CN116074844A - 5G slice escape attack detection method based on full-flow adaptive detection - Google Patents

5G slice escape attack detection method based on full-flow adaptive detection Download PDF

Info

Publication number
CN116074844A
Authority
CN
China
Prior art keywords
detection
flow
features
slice
self
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310357072.0A
Other languages
Chinese (zh)
Other versions
CN116074844B (en)
Inventor
刘珍珍
黄康乾
周睿
黄靖茵
胡鑫
向德军
黄志生
李小勇
陈镜冰
高雅丽
袁开国
蔡斌思
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Electric Power Transaction Center Co ltd
Original Assignee
Guangdong Electric Power Transaction Center Co ltd

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
            • H04W12/12 Detection or prevention of fraud
              • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/08 Configuration management of networks or network elements
              • H04L41/0893 Assignment of logical groups to network elements
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1425 Traffic logging, e.g. anomaly detection
              • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
        • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
          • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
            • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a 5G slice escape attack detection method based on full-flow adaptive detection, which realizes adaptive detection of slice escape attacks. Addressing the differences between intra-slice and inter-slice escape attacks, eleven-tuple features are proposed, with which both intra-slice and inter-slice escape attack detection is realized. A two-stage detection module is introduced: information entropy is used for fast preliminary detection, and only the traffic flagged as abnormal by the preliminary stage is re-checked by the second stage, so that detection time is greatly shortened. A self-attention mechanism, a long short-term memory network and a cooperative detection model are introduced; the self-attention mechanism helps determine the feature weights, and the cooperative detection model starts from the propagation path of the attack traffic and obtains the final result by jointly analysing the features of the associated switches to correct the deviation of the per-flow result, which improves detection accuracy and reduces the false alarm rate. By using the sFlow agent technology, overload of the controller caused by a large number of message exchanges during traffic collection is avoided.

Description

5G slice escape attack detection method based on full-flow adaptive detection
Technical Field
The invention relates to the technical field of 5G network information security, in particular to a 5G slice escape attack detection method based on full-flow adaptive detection.
Background
The 5G power transaction private network introduces 5G slicing technology, which brings the advantages of reduced cost and improved flexibility but also introduces new security problems: (1) a malicious terminal that may exist inside a slice can degrade the performance of the whole slice, and can also carry out a slice escape attack by excessively consuming the shared resources that the slice is authorised to access; (2) when isolation between slices fails, or when a malicious terminal in another slice communicates with this slice by means such as IP spoofing, malicious terminals from other slices attack this slice, degrading its performance or exhausting its resources.
Current research on 5G slice security, domestically and abroad, focuses mainly on mitigating security risks inside a slice; little attention is paid to the risks between slices or to how slice escape attacks can be detected, and analysis and detection of intra-slice and inter-slice escape attacks is lacking. Research on distributed denial of service attack detection is mostly based on public data sets and software-defined network scenarios; it has not been carried out in a slice scenario, let alone for slice escape attacks in a slice scenario. For example, in 2020 Chen Li et al. proposed a distributed denial of service attack detection model based on software-defined networking: six feature vectors are built from the flow table entry information of the OpenFlow switches in a software-defined network architecture and used as the input of a classifier, a multi-layer feedforward network trained by error back-propagation. However, that scheme cannot solve the detection of inter-slice and intra-slice escape attacks in a 5G slice scenario, and it has the problems of neglecting load balance during traffic collection, low detection speed and a high false alarm rate.
Disclosure of Invention
The invention aims to provide a 5G slice escape attack detection method based on full-flow adaptive detection, which solves the technical problem of full-flow adaptive detection of intra-slice and inter-slice escape attacks in a 5G power transaction private network, improves the accuracy of the detection model and reduces its false alarm rate.
In order to achieve the above object, the present invention provides the following technical solutions:
the invention provides a 5G slice escape attack detection method based on full-flow adaptive detection, comprising the following steps:
step 1: the first-stage detection module acquires the flow table information for a unit time interval from the 5G power transaction private network through the sFlow agent technology; the information entropy of the acquired flow table is calculated, flow table items with a normal entropy value are issued normally, and flow table items with an abnormal entropy value enter step 2 for re-checking;
step 2: for the flow table items with abnormal entropy detected in step 1, the eleven-tuple feature extraction module of the second-stage detection module extracts eleven-tuple features, comprising four flow features, three inter-slice escape features and four switch association features. The four flow features are the number of packets, the average packet size, the total number of bytes and the packet arrival time interval; the three inter-slice escape features are the median duration of the flow table entries, the percentage of IP-paired flow table entries and the absolute number of single (unpaired) flow table entries; the four switch association features are the maximum packet inflow per unit time, the maximum packet outflow per unit time, the maximum byte inflow per unit time and the maximum byte outflow per unit time. The feature vector formed by the eleven-tuple features, together with the data message segments, is input into a detection model based on a long short-term memory network and a self-attention mechanism, giving a detection result P, where P is the probability that a slice escape attack is occurring; the four switch association features of the extracted eleven-tuple are format-converted and input, together with P, into the cooperative detection model to obtain the cooperative detection result;
step 3: judge whether the cooperative detection result obtained in step 2 is normal; if it is normal, issue the flow table normally, otherwise enter the exception handling module.
Further, the first-stage detection module mainly comprises a traffic acquisition module and an information entropy pre-detection module. The traffic acquisition module acquires the flow table information from the switches using the sFlow agent technology and passes it to the information entropy pre-detection module. The pre-detection module calculates the information entropy of the collected traffic in the slice network and, by observing the entropy values, makes a preliminary judgement of whether the network is abnormal during the period; if so, the flow table information of that period is used as the input of the second-stage detection module; if no abnormality is found, the flow table is issued normally.
Further, the specific process of step 1 is as follows:
step 11: acquiring data flow table items in a unit time interval in a 5G power transaction private network through an sFlow agent technology;
step 12: extracting a group of quadruplets I according to the flow table obtained in the step 11, wherein parameters in the quadruplets I are respectively a source address, a destination address, the number of data packets and a protocol;
step 13: calculating the information entropy of the data stream according to the quadruple I and the information entropy calculation formula obtained in the step 12;
step 14: repeating the step 12 and the step 13 for five times, and comparing the information entropy obtained in the five times with the network information entropy threshold value;
step 15: if the information entropy is below the network information entropy threshold five consecutive times, it is judged that abnormal traffic may exist and the data flow is passed to the second-stage detection model for re-checking; otherwise the traffic is judged normal and the flow table is issued.
Further, the second-stage detection module comprises an eleven-tuple feature extraction module, a detection module based on a long short-term memory network and a self-attention mechanism, and a cooperative detection module, and realizes both intra-slice and inter-slice escape attack detection;
the process of intra-slice escape attack detection is as follows: first, the general features, namely the flow features and the switch association features, are obtained by the eleven-tuple feature extraction module; the flow features and the data message segments are used as the input of the detection model based on the long short-term memory network and the self-attention mechanism, which outputs the probability that the flow is a slice escape attack; the switch association features are then processed and, together with that output probability, form the input of the cooperative detection model, which corrects the detection result by jointly considering the association features of the switches;
the process of inter-slice escape attack detection is as follows: first, the eleven-tuple feature extraction module obtains the general features (the flow features) and the targeted features (the inter-slice escape features); the flow features, the inter-slice escape features and the data message segments are input into the detection model based on the long short-term memory network and the self-attention mechanism, which outputs the probability that the flow is a slice escape attack; the switch association features of the eleven-tuple are format-converted and, together with the output probability, used as the input of the cooperative detection model, which corrects the detection result by jointly considering the switch association features.
Further, the specific process of step 2 is as follows:
step 21: extract the eleven-tuple features of the data flows passed from the first-stage detection module for re-checking;
step 22: the general features (the flow features), the specific features (the inter-slice escape features) and the data message segments are used as the input of the detection model based on the long short-term memory network and the self-attention mechanism;
step 23: the detection model based on the long short-term memory network and the self-attention mechanism outputs a result P, whose value is 0 or 1;
step 24: format-convert the four switch association features of the eleven-tuple and use them, together with P from step 23, as the input of the cooperative detection model;
step 25: the final detection result is obtained from the cooperative detection model; an output of 1 indicates that a slice escape attack has occurred and the flow enters the exception handling module; an output of 0 indicates no abnormality and the flow table is issued normally.
Further, in the input layer of the detection model based on the self-attention mechanism and the long short-term memory network, one or more groups of the extracted eleven-tuple features and data message segments are input first; the self-attention mechanism finds the relative importance of each feature and assigns an adaptive weight to it, while unimportant information in the data message segments is ignored.
Further, in the hidden layer of the detection model based on the self-attention mechanism and the long short-term memory network, the data processed by the self-attention mechanism is used as the input of the long short-term memory network model, which consists of three dense layers and two hidden layers and is built with the Keras Python library; it finally outputs a result P: if the result is 0, no slice escape attack has occurred, and if the result is 1, the flow is a slice escape attack flow.
Further, the collaborative detection model in step 2 uses a detection model based on a long-short-term memory network and a self-attention mechanism.
Further, the format conversion of the four switch association features of the eleven-tuple in step 2 is as follows: the switch number in each extracted switch association feature is replaced by the probability that a slice escape attack is occurring at that switch at that moment.
Further, the specific process of step 3 is as follows:
step 31: if the final detection result obtained in step 2 is 0, the flow is normal and the flow table is issued;
step 32: if the final detection result obtained in step 2 is 1, the flow is abnormal: issuing of the flow table is stopped, the source address of the flow is added to the violation count table and its violation count is recorded;
step 33: the violation count recorded in step 32 is compared with the violation count threshold; if the number of violations by packets sent from that address reaches the threshold, all traffic from the address is blocked; if it does not, only the violating traffic is discarded.
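The following Python example is added here and is not the patent's code; it implements steps 31 to 33 as a small violation count table driven by the final detection result. The threshold value, the action names and the per-address state it keeps are assumptions, and the event list is constructed for illustration.

```python
"""Exception handling module (step 3): violation count table and response.

Added example, not the patent's code. The page only states that on a final
result of 1 the flow table is withheld, the source address is entered in the
violation count table and its count compared with a threshold, with all
traffic from the address shielded once the threshold is reached and the
violating flow discarded otherwise. The threshold value, the action names
and the per-address state kept here are assumptions.
"""
from __future__ import annotations

from collections import defaultdict


class ExceptionHandler:
    def __init__(self, violation_threshold: int = 3) -> None:
        self.threshold = violation_threshold
        self.violations: dict[str, int] = defaultdict(int)  # source address -> count
        self.blocked: set[str] = set()

    def handle(self, src: str, final_result: int) -> str:
        """Apply step 3 to one flow and return the action taken.

        'issue' - final result 0: the flow table is issued normally (step 31)
        'drop'  - final result 1 below the threshold: the violating flow is
                  discarded and the count incremented (steps 32 and 33)
        'block' - the address reached the threshold: all of its traffic is
                  shielded, including later flows that look normal
        """
        if final_result not in (0, 1):
            raise ValueError("final detection result must be 0 or 1")
        if src in self.blocked:
            return "block"
        if final_result == 0:
            return "issue"
        self.violations[src] += 1
        if self.violations[src] >= self.threshold:
            self.blocked.add(src)
            return "block"
        return "drop"


def replay(events: list[tuple[str, int]], threshold: int = 3) -> list[str]:
    """Run a sequence of (source address, final result) pairs through one handler."""
    h = ExceptionHandler(threshold)
    return [h.handle(src, r) for src, r in events]


# Constructed sample: one address trips the threshold, a normal peer never does.
SAMPLE_EVENTS = [
    ("10.1.0.5", 0), ("10.9.9.9", 1), ("10.9.9.9", 1), ("10.1.0.5", 0),
    ("10.9.9.9", 1), ("10.9.9.9", 0), ("10.1.0.5", 0),
]

if __name__ == "__main__":
    for (src, r), action in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{src:10} result={r} -> {action}")
```

Once an address is in the blocked set the handler no longer consults the detection result for it, which is the "shield all traffic of the address" behaviour of step 33; whether and when a blocked address is released is not specified on the page and is left out.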
Compared with the prior art, the 5G slice escape attack detection method based on full-flow adaptive detection has the following beneficial effects:
1. adaptive detection of slice escape attacks is realized for the 5G slice scenario;
2. eleven-tuple features are proposed, addressing the differences between intra-slice and inter-slice escape attacks, and used to detect both;
3. a two-stage detection method is introduced: information entropy is used for fast preliminary detection and only the traffic flagged as abnormal is re-checked by the second stage, greatly shortening detection time;
4. a self-attention mechanism and a cooperative detection model are introduced: the self-attention mechanism helps determine the feature weights, and the cooperative detection model starts from the propagation path of the attack traffic and obtains the final result by jointly analysing the features of the associated switches to correct the per-flow result;
5. the sFlow agent technology is used, avoiding overload of the controller caused by a large number of message exchanges during traffic collection.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
Fig. 1 is a flowchart of a method for detecting 5G slice escape attack based on full-flow adaptive detection according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a two-stage detection module according to an embodiment of the present invention.
Fig. 3 is a flowchart of a first stage detection module according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of a second stage detection module according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of a detection model based on a self-attention mechanism and a long-short-term memory network according to an embodiment of the present invention.
Fig. 6 is a schematic diagram of a switch feature format conversion according to an embodiment of the present invention.
Fig. 7 is a flowchart of an exception handling module according to an embodiment of the present invention.
Detailed Description
The invention provides a two-stage method for full-flow adaptive detection of slice escape attacks, which improves on a detection scheme based on six-tuple flow table features by proposing eleven-tuple flow table features, thereby realizing adaptive detection of intra-slice and inter-slice escape attacks in a 5G power transaction private network, improving detection efficiency and reducing the false alarm rate.
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention provides a 5G slice escape attack detection method based on full-flow adaptive detection which, as shown in Fig. 1, comprises two parts: a two-stage detection module and an exception handling module. The two-stage detection method is divided into a first-stage detection module and a second-stage detection module and comprises the following steps:
step 1: the first-stage detection module acquires the flow table information for a unit time interval from the 5G power transaction private network through the sFlow agent technology; the information entropy of the acquired flow table is calculated, flow table items with a normal entropy value are issued normally, and flow table items with an abnormal entropy value enter step 2 for re-checking;
step 2: for the flow table items with abnormal entropy detected in step 1, the second-stage detection module extracts the eleven-tuple features, comprising four flow features [P_N, P_A, B, P_I], three inter-slice escape features [FT_D, FE_P, FE_V] and four switch association features [DP_IN, DP_OUT, B_IN, B_OUT]; the eleven-tuple features and the data message segments are input into a detection model based on a long short-term memory network and a self-attention mechanism, giving a detection result P, where P is the probability that a slice escape attack is occurring; the four switch association features of the extracted eleven-tuple are format-converted and input, together with P, into the cooperative detection model to obtain the cooperative detection result;
step 3: judge whether the cooperative detection result obtained in step 2 is abnormal; if it is not, issue the flow table normally, otherwise enter the exception handling module.
I. Two-stage detection module
Fig. 2 illustrates the structure of the two-stage detection module and the technologies it mainly uses. The two-stage detection module is divided into a first-stage detection module and a second-stage detection module. The traffic under detection first passes through the first-stage detection module, and if it is found abnormal there it is re-checked by the second-stage detection module. The first-stage detection module mainly uses information entropy and the sFlow agent technology. The second-stage detection module mainly uses a self-attention mechanism and a long short-term memory network, and introduces the eleven-tuple feature scheme and the cooperative detection scheme.
(1) First-stage detection module
As shown in Fig. 3, the first-stage detection module mainly comprises two parts: traffic acquisition and information entropy pre-detection. In the traffic acquisition part, the centralised control mode of the software-defined network controller in the 5G slice places a very large load on the control plane, and when a large number of flow requests from the switches and message exchanges between the switches and the controller occur at once, the controller is easily overloaded or its load becomes unbalanced. To avoid overloading the controller with message exchanges during traffic collection, an sFlow agent assists in collecting the flow table information in the switches, so that very large network traffic can be acquired and analysed in real time; the flow table information obtained by this part is the input of the information entropy pre-detection module. In the information entropy pre-detection part, the information entropy of the collected traffic in the slice network is calculated and, by observing the entropy values, a fast preliminary judgement is made of whether the network is abnormal during the period; if so, the flow table information of that period is used as the input of the second-stage detection module; if no abnormality is found, the flow table is issued normally. The specific steps of the first-stage detection module are as follows:
step 1: acquiring data flow table items in a unit time interval in a 5G power transaction private network through an sFlow agent technology;
step 2: extracting a group of four-tuple I= < source address, destination address, data packet number and protocol > according to the flow table obtained in the step 1;
step 3: calculating the information entropy of the data stream according to the four-element group I and the shannon information entropy calculation formula obtained in the step 2;
step 4: repeating the step 2 and the step 3 for five times, and comparing the information entropy obtained in the five times with the network information entropy threshold value;
step 5: if the information entropy is below the network information entropy threshold five consecutive times, it is judged that abnormal traffic may exist and the traffic is passed to the second-stage detection model for re-checking; otherwise the traffic is judged normal and the flow table is issued.
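The following Python example is added here and is not the patent's code; it carries steps 1 to 5 of the first-stage module through on constructed flow-table windows. The record layout (src, dst, proto, packets), the use of packet counts as the weights of the <src, dst, proto> conversations in the Shannon entropy, and the threshold value are assumptions the page does not fix.

```python
"""Stage-1 entropy pre-detection over sFlow flow-table windows.

Added example, not the patent's code. Assumed (not given on the page):
each flow-table entry is a dict with src, dst, proto and packets fields;
packet counts weight the <src, dst, proto> conversations when the Shannon
entropy of the four-tuple I is computed; the threshold value below is chosen
for the constructed sample.
"""
from __future__ import annotations

import math
from collections import Counter
from typing import Iterable, Sequence

# Steps 4 and 5: escalate only after five consecutive low-entropy windows.
CONSECUTIVE_WINDOWS = 5


def window_entropy(entries: Iterable[dict]) -> float:
    """Shannon entropy in bits of the packet-weighted <src, dst, proto> distribution.

    Many balanced conversations give high entropy; one source flooding one
    destination concentrates the packet mass and drives the entropy down.
    """
    weights: Counter = Counter()
    for e in entries:
        weights[(e["src"], e["dst"], e["proto"])] += e["packets"]
    total = sum(weights.values())
    if total == 0:
        return 0.0
    return -sum((w / total) * math.log2(w / total) for w in weights.values() if w)


def pre_detect(windows: Sequence[Iterable[dict]], threshold: float) -> list[bool]:
    """Per window: True if it is sent to the second stage for re-checking.

    A window is escalated when it and the preceding CONSECUTIVE_WINDOWS - 1
    windows all have entropy below `threshold`; otherwise the flow table is
    issued normally. A single low-entropy window is not enough, which keeps
    short bursts (for example one large file transfer) from being escalated.
    """
    entropies = [window_entropy(w) for w in windows]
    flags: list[bool] = []
    for i in range(len(entropies)):
        run = entropies[max(0, i - CONSECUTIVE_WINDOWS + 1): i + 1]
        flags.append(len(run) == CONSECUTIVE_WINDOWS and all(h < threshold for h in run))
    return flags


def normal_window() -> list[dict]:
    """Constructed sample: eight balanced TCP conversations."""
    return [{"src": f"10.1.0.{i}", "dst": f"10.2.0.{i}", "proto": "TCP", "packets": 100}
            for i in range(8)]


def attack_window() -> list[dict]:
    """Constructed sample: the same background plus one source flooding one destination."""
    return normal_window() + [{"src": "10.9.9.9", "dst": "10.2.0.1", "proto": "UDP",
                               "packets": 20000}]


# Assumed threshold in bits for the constructed sample; in practice it is
# calibrated from the entropy observed on the slice during normal operation.
ENTROPY_THRESHOLD = 2.0
SAMPLE_WINDOWS = [normal_window()] * 3 + [attack_window()] * 6

if __name__ == "__main__":
    for i, (w, flag) in enumerate(zip(SAMPLE_WINDOWS, pre_detect(SAMPLE_WINDOWS, ENTROPY_THRESHOLD))):
        print(f"window {i}: H={window_entropy(w):.3f} bits escalate={flag}")
```

With the sample above the three normal windows sit at 3 bits, the flood windows at well under 1 bit, and the first escalation happens at the seventh window, the first point at which five consecutive windows are below the threshold.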
(2) Second-stage detection module
The second-stage detection module can be divided into three parts of eleven-tuple feature extraction, a detection model based on a self-attention mechanism and a long-period memory network and a collaborative detection model according to detection steps, and can be divided into an intra-slice escape attack detection module and an inter-slice escape attack detection module according to detection functions. A functional block diagram of the second level detection is shown in fig. 4. The specific steps of the second-stage detection module are as follows:
step 1: extracting eleven-tuple characteristics of the data flow needing rechecking from the first-stage detection module;
step 2: the general features, namely the features of the stream and the specific features, namely the inter-slice escape features, and the data message segments are used as the input of a detection model based on a long-short-term memory network and a self-attention mechanism;
step 3: obtaining an output result P of a detection model based on a long-short-period memory network and a self-attention mechanism, wherein P is 0 or 1;
step 4: format-convert the four switch association features of the eleven-tuple and use them, together with P from step 3, as the input of the cooperative detection model;
step 5: the final detection result is obtained from the cooperative detection model; an output of 1 indicates that a slice escape attack has occurred and the flow enters the exception handling module; an output of 0 indicates no abnormality and the flow table is issued normally.
(a) Eleven-tuple feature extraction
In the eleven-tuple feature extraction part, the eleven-tuple features are defined as the input of the detection model; the listed features can be extracted from the flow table information passed from the first-stage detection module to the second-stage detection module. The four flow features are [P_N, P_A, B, P_I], the four switch association features are [DP_IN, DP_OUT, B_IN, B_OUT], and the three inter-slice escape features are [FT_D, FE_P, FE_V]. Specific examples are given in Table 1.
Table 1 Eleven-tuple features (the original table is an image; the entries below are taken from the feature definitions in the description, matched in the order in which it lists them)

    Group                        Feature   Meaning
    Flow features                P_N       number of packets
                                 P_A       average packet size
                                 B         total number of bytes
                                 P_I       packet arrival time interval
    Inter-slice escape features  FT_D      median duration of the flow table entries
                                 FE_P      percentage of IP-paired flow table entries
                                 FE_V      absolute number of single flow table entries
    Switch association features  DP_IN     maximum packet inflow per unit time
                                 DP_OUT    maximum packet outflow per unit time
                                 B_IN      maximum byte inflow per unit time
                                 B_OUT     maximum byte outflow per unit time
(b) Detection model based on self-attention mechanism and long-term and short-term memory network
A schematic block diagram of the slice escape detection model based on a long short-term memory network (LSTM) and a self-attention mechanism is shown in Fig. 5. In the input layer, one or more groups of the eleven-tuple features extracted in the previous step and the data message segments are input first; the self-attention mechanism finds the relative importance of each feature and assigns an adaptive weight to it, while unimportant information in the data message segments is ignored. The data processed by the self-attention mechanism is the input of the long short-term memory network model, which consists of three dense layers and two hidden layers and is built with the Keras Python library. Finally a detection result is output: 0 indicates that no slice escape attack has occurred, and 1 indicates that the flow is a slice escape attack flow.
(c) Collaborative detection model
When a slice escape attack occurs, the attack traffic affects the whole link from the source address to the destination address, so the method integrates collaborative detection across switches in order to take the information of the associated switches into account. A major feature of the method is that it turns collaborative detection into another machine learning problem, so a suitable machine learning model must be chosen. Collaborative detection is also a supervised binary classification problem; the number of training samples equals the number of flow table feature records, and although the dimension is lower the data volume is very large, so the collaborative detection module again uses the detection model based on the LSTM network and the self-attention mechanism.
The switch association features cannot be used directly, because these feature values are only the names or numbers of switches and must be converted before use. The controller extracts the flow table features of a group of switches at regular intervals, and each switch has its own corresponding record. The collaborative detection model yields, for each record, the probability that the corresponding switch is experiencing a slice escape attack; the switch numbers in the switch association features extracted at the same moment are then replaced by the current attack probability of those switches, and together with the previous result they form the collaborative detection features. Fig. 6 is a schematic diagram of the switch feature format conversion.
As shown in Fig. 7 (the symbols in this paragraph appear on the original page only as images and are not reproduced here), one symbol represents switch N and another represents the detection result of the flow extracted by the N-th switch. The switch association features [DP_IN, DP_OUT, B_IN, B_OUT], after processing and conversion, are combined with the detection result that the LSTM and self-attention based model produced for the flow into the input vector of the collaborative model; after analysis and detection by the model, its output is taken as the final detection result.
(d) Intra-slice escape attack detection
The intra-slice escape behaviour detection part detects intra-slice escape behaviour by extracting two sets of features from the flow table information: the first set is the flow features [P_N, P_A, B, P_I], and the second set is the switch association features [DP_IN, DP_OUT, B_IN, B_OUT]. The first set, together with the data packet segments, is fed to the detection model based on the LSTM network and the self-attention mechanism, which yields the probability P that the flow is a slice escape attack; the second set is processed and, together with the output P of that model, forms the input of the collaborative detection model. The collaborative detection module corrects the detection result by taking the switch association features into account, which ensures the accuracy of early detection of slice escape attacks.
(e) Inter-slice escape detection
The inter-slice escape behaviour detection part differs from the intra-slice part in that it extracts an additional set of features from the flow table information, namely [FT_D, FE_P, FE_V], which enables detection of escape behaviour across slices.
The inter-slice escape feature set detects inter-slice escape attacks on the basis of the following observations:
When an attacker carries out a cross-slice escape attack on a slice, the IP (Internet Protocol) address is forged and the forged address is continuously changed, so the switch's flow table holds a large number of flow entries that no later packet matches for a long time. When the time for which a flow entry goes unmatched exceeds the idle timeout, the entry is removed automatically. When a slice escape attack occurs, the flow table therefore contains a large number of entries whose duration is shorter than the idle timeout and a shortage of entries whose duration exceeds it. The median of the flow table durations can thus reflect the state of the flows and of the switch and indicate whether they are under a slice escape attack. At the same time, the median reflects the typical duration of flow entries while avoiding the influence of abnormal maximum and minimum values, which improves accuracy and reduces the false alarm rate.
When a cross-slice escape attack occurs, a large number of unpaired flow entries may appear in the flow table. Normally, for each flow entry one can find the corresponding entry with source and destination addresses swapped. Although a switch's use of an asymmetric routing mechanism for link load balancing may also produce some unpaired flow entries under normal conditions, the proportion differs from that seen under a slice escape attack; therefore the percentage of IP-paired flow entries among all flow entries can reflect whether the switch is subject to a slice escape attack.
To avoid a drop in detection performance caused by the insensitivity of the IP-paired proportion when the switch holds many flow entries, the absolute number of single (unpaired) flow entries is added as a further feature.
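The feature extraction of parts (a), (c) and (e) above, as an added illustration that is not the patent's own code: the four flow features and the three inter-slice escape features are computed from a switch's flow table, and the switch association features are converted from switch numbers to attack probabilities. The feature names follow the patent; the FlowEntry record layout, the sample tables and the probability map are constructed assumptions.

```python
"""Eleven-tuple feature extraction over one switch's flow table.

Added illustration, not code from the patent. Feature names follow the
patent ([P_N, P_A, B, P_I], [FT_D, FE_P, FE_V], [DP_IN, DP_OUT, B_IN, B_OUT]);
the FlowEntry record layout and the sample tables are constructed assumptions.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Tuple


@dataclass
class FlowEntry:
    src: str               # source IP
    dst: str               # destination IP
    packets: int           # packets matched so far
    nbytes: int            # bytes matched so far
    duration_s: float      # seconds since the entry was installed
    arrivals: List[float] = field(default_factory=list)  # packet arrival times


def flow_features(e: FlowEntry) -> Tuple[int, float, int, float]:
    """[P_N, P_A, B, P_I]: packet count, mean packet size, total bytes and
    mean packet inter-arrival time (0.0 when fewer than two arrivals)."""
    p_a = e.nbytes / e.packets if e.packets else 0.0
    gaps = [t1 - t0 for t0, t1 in zip(e.arrivals, e.arrivals[1:])]
    p_i = sum(gaps) / len(gaps) if gaps else 0.0
    return e.packets, p_a, e.nbytes, p_i


def inter_slice_features(table: List[FlowEntry]) -> Tuple[float, float, int]:
    """[FT_D, FE_P, FE_V] over the whole table:
    FT_D  median entry duration (robust against a few extreme entries),
    FE_P  percentage of entries whose reverse (dst->src) entry also exists,
    FE_V  absolute number of unpaired ("single") entries."""
    if not table:
        return 0.0, 0.0, 0
    ft_d = float(median(e.duration_s for e in table))
    keys = {(e.src, e.dst) for e in table}
    paired = sum(1 for e in table if (e.dst, e.src) in keys)
    fe_p = 100.0 * paired / len(table)
    return ft_d, fe_p, len(table) - paired


def convert_switch_features(assoc: Tuple[int, int, int, int],
                            switch_prob: Dict[int, float]) -> Tuple[float, ...]:
    """Format conversion of [DP_IN, DP_OUT, B_IN, B_OUT]: each value is a
    switch number and is replaced by that switch's current attack probability
    (the per-switch results of the previous detection round)."""
    return tuple(switch_prob[s] for s in assoc)


# Constructed sample tables (not real traffic).
NORMAL_TABLE = [
    FlowEntry("10.1.0.2", "10.1.0.9", 4, 4800, 30.0, [0.0, 0.5, 1.5, 3.0]),
    FlowEntry("10.1.0.9", "10.1.0.2", 3, 1500, 30.0, [0.2, 0.7, 1.7]),
    FlowEntry("10.1.0.3", "10.1.0.7", 5, 500, 12.0),
    FlowEntry("10.1.0.7", "10.1.0.3", 4, 400, 12.0),
    FlowEntry("10.1.0.4", "10.1.0.8", 1, 60, 3.0),   # single (unpaired) entry
]
# Eight forged sources hitting one victim: one packet each, short-lived, unpaired.
ATTACK_TABLE = NORMAL_TABLE[:2] + [
    FlowEntry(f"10.9.0.{i}", "10.1.0.5", 1, 60, 1.0) for i in range(1, 9)
]

if __name__ == "__main__":
    for name, table in (("normal", NORMAL_TABLE), ("attack", ATTACK_TABLE)):
        print(name, inter_slice_features(table))
    print(flow_features(NORMAL_TABLE[0]))
    print(convert_switch_features((1, 2, 1, 3), {1: 0.05, 2: 0.80, 3: 0.10}))
```

Run stand-alone, the attack table shows a much lower duration median and paired percentage and a much higher single-entry count than the normal table, which is the contrast the three inter-slice features are meant to expose.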
(II) Exception handling module
The flow chart of the exception handling module is shown in Fig. 7. For a flow whose final detection result is normal, the flow table is issued. For an abnormal flow, the flow table is not issued; the source address of the flow is added to the violation count table and the violation count of that address is recorded. If the violation count of packets sent from the address reaches the threshold, all traffic from the address is blocked; if it has not reached the threshold, the flow is discarded.
The invention has the following advantages:
(1) Aiming at a 5G slice scene, a set of detection method for slice escape attack is provided, and the self-adaptive detection of the slice escape attack can be realized;
(2) Addressing the differences between intra-slice and inter-slice escape attacks, an eleven-tuple feature is innovatively provided for detecting both intra-slice and inter-slice escape attacks;
(3) A two-stage detection module is introduced, the information entropy technology is utilized to perform quick preliminary detection, and the abnormal flow in the preliminary detection is subjected to second-stage detection rechecking, so that the detection time is greatly shortened;
(4) A self-attention mechanism, a long short-term memory network and a collaborative detection model are introduced: the self-attention mechanism helps to determine the feature weights, and the collaborative detection model starts from the propagation link of the attack traffic and obtains the final detection result by collaboratively analysing the features of the associated switches to correct the deviation, which improves detection accuracy and reduces the false alarm rate;
(5) The sFlow agent technology is used with attention to load balancing, avoiding overload of the controller caused by a large amount of message exchange during traffic collection.
The above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may be modified or some technical features may be replaced with others, which may not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A 5G slice escape attack detection method based on full-flow adaptive detection, characterised by comprising the following steps:
step 1: the first-stage detection module acquires flow table information in a unit time interval from the 5G power transaction private network through the sFlow agent technology; the information entropy of the acquired flow table is calculated with the information entropy technique, flow table items with a normal entropy value are issued normally, and flow table items with an abnormal entropy value enter step 2 for rechecking;
step 2: for the flow table items with abnormal entropy values detected in step 1, the eleven-tuple feature extraction module in the second-stage detection module extracts the eleven-tuple features of the flow table items, which comprise four flow features, three inter-slice escape features and four switch association features; the four flow features are the number of data packets, the average size of the data packets, the total number of bytes and the arrival time interval of the data packets; the three inter-slice escape features are the median duration of the flow table, the percentage of IP-paired flow table items and the absolute number of single flow table items; and the four switch association features are the maximum inflow of data packets per unit time, the maximum outflow of data packets per unit time, the maximum inflow of bytes per unit time and the maximum outflow of bytes per unit time; the feature vector formed from the eleven-tuple features and the data packet segments are input into the detection model based on the long short-term memory network and the self-attention mechanism for detection, obtaining a detection result P, where P is the probability that a slice escape attack has occurred; the four switch association features among the extracted eleven-tuple features undergo the corresponding format conversion and, together with the obtained detection result P, are input into the collaborative detection model to obtain the collaborative detection result;
step 3: it is judged whether the collaborative detection result obtained in step 2 is normal; if normal, the flow table is issued normally, and if abnormal, the flow enters the exception handling module.
2. The 5G slice escape attack detection method based on full-flow adaptive detection according to claim 1, wherein the first-stage detection module mainly comprises a flow acquisition module and an information entropy pre-detection module; the flow acquisition module acquires the flow table information in the switches using the sFlow agent technology and passes the acquired flow table information to the information entropy pre-detection module as input; the information entropy pre-detection module calculates the information entropy of the collected traffic in the slice network, preliminarily judges from the entropy values whether the network is abnormal within a period of time and, if so, passes the flow table information of that period to the second-stage detection module as input; if no abnormality is found, the flow table is issued normally.
3. The 5G slice escape attack detection method based on full-flow adaptive detection according to claim 1, wherein the specific process of step 1 is as follows:
step 11: acquiring the data flow table items in a unit time interval in the 5G power transaction private network through the sFlow agent technology;
step 12: extracting a group of quadruples I from the flow table obtained in step 11, the parameters of quadruple I being the source address, the destination address, the number of data packets and the protocol;
step 13: calculating the information entropy of the data flow from the quadruple I obtained in step 12 and the information entropy calculation formula;
step 14: repeating step 12 and step 13 five times, and comparing the five information entropy values obtained with the network information entropy threshold;
step 15: if all five consecutive information entropy values are smaller than the network information entropy threshold, judging that abnormal traffic may exist and passing the data flow to the second-stage detection model for rechecking; otherwise, judging the traffic to be normal and issuing the flow table.
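The five-interval entropy pre-detection of steps 11 to 15, as an added illustration that is not the patent's own code. The page does not state which field of quadruple I the entropy formula is taken over; this example uses the destination-address distribution weighted by packet count, and the threshold and the sample intervals are constructed assumptions.

```python
"""First-stage entropy pre-detection (claim 3, steps 11-15).

Added illustration, not the patent's code. Each unit interval yields a list
of quadruple-I records (source address, destination address, packet count,
protocol). Which field the patent's entropy formula uses is not stated; the
destination-address distribution, the threshold and the sample intervals
below are assumptions.
"""
import math
from collections import Counter
from typing import List, Sequence, Tuple

QuadI = Tuple[str, str, int, str]   # (src, dst, packet count, protocol)
WINDOW = 5                          # step 14: five consecutive intervals


def dst_entropy(quads: Sequence[QuadI]) -> float:
    """Shannon entropy in bits of the destination-address distribution,
    each destination weighted by the packets sent to it in the interval."""
    counts: Counter = Counter()
    for _src, dst, pkts, _proto in quads:
        counts[dst] += pkts
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def needs_recheck(entropies: Sequence[float], threshold: float) -> bool:
    """Step 15: only when the last five entropies are all below the
    threshold is the traffic handed to the second-stage model."""
    recent = list(entropies)[-WINDOW:]
    return len(recent) == WINDOW and all(h < threshold for h in recent)


def prefilter(intervals: Sequence[Sequence[QuadI]],
              threshold: float) -> Tuple[List[float], bool]:
    """Steps 12-15 over a run of intervals: per-interval entropies and the
    verdict (True = pass to second stage, False = issue flow table)."""
    entropies = [dst_entropy(q) for q in intervals]
    return entropies, needs_recheck(entropies, threshold)


# Constructed intervals. Normal: 25 packets to each of four destinations.
NORMAL_INTERVAL: List[QuadI] = [
    ("10.1.0.2", "10.1.0.10", 25, "TCP"),
    ("10.1.0.3", "10.1.0.11", 25, "TCP"),
    ("10.1.0.4", "10.1.0.12", 25, "UDP"),
    ("10.1.0.5", "10.1.0.13", 25, "TCP"),
]
# Attack: nine forged sources concentrate 90 of 100 packets on one destination.
ATTACK_INTERVAL: List[QuadI] = [
    (f"10.9.0.{i}", "10.1.0.10", 10, "TCP") for i in range(1, 10)
] + [("10.1.0.4", "10.1.0.12", 5, "UDP"), ("10.1.0.5", "10.1.0.13", 5, "TCP")]

THRESHOLD_BITS = 1.5  # assumed network information entropy threshold

if __name__ == "__main__":
    print("normal:", prefilter([NORMAL_INTERVAL] * WINDOW, THRESHOLD_BITS))
    print("attack:", prefilter([ATTACK_INTERVAL] * WINDOW, THRESHOLD_BITS))
    # Four low intervals followed by a normal one do not trigger the recheck.
    print("mixed: ", prefilter([ATTACK_INTERVAL] * 4 + [NORMAL_INTERVAL],
                               THRESHOLD_BITS))
```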
4. The 5G slice escape attack detection method based on full-flow adaptive detection according to claim 1, wherein the second-stage detection module comprises an eleven-tuple feature extraction module, a detection module based on a long short-term memory network and a self-attention mechanism, and a collaborative detection module, so as to implement intra-slice escape attack detection and inter-slice escape attack detection;
the process for intra-slice escape attack detection comprises: first obtaining the general features, namely the flow features and the switch association features, through the eleven-tuple feature extraction module; taking the flow features and the data packet segments as input of the detection model based on the long short-term memory network and the self-attention mechanism to obtain the probability that the flow is under slice escape attack; processing the switch association features and forming, together with the output probability of the detection model based on the long short-term memory network and the self-attention mechanism, the input of the collaborative detection model, wherein the collaborative detection model corrects the detection result by taking the switch association features into account;
the process for inter-slice escape attack detection comprises: first obtaining the general features, namely the flow features, and the targeted features, namely the inter-slice escape features, through the eleven-tuple feature extraction module; inputting the flow features, the inter-slice escape features and the data packet segments into the detection model based on the long short-term memory network and the self-attention mechanism for detection to obtain the probability that the flow is under slice escape attack; performing format conversion on the switch association features among the eleven-tuple features and taking them, together with the output probability, as input of the collaborative detection model, wherein the collaborative detection model corrects the detection result by taking the switch association features into account.
5. The 5G slice escape attack detection method based on full-flow adaptive detection according to claim 1, wherein the specific process of step 2 is as follows:
step 21: extracting the eleven-tuple features of the data flow received from the first-stage detection module that needs rechecking;
step 22: taking the general features, namely the flow features, the specific features, namely the inter-slice escape features, and the data packet segments as input of the detection model based on the long short-term memory network and the self-attention mechanism;
step 23: detecting with the detection model based on the long short-term memory network and the self-attention mechanism to obtain an output result P, where the value of P is 0 or 1;
step 24: performing format conversion on the four switch association features among the eleven-tuple features and taking them, together with the P obtained in step 23, as input of the collaborative detection model;
step 25: obtaining the final detection result from the collaborative detection model; an output of 1 indicates that a slice escape attack has occurred and the flow enters the exception handling module, while an output of 0 indicates no anomaly and the flow table is issued normally.
6. The 5G slice escape attack detection method based on full-flow adaptive detection according to claim 1, wherein in the input layer of the detection model based on the self-attention mechanism and the long short-term memory network, one or more groups of the extracted eleven-tuple features and the data packet segments are input first and processed by the self-attention mechanism, so that the relative importance of each feature is found and an adaptive weight is assigned to each feature, while unimportant information in the data packet segments is ignored.
7. The 5G slice escape attack detection method based on full-flow adaptive detection according to claim 1, wherein in the hidden layers of the detection model based on the self-attention mechanism and the long short-term memory network, the data processed by the self-attention mechanism is used as input of the long short-term memory network model, which consists of three dense layers and two hidden layers and is built with the Keras Python library; the result P is finally output, where 0 means that no slice escape attack has occurred and 1 means that the flow is a slice escape attack flow.
8. The 5G slice escape attack detection method based on full-flow adaptive detection according to claim 1, wherein the collaborative detection model in step 2 uses the detection model based on the long short-term memory network and the self-attention mechanism.
9. The 5G slice escape attack detection method based on full-flow adaptive detection according to claim 1, wherein the format conversion of the four switch association features among the eleven-tuple features is performed as follows: the switch number in each extracted switch association feature is replaced by the probability that the corresponding switch is experiencing a slice escape attack at that moment.
10. The 5G slice escape attack detection method based on full-flow adaptive detection according to claim 1, wherein the specific process of step 3 is as follows:
step 31: for the final detection result obtained in step 2, if the final detection result is 0, the flow is normal and the flow table is issued;
step 32: if the final detection result obtained in step 2 is 1, the flow is abnormal; issuing of the flow table is stopped, and the source address of the flow is added to the violation count table and its violation count recorded;
step 33: comparing the violation count recorded in step 32 with the violation count threshold; if the violation count of packets sent from the address reaches the threshold, all traffic from the address is blocked, and if it has not reached the threshold, the violating flow is discarded.
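The exception handling module of part (II) and claim 10, as an added illustration that is not the patent's own code: the final detection result and the per-source violation count table follow the page, while the threshold value and the action names are assumptions.

```python
"""Exception handling module (description part (II), claim 10, steps 31-33).

Added illustration, not the patent's code. The violation threshold value and
the action names are assumptions; the decision logic follows the page.
"""
from collections import defaultdict
from typing import Dict, Set

ISSUE = "issue_flow_table"     # step 31: normal flow, flow table issued
DISCARD = "discard_flow"       # step 33: violation recorded, below threshold
BLOCK = "block_source"         # step 33: threshold reached, address shielded


class ExceptionHandler:
    def __init__(self, violation_threshold: int = 3) -> None:
        self.threshold = violation_threshold           # assumed value
        self.violations: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()

    def handle(self, src: str, final_result: int) -> str:
        """Apply steps 31-33 to one flow given its final detection result
        (0 = normal, 1 = slice escape attack) and return the action taken."""
        if src in self.blocked:
            return BLOCK            # all traffic of a shielded address stays blocked
        if final_result == 0:
            return ISSUE            # step 31
        # Step 32: abnormal flow, flow table not issued, violation recorded.
        self.violations[src] += 1
        # Step 33: compare with the threshold.
        if self.violations[src] >= self.threshold:
            self.blocked.add(src)
            return BLOCK
        return DISCARD


if __name__ == "__main__":
    handler = ExceptionHandler(violation_threshold=3)
    # Constructed sequence of final results for one source address.
    for result in (0, 1, 1, 1, 0):
        print("10.9.0.1", result, "->", handler.handle("10.9.0.1", result))
    print("10.1.0.2", 0, "->", handler.handle("10.1.0.2", 0))
```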
CN202310357072.0A 2023-04-06 2023-04-06 5G slice escape attack detection method based on full-flow adaptive detection Active CN116074844B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310357072.0A CN116074844B (en) 2023-04-06 2023-04-06 5G slice escape attack detection method based on full-flow adaptive detection
Publications (2)

Publication Number Publication Date
CN116074844A true CN116074844A (en) 2023-05-05
CN116074844B CN116074844B (en) 2023-06-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant