CN113691503A - DDoS attack detection method based on machine learning - Google Patents

DDoS attack detection method based on machine learning

Publication number: CN113691503A
Application number: CN202110888851.4A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventors: 吴昊 (Wu Hao), 侯爱琴 (Hou Aiqin)
Assignee (original and current): Northwest University

Classifications (CPC)

    • H04L63/1425 Network security, detecting or protecting against malicious traffic by monitoring network traffic: traffic logging, e.g. anomaly detection
    • H04L63/1458 Network security, countermeasures against malicious traffic: denial of service
    • G06F18/2411 Pattern recognition, classification techniques relating to the classification model: based on the proximity to a decision surface, e.g. support vector machines
    • G06F18/2451 Pattern recognition, classification techniques relating to the decision surface: linear, e.g. hyperplane

Abstract

The invention discloses a DDoS attack detection method based on machine learning. It comprises the steps of obtaining a data set containing SSIP, SDFP, SDFB, SFE and RFIP, training an SVM classification model with the SVM algorithm, and building an SDN network topology; real-time DDoS attack detection is then carried out on the OpenFlow switches of the SDN architecture by a CAS-SVM model that combines a threshold test with the SVM algorithm, and the flow table of an attacked OpenFlow switch is deleted, so that normal communication in the SDN network is maintained and problems such as network paralysis caused by DDoS attacks are avoided. The time needed to detect a DDoS attack is reduced. The CAS-SVM model also monitors in real time whether DDoS attacks exist in the SDN; if they do, the flow table of the attacked switch is deleted, which keeps the SDN communicating normally and reduces problems such as switch paralysis and network congestion caused by network attacks.

Description

DDoS attack detection method based on machine learning
Technical Field
The invention belongs to the technical field of computer network security, and particularly relates to a DDoS attack detection method based on machine learning.
Background
As the internet continues to develop, software-defined networking (SDN), a next-generation network architecture, has come into view. By decoupling the control plane from the data plane it overcomes the limitations of the traditional network architecture and greatly improves the manageability, scalability, controllability and dynamics of the network. However, with the spread of Software Defined Networks (SDN), the security of the SDN network has become one of the issues that the SDN field urgently needs to solve. Distributed Denial of Service (DDoS) attacks, one of the most important security threats faced by today's internet, are especially dangerous in SDN networks because of their strong destructive power, simple implementation and the lack of easy and feasible countermeasures. Accurately and quickly detecting DDoS attacks is therefore a key point in the security field. On this basis, after summarising the framework and working principle of SDN, the invention proposes a machine-learning-based defense mechanism, CAS-SVM, and a DDoS attack detection method for SDN networks; specifically, an improved Support Vector Machine, CAS-SVM (Capture Attribute SSIP-Support Vector Machine), is used to detect DDoS attacks. In addition, an experimental simulation platform is set up, the feasibility of the detection method based on the CAS-SVM model is verified in an SDN network environment, and the number of attacks detected by the SVM and CAS-SVM models in the same time is compared.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to rapidly detect DDoS attacks in a network by using machine learning in an SDN network environment, so as to quickly counter the consequences of a DDoS attack, such as hosts losing connectivity, the bandwidth of a switch port being completely occupied and normal communication becoming impossible; to this end it provides a DDoS attack detection method based on machine learning.
In order to achieve the purpose, the invention adopts the following technical scheme:
a DDoS attack detection method based on machine learning comprises the following steps:
step 1, acquiring a data set containing SSIP, SDFP, SDFB, SFE and RFIP, training by using an SVM algorithm to obtain an SVM classification model, and constructing an SDN network topological structure;
step 2, the SDN network topology structure is connected with a remote controller, and an OVS command is used on a data plane to acquire data of a switch in the SDN network topology structure so as to obtain flow table information of the switch;
step 3, calculating by using the flow table information acquired in the step 2 to obtain an SSIP value, an SDFP value, an SDFB value, an SFE value and an RFIP value of the switch;
step 4, taking each switch as the processing object, extract the SSIP value obtained in step 3 and judge, according to the CAS algorithm, whether the SSIP value is greater than a given threshold; if it is, the current traffic is determined to be malicious; if the SSIP value is smaller than the given threshold, input the SSIP, SDFP, SDFB, SFE and RFIP values of the switch into the SVM classification model obtained in step 1 for detection, which judges whether the current traffic is normal or malicious.
Optionally, if the output result of step 4 is malicious flow, deleting the flow table information of the switch, and adding the initialized flow table information to the switch.
Optionally, the switch is an OpenFlow switch.
Optionally, the detecting by the SVM classification model specifically includes:
given a training sample set $D = \{(X_1, Y_1), (X_2, Y_2), \ldots, (X_m, Y_m)\}$, $Y_i \in \{-1, +1\}$, $i = 1, 2, 3, \ldots, m$; finding a hyperplane $f(x) = \omega^{T}\rho + \beta = 0$ in the sample space based on the training set $D$, where $\omega$ and $\beta$ are model parameters, $\rho$ is the column vector of a sample and $x$ represents the input; then carrying out binary classification:
(formula shown as an image in the original)
where $W = (W_1, W_2, \ldots, W_n)$ is the normal vector, which determines the direction of the hyperplane, and there are $m$ samples in total;
$(X_i, Y_i)$ are the samples of the training set $D = \{(X_1, Y_1), (X_2, Y_2), \ldots, (X_m, Y_m)\}$, $Y_i \in \{-1, +1\}$; $i = 1, 2, 3, \ldots, m$;
$b$ is the displacement term, which determines the distance between the hyperplane and the origin;
$T$ denotes the transpose of a vector;
s.t. is an abbreviation of "subject to" and introduces the constraints.
Optionally, the SSIP value, SDFP value, SDFB value, SFE value and RFIP value of the switch calculated in step 3 are obtained with the following formulas:
(formulas shown as an image in the original)
number of different IP sources: the number of distinct source IP addresses among the flow entries received in the period;
T period: T is the collection period, in seconds (s);
packet_i: the packet count of the i-th flow entry received in period T;
mean_packets: the mean of the packet counts of all flow entries received in period T;
bytes_i: the byte count of the i-th flow entry received in period T;
mean_bytes: the mean of the byte counts of all flow entries received in period T;
number of flow entries: the number of flow entries received in period T;
total number of flow in T period: the total number of flow entries received in period T;
interactive of flow entries: the number of interactive (paired) flow entries.
Optionally, the SDN network topology includes 1 RYU controller, 4 OpenFlow switches, and 8 hosts.
The invention provides a machine-learning-based defense mechanism, CAS-SVM, and a DDoS attack detection method for SDN networks. The defense mechanism CAS-SVM classifies the traffic in the network automatically: it compares the SSIP attribute value of the SDN network data with a given threshold and, if the SSIP value is greater than the threshold, judges the current traffic to be malicious directly, without using the SVM model to predict a result from the SDN network data, which reduces the time needed to detect a DDoS attack. The CAS-SVM model also monitors in real time whether DDoS attacks exist in the SDN; if they do, the flow table of the attacked switch is deleted, which keeps the SDN communicating normally and reduces problems such as switch paralysis and network congestion caused by network attacks.
The embodiments of the invention are explained in further detail below with reference to the figures and the detailed description.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
fig. 1 is a schematic diagram of a DDoS attack detection defense architecture under an SDN network architecture designed by the present invention;
FIG. 2 is a schematic diagram of a confusion matrix of an SVM model;
figure 3 is a schematic diagram of an SDN network topology;
fig. 4 is a schematic diagram of the DDoS attack packets captured by host h4 in the network;
FIG. 5 is a schematic diagram of SDFB, SDFP, SFE, SSIP and RFIP computed in the same period from the data of OpenFlow Switch2 in the topology;
FIG. 6 is a diagram illustrating the number of DDoS attacks detected by the CAS-SVM and the SVM within the same time period;
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the embodiments described below are only a part of the embodiments of the present invention, not all embodiments, and do not limit the present invention in any way, and all technical solutions using the embodiments, including simple changes made to the embodiments, belong to the protection scope of the present invention.
The DDoS attack detection method of the defense mechanism CAS-SVM and SDN network based on machine learning comprises the following steps:
step 1, train an SVM classification model with the SVM algorithm on an existing data set containing the SSIP, SDFP, SDFB, SFE and RFIP attributes, and then store the model; SSIP is the number of source IP addresses per unit time; SDFP is the standard deviation of the packet counts of the flow entries within time T; SDFB is the standard deviation of the byte counts of the flow entries within time T; SFE is the number of flow entries per unit time; RFIP is the ratio of interactive (paired) flow entries;
step 2, constructing an SDN network topological structure, wherein the SDN network topological structure comprises 1 RYU controller, 4 OpenFlow switches and 8 hosts respectively;
step 3, run the RYU controller, connect the virtual SDN network topology built in step 2 to the remote controller, and then collect data from the switches on the data plane with an OVS command, thereby obtaining the flow table information of each switch in the SDN network topology.
Each flow table contains a plurality of flow entries, and a flow entry consists of 6 basic elements: match fields, priority, counters, instructions, timeouts and cookie. The match fields include the ingress port, the Ethernet source address and Ethernet destination address of the frame, the IP source address and IP destination address of the IPv4 header, and so on. The counters of a flow entry record statistics about the packets it has processed, including Received Bytes, Received Packets, Transmitted Bytes and Transmitted Packets.
The flow table information collected in the invention comprises the source IP, the destination IP, the received byte count (Bytes) and the received packet count (Packets); the number of detection rounds over the SDN network is counted as a period counter (T_COUNT). In addition, a program that monitors the SDN network environment is run, so that the state of the network is observed and whether a DDoS attack exists in the network is judged;
step 4, compute, from the data collected from the SDN network in step 3, the SSIP, SDFP, SDFB, SFE and RFIP values of each OpenFlow switch, and cache the data extracted in real time into a file;
step 5, extract the SSIP values from the data files of the switches computed in step 4 and judge them with the defense mechanism CAS-SVM (Capture Attribute SSIP-Support Vector Machine) together with the stored SVM model: first, the CAS algorithm checks whether the SSIP value is greater than the given threshold; if it is, the current traffic is directly judged to be malicious and the result is output. Otherwise, the data files of the switches are sent to the SVM model trained in step 1, which judges from the provided data whether the current traffic is normal or malicious and outputs the result; finally the result is cached into a file;
step 6, check the result output in step 5: an output of 0 means the switch is not currently under attack; an output of 1 means the switch is under DDoS attack;
step 7, if the result obtained in step 6 is 1, delete the flow table information of the attacked OpenFlow switch with an OVS command on the data plane of the SDN architecture, and then add the stored initialised flow table information to the attacked OpenFlow switch again, so that normal communication of the SDN network is restored.
The first embodiment is as follows:
fig. 1 shows a DDoS attack detection method for a machine learning-based defense mechanism CAS-SVM and an SDN network, which is designed by the present invention, and specifically includes the following steps:
step 1, process the existing data set containing the SSIP, SDFP, SDFB, SFE and RFIP attributes by feature engineering, train an SVM classification model with the SVM algorithm, and store the model;
The result of the SVM classification model is judged through the confusion matrix. In a classification task, the predicted label and the true label form four combinations, which make up the confusion matrix: TP (true positive), the number of samples whose true value is positive and which the model predicts as positive; FN (false negative), true value positive but predicted negative; FP (false positive), true value negative but predicted positive; TN (true negative), true value negative and predicted negative. From the confusion matrix four indexes can be calculated: Accuracy, Precision, Recall and Specificity. The calculation formulas are as follows,
(formulas shown as an image in the original)
As shown in fig. 2, the confusion matrix of the SVM model has TP = 379 and TN = 368 (FN and FP are read from the figure); Accuracy = 0.93, Precision = 0.93, Recall = 0.93 and Specificity = 0.92.
step 2, build the SDN network topology shown in FIG. 3. It is a custom topology consisting of 1 RYU controller, 4 OpenFlow switches and 8 hosts: the 4 switches are connected in a line, each OpenFlow switch is connected to 2 hosts, giving 8 hosts in total with IP addresses 10.0.0.1 to 10.0.0.8.
step 3, run the RYU controller, connect the virtual SDN network topology built in step 2 to the remote controller, and then collect data from the switches with an OVS command on the data plane, thereby obtaining the flow table information of each switch in the SDN network topology. In addition, a program that monitors the SDN network environment is run, so that the state of the network is observed and whether a DDoS attack exists is judged.
step 4, compute, from the data collected from the SDN network in step 3, the SSIP, SDFP, SDFB, SFE and RFIP values of each OpenFlow switch, and cache the data extracted in real time into a file. In the simulation experiment the DDoS attack is started at period 10, the host PC4 connected to OpenFlow Switch2 being the target, and stopped at period 50, while the host pairs PC2 and PC6, PC7 and PC5, and PC8 and PC3 keep communicating; the SDFB, SDFP, SFE, SSIP and RFIP values computed for OpenFlow Switch2 are shown in fig. 5;
where SSIP (Speed of Source IP) is the number of source IP addresses per unit time; SDFP (Standard Deviation of Flow Packets) is the standard deviation of the packet counts of the flow entries within time T; SDFB (Standard Deviation of Flow Bytes) is the standard deviation of the byte counts of the flow entries within time T; SFE (Speed of Flow Entries) is the number of flow entries per unit time; RFIP (Ratio of Pair-Flow Entries) is the ratio of interactive (paired) flow entries;
the calculation formula of each attribute is as follows,
(formulas shown as an image in the original)
number of different IP sources: the number of distinct source IP addresses (since more than one flow table is sent in the network, multiple flow tables are received, each flow table contains multiple flow entries, and each flow entry has one source IP address);
T period: T is the collection period, in seconds (s);
packet_i: the packet count of the i-th flow entry received in period T;
mean_packets: the mean of the packet counts of all flow entries received in period T;
bytes_i: the byte count of the i-th flow entry received in period T;
mean_bytes: the mean of the byte counts of all flow entries received in period T;
number of flow entries: the number of flow entries received in period T;
total number of flow in T period: the total number of flow entries received in period T;
interactive of flow entries: the number of interactive (paired) flow entries;
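The attribute definitions above, carried through on real input as an added example (this is not code from the patent or from its authors): the block parses text in the style of `ovs-ofctl dump-flows <switch>`, which is the OVS command step 3 refers to, and computes SSIP, SDFP, SDFB, SFE and RFIP for one period. The dump lines are constructed to mirror fig. 5 (Switch2 with the PC2/PC6 and PC7/PC5 pairs, then the SYN flood on PC4); the period length T = 3 s, the use of the population standard deviation and the interpretation of an "interactive" entry as one whose reverse (dst to src) entry also exists are assumptions, since the patent does not fix them.

```python
"""Feature extraction for the five CAS-SVM attributes of one switch.

Added example, not code from the patent. It parses text in the style of
`ovs-ofctl dump-flows <switch>` and computes SSIP, SDFP, SDFB, SFE and RFIP
for one collection period. The dump lines below are constructed; the period
length T and the use of the population standard deviation are assumptions.
"""
import re
from statistics import pstdev

T_PERIOD = 3.0  # assumed collection period T in seconds

_PACKETS = re.compile(r"n_packets=(\d+)")
_BYTES = re.compile(r"n_bytes=(\d+)")
_SRC = re.compile(r"nw_src=([\d.]+)")
_DST = re.compile(r"nw_dst=([\d.]+)")

# Constructed dump of OpenFlow Switch2 with only the ping pairs PC2<->PC6 and
# PC7<->PC5 active, plus the table-miss rule that punts unknown packets.
NORMAL_DUMP = """\
 cookie=0x0, duration=3.1s, table=0, n_packets=30, n_bytes=2940, priority=1,ip,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=output:2
 cookie=0x0, duration=3.1s, table=0, n_packets=30, n_bytes=2940, priority=1,ip,nw_src=10.0.0.6,nw_dst=10.0.0.2 actions=output:1
 cookie=0x0, duration=3.0s, table=0, n_packets=20, n_bytes=1960, priority=1,ip,nw_src=10.0.0.7,nw_dst=10.0.0.5 actions=output:3
 cookie=0x0, duration=3.0s, table=0, n_packets=20, n_bytes=1960, priority=1,ip,nw_src=10.0.0.5,nw_dst=10.0.0.7 actions=output:1
 cookie=0x0, duration=9.8s, table=0, n_packets=0, n_bytes=0, priority=0 actions=CONTROLLER:65535
"""

# Same period during the SYN flood on PC4: one single-packet entry per spoofed
# source address (constructed; 192.0.2.0/24 is a documentation range).
ATTACK_DUMP = NORMAL_DUMP + "".join(
    " cookie=0x0, duration=0.4s, table=0, n_packets=1, n_bytes=60, "
    f"priority=1,tcp,nw_src=192.0.2.{i},nw_dst=10.0.0.4,tp_dst=80 actions=output:2\n"
    for i in range(1, 9)
)


def parse_flow_entries(dump):
    """Return (src, dst, packets, bytes) for every IP flow entry in the dump.

    Entries without both nw_src and nw_dst (the table-miss rule, ARP-only
    rules) carry no per-flow counters of interest and are skipped.
    """
    entries = []
    for line in dump.splitlines():
        src, dst = _SRC.search(line), _DST.search(line)
        if not (src and dst):
            continue
        packets = int(_PACKETS.search(line).group(1))
        nbytes = int(_BYTES.search(line).group(1))
        entries.append((src.group(1), dst.group(1), packets, nbytes))
    return entries


def compute_features(entries, t_period=T_PERIOD):
    """Five attributes for one period, following the patent's definitions.

    SSIP = distinct source IPs / T        SFE  = flow entries / T
    SDFP = std dev of per-entry packets   SDFB = std dev of per-entry bytes
    RFIP = entries whose reverse (dst -> src) entry also exists / entries
    """
    if not entries:
        return dict.fromkeys(("SSIP", "SDFP", "SDFB", "SFE", "RFIP"), 0.0)
    pairs = {(s, d) for s, d, _, _ in entries}
    interactive = sum(1 for s, d, _, _ in entries if (d, s) in pairs)
    return {
        "SSIP": len({s for s, _, _, _ in entries}) / t_period,
        "SDFP": pstdev([p for _, _, p, _ in entries]),
        "SDFB": pstdev([b for _, _, _, b in entries]),
        "SFE": len(entries) / t_period,
        "RFIP": interactive / len(entries),
    }


if __name__ == "__main__":
    for name, dump in (("normal", NORMAL_DUMP), ("attack", ATTACK_DUMP)):
        feats = compute_features(parse_flow_entries(dump))
        print(name, {k: round(v, 3) for k, v in feats.items()})
```

On the constructed normal period the four ping entries give SSIP = SFE = 4/3 and RFIP = 1.0; the eight spoofed single-packet entries of the flood triple SSIP and SFE to 4.0, pull RFIP down to 1/3 and inflate both standard deviations, which is the separation the SVM later relies on. Spoofed sources in particular never produce a reverse entry, so RFIP is the attribute a flood cannot easily fake.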
step 5, extract the SSIP values from the data files of the switches computed in step 4 and judge them with the defense mechanism CAS-SVM (Capture Attribute SSIP-Support Vector Machine) together with the stored SVM model: first, the CAS algorithm checks whether the SSIP value is greater than the given threshold; if it is, the current traffic is directly judged to be malicious and the result is output. Otherwise, the data files of the switches are sent to the SVM model trained in step 1, which judges from the provided data whether the current traffic is normal or malicious and outputs the result; finally the result is cached into a file;
the CAS-SVM algorithm principle is as follows:
(1) SVM: a Support Vector Machine (SVM) algorithm is a supervised learning algorithm that trains models using labeled data. The support vector machine model will compute decision boundaries between the marker data, also referred to as hyperplanes. These points near the hyperplane are called extreme points. The algorithm optimizes these decision boundaries by establishing the boundaries of the hyperplane, several kernels for optimizing these decision boundaries. Linear, RBF, polynomial and Sigmoid are the most commonly used kernels. Real world data may be one-dimensional or multi-dimensional. These data sets are not always linearly separable. Linear kernels may handle linearly separated datasets, for non-linear datasets other kernels may be used to convert and classify non-linear datasets into linear datasets. The support vector machine is an effective memory efficiency model in multidimensional datasets. The present invention uses an SVM linear kernel.
When the training samples are linearly separable, a linear classifier, namely a support vector machine of a linear kernel, is learned through hard interval maximization. Given training sample set D { (X)1,Y1)(X2,Y2),…,(Xm,Ym)},YiE { -1, +1}, i { -1, 2,3 … … m; finding hyperplane f (x) ═ ω in sample space based on training set DTρ + β is 0 plane (where ω and β are model parameters and ρ is the column vector of the sample set), and then two classifications are performed;
Figure BDA0003194758410000081
note: w ═ W1,W2…Wn) Determining the direction of the hyperplane for the normal vector, and totally counting m samples;
(Xi,Yi) For training sample set D { (X {)1,Y1)(X2,Y2),…,(Xm,Ym)},Yi∈{-1,+1},i=1,2,3…… m;
b is a displacement term, and determines the distance between the hyperplane and the origin;
t is the transposition of the vector;
s.t. is an abbreviation for subject to, meaning "such.
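The hard-margin problem that a linear-kernel SVM solves, written out in the notation of the note above (added here as the standard form; the original shows its formula only as an image):

\[
\min_{W,\,b}\ \frac{1}{2}\lVert W\rVert^{2}
\qquad \text{s.t.}\quad Y_i\left(W^{T}X_i + b\right) \ge 1,\quad i = 1, 2, \ldots, m
\]

The learned classifier is $f(x) = \operatorname{sign}(W^{T}x + b)$, and a sample with $W^{T}x + b > 0$ is reported as 1 (attacked), otherwise as 0. Because the constraint is hard, it has a solution only when the training set is linearly separable in the five attributes; real SDN traffic rarely is, so in practice the soft-margin form with a penalty $C$ on slack variables is used (the patent does not mention one).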
(2) CAS-SVM: the method comprises the steps that a CAS-SVM (Capture attribute SSIP-Support Vector Machine) firstly captures SSIP attribute values calculated by data of all switches in an SDN network, then compares the SSIP attribute values with a given threshold value, and if the SSIP is larger than the given threshold value, judges that the current detected flow is malicious flow, namely DDoS attack is received; if the SSIP is smaller than a given threshold value, loading an SVM model, and predicting a result according to data in the SDN network.
The time of the model is optimized when DDoS attacks are detected through the description of the CAS-SVM (Algorithm 1), and if a large number of DDoS attacks exist in the network, the network state at the moment can be directly obtained through the comparison result of the SSIP attribute value and the threshold value, so that the time consumption caused by loading an SVM model and operating an SVM model prediction result is avoided. Meanwhile, when the result cannot be accurately obtained by comparing the SSIP attribute value with the threshold value, the SVM model is used for prediction, so that the accuracy of the CAS-SVM model in detecting DDoS attacks is ensured.
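The two-stage decision of Algorithm 1 (threshold on SSIP first, SVM only when the threshold does not decide) in working form, as an added example that is not the patent's own code. To run without scikit-learn, the linear-kernel SVM is trained here by full-batch subgradient descent on the hinge loss over z-scored attributes; the twelve labelled feature rows, the z-score scaling and the SSIP threshold of 3.0 distinct sources per second are constructed assumptions (the patent gives no threshold value), and the equal-to-threshold case is sent to the SVM, which the patent leaves unspecified.

```python
"""CAS-SVM decision logic: SSIP threshold first, linear SVM only as fallback.

Added example, not the patent's code. A linear-kernel SVM is trained by
full-batch subgradient descent on the hinge loss; the 12 labelled feature rows,
the z-score scaling and the SSIP threshold are constructed assumptions.
"""
FEATURES = ("SSIP", "SDFP", "SDFB", "SFE", "RFIP")
CAS_THRESHOLD = 3.0  # assumed SSIP cut-off, distinct source IPs per second

# Constructed training rows (SSIP, SDFP, SDFB, SFE, RFIP); -1 normal, +1 DDoS.
TRAIN = [((1.0 + 0.1 * i, 4.0 + 0.5 * i, 400 + 20 * i, 1.0 + 0.1 * i, 0.90 + 0.01 * i), -1)
         for i in range(6)]
TRAIN += [((3.0 + 0.2 * i, 10.0 + i, 1000 + 50 * i, 3.0 + 0.2 * i, 0.20 + 0.02 * i), +1)
          for i in range(6)]


def fit_scaler(rows):
    """Per-feature mean and population std for z-scoring (SVMs are scale sensitive)."""
    n = len(rows)
    means = [sum(r[j] for r in rows) / n for j in range(5)]
    stds = [(sum((r[j] - means[j]) ** 2 for r in rows) / n) ** 0.5 for j in range(5)]
    return means, [s or 1.0 for s in stds]


def scale(x, scaler):
    means, stds = scaler
    return [(x[j] - means[j]) / stds[j] for j in range(5)]


def train_linear_svm(rows, labels, lam=0.01, eta=0.1, epochs=300):
    """Minimise (lam/2)||W||^2 + mean(max(0, 1 - Y_i (W.X_i + b)))."""
    w, b, n = [0.0] * 5, 0.0, len(rows)
    for _ in range(epochs):
        gw, gb = [lam * wj for wj in w], 0.0
        for x, y in zip(rows, labels):
            if y * (sum(wj * xj for wj, xj in zip(w, x)) + b) < 1:  # margin violated
                gw = [gj - y * xj / n for gj, xj in zip(gw, x)]
                gb -= y / n
        w = [wj - eta * gj for wj, gj in zip(w, gw)]
        b -= eta * gb
    return w, b


def train_model(train=TRAIN):
    scaler = fit_scaler([x for x, _ in train])
    w, b = train_linear_svm([scale(x, scaler) for x, _ in train], [y for _, y in train])
    return {"scaler": scaler, "w": w, "b": b}


def svm_predict(model, features):
    """1 (DDoS) when W^T x + b > 0 on the scaled attributes, else 0 (normal)."""
    z = scale([features[k] for k in FEATURES], model["scaler"])
    return 1 if sum(wj * zj for wj, zj in zip(model["w"], z)) + model["b"] > 0 else 0


def cas_svm_detect(features, model, threshold=CAS_THRESHOLD):
    """Return (label, svm_used) with 1 = DDoS and 0 = normal.

    Step 1 (CAS): SSIP above the threshold decides immediately.
    Step 2 (SVM): only samples at or below the threshold pay for a prediction.
    """
    if features["SSIP"] > threshold:
        return 1, False
    return svm_predict(model, features), True


def detect_batch(samples, model, threshold=CAS_THRESHOLD):
    """Labels for a batch of per-switch feature dicts plus the SVM call count."""
    results = [cas_svm_detect(s, model, threshold) for s in samples]
    return [label for label, _ in results], sum(1 for _, used in results if used)


if __name__ == "__main__":
    model = train_model()
    periods = [  # constructed per-period feature rows for one switch
        dict(zip(FEATURES, (1.3, 5.0, 490.0, 1.3, 1.0))),     # normal
        dict(zip(FEATURES, (4.0, 11.7, 1160.0, 4.0, 0.33))),  # flood, caught by CAS
        dict(zip(FEATURES, (2.8, 12.0, 1100.0, 2.8, 0.25))),  # flood below threshold
    ]
    print(detect_batch(periods, model))  # ([0, 1, 1], 2)
```

`detect_batch` returns the number of SVM evaluations alongside the labels, which is the quantity the patent's time argument rests on: in the three constructed periods only two reach the SVM, and a flood whose SSIP stays under the threshold is still caught by the model. Since step 7 resets the whole flow table of a switch flagged as 1 (with OVS, `ovs-ofctl del-flows` followed by `ovs-ofctl add-flows`), a false positive is itself a short outage for every host behind that switch, so the threshold should be set from the SSIP distribution of the deployment's normal periods rather than copied from a lab topology.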
step 6, check the result output in step 5: an output of 0 means the switch is not currently under attack; an output of 1 means the switch is under DDoS attack;
step 7, if the result obtained in step 6 is 1, delete the flow table information of the attacked OpenFlow switch with an OVS command on the data plane of the SDN architecture, and then add the stored initialised flow table information to the attacked OpenFlow switch again, so that normal communication of the SDN network is restored.
Example two:
The performance of DDoS attack detection under the SDN network architecture is compared in a simulation experiment using an SVM (support vector machine) and a Decision Tree model. To simulate a real SDN environment, the RYU controller is run with PyCharm 2021.1.1 on a local Windows 10 x64 system, and Mininet 2.2.1 on an Ubuntu 18.04 64-bit system simulates the data plane of the SDN.
In the simulation experiment a program that sends SYN packets was written with the Scapy toolkit in order to simulate a DDoS attack. When step 3 is reached, a monitoring program is run to detect the state of the SDN network. In the experiment the CAS-SVM and SVM models are used for SDN network state detection, and Wireshark is used to display the DDoS attack packets captured by host h4, as shown in fig. 4. Each OpenFlow switch in the network is monitored for 60 minutes in the simulation experiment, during which the hosts PC1 and PC5 send SYN packets to host PC4, thereby simulating a DDoS attack; at the same time PC2 pings PC6, PC7 pings PC5 and PC8 pings PC3, so that normal communication between the hosts continues.
After the DDoS attack is launched against the network, detection is performed with the SVM and CAS-SVM models, with the result shown in fig. 6: when each switch in the SDN network is monitored for 60 minutes, the SVM model detects 1200 DDoS attacks, whereas the CAS-SVM model detects 1400, so the CAS-SVM model detects more DDoS attacks than the SVM model in the same detection time and is therefore better at detecting DDoS attacks.
The preferred embodiments of the present disclosure are described in detail with reference to the accompanying drawings, however, the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solution of the present disclosure within the technical idea of the present disclosure, and these simple modifications all belong to the protection scope of the present disclosure.
It should be noted that, in the foregoing embodiments, various features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various combinations that are possible in the present disclosure are not described again.
In addition, any combination of various embodiments of the present disclosure may be made, and the same should be considered as the disclosure of the present disclosure, as long as it does not depart from the spirit of the present disclosure.

Claims (6)

1. A DDoS attack detection method based on machine learning is characterized by comprising the following steps:
step 1, acquiring a data set containing SSIP, SDFP, SDFB, SFE and RFIP, training by using an SVM algorithm to obtain an SVM classification model, and constructing an SDN network topological structure;
step 2, the SDN network topology structure is connected with a remote controller, and an OVS command is used on a data plane to acquire data of a switch in the SDN network topology structure so as to obtain flow table information of the switch;
step 3, calculating by using the flow table information acquired in the step 2 to obtain an SSIP value, an SDFP value, an SDFB value, an SFE value and an RFIP value of the switch;
step 4, taking each switch as the processing object, extract the SSIP value obtained in step 3 and judge, according to the CAS algorithm, whether the SSIP value is greater than a given threshold; if it is, the current traffic is determined to be malicious; if the SSIP value is smaller than the given threshold, input the SSIP, SDFP, SDFB, SFE and RFIP values of the switch into the SVM classification model obtained in step 1 for detection, which judges whether the current traffic is normal or malicious.
2. A DDoS attack detection method based on machine learning according to claim 1, wherein if the output result of step 4 is malicious traffic, the flow table information of the switch is deleted, and initialization flow table information is added to the switch.
3. A DDoS attack detection method based on machine learning according to claim 1 or 2, characterized in that said switch is an OpenFlow switch.
4. The machine learning-based DDoS attack detection method according to claim 1 or 2, wherein the detection by the SVM classification model specifically comprises:
given a training sample set $D = \{(X_1, Y_1), (X_2, Y_2), \ldots, (X_m, Y_m)\}$, $Y_i \in \{-1, +1\}$, $i = 1, 2, 3, \ldots, m$; finding a hyperplane $f(x) = \omega^{T}\rho + \beta = 0$ in the sample space based on the training set $D$, where $\omega$ and $\beta$ are model parameters, $\rho$ is the column vector of a sample and $x$ represents the input; then carrying out binary classification;
(formula shown as an image in the original)
wherein $W = (W_1, W_2, \ldots, W_n)$ is the normal vector, which determines the direction of the hyperplane, and there are $m$ samples in total;
$(X_i, Y_i)$ are the samples of the training set $D = \{(X_1, Y_1), (X_2, Y_2), \ldots, (X_m, Y_m)\}$, $Y_i \in \{-1, +1\}$; $i = 1, 2, 3, \ldots, m$;
$b$ is the displacement term, which determines the distance between the hyperplane and the origin;
$T$ denotes the transpose of a vector;
s.t. is an abbreviation of "subject to" and introduces the constraints.
5. A method for detecting DDoS attack based on machine learning according to claim 1 or 2, wherein the SSIP value, SDFP value, SDFB value, SFE value and RFIP value in step 4 are calculated by the following formulas:
[Formula image FDA0003194758400000021 (formulas not reproduced on this page)]
number of different IP sources: the number of data packets with different source IP addresses;
T period: T is the cycle time in seconds (s);
packet_i: the number of data packets received in a T period;
mean_packets: the average number of data packets received in the T period;
bytes_i: the number of bytes received in a T period;
mean_bytes: the average number of bytes received in the T period;
number of flow entries;
total number of flows in T period: the number of flow tables received in the T period;
interactive flow entries: the number of interactive flow entries.
6. A machine learning based DDoS attack detection method according to claim 1 or 2, wherein said SDN network topology comprises 1 RYU controller, 4 OpenFlow switches and 8 hosts.
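Steps 3 and 4 of claim 1, the decision function of claim 4 and the feature definitions of claim 5, as an added Python example that is not part of the patent: the feature formulas are assumed from the variable definitions above (the formula images are not reproduced here), the CAS check is reduced to a plain threshold comparison on SSIP, and the trained SVM of step 1 is replaced by a hand-set hyperplane (W, B) applied to constructed flow-table snapshots.

```python
import math
from dataclasses import dataclass

@dataclass
class FlowEntry:            # one flow-table entry read from the switch
    src: str
    dst: str
    packets: int
    nbytes: int

def extract_features(flows, T):
    """(SSIP, SDFP, SDFB, SFE, RFIP) for one switch over a period of T seconds.
    Assumed formulas (the claim's formula image is not on the page): SSIP = distinct
    source IPs / T, SDFP/SDFB = population std. dev. of packet_i / bytes_i, SFE = flow
    entries / T, RFIP = interactive entries / total flows (reverse dst->src flow exists)."""
    n = len(flows)
    if n == 0:
        return (0.0, 0.0, 0.0, 0.0, 0.0)
    mean_packets = sum(f.packets for f in flows) / n
    mean_bytes = sum(f.nbytes for f in flows) / n
    pairs = {(f.src, f.dst) for f in flows}
    interactive = sum(1 for f in flows if (f.dst, f.src) in pairs)
    return (len({f.src for f in flows}) / T,
            math.sqrt(sum((f.packets - mean_packets) ** 2 for f in flows) / n),
            math.sqrt(sum((f.nbytes - mean_bytes) ** 2 for f in flows) / n),
            n / T,
            interactive / n)

def svm_predict(x, w, b):
    """Sign of f(x) = w^T x + b (claim 4); +1 is taken as normal, -1 as malicious."""
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b >= 0 else -1

def detect(flows, T, ssip_threshold, w, b):
    """Two-stage decision of step 4: SSIP threshold check first, SVM second."""
    feats = extract_features(flows, T)
    if feats[0] > ssip_threshold:          # CAS-style fast path on SSIP alone
        return "malicious", feats
    label = "normal" if svm_predict(feats, w, b) == 1 else "malicious"
    return label, feats

# Constructed flow-table snapshots (period T = 3 s) and an assumed, hand-set
# hyperplane standing in for the trained model of step 1.
T = 3
NORMAL = [FlowEntry("10.0.0.1", "10.0.0.2", 40, 4000), FlowEntry("10.0.0.2", "10.0.0.1", 38, 3800),
          FlowEntry("10.0.0.3", "10.0.0.4", 42, 4200), FlowEntry("10.0.0.4", "10.0.0.3", 40, 4000)]
FLOOD = [FlowEntry(f"172.16.{i}.{i}", "10.0.0.2", 1, 60) for i in range(20)]   # spoofed sources
LOWRATE = [FlowEntry(f"192.168.1.{i}", "10.0.0.2", 2, 120) for i in range(6)]  # below SSIP threshold
SSIP_THRESHOLD = 5.0
W, B = (-0.5, 0.0, 0.0, -0.5, 4.0), -1.0
```

The low-rate snapshot shows why the second stage exists: its SSIP of 2.0 passes the threshold check, but the absence of interactive (reverse) flows drives the SVM decision to malicious.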
CN202110888851.4A 2021-08-03 2021-08-03 DDoS attack detection method based on machine learning Pending CN113691503A (en)
Publications (1)

Publication Number Publication Date
CN113691503A true CN113691503A (en) 2021-11-23
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20211123