma_q$ according to the M/M/1 queueing formulas; their expressions are, respectively:
Figure BDA0003214693270000034
$p_n = \rho^n(1-\rho) = \rho^n p_0$
Figure BDA0003214693270000035
where $n$ is the number of packets in the queue, $p_n$ is the probability of the system state with queue length $n$, and $p_0$ is the probability that the queue is empty;
2.4, combining steps 2.1, 2.2 and 2.3 with the probability $P$ that the queue length exceeds the set threshold to calculate the queue length threshold $L_t$; the final expressions of $L_t$ and $P$ are:
Figure BDA0003214693270000041
Figure BDA0003214693270000042
where $s$ represents the event that the queue length $L_q$ is greater than the threshold $L_t$; the queue threshold is amplified by the amplification factor $k$ so that the probability $P$ of exceeding the threshold becomes a small-probability event, and the threshold $L_t$ under this condition is finally determined.
Specifically, the step (3) includes the steps of:
3.1, extracting the Packet_In data frames sent to the controller and calculating on them the multidimensional conditional entropies of step 1.1;
3.2, using the weight $w_i$ of each feature calculated in step 1.3 and a logistic regression method, calculating the final multidimensional conditional entropy score $R$ of the data frame.
Specifically, the step (4) includes the steps of:
4.1, acquiring the length of an entrance queue of the controller in real time;
4.2, comparing the length of the ingress queue with the threshold set in step (2).
Specifically, the step (5) includes the steps of:
5.1, if the conditional entropy detection module result $R$ exceeds the set threshold, or the queue length detection module result exceeds the threshold $L_t$, the warning flag Flag is set to 1; if Flag equals 0, a routing rule is issued to the corresponding switch through a Packet_Out data frame of the OpenFlow protocol.
Specifically, the step (6) includes the following steps:
6.1, extracting multidimensional flow table entry vectors in the attack flow to train a random forest model, and placing the trained model into an SDN environment;
6.2, checking the Flag warning mark; if Flag equals 1, extracting the corresponding switch identification number from the Packet_In data frame, extracting from that switch, according to the identification number, the multidimensional flow table entry features of step 6.1, evaluating the flow with the trained classification model, identifying whether it is an attack flow, and storing the flow features in the attack flow database if it is determined to be an attack flow; if Flag equals 0, normally issuing the routing table.
Specifically, the step (7) includes the following steps:
7.1, counting as Count the number of times the Flag bit has been set;
7.2, after the Count exceeds a certain number of times, using the characteristics of the attack flow database to perform self-adaptive adjustment on the threshold in the step (1).
The invention has the beneficial effects that:
(1) The attack flow detection method detects attacks in two stages, coarse-grained detection and fine-grained detection, which together monitor attack flows comprehensively. The coarse-grained detection module consists of a conditional entropy detection module and a queue length detection module working in parallel in real time; when an attack occurs, a warning flag is set to trigger fine-grained detection, the fine-grained detection module finally identifies the flow with a trained high-precision machine learning classification model, the identified attack flow features are fed back to the coarse-grained detection module, and the module thresholds are updated with an adaptive algorithm, eliminating the drawback of a static threshold.
(2) The invention statistically calculates the conditional entropy threshold values of H (Sip | Dip), H (Sip | Dport) and H (Dport | Dip) in each public DDoS attack data set, objectively obtains the detection threshold value according to the data, and can effectively perform early warning on DDoS attacks.
(3) The method calculates the service strength of the SDN controller by using an M/M/1 queue theory, controls the length of the entry queue of the controller by using a reasonable threshold value, detects the attack and simultaneously protects the controller from the attack, so that the normal data packet can obtain better service quality, the normal state of the network is maintained, and the processing of the normal data packet is ensured.
(4) The Random Forest (RF) classification model used by the invention was chosen, after testing five mainstream classification models (K-nearest neighbour (K-NN), Naive Bayes (NB), Random Forest (RF), Decision Tree (DT) and Support Vector Machine (SVM)) under the framework of the invention, as the model with the highest accuracy, the fastest detection speed and the least consumption of controller resources, and it provides reliable and effective detection after coarse-grained detection and early warning.
Drawings
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a schematic view of the detection structure of the present invention;
FIG. 3 is a diagram illustrating a queue length detection module according to the present invention;
FIG. 4 is a schematic structural diagram of an attack in the background art.
Detailed Description
The invention is further described with reference to the following figures and specific embodiments.
Example 1: as shown in fig. 1, a DDoS attack detection method based on SDN includes the following steps:
(1) calculating a multidimensional conditional entropy threshold according to a public DDoS data set;
(2) calculating a controller entry queue length threshold using an M/M/1 queue theory;
(3) monitoring the SDN state in real time through an SDN controller, and calculating the conditional entropy of each dimension in the arriving flow in real time;
(4) monitoring the queue length of the controller entry Packet_In data frames in real time through the SDN controller;
(5) judging whether a DDoS attack exists in the current network according to the conditional entropy value and the queue length value obtained by real-time calculation; if so, entering step (6), otherwise normally issuing routing rules to the corresponding switch;
(6) sending the Packet_In data frame to a fine-grained detection module, wherein the module collects flow table entries and counter information from the switch that sent the Packet_In data frame based on the OpenFlow protocol for statistical processing, extracts a feature vector, judges whether the flow is an attack flow using a trained random forest classification model, stores the flow features in an attack flow feature database once the flow is judged to be an attack flow, and normally issues the routing table if Flag is 0;
(7) when DDoS attacks have been detected a certain number of times, calculating the multidimensional conditional entropy of the attack flow feature database, correcting the weight of each feature in step (3) according to the calculation result, and adjusting the threshold of each feature with an adaptive algorithm;
further, the step (1) in this example includes the steps of:
1.1, selecting conditional entropy characteristic values H (Sip | Dip), H (Sip | Dport) and H (Dport | Dip) according to common characteristics of a large number of public DDoS data sets, wherein the H (Sip | Dip) represents the conditional entropy of a source address relative to a destination address, the randomness between the addresses of the two parties can be distinguished, the H (Sip | Dport) represents the conditional entropy of the source address relative to a destination port, the randomness between the source address and a destination server port can be distinguished, the H (Dport | Dip) represents the conditional entropy between the destination port and the destination address, and the randomness between the destination port and the destination address can be described;
1.2, according to the selected features, calculating the conditional entropy of each feature with window size $W = 200$, applying linear normalization to the results so that the data are scaled proportionally into the range $[0,1]$, counting the results and constructing a frequency histogram; from the histogram distribution, the occurrence frequency and distribution of each feature for DDoS attack flows and normal flows are analysed, where the smaller the overlapping area of attack flows and normal flows, the smaller the probability of false detection. According to the statistical result, the value at which the false rejection rate (FRR) equals the false acceptance rate (FAR) is used as the threshold $T_i$ of the feature, where the conditional entropy is calculated as:
Figure BDA0003214693270000071
where $A$ and $B$ are random variables, $H(A|B)$ denotes the uncertainty of $A$ given $B$, $P(a,b)$ denotes the joint probability of $A = a$, $B = b$, and $P(b)$ denotes the probability of $B = b$;
1.3, according to the threshold $T_i$ of each feature calculated in step 1.2 of this example and the recognition error rate $E_i$, obtaining the acceptance rate $A_i$ of each feature ($A_i = 1 - E_i$); after obtaining $A_i$, calculating the weight of each feature with the expression for $w_i$, and after obtaining the weights, combining the three features with the logistic regression method of step 3.2 so that each feature performs at its best:
Figure BDA0003214693270000072
further, the step (2) in this example includes the steps of:
2.1, as shown in FIG. 3, $\lambda_i$ and $\mu_c$ represent the packet arrival rate and the controller service rate, respectively. When a new packet arrives, the switch sends the packet that has no routing record to the controller in a Packet_In data frame; the Packet_In frames arriving at the controller queue at the controller entrance, packet arrivals in the SDN follow a Poisson distribution, and the critical service intensity of the controller is calculated with M/M/1 queueing theory:
Figure BDA0003214693270000073
2.2, letting $L_t$ represent the queue length threshold, whose expression is:
$L_t = L_q + k\sigma_q$
where $L_q$ is the number of data frames queued in the queue, $k$ is the amplification factor, and $\sigma_q$ is the standard deviation of the queue length;
2.3, calculating $L_q$ and $\sigma_q$ according to the M/M/1 queueing formulas; their expressions are, respectively:
Figure BDA0003214693270000074
$p_n = \rho^n(1-\rho) = \rho^n p_0$
Figure BDA0003214693270000081
where $n$ is the number of packets in the queue, $p_n$ is the probability of the system state with queue length $n$, and $p_0$ is the probability that the queue is empty;
2.4, combining steps 2.1, 2.2 and 2.3 with the probability $P$ that the queue length exceeds the set threshold (set to 1% in this example) to calculate the queue length threshold $L_t$, i.e. the probability that the queue length exceeds the threshold $L_t$ is 1%; exceeding the threshold $L_t$ is required to be a small-probability event, and the threshold $L_t$ under this condition is calculated, where the final expression of $L_t$ and the expression of $P$ are:
Figure BDA0003214693270000082
Figure BDA0003214693270000083
where $s$ represents the event that the queue length $L_q$ is greater than the threshold $L_t$; the queue threshold is amplified with the amplification factor $k$ so that the probability of exceeding the threshold falls to 1%, and the threshold $L_t$ under this condition is finally determined.
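As an added example (not the patent's own code), the following Python computes the controller ingress-queue threshold $L_t = L_q + k\sigma_q$ of steps 2.1 to 2.4 and the alarm check of step 4.2, raising $k$ until exceeding $L_t$ is a small-probability event. Because the page shows the $L_q$, $\sigma_q$ and $P$ formulas only as figures, the block assumes the standard M/M/1 results for the number $N$ of Packet_In frames in the system: $\rho = \lambda_i/\mu_c$, $p_n = (1-\rho)\rho^n$, mean $\rho/(1-\rho)$, variance $\rho/(1-\rho)^2$ and $P(N > s) = \rho^{s+1}$; the arrival and service rates are constructed values.

```python
"""Controller ingress-queue threshold from M/M/1 queueing (steps 2.1 to 2.4).

Added example, not the patent's code. Assumed standard M/M/1 results for the
number N of Packet_In frames in the system: rho = lambda_i / mu_c,
p_n = (1 - rho) * rho**n, E[N] = rho / (1 - rho), Var[N] = rho / (1 - rho)**2,
P(N > s) = rho**(s + 1). The patent's own figures are not reproduced here.
"""
import math


def service_intensity(arrival_rate, service_rate):
    """Step 2.1: rho = lambda_i / mu_c. The queue is only stable for rho < 1."""
    rho = arrival_rate / service_rate
    if rho >= 1.0:
        raise ValueError("rho >= 1: the controller cannot keep up, queue grows without bound")
    return rho


def mm1_queue_stats(rho):
    """Step 2.3: mean queue length L_q and its standard deviation sigma_q."""
    l_q = rho / (1.0 - rho)
    sigma_q = math.sqrt(rho) / (1.0 - rho)
    return l_q, sigma_q


def state_probability(rho, n):
    """p_n = rho**n * (1 - rho) = rho**n * p_0: probability of exactly n frames."""
    return rho ** n * (1.0 - rho)


def exceed_probability(rho, threshold):
    """P(N > L_t): the sum of p_n over n > floor(L_t), which telescopes to rho**(s+1)."""
    s = math.floor(threshold)
    return rho ** (s + 1)


def queue_threshold(arrival_rate, service_rate, p_max=0.01, k_step=0.5):
    """Step 2.4: L_t = L_q + k * sigma_q, with the amplification factor k raised
    until exceeding L_t is a small-probability event (P <= p_max, 1% in the
    patent's example). Returns (k, L_t, P)."""
    rho = service_intensity(arrival_rate, service_rate)
    l_q, sigma_q = mm1_queue_stats(rho)
    k = 0.0
    while True:
        l_t = l_q + k * sigma_q
        p = exceed_probability(rho, l_t)
        if p <= p_max:
            return k, l_t, p
        k += k_step


def queue_alarm(current_length, l_t):
    """Step 4.2: the queue-length module fires when the live length L_i exceeds L_t."""
    return current_length > l_t


if __name__ == "__main__":
    # Constructed rates: 500 Packet_In/s arriving at a controller that serves 1000/s.
    k, l_t, p = queue_threshold(500.0, 1000.0)
    print(f"k={k}, L_t={l_t:.2f}, P(N > L_t)={p:.4f}")
    print("alarm at L_i=12:", queue_alarm(12, l_t))
```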
Further, step (3) in this example includes the following steps:
3.1, extracting the Packet_In data frames sent to the controller and calculating on them the multidimensional conditional entropies H(Sip | Dip), H(Sip | Dport) and H(Dport | Dip); if a conditional entropy in the data exceeds the threshold set in step 1.2, the score $s_i = 1$ is assigned to that conditional entropy;
3.2, using the weight $w_i$ of each feature calculated in step 1.3 and a logistic regression method, calculating the final multidimensional conditional entropy score $R$ of the data frame, whose expression is as follows:
Figure BDA0003214693270000084
if any two features exceed their thresholds $T_i$, i.e. the result function $R > 0.6$, a DDoS attack is considered to have occurred;
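As an added example (not code from the patent), the following Python implements the coarse-grained conditional-entropy path of steps 1.1 to 1.3 and 3.1 to 3.2 end to end: the three features over a window of packets, the equal-error-rate threshold $T_i$, and the weighted score $R$ under the rule that any two firing features exceed 0.6. It assumes a window is a list of (src_ip, dst_ip, dst_port) tuples taken from the Packet_In stream, uses raw entropies in bits rather than the $[0,1]$ normalization, supplies equal weights $w_i$ because the page shows the $w_i$ formula only as a figure, and calibrates on constructed traffic rather than a public data set.

```python
"""Coarse-grained conditional-entropy detector (steps 1.1-1.3 and 3.1-3.2).

Added example, not the patent's own code. Assumptions not in the patent text:
a window is a list of (src_ip, dst_ip, dst_port) tuples from the Packet_In
stream; T_i is the equal-error point found by scanning midpoints between
observed scores; entropies are used in bits, without the [0,1] normalisation;
the weights w_i are supplied by the caller (equal here) because the page shows
the w_i formula only as a figure; traffic is constructed, not a public data set.
"""
import random
from collections import Counter
from math import log2


def conditional_entropy(pairs):
    """H(A|B) = -sum_(a,b) P(a,b) * log2(P(a,b) / P(b)) over observed (a, b) pairs."""
    n = len(pairs)
    if n == 0:
        return 0.0
    joint = Counter(pairs)
    marg_b = Counter(b for _, b in pairs)
    return -sum(c / n * log2((c / n) / (marg_b[b] / n)) for (_, b), c in joint.items())


def window_features(window):
    """Step 1.1 features for one window of (sip, dip, dport) packets:
    H(Sip|Dip), H(Sip|Dport), H(Dport|Dip)."""
    return (
        conditional_entropy([(s, d) for s, d, _ in window]),
        conditional_entropy([(s, p) for s, _, p in window]),
        conditional_entropy([(p, d) for _, d, p in window]),
    )


def eer_threshold(normal_scores, attack_scores):
    """Step 1.2: the threshold at which FRR (normal windows flagged) equals FAR
    (attack windows passed). Candidates are midpoints between consecutive
    distinct scores so a strict 'exceeds' test is well defined at the boundary."""
    points = sorted(set(normal_scores) | set(attack_scores))
    if len(points) < 2:
        return points[0]
    best_t, best_gap = points[0], float("inf")
    for lo, hi in zip(points, points[1:]):
        t = (lo + hi) / 2
        frr = sum(s > t for s in normal_scores) / len(normal_scores)
        far = sum(s <= t for s in attack_scores) / len(attack_scores)
        if abs(frr - far) < best_gap:
            best_t, best_gap = t, abs(frr - far)
    return best_t


def score_window(features, thresholds, weights):
    """Step 3: s_i = 1 when feature i exceeds T_i; R = sum_i w_i * s_i."""
    return sum(w for f, t, w in zip(features, thresholds, weights) if f > t)


def make_windows(kind, count, w=200, seed=1):
    """Constructed traffic, not captured data. 'normal': 30 clients in 10.0.0.0/24
    talk to three servers on ports 80/443. 'attack': spoofed random sources flood
    one server (10.0.1.1) over four ports, which raises all three entropies."""
    rng = random.Random(seed)
    windows = []
    for _ in range(count):
        win = []
        for _ in range(w):
            if kind == "normal":
                win.append((f"10.0.0.{rng.randint(1, 30)}",
                            f"10.0.1.{rng.randint(1, 3)}",
                            rng.choice([80, 443])))
            else:
                spoofed = ".".join(str(rng.randint(1, 254)) for _ in range(4))
                win.append((spoofed, "10.0.1.1", rng.choice([80, 443, 8080, 8443])))
        windows.append(win)
    return windows


def run_detector(seed=7):
    """Calibrate T_i on constructed normal/attack windows (step 1), then score one
    fresh normal and one fresh attack window (step 3). With equal weights any two
    firing features give R = 2/3 > 0.6, the patent's decision rule."""
    normal = [window_features(w) for w in make_windows("normal", 20, seed=seed)]
    attack = [window_features(w) for w in make_windows("attack", 20, seed=seed + 1)]
    thresholds = [eer_threshold([f[i] for f in normal], [f[i] for f in attack])
                  for i in range(3)]
    weights = [1 / 3, 1 / 3, 1 / 3]  # assumed equal weights
    r_normal = score_window(window_features(make_windows("normal", 1, seed=99)[0]),
                            thresholds, weights)
    r_attack = score_window(window_features(make_windows("attack", 1, seed=98)[0]),
                            thresholds, weights)
    return {"thresholds": thresholds, "R_normal": r_normal, "R_attack": r_attack,
            "attack_detected": r_attack > 0.6}


if __name__ == "__main__":
    print(run_detector())
```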
further, step (4) in this example includes the following steps:
4.1, as shown in FIG. 3, a queue synchronized with the controller entry queue $L_i$ is used; after a DDoS attack starts, the packet arrival rate $\lambda_i$ and the flow table miss probability $p_{nf}$ rise rapidly, the Packet_In sending rate $p_{nf}\lambda_i$ increases greatly, and the entry queue length $L_i$ grows rapidly;
4.2, calculating the length $L_i$ in real time; if $L_i$ exceeds the threshold $L_t$ set in step 2.2 of this example, a DDoS attack is considered to have occurred;
further, step (5) in this example includes the following steps:
5.1, if $R$ exceeds the threshold set in step 3.2, or the detection result $L_i$ of step 4.2 exceeds the threshold $L_t$, the warning flag Flag is set to 1; if Flag equals 0, a routing rule is issued to the corresponding switch through a Packet_Out data frame of the OpenFlow protocol;
further, the step (6) in this example includes the following steps:
6.1, extracting multidimensional flow table entry vectors in the attack flow of the public DDoS data set, training a random forest model, and putting the trained model into an SDN environment.
In this example, the extracted flow entry vector includes:
Figure BDA0003214693270000091
where $n$ is the total number of collected flow entries, $i$ indexes each flow entry, matches and lookup are respectively the number of successful matches and the number of flow table lookups in the switch, and $idle\_t_i$ is the average idle time between two flows for each flow entry.
6.2, checking the Flag warning mark; if Flag equals 1, extracting the corresponding switch identification number from the Packet_In data frame, extracting from that switch, according to the identification number, the multidimensional flow table entry features of step 6.1, evaluating the flow with the classification model placed in the SDN controller, identifying whether it is an attack flow, and, if it is determined to be an attack flow, storing each feature of the flow in the attack flow database;
further, the step (7) shown in this example includes the steps of:
7.1, checking the number of times Count that Flag has been set; once Count ≥ 50, calculating the conditional entropies H(Sip | Dip), H(Sip | Dport) and H(Dport | Dip) of the attack traffic in the attack traffic database and resetting Count to 0;
7.2, comparing the result calculated in step 7.1 with the threshold set in step 1.2; if the new threshold lies closer to the normal-flow values in the frequency histogram of step 1.2 than the set threshold does, updating to the new threshold and updating the corresponding feature weight $w_i$, so as to realize adaptive adjustment;
In this example, in order to approach the real use scenario of an SDN in a data centre, a DDoS attack is simulated on the fat-tree network topology shown in FIG. 4: h1-h30 are legitimate users that normally access the service provider h1, and h31 and h32 act as attackers launching the DDoS attack against h1.
The invention can be deployed in an SDN environment supporting the OpenFlow protocol, where it detects DDoS flows and whether the controller is under attack. For a single-point controller, once its resources are exhausted by a DDoS attack, normal network services cannot be processed, the whole network is paralysed and the impact is enormous; therefore, with the development and popularization of SDN, detection of this attack is worth considering.
Through this design, the invention solves the problem of how to accurately detect suspicious Packet_In data frame messages while complying with the OpenFlow policy, finds network anomalies in time and issues early warnings, and further protects network communication so that normal packets obtain better quality of service. The invention has the advantages of high detection speed, high precision, a reasonable structure, easy adjustment to different network topologies, and strong value for popularization and application.
While the present invention has been described in detail and with reference to specific examples thereof as illustrated in the accompanying drawings, it will be apparent to one skilled in the art that the invention is not limited to the examples, but is capable of numerous changes within the scope and spirit of the invention as defined by the appended claims.

Claims (8)

1. A DDoS attack detection method based on SDN is characterized in that: the method comprises the following steps:
(1) calculating a multidimensional conditional entropy threshold according to a public DDoS data set;
(2) calculating a controller entry queue length threshold using an M/M/1 queue theory;
(3) monitoring the SDN state in real time through an SDN controller, and calculating the conditional entropy of each dimension in the arriving flow in real time;
(4) monitoring the queue length of the controller entry Packet_In data frames in real time through the SDN controller;
(5) judging whether a DDoS attack exists in the current network according to the conditional entropy value and the queue length value obtained by real-time calculation; if so, entering step (6), otherwise normally issuing routing rules to the corresponding switch;
(6) sending the Packet_In data frame to a fine-grained detection module, wherein the module collects flow table entries and counter information from the switch that sent the Packet_In data frame based on the OpenFlow protocol for statistical processing, extracts a feature vector, judges whether the flow is an attack flow using a trained random forest classification model, and stores the flow features in an attack flow feature database once the flow is judged to be an attack flow;
(7) when DDoS attacks have been detected a certain number of times, calculating the multidimensional conditional entropy of the attack flow feature database, and correcting and adjusting the corresponding conditional entropy thresholds according to the calculation result.
2. The SDN-based DDoS attack detection method of claim 1, wherein: the step (1) comprises the following steps:
1.1, selecting the conditional entropy feature values H(Sip|Dip), H(Sip|Dport) and H(Dport|Dip) according to features common to a large number of public DDoS data sets, where H(Sip|Dip) is the conditional entropy of the source address given the destination address and captures the randomness between the two parties' addresses, H(Sip|Dport) is the conditional entropy of the source address given the destination port and captures the randomness between the source address and the destination server port, and H(Dport|Dip) is the conditional entropy of the destination port given the destination address and describes the randomness between the destination port and the destination address;
1.2, calculating, for each selected feature value, its conditional entropy over windows of size W, constructing a frequency histogram for each, and taking from the statistics the value at which the false rejection rate FRR equals the false acceptance rate FAR as the threshold T_i of that feature, where the conditional entropy is calculated as follows:
Figure FDA0003214693260000011
where A, B are random variables, H(A|B) denotes the uncertainty of A given B, P(a,b) denotes the joint probability that A = a and B = b, and P(b) denotes the probability that B = b;
1.3, further obtaining the weight w_i of each feature value from the threshold of each feature value; the expression is as follows:
Figure FDA0003214693260000021
where A_i is the acceptance rate of each feature value, A_i = 1 - E_i, and E_i is the recognition error rate of the feature after its threshold T_i has been selected.
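As an added illustration of steps 1.1 and 1.2 (example code, not the patent's own): the conditional entropy estimator applied to a window of W = 8 constructed flow records for the three dimensions named above, plus a threshold picked where FRR and FAR coincide. The window contents, the log base and the FRR/FAR conventions are assumptions.

```python
import math
from collections import Counter

# Constructed sample windows (W = 8) of (src_ip, dst_ip, dst_port) records derived from
# Packet_In frames; not from the patent.  The flood window mimics many spoofed sources
# converging on one service, the normal window a few clients talking to two servers.
NORMAL_WINDOW = [
    ("10.0.1.10", "10.0.0.1", 80), ("10.0.1.10", "10.0.0.1", 80),
    ("10.0.1.11", "10.0.0.1", 443), ("10.0.1.11", "10.0.0.2", 22),
    ("10.0.1.12", "10.0.0.2", 22), ("10.0.1.12", "10.0.0.2", 22),
    ("10.0.1.10", "10.0.0.1", 443), ("10.0.1.11", "10.0.0.1", 80),
]
FLOOD_WINDOW = [(f"198.51.100.{i}", "10.0.0.1", 80) for i in range(1, 9)]

def conditional_entropy(pairs):
    """H(A|B) = -sum_{a,b} P(a,b) * log2(P(a,b) / P(b)), estimated from (a, b) pairs."""
    n = len(pairs)
    joint = Counter(pairs)
    marginal_b = Counter(b for _, b in pairs)
    h = 0.0
    for (_, b), count in joint.items():
        p_ab = count / n
        p_b = marginal_b[b] / n
        h -= p_ab * math.log2(p_ab / p_b)
    return h

def window_features(window):
    """The three dimensions of step 1.1: H(Sip|Dip), H(Sip|Dport), H(Dport|Dip)."""
    return {
        "H(Sip|Dip)": conditional_entropy([(s, d) for s, d, _ in window]),
        "H(Sip|Dport)": conditional_entropy([(s, p) for s, _, p in window]),
        "H(Dport|Dip)": conditional_entropy([(p, d) for _, d, p in window]),
    }

def eer_threshold(normal_scores, attack_scores):
    """Step 1.2: pick T where FRR (normal windows scored above T) and FAR (attack
    windows scored at or below T) are closest; exact FRR == FAR is rare on finite data."""
    best_t, best_gap = None, float("inf")
    for t in sorted(set(normal_scores) | set(attack_scores)):
        frr = sum(s > t for s in normal_scores) / len(normal_scores)
        far = sum(s <= t for s in attack_scores) / len(attack_scores)
        if abs(frr - far) < best_gap:
            best_t, best_gap = t, abs(frr - far)
    return best_t

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW)):
        print(name, {k: round(v, 3) for k, v in window_features(window).items()})
```

Spoofed-source floods drive H(Sip|Dip) and H(Sip|Dport) to their maximum log2(W) while H(Dport|Dip) collapses to 0, which is the separation the per-feature thresholds T_i exploit.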
3. The SDN-based DDoS attack detection method of claim 1, wherein: the step (2) comprises the following steps:
2.1, calculating the controller's critical service intensity according to M/M/1 queueing theory:
Figure FDA0003214693260000022
where λ_i and μ_c respectively denote the packet arrival rate and the controller service rate;
2.2, letting L_t denote the queue length threshold, whose expression is:
L_t = L_q + kσ_q
where L_q denotes the number of data frames waiting in the queue, k is the amplification factor, and σ_q is the standard deviation of the queue length;
2.3, calculating L_q and σ_q according to the M/M/1 queueing formulas; the expressions are respectively:
Figure FDA0003214693260000023
p_n = ρ^n (1 - ρ) = ρ^n p_0
Figure FDA0003214693260000024
where n is the number of packets in the queue, p_n denotes the probability that the system is in the state with queue length n, and p_0 denotes the probability that the queue is empty;
2.4, combining steps 2.1, 2.2 and 2.3 with the probability P that the queue length exceeds the set threshold to calculate the queue length threshold L_t; the final expressions for L_t and P are:
Figure FDA0003214693260000025
Figure FDA0003214693260000026
where s denotes the queue length L_q being greater than the threshold L_t; the queue threshold is amplified by the amplification coefficient k so that the probability P of exceeding the threshold becomes a small-probability event, and the threshold L_t is finally determined under this condition.
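As an added illustration of steps 2.1 to 2.4 (example code, not the patent's own): it takes the state distribution p_n = ρ^n(1-ρ) from step 2.3, applies the standard M/M/1 closed forms for its mean and standard deviation, and grows the amplification factor k until the tail probability P(N > L_t) is small. The patent's own expressions for L_q, σ_q and P are in figures not reproduced on this page, so the closed forms, the 1% target and the constructed rates are assumptions.

```python
import math

def service_intensity(arrival_rate, service_rate):
    """rho = lambda / mu, the controller's service intensity; stable only for rho < 1."""
    if arrival_rate <= 0 or service_rate <= 0:
        raise ValueError("rates must be positive")
    return arrival_rate / service_rate

def queue_moments(rho):
    """Mean L_q and standard deviation sigma_q of the queue length N under the claim's
    state distribution p_n = rho^n (1 - rho): mean rho/(1-rho), variance rho/(1-rho)^2
    (standard closed forms, assumed here rather than taken from the patent's figures)."""
    if not 0 < rho < 1:
        raise ValueError("M/M/1 queue is unstable for rho >= 1")
    return rho / (1 - rho), math.sqrt(rho) / (1 - rho)

def exceed_probability(rho, threshold):
    """P(N > threshold) = sum_{n > threshold} rho^n (1 - rho) = rho^(floor(threshold) + 1)."""
    return rho ** (math.floor(threshold) + 1)

def queue_length_threshold(arrival_rate, service_rate, p_max=0.01, k_step=0.5, k_max=50.0):
    """Step 2.4: raise the amplification factor k in k_step increments until
    L_t = L_q + k * sigma_q makes exceeding the threshold a small-probability event
    (P <= p_max).  Returns (L_t, k, P)."""
    rho = service_intensity(arrival_rate, service_rate)
    l_q, sigma_q = queue_moments(rho)
    k = 0.0
    while k <= k_max:
        l_t = l_q + k * sigma_q
        p = exceed_probability(rho, l_t)
        if p <= p_max:
            return l_t, k, p
        k += k_step
    raise ValueError("no k <= k_max reaches p_max; raise k_max or p_max")

if __name__ == "__main__":
    # Constructed rates: 500 Packet_In/s arriving at a controller that serves 1000/s.
    l_t, k, p = queue_length_threshold(500, 1000)
    print(f"rho=0.5  L_t={l_t:.2f}  k={k}  P(N > L_t)={p:.4f}")
```

A sustained ingress queue longer than L_t is then the queue-side alarm of step 5.1; because ρ must stay below 1, a controller whose arrival rate approaches its service rate has no finite threshold, which is itself a capacity signal.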
4. The SDN-based DDoS attack detection method of claim 3, wherein: the step (3) comprises the following steps:
3.1, extracting the fields from the Packet_In data frames sent to the controller and calculating the multidimensional conditional entropy of step 1.1;
3.2, using the weight w_i of each feature value calculated in step 1.3 with a logistic regression method, calculating the final multidimensional conditional entropy score R of the data frame.
5. The SDN-based DDoS attack detection method of claim 4, wherein: the step (4) comprises the following steps:
4.1, acquiring the length of an entrance queue of the controller in real time;
4.2, comparing the ingress queue length with the threshold set in step (2).
6. The SDN-based DDoS attack detection method of claim 1, wherein: the step (5) comprises the following steps:
5.1, if the result R of the conditional entropy detection module exceeds the set threshold, or the result of the queue length detection module exceeds the threshold L_t, a DDoS attack is considered to have occurred in the network: the warning flag Flag is set to 1 and the number of times Count that Flag has been set to 1 is recorded; if Flag is 0, the routing rule is issued to the corresponding switch through a Packet_Out data frame of the OpenFlow protocol.
7. The SDN-based DDoS attack detection method of claim 1, wherein: the step (6) comprises the following steps:
6.1, extracting multidimensional flow table entry feature vectors from attack flows to train a random forest model, and deploying the trained model in the SDN environment;
6.2, checking the warning flag Flag: if Flag equals 1, extracting the corresponding switch identifier from the Packet_In data frame, extracting from that switch the multidimensional flow table entry features of step 6.1 according to the identifier, evaluating the flow with the trained classification model to identify whether it is an attack flow, and storing the flow's features in the attack flow database if it is determined to be an attack flow; if Flag equals 0, issuing the routing table normally.
8. The SDN-based DDoS attack detection method of claim 1, wherein: the step (7) comprises the following steps:
7.1, checking the number of times Count that the Flag bit has been set;
7.2, after Count exceeds a certain number of times, adaptively adjusting the threshold of step (1) using the features in the attack flow database.
CN202110940617.1A 2021-08-17 2021-08-17 SDN-based DDoS attack detection method Withdrawn CN113630420A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110940617.1A CN113630420A (en) 2021-08-17 2021-08-17 SDN-based DDoS attack detection method


Publications (1)

Publication Number Publication Date
CN113630420A true CN113630420A (en) 2021-11-09

Family

ID=78385907

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110940617.1A Withdrawn CN113630420A (en) 2021-08-17 2021-08-17 SDN-based DDoS attack detection method

Country Status (1)

Country Link
CN (1) CN113630420A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422235A (en) * 2022-01-18 2022-04-29 福州大学 P4-based industrial internet hidden attack defense method
CN115065519A (en) * 2022-06-09 2022-09-16 河北大学 Distributed edge-end cooperative DDoS attack real-time monitoring method
CN115065519B (en) * 2022-06-09 2023-08-15 河北大学 Distributed side-end cooperative DDoS attack real-time monitoring method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20211109