CN115664777A - Slow flow table overflow attack detection and mitigation method based on two-stage threshold - Google Patents


Publication number: CN115664777A
Authority: CN (China)
Prior art keywords: flow table, flow, overflow, rules, attack
Legal status: Pending
Application number: CN202211293208.8A
Other languages: Chinese (zh)
Inventors: 汤澹, 张冬朔, 郑芷青, 秦拯, 刘泊儒, 海日娜
Current assignee: Hunan University Chongqing Research Institute
Original assignee: Hunan University Chongqing Research Institute


Abstract

The invention discloses a method for detecting and mitigating slow flow table overflow attacks based on two-stage thresholds, belonging to the field of network security. The method is deployed on an SDN switch and monitors the occupancy of the switch flow table in real time. When the occupancy reaches the second-level (lower) threshold, the flow table is sampled, flow table features are calculated and attack detection is started. If a slow flow table overflow attack is detected, the attack mitigation module enters its malicious flow eviction mode and evicts the flow rules classified as malicious. When the occupancy reaches the first-level (upper) threshold, the mitigation module enters its flow table overflow prevention mode, evicts a proportion of the suspected malicious flow rules and frees flow table space to prevent overflow. The method monitors the flow table state of the switch in real time, detects slow flow table overflow attacks accurately with low false negative and false positive rates, and identifies and evicts malicious flow rules accurately, so it can effectively detect and mitigate slow flow table overflow attacks in an SDN environment.

Description

Slow flow table overflow attack detection and mitigation method based on two-stage threshold
Technical Field
The invention belongs to the field of computer network security and in particular relates to a method for detecting and mitigating slow flow table overflow attacks based on two-stage thresholds.
Background
SDN (Software Defined Networking) was created to use network resources more rationally and to serve diverse network requirements and elastic services. With the development of cloud computing, the traditional network architecture has proved complex, rigid and slow to evolve. SDN decouples the network's traffic management function from its packet forwarding function and provides network programmability, centralized network management, dynamic control of traffic and automated deployment.
The SDN data plane and control plane are separate and are connected, and exchange information, through the OpenFlow protocol. This distinctive architecture also brings security risks. The control plane has to process a large amount of information from the whole network and therefore needs high performance; the forwarding capacity of the data plane is bounded by the size of its flow table.
Storage and fast lookup of flow table rules rely on TCAM (Ternary Content Addressable Memory), whose capacity is very limited because of its high cost and power consumption. Once an attack overflows the flow table, normal rules can no longer be installed in time, TCP congestion windows shrink and the throughput of the whole network may fall. In a slow flow table overflow attack, packets that match no existing rule are sent at a low rate; each triggers the installation of a malicious flow rule, and the accumulated rules occupy the available space until the flow table overflows.
To preserve the availability of the flow table and the forwarding efficiency of normal flow rules, the invention provides a slow flow table overflow attack detection and mitigation method based on two-stage thresholds. According to how urgent the state of the flow table is under a slow flow table overflow attack, the method sets two thresholds on flow table occupancy, which correspond to the two modes of the attack mitigation module: a malicious flow eviction mode and a flow table overflow prevention mode. The method is deployed on an SDN switch and monitors the occupancy of the switch flow table in real time. When the occupancy reaches the second-level (lower) threshold, the collected flow table contents are sampled, flow table features are calculated and attack detection is started. If a slow flow table overflow attack is detected, the system enters the malicious flow eviction mode of the mitigation module and evicts the flow rules classified as malicious. When the number of rules reaches the first-level (upper) threshold, the system enters the flow table overflow prevention mode of the mitigation module directly, evicts a proportion of the suspected malicious flow rules and frees flow table space to prevent overflow. The method monitors the flow table state of the SDN switch in real time, detects slow flow table overflow attacks accurately with low false negative and false positive rates, and identifies and evicts malicious flow rules accurately, so it can effectively detect and mitigate slow flow table overflow attacks in an SDN environment.
Disclosure of Invention
Existing slow flow table overflow attack detection and mitigation methods suffer from low detection rates, an inability to handle malicious flow rules in time and excessive system overhead; when the flow table is overflowed by an attack, normal rules cannot be processed in time and even the throughput of the whole network drops. To address these defects, a slow flow table overflow attack detection and mitigation method based on two-stage thresholds is provided. The method monitors the flow table state of the SDN switch in real time, detects slow flow table overflow attacks accurately with low false negative and false positive rates, and identifies and evicts malicious flow rules accurately, so it can effectively detect and mitigate slow flow table overflow attacks in an SDN environment.
The technical scheme adopted by the invention is as follows. The method comprises five main steps: flow table occupancy monitoring, flow table data sampling, flow table feature calculation, attack detection and attack mitigation.
1. Flow table occupancy monitoring. The number of flow rules in the SDN switch is acquired in real time: an Open vSwitch command script polls the number of flow rules in the switch flow table every 1.0 second, and the current occupancy is calculated from the total capacity of the flow table.
2. Flow table data sampling. The second-level threshold is set to 75% of the total flow table capacity. When the occupancy calculated in step 1 reaches 75% of the total capacity, the contents of the SDN switch flow table are acquired with an Open vSwitch command script to obtain the raw flow table data; if the occupancy has not reached the second-level threshold, step 1 is repeated to continue monitoring.
3. Flow table feature calculation. The flow table is divided into three states to distinguish whether it is under a slow flow table overflow attack and which stage the attack has reached: state 1, not under attack; state 2, under attack but not yet overflowed; state 3, under attack and overflowed. Based on the flow table information collected in step 2, the mean packet inter-arrival time over all flow rules in the table is calculated, and this mean together with the number of flow rules is selected as the flow table features representing the different states.
4. Attack detection. When the occupancy is between the second-level and first-level thresholds, the flow table features calculated in step 3 are input into trained CatBoost classification model 1. If the model judges the current flow table to be in state 1, it is considered not under attack; if it judges state 2 or state 3, the flow table is considered to be under a slow flow table overflow attack.
5. Attack mitigation. If the occupancy is above the first-level threshold, the flow table overflow prevention mode is started: the accumulated byte count, mean packet inter-arrival time and mean packet size of each flow rule in the table are input into a CatBoost ranking model, the probability that each rule is malicious is calculated, and a fixed proportion of the rules are evicted in descending order of that probability to free flow table space and prevent overflow. If the number of rules is between the second-level and first-level thresholds and the attack detection module has judged the current flow table to be under a slow flow table overflow attack, the malicious flow eviction mode is started: the same three features are input into CatBoost classification model 2 and the rules the model classifies as malicious are evicted.
Advantageous effects
By analysing the principle of the attack and the different effects it produces at its different stages, the method selects flow table features that characterise the different states of the flow table and uses them to detect slow flow table overflow attacks; by comparing normal flows with malicious flows, it selects flow rule features with which to identify malicious flow rules; and with two thresholds on flow table occupancy it evicts malicious flow rules in different proportions according to how urgent the attack has become. Together these form a detection and mitigation method based on two-stage thresholds that detects and mitigates slow flow table overflow attacks in real time. The method monitors the flow table state of the SDN switch in real time, detects slow flow table overflow attacks accurately with low false negative and false positive rates, and identifies and evicts malicious flow rules accurately, so it can effectively detect and mitigate slow flow table overflow attacks in an SDN environment.
Drawings
Fig. 1 shows how the two flow table features change across the flow table states as the switch is subjected to a slow flow table overflow attack over time. From state 1 to state 3 the number of flow rules in the table rises until the table overflows; because the mean packet inter-arrival time of malicious flow rules is longer than that of normal flow rules, the mean over the whole flow table also rises as more malicious rules are installed.
Fig. 2 shows the distribution of the two flow table features in the three network states. Points from different states fall in different regions and are clearly separated, so the two flow table features selected by the method can serve as the basis for distinguishing network states.
Fig. 3 shows the distribution of the three flow rule features within one flow table. Dark and light points represent malicious and normal flows respectively. The two classes cluster in separate regions of the space spanned by accumulated byte count, mean packet inter-arrival time and mean packet size, so the selected features reflect the difference between normal and malicious flow rules and can serve as the basis for identifying malicious flow rules.
Fig. 4 is a flowchart of a slow flow table overflow attack detection and mitigation method based on two-stage thresholds.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
As shown in fig. 4, the slow flow table overflow attack detection and mitigation method mainly includes five steps: flow table occupancy rate monitoring, flow table data sampling, flow table feature calculation, attack detection and attack mitigation.
1. Flow table occupancy monitoring. An Open vSwitch command script polls the number of flow rules in the SDN switch flow table every 1 second, and the current occupancy is calculated from the total capacity of the flow table.
The flow table occupancy is the ratio of the number of flow rules in the flow table to the total capacity of the flow table.
The method sets two thresholds on flow table occupancy according to how urgent the state of the flow table is under a slow flow table overflow attack. The second-level (lower) threshold is set to 75% of the total flow table capacity and the first-level (upper) threshold to 90%.
When the method starts, the network is in the monitoring stage; while the number of flow rules is below the second-level threshold the network is considered normal and the flow table is considered not under attack. Because the network is not under attack most of the time, in this initial monitoring stage the method only polls the rule count once per second, which keeps the cost of collecting and processing network data low.
2. Flow table data sampling. If the flow table occupancy reaches the second-level threshold, the contents of the SDN switch flow table are acquired with the Open vSwitch command script to obtain the raw flow table data.
Only when the occupancy exceeds the second-level threshold is a slow flow table overflow attack considered possible, and only then are flow table sampling and the subsequent attack detection started.
This step collects the flow table contents of the switch, including the duration, accumulated packet count and accumulated byte count of each flow rule, which are used in step 5 to identify malicious flow rules.
3. Flow table feature calculation. Flow table features are calculated from the flow rule information in the current flow table to indicate whether the flow table is under a slow flow table overflow attack and, if so, which stage the attack has reached.
To distinguish whether an attack is occurring and what state the flow table is in, the method divides the flow table state into three categories:
State 1: the network is not under a slow flow table overflow attack, the number of rules in the flow table fluctuates within its normal range, and the mean packet inter-arrival time of the flow table is short;
State 2: the network has just come under a slow flow table overflow attack (the first stage of the attack), the number of rules in the flow table is rising with some fluctuation but the table has not overflowed, and the mean packet inter-arrival time is rising;
State 3: the attack has lasted for some time (the second stage of the attack), and the number of rules has reached the maximum the flow table can hold, i.e. the flow table has overflowed; the number of malicious rules in the table now stays essentially constant, so the mean packet inter-arrival time also essentially stops rising and fluctuates in a narrow band above the normal value.
The attack is subdivided into two stages so that it can be detected when it has only just begun and the network is not yet seriously affected. Moreover, while the method is running the mitigation module keeps evicting rules classified as malicious, so the flow table may remain in the first stage of the attack for a long time; dividing the attack into two stages therefore makes detection more accurate.
Fig. 2 shows the distribution of the two flow table features in the three network states. In the figure the network is in the normal state 1 before the 100th second, comes under a slow flow table overflow attack at the 100th second and enters state 2, and the flow table fills at the 137th second, at which point the network enters state 3. In the three states the number of rules in the flow table and the mean packet inter-arrival time of the flow table occupy different ranges. From the changes in these two feature values one can detect whether the flow table is under a slow flow table overflow attack and determine which stage the attack has reached.
To distinguish whether the switch is under attack and which stage the attack is in, the module selects two flow table features to represent the overall state of the current flow table; their evolution across the flow table states is shown in Fig. 1.
When the switch is under a slow flow table overflow attack the number of malicious flow rules in the table grows steadily, so the total number of rules grows until the table overflows. The number of flow rules in the flow table directly reflects the harm done by the attack and is the most intuitive feature for detecting it.
Most traffic in a network consists of short flows with short packet inter-arrival times. To keep the attack traffic as small as possible while still refreshing the idle timeout of the malicious flow rules, an attacker generally sets the sending period as close as possible to the idle timeout, so the mean packet inter-arrival time of a malicious flow rule is longer than that of a normal flow rule. When many malicious rules are installed in the flow table, the mean packet inter-arrival time over the whole table rises with them, reflecting the period at which the attack refreshes its installed rules. The flow-table-level mean packet inter-arrival time is the mean over the flow rules' packet inter-arrival times, and is calculated as the mean rule duration divided by the mean packet count per rule. Note that this ratio of means equals the mean of the per-rule ratios (duration divided by packet count, as defined in step 5) only when all rules have the same packet count, so an implementation must use the same definition for training and for detection.
4. Attack detection. When the flow table occupancy is between the second-level and first-level thresholds, the flow table features calculated in step 3 are input into trained CatBoost classification model 1. If the model judges the current flow table to be in state 1, the flow table is considered not under attack; if it judges state 2 or state 3, the flow table is considered to be under a slow flow table overflow attack.
The method uses the CatBoost algorithm both for network state classification and for malicious flow rule identification. CatBoost builds on the GBDT framework, uses symmetric (oblivious) decision trees as base learners, and uses an unbiased estimate of the gradient step when selecting the tree structure, which reduces the overfitting caused by gradient bias. Its ordered boosting scheme resists noisy points in the training set, counters prediction shift and improves the robustness of the model.
5. Attack mitigation. Depending on where the flow table occupancy lies relative to the two thresholds and on the result of attack detection, one of two mitigation modes is started so that attacks of different urgency are handled appropriately: a malicious flow eviction mode and a flow table overflow prevention mode.
The flow rule features used to classify and rank flow rules are: accumulated byte count, mean packet inter-arrival time and mean packet size.
The short flows that make up most of the network's traffic live in the flow table only briefly and accumulate few matches. Because the attacker sends packets intermittently to keep refreshing the idle timeout of its malicious flow rules, those rules stay in the flow table for a long time and their accumulated matched byte count keeps growing. The accumulated byte count of a flow rule can therefore be used as a feature for identifying malicious flow rules.
The mean packet inter-arrival time of a flow rule is the ratio of its duration to its packet count.
The mean packet size of a flow rule is the ratio of its byte count to its packet count.
When the occupancy is above the first-level threshold the flow table is about to fill and the situation is urgent. Detection is no longer run; besides the rules the algorithm judges malicious, a proportion of suspected malicious rules must also be evicted to prevent the flow table from overflowing, so that enough space remains for installing new flow rules.
If the occupancy is above the first-level threshold, the flow table overflow prevention mode is started: the features of the flow rules in the table are input into a CatBoost ranking model, the probability that each rule is malicious is calculated, the rules are sorted by that probability from high to low, and the top proportion of the total number of rules is selected for eviction; the proportion is set to 15% to 30%, which relieves the overflow without deleting too many normal flow rules.
If the number of flow rules is between the second-level and first-level thresholds and the attack detection module has judged the current flow table to be under a slow flow table overflow attack, the malicious flow eviction mode is started. The flow table still has some free space and the situation is not urgent, so this mode evicts only the rules classified as malicious.
In the malicious flow eviction mode, the accumulated byte count, mean packet inter-arrival time and mean packet size of every rule in the current flow table are used as features, and CatBoost classification model 2, trained on flow tables collected in the same network environment, separates normal from malicious flow rules: label 0 denotes a normal rule and label 1 a malicious rule. Every rule for which model 2 outputs 1 is judged malicious and deleted from the flow table.
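The five steps above, as an added worked example that is not part of the patent and not the inventors' code. It assumes, beyond what the text states, that the switch is Open vSwitch and rules are read from the text output of `ovs-ofctl dump-flows` (a constructed sample is embedded), that the bridge is named br0, that the installed rules have a 10 s idle timeout, and that the two trained CatBoost models are replaced by heuristic stand-in functions with the same role (classify the table state; score each rule's probability of being malicious) so the thresholds and the two eviction modes can be exercised offline. The eviction commands are rendered as strings rather than executed.

```python
# Added illustration of the patent's five steps (not the patent's code).
# Assumed, not from the text: Open vSwitch, `ovs-ofctl dump-flows` output
# format, bridge br0, a 10 s idle timeout, heuristic stand-ins for CatBoost.
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

SECOND_LEVEL_THRESHOLD = 0.75  # occupancy at which sampling and detection start
FIRST_LEVEL_THRESHOLD = 0.90   # occupancy at which overflow prevention starts
EVICT_FRACTION = 0.20          # inside the 15-30% range given in the text
IDLE_TIMEOUT_S = 10.0          # assumed idle_timeout of the installed rules
MALICIOUS_CUTOFF = 0.5         # stand-in for the classifier's label-1 decision


@dataclass
class Rule:
    match: str       # OpenFlow match as printed by ovs-ofctl, priority included
    duration: float  # seconds since the rule was installed
    n_packets: int
    n_bytes: int

    @property
    def mean_iat(self) -> float:  # mean packet inter-arrival time (step 5)
        return self.duration / max(self.n_packets, 1)

    @property
    def mean_pkt_size(self) -> float:  # mean packet size (step 5)
        return self.n_bytes / max(self.n_packets, 1)


def parse_dump_flows(text: str) -> List[Rule]:
    """Step 2: turn `ovs-ofctl dump-flows` text into Rule objects."""
    rules = []
    for line in text.splitlines():
        if "duration=" not in line:
            continue  # skips the "NXST_FLOW reply (xid=...)" header
        head, _, _ = line.strip().partition(" actions=")
        fields = dict(re.findall(r"(\w+)=([^,\s]+)", head))
        rules.append(Rule(match=head.split(", ")[-1],
                          duration=float(fields["duration"].rstrip("s")),
                          n_packets=int(fields["n_packets"]),
                          n_bytes=int(fields["n_bytes"])))
    return rules


def table_features(rules: List[Rule]) -> Tuple[int, float]:
    """Step 3: rule count and mean of the per-rule packet inter-arrival times."""
    return len(rules), sum(r.mean_iat for r in rules) / max(len(rules), 1)


def heuristic_state(n_rules: int, mean_iat: float, capacity: int) -> int:
    """Stand-in for CatBoost classification model 1 (assumption): 1 normal,
    2 under attack, 3 under attack with the table full."""
    if mean_iat < 1.0:  # normal flows have short inter-arrival times
        return 1
    return 3 if n_rules >= capacity else 2


def heuristic_malicious_probability(rule: Rule) -> float:
    """Stand-in for CatBoost model 2 and the ranking model (assumption): a rule
    refreshed about once per idle timeout with tiny packets scores high."""
    iat_term = min(rule.mean_iat / IDLE_TIMEOUT_S, 1.0)
    size_term = 1.0 - min(rule.mean_pkt_size / 1500.0, 1.0)
    return 0.5 * iat_term + 0.5 * size_term


def mitigate(rules: List[Rule], capacity: int,
             score: Callable[[Rule], float] = heuristic_malicious_probability,
             classify_state: Callable[[int, float, int], int] = heuristic_state,
             ) -> Tuple[str, List[Rule]]:
    """Steps 1, 4 and 5: choose the mode from the occupancy and return the
    rules to evict. Exactly 90% is treated as urgent here (our choice)."""
    occupancy = len(rules) / capacity
    if occupancy < SECOND_LEVEL_THRESHOLD:
        return "monitor", []
    if occupancy < FIRST_LEVEL_THRESHOLD:
        if classify_state(*table_features(rules), capacity) == 1:
            return "detect:not-attacked", []
        # malicious flow eviction mode: only rules classified as malicious
        return "malicious-flow-eviction", [r for r in rules if score(r) >= MALICIOUS_CUTOFF]
    # overflow prevention mode: rank by probability, evict the top fraction
    ranked = sorted(rules, key=score, reverse=True)
    return "overflow-prevention", ranked[:max(1, round(EVICT_FRACTION * len(rules)))]


def eviction_commands(bridge: str, rules: List[Rule]) -> List[str]:
    """Render, without running, the ovs-ofctl deletions; --strict makes the
    priority in the match significant so only the exact rule is removed."""
    return [f'ovs-ofctl --strict del-flows {bridge} "{r.match}"' for r in rules]


# Constructed dump-flows sample: four normal flows, then five slow-attack flows
# each refreshed just inside a 10 s idle timeout with 60-byte packets.
SAMPLE_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=2.104s, table=0, n_packets=40, n_bytes=30000, idle_timeout=10, priority=1,ip,nw_src=10.0.0.1,nw_dst=10.0.0.2 actions=output:2
 cookie=0x0, duration=5.500s, table=0, n_packets=100, n_bytes=120000, idle_timeout=10, priority=1,ip,nw_src=10.0.0.3,nw_dst=10.0.0.2 actions=output:2
 cookie=0x0, duration=1.200s, table=0, n_packets=10, n_bytes=8000, idle_timeout=10, priority=1,ip,nw_src=10.0.0.4,nw_dst=10.0.0.5 actions=output:3
 cookie=0x0, duration=8.000s, table=0, n_packets=200, n_bytes=250000, idle_timeout=10, priority=1,ip,nw_src=10.0.0.6,nw_dst=10.0.0.2 actions=output:2
 cookie=0x0, duration=29.800s, table=0, n_packets=3, n_bytes=180, idle_timeout=10, priority=1,udp,nw_src=10.0.0.9,tp_dst=40001 actions=output:4
 cookie=0x0, duration=39.500s, table=0, n_packets=4, n_bytes=240, idle_timeout=10, priority=1,udp,nw_src=10.0.0.9,tp_dst=40002 actions=output:4
 cookie=0x0, duration=19.700s, table=0, n_packets=2, n_bytes=120, idle_timeout=10, priority=1,udp,nw_src=10.0.0.9,tp_dst=40003 actions=output:4
 cookie=0x0, duration=49.400s, table=0, n_packets=5, n_bytes=300, idle_timeout=10, priority=1,udp,nw_src=10.0.0.9,tp_dst=40004 actions=output:4
 cookie=0x0, duration=9.900s, table=0, n_packets=1, n_bytes=60, idle_timeout=10, priority=1,udp,nw_src=10.0.0.9,tp_dst=40005 actions=output:4
"""

if __name__ == "__main__":
    sample = parse_dump_flows(SAMPLE_DUMP)
    for cap in (20, 12, 10):  # 45%, 75% and 90% occupancy
        mode, victims = mitigate(sample, cap)
        print(f"capacity={cap}: {mode}, evicting {len(victims)} rule(s)")
        print("\n".join(eviction_commands("br0", victims)))
```

Running the sample at capacities 20, 12 and 10 walks through the monitoring stage, the malicious flow eviction mode (five rules evicted) and the overflow prevention mode (the top 20% of nine rules, i.e. two). A deployment replaces the two heuristics with the trained models' predictions on the same feature tuples, runs the loop once per second as step 1 specifies, and executes the rendered commands; the capacity must be the switch's actual limit (in Open vSwitch the per-table `flow_limit` of the Flow_Table record), because the occupancy thresholds are meaningless against a capacity the switch does not enforce.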

Claims (6)

1. A slow flow table overflow attack detection and mitigation method based on two-stage thresholds, characterised by comprising the following five steps:
step 1, flow table occupancy monitoring: the number of flow rules in an SDN switch is acquired in real time by polling the switch flow table with an Open vSwitch command script every 1.0 second, and the current flow table occupancy is calculated from the total capacity of the flow table;
step 2, flow table data sampling: a second-level threshold is set to 75% of the total flow table capacity; when the occupancy calculated in step 1 reaches 75% of the total capacity, the contents of the SDN switch flow table are acquired with an Open vSwitch command script to obtain the raw flow table data, and if the occupancy has not reached the second-level threshold, step 1 is repeated to continue monitoring;
step 3, flow table feature calculation: flow table features are calculated from the flow rule information in the current flow table to represent whether the flow table is under a slow flow table overflow attack and the stage of the attack;
step 4, attack detection: when the flow table occupancy is between the second-level threshold and a first-level threshold, the flow table features are input into CatBoost classification model 1, and whether the current flow table is under a slow flow table overflow attack is judged from the label output by the classification;
step 5, attack mitigation: depending on where the occupancy lies relative to the two thresholds and on the attack detection result, one of two mitigation modes is started so that attacks of different urgency are handled appropriately:
step 5.1, if the occupancy is above the first-level threshold, a flow table overflow prevention mode is started: the accumulated byte count, mean packet inter-arrival time and mean packet size of the flow rules in the table are input into a CatBoost ranking model, the probability that each rule is malicious is calculated, and a fixed proportion of the rules are evicted in descending order of that probability to free flow table space and prevent overflow;
step 5.2, if the number of flow rules is between the second-level and first-level thresholds and the attack detection module judges the current flow table to be under a slow flow table overflow attack, a malicious flow eviction mode is started: the accumulated byte count, mean packet inter-arrival time and mean packet size of the flow rules in the table are input into CatBoost classification model 2, and the rules the model classifies as malicious are evicted.
2. The method of claim 1, wherein in step 3 the flow table is divided into three states to distinguish whether the current flow table is under a slow flow table overflow attack and which stage the attack has reached: state 1, not under attack; state 2, under attack but not overflowed; state 3, under attack and overflowed.
3. The method of claim 1, wherein in step 3 the mean packet inter-arrival time over all flow rules in the flow table is calculated from the flow table information collected in step 2, and this mean together with the number of flow rules in the flow table is selected as the flow table features representing the different flow table states.
4. The method of claim 1, wherein in step 4 the first-level threshold is set to 90% of the total flow table capacity, that is, when the occupancy calculated in step 1 is between 75% and 90% of the total capacity, the flow table features calculated in step 3 are input into trained CatBoost classification model 1; if the model judges the current flow table to be in state 1 it is considered not under attack, and if it judges state 2 or state 3 the flow table is considered to be under a slow flow table overflow attack.
5. The method of claim 1, wherein in step 5.1, when the occupancy is above 90% of the total flow table capacity, the features of the flow rules in the flow table are input into a trained CatBoost ranking model, the probability that each rule is malicious is calculated, the rules are sorted by that probability from high to low, and the top proportion of the total number of rules is selected for eviction, the proportion being set to 15% to 30% so that flow table overflow is relieved without deleting too many normal flow rules.
6. The method of claim 1, wherein in step 5.2, when the occupancy is between 75% and 90% and step 4 has judged the flow table to be under attack, the features of the flow rules in the flow table are input into trained CatBoost classification model 2 to separate normal from malicious flow rules, label 0 denoting a normal rule and label 1 a malicious rule; every rule for which model 2 outputs 1 is judged malicious and deleted from the flow table.
CN202211293208.8A 2022-10-21 2022-10-21 Slow flow table overflow attack detection and mitigation method based on two-stage threshold Pending CN115664777A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211293208.8A CN115664777A (en) 2022-10-21 2022-10-21 Slow flow table overflow attack detection and mitigation method based on two-stage threshold

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211293208.8A CN115664777A (en) 2022-10-21 2022-10-21 Slow flow table overflow attack detection and mitigation method based on two-stage threshold

Publications (1)

Publication Number Publication Date
CN115664777A true CN115664777A (en) 2023-01-31

Family

ID=84988815

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211293208.8A Pending CN115664777A (en) 2022-10-21 2022-10-21 Slow flow table overflow attack detection and mitigation method based on two-stage threshold

Country Status (1)

Country Link
CN (1) CN115664777A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117254978A (en) * 2023-11-16 2023-12-19 苏州元脑智能科技有限公司 Processing method and device for abnormal scanning behaviors
CN117254978B (en) * 2023-11-16 2024-02-09 苏州元脑智能科技有限公司 Processing method and device for abnormal scanning behaviors

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination