CN115250193A - DoS attack detection method, device and medium for SDN network - Google Patents

DoS attack detection method, device and medium for SDN network

Info

Publication number
CN115250193A
Authority
CN (China)
Prior art keywords
model, deep, dos attack, flow table, flow
Legal status
Granted
Application number
CN202111584038.4A
Other languages
Chinese (zh)
Other versions
CN115250193B (en)
Inventors
王静, 江其盛, 周红梅, 胡航宇, 夏卓群
Current Assignee
Changsha University of Science and Technology
Original Assignee
Changsha University of Science and Technology
Events
Application filed by Changsha University of Science and Technology
Priority to CN202111584038.4A (granted as CN115250193B)
Priority to PCT/CN2022/099297 (published as WO2023115845A1)
Publication of CN115250193A
Application granted
Publication of CN115250193B
Current legal status
Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application discloses a method, a device and a medium for detecting DoS attacks in an SDN network. The method comprises the following steps: acquiring flow table data to be detected; calculating a maximum packet matching acceleration value of the flow table data to be detected, the maximum packet matching acceleration value being the maximum increase of the packet matching number per unit time; when the maximum packet matching acceleration value exceeds a set threshold, calling a DeepFM model to detect the flow table data to be detected; and if the DeepFM model detects an attack flow, determining that the SDN network is under DoS attack. The maximum packet matching acceleration and the DeepFM model are thus combined: the possibility of an attack is judged first by the threshold, and detection is then carried out by the trained model, so that the controller load increase caused by frequently calling the model is avoided, better attack detection performance is achieved, the false alarm rate is reduced and the accuracy is improved.

Description

DoS attack detection method, device and medium for SDN network
Technical Field
The invention relates to the field of network security, in particular to a DoS attack detection method, a device and a medium for an SDN network.
Background
In recent years, the convenience brought by networks has penetrated every aspect of people's lives. However, with the development of network technology and network applications, network attacks are becoming more complex and network security threats are numerous; among them, DoS attacks are one of the main security problems facing networks.
A Software Defined Network (SDN) is a new network architecture and a way to implement network virtualization. It separates the control plane and the data plane of network equipment: the switches in the network are only responsible for forwarding, while control is handled by a centralized controller. This architecture makes unified configuration and management of the network convenient, realizes network programmability and facilitates the deployment of new services, but it also provides new opportunities for network attacks: if the controller fails or its service capacity is reduced, the performance of the whole network is greatly affected.
Currently, the most common and effective attack on SDN is a DoS attack from the data plane. DoS attacks are a major threat to SDN networks; their implementations are very diverse, but in essence they exhaust the computing and service resources of the network and its hosts by controlling a large number of devices on the network and sending meaningless data packets. Such an attack exploits the communication mechanism between the network controller and the switch: a large number of carefully constructed data flows are sent to a switch of the target network. Since the OpenFlow switch cannot find a flow table entry matching the attack flow, it continuously sends requests to the controller for new rules. The controller must respond to each request of the switch and frequently compute and issue corresponding rules, so that large amounts of storage, bandwidth and computation resources are consumed.
Therefore, how to detect and defend against DoS attacks in an SDN network is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
In view of this, the present invention provides a DoS attack detection method, device and medium for an SDN network, which can detect DoS attacks more effectively, reduce load and improve accuracy. The specific scheme is as follows:
a DoS attack detection method for an SDN network comprises the following steps:
acquiring flow table data to be detected;
calculating a maximum packet matching acceleration value of the flow table data to be detected, the maximum packet matching acceleration value being the maximum increase of the packet matching number per unit time;
when the maximum packet matching acceleration value exceeds a set threshold, calling a DeepFM model to detect the flow table data to be detected;
and if the DeepFM model detects an attack flow, determining that the SDN network is under DoS attack.
Preferably, in the DoS attack detection method provided in the embodiment of the present invention, before acquiring the flow table data to be detected, the method further includes:
constructing a DeepFM model, which takes flow table data as input and outputs a classification result indicating whether a DoS attack exists.
Preferably, in the DoS attack detection method provided in the embodiment of the present invention, after constructing the DeepFM model, the method further includes:
extracting statistical information from the flow rule counters of the flow table to obtain flow rule feature samples; a flow rule feature sample comprises duration, packet matching number, matching byte number, idle time, logical input port and actions;
and training the DeepFM model with the flow rule feature samples.
Preferably, in the DoS attack detection method provided in the embodiment of the present invention, the DeepFM model includes an FM part and a Deep part arranged in parallel; the FM part learns combined features among the dense features, and the Deep part learns combined features among the discrete features;
the dense features include duration, packet matching number and matching byte number;
the discrete features include idle time, logical input port and actions.
Preferably, in the DoS attack detection method provided in the embodiment of the present invention, the FM part and the Deep part share a feature embedding part.
Preferably, in the DoS attack detection method provided in the embodiment of the present invention, after determining that the SDN network is under DoS attack, the method further includes:
sending alarm information to the user and at the same time disabling the related flow rules in the flow table.
The embodiment of the present invention further provides a DoS attack detection device for an SDN network, including:
a data acquisition module for acquiring the flow table data to be detected;
an acceleration value calculation module for calculating the maximum packet matching acceleration value of the flow table data to be detected, the maximum packet matching acceleration value being the maximum increase of the packet matching number per unit time;
a threshold detection module for calling a DeepFM model when the maximum packet matching acceleration value exceeds a set threshold;
and a model detection module for detecting the flow table data to be detected through the DeepFM model and, if the DeepFM model detects an attack flow, determining that the SDN network is under DoS attack.
Preferably, in the DoS attack detection device provided in the embodiment of the present invention, the device further includes:
a model building module for building a DeepFM model that takes flow table data as input and outputs a classification result indicating whether a DoS attack exists;
a sample acquisition module for extracting the statistical information of the flow rule counters of the flow table to obtain flow rule feature samples, where a flow rule feature sample comprises duration, packet matching number, matching byte number, idle time, logical input port and actions;
and a model training module for training the DeepFM model with the flow rule feature samples.
The embodiment of the present invention further provides a DoS attack detection device for an SDN network, including a processor and a memory, where the processor implements the DoS attack detection method provided in the embodiment of the present invention when executing a computer program stored in the memory.
An embodiment of the present invention further provides a computer-readable storage medium for storing a computer program which, when executed by a processor, implements the DoS attack detection method provided in the embodiment of the present invention.
As can be seen from the above technical solutions, the DoS attack detection method for an SDN network provided by the present invention includes: acquiring flow table data to be detected; calculating the maximum packet matching acceleration value of the flow table data to be detected, the maximum packet matching acceleration value being the maximum increase of the packet matching number per unit time; when the maximum packet matching acceleration value exceeds a set threshold, calling a DeepFM model to detect the flow table data to be detected; and if the DeepFM model detects an attack flow, determining that the SDN network is under DoS attack.
The maximum packet matching acceleration is first checked against the threshold, and the DeepFM model is called for further detection only after an abnormality is detected. The maximum packet matching acceleration and the DeepFM model are thus combined: the possibility of an attack is judged first, and detection is then realized by the trained model, so that the controller load increase caused by frequently calling the model is avoided, better attack detection performance is achieved, the false alarm rate is reduced and the accuracy is improved.
In addition, the invention also provides a corresponding device and computer-readable storage medium for the DoS attack detection method, which make the method more practical; the device and the computer-readable storage medium have corresponding advantages.
Drawings
In order to more clearly illustrate the embodiments of the present invention or technical solutions in related arts, the drawings used in the description of the embodiments or related arts will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a DoS attack detection method according to an embodiment of the present invention;
Fig. 2 is a graph of the maximum packet matching acceleration over time under normal conditions;
Fig. 3 is a graph of the maximum packet matching acceleration over time after an attack;
Fig. 4 is a schematic structural diagram of a DoS attack detection device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a DoS attack detection method for an SDN network which, as shown in Fig. 1, comprises the following steps:
S101, acquiring flow table data to be detected;
It should be noted that the flow table is one of the most important concepts in an SDN network and is the carrier of packet forwarding rules. Each flow table is composed of many flow rules, and each flow rule mainly consists of a match field, counters and an action record. Because a DoS attack aimed at a user host causes obvious changes in some flow table entries, the features of the flow table information are more prominent than those of the data layer, and the DoS attack detection method provided by the invention therefore only considers the features of the flow table information.
S102, calculating a maximum packet matching acceleration value of the flow table data to be detected; the maximum packet matching acceleration value is the maximum increase of the packet matching number per unit time;
It should be noted that the packet matching number (n_packets) is a counter field carried by each flow rule that records the total number of packets matched by that rule. Since DoS attacks against user hosts are high-rate single-source IP attacks, there must be a high-rate data flow in the attacked network. Fig. 2 shows the maximum packet matching acceleration over time under normal conditions, and
Fig. 3 shows the maximum packet matching acceleration over time after an attack; it can be seen that the packet matching number is normally small and rises rapidly to several hundred thousand after an attack. Therefore, in the present invention, the increase of the packet matching number per unit time (i.e. the packet matching acceleration) is used as the basis for judging whether a DoS attack on the user host may exist.
S103, judging whether the maximum packet matching acceleration value exceeds the set threshold; if yes, go to step S104; if not, determining that the SDN network is not under DoS attack;
S104, calling the DeepFM model to detect the flow table data to be detected;
In practical application, DeepFM is a deep learning method that can be regarded as an algorithm derived from FM (Factorization Machine), and it can solve the problem of feature combination in data. Because FM achieves excellent performance even with large data volumes and sparse features, it can be applied to many prediction tasks such as regression, classification and ranking. In the invention, DeepFM improves the ability to extract information and realizes classification-based detection of DoS attacks through its output layer (i.e. a classifier). The DeepFM model is called for detection only when the packet matching acceleration exceeds the set threshold, so threshold detection and feature-based detection are combined; this two-step detection reduces the system load and improves accuracy.
S105, judging whether the DeepFM model detects an attack flow; if yes, go to step S106; if not, determining that the SDN network is not under DoS attack;
S106, determining that the SDN network is under DoS attack.
In the DoS attack detection method provided by the embodiment of the invention, the maximum packet matching acceleration is first checked against the threshold, and the DeepFM model is called for further detection only after an abnormality is detected. The maximum packet matching acceleration and the DeepFM model are thus combined: the possibility of an attack is judged first, and detection is then realized by the trained model, so that the controller load increase caused by frequently calling the model is avoided, better attack detection performance is achieved, the false alarm rate is reduced and the accuracy is improved.
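The two-stage procedure of steps S101 to S106, written out as an added Python example (this is not code from the patent). The flow-table snapshots, the rule identifiers and the placeholder classifier that stands in for the trained DeepFM model are all constructed assumptions; the point shown is that the model is invoked only for samples whose maximum packet matching acceleration exceeds the threshold.

```python
from typing import Callable, Dict, List, Tuple

Snapshot = Dict[str, int]  # flow-rule id -> n_packets counter read at one sampling instant


def max_packet_match_acceleration(prev: Snapshot, curr: Snapshot, interval_s: float) -> float:
    """Largest per-rule increase of n_packets per unit time between two samples (S102).

    A rule absent from the previous snapshot is new, so its whole count arrived within
    the interval and the previous value is taken as 0. A counter that went down (reset or
    re-installed rule) is likewise treated as a fresh count rather than a negative delta.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    best = 0.0
    for rule, n_now in curr.items():
        delta = n_now - prev.get(rule, 0)
        if delta < 0:
            delta = n_now
        best = max(best, delta / interval_s)
    return best


class TwoStageDetector:
    """Threshold gate (S103) in front of a classifier (S104-S106), so the model only runs on suspicious samples."""

    def __init__(self, threshold: float, classify: Callable[[Snapshot], bool]):
        self.threshold = threshold
        self.classify = classify   # stands in for the trained DeepFM model
        self.model_calls = 0       # counts how often the expensive model was actually invoked
        self.prev: Snapshot = {}

    def step(self, snapshot: Snapshot, interval_s: float) -> Tuple[bool, float]:
        """Return (attack_detected, acceleration) for one new flow-table sample (S101)."""
        accel = max_packet_match_acceleration(self.prev, snapshot, interval_s)
        self.prev = snapshot
        if accel <= self.threshold:            # S103: below threshold, no attack, model not called
            return False, accel
        self.model_calls += 1                  # S104: only now is the model invoked
        return self.classify(snapshot), accel  # S105/S106: model verdict decides


# Constructed sample: three 1-second samples; rule "r3" appears with 300k matches in the last one.
SAMPLES: List[Snapshot] = [
    {"r1": 100, "r2": 40},
    {"r1": 150, "r2": 60},
    {"r1": 200, "r2": 70, "r3": 300_000},
]


def toy_classifier(snapshot: Snapshot) -> bool:
    # Placeholder for the DeepFM model: flags the sample if any single rule exceeds 100k matches.
    return any(n > 100_000 for n in snapshot.values())


def run(samples: List[Snapshot] = SAMPLES, threshold: float = 10_000.0):
    """Feed the samples through the detector; returns the per-sample verdicts and the model call count."""
    det = TwoStageDetector(threshold, toy_classifier)
    verdicts = [det.step(s, 1.0) for s in samples]
    return verdicts, det.model_calls
```

With the constructed samples only the third sample passes the gate, so the classifier runs once for three samples.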
Further, in specific implementation, in the DoS attack detection method provided in the embodiment of the present invention, before step S101 of acquiring the flow table data to be detected is executed, the method may further include: constructing a DeepFM model that takes flow table data as input and outputs a classification result indicating whether a DoS attack exists. A DeepFM model designed in this way can detect DoS attacks well and with high efficiency.
It will be appreciated that, in a flow rule, the match field identifies the data flow and contains all network identifiers from the data link layer through the network layer to the transport layer; the action set defines the forwarding policy for packets matching the rule, and an action may be to drop the packet, forward it to the appropriate port, forward it to the controller, and so on. The counters record statistical information about the flow rule, which may include duration, n_packets (packet matching number), n_bytes (matching byte number), idle_timeout (soft timeout) and idle_age (idle time). duration is the lifetime of the flow rule, i.e. the time from its appearance in the flow table to the present, in seconds; n_packets is the total number of packets matched by the flow rule during that time; n_bytes is the total size of the data matched by the flow rule, i.e. how many bytes the flow rule has processed during that time; idle_timeout is the idle timeout of the flow rule, the so-called soft timeout, which is the longest time the flow rule may remain unmatched: once the unmatched time exceeds the idle timeout the flow rule is automatically deleted, and its default value is 10 s; idle_age is the interval since the flow rule was last matched, i.e. the time from the last matching packet to the current moment, in seconds.
Therefore, in specific implementation, in the DoS attack detection method provided in the embodiment of the present invention, after the DeepFM model has been constructed as above, the method may further include: first, extracting the statistical information of the flow rule counters in the flow table to obtain flow rule feature samples, where a flow rule feature sample includes n_bytes (matching byte number), duration, n_packets (packet matching number), idle_age (idle time), in_port (logical input port) and actions; then, training the DeepFM model with the flow rule feature samples. That is, in the present invention, when training the DeepFM model the feature relations between flow entries are fully considered, and there are at least six input features: a flow rule feature sample may be X = {x1, x2, ..., x6}, where x1 to x6 are duration, n_packets, n_bytes, idle_age, in_port and actions respectively.
Since a general linear model considers each feature independently, the correlation between features is not taken into account. In practice, however, many features of a network attack are correlated. For example, in the flow rule features of a low-rate DDoS attack on the data layer, the packet matching number and the matching byte number are usually related: in general, the larger the packet matching number, the larger the matching byte number. Therefore, in specific implementation, in the DoS attack detection method provided in the embodiment of the present invention, taking the high-order and low-order features of the flow table data into account, the DeepFM model may include an FM part and a Deep part in parallel: the FM part models low-order combinations between features, the Deep part (i.e. the deep neural network module) models high-order combinations between features, and the two are combined in parallel.
Such an architecture has the following characteristics: the latent vectors are obtained without pre-training the FM; no manual feature engineering is required; low-order and high-order combined features can be learned at the same time; and the FM part and the Deep part share a feature embedding part, so that training is faster and learning is more accurate.
In specific implementation, the flow table entry features are divided into dense features and discrete features: the FM part learns combined features among the dense features, and the Deep part learns combined features among the discrete features. Since duration, n_packets and n_bytes vary continuously over time, the dense features may include duration, n_packets and n_bytes; since in_port, idle_age and actions are relatively discrete and weakly correlated, the discrete features may include in_port, idle_age and actions.
In addition, in specific implementation, after determining that the SDN network is under DoS attack, the DoS attack detection method according to the embodiment of the present invention may further include: sending alarm information to the user and at the same time disabling the related flow rules in the flow table. This further improves network performance and ensures network security.
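As an added example (not the patent's own code) of the feature extraction and the dense/discrete split described above, the following Python assumes the flow table is read in the text form of Open vSwitch's ovs-ofctl dump-flows, builds the six-feature sample X = {x1, ..., x6}, and runs a forward pass of a minimal DeepFM in which the FM part (over the dense counters) and the Deep part (over the discrete fields) read one shared embedding table; the FM interaction term is cross-checked against the explicit pairwise sum. The flow lines, the log scaling of the dense counters and the random, untrained weights are constructed assumptions.

```python
import math
import random
import re
from typing import Dict, List, Tuple

# Constructed flow-table lines in ovs-ofctl dump-flows text form (not from a real switch).
FLOW_LINES = [
    "cookie=0x0, duration=12.345s, table=0, n_packets=10, n_bytes=980, idle_timeout=10, idle_age=3, priority=1,in_port=1 actions=output:2",
    "cookie=0x0, duration=2.010s, table=0, n_packets=250000, n_bytes=16000000, idle_timeout=10, idle_age=0, priority=1,in_port=3 actions=CONTROLLER:65535",
]
FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")
DENSE = ("duration", "n_packets", "n_bytes")     # continuously varying counters -> FM part
DISCRETE = ("idle_age", "in_port", "actions")    # discrete fields -> Deep part


def parse_flow_line(line: str) -> Dict[str, str]:
    """Split one dump-flows line into fields; 'actions' is cut off first as it may contain commas."""
    head, _, actions = line.partition(" actions=")
    fields = dict(FIELD_RE.findall(head))
    fields["actions"] = actions.strip()
    return fields


def flow_sample(fields: Dict[str, str]) -> Dict[str, object]:
    """Build the six-feature sample X = {x1, ..., x6} in the order the description gives."""
    return {
        "duration": float(fields["duration"].rstrip("s")),
        "n_packets": float(fields["n_packets"]),
        "n_bytes": float(fields["n_bytes"]),
        "idle_age": int(fields["idle_age"]),
        "in_port": fields["in_port"],
        "actions": fields["actions"],
    }


def dense_features(sample: Dict[str, object]) -> List[Tuple[str, float]]:
    # Counters span orders of magnitude, so they are log-scaled (an assumption of this example).
    return [(name, math.log1p(float(sample[name]))) for name in DENSE]


def discrete_features(sample: Dict[str, object]) -> List[str]:
    # Each discrete field/value pair becomes one categorical feature id.
    return [f"{name}={sample[name]}" for name in DISCRETE]


class DeepFM:
    """Forward pass of a DeepFM with one shared embedding table; weights are random placeholders."""

    def __init__(self, k: int = 4, hidden: int = 8, seed: int = 0):
        self.rng = random.Random(seed)
        self.k = k
        self.bias = 0.0
        self.w1: Dict[str, float] = {}          # first-order weight per feature id
        self.emb: Dict[str, List[float]] = {}   # shared latent vectors, read by both parts
        self.hidden_w = [[self.rng.gauss(0, 0.1) for _ in range(len(DISCRETE) * k)]
                         for _ in range(hidden)]
        self.out_w = [self.rng.gauss(0, 0.1) for _ in range(hidden)]

    def _embed(self, fid: str) -> List[float]:
        # Lazily create the latent vector and first-order weight for an unseen feature id.
        if fid not in self.emb:
            self.emb[fid] = [self.rng.gauss(0, 0.1) for _ in range(self.k)]
            self.w1[fid] = self.rng.gauss(0, 0.1)
        return self.emb[fid]

    def fm_part(self, dense: List[Tuple[str, float]]) -> float:
        # First-order term plus all pairwise (low-order) interactions in O(k*n):
        # 0.5 * sum_f [ (sum_i v_if x_i)^2 - sum_i (v_if x_i)^2 ]
        vecs = [(self._embed(fid), x) for fid, x in dense]
        first = sum(self.w1[fid] * x for fid, x in dense)
        second = 0.0
        for f in range(self.k):
            s = sum(v[f] * x for v, x in vecs)
            sq = sum((v[f] * x) ** 2 for v, x in vecs)
            second += 0.5 * (s * s - sq)
        return first + second

    def fm_bruteforce(self, dense: List[Tuple[str, float]]) -> float:
        # Same quantity by explicit O(n^2) pairs; used to cross-check fm_part.
        vecs = [(self._embed(fid), x) for fid, x in dense]
        total = sum(self.w1[fid] * x for fid, x in dense)
        for i in range(len(vecs)):
            for j in range(i + 1, len(vecs)):
                (vi, xi), (vj, xj) = vecs[i], vecs[j]
                total += sum(a * b for a, b in zip(vi, vj)) * xi * xj
        return total

    def deep_part(self, discrete: List[str]) -> float:
        # One hidden ReLU layer over the concatenated embeddings of the discrete fields.
        x = [e for fid in discrete for e in self._embed(fid)]
        h = [max(0.0, sum(w * xi for w, xi in zip(row, x))) for row in self.hidden_w]
        return sum(w * hi for w, hi in zip(self.out_w, h))

    def predict(self, sample: Dict[str, object]) -> float:
        # Output layer: sigmoid over FM part + Deep part, i.e. the attack-flow probability.
        z = self.bias + self.fm_part(dense_features(sample)) + self.deep_part(discrete_features(sample))
        return 1.0 / (1.0 + math.exp(-z))


def score_flow_table(lines: List[str] = FLOW_LINES, model: "DeepFM | None" = None) -> List[float]:
    model = model or DeepFM()
    return [model.predict(flow_sample(parse_flow_line(line))) for line in lines]
```

Because the weights are untrained, the returned probabilities carry no meaning yet; the block demonstrates the data path from flow-table text to the two model parts, not a trained detector.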
Based on the same inventive concept, embodiments of the present invention further provide a DoS attack detection device for an SDN network. Because the principle by which the device solves the problem is similar to that of the DoS attack detection method, the implementation of the device may refer to the implementation of the method, and repeated details are omitted.
In specific implementation, the DoS attack detection device for an SDN network according to the embodiment of the present invention, as shown in Fig. 4, specifically includes:
a data acquisition module 11 for acquiring the flow table data to be detected;
an acceleration value calculation module 12 for calculating the maximum packet matching acceleration value of the flow table data to be detected, the maximum packet matching acceleration value being the maximum increase of the packet matching number per unit time;
a threshold detection module 13 for calling the DeepFM model when the maximum packet matching acceleration value exceeds the set threshold;
and a model detection module 14 for detecting the flow table data to be detected through the DeepFM model and, if the DeepFM model detects an attack flow, determining that the SDN network is under DoS attack.
In the DoS attack detection device provided by the embodiment of the invention, the interaction of these four modules combines the maximum packet matching acceleration with the DeepFM model: the possibility of an attack is judged first, and detection is then realized by the trained model, so that the controller load increase caused by frequently calling the model is avoided, better attack detection performance is achieved, the false alarm rate is reduced and the accuracy is improved.
Further, in specific implementation, the DoS attack detection device provided in the embodiment of the present invention may further include:
a model building module for building a DeepFM model that takes flow table data as input and outputs a classification result indicating whether a DoS attack exists;
a sample acquisition module for extracting the statistical information of the flow rule counters of the flow table to obtain flow rule feature samples, where a flow rule feature sample comprises duration, packet matching number, matching byte number, idle time, logical input port and actions;
and a model training module for training the DeepFM model with the flow rule feature samples.
For more specific working processes of the modules, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
Correspondingly, the embodiment of the invention also discloses a DoS attack detection device comprising a processor and a memory, where the processor implements the DoS attack detection method disclosed in the foregoing embodiments when executing the computer program stored in the memory.
For more specific processes of the above method, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
Further, the present invention also discloses a computer readable storage medium for storing a computer program; the computer program, when executed by a processor, implements the DoS attack detection method disclosed previously.
For more specific processes of the above method, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
In the present specification, the embodiments are described in a progressive manner, and each embodiment focuses on differences from other embodiments, and the same or similar parts between the embodiments are referred to each other. The device and the storage medium disclosed in the embodiment correspond to the method disclosed in the embodiment, so the description is simple, and the relevant points can be referred to the description of the method part.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
To sum up, a DoS attack detection method for an SDN network according to an embodiment of the present invention includes: acquiring flow table data to be detected; calculating the maximum packet matching acceleration value of the flow table data to be detected, the maximum packet matching acceleration value being the maximum increase of the packet matching number per unit time; when the maximum packet matching acceleration value exceeds a set threshold, calling a DeepFM model to detect the flow table data to be detected; and if the DeepFM model detects an attack flow, determining that the SDN network is under DoS attack. The maximum packet matching acceleration is first checked against the threshold, and the DeepFM model is called for further detection only after an abnormality is detected. The maximum packet matching acceleration and the DeepFM model are thus combined: the possibility of an attack is judged first, and detection is then realized by the trained model, so that the controller load increase caused by frequently calling the model is avoided, better attack detection performance is achieved, the false alarm rate is reduced and the accuracy is improved. In addition, the invention also provides a corresponding device and computer-readable storage medium for the DoS attack detection method, which make the method more practical; the device and the computer-readable storage medium have corresponding advantages.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The DoS attack detection method, device and medium for SDN network provided by the present invention are introduced in detail above, and a specific example is applied in the present document to explain the principle and implementation of the present invention, and the description of the above embodiment is only used to help understanding the method and core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A DoS attack detection method for an SDN network, characterized by comprising the following steps:
acquiring flow table data to be detected;
calculating a maximum packet matching acceleration value of the flow table data to be detected, the maximum packet matching acceleration value being the maximum increase of the packet matching count per unit time;
when the maximum packet matching acceleration value exceeds a set threshold value, calling a DeepFM model to detect the flow table data to be detected;
and if the DeepFM model detects an attack flow, determining that the SDN network is under DoS attack.
2. The DoS attack detection method according to claim 1, further comprising, before the acquiring of the flow table data to be detected:
constructing a DeepFM model, the DeepFM model taking flow table data as input and outputting a classification result indicating whether a DoS attack exists.
3. The DoS attack detection method of claim 2, further comprising, after the constructing of the DeepFM model:
extracting statistical information from the flow rule counters of the flow table to obtain flow rule feature samples, the flow rule feature samples comprising duration, packet match count, matched byte count, idle time, logical input port and action;
and training the DeepFM model with the flow rule feature samples.
4. The DoS attack detection method of claim 3, wherein the DeepFM model comprises parallel FM and Deep parts; the FM part learns combined features among the dense features; the Deep part learns combined features among the discrete features;
the dense features comprise duration, packet match count and matched byte count;
the discrete features comprise idle time, logical input port and action.
5. The DoS attack detection method of claim 4, wherein the FM part and the Deep part share a feature embedding part.
6. The DoS attack detection method of claim 5, further comprising, after determining that the SDN network is under DoS attack:
sending alarm information to the user and simultaneously disabling the related flow rules in the flow table.
7. A DoS attack detection device for an SDN network, characterized by comprising:
a data acquisition module for acquiring the flow table data to be detected;
an acceleration value calculation module for calculating the maximum packet matching acceleration value of the flow table data to be detected, the maximum packet matching acceleration value being the maximum increase of the packet matching count per unit time;
a threshold detection module for calling a DeepFM model when the maximum packet matching acceleration value exceeds a set threshold;
a model detection module for detecting the flow table data to be detected with the DeepFM model, and, if the DeepFM model detects an attack flow, determining that the SDN network is under DoS attack.
8. The DoS attack detection device of claim 7, further comprising:
a model building module for building a DeepFM model, the DeepFM model taking flow table data as input and outputting a classification result indicating whether a DoS attack exists;
a sample acquisition module for extracting statistical information from the flow rule counters of the flow table and obtaining flow rule feature samples, the flow rule feature samples comprising duration, packet match count, matched byte count, idle time, logical input port and action;
and a model training module for training the DeepFM model with the flow rule feature samples.
9. A DoS attack detection apparatus for an SDN network, comprising a processor and a memory, wherein the processor, when executing a computer program stored in the memory, implements the DoS attack detection method according to any one of claims 1 to 6.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the DoS attack detection method according to any one of claims 1 to 6.
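The two-stage detector that the summary and claims 1 to 6 describe, as an added example that is not the patent's own code: the maximum packet matching acceleration is computed from two flow-table counter snapshots, the model is called only when it exceeds the threshold, and the dense/discrete feature split of claim 4 is applied per rule. The FlowRule schema and the snapshots are constructed, and the packet-size heuristic standing in for the trained DeepFM classifier is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRule:
    """One flow-table entry's counters and match attributes (constructed schema)."""
    rule_id: str
    duration: float   # seconds since the rule was installed (dense)
    n_packets: int    # packet match counter (dense)
    n_bytes: int      # matched byte counter (dense)
    idle_time: int    # idle timeout in seconds (discrete)
    in_port: int      # logical input port (discrete)
    action: str       # forwarding action (discrete)

def split_features(rule):
    """Claim 4's split: dense features for the FM part, discrete for the Deep part."""
    dense = (rule.duration, rule.n_packets, rule.n_bytes)
    discrete = {"idle_time": rule.idle_time, "in_port": rule.in_port, "action": rule.action}
    return dense, discrete

def max_packet_match_acceleration(prev, curr, interval_s):
    """Largest per-rule growth of the packet match counter per unit time; new rules start at 0."""
    prev_counts = {r.rule_id: r.n_packets for r in prev}
    return max(((r.n_packets - prev_counts.get(r.rule_id, 0)) / interval_s
                for r in curr), default=0.0)

def placeholder_classifier(dense, discrete):
    """Stand-in for the trained DeepFM (an assumption, not the patent's model):
    flags rules whose matched packets are tiny on average, a crude flood signal."""
    _, n_packets, n_bytes = dense
    return n_packets > 0 and n_bytes / n_packets < 80

def detect(prev, curr, interval_s, threshold, classifier=placeholder_classifier):
    """Stage 1 gates on the acceleration so the model is not run on every poll;
    stage 2 classifies each rule and returns the rule ids to disable (claim 6)."""
    accel = max_packet_match_acceleration(prev, curr, interval_s)
    if accel <= threshold:
        return {"accel": accel, "model_called": False, "attack": False, "disable": []}
    suspect = [r.rule_id for r in curr if classifier(*split_features(r))]
    return {"accel": accel, "model_called": True, "attack": bool(suspect), "disable": suspect}

# Constructed snapshots 5 s apart: rule r2 gains 5000 matches of ~60-byte packets.
SNAPSHOT_T0 = [
    FlowRule("r1", 30.0, 1200, 1_500_000, 10, 1, "output:2"),
    FlowRule("r2", 4.0, 100, 6_000, 10, 3, "output:2"),
]
SNAPSHOT_T1 = [
    FlowRule("r1", 35.0, 1260, 1_575_000, 10, 1, "output:2"),
    FlowRule("r2", 9.0, 5100, 306_000, 10, 3, "output:2"),
]
```

With a threshold of 200 matches per second the gate opens and only r2 is flagged; with a threshold of 2000 the model is never invoked, which is the controller-load saving the summary describes.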

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111584038.4A CN115250193B (en) 2021-12-22 2021-12-22 DoS attack detection method, device and medium for SDN network
PCT/CN2022/099297 WO2023115845A1 (en) 2021-12-22 2022-06-17 Dos attack detection method and apparatus for sdn, and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111584038.4A CN115250193B (en) 2021-12-22 2021-12-22 DoS attack detection method, device and medium for SDN network

Publications (2)

Publication Number Publication Date
CN115250193A true CN115250193A (en) 2022-10-28
CN115250193B CN115250193B (en) 2024-02-23

Family

ID=83698884

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111584038.4A Active CN115250193B (en) 2021-12-22 2021-12-22 DoS attack detection method, device and medium for SDN network

Country Status (2)

Country Link
CN (1) CN115250193B (en)
WO (1) WO2023115845A1 (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180013787A1 (en) * 2015-03-24 2018-01-11 Huawei Technologies Co., Ltd. SDN-Based DDOS Attack Prevention Method, Apparatus, and System
CN107800711A (en) * 2017-06-16 2018-03-13 南京航空航天大学 A kind of method that OpenFlow controllers resist ddos attack
CN108123931A (en) * 2017-11-29 2018-06-05 浙江工商大学 Ddos attack defence installation and method in a kind of software defined network
US20180324212A1 (en) * 2017-05-02 2018-11-08 Shenzhen University METHOD AND DEVICE FOR SIMULATING AND DETECTING DDoS ATTACKS IN SOFTWARE DEFINED NETWORKING
CN108833376A (en) * 2018-05-30 2018-11-16 中国人民解放军战略支援部队信息工程大学 Software-oriented defines the DoS attack detection method of network
CN109981691A (en) * 2019-04-30 2019-07-05 山东工商学院 A kind of real-time ddos attack detection system and method towards SDN controller
CN110011983A (en) * 2019-03-19 2019-07-12 中国民航大学 A kind of Denial of Service attack detection method based on flow table feature
CN110995761A (en) * 2019-12-19 2020-04-10 长沙理工大学 Method and device for detecting false data injection attack and readable storage medium
CN111800419A (en) * 2020-07-06 2020-10-20 东北大学 DDoS attack detection system and method in SDN environment
US20210092153A1 (en) * 2018-02-05 2021-03-25 Chongqing University Of Posts And Telecommunications Ddos attack detection and mitigation method for industrial sdn network
WO2021088372A1 (en) * 2019-11-04 2021-05-14 重庆邮电大学 Neural network-based ddos detection method and system in sdn network
CN113268735A (en) * 2021-04-30 2021-08-17 国网河北省电力有限公司信息通信分公司 Distributed denial of service attack detection method, device, equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111181939B (en) * 2019-12-20 2022-02-25 广东工业大学 Network intrusion detection method and device based on ensemble learning
CN112668688B (en) * 2020-12-30 2022-09-02 江西理工大学 Intrusion detection method, system, equipment and readable storage medium

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
WANG J et al.: "DoS Attack Detection Based on Deep Factorization Machine in SDN", 3 November 2022 (2022-11-03) *
Y. JI AND X. LI: "An efficient intrusion detection model based on deepFM", 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), 4 May 2020 (2020-05-04) *
王晓瑞; 庄雷; 胡颖; 王国卿; 马丁; 景晨凯: "DDoS attack detection method based on BP neural network in an SDN environment", Application Research of Computers (计算机应用研究), no. 03, 21 March 2017 (2017-03-21) *
邓广慧; 唐贤瑛; 夏卓群: "Research on intrusion detection based on FCM and RBF networks", Computer and Information Technology (电脑与信息技术), no. 01, 28 February 2006 (2006-02-28) *

Also Published As

Publication number Publication date
CN115250193B (en) 2024-02-23
WO2023115845A1 (en) 2023-06-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant