CN113691503A - DDoS attack detection method based on machine learning - Google Patents
- Publication number: CN113691503A (application CN202110888851.4A)
- Authority: CN (China)
- Prior art keywords: value, ssip, switch, flow, svm
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2411—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/245—Classification techniques relating to the decision surface
- G06F18/2451—Classification techniques relating to the decision surface linear, e.g. hyperplane
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The invention discloses a DDoS attack detection method based on machine learning. A data set containing the features SSIP, SDFP, SDFB, SFE and RFIP is obtained and an SVM algorithm is trained on it to obtain an SVM classification model, and an SDN network topology is built. The OpenFlow switches under the SDN architecture are then monitored in real time by the CAS-SVM model, which combines an SSIP threshold check with the SVM classifier; if a switch is judged to be under attack, its flow table is deleted and an initial flow table is reinstalled, so that normal communication in the SDN is maintained and the network paralysis caused by a DDoS attack is avoided. Because the threshold check resolves most attack windows without running the SVM, the time needed to detect a DDoS attack is reduced. The CAS-SVM model also monitors in real time whether a DDoS attack exists in the SDN, and if so deletes the flow table of the attacked switch, keeping the SDN in normal communication and reducing the switch paralysis and network congestion caused by the attack.
Description
Technical Field
The invention belongs to the technical field of computer network security, and particularly relates to a DDoS attack detection method based on machine learning.
Background
With the continued development of the Internet, the future network architecture SDN has come into view. By decoupling the control plane from the data plane it overcomes the limitations of the traditional network architecture and greatly improves the manageability, scalability, controllability and dynamism of the network. However, with the spread of Software Defined Networking (SDN), the security of SDN networks has become one of the problems that urgently need to be solved in the field. Distributed Denial of Service (DDoS) attacks, one of the most serious security threats facing today's Internet, are especially dangerous in SDN networks because of their strong destructive power, simple implementation and the lack of easy and practical countermeasures. Accurately and quickly detecting DDoS attacks is therefore a key point in the security field. On this basis, after summarizing the framework and working principle of SDN, the invention proposes a machine-learning-based defense mechanism CAS-SVM and a DDoS attack detection method for SDN networks; specifically, an improved support vector machine, CAS-SVM (Capture Attribute SSIP-Support Vector Machine), is used to detect DDoS attacks. In addition, an experimental simulation platform is set up, the feasibility of the detection method corresponding to the CAS-SVM model is verified in an SDN network environment, and the number of attacks detected by the SVM and CAS-SVM models in the same time is compared.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to use machine learning to rapidly detect DDoS attacks in an SDN network environment and thereby quickly counter the consequences of such an attack, for example some hosts in the network losing Internet access or the bandwidth of a switch port being fully occupied so that normal communication is impossible. To this end a DDoS attack detection method based on machine learning is provided.
In order to achieve the purpose, the invention adopts the following technical scheme:
a DDoS attack detection method based on machine learning comprises the following steps:
Optionally, if the output result of step 4 is malicious traffic, the flow table information of the switch is deleted and the initial flow table information is added to the switch.
Optionally, the switch is an OpenFlow switch.
Optionally, the detecting by the SVM classification model specifically includes:
Given the training sample set $D=\{(\mathbf{x}_1,y_1),(\mathbf{x}_2,y_2),\dots,(\mathbf{x}_m,y_m)\}$ with $y_i\in\{-1,+1\}$, $i=1,2,3,\dots,m$, a hyperplane $f(\mathbf{x})=\mathbf{w}^{T}\mathbf{x}+b=0$ is found in the sample space on the basis of $D$, where $\mathbf{w}$ and $b$ are the model parameters and $\mathbf{x}$ is the input feature (column) vector; binary classification is then carried out according to the sign of $f(\mathbf{x})$;
where $\mathbf{w}=(w_1,w_2,\dots,w_n)^{T}$ is the normal vector, which determines the direction of the hyperplane ($n$ is the dimension of the feature vector, here the five features), and $m$ is the total number of samples;
$(\mathbf{x}_i,y_i)$ is the $i$-th element of the training sample set $D$, $y_i\in\{-1,+1\}$, $i=1,2,3,\dots,m$;
$b$ is the displacement term, which determines the distance between the hyperplane and the origin;
$T$ denotes the transpose of a vector;
s.t. is the abbreviation of "subject to" and introduces the constraints of the margin-maximization problem.
Optionally, the SSIP value, SDFP value, SDFB value, SFE value and RFIP value of the switch calculated in step 3 are obtained with the following formulas:
$\mathrm{SSIP}=\dfrac{\text{number of different IP source}}{T_{period}}$
$\mathrm{SDFP}=\sqrt{\dfrac{1}{n}\sum_{i=1}^{n}\left(packet\_i-mean\_packets\right)^{2}}$
$\mathrm{SDFB}=\sqrt{\dfrac{1}{n}\sum_{i=1}^{n}\left(bytes\_i-mean\_bytes\right)^{2}}$
$\mathrm{SFE}=\dfrac{\text{number of flow entries}}{T_{period}}$
$\mathrm{RFIP}=\dfrac{\text{interactive of flow entries}}{\text{total number of flow in T period}}$
where:
number of different IP source: the number of distinct source IP addresses among the flow entries received in the period;
T_period: T, the cycle time in seconds (s);
packet_i: the number of packets received by flow entry i in the T period;
mean_packets: the mean of packet_i over all flow entries received in the T period;
bytes_i: the number of bytes received by flow entry i in the T period;
mean_bytes: the mean of bytes_i over all flow entries received in the T period;
number of flow entries: the number of flow entries received in the T period;
total number of flow in T period: the number of flow entries received in the T period, which is also the n of the two standard deviations;
interactive of flow entries: the number of interactive (pair) flow entries, i.e. entries for which a flow entry in the opposite direction also exists.
Optionally, the SDN network topology includes 1 RYU controller, 4 OpenFlow switches, and 8 hosts.
The invention provides a machine-learning-based defense mechanism CAS-SVM and a DDoS attack detection method for SDN networks. CAS-SVM automatically classifies the traffic in the network: it compares the SSIP attribute value computed from the SDN data with a given threshold, and if the SSIP value is greater than the threshold the current traffic is directly judged to be malicious, without predicting the result with the SVM model, which reduces the time needed to detect a DDoS attack. The CAS-SVM model also monitors in real time whether a DDoS attack exists in the SDN, and if so deletes the flow table of the attacked switch, so that the SDN keeps communicating normally and problems such as switch paralysis and network congestion caused by the attack are reduced.
The embodiments of the invention are explained in further detail below with reference to the figures and the detailed description.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
fig. 1 is a schematic diagram of a DDoS attack detection defense architecture under an SDN network architecture designed by the present invention;
FIG. 2 is a schematic diagram of a confusion matrix of an SVM model;
figure 3 is a schematic diagram of an SDN network topology;
fig. 4 is a schematic diagram of the DDoS attack packets captured by host h4 in the network;
FIG. 5 is a schematic diagram of SDFB, SDFP, SFE, SSIP, and RFIP calculated in the same period by the data of OpenFlow Switch2 in the topology;
FIG. 6 is a diagram illustrating the number of DDoS attacks detected by the CAS-SVM and the SVM within the same time period;
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the embodiments described below are only a part of the embodiments of the present invention, not all embodiments, and do not limit the present invention in any way, and all technical solutions using the embodiments, including simple changes made to the embodiments, belong to the protection scope of the present invention.
The DDoS attack detection method of the defense mechanism CAS-SVM and SDN network based on machine learning comprises the following steps:
Step 3: run the RYU controller, connect the virtual SDN topology built in step 2 to the remote controller, and then collect data from the switches on the data plane with an OVS command, obtaining the flow table information of each switch in the SDN topology.
Each flow table contains a plurality of flow entries, and the flow entries are composed of 6 basic elements of matching fields, priorities, counters, instructions, timeouts, and cookies. The matching field further includes contents of an input port (Ingress port), a transmission source Ethernet address of the Ethernet frame (Ethernet source address), a destination Ethernet address of the Ethernet frame (Ethernet destination address), a transmission source address (IP source address) in the IPv4 header, a destination address (IP destination address) in the IPv4 header, and the like. The counter included in the flow table is used to count the number information of the processed Packets, wherein the stored information includes the number of Received Bytes (Received Bytes), the number of Received Packets (Received Packets), the number of Transmitted Bytes (Transmitted Bytes), the number of Transmitted Packets (Transmitted Packets), and the like.
The flow table information obtained in the invention comprises the source IP, the destination IP, the received bytes (Bytes) and the received packets (Packets) of each flow entry; the number of detection rounds run against the SDN network is counted as the period number (T_COUNT). In addition, a program that monitors the SDN network environment is run, so that the state of the network is observed and whether a DDoS attack exists is judged;
Step 5: extract the SSIP values from the data files of the switches computed in step 4 and judge them with the defense mechanism CAS-SVM (Capture Attribute SSIP-Support Vector Machine) on top of the existing SVM model: the CAS algorithm first checks whether the SSIP value exceeds the given threshold; if it does, the current traffic is directly judged malicious and the result is output. If the SSIP value is below the threshold, the data files of all switches are fed to the SVM model trained in step 1, which judges from the supplied feature values whether the current traffic is normal or malicious and outputs the result, which is finally cached to a file;
Step 7: check whether the result obtained in step 6 is 1; if so, delete the flow table of the attacked OpenFlow switch with an OVS command on the data plane of the SDN architecture, and then add the stored initial flow table back to the attacked switch to keep the SDN communicating normally.
Example one:
fig. 1 shows a DDoS attack detection method for a machine learning-based defense mechanism CAS-SVM and an SDN network, which is designed by the present invention, and specifically includes the following steps:
the method judges the result of the SVM classification model through the confusion matrix. Under the classification task, four different combinations exist between the Predicted label (Predicted label) and the correct label (True label) to form a confusion matrix. The 4 different combinations respectively are TP (true Positive) for indicating that the true value is positive, model prediction is the number of positive, FN (false negative) for indicating that the true value is positive, and model prediction is the number of negative, FP (false positive) for indicating that the true value is negative, model prediction is the number of positive, TN (true negative) for indicating that the true value is negative, and model prediction is the number of negative. Through the confusion matrix, 4 indexes can be calculated, namely Accuracy (Accuracy), Precision (Precision), Recall (Recall) and Specificity (Specificity). The calculation formula is as follows,
as shown in fig. 2, the confusion matrix TP, FN, FP, and TN of the SVM model is 379, FN, FP, and TN is 368, accuacy is 0.93, Precision is 0.93, Recall is 0.93, and Specificity is 0.92.
Step 2: build the SDN topology shown in fig. 3. It is a custom topology comprising 1 RYU controller, 4 OpenFlow switches and 8 hosts: the 4 switches are connected in a line, each OpenFlow switch is connected to 2 hosts (8 hosts in total), and the host IP addresses range from 10.0.0.1 to 10.0.0.8.
Step 3: run the RYU controller, connect the virtual SDN topology built in step 2 to the remote controller, and then collect data from the switches on the data plane with an OVS command, obtaining the flow table information of each switch in the SDN topology. In addition, a program that monitors the SDN network environment is run, so that the state of the network is observed and whether a DDoS attack exists is judged.
Step 4: from the SDN data collected in step 3, compute SSIP, SDFP, SDFB, SFE and RFIP for each OpenFlow switch and cache the values extracted in real time to a file. In the simulation experiment the DDoS attack is started at period 10 against host PC4, which is attached to OpenFlow Switch2, and stopped at period 50, while the host pairs PC2 and PC6, PC7 and PC5, and PC8 and PC3 keep communicating; the SDFB, SDFP, SFE, SSIP and RFIP values computed for OpenFlow Switch2 are shown in fig. 5;
where SSIP (Speed of Source IP) is the number of source IP addresses per unit time; SDFP (Standard Deviation of Flow Packets) is the standard deviation of the packet counts of the flow entries in time T; SDFB (Standard Deviation of Flow Bytes) is the standard deviation of the byte counts of the flow entries in time T; SFE (Speed of Flow Entries) is the number of flow entries per unit time; RFIP (Ratio of Pair-Flow Entries) is the ratio of interactive (pair) flow entries;
The attributes are calculated as follows:
$\mathrm{SSIP}=\dfrac{\text{number of different IP source}}{T_{period}}$
$\mathrm{SDFP}=\sqrt{\dfrac{1}{n}\sum_{i=1}^{n}\left(packet\_i-mean\_packets\right)^{2}}$
$\mathrm{SDFB}=\sqrt{\dfrac{1}{n}\sum_{i=1}^{n}\left(bytes\_i-mean\_bytes\right)^{2}}$
$\mathrm{SFE}=\dfrac{\text{number of flow entries}}{T_{period}}$
$\mathrm{RFIP}=\dfrac{\text{interactive of flow entries}}{\text{total number of flow in T period}}$
where:
number of different IP source: the number of distinct source IP addresses among the flow entries received in the period (more than one flow table is sent in the network, so several flow tables are received, each containing several flow entries, and each flow entry carries one source IP address);
T_period: T, the cycle time in seconds (s);
packet_i: the number of packets received by flow entry i in the T period;
mean_packets: the mean of packet_i over all flow entries received in the T period;
bytes_i: the number of bytes received by flow entry i in the T period;
mean_bytes: the mean of bytes_i over all flow entries received in the T period;
number of flow entries: the number of flow entries received in the T period;
total number of flow in T period: the number of flow entries received in the T period, which is also the n of the two standard deviations;
interactive of flow entries: the number of interactive (pair) flow entries, i.e. entries for which a flow entry in the opposite direction also exists;
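The feature extraction of step 4, worked through as an added example that is not code from the patent: it parses the text that `ovs-ofctl dump-flows <bridge>` prints for one collection period and computes SSIP, SDFP, SDFB, SFE and RFIP with the formulas above. It assumes that the controller installs one flow entry per (source IP, destination IP) pair, that T is in seconds, and that a "pair" (interactive) entry is one whose reverse-direction entry also exists in the same dump; the two dumps are constructed (a quiet period and the same period with five spoofed one-packet SYN flows toward 10.0.0.4 added), not captured from the experiment.

```python
"""Added example: SSIP/SDFP/SDFB/SFE/RFIP from an `ovs-ofctl dump-flows` dump.
Not the patent's code; flow dumps below are constructed test data."""
import math
import re
from dataclasses import dataclass

_FIELD = {
    "n_packets": re.compile(r"n_packets=(\d+)"),
    "n_bytes": re.compile(r"n_bytes=(\d+)"),
    "nw_src": re.compile(r"nw_src=([\d.]+)"),
    "nw_dst": re.compile(r"nw_dst=([\d.]+)"),
}


@dataclass(frozen=True)
class FlowEntry:
    src: str
    dst: str
    packets: int
    nbytes: int


def parse_dump_flows(text):
    """Return the IP flow entries of a dump-flows reply. Lines without both
    nw_src and nw_dst (reply header, ARP rules, the table-miss rule) carry no
    source-IP information and are skipped."""
    entries = []
    for line in text.splitlines():
        f = {k: rx.search(line) for k, rx in _FIELD.items()}
        if not (f["nw_src"] and f["nw_dst"]):
            continue
        entries.append(FlowEntry(
            src=f["nw_src"].group(1), dst=f["nw_dst"].group(1),
            packets=int(f["n_packets"].group(1)) if f["n_packets"] else 0,
            nbytes=int(f["n_bytes"].group(1)) if f["n_bytes"] else 0))
    return entries


def _population_std(values):
    # Population standard deviation: n = number of entries in the period.
    mean = sum(values) / len(values)
    return math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))


def compute_features(entries, t_period):
    """SSIP, SDFP, SDFB, SFE, RFIP for the entries collected in one period T."""
    if t_period <= 0:
        raise ValueError("t_period must be a positive number of seconds")
    total = len(entries)
    if total == 0:
        # An empty table is not an attack signature; avoid dividing by zero.
        return dict.fromkeys(("ssip", "sdfp", "sdfb", "sfe", "rfip"), 0.0)
    directions = {(e.src, e.dst) for e in entries}
    interactive = sum(1 for e in entries if (e.dst, e.src) in directions)
    return {
        "ssip": len({e.src for e in entries}) / t_period,
        "sdfp": _population_std([e.packets for e in entries]),
        "sdfb": _population_std([e.nbytes for e in entries]),
        "sfe": total / t_period,
        "rfip": interactive / total,
    }


# Constructed dump for one 3-second period: two host pairs talking, plus the
# table-miss rule that the parser must ignore.
NORMAL_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=12.3s, table=0, n_packets=10, n_bytes=980, priority=1,ip,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=output:2
 cookie=0x0, duration=12.3s, table=0, n_packets=10, n_bytes=980, priority=1,ip,nw_src=10.0.0.6,nw_dst=10.0.0.2 actions=output:1
 cookie=0x0, duration=9.8s, table=0, n_packets=8, n_bytes=784, priority=1,ip,nw_src=10.0.0.7,nw_dst=10.0.0.5 actions=output:3
 cookie=0x0, duration=9.8s, table=0, n_packets=8, n_bytes=784, priority=1,ip,nw_src=10.0.0.5,nw_dst=10.0.0.7 actions=output:2
 cookie=0x0, duration=60.0s, table=0, n_packets=3, n_bytes=180, priority=0 actions=CONTROLLER:65535
"""

# Same period with five spoofed one-packet SYN flows toward 10.0.0.4 added
# (constructed to mimic the SYN flood of the experiment): SSIP and SFE rise,
# RFIP falls because the spoofed flows never get a reply entry.
ATTACK_DUMP = NORMAL_DUMP + "".join(
    f" cookie=0x0, duration=0.5s, table=0, n_packets=1, n_bytes=54, "
    f"priority=1,ip,nw_src=198.51.100.{i},nw_dst=10.0.0.4 actions=output:2\n"
    for i in range(1, 6))

if __name__ == "__main__":
    for name, dump in (("normal", NORMAL_DUMP), ("attack", ATTACK_DUMP)):
        print(name, compute_features(parse_dump_flows(dump), t_period=3))
```

Run against the two dumps with T = 3 s: the quiet period gives SSIP = SFE = 4/3 and RFIP = 1.0, the flooded period SSIP = SFE = 3.0 and RFIP = 4/9, which is the direction of change the CAS threshold and the SVM rely on. Note that SDFP and SDFB are computed per flow entry over the period, so a long period with many short spoofed flows drives them toward zero.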
Step 5: extract the SSIP values from the data files of the switches computed in step 4 and judge them with the defense mechanism CAS-SVM (Capture Attribute SSIP-Support Vector Machine) on top of the existing SVM model: the CAS algorithm first checks whether the SSIP value exceeds the given threshold; if it does, the current traffic is directly judged malicious and the result is output. If the SSIP value is below the threshold, the data files of all switches are fed to the SVM model trained in step 1, which judges from the supplied feature values whether the current traffic is normal or malicious and outputs the result, which is finally cached to a file;
the CAS-SVM algorithm principle is as follows:
(1) SVM: the Support Vector Machine (SVM) algorithm is a supervised learning algorithm that trains a model with labeled data. The model computes a decision boundary between the labeled data, called the hyperplane; the training points closest to the hyperplane are the support vectors. The algorithm optimizes the decision boundary by maximizing the margin around the hyperplane, and several kernels are available for this; linear, RBF, polynomial and Sigmoid kernels are the most common. Real-world data may be one- or multi-dimensional and is not always linearly separable: a linear kernel handles linearly separable data sets, while for non-linear data sets the other kernels map the data into a space in which it can be separated linearly. SVMs are memory-efficient and effective on multi-dimensional data sets. The invention uses the SVM linear kernel.
When the training samples are linearly separable, a linear classifier, i.e. a support vector machine with a linear kernel, is learned by hard-margin maximization. Given the training sample set $D=\{(\mathbf{x}_1,y_1),(\mathbf{x}_2,y_2),\dots,(\mathbf{x}_m,y_m)\}$ with $y_i\in\{-1,+1\}$, $i=1,2,3,\dots,m$, a hyperplane $f(\mathbf{x})=\mathbf{w}^{T}\mathbf{x}+b=0$ is found in the sample space on the basis of $D$ (where $\mathbf{w}$ and $b$ are the model parameters and $\mathbf{x}$ is the input feature column vector), and binary classification is then carried out according to the sign of $f(\mathbf{x})$;
note: $\mathbf{w}=(w_1,w_2,\dots,w_n)^{T}$ is the normal vector, which determines the direction of the hyperplane ($n$ is the dimension of the feature vector, here the five features), and $m$ is the total number of samples;
$(\mathbf{x}_i,y_i)$ is the $i$-th element of the training sample set $D$, $y_i\in\{-1,+1\}$, $i=1,2,3,\dots,m$;
$b$ is the displacement term, which determines the distance between the hyperplane and the origin;
$T$ denotes the transpose of a vector;
s.t. is the abbreviation of "subject to" and introduces the constraints of the margin-maximization problem.
(2) CAS-SVM: CAS-SVM (Capture Attribute SSIP-Support Vector Machine) first captures the SSIP attribute value computed from the data of each switch in the SDN network and compares it with a given threshold. If SSIP is greater than the threshold, the traffic currently under detection is judged to be malicious, i.e. a DDoS attack is in progress; if SSIP is below the threshold, the SVM model is loaded and the result is predicted from the data of the SDN network.
As described by the CAS-SVM procedure (Algorithm 1), the model's detection time for DDoS attacks is optimized: when a large number of DDoS attacks are present in the network, the network state can be obtained directly from the comparison of the SSIP attribute value with the threshold, avoiding the time spent loading the SVM model and running its prediction. When the comparison alone cannot give a reliable result, the SVM model is used for prediction, which preserves the accuracy of CAS-SVM in detecting DDoS attacks.
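The CAS-SVM rule just described, together with the confusion-matrix metrics of step 1, as an added example that is not the patent's code: a linear-kernel SVM is fitted on the five features and wrapped by the CAS fast path, which returns "malicious" for any window whose SSIP exceeds the threshold without invoking the SVM. In practice one would train with scikit-learn's `SVC(kernel="linear")`; the Pegasos sub-gradient trainer below is used only to keep the example dependency-free. Assumed: the feature order (SSIP, SDFP, SDFB, SFE, RFIP), label +1 = DDoS and -1 = normal, an SSIP threshold of 50 chosen for the same period length T as the features, and constructed (not measured) training windows.

```python
"""Added example: CAS-SVM = SSIP threshold fast path + linear SVM fallback,
plus confusion-matrix metrics. Not the patent's code; data is constructed."""
import math

SSIP_INDEX = 0  # position of SSIP in a feature vector (SSIP, SDFP, SDFB, SFE, RFIP)

# Constructed training windows: four normal (-1), four DDoS (+1).
TRAIN = [
    ((1.3, 1.0, 98.0, 1.3, 1.0), -1), ((2.0, 1.5, 120.0, 2.0, 0.9), -1),
    ((0.7, 0.5, 60.0, 0.7, 1.0), -1), ((2.7, 2.0, 150.0, 2.7, 0.8), -1),
    ((30.0, 0.3, 10.0, 33.0, 0.1), 1), ((40.0, 0.2, 8.0, 41.0, 0.05), 1),
    ((35.0, 0.4, 12.0, 38.0, 0.0), 1), ((45.0, 0.1, 5.0, 47.0, 0.1), 1),
]


class LinearSVM:
    """f(x) = w.x + b fitted with Pegasos: sub-gradient descent on the hinge
    loss plus (lam/2)||w||^2, i.e. the linear-kernel SVM objective."""

    def __init__(self, lam=0.01, epochs=300):
        self.lam, self.epochs = lam, epochs

    def _z(self, x):
        # Standardise (bytes and ratios differ by orders of magnitude) and
        # append a constant 1 so the bias b is the last weight of w.
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)] + [1.0]

    def fit(self, X, y):
        n, k = len(X[0]), len(X)
        self.mean = [sum(x[j] for x in X) / k for j in range(n)]
        self.std = [math.sqrt(sum((x[j] - self.mean[j]) ** 2 for x in X) / k) or 1.0
                    for j in range(n)]
        Z, self.w, t = [self._z(x) for x in X], [0.0] * (n + 1), 0
        for _ in range(self.epochs):
            for z, label in zip(Z, y):  # deterministic pass order
                t += 1
                eta = 1.0 / (self.lam * t)
                inside = label * sum(wi * zi for wi, zi in zip(self.w, z)) < 1
                # shrink w, and take the hinge-loss step only for margin violators
                self.w = [(1 - eta * self.lam) * wi + (eta * label * zi if inside else 0.0)
                          for wi, zi in zip(self.w, z)]
        return self

    def predict(self, x):
        return 1 if sum(wi * zi for wi, zi in zip(self.w, self._z(x))) >= 0 else -1


class CasSvm:
    """CAS fast path: SSIP above the threshold is malicious without touching
    the SVM; every other window is handed to the SVM."""

    def __init__(self, svm, ssip_threshold):
        self.svm, self.ssip_threshold, self.svm_calls = svm, ssip_threshold, 0

    def detect(self, x):
        """Return (label, path); label +1 = malicious, path in {"cas", "svm"}."""
        if x[SSIP_INDEX] > self.ssip_threshold:
            return 1, "cas"
        self.svm_calls += 1
        return self.svm.predict(x), "svm"


def confusion_matrix(y_true, y_pred):
    cm = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for t, p in zip(y_true, y_pred):
        cm[("tp" if p == 1 else "fn") if t == 1 else ("fp" if p == 1 else "tn")] += 1
    return cm


def metrics(cm):
    """Accuracy, precision, recall, specificity; 0.0 where the denominator is 0."""
    ratio = lambda a, b: a / b if b else 0.0
    tp, fn, fp, tn = cm["tp"], cm["fn"], cm["fp"], cm["tn"]
    return {"accuracy": ratio(tp + tn, tp + tn + fp + fn), "precision": ratio(tp, tp + fp),
            "recall": ratio(tp, tp + fn), "specificity": ratio(tn, tn + fp)}


def build_detector(ssip_threshold=50.0):
    X, y = zip(*TRAIN)
    return CasSvm(LinearSVM().fit(list(X), list(y)), ssip_threshold)


def evaluate(detector, samples):
    """samples: [(features, true_label)] -> (metrics dict, list of paths taken)."""
    preds, paths = [], []
    for x, _ in samples:
        label, path = detector.detect(x)
        preds.append(label)
        paths.append(path)
    return metrics(confusion_matrix([t for _, t in samples], preds)), paths


if __name__ == "__main__":
    det = build_detector()
    print(evaluate(det, TRAIN + [((60.0, 0.1, 5.0, 62.0, 0.0), 1)]), det.svm_calls)
```

The `svm_calls` counter is the quantity the patent's "time saved" argument rests on: every window resolved on the "cas" path costs one comparison instead of a model load and prediction. The threshold short-circuit also means the SVM never sees high-SSIP windows, so the threshold has to be calibrated on the same period length T used to compute SSIP, and a window with SSIP just under it is classified entirely by the SVM.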
Step 7: check whether the result obtained in step 6 is 1; if so, delete the flow table of the attacked OpenFlow switch with an OVS command on the data plane of the SDN architecture, and then add the stored initial flow table back to the attacked switch to keep the SDN communicating normally.
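The step-7 reaction, as an added example that is not the patent's code: for one switch it acts only when the detector output is 1, wipes the flow table and reinstalls the stored initial entries with `ovs-ofctl`. It assumes the switch is an Open vSwitch bridge (Mininet names them s1 to s4) speaking OpenFlow 1.3, hence the `-O OpenFlow13` option, and that the stored initial table is a single table-miss rule that punts unknown traffic to the controller; the `runner` parameter is a hypothetical hook so the example can be dry-run without Open vSwitch installed.

```python
"""Added example: reset an attacked OVS bridge's flow table (step 7).
Not the patent's code; the initial table below is assumed."""
import re
import subprocess

# Assumed initial flow table: only the table-miss rule. Without it an
# OpenFlow 1.3 switch drops everything after `del-flows`, so the legitimate
# hosts would lose connectivity instead of being re-learned via packet-in.
INITIAL_FLOWS = ["priority=0,actions=CONTROLLER:65535"]
_BRIDGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,15}$")  # OVS bridge names are short


def mitigation_commands(bridge, initial_flows=INITIAL_FLOWS, protocol="OpenFlow13"):
    """Argument vectors for one switch: delete every flow, then re-add the
    initial entries. Lists, not a shell string, so a crafted bridge name
    cannot smuggle extra commands in."""
    if not _BRIDGE_NAME.match(bridge):
        raise ValueError(f"refusing suspicious bridge name: {bridge!r}")
    cmds = [["ovs-ofctl", "-O", protocol, "del-flows", bridge]]
    cmds += [["ovs-ofctl", "-O", protocol, "add-flow", bridge, f] for f in initial_flows]
    return cmds


def react(bridge, result, runner=subprocess.run, initial_flows=INITIAL_FLOWS):
    """Apply step 7 for one switch. `result` is the detector output (1 = DDoS).
    Returns the commands executed; empty when nothing was done."""
    if result != 1:
        return []
    cmds = mitigation_commands(bridge, initial_flows)
    for cmd in cmds:
        # check=True: stop at the first failure rather than leave a half-reset table
        runner(cmd, check=True)
    return cmds


if __name__ == "__main__":
    log = []  # dry run: record the commands instead of executing them
    react("s2", 1, runner=lambda cmd, check: log.append(cmd))
    for cmd in log:
        print(" ".join(cmd))
```

Wiping the table clears the state the flood left behind but does not stop the flood itself: if the attack continues, the next period's SSIP will exceed the threshold again and the reset repeats, which is why the detector keeps running per period rather than acting once.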
Example two:
The performance of DDoS attack detection under the SDN architecture is compared in a simulation experiment using SVM (support vector machine) and decision tree models. To simulate a real SDN environment, the RYU controller is run in PyCharm 2021.1.1 on a local Windows 10 x64 system, and Mininet 2.2.1 on Ubuntu 18.04 64-bit simulates the data plane of the SDN.
In the simulation experiment a program that sends SYN packets was written with the Scapy toolkit to simulate the DDoS attack. On reaching step 3 a monitoring program is run to detect the state of the SDN network. In the experiment the CAS-SVM and SVM models are used for SDN state detection, and Wireshark is used on host h4 to display the captured DDoS attack packets, as shown in fig. 4. In the simulation each OpenFlow switch in the network is monitored for 60 minutes; during this time hosts PC1 and PC5 send SYN packets to host PC4, realizing the simulated DDoS attack, while PC2 pings PC6, PC7 pings PC5 and PC8 pings PC3 to keep communication going in the network.
After the DDoS attack is sent into the network, detection is carried out with the SVM and CAS-SVM models. As shown in fig. 6, when each switch in the SDN is monitored for 60 minutes, the SVM model detects 1200 DDoS attacks while the CAS-SVM model detects 1400, so CAS-SVM detects more DDoS attacks than SVM in the same detection time and is therefore the better of the two at detecting DDoS attacks.
The preferred embodiments of the present disclosure are described in detail with reference to the accompanying drawings, however, the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solution of the present disclosure within the technical idea of the present disclosure, and these simple modifications all belong to the protection scope of the present disclosure.
It should be noted that, in the foregoing embodiments, various features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various combinations that are possible in the present disclosure are not described again.
In addition, any combination of various embodiments of the present disclosure may be made, and the same should be considered as the disclosure of the present disclosure, as long as it does not depart from the spirit of the present disclosure.
Claims (6)
1. A DDoS attack detection method based on machine learning is characterized by comprising the following steps:
step 1, acquiring a data set containing SSIP, SDFP, SDFB, SFE and RFIP, training by using an SVM algorithm to obtain an SVM classification model, and constructing an SDN network topological structure;
step 2, the SDN network topology structure is connected with a remote controller, and an OVS command is used on a data plane to acquire data of a switch in the SDN network topology structure so as to obtain flow table information of the switch;
step 3, calculating by using the flow table information acquired in the step 2 to obtain an SSIP value, an SDFP value, an SDFB value, an SFE value and an RFIP value of the switch;
step 4, taking each switch as a processing object, extracting the SSIP value obtained in the step 3, judging whether the SSIP value is greater than a given threshold value according to a CAS algorithm, and if the SSIP value is greater than the given threshold value, determining that the SSIP value is malicious flow; and if the SSIP value is smaller than a given threshold value, inputting the SSIP value, the SDFP value, the SDFB value, the SFE value and the RFIP value of the switch into the SVM classification model obtained in the step 1 for detection, and judging that the current flow is normal flow or malicious flow.
2. A DDoS attack detection method based on machine learning according to claim 1, wherein if the output result of step 4 is malicious traffic, the flow table information of the switch is deleted, and initialization flow table information is added to the switch.
3. A DDoS attack detection method based on machine learning according to claim 1 or 2, characterized in that said switch is an OpenFlow switch.
4. The machine learning-based DDoS attack detection method according to claim 1 or 2, wherein the detection by the SVM classification model specifically comprises:
given the training sample set $D=\{(\mathbf{x}_1,y_1),(\mathbf{x}_2,y_2),\dots,(\mathbf{x}_m,y_m)\}$ with $y_i\in\{-1,+1\}$, $i=1,2,3,\dots,m$, a hyperplane $f(\mathbf{x})=\mathbf{w}^{T}\mathbf{x}+b=0$ is found in the sample space on the basis of $D$, where $\mathbf{w}$ and $b$ are the model parameters and $\mathbf{x}$ is the input feature (column) vector; binary classification is then carried out according to the sign of $f(\mathbf{x})$;
where $\mathbf{w}=(w_1,w_2,\dots,w_n)^{T}$ is the normal vector, which determines the direction of the hyperplane ($n$ is the dimension of the feature vector, here the five features), and $m$ is the total number of samples;
$(\mathbf{x}_i,y_i)$ is the $i$-th element of the training sample set $D$, $y_i\in\{-1,+1\}$, $i=1,2,3,\dots,m$;
$b$ is the displacement term, which determines the distance between the hyperplane and the origin;
$T$ denotes the transpose of a vector;
s.t. is the abbreviation of "subject to" and introduces the constraints of the margin-maximization problem.
5. A DDoS attack detection method based on machine learning according to claim 1 or 2, wherein the SSIP value, SDFP value, SDFB value, SFE value and RFIP value calculated in step 3 are obtained with the following formulas:
$\mathrm{SSIP}=\dfrac{\text{number of different IP source}}{T_{period}}$
$\mathrm{SDFP}=\sqrt{\dfrac{1}{n}\sum_{i=1}^{n}\left(packet\_i-mean\_packets\right)^{2}}$
$\mathrm{SDFB}=\sqrt{\dfrac{1}{n}\sum_{i=1}^{n}\left(bytes\_i-mean\_bytes\right)^{2}}$
$\mathrm{SFE}=\dfrac{\text{number of flow entries}}{T_{period}}$
$\mathrm{RFIP}=\dfrac{\text{interactive of flow entries}}{\text{total number of flow in T period}}$
where:
number of different IP source: the number of distinct source IP addresses among the flow entries received in the period;
T_period: T, the cycle time in seconds (s);
packet_i: the number of packets received by flow entry i in the T period;
mean_packets: the mean of packet_i over all flow entries received in the T period;
bytes_i: the number of bytes received by flow entry i in the T period;
mean_bytes: the mean of bytes_i over all flow entries received in the T period;
number of flow entries: the number of flow entries received in the T period;
total number of flow in T period: the number of flow entries received in the T period, which is also the n of the two standard deviations;
interactive of flow entries: the number of interactive (pair) flow entries, i.e. entries for which a flow entry in the opposite direction also exists.
6. A machine learning based DDoS attack detection method according to claim 1 or 2, wherein said SDN network topology comprises 1 RYU controller, 4 OpenFlow switches and 8 hosts.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110888851.4A CN113691503A (en) | 2021-08-03 | 2021-08-03 | DDoS attack detection method based on machine learning |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110888851.4A CN113691503A (en) | 2021-08-03 | 2021-08-03 | DDoS attack detection method based on machine learning |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113691503A true CN113691503A (en) | 2021-11-23 |
Family
ID=78578999
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110888851.4A Pending CN113691503A (en) | 2021-08-03 | 2021-08-03 | DDoS attack detection method based on machine learning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113691503A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180152475A1 (en) * | 2016-11-30 | 2018-05-31 | Foundation Of Soongsil University-Industry Cooperation | DDoS attack detection system based on SVM-SOM combination and method thereof |
CN109981691A (en) * | 2019-04-30 | 2019-07-05 | 山东工商学院 | Real-time DDoS attack detection system and method for SDN controller |
CN111294342A (en) * | 2020-01-17 | 2020-06-16 | 深圳供电局有限公司 | Method and system for detecting DDoS attack in software defined network |
CN111756719A (en) * | 2020-06-17 | 2020-10-09 | 哈尔滨工业大学 | DDoS attack detection method combining SVM and optimized LSTM model under SDN network architecture |
CN112995202A (en) * | 2021-04-08 | 2021-06-18 | 昆明理工大学 | SDN-based DDoS attack detection method |
Non-Patent Citations (2)
Title |
---|
SHIMAA EZZAT KOTB et al.: "SGuard: machine learning-based Distributed Denial-of-Service Detection Scheme for Software Defined Network", 2021 International Mobile, Intelligent, and Ubiquitous Computing Conference (MIUCC) * |
安颖 et al.: "DDoS attack detection system in an OpenFlow-based SDN network environment", Journal of Southeast University (Natural Science Edition) * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114513365A (en) * | 2022-02-28 | 2022-05-17 | 北京启明星辰信息安全技术有限公司 | Detection and defense method for SYN Flood attack |
CN114513365B (en) * | 2022-02-28 | 2023-06-30 | 北京启明星辰信息安全技术有限公司 | Detection and defense method for SYN Flood attack |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Alkasassbeh et al. | Detecting distributed denial of service attacks using data mining techniques | |
CN107959690B (en) | DDoS attack cross-layer cooperative defense method based on software defined network | |
Qin et al. | Line-speed and scalable intrusion detection at the network edge via federated learning | |
CN107483512B (en) | SDN controller DDoS detection and defense method based on time characteristics | |
CN104836702B (en) | Mainframe network unusual checking and sorting technique under a kind of large traffic environment | |
Liu et al. | Software-defined DDoS detection with information entropy analysis and optimized deep learning | |
CN113364752B (en) | Flow abnormity detection method, detection equipment and computer readable storage medium | |
Li et al. | Using SVM to detect DDoS attack in SDN network | |
Wang et al. | A DDoS attack detection method based on information entropy and deep learning in SDN | |
Moustaf et al. | Creating novel features to anomaly network detection using DARPA-2009 data set | |
Chiba et al. | New anomaly network intrusion detection system in cloud environment based on optimized back propagation neural network using improved genetic algorithm | |
CN113452676A (en) | Detector allocation method and Internet of things detection system | |
Mohsin et al. | Performance evaluation of SDN DDoS attack detection and mitigation based random forest and K-nearest neighbors machine learning algorithms | |
CN113691503A (en) | DDoS attack detection method based on machine learning | |
Tang et al. | SFTO-Guard: Real-time detection and mitigation system for slow-rate flow table overflow attacks | |
Fenil et al. | Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches | |
Wang et al. | Abnormal traffic detection system in SDN based on deep learning hybrid models | |
Halman et al. | MCAD: A Machine learning based cyberattacks detector in Software-Defined Networking (SDN) for healthcare systems | |
Shalini et al. | DOCUS-DDoS detection in SDN using modified CUSUM with flash traffic discrimination and mitigation | |
CN112491801B (en) | Incidence matrix-based object-oriented network attack modeling method and device | |
CN115643108A (en) | Safety assessment method, system and product for industrial Internet edge computing platform | |
Li et al. | Improved automated graph and FCM based DDoS attack detection mechanism in software defined networks | |
CN115580480B (en) | FTO attack detection and mitigation method based on Kalman filtering and random forest | |
Alhamami et al. | DDOS attack detection using machine learning algorithm in SDN network | |
CN114745194B (en) | Integrated learning-based DDoS detection method and device in SDN environment, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20211123 |