CN115834459B - Dynamic cleaning system and method for link flooding attack flow - Google Patents
- Publication number: CN115834459B (application number CN202211236647.5A)
- Authority: CN (China)
- Prior art keywords: attack, flow, cleaning, traffic, VNF
- Legal status: Active
Abstract
The invention provides a dynamic cleaning system and method for link flooding attack traffic. The system comprises a control plane and a data plane that exchange data through a southbound interface consisting of P4Runtime and a VNF management southbound interface. The control plane comprises an SDN controller; the data plane comprises a P4 programmable switch and a traffic cleaning server. The P4 programmable switch forwards network traffic, detects and identifies attack flows according to the defense strategy and traffic cleaning rules issued by the SDN controller, and cleans the attack flows according to those rules. The traffic cleaning server receives the attack flows that the P4 programmable switch cannot clean in match-action mode and sends them to the designated traffic cleaning VNF for processing. The invention dynamically cleans LFA traffic using the P4 switch and traffic cleaning VNFs.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a dynamic cleaning system and method for link flooding attack flow.
Background
Link flooding attacks (LFA), such as Coremelt and Crossfire, are a typical class of network attack that cuts a target network off from the Internet by flooding critical network links, causing large-area network paralysis and extremely severe damage to cyberspace. From 2013 to 2022 the Internet suffered many large-scale LFAs, which caused numerous Internet service interruptions and incalculable losses.
The main current defenses against LFA fall into three types: attack traffic detection, rerouting, and traffic cleaning. Traffic cleaning discards the attack traffic directly at the edge of or inside the network and can effectively reduce its impact. However, conventional traffic cleaning relies on prior knowledge of the attack, is seriously lagging and static, is easily identified and bypassed by an attacker, and struggles to cope with organized, high-intensity, dynamic LFAs.
Disclosure of Invention
The invention provides a dynamic traffic cleaning system and method for link flooding attacks. It introduces the idea of moving target defense (MTD) into traffic cleaning: by periodically and dynamically deploying cleaning rules it prevents the attacker from launching an effective attack, and by analyzing the LFA attack and defense game with game theory it obtains an optimal defense strategy, so that dynamic LFAs are resisted effectively at low added cost.
The invention adopts the following technical means:
the invention provides a dynamic cleaning system for link flooding attack traffic, which comprises a control plane and a data plane, wherein the control plane and the data plane exchange data through a southbound interface, and the southbound interface comprises P4Runtime and a virtualized network function (VNF) management southbound interface;
the control plane comprises an SDN controller;
the data plane comprises a P4 programmable switch and a traffic cleaning server, wherein the P4 programmable switch exchanges data with the SDN controller through P4Runtime, and the traffic cleaning server exchanges data with the SDN controller through the VNF management southbound interface;
the P4 programmable switch is used for forwarding network traffic, detecting and identifying attack flow according to a defense strategy and a flow cleaning rule issued by the SDN controller, and cleaning the attack flow according to the cleaning rule;
and the traffic cleaning server receives the attack flows which are sent by the P4 programmable switch and cannot be cleaned in match-action mode, and sends them to the designated traffic cleaning VNF for processing.
Further, the traffic cleaning server includes a traffic inlet, a traffic outlet, a flow-VNF table, and a plurality of traffic cleaning VNFs;
the flow inlet is used for receiving flow to be cleaned sent by the P4 programmable switch;
the flow-VNF table is used for realizing flow matching and transmission, and transmitting the flow to a specific flow cleaning VNF through a table lookup;
the traffic cleaning VNF is used for cleaning specific types of attack traffic;
the flow outlet is used for returning the cleaned flow to the P4 programmable switch;
the SDN controller manages a flow-VNF table and a flow cleaning VNF through a VNF management southbound interface, and dynamically adds and deletes the flow cleaning VNF.
Further, the control plane further includes: the system comprises an attack sensing module, a strategy generating module, a switch management module, a flow table management module and a VNF management module;
the attack sensing module is used for sensing the state of the whole network link and finding out the attacked network link;
the strategy generation module is used for constructing the game state from the attack and defense states, analyzing the LFA attack and defense game based on game theory, and calculating an optimal cleaning strategy;
the switch management module is used for managing the packet processing logic of the P4 programmable switch;
the flow table management module is used for setting a P4 programmable switch according to a defense strategy and installing flow cleaning rules for the P4 programmable switch;
the VNF management module is configured to install/delete a traffic cleaning VNF on a data plane according to an attack traffic type.
Further, the policy generation module is configured to analyze LFA attack and defense games based on game theory according to the attack and defense state, and calculate an optimal cleaning policy, including:
constructing a traffic cleaning game TSG from the attack strategy and the defense strategy acquired by the attack sensing module, wherein the TSG is the four-tuple $TSG = \{N, S_a, S_d, U\}$, in which:
(5) $N = \{A, D\}$ is the set of game participants, where $A$ is the attacker and $D$ is the defender;
(6) $S_a$ is the attacker strategy space; for $s_a \in S_a$, $0 \le s_a \le g$, where $s_a$ is the number of attack flows selected by the attacker;
(7) $S_d$ is the defender strategy space; for $s_d \in S_d$, $0 \le s_d \le g$, where $s_d$ is the number of attack flows the defender can select for cleaning;
(8) $U = \{U_a, U_d\}$ is the set of the participants' utility matrices, where $U_a$ and $U_d$ are the utility matrices of the attacker and the defender respectively,
whose entries are the utilities of the attacker and the defender when the attacker selects strategy $s_a$ and the defender selects strategy $s_d$;
the attacker utility function is constructed as follows:
$u_a(s_a, s_d) = E_a(s_a, s_d) - AC(s_a) = \lambda \cdot s_a \cdot (g - s_d)/g - \alpha \cdot s_a$
wherein $E_a(s_a, s_d)$ is the attack benefit, $AC(s_a)$ is the attack cost, $\lambda$ is the weight with which an uncleaned attack flow generates benefit for the attacker, $g$ is the size of the attack flow set, and $\alpha$ is the cost weight per attack flow;
the defender utility function is constructed as follows:
$u_d(s_a, s_d) = E_d(s_a, s_d) - DC(s_d) = \mu \cdot s_a \cdot (s_d/g) - \beta \cdot s_d$
wherein $E_d(s_a, s_d)$ is the defense benefit, $DC(s_d)$ is the defense cost, $\mu$ is the weight with which a cleaned flow generates benefit for the defender, and $\beta$ is the cost weight per cleaned attack flow;
using the attacker utility matrix and the defender utility matrix, the pure-strategy Nash equilibrium and the mixed-strategy Nash equilibrium of the TSG are solved, and the defender's optimal cleaning strategy is obtained.
Further, any of the P4 programmable switches is connected as a network node to an independent traffic washing server.
The invention also provides a dynamic cleaning method for the link flooding attack flow, which is realized based on the dynamic cleaning system for the link flooding attack flow and comprises the following steps:
the defender configures the programmable switch according to the attack traffic class;
the defender utilizes game balance to construct the optimal cleaning strategy;
the defender installs traffic cleaning VNFs on the traffic cleaning server and dynamically deploys traffic cleaning rules in the network, combining the programmable switch and the VNFs to clean the attack traffic.
Further, the method also comprises the following steps:
and randomly selecting a subset from the attack flow set to defend according to the optimal cleaning strategy every other fixed period.
Compared with the prior art, the invention has the following advantages:
the MTD concept is introduced into flow cleaning, and attack flow is dynamically cleaned in a data plane programmable network environment, so that an attacker is difficult to form effective attack. Specifically:
firstly, an LFA traffic cleaning architecture based on P4 language and virtualized network functions (Virtualized Network Function, VNF) is constructed, and a programmable data plane is utilized to clean various LFA attack traffic locally on a network.
Secondly, a dynamic traffic cleaning (Dynamic Traffic Scrubbing, DTS) method based on the MTD is provided, a subset is randomly selected from an attack flow set for defense according to a defense strategy every other fixed period, and dynamic selection of traffic deployment cleaning rules is realized, so that an attacker cannot launch targeted attack.
Finally, a dynamic cleaning method for LFA attack traffic is provided: by dynamically deploying traffic cleaning rules in the network, the attacker cannot launch an effective LFA.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
Fig. 1 is the DTS framework in an embodiment of the invention.
Fig. 2 is a DTS system architecture according to an embodiment of the present invention.
FIG. 3 is a flow cleaning engine architecture according to an embodiment of the present invention.
FIG. 4 is a flow cleaning server architecture according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
Defending against a high-intensity LFA requires deploying a large number of cleaning rules; however, limited by the flow table space of the switches, the defender can only clean part of the attack traffic. An attacker can therefore avoid being cleaned and prolong the attack by adjusting the attack flows. Conversely, if the defender constantly and randomly changes which flows are cleaned, the attacker is prevented from adjusting the attack flows in a targeted manner even under the limited flow table space, so the attack effect cannot be achieved.
The DTS framework proposed in the present application is shown in Fig. 1, where each node of the network is a programmable switch connected to an independent traffic cleaning server. The attacker uses its botnet to send a large amount of attack traffic to the target link in order to congest it. The defender configures the programmable switches according to the attack traffic category, installs traffic cleaning VNFs on the traffic cleaning servers, dynamically deploys traffic cleaning rules in the network, and cleans the attack traffic by combining the programmable switches and the VNFs. The attacker periodically adjusts the attack traffic to avoid being cleaned. Assuming that both sides know each other's information and act without a fixed order, the LFA attack and defense form a complete-information static game, and the defender can construct an optimal cleaning strategy from the game equilibrium.
In order to achieve the above functions, the invention provides a dynamic cleaning system for link flooding attack traffic, which comprises a control plane and a data plane, wherein the control plane and the data plane perform data interaction through a southbound interface, and the southbound interface comprises a p4runtime and a VNF management southbound interface.
Specifically, the present application designs a P4-based dynamic cleaning system for LFA traffic, DTS, whose architecture is shown in Fig. 2. The DTS architecture is divided into a control plane, a data plane and a southbound interface, where the southbound interface consists of P4Runtime and the VNF management southbound interface. The control plane consists of an SDN controller and five core modules: the attack sensing module senses the state of all network links and discovers the attacked links; the strategy generation module analyzes the LFA attack and defense game based on game theory according to the attack and defense states and calculates an optimal cleaning strategy; the switch management module manages the packet processing logic of the P4 switches; the flow table management module configures the P4 switches according to the defense strategy and installs traffic cleaning rules on them; the VNF management module installs or deletes traffic cleaning VNFs in the data plane according to the attack traffic type.
Specifically, in the LFA attack and defense game the attacker launches and continuously adjusts attack flows to form an attack, while the defender selects part of the attack flows to clean so that the attacker cannot achieve the attack effect. The benefit of each side depends on the other side's strategy, and each side takes the actions that maximize its own benefit. Assuming that both sides know each other's information and act without a fixed order, the process can be modeled as a complete-information static game. According to game theory, Nash equilibrium is the equilibrium solution of such a game: neither side can obtain a higher benefit by unilaterally deviating from it. The Nash equilibrium solution is therefore the optimal cleaning strategy for the defender. From this analysis, a Traffic Scrubbing Game (TSG) can be constructed. Specifically:
Definition 1. The TSG is the four-tuple $TSG = \{N, S_a, S_d, U\}$, where
(1) $N = \{A, D\}$ is the set of attack and defense game participants, where $A$ is the attacker and $D$ is the defender;
(2) $S_a$ is the attacker strategy space; for $s_a \in S_a$, $0 \le s_a \le g$, where $s_a$ is the number of attack flows selected by the attacker;
(3) $S_d$ is the defender strategy space; for $s_d \in S_d$, $0 \le s_d \le g$, where $s_d$ is the number of attack flows the defender can select to clean;
(4) $U = \{U_a, U_d\}$ is the set of the participants' utility matrices; the attacker utility matrix $U_a$ and the defender utility matrix $U_d$ can be expressed as formula (2) and formula (3), respectively,
whose entries are the utilities of the attacker and the defender when the attacker selects strategy $s_a$ and the defender selects strategy $s_d$.
In the TSG, attack utility = attack benefit - attack cost, and defense utility = defense benefit - defense cost. To obtain the attack and defense utility matrices, the attack benefit, attack cost, defense benefit and defense cost are defined as follows.
Definition 2. The attack benefit $E_a(s_a, s_d)$ is the expected benefit generated by the attack flows not cleaned by the defender when the attacker selects $s_a$ attack flows to launch the attack and the defender selects $s_d$ attack flows to clean. Let the attack benefit be linear in the number of attack flows not cleaned by the defender, and let the expected number of uncleaned successful flows be $h_k$; then $E_a(s_a, s_d) = \lambda h_k$, $0 \le s_a \le g$, $0 \le s_d \le g$.
Definition 3. The attack cost $AC(s_a)$ is the cost incurred when the attacker selects $s_a$ attack flows to launch the attack. If the attack cost is linear in the number of attack flows selected by the attacker, then
$AC(s_a) = \alpha s_a$, $0 \le s_a \le g$.
Definition 4. The defense benefit $E_d(s_a, s_d)$ is the expected benefit generated by the attack flows the defender successfully cleans when the attacker selects $s_a$ attack flows to launch the attack and the defender selects $s_d$ attack flows to clean. The defense benefit is linear in the expected number of cleaned flows; let that number be $h_d$; then $E_d(s_a, s_d) = \mu h_d$, $0 \le s_a \le g$, $0 \le s_d \le g$.
Definition 5. The defense cost $DC(s_d)$ is the cost incurred when the defender selects $s_d$ attack flows to clean. If the defense cost is linear in the number of attack flows the defender selects to clean, then $DC(s_d) = \beta s_d$, $0 \le s_d \le g$.
Based on the above definition, the following theorem can be inferred.
Theorem 1. Assume that the attacker randomly selects $s_a$ of the $g$ attack flows to launch the attack and the defender randomly selects $s_d$ flows to clean; then, over all attack and defense states, the total number of flows selected by the attacker
Theorem 2. Assume that the attacker randomly selects $s_a$ of the $g$ attack flows to launch the attack and the defender randomly selects $s_d$ flows to clean; then, over all attack and defense states, the total number of attack flows the defender successfully defends against
In the TSG, if the attacker randomly selects $s_a$ attack flows to launch the attack, each attack state occurs with the probability determined by that random selection; likewise, if the defender randomly selects $s_d$ flows to clean, each defense state occurs with the probability determined by that random selection.
Theorem 3. Assume that the attacker randomly selects $s_a$ of the $g$ attack flows to launch the attack and the defender randomly selects $s_d$ attack flows to clean; then the attacker's expected benefit is $E_a(s_a, s_d) = \lambda \cdot s_a \cdot (g - s_d)/g$.
Theorem 4. Assume that the attacker randomly selects $s_a$ of the $g$ attack flows to launch the attack and the defender randomly selects $s_d$ attack flows to clean; then the defender's expected benefit is $E_d(s_a, s_d) = \mu \cdot s_a \cdot (s_d/g)$.
In summary, the attacker utility function is
$u_a(s_a, s_d) = E_a(s_a, s_d) - AC(s_a) = \lambda \cdot s_a \cdot (g - s_d)/g - \alpha \cdot s_a$
and the defender utility function is
$u_d(s_a, s_d) = E_d(s_a, s_d) - DC(s_d) = \mu \cdot s_a \cdot (s_d/g) - \beta \cdot s_d$
From $u_a$ and $u_d$ the utility matrices of both sides are obtained, and the Nash equilibrium solution of the TSG is solved using these matrices. The invention designs the algorithms psNE and msNE to solve the pure-strategy Nash equilibrium and the mixed-strategy Nash equilibrium respectively, as shown in Algorithm 1 and Algorithm 2. Algorithm 1 first initializes the attack strategy set and the defense strategy set (lines 1-2); it then initializes the utility functions of both sides from the game parameters (lines 3-4) and generates the utility matrices of both sides from them; finally, it solves for a pure-strategy Nash equilibrium using the maxima of the two utility matrices (lines 5-8), returning the equilibrium if one exists and null otherwise (lines 9-12). Algorithm 2 solves the mixed strategy of the game using linear programming.
tsgNE gives the Nash equilibrium solution of the game from the pure-strategy and mixed-strategy Nash equilibria of the TSG, as shown in Algorithm 3: if a pure-strategy Nash equilibrium exists it is returned; otherwise the mixed-strategy Nash equilibrium is returned.
Algorithm 1: pure-strategy Nash equilibrium solving algorithm (psNE) for the TSG game
Algorithm 2: mixed-strategy Nash equilibrium solving algorithm (msNE) for the TSG game
Algorithm 3: Nash equilibrium algorithm (tsgNE) for the TSG game
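The following Python is an added example and is not code from the patent. It builds the attacker and defender utility matrices from the utility functions defined above (the same formulas as in the Disclosure section) and implements the pure-strategy search of Algorithm 1 and the dispatch of Algorithm 3. The mixed-strategy linear program of Algorithm 2 is not implemented; the dispatcher signals that a mixed strategy is required instead. All parameter values are constructed for illustration; the function and parameter names are this example's own.

```python
"""Traffic Scrubbing Game (TSG): utility matrices and pure-strategy Nash equilibrium.

Added example; not the patent's implementation. Strategy spaces are S_a = S_d = {0, ..., g}.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TSGParams:
    g: int        # size of the attack flow set
    lam: float    # lambda: benefit weight of one uncleaned attack flow for the attacker
    alpha: float  # alpha: attacker's cost weight per attack flow
    mu: float     # mu: defender's benefit weight per cleaned flow
    beta: float   # beta: defender's cost weight per cleaned flow


def attacker_utility(p: TSGParams, s_a: int, s_d: int) -> float:
    # u_a(s_a, s_d) = E_a - AC = lambda * s_a * (g - s_d) / g - alpha * s_a
    return p.lam * s_a * (p.g - s_d) / p.g - p.alpha * s_a


def defender_utility(p: TSGParams, s_a: int, s_d: int) -> float:
    # u_d(s_a, s_d) = E_d - DC = mu * s_a * (s_d / g) - beta * s_d
    return p.mu * s_a * (s_d / p.g) - p.beta * s_d


def utility_matrices(p: TSGParams):
    """Rows are attacker strategies s_a, columns are defender strategies s_d."""
    strategies = range(p.g + 1)
    u_a = [[attacker_utility(p, sa, sd) for sd in strategies] for sa in strategies]
    u_d = [[defender_utility(p, sa, sd) for sd in strategies] for sa in strategies]
    return u_a, u_d


def pure_strategy_ne(u_a, u_d, eps: float = 1e-12):
    """psNE: every profile (s_a, s_d) in which each side plays a best response to the other."""
    rows, cols = len(u_a), len(u_a[0])
    equilibria = []
    for sa in range(rows):
        for sd in range(cols):
            best_for_attacker = max(u_a[i][sd] for i in range(rows))   # column maximum
            best_for_defender = max(u_d[sa][j] for j in range(cols))   # row maximum
            if u_a[sa][sd] >= best_for_attacker - eps and u_d[sa][sd] >= best_for_defender - eps:
                equilibria.append((sa, sd))
    return equilibria


def tsg_ne(p: TSGParams):
    """tsgNE dispatch: return the pure-strategy equilibria if any exist, else signal 'mixed'.

    The mixed-strategy linear program (Algorithm 2) is not implemented in this example.
    """
    u_a, u_d = utility_matrices(p)
    pure = pure_strategy_ne(u_a, u_d)
    if pure:
        return ("pure", pure)
    return ("mixed", None)


if __name__ == "__main__":
    # Constructed parameters: attacking and cleaning are both worthwhile (alpha < lambda, beta < mu).
    contested = TSGParams(g=4, lam=1.0, alpha=0.2, mu=1.0, beta=0.3)
    print(tsg_ne(contested))        # ('mixed', None): no pure equilibrium, randomize
    # Constructed parameters: cleaning costs more than it yields (beta > mu).
    cleaning_too_costly = TSGParams(g=4, lam=1.0, alpha=0.2, mu=1.0, beta=1.5)
    print(tsg_ne(cleaning_too_costly))   # ('pure', [(4, 0)])
```

Because both utility functions are linear in the player's own strategy, each side's best response is either 0 or g, so a pure-strategy equilibrium exists only when one side has no incentive to act at all; in the contested case the dispatcher falls through to the mixed strategy, which is exactly the situation in which the periodic random re-selection of cleaned flows applies.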
Further, the data plane consists of P4 switches and traffic cleaning VNFs. The P4 switch forwards network traffic, detects and identifies attack flows according to the packet processing logic configured by the controller, and cleans the attack flows according to the cleaning rules. Attack flows that cannot be cleaned in match-action mode are sent by the P4 switch to the traffic cleaning server for processing. The traffic cleaning server forwards the traffic to the designated traffic cleaning VNF, and each VNF is implemented with DPDK to perform its specific attack flow cleaning task.
The P4 switch has very high packet processing speed and throughput, supports stateful packet processing, and can clean traffic at line rate inside the network, but because its packet processing logic is limited it can only clean part of the attack traffic in match-action mode. The traffic cleaning engine is therefore built by combining the P4 switch with VNFs and is deployed in the network in a distributed and flexible manner.
As shown in Fig. 3, each P4 switch in the DTS is connected to an independent traffic cleaning server, which can dynamically deploy traffic cleaning VNFs to complete the cleaning of traffic in cooperation with the P4 switch. Both are centrally controlled by the SDN controller and together form a traffic cleaning engine. The SDN controller configures the traffic cleaning engine according to the network state and the defense strategy to clean the attack traffic.
LFA traffic cleaning rules fall into two categories depending on whether they can be converted to match-action form. Cleaning logic that can be converted to match-action form is translated, using the P4 data plane programming language, into equivalent packet processing logic supported by the switch and deployed on the data plane; cleaning logic that cannot be expressed in match-action form is implemented in software and deployed flexibly in the network as a VNF, which completes the traffic cleaning together with the programmable switch. To reduce the load on the switches and the traffic cleaning servers, the SDN controller deploys traffic cleaning rules and VNFs on several nodes of the network according to the free flow table space of the switches on the attack traffic path, achieving load balance among the switches.
Further, as shown in Fig. 4, the traffic cleaning server includes a traffic inlet, a traffic outlet, a flow-VNF table, and a plurality of traffic cleaning VNFs. The traffic inlet receives the traffic to be cleaned sent by the P4 programmable switch. The SDN controller manages the flow-VNF table and the traffic cleaning VNFs through the VNF management southbound interface. The flow-VNF table is responsible for flow matching and delivery: it delivers traffic to a particular traffic cleaning VNF by table lookup. Each traffic cleaning VNF is responsible for cleaning a specific type of attack traffic and can be dynamically added and deleted by the SDN controller. The cleaned traffic is returned to the P4 programmable switch through the traffic outlet.
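As an added example covering the two preceding paragraphs (the rule placement by free flow table space, and the inlet, flow-VNF table, VNF and outlet path of Fig. 4), the Python below models the traffic cleaning server and a greedy placement of cleaning rules along an attack path. This is not code from the patent: the server class, the rule records, the packet records and the switch names are all constructed for illustration, and the VNFs are plain Python predicates standing in for the DPDK-based VNFs the text describes.

```python
"""Traffic cleaning server (flow-VNF table) and rule placement by free flow-table space.

Added example; not the patent's implementation. All names and sample data are constructed.
"""


def packet(src: str, traffic_type: str, size: int) -> dict:
    """Constructed minimal packet record; 'type' is the key the flow-VNF table matches on."""
    return {"src": src, "type": traffic_type, "size": size}


class TrafficCleaningServer:
    """Models the inlet -> flow-VNF table lookup -> VNF -> outlet path of Fig. 4."""

    def __init__(self):
        self.flow_vnf_table = {}   # attack traffic type -> VNF name
        self.vnfs = {}             # VNF name -> predicate; True keeps the packet, False drops it

    # The SDN controller drives the three methods below over the VNF management southbound interface.
    def install_vnf(self, name: str, keep_predicate) -> None:
        self.vnfs[name] = keep_predicate

    def delete_vnf(self, name: str) -> None:
        self.vnfs.pop(name, None)
        # Drop every table entry that pointed at the removed VNF so lookups never dangle.
        self.flow_vnf_table = {t: v for t, v in self.flow_vnf_table.items() if v != name}

    def bind(self, traffic_type: str, vnf_name: str) -> None:
        if vnf_name not in self.vnfs:
            raise KeyError(f"VNF {vnf_name!r} is not installed")
        self.flow_vnf_table[traffic_type] = vnf_name

    def process(self, packets):
        """Inlet: look each packet up in the flow-VNF table; outlet: packets returned to the switch."""
        returned = []
        for pkt in packets:
            vnf_name = self.flow_vnf_table.get(pkt["type"])
            # No VNF bound for this type: hand the packet back unchanged.
            if vnf_name is None or self.vnfs[vnf_name](pkt):
                returned.append(pkt)
        return returned


def place_rules(rules, path_switches, free_slots):
    """Greedy placement along the attack path.

    Match-action rules go to the path switch with the most free flow-table entries;
    rules that need software go to the least-loaded switch's cleaning server as VNF work.
    Returns {switch: {"match_action": [...], "vnf": [...]}}.
    """
    remaining = dict(free_slots)
    vnf_load = {sw: 0 for sw in path_switches}
    plan = {sw: {"match_action": [], "vnf": []} for sw in path_switches}
    for rule in rules:
        if rule["match_action"]:
            candidates = [sw for sw in path_switches if remaining[sw] > 0]
            if not candidates:
                raise RuntimeError("no free flow-table space on the attack path")
            sw = max(candidates, key=lambda s: remaining[s])   # first switch with the most room
            remaining[sw] -= 1
            plan[sw]["match_action"].append(rule["name"])
        else:
            sw = min(path_switches, key=lambda s: vnf_load[s])  # first least-loaded server
            vnf_load[sw] += 1
            plan[sw]["vnf"].append(rule["name"])
    return plan


def demo():
    """Constructed scenario: one VNF bound to one traffic type, four match-action and two VNF rules."""
    server = TrafficCleaningServer()
    server.install_vnf("udp_flood_vnf", lambda p: p["size"] < 1000)   # hypothetical size-based cleaner
    server.bind("udp_flood", "udp_flood_vnf")
    inbound = [packet("10.0.0.1", "udp_flood", 1500),
               packet("10.0.0.2", "udp_flood", 200),
               packet("10.0.0.3", "other", 1500)]
    kept = server.process(inbound)
    rules = [{"name": f"r{i}", "match_action": i <= 4} for i in range(1, 7)]
    plan = place_rules(rules, ["s1", "s2", "s3"], {"s1": 1, "s2": 3, "s3": 2})
    return kept, plan


if __name__ == "__main__":
    kept, plan = demo()
    print([p["src"] for p in kept])
    print(plan)
```

The placement keeps the per-switch flow table usage even (the switch with the most spare entries takes the next rule), which is the load-balancing behaviour the text attributes to the controller; deleting a VNF also clears its table bindings so traffic of that type is returned unchanged rather than looked up against a missing VNF.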
The invention also discloses a dynamic cleaning method for the link flooding attack flow, which is realized based on the dynamic cleaning system for any one of the link flooding attack flow, and comprises the following steps:
the defender configures the programmable switch according to the attack traffic class;
the defender utilizes game balance to construct the optimal cleaning strategy;
the defender installs traffic cleaning VNFs on the traffic cleaning server and dynamically deploys traffic cleaning rules in the network, combining the programmable switch and the VNFs to clean the attack traffic.
Further, the method also comprises the following steps:
and randomly selecting a subset from the attack flow set to defend according to the optimal cleaning strategy every other fixed period.
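The periodic step above (also described under the DTS method in the Disclosure section: every fixed period, a subset of the attack flow set is randomly selected for cleaning according to the optimal strategy) is illustrated by the following added Python, which is not code from the patent. It draws the defender's action s_d from a mixed strategy each period, samples a fresh random subset of that size, and computes the cleaning rules the switch must remove and install to follow the change. The mixed strategy, the flow identifiers and the seeded random generator are constructed for the example; the function names are this example's own.

```python
"""DTS periodic re-selection of the cleaned attack flow subset (the moving-target step).

Added example; not the patent's implementation. Flow identifiers and strategies are constructed.
"""
import random


def sample_defender_action(mixed_strategy: dict, rng: random.Random) -> int:
    """Draw s_d from a mixed strategy given as {s_d: probability}."""
    choices = list(mixed_strategy)
    weights = [mixed_strategy[c] for c in choices]
    return rng.choices(choices, weights=weights, k=1)[0]


def select_cleaning_subset(attack_flows, s_d: int, rng: random.Random) -> frozenset:
    """Uniformly pick s_d flows out of the attack flow set for the coming period."""
    s_d = max(0, min(s_d, len(attack_flows)))
    return frozenset(rng.sample(sorted(attack_flows), s_d))


def rule_delta(current_rules: frozenset, new_subset: frozenset):
    """Cleaning rules to remove and to install so the switch cleans exactly new_subset."""
    to_remove = current_rules - new_subset
    to_install = new_subset - current_rules
    return to_remove, to_install


def run_periods(attack_flows, mixed_strategy: dict, periods: int, seed: int = 0):
    """Simulate `periods` fixed periods; returns one record per period."""
    rng = random.Random(seed)          # seeded only so the example is reproducible
    installed = frozenset()
    history = []
    for t in range(periods):
        s_d = sample_defender_action(mixed_strategy, rng)
        subset = select_cleaning_subset(attack_flows, s_d, rng)
        to_remove, to_install = rule_delta(installed, subset)
        installed = subset
        history.append({"period": t, "s_d": s_d, "subset": subset,
                        "removed": to_remove, "installed": to_install})
    return history


if __name__ == "__main__":
    # Constructed attack flow set of six flows and a constructed mixed strategy over s_d.
    flows = {f"flow{i}" for i in range(6)}
    for record in run_periods(flows, {2: 0.5, 3: 0.5}, periods=4, seed=1):
        print(record["period"], record["s_d"], sorted(record["subset"]),
              "remove:", sorted(record["removed"]), "install:", sorted(record["installed"]))
```

Each period the cleaned subset changes even when s_d does not, so an attacker who has learned which flows were cleaned in one period gains nothing for the next; the rule delta is what the flow table management module would push to the switch, and its size bounds the per-period churn on the flow table.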
The description of the dynamic cleaning method for link flooding attack traffic according to the embodiment of the present invention is relatively brief; for the parts it shares with the dynamic cleaning system described in the embodiment above, refer to that description, which is not repeated here.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.
Claims (6)
1. A dynamic cleaning system for link flooding attack traffic, characterized by comprising a control plane and a data plane, wherein the control plane and the data plane exchange data through a southbound interface, and the southbound interface comprises P4Runtime and a virtualized network function management southbound interface;
the control plane comprises an SDN controller;
the data plane comprises a P4 programmable switch and a traffic cleaning server, wherein the P4 programmable switch exchanges data with the SDN controller through P4Runtime, and the traffic cleaning server exchanges data with the SDN controller through the VNF management southbound interface;
the P4 programmable switch is used for forwarding network traffic, detecting and identifying attack flow according to a defense strategy and a flow cleaning rule issued by the SDN controller, and cleaning the attack flow according to the cleaning rule;
the traffic cleaning server receives attack flows which are sent by the P4 programmable switch and cannot be cleaned in match-action mode, and sends them to a designated traffic cleaning VNF for processing, wherein the traffic cleaning server comprises a traffic inlet, a traffic outlet, a flow-VNF table and a plurality of traffic cleaning VNFs;
the flow inlet is used for receiving flow to be cleaned sent by the P4 programmable switch;
the flow-VNF table is used for realizing flow matching and transmission, and transmitting the flow to a specific flow cleaning VNF through a table lookup;
the traffic cleaning VNF is used for cleaning specific types of attack traffic;
the flow outlet is used for returning the cleaned flow to the P4 programmable switch;
the SDN controller manages a flow-VNF table and a flow cleaning VNF through a VNF management southbound interface, and dynamically adds and deletes the flow cleaning VNF.
2. The link flooding attack traffic dynamic cleaning system according to claim 1, wherein the control plane further comprises: the system comprises an attack sensing module, a strategy generating module, a switch management module, a flow table management module and a VNF management module;
the attack sensing module is used for sensing the state of the whole network link and finding out the attacked network link;
the strategy generation module is used for constructing the game state from the attack and defense states, analyzing the LFA attack and defense game based on game theory, and calculating an optimal cleaning strategy;
the switch management module is used for managing the packet processing logic of the P4 programmable switch;
the flow table management module is used for setting a P4 programmable switch according to a defense strategy and installing flow cleaning rules for the P4 programmable switch;
the VNF management module is configured to install/delete traffic cleaning VNF on the data plane according to the attack traffic type.
3. The dynamic cleaning system for link flooding attack traffic according to claim 2, wherein the policy generation module is configured to analyze LFA attack and defense games based on game theory according to the attack and defense states, and calculate an optimal cleaning policy, and the method comprises:
constructing a traffic cleaning game TSG from the attack strategy and the defense strategy acquired by the attack sensing module, wherein the TSG is the four-tuple $TSG = \{N, S_a, S_d, U\}$, in which:
(1) $N = \{A, D\}$ is the set of game participants, where $A$ is the attacker and $D$ is the defender;
(2) $S_a$ is the attacker strategy space; for $s_a \in S_a$, $0 \le s_a \le g$, where $s_a$ is the number of attack flows selected by the attacker;
(3) $S_d$ is the defender strategy space; for $s_d \in S_d$, $0 \le s_d \le g$, where $s_d$ is the number of attack flows the defender can select for cleaning;
(4) $U = \{U_a, U_d\}$ is the set of the participants' utility matrices, where $U_a$ and $U_d$ are the utility matrices of the attacker and the defender respectively,
whose entries are the utilities of the attacker and the defender when the attacker selects strategy $s_a$ and the defender selects strategy $s_d$;
the construction of the attacker utility function is as follows:
$u_a(s_a, s_d) = E_a(s_a, s_d) - AC(s_a) = \lambda \cdot s_a \cdot \frac{g - s_d}{g} - \alpha s_a$
where $E_a(s_a, s_d)$ is the attack benefit, $AC(s_a)$ is the attack cost, $\lambda$ is the benefit weight that an uncleaned attack flow yields to the attacker, $g$ is the size of the attack flow set, and $\alpha$ is the cost weight of an attack flow;
the defender utility function is constructed as follows:
$u_d(s_a, s_d) = E_d(s_a, s_d) - DC(s_d) = \mu \cdot s_a \cdot \frac{s_d}{g} - \beta s_d$
where $E_d(s_a, s_d)$ is the defense benefit, $DC(s_d)$ is the defense cost, $\mu$ is the benefit weight that a cleaned attack flow yields to the defender, and $\beta$ is the cost weight of cleaning an attack flow;
solving the pure-strategy Nash equilibrium and the mixed-strategy Nash equilibrium of the TSG from the attacker utility matrix and the defender utility matrix to obtain the optimal defender cleaning strategy.
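The game of claim 3 and the periodic subset selection of claim 6, as an added example that is not the patent's own code: it builds U_a and U_d from the two utility functions, enumerates pure-strategy Nash equilibria (mixed equilibria are not solved here), and samples the flows to clean. All parameter values and the flow set are constructed for illustration.

```python
# Added example (not the patent's own code): traffic cleaning game TSG of
# claim 3 plus the periodic random subset selection of claim 6.
# All parameter values below are constructed for illustration.
import random
from itertools import product

def attacker_utility(s_a, s_d, g, lam, alpha):
    # u_a = E_a - AC = lam * s_a * (g - s_d) / g - alpha * s_a
    return lam * s_a * (g - s_d) / g - alpha * s_a

def defender_utility(s_a, s_d, g, mu, beta):
    # u_d = E_d - DC = mu * s_a * (s_d / g) - beta * s_d
    return mu * s_a * (s_d / g) - beta * s_d

def utility_matrices(g, lam, alpha, mu, beta):
    """U_a and U_d with rows indexed by s_a and columns by s_d, each in 0..g."""
    rng = range(g + 1)
    u_a = [[attacker_utility(sa, sd, g, lam, alpha) for sd in rng] for sa in rng]
    u_d = [[defender_utility(sa, sd, g, mu, beta) for sd in rng] for sa in rng]
    return u_a, u_d

def pure_nash_equilibria(u_a, u_d, eps=1e-9):
    """Profiles (s_a, s_d) where neither player gains by deviating alone."""
    n = len(u_a)
    found = []
    for sa, sd in product(range(n), repeat=2):
        best_a = max(u_a[i][sd] for i in range(n))  # attacker's best reply to sd
        best_d = max(u_d[sa][j] for j in range(n))  # defender's best reply to sa
        if u_a[sa][sd] >= best_a - eps and u_d[sa][sd] >= best_d - eps:
            found.append((sa, sd))
    return found

def choose_cleaning_subset(attack_flows, s_d, rng=None):
    """Claim 6: each fixed period, randomly pick s_d flows of the set to clean."""
    rng = rng or random.Random()
    return rng.sample(list(attack_flows), min(s_d, len(attack_flows)))

if __name__ == "__main__":
    # Constructed parameters: best replies chase each other (attacker attacks
    # all, defender cleans all, attacker then stops), so no pure equilibrium
    # exists and the mixed-strategy equilibrium of claim 3 is needed.
    print(pure_nash_equilibria(*utility_matrices(4, 1.0, 0.2, 1.0, 0.3)))  # []
    # Constructed parameters where both players are indifferent at (2, 2).
    print(pure_nash_equilibria(*utility_matrices(4, 1.0, 0.5, 1.0, 0.5)))  # [(2, 2)]
    flows = [f"flow-{i}" for i in range(4)]  # constructed attack flow set, g = 4
    print(choose_cleaning_subset(flows, 2, random.Random(7)))
```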
4. A link flooding attack traffic dynamic cleaning system according to claim 1, wherein any of said P4 programmable switches is connected as a network node to a separate traffic cleaning server.
5. The dynamic cleaning method for the link flooding attack flow is realized based on the dynamic cleaning system for the link flooding attack flow in any one of claims 1-4, and is characterized by comprising the following steps:
the defender configures the programmable switch according to the attack traffic class;
the defender utilizes game balance to construct the optimal cleaning strategy;
the defender installs the traffic cleaning VNF on the traffic cleaning server and dynamically deploys traffic cleaning rules in the network, combining the programmable switch and the VNF to clean the attack traffic.
6. The method for dynamically cleaning link flooding attack traffic according to claim 5, further comprising the steps of:
at fixed intervals, randomly selecting a subset of the attack flow set to defend according to the optimal cleaning strategy.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211236647.5A CN115834459B (en) | 2022-10-10 | 2022-10-10 | Dynamic cleaning system and method for link flooding attack flow |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115834459A CN115834459A (en) | 2023-03-21 |
CN115834459B true CN115834459B (en) | 2024-03-26 |
Family
ID=85524525
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211236647.5A Active CN115834459B (en) | 2022-10-10 | 2022-10-10 | Dynamic cleaning system and method for link flooding attack flow |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115834459B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN115834459A (en) | 2023-03-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||