CN115834459B - Dynamic cleaning system and method for link flooding attack flow - Google Patents

Info

Publication number: CN115834459B
Authority: CN (China)
Prior art keywords: traffic, attack, cleaning, flow, strategy
Legal status: Active
Application number: CN202211236647.5A
Other languages: Chinese (zh)
Other versions: CN115834459A
Inventors: 赵正, 赵奇, 范晓娅, 毛倩, 刘洪波, 李沐南, 王野, 解泽强, 丰宇凡, 蔡博宇
Current assignee: Dalian Maritime University
Original assignee: Dalian Maritime University
Application filed by Dalian Maritime University
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a dynamic cleaning system and method for link flooding attack traffic. The system comprises a control plane and a data plane that exchange data through a southbound interface, which comprises P4Runtime and a VNF management southbound interface. The control plane comprises an SDN controller; the data plane comprises a P4 programmable switch and a traffic cleaning server. The P4 programmable switch forwards network traffic, detects and identifies attack flows according to the defense strategy and flow cleaning rules issued by the SDN controller, and cleans the attack flows according to the cleaning rules. The traffic cleaning server receives the attack flows sent by the P4 programmable switch that cannot be cleaned in match-action mode and sends them to the designated traffic cleaning VNF for processing. The invention dynamically cleans LFA traffic based on the P4 switch and the traffic cleaning VNFs.

Description

Dynamic cleaning system and method for link flooding attack flow
Technical Field
The invention relates to the technical field of network security, in particular to a dynamic cleaning system and method for link flooding attack flow.
Background
Link flooding attacks (LFA), such as Coremelt and Crossfire, are a typical type of network attack that cuts off a target network's connection to the internet by flooding critical network links, causing large-area network paralysis and extremely severe harm to cyberspace. Between 2013 and 2022 the internet suffered many large-scale LFAs, causing numerous internet service interruptions and incalculable losses.
The main defenses against LFA currently fall into three types: attack traffic detection, rerouting, and traffic cleaning. Traffic cleaning discards the attack traffic directly at the edge or inside the network and can effectively reduce its impact on the network. However, conventional traffic cleaning relies on prior knowledge of the attack, is seriously lagging and static, is easily identified and bypassed by an attacker, and has difficulty coping effectively with organized, high-intensity, dynamic LFAs.
Disclosure of Invention
The invention provides a dynamic traffic cleaning system and method for link flooding attacks. It introduces the idea of moving target defense (MTD) into traffic cleaning: by periodically and dynamically deploying cleaning rules, an attacker is prevented from launching an effective attack, and by analyzing the LFA attack-defense game with game theory an optimal defense strategy is obtained, so that dynamic LFAs are resisted effectively at low added cost.
The invention adopts the following technical means:
the invention provides a dynamic cleaning system for link flooding attack traffic, comprising a control plane and a data plane that exchange data through a southbound interface, the southbound interface comprising P4Runtime and a virtualized network function (VNF) management southbound interface;
the control plane comprises an SDN controller;
the data plane comprises a P4 programmable switch and a traffic cleaning server, where the P4 programmable switch exchanges data with the SDN controller through P4Runtime and the traffic cleaning server exchanges data with the SDN controller through the VNF management southbound interface;
the P4 programmable switch forwards network traffic, detects and identifies attack flows according to the defense strategy and flow cleaning rules issued by the SDN controller, and cleans the attack flows according to the cleaning rules;
and the traffic cleaning server receives the attack flows sent by the P4 programmable switch that cannot be cleaned in match-action mode and sends them to the designated traffic cleaning VNF for processing.
Further, the traffic cleaning server includes a traffic inlet, a traffic outlet, a traffic-VNF table, and a plurality of traffic cleaning VNFs;
the traffic inlet receives the traffic to be cleaned sent by the P4 programmable switch;
the traffic-VNF table implements traffic matching and delivery, delivering traffic to a specific traffic cleaning VNF through a table lookup;
each traffic cleaning VNF cleans a specific type of attack traffic;
the traffic outlet returns the cleaned traffic to the P4 programmable switch;
the SDN controller manages the traffic-VNF table and the traffic cleaning VNFs through the VNF management southbound interface, dynamically adding and deleting traffic cleaning VNFs.
Further, the control plane further includes an attack sensing module, a strategy generation module, a switch management module, a flow table management module and a VNF management module;
the attack sensing module senses the state of all links in the network and discovers the links under attack;
the strategy generation module constructs the attack-defense state from the sensed attack and defense status, analyzes the LFA attack-defense game based on game theory, and calculates the optimal cleaning strategy;
the switch management module manages the packet processing logic of the P4 programmable switch;
the flow table management module configures the P4 programmable switch according to the defense strategy and installs flow cleaning rules on it;
the VNF management module installs/deletes traffic cleaning VNFs on the data plane according to the attack traffic type.
Further, the strategy generation module analyzes the LFA attack-defense game based on game theory according to the attack and defense state and calculates the optimal cleaning strategy as follows:
a traffic scrubbing game TSG is constructed from the attack strategy and defense strategy obtained by the attack sensing module, where the TSG is a four-tuple TSG = {N, S, D, U} in which
(5) N = {A, D} is the player space, where A is the attacker and D is the defender;
(6) $S_a$ is the attacker strategy space; for $s_a \in S_a$, $0 \le s_a \le g$, and $s_a$ denotes the number of attack flows selected by the attacker;
(7) $S_d$ is the defender strategy space; for $s_d \in S_d$, $0 \le s_d \le g$, and $s_d$ denotes the number of attack flows the defender can select for cleaning;
(8) $U = \{U_a, U_d\}$ is the set of player utility matrices, where $U_a$ and $U_d$ are the utility matrices of the attacker and the defender respectively, each indexed by the attacker's strategy and the defender's strategy;
the entries of $U_a$ and $U_d$ give the utilities of the attacker and the defender, respectively, when the attacker selects a given strategy and the defender selects a given strategy;
the attacker utility function is constructed as
$$u_a(s_a, s_d) = E_a(s_a, s_d) - AC(s_a) = \lambda \, s_a \, \frac{g - s_d}{g} - \alpha s_a$$
where $E_a(s_a, s_d)$ is the attack benefit, $AC(s_a)$ the attack cost, $\lambda$ the weight with which an uncleaned attack flow generates benefit for the attacker, $g$ the size of the attack flow set, and $\alpha$ the cost weight per attack flow;
the defender utility function is constructed as
$$u_d(s_a, s_d) = E_d(s_a, s_d) - DC(s_d) = \mu \, s_a \, \frac{s_d}{g} - \beta s_d$$
where $E_d(s_a, s_d)$ is the defense benefit, $DC(s_d)$ the defense cost, $\mu$ the weight with which a cleaned flow generates benefit for the defender, and $\beta$ the cost weight of cleaning an attack flow;
according to the attacker and defender utility matrices, the pure-strategy Nash equilibrium and the mixed-strategy Nash equilibrium of the TSG are solved using the utility matrices, yielding the defender's optimal cleaning strategy.
Further, each P4 programmable switch, as a network node, is connected to an independent traffic cleaning server.
The invention also provides a dynamic cleaning method for link flooding attack traffic, implemented on the dynamic cleaning system for link flooding attack traffic above, comprising the following steps:
the defender configures the programmable switch according to the attack traffic class;
the defender constructs the optimal cleaning strategy using the game equilibrium;
the defender installs traffic cleaning VNFs on the traffic cleaning server and dynamically deploys traffic cleaning rules in the network, combining the programmable switch and the VNFs to clean the attack traffic.
Further, the method also comprises the following step:
at every fixed period, a subset of the attack flow set is randomly selected for defense according to the optimal cleaning strategy.
Compared with the prior art, the invention has the following advantages:
the MTD concept is introduced into traffic cleaning, and attack traffic is cleaned dynamically in a programmable data plane network environment, so that an attacker finds it difficult to form an effective attack. Specifically:
first, an LFA traffic cleaning architecture based on the P4 language and virtualized network functions (VNF) is constructed, and the programmable data plane is used to clean various kinds of LFA attack traffic locally within the network;
second, a dynamic traffic scrubbing (DTS) method based on MTD is provided: at every fixed period a subset of the attack flow set is randomly selected for defense according to the defense strategy, so the traffic on which cleaning rules are deployed is chosen dynamically and an attacker cannot launch a targeted attack;
finally, an LFA attack traffic dynamic cleaning method is provided, in which dynamically deploying traffic cleaning rules in the network prevents an attacker from launching an effective LFA.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
Fig. 1 is the DTS framework in an embodiment of the invention.
Fig. 2 is a DTS system architecture according to an embodiment of the present invention.
FIG. 3 is a flow cleaning engine architecture according to an embodiment of the present invention.
FIG. 4 is a flow cleaning server architecture according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
Defending against a high-intensity LFA requires deploying a large number of cleaning rules, yet the defender can only clean part of the attack traffic because switch flow table space is limited. An attacker can therefore avoid being cleaned and prolong the attack by adjusting the attack flows. Conversely, if the defender constantly and randomly changes the target flows it cleans, the attacker is prevented from adjusting the attack flows in a targeted way under the limited flow table space, so the attack cannot achieve its effect.
The DTS framework proposed in this application is shown in Fig. 1, where each node of the network is a programmable switch connected to an independent traffic cleaning server. The attacker uses the botnet hosts it controls to send a large amount of attack traffic to the target link in order to congest it. The defender configures the programmable switches according to the attack traffic category, installs traffic cleaning VNFs on the traffic cleaning servers, dynamically deploys traffic cleaning rules in the network, and cleans the attack traffic by combining the programmable switches and the VNFs. The attacker periodically adjusts the attack traffic to avoid being cleaned. Assuming that both sides know each other's information and act without a fixed order, the LFA attack and defense form a complete-information static game, and the defender can construct the optimal cleaning strategy from the game equilibrium.
To achieve the above functions, the invention provides a dynamic cleaning system for link flooding attack traffic comprising a control plane and a data plane that exchange data through a southbound interface, the southbound interface comprising P4Runtime and a VNF management southbound interface.
Specifically, this application designs a P4-based LFA traffic dynamic cleaning system, DTS, whose architecture is shown in Fig. 2. The DTS architecture is divided into a control plane, a data plane and a southbound interface, where the southbound interface uses P4Runtime and the VNF management southbound interface. The control plane consists of an SDN controller and five core modules: the attack sensing module senses the state of all network links and discovers the links under attack; the strategy generation module analyzes the LFA attack-defense game based on game theory according to the attack and defense state and calculates the optimal cleaning strategy; the switch management module manages the packet processing logic of the P4 switches; the flow table management module configures the P4 switches according to the defense strategy and installs flow cleaning rules on them; and the VNF management module installs/deletes traffic cleaning VNFs in the data plane according to the attack traffic type.
Specifically, in the LFA attack-defense game an attacker launches and continuously adjusts attack flows to form the attack, while the defender selects part of the attack flows to clean so that the attacker cannot achieve the attack effect. The benefit of each side is affected by the other side's strategy, and each side takes the actions that favour it in order to maximize its own benefit. Assuming both sides know the other's information and act without a fixed order, the process can be modeled as a complete-information static game. According to game theory, a Nash equilibrium is the equilibrium solution of the game: neither side can obtain a higher benefit by unilaterally deviating from it. The Nash equilibrium solution is therefore the defender's optimal cleaning strategy. From the above analysis a traffic scrubbing game TSG (Traffic Scrubbing Game) can be constructed. Specifically:
Definition 1. TSG is a four-tuple TSG = {N, S, D, U}, where
(1) N = {A, D} is the attack-defense game participant space, where A is the attacker and D is the defender;
(2) $S_a$ is the attacker strategy space; for $s_a \in S_a$, $0 \le s_a \le g$, and $s_a$ denotes the number of attack flows selected by the attacker;
(3) $S_d$ is the defender strategy space; for $s_d \in S_d$, $0 \le s_d \le g$, and $s_d$ denotes the number of attack flows the defender can select to clean;
(4) $U = \{U_a, U_d\}$ is the set of participant utility matrices; the attacker's and defender's utility matrices $U_a$ and $U_d$ can be expressed as formula (2) and formula (3), respectively.
The entries of $U_a$ and $U_d$ give the utilities of the attacker and the defender, respectively, when the attacker selects a given strategy and the defender selects a given strategy.
In TSG, attack utility = attack benefit - attack cost, and defense utility = defense benefit - defense cost. To obtain the attack and defense utility matrices, attack benefit, attack cost, defense benefit and defense cost are defined.
Definition 2. Attack benefit $E_a(s_a, s_d)$ is the expected benefit generated by the attack flows that are not cleaned by the defender when the attacker selects $s_a$ attack flows to launch the attack and the defender selects $s_d$ attack flows to clean. Let the attack benefit be linear in the number of attack flows not cleaned by the defender, and let the expected number of uncleaned, successful flows be $h_k$; then $E_a(s_a, s_d) = \lambda h_k$, $0 \le s_a \le g$, $0 \le s_d \le g$.
Definition 3. Attack cost $AC(s_a)$ is the cost incurred when the attacker selects $s_a$ attack flows to launch the attack. If the attack cost is linear in the number of attack flows selected by the attacker, then
$AC(s_a) = \alpha s_a$, $0 \le s_a \le g$.
Definition 4. Defense benefit $E_d(s_a, s_d)$ is the expected benefit the defender obtains from successfully cleaning attack flows when the attacker selects $s_a$ attack flows to launch the attack and the defender selects $s_d$ attack flows to clean. The defense benefit is linear in the expected number of cleaned flows; let the expected number of cleaned flows be $h_d$; then $E_d(s_a, s_d) = \mu h_d$, $0 \le s_a \le g$, $0 \le s_d \le g$.
Definition 5. Defense cost $DC(s_d)$ is the cost incurred when the defender selects $s_d$ attack flows to clean. If the defense cost is linear in the number of attack flows the defender selects to clean, then $DC(s_d) = \beta s_d$, $0 \le s_d \le g$.
Based on the above definitions, the following theorems can be derived.
Theorem 1. Assume that an attacker randomly selects $s_a$ of the $g$ attack flows to launch an attack and the defender randomly selects $s_d$ flows to clean; then, over all attack and defense states, the total number of flows selected by the attacker is given by the expression in the original (not reproduced in this text).
Theorem 2. Assume that an attacker randomly selects $s_a$ of the $g$ attack flows to launch an attack and the defender randomly selects $s_d$ flows to clean; then the total number of attack flows the defender successfully cleans over all attack and defense states is given by the expression in the original (not reproduced in this text).
In TSG, if the attacker randomly selects $s_a$ attack flows to launch the attack, every attack state has the same probability; if the defender randomly selects $s_d$ flows to clean, every defense state has the same probability (the closed forms are not reproduced in this text).
Theorem 3. Assume that an attacker randomly selects $s_a$ of the $g$ attack flows to launch an attack and the defender randomly selects $s_d$ attack flows to clean; then the attacker's expected benefit is
$$E_a(s_a, s_d) = \lambda \, s_a \, \frac{g - s_d}{g}.$$
Theorem 4. Assume that an attacker randomly selects $s_a$ of the $g$ attack flows to launch an attack and the defender randomly selects $s_d$ attack flows to clean; then the defender's expected benefit is
$$E_d(s_a, s_d) = \mu \, s_a \, \frac{s_d}{g}.$$
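The expectations in Theorems 3 and 4 come from averaging, over every pair of (attacker subset, defender subset), how many attacked flows evade cleaning and how many are cleaned. The following Python block is an added example and not code from the patent: it enumerates all such states exactly for a small $g$ (using Fractions, so no rounding) and checks the averaged counts against the closed forms $\lambda s_a (g - s_d)/g$ and $\mu s_a s_d / g$. The function names and the sample parameters ($g = 6$, $s_a = 4$, $s_d = 2$) are constructed for this example.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def enumerate_states(g, s_a, s_d):
    """Exactly average, over every (attack subset, cleaning subset) pair,
    the number of attacked flows that evade cleaning and that are cleaned.
    Flows are labelled 0..g-1; an 'attack state' is the attacker's subset
    of size s_a and a 'defense state' the defender's subset of size s_d."""
    flows = range(g)
    total_uncleaned = 0
    total_cleaned = 0
    states = 0
    for attacked in combinations(flows, s_a):
        attacked = set(attacked)
        for cleaned in combinations(flows, s_d):
            cleaned = set(cleaned)
            total_cleaned += len(attacked & cleaned)
            total_uncleaned += len(attacked - cleaned)
            states += 1
    # Under uniform random selection every one of the comb(g, s_a) * comb(g, s_d)
    # states is equally likely, so the expectation is total / number of states.
    assert states == comb(g, s_a) * comb(g, s_d)
    return Fraction(total_uncleaned, states), Fraction(total_cleaned, states)


def attack_benefit(lam, g, s_a, s_d):
    """Theorem 3: E_a(s_a, s_d) = lambda * s_a * (g - s_d) / g."""
    return Fraction(lam) * s_a * Fraction(g - s_d, g)


def defense_benefit(mu, g, s_a, s_d):
    """Theorem 4: E_d(s_a, s_d) = mu * s_a * (s_d / g)."""
    return Fraction(mu) * s_a * Fraction(s_d, g)


def check_theorems(lam, mu, g):
    """True iff the closed forms match exact enumeration for every (s_a, s_d)
    with 0 <= s_a, s_d <= g, and cleaned + uncleaned flows always equal s_a."""
    for s_a in range(g + 1):
        for s_d in range(g + 1):
            h_k, h_d = enumerate_states(g, s_a, s_d)   # h_k, h_d as in Definitions 2 and 4
            if h_k + h_d != s_a:
                return False
            if Fraction(lam) * h_k != attack_benefit(lam, g, s_a, s_d):
                return False
            if Fraction(mu) * h_d != defense_benefit(mu, g, s_a, s_d):
                return False
    return True


if __name__ == "__main__":
    # Constructed sample: g = 6 attack flows, attacker launches 4, defender cleans 2.
    h_k, h_d = enumerate_states(6, 4, 2)
    print("expected uncleaned flows:", h_k)   # 8/3 = 4 * (6 - 2) / 6
    print("expected cleaned flows:  ", h_d)   # 4/3 = 4 * 2 / 6
    print("theorems hold for g = 6:", check_theorems(lam=1, mu=1, g=6))
```

The enumeration is exponential in $g$ and is meant only to confirm the theorems on a toy instance; for a real deployment the closed forms are used directly, as the utility functions below do.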
In summary, the attacker utility function is
$$u_a(s_a, s_d) = E_a(s_a, s_d) - AC(s_a) = \lambda \, s_a \, \frac{g - s_d}{g} - \alpha s_a$$
and the defender utility function is
$$u_d(s_a, s_d) = E_d(s_a, s_d) - DC(s_d) = \mu \, s_a \, \frac{s_d}{g} - \beta s_d$$
From $u_a$ and $u_d$ the utility matrices of both sides are obtained, and the Nash equilibrium solution of the TSG is solved using them. The invention designs the algorithms psNE and msNE to solve the pure-strategy and mixed-strategy Nash equilibria respectively, shown as Algorithm 1 and Algorithm 2. Algorithm 1 first initializes the attack strategy set and the defense strategy set (lines 1-2); it then initializes the utility functions of both sides from the game parameters (lines 3-4) and generates both utility matrices from them; finally it solves the pure-strategy Nash equilibrium using the maximum values of the two utility matrices (lines 5-8), returning the equilibrium solution if one exists and null otherwise (lines 9-12). Algorithm 2 solves the mixed strategy of the game using linear programming.
tsgNE gives the Nash equilibrium solution of the game from the pure-strategy and mixed-strategy Nash equilibria of the TSG, as shown in Algorithm 3: if a pure-strategy Nash equilibrium exists it is returned, otherwise the mixed-strategy Nash equilibrium is returned.
Algorithm 1: pure-strategy Nash equilibrium solving algorithm for the TSG game
Algorithm 2: mixed-strategy Nash equilibrium solving algorithm for the TSG game
Algorithm 3: Nash equilibrium algorithm for the TSG game
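To make the psNE step concrete, the following Python block is an added example rather than the patent's Algorithm 1: it builds $U_a$ and $U_d$ from the utility functions above with exact Fractions, finds every pure-strategy Nash equilibrium by checking that each side's entry is a best response (the "maximum value of the utility matrix" test the text describes), and then performs the DTS step of drawing a fresh random subset of $s_d$ attack flows each period. The mixed-strategy solver (Algorithm 2, linear programming) is not reproduced; when no pure equilibrium exists the example returns None where tsgNE would fall back to it. Function names and the sample parameters ($g = 10$, $\lambda = 1$, $\alpha = 3/10$, $\mu = 1$, $\beta = 4/10$) are constructed for this example.

```python
from fractions import Fraction
import random


def attacker_utility(s_a, s_d, g, lam, alpha):
    """u_a = lambda * s_a * (g - s_d) / g - alpha * s_a, in exact arithmetic."""
    return Fraction(lam) * s_a * Fraction(g - s_d, g) - Fraction(alpha) * s_a


def defender_utility(s_a, s_d, g, mu, beta):
    """u_d = mu * s_a * (s_d / g) - beta * s_d, in exact arithmetic."""
    return Fraction(mu) * s_a * Fraction(s_d, g) - Fraction(beta) * s_d


def utility_matrices(g, lam, alpha, mu, beta):
    """U_a[s_a][s_d] and U_d[s_a][s_d] over the strategy spaces 0..g."""
    strategies = range(g + 1)
    u_a = [[attacker_utility(sa, sd, g, lam, alpha) for sd in strategies] for sa in strategies]
    u_d = [[defender_utility(sa, sd, g, mu, beta) for sd in strategies] for sa in strategies]
    return u_a, u_d


def pure_strategy_ne(u_a, u_d):
    """All (s_a, s_d) pairs in which s_a is a best response to s_d (a column
    maximum of U_a) and s_d a best response to s_a (a row maximum of U_d).
    An empty list means the game has no pure-strategy equilibrium."""
    n = len(u_a)
    col_max_a = [max(u_a[x][sd] for x in range(n)) for sd in range(n)]
    row_max_d = [max(u_d[sa][y] for y in range(n)) for sa in range(n)]
    return [(sa, sd) for sa in range(n) for sd in range(n)
            if u_a[sa][sd] == col_max_a[sd] and u_d[sa][sd] == row_max_d[sa]]


def defender_cleaning_count(g, lam, alpha, mu, beta):
    """The defender's optimal s_d from the pure-strategy equilibrium, or None
    when there is none (the text then uses the mixed-strategy solution)."""
    u_a, u_d = utility_matrices(g, lam, alpha, mu, beta)
    equilibria = pure_strategy_ne(u_a, u_d)
    return equilibria[0][1] if equilibria else None


def scrub_schedule(attack_flows, s_d, periods, seed):
    """DTS step: for each fixed period draw a fresh, uniformly random subset of
    s_d attack flows to install cleaning rules for, so the cleaned set changes
    from period to period.  A seeded generator keeps the example reproducible."""
    rng = random.Random(seed)
    flows = list(attack_flows)
    return [sorted(rng.sample(flows, s_d)) for _ in range(periods)]


if __name__ == "__main__":
    # Constructed parameters: 10 attack flows, lambda = 1, alpha = 3/10, mu = 1, beta = 4/10.
    g, lam, alpha, mu, beta = 10, 1, Fraction(3, 10), 1, Fraction(4, 10)
    u_a, u_d = utility_matrices(g, lam, alpha, mu, beta)
    print("pure-strategy NE (s_a, s_d):", pure_strategy_ne(u_a, u_d))   # [(4, 7)]
    s_d = defender_cleaning_count(g, lam, alpha, mu, beta)
    flows = [f"flow-{i}" for i in range(g)]   # constructed flow identifiers
    for period, subset in enumerate(scrub_schedule(flows, s_d, 3, seed=2024)):
        print(f"period {period}: install cleaning rules for {subset}")
```

With these parameters the attacker is indifferent exactly when $(g - s_d)/g = \alpha$, i.e. $s_d = 7$, and the defender exactly when $s_a/g = \beta$, i.e. $s_a = 4$, so $(4, 7)$ is the unique pure equilibrium; with $\alpha = 1/4$ the indifference point is not an integer, no pure equilibrium exists, and `defender_cleaning_count` returns None.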
Further, the data plane consists of the P4 switches and the traffic cleaning VNFs. The P4 switch forwards network traffic, detects and identifies attack flows according to the packet processing logic configured by the controller, and cleans the attack flows according to the cleaning rules. Attack flows that cannot be cleaned in match-action mode are sent by the P4 switch to the traffic cleaning server for processing. The traffic cleaning server forwards the traffic to the designated traffic cleaning VNF, which is implemented with DPDK to carry out customized attack flow cleaning tasks.
The P4 switch has very high packet processing speed and throughput, supports stateful packet processing and can clean traffic at high speed inside the network, but because its packet processing logic is limited it can only clean part of the attack traffic in match-action mode. The traffic cleaning engine is therefore built by combining the P4 switch with VNFs and is deployed in the network in a distributed and flexible way.
As shown in Fig. 3, each P4 switch in the DTS is connected to an independent traffic cleaning server, and the traffic cleaning server can dynamically deploy traffic cleaning VNFs to complete the cleaning of traffic in cooperation with the P4 switch. Both are centrally controlled by the SDN controller and together form a traffic cleaning engine. The SDN controller configures the traffic cleaning engine according to the network state and the defense strategy to clean the attack traffic.
LFA traffic cleaning rules fall into two categories depending on whether they can be translated into "match-action" mode. Cleaning logic that can be converted into "match-action" mode is equivalently converted, using the P4 data plane programming language, into packet processing logic supported by the switch and deployed on the data plane; cleaning logic that cannot be realized in "match-action" mode is implemented in software, deployed flexibly in the network as a VNF, and completes traffic cleaning together with the programmable switch. To reduce the load on the switches and traffic cleaning servers, the SDN controller deploys traffic cleaning rules and VNFs on several nodes in the network according to the free flow table space of the switches on the attack traffic path, achieving load balance among the switches.
Further, as shown in Fig. 4, the traffic cleaning server includes a traffic inlet, a traffic outlet, a traffic-VNF table and a plurality of traffic cleaning VNFs. The traffic inlet receives the traffic to be cleaned sent by the P4 programmable switch. The SDN controller manages the traffic-VNF table and the traffic cleaning VNFs through the VNF management southbound interface. The traffic-VNF table is responsible for traffic matching and delivery and delivers traffic to a particular traffic cleaning VNF by table lookup; each traffic cleaning VNF is responsible for cleaning a specific type of attack traffic and can be dynamically added and deleted by the SDN controller. The cleaned traffic is returned to the P4 programmable switch through the traffic outlet.
The invention also discloses a dynamic cleaning method for link flooding attack traffic, implemented on any of the dynamic cleaning systems for link flooding attack traffic described above, comprising the following steps:
the defender configures the programmable switch according to the attack traffic class;
the defender constructs the optimal cleaning strategy using the game equilibrium;
the defender installs traffic cleaning VNFs on the traffic cleaning server and dynamically deploys traffic cleaning rules in the network, combining the programmable switch and the VNFs to clean the attack traffic.
Further, the method also comprises the following step:
at every fixed period, a subset of the attack flow set is randomly selected for defense according to the optimal cleaning strategy.
Since the link flooding attack traffic dynamic cleaning method of this embodiment closely corresponds to the system, its description is kept brief; for the related details refer to the description of the link flooding attack traffic dynamic cleaning system in the embodiment above, which is not repeated here.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (6)

1.一种链路泛洪攻击流量动态清洗系统,其特征在于,包括控制平面和数据平面,所述控制平面和数据平面通过南向接口进行数据交互,所述南向接口包括p4runtime和虚拟化网络功能管理南向接口;1. A link flooding attack traffic dynamic cleaning system, characterized in that it includes a control plane and a data plane. The control plane and the data plane interact with each other through a southbound interface. The southbound interface includes p4runtime and virtualization. Network function management southbound interface; 所述控制平面包括SDN控制器;The control plane includes an SDN controller; 所述数据平面包括P4可编程交换机和流量清洗服务器,所述P4可编程交换机通过p4runtime与SDN控制器进行数据交互,所述流量清洗服务器通过VNF管理南向接口与SDN控制器进行数据交互;The data plane includes a P4 programmable switch and a traffic cleaning server. The P4 programmable switch interacts with the SDN controller through p4runtime. The traffic cleaning server interacts with the SDN controller through the VNF management southbound interface. 所述P4可编程交换机用于根据SDN控制器下发的防御策略和流清洗规则转发网络流量、检测和识别攻击流,并按照清洗规则清洗攻击流量;The P4 programmable switch is used to forward network traffic according to the defense strategy and flow cleaning rules issued by the SDN controller, detect and identify attack flows, and clean the attack traffic according to the cleaning rules; 所述流量清洗服务器接收P4可编程交换机发送的无法采用“匹配-动作”模式清洗的攻击流,并将攻击流发送给指定流量清洗VNF处理,所述流量清洗服务器包括流量入口、流量出口、流量-VNF表和多个流量清洗VNF;The traffic cleaning server receives the attack flow sent by the P4 programmable switch that cannot be cleaned using the "match-action" mode, and sends the attack flow to the designated traffic cleaning VNF for processing. The traffic cleaning server includes a traffic inlet, a traffic outlet, and a traffic flow. 
-VNF table and multiple traffic cleaning VNFs; the traffic inlet is used to receive the traffic to be cleaned that is sent by the P4 programmable switch; the traffic-VNF table is used to match and dispatch traffic, passing each flow to a specific traffic cleaning VNF by table lookup; each traffic cleaning VNF is used to clean a specific type of attack traffic; the traffic outlet is used to return the cleaned traffic to the P4 programmable switch; the SDN controller manages the traffic-VNF table and the traffic cleaning VNFs through the VNF management southbound interface and dynamically adds or deletes traffic cleaning VNFs.

2. The link flooding attack traffic dynamic cleaning system according to claim 1, characterized in that the control plane further comprises an attack perception module, a policy generation module, a switch management module, a flow table management module and a VNF management module; the attack perception module is used to sense the state of all links in the network and discover the attacked network links; the policy generation module is used to construct a state from the attack and defense status, analyze the LFA attack-defense game based on game theory, and compute the optimal cleaning strategy; the switch management module is used to manage the packet processing logic of the P4 programmable switches; the flow table management module is used to configure the P4 programmable switches according to the defense strategy and install flow cleaning rules on them; the VNF management module is used to install or delete traffic cleaning VNFs on the data plane according to the type of attack traffic.

3. The link flooding attack traffic dynamic cleaning system according to claim 2, characterized in that the policy generation module analyzing the LFA attack-defense game based on game theory according to the attack and defense status and computing the optimal cleaning strategy comprises:

constructing a traffic cleaning game TSG from the attack strategy and the defense strategy obtained by the attack perception module, where TSG is a four-tuple TSG = {N, S, D, U} in which

(1) N = {A, D} is the set of players, A being the attacker and D the defender;

(2) $S_a$ is the attacker's strategy space; for $s_a \in S_a$, $0 \le s_a \le g$, and $s_a$ denotes the number of attack flows the attacker chooses;

(3) $S_d$ is the defender's strategy space; for $s_d \in S_d$, $0 \le s_d \le g$, and $s_d$ denotes the number of attack flows the defender chooses to clean;

(4) $U = \{U_a, U_d\}$ is the set of the players' utility matrices, $U_a$ and $U_d$ being the utility matrices of the attacker and the defender respectively; their entries give the utility of the attacker and of the defender when the attacker selects a strategy $s_a$ and the defender selects a strategy $s_d$;

constructing the attacker's utility function as

$u_a(s_a, s_d) = E_a(s_a, s_d) - AC(s_a) = \lambda \cdot s_a \cdot (g - s_d)/g - \alpha s_a$

where $E_a(s_a, s_d)$ is the attack gain, $AC(s_a)$ is the attack cost, $\lambda$ is the weight of the gain an uncleaned attack flow yields to the attacker, $g$ is the size of the attack flow set, and $\alpha$ is the cost weight of an attack flow;

constructing the defender's utility function as

$u_d(s_a, s_d) = E_d(s_a, s_d) - DC(s_d) = \mu \cdot s_a \cdot (s_d/g) - \beta s_d$

where $E_d(s_a, s_d)$ is the defense gain, $DC(s_d)$ is the defense cost, $\mu$ is the weight of the gain a cleaned flow yields to the defender, and $\beta$ is the cost weight of cleaning an attack flow;

and, from the attacker's utility matrix and the defender's utility matrix, solving the pure-strategy Nash equilibrium and the mixed-strategy Nash equilibrium of the TSG to obtain the defender's optimal cleaning strategy.

4. The link flooding attack traffic dynamic cleaning system according to claim 1, characterized in that each P4 programmable switch, as a network node, is connected to an independent traffic cleaning server.

5. A link flooding attack traffic dynamic cleaning method, implemented on the link flooding attack traffic dynamic cleaning system of any one of claims 1 to 4, characterized in that it comprises the following steps:

the defender configures the programmable switches according to the category of attack traffic;

the defender constructs its optimal cleaning strategy using the game equilibrium;

the defender installs traffic cleaning VNFs on the traffic cleaning server, dynamically deploys traffic cleaning rules in the network, and cleans the attack traffic with the programmable switches and VNFs together.

6. The link flooding attack traffic dynamic cleaning method according to claim 5, characterized in that it further comprises the following step:

at every fixed period, randomly selecting a subset of the attack flow set for defense according to the optimal cleaning strategy.
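As an added example (not code from the patent), the following Python builds the TSG utility matrices of claim 3 for constructed parameters, enumerates pure-strategy Nash equilibria by best-reply checking, and verifies whether a mixed profile is an equilibrium; the mixed profile supported on {0, g} is my own derivation, and the parameter values are constructed.

```python
from fractions import Fraction as F

def utility_matrices(g, lam, alpha, mu, beta):
    """U_a[s_a][s_d] and U_d[s_a][s_d] for s_a, s_d in 0..g, from the utility
    functions of claim 3; exact Fraction arithmetic (params may be "3/10")."""
    lam, alpha, mu, beta = (F(v) for v in (lam, alpha, mu, beta))
    U_a = [[lam * sa * (g - sd) / g - alpha * sa for sd in range(g + 1)]
           for sa in range(g + 1)]
    U_d = [[mu * sa * sd / g - beta * sd for sd in range(g + 1)]
           for sa in range(g + 1)]
    return U_a, U_d

def pure_nash(U_a, U_d):
    """All pure profiles (s_a, s_d) in which each player's choice is a best
    reply to the other's, i.e. no unilateral deviation pays."""
    n = len(U_a)
    return [(sa, sd) for sa in range(n) for sd in range(n)
            if U_a[sa][sd] == max(U_a[k][sd] for k in range(n))
            and U_d[sa][sd] == max(U_d[sa][k] for k in range(n))]

def is_nash(U_a, U_d, x, y):
    """Check a (possibly mixed) profile; x, y are probability vectors over
    0..g for attacker and defender.  True if no pure deviation pays more."""
    n = len(U_a)
    ea = sum(x[i] * y[j] * U_a[i][j] for i in range(n) for j in range(n))
    ed = sum(x[i] * y[j] * U_d[i][j] for i in range(n) for j in range(n))
    best_a = max(sum(y[j] * U_a[i][j] for j in range(n)) for i in range(n))
    best_d = max(sum(x[i] * U_d[i][j] for i in range(n)) for j in range(n))
    return ea >= best_a and ed >= best_d

def extremes_mixed_profile(g, lam, alpha, mu, beta):
    """Candidate mixed equilibrium on support {0, g} (my derivation, not the
    patent's): defender cleans all g flows with prob. (lam-alpha)/lam, making
    the attacker indifferent; attacker sends all g flows with prob. beta/mu,
    making the defender indifferent.  Assumes lam > alpha and mu > beta."""
    lam, alpha, mu, beta = (F(v) for v in (lam, alpha, mu, beta))
    p, q = beta / mu, (lam - alpha) / lam
    x = [1 - p] + [F(0)] * (g - 1) + [p]  # Pr[s_a = 0], ..., Pr[s_a = g]
    y = [1 - q] + [F(0)] * (g - 1) + [q]  # Pr[s_d = 0], ..., Pr[s_d = g]
    return x, y

if __name__ == "__main__":
    # Constructed parameters: g = 4 attack flows, unit gain weights, costs 0.3 / 0.4.
    params = (4, 1, "3/10", 1, "2/5")
    U_a, U_d = utility_matrices(*params)
    print("pure Nash equilibria:", pure_nash(U_a, U_d))     # [] -> none exists
    x, y = extremes_mixed_profile(*params)
    print("mixed profile is Nash:", is_nash(U_a, U_d, x, y))  # True
```

With these parameters no pure equilibrium exists, so the defender's optimal cleaning strategy is a mixed one, which is what the periodic random subset selection of claim 6 realizes.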
CN202211236647.5A 2022-10-10 2022-10-10 Dynamic cleaning system and method for link flooding attack flow Active CN115834459B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211236647.5A CN115834459B (en) 2022-10-10 2022-10-10 Dynamic cleaning system and method for link flooding attack flow

Publications (2)

Publication Number Publication Date
CN115834459A CN115834459A (en) 2023-03-21
CN115834459B true CN115834459B (en) 2024-03-26

Family

ID=85524525

Country Status (1)

Country Link
CN (1) CN115834459B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109491668A (en) * 2018-10-11 2019-03-19 Zhejiang Gongshang University Mimicry defense framework and method for SDN/NFV service deployment
CN111447182A (en) * 2020-03-05 2020-07-24 Tsinghua University Defense method against link flooding attacks and simulation method for link flooding attacks
WO2020199780A1 (en) * 2019-04-04 2020-10-08 ZTE Corporation Traffic collection method and device, network apparatus and storage medium
CN113411351A (en) * 2021-06-07 2021-09-17 Air Force Engineering University of the Chinese People's Liberation Army DDoS attack elastic defense method based on NFV and deep learning
CN114422235A (en) * 2022-01-18 2022-04-29 Fuzhou University P4-based industrial internet hidden attack defense method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10834004B2 (en) * 2018-09-24 2020-11-10 Netsia, Inc. Path determination method and system for delay-optimized service function chaining
US12034770B2 (en) * 2018-11-26 2024-07-09 The University Of Akron 3S-chain: smart, secure, and software-defined networking (SDN)-powered blockchain-powered networking and monitoring system

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
A brief analysis of SDN-based DDoS defense systems; 马铮, 张小梅, 夏俊杰, 王光全; 邮电设计技术 (Designing Techniques of Posts and Telecommunications); 2016-01-20 (01) *
A survey of resource-consumption attacks and defenses in software-defined networking; 徐建峰, 王利明, 徐震; 信息安全学报 (Journal of Cyber Security); 2020-07-15 (04) *

Also Published As

Publication number Publication date
CN115834459A (en) 2023-03-21

Similar Documents

Publication Publication Date Title
Cao et al. The {CrossPath} attack: Disrupting the {SDN} control channel via shared links
CN110113435B (en) Method and equipment for cleaning flow
Singh et al. GOAL: a load-balanced adaptive routing algorithm for torus networks
Hales et al. Slacer: A self-organizing protocol for coordination in peer-to-peer networks
CN109491668B (en) Mimicry defense framework and method for SDN/NFV service deployment
WO2021248740A1 (en) Mimic router execution entity scheduling method, and mimic router
Sancho et al. Improving the up*/down* routing scheme for networks of workstations
CN113992539B (en) Network security dynamic route hopping method and system
Skeie et al. LASH-TOR: A generic transition-oriented routing algorithm
Rauf et al. Formal approach for resilient reachability based on end-system route agility
Zahavi et al. Distributed adaptive routing for big-data applications running on data center networks
Misra et al. Distributed information-based cooperative strategy adaptationin opportunistic mobile networks
Foerster et al. Grafting arborescences for extra resilience of fast rerouting schemes
Eliyan et al. Demi: a solution to detect and mitigate DoS attacks in SDN
Wu et al. Traffic-driven epidemic spreading in networks: considering the transition of infection from being mild to severe
CN115834459B (en) Dynamic cleaning system and method for link flooding attack flow
Bahnasy et al. DeepBGP: A machine learning approach for BGP configuration synthesis
Yébenes et al. Improving non-minimal and adaptive routing algorithms in slim fly networks
CN111786967B (en) Defense method, system, node and storage medium for DDoS attack
Wu et al. Dynamic behavior analysis of an internet flow interaction model under cascading failures
Zhao et al. Deploying default paths by joint optimization of flow table and group table in SDNs
Novak et al. Steiner tree based distributed multicast routing in networks
Walters et al. A framework for mitigating attacks against measurement-based adaptation mechanisms in unstructured multicast overlay networks
CN114745322A (en) Video Stream Routing Method Based on Genetic Algorithm in SDN Environment
Chen et al. Server selection with delay constraints for online games

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant