CN115834459A - Dynamic cleaning system and method for link flooding attack flow - Google Patents


Info

Publication number: CN115834459A
Application number: CN202211236647.5A
Authority: CN (China)
Other versions: CN115834459B (en)
Other languages: Chinese (zh)
Legal status: Granted; currently active (the legal status is Google's assumption and not a legal conclusion)
Prior art keywords: flow, attack, cleaning, vnf, traffic
Inventors: 赵正, 赵奇, 范晓娅, 毛倩, 刘洪波, 李沐南, 王野, 解泽强, 丰宇凡, 蔡博宇
Current assignee: Dalian Maritime University (assignee lists may be inaccurate; Google has not performed a legal analysis)
Original assignee: Dalian Maritime University
History: application filed by Dalian Maritime University with priority to CN202211236647.5A; published as CN115834459A; application granted and published as CN115834459B.

Abstract

The invention provides a dynamic link flooding attack traffic cleaning system and method. The system comprises a control plane and a data plane that exchange data through a southbound interface consisting of P4Runtime and a VNF management southbound interface. The control plane comprises an SDN controller. The data plane comprises a P4 programmable switch and a traffic cleaning server. The P4 programmable switch forwards network traffic, detects and identifies attack flows according to the defense strategy and traffic cleaning rules issued by the SDN controller, and cleans the attack flows according to those rules. The traffic cleaning server receives the attack flows that the P4 programmable switch cannot clean with match-action processing and sends them to the designated traffic cleaning VNF for processing. The invention dynamically cleans LFA traffic based on a P4 switch and traffic cleaning VNFs.

Description

Dynamic cleaning system and method for link flooding attack flow
Technical Field
The invention relates to the technical field of network security, in particular to a dynamic link flooding attack flow cleaning system and method.
Background
Link flooding attacks (LFAs), such as Coremelt and Crossfire, are a typical class of network attack: by flooding key network links they cut off the connection between a target network and the Internet, causing large-scale network paralysis and extremely serious damage to cyberspace. Between 2013 and 2022, large-scale LFAs occurred on the Internet many times, causing a great deal of Internet service interruption and inestimable losses.
Current LFA defenses fall mainly into three types: attack flow detection, rerouting, and traffic cleaning. Traffic cleaning directly discards the attack flows at the edge of or inside the network and can effectively reduce their impact on the network. However, traditional traffic cleaning relies on prior knowledge of the attack, is seriously lagging and static, is easily identified and bypassed by the attacker, and has difficulty coping effectively with a dynamic, highly organized LFA.
Disclosure of Invention
The invention provides a dynamic cleaning system and method for link flooding attack traffic. It introduces the idea of Moving Target Defense (MTD) into traffic cleaning: by periodically and dynamically deploying cleaning rules it prevents an attacker from launching an effective attack, and by analyzing the LFA attack and defense game with game theory it obtains an optimal defense strategy, so that a dynamic LFA is effectively resisted at small additional cost.
The technical means adopted by the invention are as follows:
the invention provides a dynamic link flooding attack traffic cleaning system comprising a control plane and a data plane, wherein the control plane and the data plane exchange data through a southbound interface, and the southbound interface comprises a P4Runtime interface and a virtualized network function (VNF) management southbound interface;
the control plane comprises an SDN controller;
the data plane comprises a P4 programmable switch and a traffic cleaning server; the P4 programmable switch exchanges data with the SDN controller through P4Runtime, and the traffic cleaning server exchanges data with the SDN controller through the VNF management southbound interface;
the P4 programmable switch forwards network traffic, detects and identifies attack flows according to the defense strategy and traffic cleaning rules issued by the SDN controller, and cleans the attack flows according to those rules;
and the traffic cleaning server receives the attack flows that the P4 programmable switch cannot clean with match-action processing and sends them to the designated traffic cleaning VNF for processing.
Further, the traffic cleaning server comprises a traffic inlet, a traffic outlet, a traffic-VNF table, and a plurality of traffic cleaning VNFs;
the traffic inlet receives the traffic to be cleaned that the P4 programmable switch sends;
the traffic-VNF table matches flows and forwards them: a flow is forwarded to a specific traffic cleaning VNF by table lookup;
each traffic cleaning VNF cleans a particular type of attack traffic;
the traffic outlet returns the cleaned traffic to the P4 programmable switch;
the SDN controller manages the traffic-VNF table and the traffic cleaning VNFs through the VNF management southbound interface, and dynamically adds and deletes traffic cleaning VNFs.
Further, the control plane further includes an attack sensing module, a strategy generation module, a switch management module, a flow table management module and a VNF management module;
the attack sensing module senses the state of every link in the network and discovers attacked network links;
the strategy generation module analyzes the LFA attack and defense game with game theory according to the attack and defense state and calculates an optimal cleaning strategy;
the switch management module manages the packet processing logic of the P4 programmable switch;
the flow table management module configures the P4 programmable switch according to the defense strategy and installs traffic cleaning rules on it;
and the VNF management module installs or deletes traffic cleaning VNFs on the data plane according to the attack traffic type.
Further, the strategy generation module analyzes the LFA attack and defense game with game theory according to the attack and defense state and calculates an optimal cleaning strategy through the following steps:
constructing a traffic cleaning game TSG from the attack strategy and the defense strategy acquired by the attack sensing module, where the TSG is a quadruple TSG = {N, S, D, U} in which
(5) N = {A, D} is the player space, where A is the attacker and D is the defender;
(6) $S_a$ is the attacker's strategy space [equation image not extracted]; for $s_a \in S_a$ [equation image not extracted], $0 \le s_a \le g$, and $s_a$ represents the number of attack flows selected by the attacker;
(7) $S_d$ is the defender's strategy space [equation image not extracted]; for $s_d \in S_d$ [equation image not extracted], $0 \le s_d \le g$, and $s_d$ represents the number of attack flows the defender chooses to clean;
(8) $U = \{U_a, U_d\}$ is the set of utility matrices of the players, where $U_a$ and $U_d$ are the utility matrices of the attacker and the defender respectively [two equation images not extracted]; their entries [equation images not extracted] represent the utility of the attacker and of the defender when the attacker selects a given strategy and the defender selects a given strategy;
constructing the attacker utility function as
$u_a(s_a, s_d) = E_a(s_a, s_d) - AC(s_a) = \lambda s_a (g - s_d)/g - \alpha s_a$
where $E_a(s_a, s_d)$ is the attack revenue, $AC(s_a)$ is the attack cost, $\lambda$ is the weight of the profit an uncleaned attack flow generates for the attacker, $g$ is the size of the attack flow set, and $\alpha$ is the cost weight of an attack flow;
constructing the defender utility function as
$u_d(s_a, s_d) = E_d(s_a, s_d) - DC(s_d) = \mu s_a (s_d/g) - \beta s_d$
where $E_d(s_a, s_d)$ is the defense revenue, $DC(s_d)$ is the defense cost, $\mu$ is the weight of the profit a cleaned flow generates for the defender, and $\beta$ is the cost weight of cleaning an attack flow;
and solving the pure-strategy Nash equilibrium and the mixed-strategy Nash equilibrium of the TSG from the attacker and defender utility matrices to obtain the defender's optimal cleaning strategy.
Further, each P4 programmable switch serves as a network node and is connected to its own independent traffic cleaning server.
The invention also provides a dynamic cleaning method for link flooding attack traffic, implemented on the dynamic cleaning system for link flooding attack traffic described above, and comprising the following steps:
the defender configures the programmable switch according to the type of the attack traffic;
the defender constructs an optimal cleaning strategy from the game equilibrium;
and the defender installs the corresponding number of traffic cleaning VNFs on the traffic cleaning server, dynamically deploys traffic cleaning rules in the network, and cleans the attack traffic with the programmable switch and the VNFs together.
Further, the method also comprises the following step:
at every fixed period, randomly selecting a subset of the attack flow set to defend against according to the optimal cleaning strategy.
Compared with the prior art, the invention has the following advantages:
the method introduces the MTD idea into traffic cleaning and dynamically cleans attack traffic in a network environment with a programmable data plane, so that an attacker finds it difficult to mount an effective attack. Specifically:
firstly, an LFA traffic cleaning framework based on the P4 language and Virtualized Network Functions (VNFs) is constructed, and various LFA attack flows are cleaned locally in the network using the programmable data plane;
secondly, a Dynamic Traffic Scrubbing (DTS) method based on MTD is provided, in which at every fixed period a subset of the attack flow set is randomly selected for defense according to the defense strategy, so that the traffic to clean and the cleaning rules to deploy are selected dynamically and an attacker cannot launch a targeted attack;
finally, a dynamic cleaning method for LFA attack traffic is provided, in which traffic cleaning rules are dynamically deployed in the network so that an attacker cannot mount an effective LFA.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to these drawings without creative efforts.
Fig. 1 is the DTS framework in an embodiment of the invention.
Fig. 2 is a DTS system architecture according to an embodiment of the present invention.
FIG. 3 is a flow cleansing engine architecture in accordance with an embodiment of the present invention.
FIG. 4 is a flow cleansing server architecture in an embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
Defending against a strong LFA requires deploying a large number of cleaning rules; however, constrained by the switch flow table space, the defender can only clean part of the attack traffic. An attacker can therefore avoid being cleaned and prolong the attack by adjusting the attack flows. If instead the defender continuously and randomly changes which flows are targeted for cleaning, then even with limited flow table space the attacker is prevented from adjusting the attack flows in a targeted way and cannot achieve the attack effect.
The DTS framework proposed in this application is shown in Fig. 1, where each node of the network is a programmable switch connected to an independent traffic cleaning server. The attacker uses the zombie hosts it controls to send a large amount of attack traffic to the target link so that the target link is congested. The defender configures the programmable switch according to the attack traffic category, installs the corresponding number of traffic cleaning VNFs on the traffic cleaning server, dynamically deploys traffic cleaning rules in the network, and cleans the attack traffic with the programmable switch and the VNFs together. The attacker periodically adjusts the attack traffic to avoid having it cleaned. If, in this process, both parties know the other's information and act without a fixed order, the LFA and its defense form a complete-information static game, and the defender can use the equilibrium of this game to construct its optimal cleaning strategy.
To realize these functions, the invention provides a dynamic link flooding attack traffic cleaning system comprising a control plane and a data plane, wherein the control plane and the data plane exchange data through a southbound interface, and the southbound interface comprises P4Runtime and a VNF management southbound interface.
Specifically, the present application designs a P4-based LFA traffic dynamic cleaning system, DTS, whose architecture is shown in Fig. 2. The DTS architecture is divided into a control plane, a data plane and a southbound interface, where the southbound interface consists of P4Runtime and the VNF management southbound interface. The control plane consists of an SDN controller and five core modules: the attack sensing module senses the state of every link in the network and discovers attacked network links; the strategy generation module analyzes the LFA attack and defense game with game theory according to the attack and defense state and calculates an optimal cleaning strategy; the switch management module manages the packet processing logic of the P4 switch; the flow table management module configures the P4 switch according to the defense strategy and installs traffic cleaning rules on it; and the VNF management module installs or deletes traffic cleaning VNFs on the data plane according to the attack traffic type.
Specifically, in the LFA attack and defense game, the attacker launches and continuously adjusts attack flows to form an attack, and the defender selects part of the attack flows to clean so that the attacker cannot achieve the attack effect; the payoff of each party is influenced by the other party's strategy, and each takes the actions that benefit it and maximize its own payoff. Assuming both parties know the other's information and act without a fixed order, the process can be modeled as a complete-information static game. According to game theory, a Nash equilibrium is the equilibrium solution of the game: neither party can obtain a higher payoff by unilaterally deviating from it. Therefore, the Nash equilibrium solution is the optimal cleaning strategy for the defender. Based on the above analysis, a traffic cleaning game TSG (Traffic cleansing Game) can be constructed as follows:
Definition 1. The TSG is a quadruple [equation image not extracted], where
(1) N = {A, D} is the attack and defense game participant space, where A is the attacker and D is the defender;
(2) $S_a$ is the attacker's strategy space [equation image not extracted]; for $s_a \in S_a$ [equation image not extracted], $0 \le s_a \le g$, and $s_a$ is the number of attack flows selected by the attacker;
(3) $S_d$ is the defender's strategy space [equation image not extracted]; for $s_d \in S_d$ [equation image not extracted], $0 \le s_d \le g$, and $s_d$ is the number of attack flows the defender chooses to clean;
(4) $U = \{U_a, U_d\}$ is the set of utility matrices of the participants; the utility matrices $U_a$ and $U_d$ of the attacker and the defender can be expressed as formula (2) and formula (3) respectively [equation images not extracted], where their entries [equation images not extracted] represent the utility of the attacker and of the defender when the attacker selects a given strategy and the defender selects a given strategy.
In the TSG, attack utility = attack revenue - attack cost, and defense utility = defense revenue - defense cost. To obtain the attack and defense utility matrices, attack revenue, attack cost, defense revenue and defense cost are defined as follows.
Definition 2. Attack revenue $E_a(s_a, s_d)$ is the expected profit generated by the attack flows that the defender fails to clean when the attacker launches the attack with $s_a$ attack flows and the defender cleans $s_d$ attack flows. Assuming the attack revenue is linear in the number of attack flows not cleaned by the defender, and the number of flows not successfully defended is $h_k$, then $E_a(s_a, s_d) = \lambda h_k$, $0 \le s_a \le g$, $0 \le s_d \le g$.
Definition 3. Attack cost $AC(s_a)$ is the cost incurred when the attacker launches the attack with $s_a$ attack flows. Assuming the attack cost is linear in the number of attack flows selected by the attacker, $AC(s_a) = \alpha s_a$, $0 \le s_a \le g$.
Definition 4. Defense revenue $E_d(s_a, s_d)$ is the expected profit generated by the attack flows that the defender successfully cleans when the attacker launches the attack with $s_a$ attack flows and the defender cleans $s_d$ attack flows. Assuming the defense revenue is linear in the number of flows cleaned, and that number is $h_d$, then $E_d(s_a, s_d) = \mu h_d$, $0 \le s_a \le g$, $0 \le s_d \le g$.
Definition 5. Defense cost $DC(s_d)$ is the cost for the defender to clean $s_d$ attack flows. Assuming the defense cost is linear in the number of attack flows the defender chooses to clean, $DC(s_d) = \beta s_d$, $0 \le s_d \le g$.
From the above definitions the following theorems can be derived.
Theorem 1. Assume the attacker randomly selects $s_a$ of the $g$ attack flows to launch the attack and the defender randomly selects $s_d$ flows to clean; then the sum over all attack and defense states of the number of flows selected by the attacker is [equation image not extracted].
Theorem 2. Assume the attacker randomly selects $s_a$ of the $g$ attack flows to launch the attack and the defender randomly selects $s_d$ flows to clean; then the sum over all attack and defense states of the number of attack flows the defender successfully defends is [equation image not extracted].
In the TSG, if the attacker randomly selects $s_a$ attack flows to launch the attack, the probability of each attack state is [equation image not extracted]; if the defender randomly selects $s_d$ attack flows to clean, the probability of each defense state is [equation image not extracted].
Theorem 3. Assume the attacker randomly selects $s_a$ of the $g$ attack flows to launch the attack and the defender randomly selects $s_d$ attack flows to clean; then the attacker's expected revenue is $E_a(s_a, s_d) = \lambda s_a (g - s_d)/g$.
Theorem 4. Assume the attacker randomly selects $s_a$ of the $g$ attack flows to launch the attack and the defender randomly selects $s_d$ attack flows to clean; then the defender's expected revenue is $E_d(s_a, s_d) = \mu s_a (s_d/g)$.
In summary, the attacker utility function is
$u_a(s_a, s_d) = E_a(s_a, s_d) - AC(s_a) = \lambda s_a (g - s_d)/g - \alpha s_a$
and the defender utility function is
$u_d(s_a, s_d) = E_d(s_a, s_d) - DC(s_d) = \mu s_a (s_d/g) - \beta s_d$.
From $u_a$ and $u_d$ the utility matrices of the two parties are obtained, and the Nash equilibrium solution of the TSG is solved from the utility matrices. The invention designs the algorithms psNE and msNE to solve the pure-strategy Nash equilibrium and the mixed-strategy Nash equilibrium respectively, as shown in Algorithm 1 and Algorithm 2. Algorithm 1 first initializes the attack strategy set and the defense strategy set (1-2); then it initializes the utility functions of the two parties from the game parameters (3-4) and uses them to generate the utility matrices of the two parties; finally it solves for a pure-strategy Nash equilibrium using the maxima of the two utility matrices (5-8), returning the equilibrium if one exists and returning null otherwise (9-12). Algorithm 2 solves the mixed strategy of the game using linear programming.
The tsgine algorithm gives the Nash equilibrium solution of the TSG game from the pure-strategy and mixed-strategy Nash equilibria, as shown in Algorithm 3: if a pure-strategy Nash equilibrium exists it is returned; otherwise the mixed-strategy Nash equilibrium is returned.
Algorithm 1: pure-strategy Nash equilibrium solving algorithm for the TSG game [algorithm listing image not extracted]
Algorithm 2: mixed-strategy Nash equilibrium solving algorithm for the TSG game [algorithm listing images not extracted]
Algorithm 3: Nash equilibrium algorithm for the TSG game [algorithm listing image not extracted]
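The game solved by Algorithms 1 to 3 can be made concrete with a small worked example. The following Python is added here and is not code from the patent or its inventors. It builds $U_a$ and $U_d$ from the page's utility functions $u_a$ and $u_d$ for an attack flow set of size g, finds pure-strategy Nash equilibria with the best-response (maximum-entry) check the text describes for Algorithm 1, and, when none exists, finds a mixed equilibrium. For the mixed case it uses support enumeration over two-point supports rather than the page's linear program (whose listing was not extracted); that choice and the numeric parameters (g = 4, λ = μ = 1, α and β near 0.5) are assumptions constructed for the example.

```python
"""Added example, not code from the patent: build the TSG utility matrices from the
utility functions on this page and search for a Nash equilibrium, pure strategies
first (a best-response check on both matrices), then mixed strategies. The mixed
search uses 2-point support enumeration, an assumption standing in for the page's
linear-programming Algorithm 2, whose listing was not extracted."""
from itertools import combinations

EPS = 1e-9  # tolerance for floating-point indifference checks


def utility_matrices(g, lam, alpha, mu, beta):
    """U_a[s_a][s_d] = lam*s_a*(g-s_d)/g - alpha*s_a
       U_d[s_a][s_d] = mu*s_a*(s_d/g) - beta*s_d, for s_a, s_d in 0..g."""
    n = g + 1
    ua = [[lam * sa * (g - sd) / g - alpha * sa for sd in range(n)] for sa in range(n)]
    ud = [[mu * sa * (sd / g) - beta * sd for sd in range(n)] for sa in range(n)]
    return ua, ud


def pure_nash(ua, ud):
    """Pure-strategy equilibria: (s_a, s_d) where s_a is a column maximum of U_a
    (attacker best response) and s_d is a row maximum of U_d (defender best response)."""
    n = len(ua)
    result = []
    for sa in range(n):
        for sd in range(n):
            col_max = max(ua[i][sd] for i in range(n))
            row_max = max(ud[sa][j] for j in range(n))
            if ua[sa][sd] >= col_max - EPS and ud[sa][sd] >= row_max - EPS:
                result.append((sa, sd))
    return result


def _indifference_mix(ua, ud, i, j, k, l):
    """For attacker support {i, j} and defender support {k, l}, solve the two 2x2
    indifference conditions. Returns (p, q) with p = P(attacker plays i) and
    q = P(defender plays k), or None if no strictly mixed solution exists."""
    den = (ud[i][k] - ud[i][l]) - (ud[j][k] - ud[j][l])  # defender indifferent between k, l
    if abs(den) < EPS:
        return None
    p = (ud[j][l] - ud[j][k]) / den
    den = (ua[i][k] - ua[j][k]) - (ua[i][l] - ua[j][l])  # attacker indifferent between i, j
    if abs(den) < EPS:
        return None
    q = (ua[j][l] - ua[i][l]) / den
    if not (EPS < p < 1 - EPS and EPS < q < 1 - EPS):
        return None
    return p, q


def mixed_nash(ua, ud):
    """First 2-point-support profile at which neither player gains by deviating
    to any pure strategy. Returns ({s_a: prob}, {s_d: prob}) or None."""
    n = len(ua)
    for i, j in combinations(range(n), 2):
        for k, l in combinations(range(n), 2):
            sol = _indifference_mix(ua, ud, i, j, k, l)
            if sol is None:
                continue
            p, q = sol
            # expected utility of every pure strategy against the opponent's mix
            e_a = [q * ua[sa][k] + (1 - q) * ua[sa][l] for sa in range(n)]
            e_d = [p * ud[i][sd] + (1 - p) * ud[j][sd] for sd in range(n)]
            if max(e_a) <= e_a[i] + EPS and max(e_d) <= e_d[k] + EPS:
                return {i: p, j: 1 - p}, {k: q, l: 1 - q}
    return None


def solve_tsg(g, lam, alpha, mu, beta):
    """Pure equilibria if any exist (the order Algorithm 3 uses), else a mixed one."""
    ua, ud = utility_matrices(g, lam, alpha, mu, beta)
    pure = pure_nash(ua, ud)
    if pure:
        return "pure", pure
    return "mixed", mixed_nash(ua, ud)


if __name__ == "__main__":
    # constructed parameters: g = 4 attack flows, unit profit weights, cost weights 0.5 / 0.4
    print(solve_tsg(4, 1.0, 0.5, 1.0, 0.5))
    print(solve_tsg(4, 1.0, 0.4, 1.0, 0.5))
```

With λ = 1, α = 0.5, μ = 1, β = 0.5 the game has the pure equilibrium (2, 2): the defender cleans exactly half of the four flows and every attacker choice then yields zero utility. With α = 0.4 no pure equilibrium exists and the solver returns a mixed one in which the defender cleans 3 flows with probability 0.8 and none otherwise, a mix whose mean g(1 - α/λ) = 2.4 cleaned flows is what the periodic random-subset step of the DTS loop would then sample from.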
Further, the data plane consists of P4 switches and traffic cleaning VNFs. The P4 switch forwards network traffic, detects and identifies attack flows according to the traffic processing logic configured by the controller, and cleans the attack flows according to the cleaning rules. Attack flows that cannot be cleaned with match-action processing are sent by the P4 switch to the traffic cleaning server for processing. The traffic cleaning server sends such traffic to the designated traffic cleaning VNF; the VNFs are implemented with DPDK, which allows customized attack traffic cleaning tasks.
The P4 switch has a high packet processing rate and throughput, supports stateful packet processing, and can clean traffic at high speed inside the network; but because the packet processing logic it can implement is limited, only some types of attack traffic can be cleaned with match-action processing. The traffic cleaning engine is therefore built by combining the P4 switch with VNFs, and is deployed in the network in a distributed and flexible way.
As shown in Fig. 3, each P4 switch in the DTS is connected to an independent traffic cleaning server, and the traffic cleaning server can dynamically deploy cleaning VNFs that cooperate with the P4 switch to complete the cleaning of traffic. Both are managed and controlled centrally by the SDN controller and together form the traffic cleaning engine. The SDN controller configures the traffic cleaning engine according to the network state and the defense strategy to clean the attack traffic.
LFA traffic cleaning rules can be divided into two categories depending on whether they can be translated into the match-action pattern. Cleaning logic that can be converted into the match-action pattern is translated into equivalent packet processing logic supported by the switch, written in the P4 data plane programming language, and deployed on the data plane; cleaning logic that cannot be realized with match-action is implemented in software and deployed flexibly in the network as VNFs, which complete the traffic cleaning together with the programmable switch. To reduce the load on the switches and the traffic cleaning server, the SDN controller deploys traffic cleaning rules and VNFs on several nodes in the network according to the free flow table space of the switches on the attack traffic path, so that the load is balanced among the switches.
Further, as shown in Fig. 4, the traffic cleaning server includes a traffic inlet, a traffic outlet, a traffic-VNF table, and a plurality of traffic cleaning VNFs. The traffic inlet receives the traffic to be cleaned that the P4 programmable switch sends. The SDN controller manages the traffic-VNF table and the traffic cleaning VNFs through the VNF management southbound interface. The traffic-VNF table is responsible for flow matching and forwarding: it forwards a flow to a specific traffic cleaning VNF by table lookup. Each traffic cleaning VNF is responsible for cleaning a particular type of attack traffic and can be dynamically added and deleted by the SDN controller. The cleaned traffic is returned to the P4 programmable switch through the traffic outlet.
The invention also discloses a dynamic link flooding attack traffic cleaning method, implemented on any of the dynamic link flooding attack traffic cleaning systems above, and comprising the following steps:
the defender configures the programmable switch according to the type of the attack traffic;
the defender constructs an optimal cleaning strategy from the game equilibrium;
and the defender installs the corresponding number of traffic cleaning VNFs on the traffic cleaning server, dynamically deploys traffic cleaning rules in the network, and cleans the attack traffic with the programmable switch and the VNFs together.
Further, the method also comprises the following step:
at every fixed period, randomly selecting a subset of the attack flow set to defend against according to the optimal cleaning strategy.
Since the dynamic link flooding attack traffic cleaning method of this embodiment corresponds to the dynamic link flooding attack traffic cleaning system of the embodiment above, its description is relatively brief; for the corresponding details, refer to the description of the system in the embodiment above, which is not repeated here.
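As an added illustration of the method's periodic step (not code from the patent or its inventors), the Python below runs one fixed period of the DTS loop: it draws s_d from the defender's strategy (for example the mixed Nash equilibrium over s_d), randomly selects that many flows from the attack flow set, splits them into cleaning rules the P4 switch can express as match-action entries and flows handed to a VNF, places the switch rules on the path switches by free flow table space, and computes which rules to delete and install relative to the previous period. The attack flow records, the set of flows marked as needing a VNF, the greedy "most free space first" placement and the per-period diff are all assumptions constructed for this example.

```python
"""Added example, not code from the patent: one fixed period of the DTS loop. The
defender draws s_d from its (equilibrium) strategy, picks a random subset of the
attack flow set, sends flows whose cleaning logic is match-action to switch rules
and the rest to VNFs, places switch rules on the attack path by free flow-table
space, and computes what to delete/install relative to the previous period. Flow
records, the needs_vnf set, the greedy placement rule and the diff are constructed."""
import random


def draw_s_d(strategy, rng):
    """Sample the number of flows to clean from {s_d: probability}."""
    values, weights = zip(*sorted(strategy.items()))
    return rng.choices(values, weights=weights, k=1)[0]


def select_subset(attack_flows, s_d, rng):
    """MTD step: a fresh random subset of the attack flow set each period."""
    pool = sorted(attack_flows)
    return rng.sample(pool, k=min(s_d, len(pool)))


def split_rules(chosen, needs_vnf):
    """Flows in needs_vnf cannot be cleaned with match-action and go to a VNF."""
    switch_rules = [f for f in chosen if f not in needs_vnf]
    vnf_flows = [f for f in chosen if f in needs_vnf]
    return switch_rules, vnf_flows


def place_rules(switch_rules, free_space):
    """Greedy balancing (an assumption): each rule goes to the path switch with the
    most free flow-table entries; rules that fit nowhere are reported as overflow."""
    space = dict(free_space)
    placement = {sw: [] for sw in space}
    overflow = []
    for rule in switch_rules:
        sw = max(space, key=space.get)
        if space[sw] <= 0:
            overflow.append(rule)
            continue
        placement[sw].append(rule)
        space[sw] -= 1
    return placement, overflow


def rule_diff(previous, current):
    """Entries to delete and to install so only changed rules touch the switch."""
    prev, cur = set(previous), set(current)
    return sorted(prev - cur), sorted(cur - prev)


def run_period(attack_flows, strategy, needs_vnf, free_space, previous, seed):
    """One fixed period of the DTS loop; the seed makes the draw reproducible."""
    rng = random.Random(seed)
    s_d = draw_s_d(strategy, rng)
    chosen = select_subset(attack_flows, s_d, rng)
    switch_rules, vnf_flows = split_rules(chosen, needs_vnf)
    placement, overflow = place_rules(switch_rules, free_space)
    delete, install = rule_diff(previous, switch_rules)
    return {"s_d": s_d, "chosen": chosen, "switch_rules": switch_rules,
            "vnf_flows": vnf_flows, "placement": placement, "overflow": overflow,
            "delete": delete, "install": install}


# constructed attack flow set: (src, dst, proto) keys of flows the attack sensing
# module reported on the congested link; two are marked as needing a VNF
ATTACK_FLOWS = [("10.0.1.%d" % i, "10.0.9.1", "udp") for i in range(1, 9)]
NEEDS_VNF = {ATTACK_FLOWS[2], ATTACK_FLOWS[5]}
STRATEGY = {2: 0.4, 6: 0.6}                  # constructed defender mix over s_d
FREE_SPACE = {"sw1": 3, "sw2": 2, "sw3": 1}  # free entries per switch on the path

if __name__ == "__main__":
    prev = []
    for period in range(3):
        out = run_period(ATTACK_FLOWS, STRATEGY, NEEDS_VNF, FREE_SPACE, prev, seed=period)
        print(period, out["s_d"], "install", len(out["install"]),
              "delete", len(out["delete"]), "overflow", out["overflow"])
        prev = out["switch_rules"]
```

Two practical points the loop makes visible: the random draw is seeded per period so an operator can reproduce a given deployment when investigating an incident, and the per-period diff keeps the number of P4Runtime table writes proportional to what actually changed rather than to the whole rule set.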
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (7)

1. A dynamic link flooding attack traffic cleaning system, characterized by comprising a control plane and a data plane, wherein the control plane and the data plane exchange data through a southbound interface, and the southbound interface comprises P4Runtime and a virtualized network function management southbound interface;
the control plane comprises an SDN controller;
the data plane comprises a P4 programmable switch and a traffic cleaning server; the P4 programmable switch exchanges data with the SDN controller through P4Runtime, and the traffic cleaning server exchanges data with the SDN controller through a VNF management southbound interface;
the P4 programmable switch is used for forwarding network traffic, detecting and identifying attack flows according to a defense strategy and traffic cleaning rules issued by the SDN controller, and cleaning the attack flows according to the cleaning rules;
and the traffic cleaning server receives the attack flows that the P4 programmable switch sends and cannot clean with match-action processing, and sends them to the designated traffic cleaning VNF for processing.
2. The system according to claim 1, wherein the traffic cleaning server comprises a traffic inlet, a traffic outlet, a traffic-VNF table, and a plurality of traffic cleaning VNFs;
the traffic inlet is used for receiving the traffic to be cleaned sent by the P4 programmable switch;
the traffic-VNF table is used for matching flows and forwarding them, a flow being forwarded to a specific traffic cleaning VNF by table lookup;
the traffic cleaning VNF is used for cleaning a particular type of attack traffic;
the traffic outlet is used for returning the cleaned traffic to the P4 programmable switch;
and the SDN controller manages the traffic-VNF table and the traffic cleaning VNFs through the VNF management southbound interface, and dynamically adds and deletes traffic cleaning VNFs.
3. The system according to claim 1, wherein the control plane further comprises an attack sensing module, a strategy generation module, a switch management module, a flow table management module and a VNF management module;
the attack sensing module is used for sensing the state of every link in the network and discovering attacked network links;
the strategy generation module is used for analyzing the LFA attack and defense game with game theory according to the attack and defense state and calculating an optimal cleaning strategy;
the switch management module is used for managing the packet processing logic of the P4 programmable switch;
the flow table management module is used for configuring the P4 programmable switch according to the defense strategy and installing traffic cleaning rules on the P4 programmable switch;
and the VNF management module is used for installing or deleting traffic cleaning VNFs on the data plane according to the attack traffic type.
4. The system according to claim 3, wherein the policy generation module computes the optimal cleaning strategy by analysing the LFA attack-defense game with game theory according to the attack and defense states, which comprises:
constructing a traffic cleaning game TSG from the attack strategy and the defense strategy acquired by the attack sensing module, where TSG is the quadruple $\mathrm{TSG} = \{N, S, D, U\}$ in which:
(1) $N = \{A, D\}$ is the player set, where $A$ is the attacker and $D$ is the defender;
(2) $S_a$ (Figure FDA0003883246790000021) is the attacker's strategy space; for $s_a \in S_a$ (Figure FDA0003883246790000022), $0 \le s_a \le g$, which represents the total number of attack flows selected by the attacker;
(3) $S_d$ (Figure FDA0003883246790000023) is the defender's strategy space; for $s_d \in S_d$ (Figure FDA0003883246790000024), $0 \le s_d \le g$, which represents the number of attack flows the defender can select to clean;
(4) $U = \{U_a, U_d\}$ is the set of the players' utility matrices, where $U_a$ and $U_d$ are the utility matrices of the attacker and of the defender respectively and can be expressed as (Figure FDA0003883246790000025) and (Figure FDA0003883246790000026), in which (Figure FDA0003883246790000027) and (Figure FDA0003883246790000028) respectively denote the utility of the attacker and of the defender when the attacker selects strategy (Figure FDA0003883246790000029) and the defender selects strategy (Figure FDA00038832467900000210);
constructing the attacker utility function as follows:
$$u_a(s_a, s_d) = E_a(s_a, s_d) - AC(s_a) = \lambda \cdot s_a \cdot (g - s_d)/g - \alpha s_a$$
where $E_a(s_a, s_d)$ is the attack revenue, $AC(s_a)$ is the attack cost, $\lambda$ is the weight with which an uncleaned attack flow generates revenue for the attacker, $g$ is the size of the attack flow set, and $\alpha$ is the cost weight of an attack flow;
constructing the defender utility function as follows:
$$u_d(s_a, s_d) = E_d(s_a, s_d) - DC(s_d) = \mu \cdot s_a \cdot (s_d/g) - \beta s_d$$
where $E_d(s_a, s_d)$ is the defense revenue, $DC(s_d)$ is the defense cost, $\mu$ is the weight with which a cleaned flow generates revenue for the defender, and $\beta$ is the cost weight of cleaning an attack flow;
and solving the pure-strategy Nash equilibrium and the mixed-strategy Nash equilibrium of the TSG using the attacker utility matrix and the defender utility matrix, to obtain the defender's optimal cleaning strategy.
5. The system according to claim 1, wherein each P4 programmable switch, as a network node, is connected to a separate flow cleaning server.
6. A dynamic link flooding attack flow cleaning method, implemented on the dynamic link flooding attack flow cleaning system of any one of claims 1 to 5, comprising the steps of:
the defender configures the programmable switch according to the attack traffic type;
the defender constructs the optimal cleaning strategy using the game equilibrium;
and the defender installs the corresponding number of flow cleaning VNFs on the flow cleaning server, dynamically deploys flow cleaning rules in the network, and cleans the attack flow by combining the programmable switch and the VNFs.
7. The method of claim 6, further comprising the step of:
randomly selecting, at every fixed period and according to the optimal cleaning strategy, a subset of the attack flow set for defense.
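As an added worked example (my own code, not part of the patent), the utility functions of claim 4 are evaluated for a constructed parameter set, the pure-strategy Nash equilibria of the resulting utility matrices are enumerated, a mixed equilibrium is derived on the support {0, g} (my derivation, valid because each utility is linear in the player's own choice), and the per-period random subset selection of claim 7 is implemented. The weights λ, α, μ, β and the flow-set size g = 4 are constructed values.

```python
import random

# Constructed example values (not from the patent): utility weights and flow-set size g.
PARAMS = dict(lam=1.0, alpha=0.2, mu=1.0, beta=0.3)
G = 4

def u_a(s_a, s_d, g, lam, alpha, **_):
    """Attacker utility of claim 4: E_a(s_a, s_d) - AC(s_a)."""
    return lam * s_a * (g - s_d) / g - alpha * s_a

def u_d(s_a, s_d, g, mu, beta, **_):
    """Defender utility of claim 4: E_d(s_a, s_d) - DC(s_d)."""
    return mu * s_a * (s_d / g) - beta * s_d

def utility_matrices(g=G, **params):
    """U_a[i][j] and U_d[i][j] for s_a = i, s_d = j, with 0 <= i, j <= g."""
    rng = range(g + 1)
    U_a = [[u_a(i, j, g, **params) for j in rng] for i in rng]
    U_d = [[u_d(i, j, g, **params) for j in rng] for i in rng]
    return U_a, U_d

def pure_nash(U_a, U_d):
    """All (s_a, s_d) where each side's choice is a best response to the other's."""
    n = len(U_a)
    best_a = [max(U_a[i][j] for i in range(n)) for j in range(n)]  # best row per column
    best_d = [max(row) for row in U_d]                              # best column per row
    return [(i, j) for i in range(n) for j in range(n)
            if U_a[i][j] == best_a[j] and U_d[i][j] == best_d[i]]

def mixed_nash_on_extremes(lam, alpha, mu, beta, **_):
    """Mixed equilibrium on the support {0, g} for both players (my derivation, not the
    patent's). Each utility is linear in the player's own choice, so once the opponent's
    mix makes the player indifferent between 0 and g, every s in 0..g is equally good and
    no deviation pays. Returns (p, q) with p = P(s_a = g), q = P(s_d = g), or None."""
    p, q = beta / mu, 1 - alpha / lam
    return (p, q) if 0 < p < 1 and 0 < q < 1 else None

def choose_cleaning_subset(flow_ids, s_d, rng=random):
    """Claim 7: each period, randomly pick s_d flows of the attack flow set to clean."""
    return sorted(rng.sample(list(flow_ids), s_d))

if __name__ == "__main__":
    U_a, U_d = utility_matrices(G, **PARAMS)
    print("pure NE:", pure_nash(U_a, U_d))                        # []
    print("mixed NE (p, q):", mixed_nash_on_extremes(**PARAMS))   # (0.3, 0.8)
    cheap = dict(PARAMS, mu=0.2)  # cleaning revenue below its cost: defender never cleans
    print("pure NE, cheap cleaning:", pure_nash(*utility_matrices(G, **cheap)))  # [(4, 0)]
```

With the first parameter set no pure equilibrium exists (the best responses cycle), which is why claim 4 also solves the mixed-strategy equilibrium; the mixed result q = 0.8 is the probability with which the defender cleans the whole set in a given period.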
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211236647.5A CN115834459B (en) 2022-10-10 2022-10-10 Dynamic cleaning system and method for link flooding attack flow

Publications (2)

Publication Number Publication Date
CN115834459A (en) 2023-03-21
CN115834459B (en) 2024-03-26

Family ID: 85524525

Country Status (1)

Country Link
CN (1) CN115834459B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109491668A (en) * 2018-10-11 2019-03-19 浙江工商大学 A kind of the mimicry defence framework and method of SDN/NFV service arrangement
US20200099625A1 (en) * 2018-09-24 2020-03-26 Netsia, Inc. Path determination method and system for delay-optimized service function chaining
CN111447182A (en) * 2020-03-05 2020-07-24 清华大学 Method for defending link flooding attack and method for simulating link flooding attack
WO2020199780A1 (en) * 2019-04-04 2020-10-08 中兴通讯股份有限公司 Traffic collection method and device, network apparatus and storage medium
CN113411351A (en) * 2021-06-07 2021-09-17 中国人民解放军空军工程大学 DDoS attack elastic defense method based on NFV and deep learning
US20220030031A1 (en) * 2018-11-26 2022-01-27 The University Of Akron 3s-chain: smart, secure, and software-defined networking (sdn)-powered blockchain-powered networking and monitoring system
CN114422235A (en) * 2022-01-18 2022-04-29 福州大学 P4-based industrial internet hidden attack defense method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
徐建峰; 王利明; 徐震: "A survey of resource-consumption attacks and defenses in software-defined networks", 信息安全学报, no. 04, 15 July 2020 (2020-07-15) *
马铮; 张小梅; 夏俊杰; 王光全: "A brief analysis of SDN-based DDoS defense systems", 邮电设计技术, no. 01, 20 January 2016 (2016-01-20) *

Also Published As

Publication number Publication date
CN115834459B (en) 2024-03-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant