CN114363065A - DDoS detection method based on GSODNN and SDN - Google Patents


Publication number
CN114363065A
Authority
CN
China
Prior art keywords
firefly
value
feature
ddos attack
ddos
Legal status
Granted
Application number
CN202210003465.7A
Other languages
Chinese (zh)
Other versions
CN114363065B (en)
Inventor
尚凤军
邹亮亮
Current Assignee
Chongqing University of Post and Telecommunications
Original Assignee
Chongqing University of Post and Telecommunications

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of computers, in particular to a DDoS detection method based on GSODNN and SDN. An SDN controller counts the number of Packet_In packets of each switch within time T to judge whether the switch is abnormal; for an abnormal switch, the source IP address entropy of its Packet_In packets within time T is calculated to judge whether the abnormality may be a DDoS attack. If it may be a DDoS attack, flow table features and related network traffic features are extracted, an optimal feature set is selected with the MIC-FCBF algorithm, and features sensitive to DDoS attacks are constructed. The selected optimal feature set and the constructed DDoS-sensitive features are input into a deep neural network based on the artificial firefly swarm optimization algorithm for DDoS attack detection. The invention removes data redundancy, avoids the instability of manual tuning in DDoS attack detection, shortens training time and improves detection accuracy.

Description

DDoS detection method based on GSODNN and SDN
Technical Field
The invention relates to the field of computers, in particular to a DDoS (distributed denial of service) detection method based on a deep neural network optimized by the artificial firefly swarm optimization algorithm (Deep Neural Network Based on Glowworm Swarm Optimization Algorithm, GSODNN) and a Software Defined Network (SDN).
Background
Network security has been a hotspot of network research in recent years. Many researchers have studied how to better defend against DDoS attacks, and many methods have been proposed. Although there is much research on DDoS attacks, limitations of technology and of practical conditions leave many problems to overcome and many challenges to meet. The current problems are as follows:
(1) When to collect traffic information for DDoS attack detection. One existing approach continuously polls the controller to extract the needed information from the switch's message management queue and uses it as the basis for detecting whether a DDoS attack has occurred. The disadvantage of this method is that polling for traffic information puts additional load on the controller and fails to detect DDoS attacks in real time.
(2) Selection of SDN traffic features. In practical application scenarios, the choice of traffic features determines the effectiveness and efficiency of DDoS detection. One existing approach uses SDN network traffic information that is highly correlated with DDoS attacks as model input; this may include redundant features and does not make full use of DDoS attack characteristics. Tankian et al. construct some traffic features sensitive to DDoS for this purpose, which is not without effect, but they do not consider all situations, and false detections may occur for normal traffic scenarios that resemble DDoS attacks (such as FC traffic).
(3) Design of the DDoS attack detection model. Muxianghua et al. detect DDoS with a method based on information entropy: packet information is sent to the SDN controller for analysis, and whether a DDoS attack is under way is judged from how the randomness of packet destination addresses differs between a normal network environment and a DDoS attack environment. Other researchers use a deep neural network as the DDoS detection model; although its accuracy is higher, the training time is longer, the tuning of model parameters depends too heavily on the experimenter's experience, and the model is unstable.
Disclosure of Invention
Aiming at the problems, the invention provides a DDoS detection method based on GSODNN and SDN, which comprises the following steps:
the SDN controller counts the number of Packet_In packets of each switch within time T to judge whether the switch is abnormal; if the switch is abnormal, the SDN controller calculates the source IP address entropy of the abnormal switch's Packet_In packets within time T to judge whether the abnormality may be a DDoS attack;
for traffic that may be a DDoS attack, the SDN controller extracts the flow table features and related network traffic features of the abnormal switch, selects an optimal feature set with the MIC-FCBF algorithm, and constructs features sensitive to DDoS attacks;
the selected optimal feature set and the constructed DDoS-sensitive features are input into a deep neural network based on the artificial firefly swarm optimization algorithm for DDoS attack detection.
Further, the process by which the controller performs DDoS attack pre-detection includes:
the switch uploads packet_in packets that failed flow table matching to the controller;
the controller calculates the number of packet_in packets of each switch within a set time period;
if the number of packet_in packets of a switch does not exceed a set threshold, the corresponding data is handed to the controller for subsequent processing; otherwise, the entropy of the source IP addresses of the packets is calculated;
whether the entropy of the source IP addresses of the packets exceeds a set threshold is judged; if not, the corresponding data is handed to the controller for subsequent processing; otherwise, DDoS attack detection is carried out.
Further, the entropy value of the source IP address of the packet is expressed as:
Figure BDA0003454460100000021
wherein H(X) is the entropy value of the source IP addresses of the packets; X is the set of source IP addresses of the packets; $p_i$ is the proportion of the i-th source IP address in the source IP address set; and n is the number of elements in the set of source IP addresses of the packets.
Further, the process of selecting the optimal feature set by adopting the MIC-FCBF algorithm comprises the following steps:
101. calculating the maximum mutual information coefficient between each traffic feature and the target feature, recorded as $MIC_{Yi}$, and selecting the m features with the largest maximum mutual information coefficient values;
102. taking the feature whose maximum mutual information coefficient with the target feature is largest as the main feature $F_{Yi}$, and sequentially calculating the maximum mutual information coefficient between each of the other selected features and the main feature, recorded as $MIC_{ij}$;
103. if $MIC_{ij} \ge MIC_{Yi}$, feature j is a redundant feature of the main feature i and is deleted;
104. selecting the feature with the highest maximum mutual information coefficient between traffic feature and target feature as the main feature, and repeating steps 102 to 103.
Further, the calculation of the maximum mutual information coefficient value between the two features comprises:
Figure BDA0003454460100000031
wherein MIC(X, Y) represents the maximum mutual information coefficient value between feature X and feature Y; IG(X|Y) is the information gain, that is, the difference between the information entropy of feature X and the conditional entropy H(X|Y) of feature X given that feature Y is known; H(X) is the information entropy of feature X; H(Y) is the information entropy of feature Y.
Further, the process of constructing the features sensitive to DDoS attacks includes:
Figure BDA0003454460100000032
the average number of bytes of the weighted data packet is expressed as:
Figure BDA0003454460100000033
a weighted flow distribution entropy value represented as:
Figure BDA0003454460100000034
the weighted flow entry rate of increase, expressed as:
Figure BDA0003454460100000035
a weighted source IP address entropy value represented as:
Figure BDA0003454460100000041
wherein $DSTnum_i$, $i \in \{1,2,3,\ldots,n\}$, is the number of entries with destination address $DST_i$ in the switch flow table entries; $DSTnum_{all}$ is the total number of switch flow table entries; ε is a weight value of the feature, ε ∈ (1, 2]; $packetbyte_i$, $i \in \{1,2,3,\ldots,n\}$, is the number of bytes of the i-th Packet_In packet within time T; $Packet_{num}$ is the total number of Packet_In packets within time T; $flow_{i\_num}$ is the number of the i-th data flows in the traffic data collection stage for detecting DDoS attack, and FE_num is the total number of data flows in the network;
Figure BDA0003454460100000042
is the total number of switch flow table entries at time point $t_0$,
Figure BDA0003454460100000043
is the total number of switch flow table entries at time point $t_0 + \Delta t$, where Δt approaches 0; $srcip_{i\_num}$ is the number of occurrences of the i-th source IP address in the switch flow table, $i \in \{1,2,3,\ldots,n\}$, and n is the total number of source IP addresses; FE_num is the total number of switch flow entries.
Further, the process of inputting the selected optimal feature set and the constructed DDoS-sensitive features into the deep neural network based on the artificial firefly swarm optimization algorithm for DDoS attack detection includes:
normalizing the selected optimal feature set and the constructed DDoS-sensitive features;
inputting the normalized features into a pre-trained deep neural network based on the artificial firefly swarm optimization algorithm to perform DDoS attack detection and judge whether a DDoS attack exists; if so, taking corresponding defense measures; otherwise, handing the packets to the controller for subsequent processing.
Further, the training process of the deep neural network based on the artificial firefly swarm optimization algorithm comprises the following steps:
initializing the basic parameters of the artificial firefly swarm optimization algorithm, and taking the training accuracy of the deep neural network as the objective function;
giving a value range for each parameter of the deep neural network, taking these ranges as the search space of the artificial firefly swarm optimization algorithm, and randomly initializing n fireflies within the search space, each firefly corresponding to one parameter combination of the deep neural network;
importing the training data into the deep neural networks corresponding to the n fireflies for training, and calculating the objective function value of each firefly;
updating the luciferin value of each firefly, and taking the other fireflies whose luciferin value is larger than that of the current firefly as neighbors of the current firefly;
calculating the selection probability of each firefly in the current firefly's neighbor set with a roulette strategy, obtaining a random number from a random function, moving the current firefly toward the neighbor whose cumulative selection probability is closest to the random number, and updating the position of the current firefly;
updating the dynamic decision threshold of each firefly, and judging whether the iteration count of the artificial firefly swarm optimization algorithm has reached its maximum or the set error threshold has been reached; if either has been reached, ending the iteration process;
finding the firefly with the highest luciferin value in the last iteration, and taking the deep neural network parameter combination corresponding to that firefly as the parameters of the deep neural network.
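The training loop described above can be sketched as follows. This is an added example, not code from the patent: the update rules and constants (`rho`, `gamma`, `beta`, `n_t`, `step`) are those of the standard glowworm swarm optimization algorithm, the roulette step picks the first neighbor whose cumulative probability exceeds the random number, the best parameter set ever evaluated is returned, and `surrogate_accuracy` is a hypothetical stand-in for "train the DNN with these parameters and return its accuracy".

```python
import math
import random


def roulette_pick(weights, r):
    """Roulette wheel: index of the first entry whose cumulative probability exceeds r."""
    total = sum(weights)
    acc = 0.0
    for idx, w in enumerate(weights):
        acc += w / total
        if r < acc:
            return idx
    return len(weights) - 1  # guard against rounding when r is close to 1


def gso_search(objective, bounds, n=20, iters=40, seed=0,
               rho=0.4, gamma=0.6, beta=0.08, n_t=5, step=0.05, l0=5.0):
    """Maximise objective(params) over the box `bounds` with glowworm swarm optimization.

    Positions live in the normalised unit cube so that parameters with very
    different scales (log learning rate, dropout, layer width) move comparably.
    """
    rng = random.Random(seed)
    dim = len(bounds)
    r_s = math.sqrt(dim)                      # sensor range: the cube diagonal
    pos = [[rng.random() for _ in range(dim)] for _ in range(n)]
    luciferin = [l0] * n
    r_d = [r_s] * n                           # dynamic decision range per firefly

    def decode(p):
        return [lo + u * (hi - lo) for u, (lo, hi) in zip(p, bounds)]

    best_val, best_params = -math.inf, None
    for _ in range(iters):
        # 1. Evaluate every firefly and update its luciferin value.
        for i in range(n):
            val = objective(decode(pos[i]))
            luciferin[i] = (1 - rho) * luciferin[i] + gamma * val
            if val > best_val:
                best_val, best_params = val, decode(pos[i])
        # 2. Each firefly moves one step toward a brighter neighbour.
        new_pos = [p[:] for p in pos]
        for i in range(n):
            nbrs = [j for j in range(n)
                    if j != i and luciferin[j] > luciferin[i]
                    and math.dist(pos[i], pos[j]) < r_d[i]]
            if nbrs:
                gains = [luciferin[j] - luciferin[i] for j in nbrs]
                j = nbrs[roulette_pick(gains, rng.random())]
                d = math.dist(pos[i], pos[j])
                if d > 0:
                    new_pos[i] = [min(1.0, max(0.0, a + step * (b - a) / d))
                                  for a, b in zip(pos[i], pos[j])]
            # 3. Shrink or grow the decision range toward n_t neighbours.
            r_d[i] = min(r_s, max(0.0, r_d[i] + beta * (n_t - len(nbrs))))
        pos = new_pos
    return best_params, best_val


# Hypothetical search space: log10(learning rate), dropout, hidden-layer width.
SEARCH_BOUNDS = [(-4.0, -1.0), (0.0, 0.7), (16.0, 256.0)]


def surrogate_accuracy(params):
    """Constructed stand-in for DNN validation accuracy, peaking at lr=1e-2, dropout=0.3, 128 units."""
    log_lr, dropout, units = params
    return 1.0 - ((log_lr + 2.0) / 3.0) ** 2 - ((dropout - 0.3) / 0.7) ** 2 \
               - ((units - 128.0) / 240.0) ** 2


if __name__ == "__main__":
    params, acc = gso_search(surrogate_accuracy, SEARCH_BOUNDS)
    print("best parameters:", params, "objective:", round(acc, 4))
```

In real use the objective trains one network per call, so `n * iters` bounds the number of training runs the search costs.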
The invention has the following beneficial effects:
1. The invention adopts an entropy-based pre-detection method: the entropy of traffic features that change markedly when a DDoS attack occurs is used to judge whether network traffic is abnormal. This achieves traffic anomaly pre-detection, which in turn triggers the SDN controller to collect the relevant traffic features for DDoS attack detection.
2. The invention adopts the MIC-FCBF algorithm to select traffic features and reconstructs effective features. The quality of traffic feature selection is a key factor in the accuracy of the detection model, so the invention preprocesses and reconstructs the SDN traffic features. Correlation analysis is performed between the traffic features and whether a DDoS attack occurs, and the features with greater influence on DDoS attack detection are selected; traffic features are then reconstructed from the network traffic changes that are most evident when a DDoS attack occurs and from the differences between DDoS attack traffic and FC traffic, so as to remove data redundancy and detect efficiently and accurately.
3. The invention adopts a deep neural network based on the artificial firefly swarm optimization algorithm as the DDoS attack detection model. In traditional neural network parameter optimization, parameters are adjusted manually after each training run according to the training results and experience, until a better classification or prediction effect is finally achieved. However, this approach does not necessarily lead to an optimal neural network model, and manual parameter adjustment depends too heavily on experience, so that obtaining a good model takes too long. Therefore, the artificial firefly swarm optimization algorithm, an intelligent optimization algorithm, is adopted to help train the neural network: the parameters of the neural network (the number of hidden layers, the number of neurons in the hidden layers, the learning rate, the Dropout value, the activation function, the optimizer and the like) are used as firefly individuals, the neural network training result is used as the fitness function of the artificial firefly swarm optimization algorithm, and the neural network model with the optimal parameters is found through repeated iterative training. This avoids the instability of manual tuning, shortens training time and can improve detection accuracy.
Drawings
FIG. 1 is a flow chart of a DDoS detection method based on GSODNN and SDN according to the present invention;
FIG. 2 is a schematic diagram of anomaly detection in the switch of the present invention;
FIG. 3 is a schematic diagram of entropy-based pre-detection of the present invention;
FIG. 4 is a flow chart of flow characteristic selection based on MIC-FCBF algorithm of the present invention;
FIG. 5 is a flow chart of the feature extraction and processing of the present invention;
FIG. 6 is a diagram of a neuron architecture employed in the present invention;
FIG. 7 is a diagram of a neural network architecture employed in the present invention;
FIG. 8 is a deep neural network training flow diagram;
FIG. 9 is a flow chart of an artificial firefly population optimization algorithm;
FIG. 10 is a flowchart of the deep neural network algorithm based on the artificial firefly population optimization algorithm of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a DDoS detection method based on GSODNN and SDN, which comprises the following steps:
the SDN controller counts the number of Packet_In packets of each switch within time T to judge whether the switch is abnormal; if the switch is abnormal, the SDN controller calculates the source IP address entropy of the abnormal switch's Packet_In packets within time T to judge whether the abnormality may be a DDoS attack;
for traffic that may be a DDoS attack, the SDN controller extracts the flow table features and related network traffic features of the abnormal switch, selects an optimal feature set with the MIC-FCBF algorithm, and constructs features sensitive to DDoS attacks;
the selected optimal feature set and the constructed DDoS-sensitive features are input into a deep neural network based on the artificial firefly swarm optimization algorithm for DDoS attack detection.
In this embodiment, the method of the invention is divided into two parts: a DDoS attack pre-detection module and a DDoS attack detection module. The main function of the pre-detection module is to sense a DDoS attack promptly when it occurs and to trigger the detection module to collect the relevant information for attack detection. It counts the Packet_In packets of each switch within a certain time and judges whether the count exceeds a specified threshold; if it does, the packets processed by that switch are considered abnormal. The entropy of the source IP addresses of all packets processed within that time by the switch that exceeded the threshold is then calculated and compared with a specified threshold; if the entropy exceeds it, a DDoS attack is judged to be possible and the DDoS attack detection module is triggered. The DDoS attack detection module mainly comprises feature collection, feature selection, feature reconstruction, feature processing and DDoS attack detection.
Feature collection means that after the pre-detection module detects an abnormality that may be a DDoS attack, the controller collects the flow table information and related traffic information of the abnormal switch to provide data support for DDoS attack detection. Feature selection uses the MIC-FCBF algorithm to select features, removing irrelevant features and redundant features. Feature reconstruction builds traffic-change features that change markedly when a DDoS attack occurs and effective features that can distinguish DDoS attacks from FC traffic, to improve the effectiveness and accuracy of detection. Feature processing normalizes the features to improve the convergence speed and detection precision of the detection model. DDoS attack detection uses a trained deep neural network model based on the artificial firefly swarm optimization algorithm to perform binary classification on the processed feature data and judge whether a DDoS attack has occurred. As shown in fig. 1, the method specifically includes:
(One) DDoS attack pre-detection module
This module is mainly responsible for sensing a DDoS attack in advance, marking the switches that may be receiving DDoS attack packets, and triggering the operation of the DDoS attack detection module.
1. Judging whether the data flow in the network is normal
Packets in the SDN network are matched and forwarded according to the flow table in a switch. If a packet cannot be matched, the switch cannot process it and can only forward it to the controller as a Packet_In message. As shown in fig. 2, after the controller finishes processing, it issues the corresponding flow table instruction to the switch, so that this packet and later packets conforming to the matching rule can be forwarded according to the flow table entry. When a DDoS attack occurs, a large number of attack packets are generated whose source IP addresses are often forged and cannot be matched in the switch, so a large number of Packet_In packets are generated and handed to the controller, which can overload the controller or even bring it down. Based on this attack characteristic of DDoS, the switch IDs are numbered and denoted $S_i$, i = 1, 2, …, N, where N is the number of switches. The number of Packet_In packets of each switch within a certain time T is then counted and recorded as $P_{si} = \{P_{s1}, P_{s2}, P_{s3}, \ldots, P_{sn}\}$, where sn is the switch number. Each count is compared with a set threshold P; if the number of Packet_In packets of a switch within time T is greater than P, the data flow of that switch is considered abnormal, and its ID is recorded as the object of the next verification. The threshold P is obtained by simulating various DDoS attacks many times and analyzing how the sending rate of Packet_In packets of the abnormal switch changes.
2. Determining whether a DDoS attack is likely
Because Packet_In packets increase in many situations in which the likelihood of a DDoS attack is not high, it is necessary to further determine whether the abnormal traffic may be DDoS attack traffic. As shown in fig. 3, the entropy H(Si_SIP) of the source IP addresses of the Packet_In packets of each such switch within time T is calculated and compared with a specified threshold H; if the value is greater than H, a DDoS attack is judged to be possible and the DDoS detection module is triggered; otherwise, normal processing is performed. The threshold H is obtained by simulating various DDoS attacks many times and statistically analyzing how the entropy of the source IP addresses of the abnormal switch's Packet_In packets within time T changes.
The entropy mentioned above refers to the entropy of information, which is used to measure the degree of uncertainty of the information contained within the system. In the field of mathematics, information entropy is defined as the expectation of the amount of information used to determine the uncertainty of a variable, the larger the uncertainty, the larger its entropy value. Based on this characteristic, the information entropy may be used to measure a degree of uncertainty of network traffic characteristics in the SDN network. The formula of the information entropy is as follows.
For a random variable X with value set $X = \{x_1, x_2, x_3, \ldots, x_n\}$, the probability distribution of the values $x_i$ is $P = \{p_1, p_2, p_3, \ldots, p_n\}$, where
Figure BDA0003454460100000081
The entropy formula of the random variable X is:
Figure BDA0003454460100000091
Generally, DDoS attacks use IP spoofing: the source IP address is forged and a large number of attack packets are sent to the destination host in order to consume network system resources. When a DDoS attack occurs, a large number of packets with previously unseen source IP addresses are generated, so the source IP addresses become highly dispersed and their information entropy grows. Therefore the source IP addresses of the abnormal switch's Packet_In packets within time T can be extracted and the entropy of the source IP address set calculated; if the entropy is greater than a given threshold, a DDoS attack is judged to be possible and the DDoS detection module is triggered.
(Two) DDoS attack detection module
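The two-stage pre-detection described above (Packet_In count against threshold P, then source IP entropy against threshold H) can be written out as follows. This is an added example, not code from the patent: the event tuples, the threshold values and the base-2 logarithm are assumptions, and the sample events are constructed with addresses from the documentation ranges.

```python
import math
from collections import Counter, defaultdict


def source_ip_entropy(src_ips):
    """Shannon entropy of the source IP distribution (base 2, an assumption)."""
    counts = Counter(src_ips)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def pre_detect(packet_ins, t_start, window_t, count_threshold_p, entropy_threshold_h):
    """Classify each switch for the window [t_start, t_start + window_t).

    packet_ins: iterable of (timestamp_seconds, switch_id, source_ip) tuples,
    one per Packet_In message received by the controller.
    Returns {switch_id: "normal" | "abnormal_not_ddos" | "suspected_ddos"}.
    """
    per_switch = defaultdict(list)
    for ts, switch_id, src_ip in packet_ins:
        if t_start <= ts < t_start + window_t:
            per_switch[switch_id].append(src_ip)

    verdicts = {}
    for switch_id, ips in per_switch.items():
        # Stage 1: is the Packet_In count of this switch above P?
        if len(ips) <= count_threshold_p:
            verdicts[switch_id] = "normal"
            continue
        # Stage 2: only abnormal switches pay for the entropy computation.
        if source_ip_entropy(ips) > entropy_threshold_h:
            verdicts[switch_id] = "suspected_ddos"      # trigger the detection module
        else:
            verdicts[switch_id] = "abnormal_not_ddos"   # busy, but few distinct sources
    return verdicts


# Constructed sample window (not captured traffic):
#   s1: 4 Packet_In messages from 2 hosts           -> below P
#   s2: 64 Packet_In messages, every source unique  -> entropy log2(64) = 6
#   s3: 64 Packet_In messages from only 2 hosts     -> entropy 1
SAMPLE_EVENTS = (
    [(0.1 * i, "s1", f"192.0.2.{1 + i % 2}") for i in range(4)]
    + [(0.05 * i, "s2", f"198.51.100.{i + 1}") for i in range(64)]
    + [(0.05 * i, "s3", f"203.0.113.{1 + i % 2}") for i in range(64)]
    + [(7.0, "s2", "198.51.100.200")]  # outside the window, ignored
)
SAMPLE_P = 50     # constructed Packet_In count threshold
SAMPLE_H = 4.0    # constructed entropy threshold

if __name__ == "__main__":
    for sw, verdict in sorted(pre_detect(SAMPLE_EVENTS, 0.0, 5.0, SAMPLE_P, SAMPLE_H).items()):
        print(sw, verdict)
```

Switch s3 shows why the second stage exists: its Packet_In count is as high as that of s2, but the low source entropy keeps it from triggering the detection module.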
The main function of this module is as follows: when a possible DDoS attack is detected in the pre-detection stage, the flow table features and traffic features required for detection are collected and extracted, new effective features are constructed, the features are normalized, and finally the processed feature data are passed to a trained GSODNN model to judge whether the possible DDoS attack is really occurring, that is, whether there is a DDoS attack in the network. However, there are very many traffic features in the network, such as features of packets, of flows and of flow tables, so choosing which features to use is a critical step for detection. In this embodiment, network features are selected with the MIC-FCBF algorithm and then processed to remove features with low correlation as well as redundant features, which yields the effective features required for detection.
1. Flow characteristic selection based on MIC-FCBF algorithm
With the development of internet technology and the arrival of big data era, a large amount of data is generated every day, and network data is no exception. In an SDN network, each network traffic is accompanied by a large number of traffic characteristics. When DDoS attack occurs, the related and changed flow characteristics may be only a small part, so that irrelevant characteristics and redundant characteristics need to be removed for DDoS attack detection, and thus, the dimension reduction is performed on the characteristics, so as to achieve the purposes of reducing the time complexity of the algorithm and improving the detection accuracy. The flow characteristics are selected based on the MIC-FCBF algorithm.
The FCBF algorithm is a feature selection method based on the idea of predominant correlation: it uses a sequential backward search strategy to find an optimal feature subset quickly and effectively, and it uses symmetric uncertainty (SU) to measure whether a feature is related to the target variable and whether features are repeated or redundant.
In the description of the pre-detection stage, the formula for the entropy of a random variable X was given; it is the entropy of a single variable and represents the uncertainty of that variable's value set. When another variable Y is known, the uncertainty of X may be reduced, that is, the entropy of X decreases given Y. This is called the conditional entropy, denoted H(X|Y), and is calculated as follows:
H(X|Y)=∑p(y)H(X|Y=y)=-∑p(y)∑p(x|y)log p(x|y)
As can be seen from the above, the conditional entropy of X given Y is H(X|Y), which is smaller than the information entropy of X; the amount by which the entropy is reduced is called the information gain IG(X|Y), calculated as follows:
IG(X|Y)=H(X)-H(X|Y)
By its definition, the information gain IG(X|Y) represents the degree of influence of one variable on the other, that is, it measures the correlation between two variables. In the FCBF algorithm, however, the correlations between different features and between a feature and the target variable must be compared; the features are of different types and their value ranges are not fixed, which makes direct comparison difficult. The information gain therefore needs to be normalized into the symmetric uncertainty (SU), calculated as follows:
Figure BDA0003454460100000101
The symmetric uncertainty (SU) is the measure of correlation between two variables in the FCBF algorithm, but experiments show that normalizing the information gain IG(X|Y) in this way may give an excessively small normalized value, so that the experimental results do not reach the expected effect. The present invention therefore uses the maximum mutual information coefficient (MIC) instead of SU as the measure of correlation between variables in the FCBF algorithm, calculated as follows:
Figure BDA0003454460100000102
in this case, min (H (X), H (Y)) < (H (X)) + H (Y))/2, so that the normalized value in this format can be made larger, and the experimental results can be improved.
Based on the above description, the MIC-FCBF algorithm is divided into two steps, removing irrelevant features and removing redundant features, as shown in Fig. 4. The specific principle of the algorithm is as follows:
The first stage: remove irrelevant features to obtain the relevant feature subset. For a feature set $F = \{F_1, F_2, F_3, \ldots, F_n\}$, where n is the number of features, calculate for each feature $F_i$ its MIC value with the target variable Y, $MIC_{Yi}$, where $i \in [1, n]$. When $MIC_{Yi}$ passes the threshold t (t is a threshold set in advance), the feature is considered to be related to the target variable and is added to the set $F_Y$. After all features have been traversed, the feature subset related to the target variable is obtained, $F_Y = \{F_{Y1}, F_{Y2}, F_{Y3}, \ldots, F_{Ym}\}$, where m is the number of features related to the target variable, $0 \le m \le n$.
The second stage: remove redundant features to obtain the optimal feature subset. All of the following operations are carried out on the relevant feature subset $F_Y$ obtained in the first stage.
① Select the feature $F_{Yi}$ with the largest $MIC_{Yi}$ value in $F_Y$ as the main feature;
② In $F_Y$, select in turn the other features $F_{Yj}$ whose $MIC_{Yj}$ value is less than the $MIC_{Yi}$ value of the main feature, calculate the $MIC_{ij}$ value between feature $F_{Yj}$ and the main feature $F_{Yi}$, and compare it with $MIC_{Yi}$, the MIC value between the main feature $F_{Yi}$ and the target variable Y;
③ If $MIC_{ij} \ge MIC_{Yi}$, feature $F_{Yj}$ is a redundant feature of the main feature $F_{Yi}$ and is removed from $F_Y$;
④ After the set $F_Y$ has been traversed, the redundant features corresponding to the main feature of this round have been removed; steps ①, ② and ③ are then executed again, and a feature previously selected as the main feature cannot be selected as the main feature again;
⑤ When no feature in the set $F_Y$ can be selected as the main feature, the algorithm flow ends, and the features remaining in $F_Y$ constitute the optimal feature subset.
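The two stages above, as an added Python example (not code from the patent) run on constructed, already-discretized features. The SU and MIC formulas are images on the page, so the code assumes SU = 2·IG/(H(X)+H(Y)) and, from the page's remark about min(H(X), H(Y)), MIC = IG/min(H(X), H(Y)); the `>=` threshold test, the feature names and the data are likewise assumptions.

```python
import math
from collections import Counter

def entropy(xs):
    """Shannon entropy H(X) in bits of a sequence of discrete values."""
    n = len(xs)
    return -sum(c / n * math.log2(c / n) for c in Counter(xs).values())

def info_gain(xs, ys):
    """IG(X|Y) = H(X) - H(X|Y)."""
    groups = {}
    for x, y in zip(xs, ys):
        groups.setdefault(y, []).append(x)
    h_x_given_y = sum(len(g) / len(xs) * entropy(g) for g in groups.values())
    return entropy(xs) - h_x_given_y

def su(xs, ys):
    """Symmetric uncertainty, the measure FCBF normally uses."""
    denom = entropy(xs) + entropy(ys)
    return 2 * info_gain(xs, ys) / denom if denom else 0.0

def mic(xs, ys):
    """The page's replacement measure (assumed form: IG / min(H(X), H(Y)))."""
    denom = min(entropy(xs), entropy(ys))
    return info_gain(xs, ys) / denom if denom else 0.0

def mic_fcbf(features, target, t):
    """Return the names of the features kept after both stages."""
    relevance = {name: mic(col, target) for name, col in features.items()}
    # Stage 1: keep features whose MIC with the target passes threshold t
    # (">=" is an assumption), ordered from most to least relevant.
    kept = sorted((n for n in features if relevance[n] >= t),
                  key=lambda n: relevance[n], reverse=True)
    # Stage 2: each round takes the most relevant unused feature as the main
    # feature and drops every weaker feature j with MIC_ij >= MIC_Yi.
    used = set()
    while True:
        pending = [n for n in kept if n not in used]
        if not pending:
            return kept
        main = pending[0]
        used.add(main)
        kept = [j for j in kept
                if relevance[j] >= relevance[main]      # not weaker: not tested
                or mic(features[j], features[main]) < relevance[main]]

# Constructed sample: 8 observation windows, label 1 = attack window.
LABEL = [0, 0, 0, 0, 1, 1, 1, 1]
FEATURES = {
    "dst_ip_share_bin":  [0, 0, 0, 1, 1, 2, 2, 2],   # relevant
    "dst_ip_share_high": [0, 0, 0, 1, 1, 1, 1, 1],   # function of the first: redundant
    "pkt_id_parity":     [0, 1, 0, 1, 0, 1, 0, 1],   # unrelated to the label
    "small_pkt_flag":    [0, 0, 1, 0, 1, 1, 0, 1],   # weakly relevant, not redundant
}

if __name__ == "__main__":
    for name, col in FEATURES.items():
        print(f"{name:18s} SU={su(col, LABEL):.3f} MIC={mic(col, LABEL):.3f}")
    print(mic_fcbf(FEATURES, LABEL, t=0.1))
```

Because the redundancy test compares against the main feature's own relevance, a strongly relevant main feature removes only near-duplicates of itself, while a weakly relevant one removes far more.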
2. Feature construction
Step 1 yields an optimal network feature set for detecting DDoS attacks. However, detecting DDoS attacks only according to the correlation between flow characteristics and whether a DDoS attack occurs is too general and unconvincing: DDoS attack flow and FC flow cannot be distinguished, and misjudgment may result. Therefore, in this embodiment, 5 features are constructed according to the flow characteristics that change obviously when a DDoS attack occurs and the differences between DDoS attack flow and FC flow. These 5 features are combined with the optimal feature set obtained in step 1 as the feature input of the GSODNN detection model, to improve the validity and accuracy of model detection. Each of the 5 constructed features is described in detail below:
(1) Weighted destination IP Maximum Proportion (MPDI)
Generally, a DDoS attack is launched against one or a few fixed hosts/servers, so when a DDoS attack occurs, the destination IP addresses of network traffic data packets concentrate on one or a few IP addresses; that is, the proportion of certain destination IP addresses among the switch flow entries increases rapidly, and the maximum destination IP proportion increases accordingly. Whether a DDoS attack is occurring can therefore be judged from the MPDI, which is calculated as follows:
Figure BDA0003454460100000121
where $DSTnum_i$, $i \in \{1,2,3,\ldots,n\}$, is the number of occurrences of destination address $DST_i$ in the switch flow table entries; $DSTnum_{all}$ is the total number of switch flow table entries; and ε is the weight of the feature, $\varepsilon \in (1, 2]$. Analysis shows this feature to be more important than the other flow features, so a weight greater than 1 is added to it.
(2) Weighted Packet average byte count (PAB)
When launching a DDoS attack, an attacker often sends a large number of data packets of small byte length (such packets generally contain only a packet header and a very small amount of data) in order to improve attack efficiency. The PAB therefore shows more clearly whether a DDoS attack is occurring, and is calculated as follows:
Figure BDA0003454460100000122
where $packetbyte_i$, $i \in \{1,2,3,\ldots,n\}$, is the number of bytes of the i-th Packet In data packet in time T; $Packet_{num}$ is the total number of Packet In data packets in time T; and ε is the weight of the feature, $\varepsilon \in (1, 2]$. Analysis shows this feature to be more important than the other flow features, so a weight greater than 1 is added to it.
(3) Weighted flow distribution Entropy (ENF):
In an SDN network environment, under normal traffic, the number of flows in the network and the state of the flows are relatively stable, and most newly added flows are generally flows that have appeared before. When a DDoS attack occurs, however, a large number of flows that have not appeared before occur in the network, so the set of network flows becomes very dispersed and its entropy value becomes large. ENF can therefore be used as an important feature for distinguishing whether traffic is DDoS attack flow, and is calculated as follows:
Figure BDA0003454460100000131
where $flow_{i\_num}$, $i \in \{1,2,3,\ldots,n\}$, is the number of the i-th data flow in the stage of collecting flow data for detecting DDoS attack; FE_num is the total number of data flows in the network; and ε is the weight of the feature, $\varepsilon \in (1, 2]$. Analysis shows this feature to be more important than the other flow features, so a weight greater than 1 is added to it.
(4) Weighted flow table entry Increase rate (IFE):
Research shows that DDoS attackers forge source IP addresses to conceal the addresses of the real attacking hosts. When a DDoS attack is launched, a large number of attack packets therefore cannot be matched in the switch flow table and can only be handed to the controller, which finds the optimal forwarding port and issues the corresponding flow table entries, so a large number of flow table entries are newly added to the switches through which the attack packets flow. With FC flow, the data packets flowing through the switch also increase rapidly, but most of them are packets that have been matched before and can be matched successfully in the switch flow table, so they have no great influence on the growth of flow entries. IFE is thus an important feature not only for detecting DDoS attacks but also for distinguishing DDoS attack flow from FC traffic. The calculation formula is as follows:
Figure BDA0003454460100000132
where
Figure BDA0003454460100000133
is the total number of switch flow table entries at time point $t_0$,
Figure BDA0003454460100000134
is the total number of switch flow table entries at time point $t_0 + \Delta t$, where Δt infinitely approaches 0, and ε is the weight of the feature, $\varepsilon \in (1, 2]$. Analysis shows this feature to be more important than the other flow features, so a weight greater than 1 is added to it.
(5) Weighted Source IP Address Entropy (SIAE)
DDoS attacks forge a large number of source IP addresses, that is, they generate data packets with a large number of source IP addresses that have not appeared before, so a large number of flow entries with new source IP addresses are added to the switch flow table; the source IPs become very dispersed and their information entropy becomes large. When FC traffic is generated, a large number of packets are also generated, but their source IP addresses have usually appeared before, so the dispersion of source IP addresses in the switch flow table is not greatly affected. SIAE therefore not only captures the characteristics of a DDoS attack well but can also be used to distinguish DDoS attack flow from FC traffic. The calculation formula is as follows:
Figure BDA0003454460100000135
where $SrcIp_{i\_num}$ is the number of the i-th source IP address in the switch flow table, $i \in \{1,2,3,\ldots,n\}$; n is the total number of source IP addresses; FE_num is the total number of switch flow table entries; and ε is the weight of the feature, $\varepsilon \in (1, 2]$. Analysis shows this feature to be more important than the other flow features, so a weight greater than 1 is added to it.
3. Feature extraction and processing
All features for detecting DDoS attacks are obtained through steps 1 and 2. In the model training stage the features are extracted from the public data set; in the DDoS detection stage they are extracted and processed from the data flows and the switch flow table. However, the scales of the features are not consistent, and most features are not of the same order of magnitude, which affects the result of model training and analysis. To solve this problem the data must be normalized; after normalization all features of the original data are of the same order of magnitude, which makes them suitable for comprehensive comparison and evaluation. The formula for feature normalization is as follows:
Figure BDA0003454460100000141
where $x_i'$ is the normalized value of a certain sample of the i-th feature; $x_i$ is the value of that sample of the i-th feature; $\max(x_i)$ is the maximum over all samples of the i-th feature; $\min(x_i)$ is the minimum over all samples of the i-th feature; and θ is a perturbation factor greater than 0, which prevents the denominator from being 0 and increases the fluctuation of the feature.
As shown in Fig. 5, after the desired features are extracted, they are normalized and then input into the model for training and detection.
4. DDoS attack detection model based on GSODNN
After all network features are extracted, constructed and processed, they are used as the input of a detection model that performs a two-class classification of whether a DDoS attack occurs, so that it can be known whether a DDoS attack is occurring in the network. The quality of the detection model often determines the quality of the detection result, so this embodiment provides a deep neural network detection model based on the artificial firefly swarm optimization algorithm. The training process of a traditional deep neural network requires the experimenter to adjust the parameters manually; it relies excessively on the experimenter's experience, does not necessarily produce a high-quality model, and is unstable, and the continual manual adjustment makes training time long. The global optimization capability of the artificial firefly swarm optimization algorithm is therefore used: the parameter set of the deep neural network is taken as the firefly individual and the quality of the training result as the objective function, to assist the training of the deep neural network, so that a high-quality model can be obtained more stably, training time can be shortened, and the detection accuracy of the model is improved. The detection model is described in detail below:
(1) Deep neural network
1) Structure of deep neural network
The deep neural network is a classical and commonly used model in deep learning and is good at mining hidden complex relationships between feature data and label values. A deep neural network is composed of neurons, also known as perceptrons; external information is conducted to a neuron through a plurality of connections (synapses), and the neuron then responds according to an activation function. The deep neural network mainly comprises an input layer, a hidden layer and an output layer. The number of neurons in the input layer is determined by the number of input features, and the number of neurons in the output layer is determined by the number of categories into which the results are classified. The layers are fully connected, each connection has a corresponding weight, and the output of each neuron is determined by its input values, the weights of the connections to it, and the neuron's bias value and activation function. The output of each layer is passed to the next layer by forward propagation until the output layer is reached. The basic structure diagrams of the neuron and the deep neural network are shown in Fig. 6 and Fig. 7.
2) Training of deep neural networks
The training optimization of the deep neural network is based on the evaluation function of each training result: using gradient descent, the weight matrix and bias vector of each layer are adjusted backwards in the direction that improves the value of the evaluation function, so that the next training result of the deep neural network is better. The model is trained repeatedly in this way on a large amount of data to reach a relatively high-quality result. The deep neural network training process is shown in Fig. 8 and can be divided into the following steps:
① Initialize parameters: the basic structure of the model and the relevant parameters are initialized, including the weight matrix, the bias, the activation function, the gradient descent learning rate, the loss function, the training end threshold, and so on.
② Forward propagation of data: the processed features are input into the model, and the data are computed layer by layer from the input layer according to the initial parameters until the result is output at the output layer.
③ Adjust parameters backwards: the cost is calculated from the output of the output layer and the loss function, and the parameters are adjusted backwards layer by layer according to an optimization strategy (gradient descent is used here).
④ Repeated training: steps ② and ③ are executed repeatedly with the training set data until the preset number of training rounds is exceeded or the training effect reaches the end threshold.
⑤ Model evaluation: the accuracy, F1 value, recall rate and so on of the trained model are calculated on the test set data, to evaluate the quality of the model and to serve as the basis for adjusting the model parameters.
(2) Artificial firefly group optimization algorithm
The artificial firefly swarm optimization (GSO) algorithm is an intelligent optimization algorithm proposed in 2005 by the Indian scholars K. N. Krishnanand and D. Ghose, which simulates the light-emitting behavior of fireflies in nature and has good prospects for finding optimal solutions in continuous spaces. In nature, a firefly's tail emits flashing fluorescence when it searches for prey or attracts a mate; the brighter the fluorescence, the stronger the attraction, and each firefly approaches the more attractive fireflies within its own sensing range. The firefly algorithm simulates this natural phenomenon: each solution in the solution space is regarded as a firefly, the quality of the solution with respect to the objective function represents the brightness of the corresponding firefly, and weakly glowing fireflies move toward strongly glowing ones. The process is iterated continuously until the brightest firefly, i.e. the optimal solution, is obtained.
Fig. 9 shows the flow chart of the artificial firefly swarm optimization algorithm. For the GSO algorithm, the invention proposes three rules:
① It is assumed that all fireflies are sex-independent, i.e. all fireflies are attractive to each other.
② The brightness of a firefly determines its attraction: a dimmer firefly is attracted by and moves toward a brighter one, and the brightest firefly moves randomly.
③ The brightness of a firefly is in direct proportion to the objective function, i.e. the better the objective function value, the brighter the firefly.
(3) Deep neural network detection model based on artificial firefly swarm optimization algorithm
The two parts above describe the basic structure and training process of the deep neural network and the basic concept and flow of the artificial firefly swarm optimization algorithm. This part explains how the deep neural network obtains an optimal detection model by means of the global optimization capability of the firefly algorithm. As shown in Fig. 10, the basic steps are as follows:
① Initialize the basic parameters of the artificial firefly swarm optimization algorithm, including the number of fireflies n, the number of iterations of the algorithm m, the optimization threshold ε, the initial fluorescein (representing light intensity) $h_0$ of each firefly, the initial dynamic decision range $r_0$, the domain threshold z, the initial step length l, the fluorescein disappearance rate a, the fluorescein update rate b, the dynamic decision domain update rate c, the firefly perception range $r_s$, and the objective function optimized by the algorithm (here the objective function is the accuracy of deep neural network training in each iteration).
② Give the value range of each parameter of the deep neural network; these value ranges are the search space (solution space) of the artificial firefly swarm optimization algorithm. At the same time, randomly initialize n fireflies within the search range; each firefly corresponds to one parameter combination of the deep neural network, i.e. a parameter vector of the deep neural network, denoted $X_i$, where $X_i$ is the i-th firefly, $i \in \{1,2,\ldots,n\}$.
③ Import the processed DDoS training set feature data into the deep neural networks corresponding to the n fireflies and train each of them to obtain the corresponding training accuracy, i.e. the objective function value of each firefly, denoted $D(x_i)$, where $D(x_i)$ is the objective function value of the i-th firefly, $i \in \{1,2,\ldots,n\}$.
④ Update the fluorescein value of each firefly, calculated as follows:
$h_i(t) = (1-a)\,h_i(t-1) + b\,D(x_i(t))$
where $h_i(t)$ is the fluorescein of the i-th firefly after the update of the t-th iteration, $h_i(t-1)$ is the fluorescein of the i-th firefly in iteration t-1, and $D(x_i(t))$ is the objective function value of the i-th firefly at the t-th iteration.
⑤ Search for the neighbors of each firefly (a neighbor is another firefly that lies within this firefly's sensing range and whose fluorescein value is larger than this firefly's), calculated as follows:
$Q_i(t) = \{\, j : \|X_j(t) - X_i(t)\| < r_i(t),\ h_j(t) > h_i(t) \,\}$
where $Q_i(t)$ is the set of neighbors of the i-th firefly in the t-th iteration, $\|X_j(t) - X_i(t)\|$ is the distance between the two fireflies at the t-th iteration, and $r_i(t)$ is the radius of the perceptual domain of the i-th firefly at the t-th iteration.
⑥ Determine the moving direction of each firefly using a roulette strategy, taking the i-th firefly as an example. First, calculate the probability that each firefly in the neighbor set $Q_i(t)$ of the i-th firefly is selected, as follows:
Figure BDA0003454460100000171
After the probability that each firefly in the neighbor set of the i-th firefly is selected has been obtained, the probability values are accumulated to obtain the probability interval of each neighbor within [0,1]. A random value in [0,1] is then drawn with a random function; the neighbor into whose probability interval the random value falls gives the direction in which the i-th firefly chooses to move, and this neighbor is denoted j.
⑦ Update the position of each firefly, calculated as follows:
Figure BDA0003454460100000181
where $X_i(t)$ is the updated position of the i-th firefly at the t-th iteration and $X_i(t-1)$ is the position of the i-th firefly at iteration t-1.
⑧ Update the dynamic decision domain value of each firefly, calculated as follows:
$r_i(t) = \min\{r_s, \max\{0, r_i(t-1), c(z - |Q_i(t-1)|)\}\}$
where $r_i(t)$ is the dynamic decision threshold value of the i-th firefly updated at the t-th iteration, $r_i(t-1)$ is the dynamic decision threshold value of the i-th firefly at iteration t-1, and $|Q_i(t-1)|$ is the number of neighbors of the i-th firefly at iteration t-1.
⑨ Judge whether the iteration count t of the artificial firefly swarm optimization algorithm has reached m or whether the optimization threshold ε has been reached. If either has been reached, the iteration process ends; otherwise, return to the preceding steps and continue iterating.
⑩ Find the firefly with the highest fluorescein value in the last iteration; the deep neural network formed from the deep neural network parameter combination corresponding to that firefly is the optimal detection model.
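Steps ① to ⑩ above as runnable Python, an added example that is not code from the patent. The selection-probability and position-update formulas are images on the page, so the code assumes the usual GSO forms (probability proportional to $h_j - h_i$, a fixed step l toward the chosen neighbor); `surrogate_accuracy` is a constructed stand-in for training a deep neural network with parameter vector x, and stopping when the best objective value reaches `target` is one reading of the optimization threshold ε.

```python
import math
import random

def roulette(h, i, neighbours, rng):
    """Step 6: choose neighbour j with probability (h_j - h_i) / sum_k (h_k - h_i)."""
    if not neighbours:
        return None                       # nothing brighter in range: stay put
    total = sum(h[j] - h[i] for j in neighbours)
    u, acc = rng.random(), 0.0
    for j in neighbours:
        acc += (h[j] - h[i]) / total      # cumulative probability interval
        if u <= acc:
            return j
    return neighbours[-1]                 # guard against float rounding

def move(xi, xj, step, bounds):
    """Step 7: advance xi by `step` along the unit vector toward xj, clipped to bounds."""
    d = math.dist(xi, xj)
    if d == 0.0:
        return list(xi)
    lo, hi = bounds
    return [min(hi, max(lo, p + step * (q - p) / d)) for p, q in zip(xi, xj)]

def gso(objective, positions, iters, h0=5.0, r0=2.0, z=5, step=0.25,
        a=0.4, b=0.6, c=0.08, rs=3.0, bounds=(0.0, 1.0), target=None, rng=None):
    """Return (best_position, best_value, all_positions) after the swarm has run."""
    rng = rng or random.Random(0)
    n = len(positions)
    X = [list(p) for p in positions]      # step 2: one parameter vector per firefly
    h = [h0] * n                          # fluorescein
    r = [r0] * n                          # dynamic decision range
    for _ in range(iters):
        D = [objective(x) for x in X]                          # step 3
        h = [(1 - a) * h[i] + b * D[i] for i in range(n)]      # step 4
        Q = [[j for j in range(n) if j != i                    # step 5
              and math.dist(X[j], X[i]) < r[i] and h[j] > h[i]]
             for i in range(n)]
        new_X = []
        for i in range(n):                                     # steps 6 and 7
            j = roulette(h, i, Q[i], rng)
            new_X.append(X[i] if j is None else move(X[i], X[j], step, bounds))
        X = new_X
        # step 8, with the three max terms as printed on the page
        r = [min(rs, max(0.0, r[i], c * (z - len(Q[i])))) for i in range(n)]
        if target is not None and max(D) >= target:            # step 9
            break
    best = max(range(n), key=lambda i: h[i])                   # step 10
    return X[best], objective(X[best]), X

def surrogate_accuracy(x):
    """Constructed objective with its peak at (0.3, 0.7); stands in for DNN accuracy."""
    return math.exp(-8 * ((x[0] - 0.3) ** 2 + (x[1] - 0.7) ** 2))

def demo(seed=1):
    rng = random.Random(seed)
    start = [[rng.random(), rng.random()] for _ in range(25)]
    return gso(surrogate_accuracy, start, iters=60, step=0.03, r0=0.5, rs=1.0, rng=rng)

if __name__ == "__main__":
    pos, acc, _ = demo()
    print("brightest firefly:", [round(v, 3) for v in pos], "objective:", round(acc, 4))
```

In the patent's setting each call to the objective is a full training run, so the cost per iteration is n trainings; the brightest firefly has no neighbor to follow here and stays where it is.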
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (9)

1. A DDoS detection method based on GSODNN and SDN is characterized by comprising the following steps:
the SDN controller counts the number of Packet In data packets of each switch within time T to judge whether the switch is abnormal; if the switch is abnormal, the SDN controller calculates the entropy value of the source IP addresses of the Packet In data packets of the abnormal switch within time T to judge whether the abnormality may be a DDoS attack;
for data packets that may belong to a DDoS attack, the SDN controller extracts the flow table features and related network flow features of the abnormal switch, selects an optimal feature set using the MIC-FCBF algorithm, and constructs features sensitive to DDoS attack;
and the selected optimal feature set and the constructed features sensitive to DDoS attack are input into a deep neural network based on an artificial firefly swarm optimization algorithm to perform DDoS attack detection.
2. The DDoS detection method based on GSODNN and SDN according to claim 1, wherein the process of the controller performing DDoS attack pre-detection comprises:
the switch uploads packet_in data packets that failed to match the flow table to the controller;
the controller counts the number of packet_in data packets of each switch in a set time period;
if the number of packet_in data packets of each switch does not exceed a set threshold, the corresponding data is delivered to the controller for subsequent processing; otherwise, the entropy value of the source IP addresses of the data packets is calculated;
whether the entropy value of the source IP addresses of the data packets exceeds a set threshold is judged, and if not, the corresponding data is delivered to the controller for subsequent processing; otherwise, DDoS attack detection is carried out.
3. The GSODNN and SDN based DDoS detection method according to claim 2, wherein the entropy of the source IP address of the packet is expressed as:
Figure FDA0003454460090000011
where H(X) is the entropy value of the source IP addresses of the data packets; X is the set of source IP addresses of the data packets; $p_i$ is the proportion of the i-th source IP address in the source IP address set; and n is the number of elements in the set of source IP addresses of the data packets.
4. The DDoS detection method based on GSODNN and SDN as claimed in claim 1, wherein the process of selecting the optimal feature set by using MIC-FCBF algorithm comprises:
101. calculating the maximum mutual information coefficient between each flow feature and the target feature, recorded as $MIC_{Yi}$, and selecting the m features with the largest maximum mutual information coefficient values;
102. taking the feature with the largest maximum mutual information coefficient value with the target feature as the main feature $F_{Yi}$, and sequentially calculating the maximum mutual information coefficient value between each of the other selected features and the main feature, recorded as $MIC_{ij}$;
103. if $MIC_{ij} \ge MIC_{Yi}$, feature j is a redundant feature of the main feature i, and feature j is deleted;
104. selecting the feature with the highest maximum mutual information coefficient value between flow feature and target feature as the main feature, and repeating steps 102-103.
5. The method of claim 4, wherein the computing of the maximum mutual information coefficient value between two features comprises:
Figure FDA0003454460090000021
where MIC(X, Y) represents the maximum mutual information coefficient between feature X and feature Y; IG(X|Y) is the information gain between the information entropy of feature X and the conditional entropy H(X|Y) of feature X given that feature Y is known; H(X) is the information entropy of feature X; and H(Y) is the information entropy of feature Y.
6. The DDoS detection method based on GSODNN and SDN as claimed in claim 1, wherein the process of constructing the features sensitive to DDoS attack comprises:
the weighted destination IP maximum ratio is expressed as:
Figure FDA0003454460090000022
the average number of bytes of the weighted data packet is expressed as:
Figure FDA0003454460090000023
a weighted flow distribution entropy value represented as:
Figure FDA0003454460090000024
the weighted flow entry rate of increase, expressed as:
Figure FDA0003454460090000031
a weighted source IP address entropy value represented as:
Figure FDA0003454460090000032
where $DSTnum_i$, $i \in \{1,2,3,\ldots,n\}$, is the number of occurrences of destination address $DST_i$ in the switch flow table entries; $DSTnum_{all}$ is the total number of switch flow table entries; ε is the weight value of a feature, $\varepsilon \in (1, 2]$; $packetbyte_i$, $i \in \{1,2,3,\ldots,n\}$, is the number of bytes of the i-th Packet In data packet in time T; $Packet_{num}$ is the total number of Packet In data packets in time T; $flow_{i\_num}$ is the number of the i-th data flow in the flow data collecting stage for detecting DDoS attack, and FE_num is the total number of data flows in the network;
Figure FDA0003454460090000033
is the total number of switch flow table entries at time point $t_0$,
Figure FDA0003454460090000034
is the total number of switch flow table entries at time point $t_0 + \Delta t$, where Δt infinitely approaches 0; $SrcIp_{i\_num}$ is the number of the i-th source IP address in the switch flow table, $i \in \{1,2,3,\ldots,n\}$, and n is the total number of source IP addresses; FE_num is the total number of switch flow table entries.
7. The DDoS detection method based on the GSODNN and the SDN as claimed in claim 1, wherein the process of inputting the selected optimal feature set and the constructed features sensitive to DDoS attack into the deep neural network based on the artificial firefly swarm optimization algorithm for DDoS attack detection comprises:
carrying out normalization processing on the selected optimal feature set and constructed features sensitive to DDoS attack;
inputting the normalized features into a pre-trained deep neural network based on an artificial firefly swarm optimization algorithm to perform DDoS attack detection, judging whether DDoS attacks exist or not, and if so, taking corresponding defense measures; otherwise, the data packet is delivered to the controller for subsequent processing.
8. The DDoS detection method based on GSODNN and SDN according to claim 7, wherein the normalization processing of the features in the feature set comprises:
Figure FDA0003454460090000035
where $x_i'$ is the normalized value of a certain sample of the i-th feature; $x_i$ is the value of that sample of the i-th feature; $\max(x_i)$ is the maximum over all samples of the i-th feature; $\min(x_i)$ is the minimum over all samples of the i-th feature; and θ is a perturbation factor greater than 0.
9. The DDoS detection method based on GSODNN and SDN as claimed in claim 1, wherein the training process of the deep neural network based on the artificial firefly swarm optimization algorithm comprises:
initializing the basic parameters of an artificial firefly swarm optimization algorithm, and taking the accuracy of deep neural network training as the objective function;
giving a value range for each parameter of the deep neural network, taking the range as the search space of the artificial firefly swarm optimization algorithm, and randomly initializing n fireflies in the search range, wherein each firefly corresponds to a parameter combination of the deep neural network;
importing training data into the deep neural networks corresponding to the n fireflies for training respectively, and calculating the objective function value corresponding to each firefly;
updating the fluorescein value of each firefly, and taking the other fireflies whose fluorescein value is larger than that of the current firefly as neighbors of the current firefly;
calculating the selection probability of each firefly in the neighbor set of the current firefly by using a roulette strategy, obtaining a random number through a random function, moving the current firefly toward the firefly in the neighbor set whose cumulative selection probability is closest to the random number, and updating the position of the current firefly;
updating the dynamic decision threshold value of each firefly, judging whether the iteration count of the artificial firefly swarm optimization algorithm has reached the maximum value or a set error threshold has been reached, and if either has been reached, ending the iteration process;
and finding the firefly with the highest fluorescein value in the last iteration, and taking the deep neural network parameter combination corresponding to that firefly as the deep neural network parameters.
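The two-threshold pre-detection of claims 2 and 3 as an added Python example (not code from the patent), applied to the packet_in messages of one time window. The entropy formula is an image on the page, so Shannon entropy with a base-2 logarithm is assumed; the thresholds, switch ids, addresses and verdict strings are constructed.

```python
import math
from collections import Counter, defaultdict

def source_ip_entropy(src_ips):
    """H(X) = -sum p_i * log2(p_i) over the source IPs seen in the window (assumed form)."""
    n = len(src_ips)
    return -sum(c / n * math.log2(c / n) for c in Counter(src_ips).values())

def pre_detect(packet_ins, count_threshold, entropy_threshold):
    """packet_ins: iterable of (switch_id, src_ip) collected in one period T.

    Returns {switch_id: verdict}. Only a switch that exceeds both thresholds
    is passed on to the feature extraction and GSODNN detection stage.
    """
    per_switch = defaultdict(list)
    for switch_id, src_ip in packet_ins:
        per_switch[switch_id].append(src_ip)
    verdicts = {}
    for switch_id, ips in per_switch.items():
        if len(ips) <= count_threshold:
            verdicts[switch_id] = "below-count-threshold"   # normal controller handling
        elif source_ip_entropy(ips) <= entropy_threshold:
            verdicts[switch_id] = "low-source-entropy"      # many packets, few sources
        else:
            verdicts[switch_id] = "run-ddos-detection"
    return verdicts

# Constructed window: s1 is quiet, s2 is busy with two known sources,
# s3 is busy with sixteen distinct sources.
SAMPLE_WINDOW = (
    [("s1", "192.0.2.10")] * 3 + [("s1", "192.0.2.11")]
    + [("s2", "198.51.100.5")] * 8 + [("s2", "198.51.100.6")] * 8
    + [("s3", f"203.0.113.{i}") for i in range(1, 17)]
)

if __name__ == "__main__":
    print(pre_detect(SAMPLE_WINDOW, count_threshold=8, entropy_threshold=3.0))
```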
CN202210003465.7A 2022-01-04 2022-01-04 DDoS detection method based on GSODNN and SDN Active CN114363065B (en)

Publications (2)

Publication Number Publication Date
CN114363065A true CN114363065A (en) 2022-04-15
CN114363065B CN114363065B (en) 2023-07-25

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115225353A (en) * 2022-07-04 2022-10-21 安徽大学 Attack detection method considering both DoS/DDoS flooding and slow HTTP DoS

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180115568A1 (en) * 2016-10-21 2018-04-26 Neusoft Corporation Method and device for detecting network intrusion
CN108848095A (en) * 2018-06-22 2018-11-20 安徽大学 The detection of server ddos attack and defence method under SDN environment based on double entropys
CN109981691A (en) * 2019-04-30 2019-07-05 山东工商学院 A kind of real-time ddos attack detection system and method towards SDN controller
CN110784481A (en) * 2019-11-04 2020-02-11 重庆邮电大学 DDoS detection method and system based on neural network in SDN network
CN112422493A (en) * 2020-07-27 2021-02-26 哈尔滨工业大学 DDoS attack detection method based on multilayer perception neural network MLDNN under SDN network architecture

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
KARAN B. V.: "Detection of DDoS Attacks in Software Defined Networks", 《IEEEXPLORE》 *
韩红光; 周改云: "Network intrusion detection based on Markov chain state transition probability matrix", 控制工程 (Control Engineering), no. 03 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115225353A (en) * 2022-07-04 2022-10-21 安徽大学 Attack detection method considering both DoS/DDoS flooding and slow HTTP DoS
CN115225353B (en) * 2022-07-04 2024-05-03 安徽大学 Attack detection method considering both DoS/DDoS flooding and slow HTTP DoS

Also Published As

Publication number Publication date
CN114363065B (en) 2023-07-25

Similar Documents

Publication Publication Date Title
WO2021088372A1 (en) Neural network-based ddos detection method and system in sdn network
Yavuz et al. Deep learning for detection of routing attacks in the internet of things
Kasim An efficient and robust deep learning based network anomaly detection against distributed denial of service attacks
CN109698836B (en) Wireless local area network intrusion detection method and system based on deep learning
Shrivas et al. An ensemble model for classification of attacks with feature selection based on KDD99 and NSL-KDD data set
CN109067586B (en) DDoS attack detection method and device
CN109768985A (en) A kind of intrusion detection method based on traffic visualization and machine learning algorithm
Peng et al. Network intrusion detection based on deep learning
CN109450845B (en) Detection method for generating malicious domain name based on deep neural network algorithm
CN111756719B (en) DDoS attack detection method combining SVM and optimized LSTM model under SDN network architecture
CN107483473B (en) Low-speed denial of service attack data flow detection method in cloud environment
Öke et al. A denial of service detector based on maximum likelihood detection and the random neural network
CN110351291B (en) DDoS attack detection method and device based on multi-scale convolutional neural network
CN114553475A (en) Network attack detection method based on network flow attribute directed topology
CN115987615A (en) Network behavior safety early warning method and system
CN114615093A (en) Anonymous network traffic identification method and device based on traffic reconstruction and inheritance learning
CN111461784A (en) Multi-model fusion-based fraud detection method
Jaszcz et al. AIMM: Artificial intelligence merged methods for flood DDoS attacks detection
CN112887326A (en) Intrusion detection method based on edge cloud cooperation
CN113901448A (en) Intrusion detection method based on convolutional neural network and lightweight gradient elevator
Abdullah et al. An artificial deep neural network for the binary classification of network traffic
CN114363065A (en) DDoS detection method based on GSODNN and SDN
CN117236699A (en) Network risk identification method and system based on big data analysis
CN115842647A (en) Network security threat detection method based on flow data
CN112929380B (en) Trojan horse communication detection method and system combining meta-learning and spatiotemporal feature fusion

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant