CN116232777B - DDoS attack detection and defense method based on statistical measure in SDN-IIOT and related equipment - Google Patents

Info

Publication number
CN116232777B
CN116232777B (application CN202310519682.6A)
Authority
CN
China
Prior art keywords
information
attack
flow
data
stream
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310519682.6A
Other languages
Chinese (zh)
Other versions
CN116232777A (en)
Inventor
荆涛
殷文静
周春月
高青鹤
霍炎
乔运华
赵宏军
孙嘉玉
高勃
朱明皓
卢燕飞
王晓轩
王光宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Research Institute of Automation for Machinery Industry Co Ltd
Beijing Jiaotong University
Original Assignee
Beijing Research Institute of Automation for Machinery Industry Co Ltd
Beijing Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Research Institute of Automation for Machinery Industry Co Ltd and Beijing Jiaotong University
Priority to CN202310519682.6A
Publication of CN116232777A
Application granted
Publication of CN116232777B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The disclosure provides a DDoS attack detection and defense method and related equipment based on statistical measurement in SDN-IIOT, comprising: acquiring flow statistical information in a network, calculating an entropy value of the data flow information based on a hash table for each piece of data flow information, and judging whether DDoS attack behaviour exists in the network according to the entropy value; in response to the existence of a DDoS attack, inputting the flow statistical information into a distributed lifting gradient (i.e. distributed gradient boosting) classification model, and outputting the data flow type of each piece of data flow information based on that model; and, in response to the data flow type being attack flow information, analysing the attack flow information to obtain Internet protocol address information, determining the attack equipment corresponding to the attack flow information, and performing defense processing on the attack equipment. The method and device detect attack behaviour accurately while reducing computational complexity, thereby lowering system overhead and protecting the network structure and performance.

Description

DDoS attack detection and defense method based on statistical measure in SDN-IIOT and related equipment
Technical Field
The disclosure relates to the technical field of network security, in particular to a DDoS attack detection and defense method based on statistical measurement in SDN-IIOT and related equipment.
Background
Due to the diversity of production requirements, the rigid network structure of the traditional industrial network and the isolation of information between the industrial control system and the information network hinder the further development of the industrial Internet. To realize intelligent manufacturing, the traditional industrial network needs to be upgraded so that equipment resources can be scheduled dynamically and the network suits the multilayer heterogeneous industrial network. The industrial Internet realizes reliable operation of machines in an intelligent factory by sensing physical resources and monitoring them in real time. To ensure the stability, efficiency and data security of industrial network operation, the security of the industrial Internet is particularly important.
When a DDoS attack occurs, forged source Internet protocol addresses are often used, which makes tracing difficult. Existing tracing algorithms mostly locate the attack source from the anomaly-detection result of a flow index by recording network flow path information, and the storage cost is high because flow information for every path or switch port of the whole network topology must be maintained. Meanwhile, since legitimate flow and attack flow are difficult to separate linearly in a low-dimensional space, most researchers map flow information to a high-dimensional space, analyse flow characteristics and search for a linearly separable plane, which increases system overhead. Finally, for anomaly identification that quantifies the information-distance deviation of network traffic under different probability distributions, most attack-detection techniques rely on observation and experiment to find a suitable static threshold; a static threshold cannot suit network attacks of different intensities, and when network traffic fluctuates, the accuracy of the detection algorithm drops and false positives increase.
In view of this, how to accurately detect and defend attack and reduce computation complexity to reduce system overhead and protect network structure and performance becomes an important research problem.
Disclosure of Invention
Accordingly, an objective of the present disclosure is to provide a DDoS attack detection and defense method based on statistical metrics in SDN-IIOT and related devices for solving or partially solving the above-mentioned problems.
Based on the above objects, a first aspect of the present disclosure provides a DDoS attack detection and defense method based on statistical metrics in SDN-IIOT, the method comprising:
acquiring stream statistics information in a network, wherein the stream statistics information comprises at least one piece of data stream information;
calculating entropy values of the data stream information based on a hash table aiming at each piece of data stream information, and judging whether DDoS attack behaviors exist in the network according to the entropy values;
in response to the DDoS attack behavior in the network, inputting the flow statistical information into a distributed lifting gradient classification model, and outputting the data flow type of each piece of data flow information in the flow statistical information based on the distributed lifting gradient classification model, wherein the distributed lifting gradient classification model is a model for classifying each piece of data flow information in the flow statistical information, which is obtained by training the classification model;
And responding to the data stream type as attack stream information, analyzing the attack stream information to obtain internet protocol address information, determining attack equipment corresponding to the attack stream information according to the internet protocol address information, and defending the attack equipment.
Based on the same inventive concept, a second aspect of the present disclosure provides a DDoS attack detection and defense device based on statistical metrics in SDN-IIOT, including:
an information acquisition module configured to acquire flow statistics in a network, wherein the flow statistics include at least one piece of data flow information;
the entropy rate calculation module is configured to calculate an entropy rate value of the data stream information based on a hash table for each piece of data stream information, and judge whether DDoS attack behaviors exist in the network according to the entropy rate value;
the type judging module is configured to respond to the DDoS attack behavior in the network, input the flow statistical information into a distributed lifting gradient classification model, and output the data flow type of each piece of data flow information in the flow statistical information based on the distributed lifting gradient classification model, wherein the distributed lifting gradient classification model is a model for classifying each piece of data flow information in the flow statistical information, which is obtained by training the classification model;
The defending processing module is configured to respond to the data stream type as attack stream information, analyze the attack stream information to obtain internet protocol address information, determine attack equipment corresponding to the attack stream information according to the internet protocol address information, and defend the attack equipment.
Based on the same inventive concept, a third aspect of the present disclosure proposes an electronic device, including a memory, a processor, and a computer program stored on the memory and executable by the processor, the processor implementing a DDoS attack detection and defense method based on statistical metrics in SDN-IIOT as described above when executing the computer program.
Based on the same inventive concept, a fourth aspect of the present disclosure proposes a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform a DDoS attack detection and defense method based on statistical metrics in SDN-IIOT as described above.
From the above, it can be seen that the present disclosure proposes a DDoS attack detection and defense method based on statistical measure in SDN-IIOT and related equipment, by acquiring flow statistical information in a network, calculating an entropy value of the data flow information based on a hash table for each piece of data flow information, judging whether DDoS attack exists in the network according to the entropy value, performing primary detection on whether attack exists in the network by the entropy value, and then when the entropy is lower than a threshold, judging that flow of suspected attack is detected, thereby triggering warning and improving accuracy of attack detection. And in response to the DDoS attack behavior in the network, inputting the flow statistical information into a distributed lifting gradient classification model, outputting the data flow type of each piece of data flow information in the flow statistical information based on the distributed lifting gradient classification model, carrying out secondary identification on the flow statistical information, and determining the data flow type, so that the attack flow and the bursty flow can be effectively distinguished. And responding to the data stream type as attack stream information, analyzing the attack stream information to obtain internet protocol address information, determining attack equipment corresponding to the attack stream information according to the internet protocol address information, and defending the attack equipment. If the network has attack, the attack equipment is defended, the network attack is further blocked, and the network structure and the performance are protected.
Drawings
In order to more clearly illustrate the technical solutions of the present disclosure or related art, the drawings required for the embodiments or related art description will be briefly described below, and it is apparent that the drawings in the following description are only embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to those of ordinary skill in the art.
Fig. 1 is a flowchart of a DDoS attack detection and defense method based on statistical metrics in SDN-IIOT of an embodiment of the present disclosure;
FIG. 2 is a diagram of an RYU controller architecture employed by embodiments of the present disclosure;
fig. 3 is a schematic diagram of a communication flow between an SDN controller and a switch in an OpenFlow protocol according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of a flow entry structure in an embodiment of the disclosure;
FIG. 5 is a flow chart of an embodiment in another application scenario of the present disclosure;
FIG. 6 is a flow chart of an embodiment in another application scenario of the present disclosure;
FIG. 7 is a flow chart of an embodiment in another application scenario of the present disclosure;
fig. 8 is a block diagram of a DDoS attack detection and defense device based on statistical metrics in SDN-IIOT according to an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
For the purposes of promoting an understanding of the principles and advantages of the disclosure, reference will now be made to the embodiments illustrated in the drawings and specific language will be used to describe the same.
It should be noted that unless otherwise defined, technical or scientific terms used in the embodiments of the present disclosure should be given the ordinary meaning as understood by one of ordinary skill in the art to which the present disclosure pertains. The terms "first," "second," and the like, as used in embodiments of the present disclosure, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
The terms involved in this disclosure are explained as follows:
DDoS attack: a distributed denial of service attack (Distributed Denial of Service, DDoS) refers to multiple attackers at different locations simultaneously launching an attack on one or several targets, or an attacker controlling multiple machines at different locations and utilizing these machines to simultaneously launch an attack on a victim.
IP address: the IP address (Internet Protocol Address, IP) is a uniform address format provided by the IP protocol.
MAC address: a MAC Address (Media Access Control Address, MAC), also called a local area network Address (LAN Address), an Ethernet Address (Ethernet Address) or a Physical Address (Physical Address), is an Address used to confirm the location of a network device.
ARP protocol: the address resolution protocol (Address Resolution Protocol, ARP) is a TCP/IP protocol that obtains a physical address from an IP address.
SDN-IIOT: the software-defined industrial Internet (Software Defined Network-Industrial Internet of Things, SDN-IIOT) applies software-defined networking technology to the industrial Internet architecture, so that the industrial Internet gains the technical advantages of SDN and can achieve seamless integration of industrial data through interconnection and interworking of all industrial systems.
RYU framework: the RYU framework is an open source SDN controller framework written in Python, with complete components such as an OpenFlow protocol handler that processes OpenFlow messages from the switch and updates the switch state accordingly.
OpenFlow protocol: a network communication protocol belonging to the data link layer that can control the forwarding plane of a network switch or router, thereby changing the network path taken by a data packet.
TLS security protocol: the transport layer security protocol (Transport Layer Security, TLS) is a security protocol that aims to provide security and data integrity guarantees for internet communications.
As described in the background art, the industrial Internet is the product of fusing a new generation of information technology, such as the Internet, big data, artificial intelligence, the Internet of things and cloud computing, onto the traditional industrial control system. By applying various information-sensing devices in the manufacturing process to sense and collect data in real time, it achieves precise control of industrial manufacturing, thereby realizing automation and intelligence of industrial manufacturing and greatly improving industrial production efficiency.
Due to the diversity of production requirements, the rigid network structure of the traditional industrial network and the isolation of information between the industrial control system and the information network hinder the further development of the industrial Internet. To realize intelligent manufacturing, the traditional industrial network needs to be upgraded so that equipment resources can be scheduled dynamically and the network suits the multilayer heterogeneous industrial network.
Software-defined based industrial internet architecture is typically composed of a physical infrastructure layer, a control layer, and an application layer. The physical infrastructure layer is composed of various devices, including a sensor platform, a field bus control network, a core network composed of a base station and a switch or a router, and the like, and information such as the working state of the devices, product data and the like can be transmitted among the device nodes in real time. The control layer enables interaction of the application layer and the physical infrastructure layer. The control layer manages and configures the physical equipment through the southbound interface, is responsible for collecting the real-time state and information of the equipment nodes, and adapts different functions according to the requirements of network bandwidth and real-time performance. Meanwhile, through data acquisition, transmission and processing, the control layer can provide information status reports of the industrial system for the application layer through the northbound interface and the API, so that an administrator can be helped to design an application program. The application layer can customize and provide application services according to requirements, such as equipment fault monitoring, equipment utilization monitoring, product processing state monitoring and the like.
Based on the above description, the present embodiment provides a DDoS attack detection and defense method based on statistical metrics in SDN-IIOT, and an RYU framework is adopted, as shown in fig. 1, where the method includes:
Step 101, obtaining stream statistics information in a network, wherein the stream statistics information comprises at least one piece of data stream information.
In specific implementation, the OpenFlow protocol is used to collect flow statistical information in the network, wherein the flow statistical information comprises at least one piece of data flow information. Preferably, the flow statistics in this embodiment are the flow information of the switch directly connected to the host. In this way the flow statistics represent attack-flow characteristics more directly: if an attack occurs, its characteristics are more obvious and the attack flow is easier to detect, judging whether an attack flow exists on the link connected to the switch narrows the tracing range, and the cost is smaller. The flow statistics are acquired so that subsequent steps can examine them to determine whether DDoS attack behaviour exists in the network.
The architecture of the RYU controller in the RYU framework is shown in fig. 2, and the RYU controller performs communication interaction with the application layer through a northbound interface, where the northbound interface refers to that the controller provides network information to an upper layer application program, such as a Web server, and the upper layer application program typically sends a request to the controller through the northbound interface, so as to obtain a network state, perform operations such as network management, and the like. The southbound interface is an interface where the controller communicates and interacts with underlying network devices (e.g., switches, routers, etc.). The controller controls the network equipment by issuing a command through the southbound interface, thereby realizing the dynamic control and management of the network. The southbound interface protocol allows SDN controllers to communicate and interact with different types of network devices, the most commonly used protocol being the OpenFlow protocol.
The communication flow between the SDN controller and the switch in the OpenFlow protocol includes the following steps, as shown in fig. 3:
step A, establishing connection and negotiating protocol version: the controller establishes TCP connection with the switch through the OpenFlow protocol and confirms, and in order to ensure safety, the two parties carry out identity authentication through the TLS safety protocol. After the connection is successfully established, the two parties negotiate the communication protocol version and keep the consistency.
Step B, obtaining switch information: the controller sends an OFPT_FEATURES_REQUEST message to the switch requesting its basic feature information, and the switch packages information such as buffer size, port information and switch ID into an OFPT_FEATURES_REPLY message as its reply.
Step C, the switch processes the data packet: when a data packet arrives at the switch but the switch cannot process it, the packet information and the reason it could not be processed are packaged in a PACKET_IN message and sent up to the controller, and the controller issues a PACKET_OUT message telling the switch the output port on which to forward the packet.
Step D, modifying the flow table entry: the controller issues a flow entry to tell the switch how to forward packets. The switch's forwarding rules are based on the match conditions of flow entries and their corresponding processing operations: the match condition specifies which packets match, and the processing operation specifies the actions the switch performs on a packet that satisfies the match condition. Flow entries can also be added, deleted and modified to change how the switch processes a data flow. The specific structure of a flow entry is shown in fig. 4.
Step 102, calculating an entropy value of the data stream information based on a hash table according to each piece of data stream information, and judging whether a distributed denial of service attack exists in the network according to the entropy value.
In implementation, for each piece of data flow information in the collected flow statistics, the entropy rate is calculated by means of a hash table (namely a HashMap) to obtain the entropy rate value corresponding to each data flow, and whether a distributed denial of service attack exists in the network is judged according to that entropy rate value.
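The entropy check of step 102, as an added illustration that is not code from the patent or from the RYU project: flow records for one sampling window (constructed sample values, shaped like the fields of an OpenFlow flow-stats reply) are reduced with a hash table (a Python dict) to a per-address packet distribution, the Shannon entropy of the source and destination address distributions is computed, and a window whose destination entropy falls below a threshold is flagged as suspected DDoS, matching the patent's "entropy lower than a threshold" rule. The threshold value, the packet-count weighting and the field names are assumptions of this example; the block also drops non-IPv4 entries as step 10A below describes.

```python
import math
from collections import defaultdict

# Constructed flow-statistics records (not from the patent). Each dict mirrors the
# fields a switch returns in an OpenFlow flow-stats reply: the match fields of the
# flow entry plus its packet counter. eth_type 0x0800 is IPv4, 0x0806 is ARP.
NORMAL_WINDOW = [
    {"eth_type": 0x0800, "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.11", "packet_count": 10},
    {"eth_type": 0x0800, "ipv4_src": "10.0.0.2", "ipv4_dst": "10.0.0.12", "packet_count": 10},
    {"eth_type": 0x0800, "ipv4_src": "10.0.0.3", "ipv4_dst": "10.0.0.13", "packet_count": 10},
    {"eth_type": 0x0800, "ipv4_src": "10.0.0.4", "ipv4_dst": "10.0.0.14", "packet_count": 10},
    {"eth_type": 0x0806, "arp_spa": "10.0.0.5", "arp_tpa": "10.0.0.15", "packet_count": 3},
]

# Seven flows with distinct forged-looking sources converge on one victim, plus
# one legitimate flow and one ARP entry. Values are made up for the illustration.
ATTACK_WINDOW = [
    {"eth_type": 0x0800, "ipv4_src": f"198.51.100.{i}", "ipv4_dst": "10.0.0.10", "packet_count": 10}
    for i in range(1, 8)
] + [
    {"eth_type": 0x0800, "ipv4_src": "10.0.0.2", "ipv4_dst": "10.0.0.12", "packet_count": 10},
    {"eth_type": 0x0806, "arp_spa": "10.0.0.5", "arp_tpa": "10.0.0.15", "packet_count": 3},
]

DST_ENTROPY_THRESHOLD = 1.0  # bits; assumed value, to be tuned per network


def ipv4_only(flows):
    """Step 10A: keep IPv4 flow entries only (other protocols carry no ipv4_* fields)."""
    return [f for f in flows if f.get("eth_type") == 0x0800]


def count_by(flows, field):
    """Hash table from address value to the number of packets seen for that address."""
    table = defaultdict(int)
    for f in flows:
        table[f[field]] += f["packet_count"]
    return table


def shannon_entropy(table):
    """Shannon entropy in bits of the distribution held in the hash table."""
    total = sum(table.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in table.values())


def detect(flows, threshold=DST_ENTROPY_THRESHOLD):
    """Entropy-based first-stage check for one sampling window.

    Under a DDoS the destination distribution collapses onto the victim (low
    destination entropy) while forged sources spread the source distribution
    (high source entropy); the patent's trigger is the destination entropy
    dropping below a threshold.
    """
    flows = ipv4_only(flows)
    h_src = shannon_entropy(count_by(flows, "ipv4_src"))
    h_dst = shannon_entropy(count_by(flows, "ipv4_dst"))
    return {
        "src_entropy": round(h_src, 4),
        "dst_entropy": round(h_dst, 4),
        "suspected_ddos": h_dst < threshold,
    }


if __name__ == "__main__":
    print("normal:", detect(NORMAL_WINDOW))
    print("attack:", detect(ATTACK_WINDOW))
```

The normal window yields 2.0 bits for both address distributions, while the attack window drives the destination entropy to about 0.54 bits and raises the source entropy to 3.0 bits. A fixed threshold is the weakness the background section names; a practitioner would track the baseline entropy per window and alert on the deviation from it rather than on a constant.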
Step 103, in response to the existence of a distributed denial of service attack in the network, inputting the flow statistical information into a distributed lifting gradient classification model, and outputting the data flow type of each piece of data flow information in the flow statistical information based on the distributed lifting gradient classification model, wherein the distributed lifting gradient classification model is a model for classifying each piece of data flow information in the flow statistical information, which is obtained by training the classification model.
When a DDoS attack exists in the network, the flow statistical information is input into a distributed lifting gradient (i.e. distributed gradient boosting) classification model, which is obtained by training a classification model to classify each piece of data flow information in the flow statistics. With this scheme, the model can accurately distinguish different data flow types, in particular bursty data flows from attack data flows, and the attack data flows it identifies are then subjected to defense processing in the following step.
Step 104, in response to the data flow type being attack flow information, analysing the attack flow information to obtain Internet protocol address information, determining the attack equipment corresponding to the attack flow information according to the Internet protocol address information, and defending against the attack equipment.
When the data flow type is determined to be attack flow information, the attack flow information is analysed to obtain the IP address information. The attack equipment corresponding to the attack flow information is determined according to that IP address information, and defense processing is performed on the attack equipment. In this way, when an attack flow is detected, the attack equipment is identified and handled defensively, so that the network structure and performance are protected.
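The defense step 104, as an added example that is not code from the patent or from RYU: flows the classifier has labelled as attack flows (constructed records) are parsed for their source IP address and, because step 101 collects statistics from the switch directly connected to the host, are grouped by the datapath ID and ingress port they entered on. The block then emits one drop flow entry per ingress port rather than one per source address, on the assumption, labelled in the comments, that forged source addresses change from packet to packet while the physical port of the attacking device does not. The `dpid` / `in_port` fields, the rule dictionary layout and the timeout value are assumptions of this example; the mapping to a real OpenFlow flow_mod is described in a comment.

```python
from collections import defaultdict

# Constructed records of flows the classifier labelled as attack flows (not from
# the patent). Each carries the datapath id and ingress port of the switch
# directly connected to the sending host, as recorded when the flow statistics
# were collected, plus the parsed IPv4 source and destination addresses.
ATTACK_FLOWS = [
    {"dpid": 1, "in_port": 3, "ipv4_src": "198.51.100.1", "ipv4_dst": "10.0.0.10"},
    {"dpid": 1, "in_port": 3, "ipv4_src": "198.51.100.2", "ipv4_dst": "10.0.0.10"},
    {"dpid": 1, "in_port": 3, "ipv4_src": "198.51.100.3", "ipv4_dst": "10.0.0.10"},
    {"dpid": 2, "in_port": 1, "ipv4_src": "203.0.113.7", "ipv4_dst": "10.0.0.10"},
]


def locate_attack_devices(attack_flows):
    """Map each (dpid, in_port) of the edge switch to the attacking source
    addresses seen on it. Three forged sources on port 3 of switch 1 point at a
    single attacking device behind that port (assumption of this example)."""
    devices = defaultdict(set)
    for f in attack_flows:
        devices[(f["dpid"], f["in_port"])].add(f["ipv4_src"])
    return devices


def build_drop_rules(devices, priority=100, hard_timeout=60):
    """One drop flow entry per attacking (switch, port).

    Blocking per source IP would chase forged addresses; blocking the ingress
    port of the directly connected device stops the attack at its entry point.
    The hard_timeout makes the block expire on its own so a misclassification
    does not cut a device off permanently (value is an assumption).
    """
    rules = []
    for (dpid, port), sources in sorted(devices.items()):
        rules.append({
            "dpid": dpid,
            "match": {"in_port": port, "eth_type": 0x0800},  # IPv4 from that port
            "actions": [],          # an empty action list means drop in OpenFlow
            "priority": priority,   # must outrank the normal forwarding entries
            "hard_timeout": hard_timeout,
            "blocked_sources": sorted(sources),  # kept for the alert / audit log
        })
    return rules


# In a RYU application the rule dict above would become
#   parser.OFPFlowMod(datapath=dp, priority=rule["priority"],
#                     hard_timeout=rule["hard_timeout"],
#                     match=parser.OFPMatch(**rule["match"]), instructions=[])
# sent with dp.send_msg(); that call is not exercised here so the block runs offline.


if __name__ == "__main__":
    for rule in build_drop_rules(locate_attack_devices(ATTACK_FLOWS)):
        print(rule)
```

Grouping by port also gives the alert something actionable for the plant operator: the physical switch port to inspect, instead of a list of addresses that were never real.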
According to the scheme, the flow statistical information in the network is obtained, the entropy value of the data flow information is calculated based on the hash table for each piece of data flow information, whether the distributed denial of service attack behavior exists in the network is judged according to the entropy value, the first detection is carried out on whether the attack behavior exists in the network through the entropy value, and then when the entropy value is lower than the threshold value, the flow of the suspected attack is judged to be detected, so that warning is triggered, and the accuracy of attack behavior detection is improved. And in response to the existence of the distributed denial of service attack behavior in the network, inputting the flow statistical information into a distributed lifting gradient classification model, outputting the data flow type of each piece of data flow information in the flow statistical information based on the distributed lifting gradient classification model, carrying out secondary identification on the flow statistical information, and determining the data flow type, so that the attack flow and the bursty flow can be effectively distinguished. And responding to the data stream type as attack stream information, analyzing the attack stream information to obtain internet protocol address information, determining attack equipment corresponding to the attack stream information according to the internet protocol address information, and defending the attack equipment. If the network has attack, the attack equipment is defended, the network attack is further blocked, and the network structure and the performance are protected.
In some embodiments, before step 102, the method specifically further includes:
and step 10A, carrying out data processing on the stream statistical information.
In particular, there are multiple types of traffic packets in the network; since this embodiment uses the RYU framework, only IPv4 packets are considered. The acquired flow statistics are filtered so that flows other than IPv4 are discarded. In this way, useless information is removed from the original flow statistics and data redundancy is reduced.
In some embodiments, the training process of the distributed lifting gradient classification model in step 103 includes:
obtaining a training data stream, wherein the training data stream type comprises at least one of the following: normal data stream, bursty data stream, and attack data stream.
Extracting flow characteristics of the training data flow, wherein the flow characteristics include at least one of: source IP address entropy, destination IP address entropy, interactive packet count difference, average packet count per data flow, average byte count per packet, and interactive flow ratio. The flow characteristics of the different data flows are as follows:
Source IP address entropy: the attack data flow uses forged IP addresses, so the number of source IP addresses in the network increases and the source IP address entropy rises accordingly.
Destination IP address entropy: when the attack flow targets the victim host, the destination IP addresses show an aggregated distribution, so the destination IP address entropy falls.
Interactive packet count difference: the attack flow receives no reply, so the difference between the packet counts in the two directions is large; the bursty data flow is strongly interactive, so the difference is small.
Average packet count per data flow: when bursty data flows exist, the average access time of normal equipment is relatively long, the data flows last longer, and the average packet count per data flow is larger.
Interactive flow ratio: the attack data flow receives no reply from the target host, whereas the bursty data flow is strongly interactive, so the two differ greatly in the proportion of interactive flows.
And building a characteristic data pool according to the flow characteristics of the training data flow, and training a classification model according to the data of the characteristic data pool to obtain a distributed lifting gradient classification model.
Through the scheme, the classification model is trained through different types of flow characteristics to obtain the distributed lifting gradient classification model, and then the data flow type is output according to the distributed lifting gradient classification model, so that the attack flow and the bursty flow can be effectively distinguished.
In some embodiments, step 101 specifically includes:
Step 1011, obtaining the soft timeout interval of the switch flow table, and sending a request message to the switch at that interval, wherein the request message requests the flow statistical information held in the switch.
In implementation, the soft timeout interval of the switch flow table is obtained, and an OFPFlowStatsRequest message is sent to the switch at that interval, so that the switch, on receiving the message, queries the flow statistical information in its flow table entries.
Step 1012, receiving a response message sent by the switch, and analyzing the response message to obtain flow statistics information contained in the response message.
In implementation, after receiving the request message the switch queries the flow statistical information in its flow table entries, packages it, and sends it. The OFPFlowStatsReply response message containing the flow statistical information is received from the switch and parsed to obtain the flow statistical information it carries.
According to this scheme, sampling at the soft timeout interval of the switch flow table avoids both the reduced detection precision caused by an overly long sampling period and the increased southbound interface communication overhead caused by an overly short one.
In some embodiments, calculating in step 102 the entropy value of each piece of data stream information based on the hash table specifically includes:
Step 1021, analyzing the stream statistical information to obtain the source internet protocol address information of each piece of data stream information in the stream statistical information.
Step 1022, counting the number of occurrences of each piece of source internet protocol address information, and entering the source internet protocol address information and its number of occurrences into the initialized hash table.
Step 1023, calculating a probability distribution of each piece of source internet protocol address information based on the hash table, and calculating the entropy value of each piece of data stream information from the probability distribution.
In implementation, a hash table is initialized, and the stream statistical information is analyzed to obtain the source IP address information of each piece of data stream information, there being at least one source IP address. The number of occurrences of each source IP address is counted, and each source IP address is entered into the initialized hash table as a key with its number of occurrences as the value. The probability distribution corresponding to each source IP address is calculated from the hash table, the shannon entropy is calculated from the probability distribution, and the entropy value of each piece of data stream information is calculated from the shannon entropy.
In statistics, information entropy measures the randomness of a physical system, representing the amount of information obtained by observing a disordered system. The shannon entropy is formulated as:
wherein the symbols denote the shannon entropy, the number of elements n, and the probability distribution corresponding to the source IP address of the i-th data stream.
Calculating the entropy value of each piece of data stream information from the shannon entropy, expressed by the formula:
wherein the symbol denotes the entropy value.
In some embodiments, determining in step 102 whether a distributed denial of service attack exists in the network according to the entropy rate value specifically includes:
Step 1023, obtaining the normal stream entropy rate average value of the network, and calculating the entropy rate information distance of the data stream information from the entropy rate value and the normal stream entropy rate average value.
In implementation, normal traffic is injected into the network in advance and the average normal stream entropy rate in the network is calculated. The normal stream entropy rate average value is obtained, and the entropy rate information distance of the data stream information calculated in the preceding steps is expressed by the formula:
wherein P is the entropy rate information distance, and the remaining symbols denote a preset tolerance factor, the normal stream entropy rate average value, the entropy value, and a preset variance value.
With this scheme, the entropy rate accounts for the conflict between source IP entropy and changes in flow volume; the normal stream entropy rate value is updated continuously during detection, adapting dynamically to network volatility and improving the accuracy of attack behaviour detection.
Step 1024, in response to the entropy rate information distance being less than or equal to a preset distance, determining that a distributed denial of service attack exists in the network.
In implementation, the magnitude relation between the entropy rate information distance and the preset distance is judged, and in response to the entropy rate information distance being less than or equal to the preset distance it is determined that DDoS attack behaviour exists in the network. In this embodiment, the preset distance is preferably 1.
In response to the entropy rate information distance being greater than the preset distance, the network is normal; the entropy rate value is added to the normal entropy rate values and the normal entropy rate average value is updated.
In some embodiments, before step 103, the method specifically further includes:
step 10a, obtaining input device information and input port information of each data stream in the stream statistics information, wherein the input device information comprises an internet protocol address and a physical address of an input device.
When the host accesses the network through the switch, the input device information and the input port information of each data stream in the stream statistics information are obtained, wherein the input device information comprises the IP address and the MAC address of the input device.
Step 10b, a record table of the switch corresponding to the flow statistical information is obtained, and whether the record table contains the input port information is judged.
In implementation, a record table of the switch corresponding to the flow statistical information is obtained, wherein the record table comprises port information, a host IP address and a host MAC address. And inquiring whether the record table contains the input port information corresponding to the flow statistical information.
Step 10c, in response to the record table containing the input port information, storing the input device information of the data streams corresponding to the input port information into the record table, wherein the input port information and the input device information of each data stream are stored at the same position of the record table.
When the record table contains the input port information, the input port is a port of the switch, the input device information of the data stream corresponding to the input port information is stored in the record table, and the input port information and the input device information are correspondingly stored in the record table. And when the record table does not contain the input port information, the input port is not a port of the switch, and the data flow information corresponding to the input port information is not allowed to access the network through the switch.
In some embodiments, step 10c specifically comprises:
step 10c1, determining whether the input port information location stored in the record table contains initial input device information.
Step 10c2, in response to the initial input device information being included, replacing the initial input device information with input device information of a data stream corresponding to the input port information; or, in response to not including the initial input device information, directly storing the input device information of the data stream corresponding to the input port information into the record table.
In specific implementation, whether the initial input device information is contained in the record table at the position corresponding to the input port information is judged. And in response to the inclusion of the initial input device information, performing overlay processing on the initial input device information, namely replacing the initial input device information with the input device information of the data stream corresponding to the input port information, thereby realizing the update of the record table.
In some embodiments, step 103 specifically includes:
Step 1031, for each piece of data stream information in the stream statistical information, extracting the traffic characteristics included in the data stream information.
Step 1032, inputting the flow characteristics into the distributed gradient boosting classification model, and outputting the data stream type of the data stream information based on that model, wherein the data stream type comprises attack flow information and normal flow information.
In implementation, the flow characteristics included in each piece of data stream information in the stream statistical information are extracted, the flow characteristics including: source IP address entropy, destination IP address entropy, interactive data packet quantity difference, average data packet count of a data stream, average byte count per data packet, and interactive stream ratio. The flow characteristics are input into the distributed gradient boosting classification model, and the data stream type of the data stream information is output based on that model.
In some embodiments, in step 104, the analyzing the attack flow information to obtain internet protocol address information, and determining the attack device corresponding to the attack flow information according to the internet protocol address information specifically includes:
step 1041, analyzing the attack flow information to obtain destination internet protocol address information and source internet protocol address information corresponding to the attack flow information.
Step 1042, determining the victim switch corresponding to the attack stream information according to the destination internet protocol address information based on the pre-constructed location information table.
Step 1043, obtaining an attack path of the attack flow information, and determining an attack switch through the attack path and the victim switch.
In implementation, the attack flow information is analyzed to obtain the destination IP address and source IP address corresponding to the attack flow. A pre-constructed location information table is obtained, which contains the switch number, the host IP address and the host MAC address. The victim switch corresponding to the destination IP address of the attack flow is determined from the location information table. The attack path of the attack flow information is then obtained, and the attack switch is determined from the attack path and the victim switch.
Step 1044, collecting the statistical information of at least one data flow contained in the attack switch and the port information of the attack switch, wherein the statistical information of each data flow contains the port number, the number of received data packets and the number of transmitted data packets corresponding to that data flow;
Step 1045, matching the port number with the port information to obtain the statistical information of the data flow corresponding to each port;
Step 1046, calculating an in-out flow ratio for each port from the statistical information, wherein the in-out flow ratio is the ratio of the number of transmitted data packets to the number of received data packets.
In implementation, the statistical information of at least one data flow and the port information of the attack switch are collected, the statistical information containing the port number, the number of received data packets and the number of transmitted data packets of each data flow. The port number is matched against the port information to obtain the statistical information of the data flow corresponding to each port, and the in-out flow ratio of each port is calculated as the ratio of the number of transmitted data packets to the number of received data packets.
Step 1047, extracting a traffic characteristic of the attack flow, where the traffic characteristic of the attack flow includes at least one of the following: destination internet protocol address information entropy and source internet protocol address information entropy;
step 1048, calculating an address entropy ratio according to the destination internet protocol address information entropy and the source internet protocol address information entropy.
In some embodiments, after step 1048 the method further comprises:
Step 104A, performing a weighted operation on the in-out flow ratio of each port together with the address entropy ratio, to obtain at least one operation result;
Step 104B, sorting the at least one operation result, and determining that the port corresponding to the largest operation result is the attack port corresponding to the attack flow information.
In implementation, the address entropy ratio is calculated from the extracted flow characteristics of the attack flow. A weighted calculation is then performed on the in-out flow ratio of each port and the address entropy ratio to obtain at least one operation result. Illustratively, both weights are taken as 0.5, i.e., the operation is formulated as:
wherein S is the operation result, and the other two terms are the address entropy ratio and the in-out flow ratio of the port.
Sorting the at least one operation result, wherein the sorting mode includes at least one of: ascending order or descending order. The port whose operation result is the largest is taken as the attack port corresponding to the attack flow information.
Step 104C, obtaining the record table of the attack switch, and determining the internet protocol address corresponding to the attack port from the record table of the attack switch;
Step 104D, determining the attack device corresponding to the attack flow information according to the internet protocol address corresponding to the attack port.
In implementation, the record table of the attack switch is obtained, and the IP address corresponding to the attack port is looked up in it. Because each host device corresponds to a unique IP address, the attack device corresponding to the attack flow information is determined from the IP address corresponding to the attack port.
In some embodiments, the defence processing of the attack device in step 104 specifically includes:
Step 104a, judging the network attack intensity against a preset network attack threshold.
Step 104b, in response to the network attack intensity being higher than the preset network attack threshold, sending flow table filtering information to the attack switch, redirecting the traffic destined for the victim switch, and sending it to a preset honeypot host; or, in response to the network attack intensity being lower than the preset network attack threshold, sending flow table filtering information to the attack switch.
In implementation, the preset network attack threshold is obtained and the network attack intensity is judged against it. In response to the network attack intensity being higher than the threshold, flow table filtering information is sent to the attack switch, the traffic destined for the victim switch is redirected, and it is sent to a preset honeypot host; or, in response to the network attack intensity being lower than the threshold, flow table filtering information is sent to the attack switch.
In some embodiments, step 104b further comprises:
Step 104c, collecting the attack flow traffic.
When the network attack intensity is higher than the preset network attack threshold, defence processing is applied to the attack device and the victim device, and the attack traffic is collected so that it can be analyzed later and the attack intention understood.
In some embodiments, after step 104 the method further includes: step 105, obtaining a preset detection threshold;
Step 106, in response to the number of consecutive outputs of the distributed gradient boosting classification model in which the data stream type of every piece of data stream information in the stream statistical information is normal flow information exceeding the detection threshold, determining that the network contains no attack flow information and stopping inputting the stream statistical information into the distributed gradient boosting classification model.
In implementation, a detection threshold is preset, 20 for example, and when the data stream type output by the distributed gradient boosting classification model is normal flow more than 20 times in a row, inputting the stream statistical information into the distributed gradient boosting classification model is stopped.
Based on the same inventive concept, an embodiment of the present disclosure in another application scenario is shown in fig. 5, and specifically includes:
step 501, obtaining a soft timeout time interval of a switch flow table, and sending a request message to the switch according to the time interval, wherein the request message is a message for requesting to inquire flow statistical information in the switch; and receiving a response message sent by the switch, and analyzing the response message to acquire stream statistical information contained in the response message.
In implementation, the OpenFlow protocol is used to collect the flow statistical information in the network: the soft timeout interval of the switch flow table is obtained, and an OFPFlowStatsRequest message is sent to the switch at that interval so that the switch, on receiving the message, queries the flow statistical information in its flow table entries. After receiving the request message, the switch queries the flow statistical information in the flow table entries, packages it, and sends it. The OFPFlowStatsReply response message containing the flow statistical information is received from the switch and parsed to obtain the flow statistical information it carries.
And step 502, performing data processing on the stream statistics information.
In implementation, there are multiple types of traffic packets in the network; this embodiment uses the Ryu framework, so only IPv4 packets are considered. The collected flow statistical information is filtered and all non-IPv4 flows are discarded. This removes useless information from the raw stream statistical information and reduces data redundancy.
Step 503, analyzing the flow statistical information to obtain source IP address information of each piece of data flow information in the flow statistical information, and inputting the source IP address information into the initialized hash table.
In implementation, a hash table is initialized, and the stream statistical information is analyzed to obtain the source IP address information of each piece of data stream information, there being at least one source IP address. The number of occurrences of each source IP address is counted, and each source IP address is entered into the initialized hash table as a key with its number of occurrences as the value.
Step 504, calculating the probability distribution of each piece of source internet protocol address information based on the hash table, and calculating the entropy value of each piece of data stream information from the probability distribution.
In implementation, the probability distribution corresponding to each source IP address is calculated from the hash table, the shannon entropy is calculated from the probability distribution, and the entropy value of each piece of data stream information is calculated from the shannon entropy.
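Steps 502 to 504 (and steps 1021 to 1023 earlier), as an added example that is not part of the patent: the IPv4 filter, the hash table of address occurrences, the probability distribution and the shannon entropy. The flow records are constructed dicts carrying the match fields a parsed OFPFlowStatsReply entry exposes (eth_type, ipv4_src, ipv4_dst); the function takes the address field as a parameter so the same code also yields the destination IP address entropy feature.

```python
"""Source/destination IP entropy from OpenFlow flow statistics (added example).

Flow records are constructed dicts with the match fields a parsed
OFPFlowStatsReply entry exposes (eth_type, ipv4_src, ipv4_dst); a real Ryu
controller would build them from the reply body. Assumption: the entropy is
the standard base-2 Shannon entropy.
"""
import math
from collections import Counter

ETH_TYPE_IPV4 = 0x0800  # eth_type of an IPv4 flow entry

# Constructed samples: a normal window with a few repeating hosts, and an
# attack window in which every flow carries a different (forged) source.
SAMPLE_NORMAL = (
    [{"eth_type": ETH_TYPE_IPV4, "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.9"}] * 4
    + [{"eth_type": ETH_TYPE_IPV4, "ipv4_src": "10.0.0.2", "ipv4_dst": "10.0.0.9"}] * 3
    + [{"eth_type": ETH_TYPE_IPV4, "ipv4_src": "10.0.0.3", "ipv4_dst": "10.0.0.8"}]
    + [{"eth_type": 0x0806, "eth_src": "00:00:00:00:00:01"}]  # ARP entry, not IPv4
)
SAMPLE_ATTACK = [
    {"eth_type": ETH_TYPE_IPV4, "ipv4_src": f"10.1.0.{i}", "ipv4_dst": "10.0.0.9"}
    for i in range(1, 9)
]


def filter_ipv4(flow_stats):
    """Step 502: discard every flow entry that is not IPv4."""
    return [f for f in flow_stats if f.get("eth_type") == ETH_TYPE_IPV4]


def address_table(flow_stats, key="ipv4_src"):
    """Step 503: hash table keyed by address, value = number of occurrences."""
    table = Counter()
    for flow in flow_stats:
        table[flow[key]] += 1
    return table


def probability_distribution(table):
    """Step 504, first half: relative frequency of each address."""
    total = sum(table.values())
    return {addr: n / total for addr, n in table.items()}


def shannon_entropy(dist):
    """Step 504, second half: H = -sum(p_i * log2 p_i) over the n addresses."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0.0)


def address_entropy(flow_stats, key="ipv4_src"):
    """Entropy of one address field over a sampling window; 0 when nothing is IPv4."""
    ipv4 = filter_ipv4(flow_stats)
    if not ipv4:
        return 0.0
    return shannon_entropy(probability_distribution(address_table(ipv4, key)))


if __name__ == "__main__":
    for name, window in (("normal", SAMPLE_NORMAL), ("attack", SAMPLE_ATTACK)):
        print(name,
              "src entropy = %.3f" % address_entropy(window),
              "dst entropy = %.3f" % address_entropy(window, "ipv4_dst"))
```

Over the constructed windows the forged sources push the source entropy to its maximum (3 bits for eight distinct addresses) while the single victim drives the destination entropy to zero, which is the pattern the source and destination entropy features are meant to capture.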
Step 505, obtaining a normal stream entropy rate average value of the network, calculating an entropy rate information distance of the data stream information according to the entropy rate value and the normal stream entropy rate average value, and judging the magnitude relation between the entropy rate information distance and a preset distance.
In implementation, normal traffic is injected into the network in advance and the average normal stream entropy rate in the network is calculated. The normal stream entropy rate average value is obtained, and the magnitude relation between the entropy rate information distance and the preset distance is judged from that average value and the entropy rate information distance of the data stream information calculated in the preceding steps.
Step 5061, in response to the entropy rate information distance being less than or equal to a preset distance, determining that a distributed denial of service attack exists in the network.
In implementation, in response to the entropy rate information distance being smaller than or equal to the preset distance, determining that DDoS attack behaviors exist in the network. In this embodiment, the preset distance is preferably 1.
Step 5062, in response to the entropy rate information distance being greater than a preset distance, the network is normal, the entropy rate value is added to the normal entropy rate value, and the normal entropy rate average is updated.
Based on the same inventive concept, an embodiment of the present disclosure in another application scenario is shown in fig. 6, and specifically includes:
step 601, acquiring input device information and input port information of each data stream in the stream statistics information, acquiring a record table of a switch corresponding to the stream statistics information, and judging whether the record table contains the input port information. And responding to the record table containing the input port information, and storing the input device information of the data streams corresponding to the input port information into the record table, wherein the input port information and the input device information of each data stream are stored in the same position of the record table.
When the host accesses the network through the switch, the input device information and the input port information of each data stream in the stream statistics information are obtained, wherein the input device information comprises the IP address and the MAC address of the input device. And acquiring a record table of the switch corresponding to the flow statistical information, wherein the record table comprises port information, a host IP address and a host MAC address, and inquiring whether the record table contains input port information corresponding to the flow statistical information. When the record table contains the input port information, the input port is a port of the switch, input device information of a data stream corresponding to the input port information is stored in the record table, and the input port information and the input device information are correspondingly stored in the record table. And when the record table does not contain the input port information, the input port is not a port of the switch, and the data flow information corresponding to the input port information is not allowed to access the network through the switch.
Step 602, obtaining flow statistics information in a network, wherein the flow statistics information comprises at least one piece of data flow information.
In specific implementation, the OpenFlow protocol is adopted to collect flow statistical information in the network, wherein the flow statistical information comprises at least one piece of data flow information.
Step 603, extracting, for each piece of data flow information in the flow statistics information, a flow characteristic included in the data flow information.
Step 604, inputting the flow characteristics into the distributed gradient boosting classification model, and outputting the data stream type of the data stream information based on that model, wherein the data stream type comprises attack flow information and normal flow information.
In implementation, the flow characteristics included in each piece of data stream information in the stream statistical information are extracted, the flow characteristics including: source IP address entropy, destination IP address entropy, interactive data packet quantity difference, average data packet count of a data stream, average byte count per data packet, and interactive stream ratio. The flow characteristics are input into the distributed gradient boosting classification model, and the data stream type of the data stream information is output based on that model.
Step 605, it is determined whether the data stream type is attack stream information.
Step 6061, in response to the data stream type being attack flow information, analyzing the attack flow information to obtain internet protocol address information, determining the attack device corresponding to the attack flow information according to the internet protocol address information, and performing defence processing on the attack device.
When the data stream type is determined to be the attack stream information, the attack stream information is analyzed to obtain the IP address information. And determining the attack equipment corresponding to the attack flow information according to the IP address information, and performing defense processing on the attack equipment. Through the scheme, when the existence of the attack flow is detected, the attack equipment is determined and defensive processing is carried out, so that the network structure and the performance are protected.
Step 6062, in response to the data stream type not being attack flow information, updating the count of the normal stream type in the counter.
Step 60621, obtaining a preset detection threshold, and in response to the number of consecutive outputs of the distributed gradient boosting classification model in which the data stream type of every piece of data stream information in the stream statistical information is normal flow information exceeding the detection threshold, determining that the network contains no attack flow information and stopping inputting the stream statistical information into the distributed gradient boosting classification model.
In implementation, a detection threshold is preset, 20 for example, and when the data stream type output by the distributed gradient boosting classification model is normal flow more than 20 times in a row, inputting the stream statistical information into the distributed gradient boosting classification model is stopped.
Based on the same inventive concept, an embodiment of the present disclosure in another application scenario is shown in fig. 7, and specifically includes:
Step 701, analyzing the attack flow information to obtain the destination internet protocol address information and source internet protocol address information corresponding to the attack flow information; determining the victim switch corresponding to the attack flow information from the destination internet protocol address information based on a pre-constructed location information table; and obtaining the attack path of the attack flow information and determining the attack switch from the attack path and the victim switch.
In implementation, the attack flow information is analyzed to obtain the destination IP address and source IP address corresponding to the attack flow. A pre-constructed location information table is obtained, which contains the switch number, the host IP address and the host MAC address. The victim switch corresponding to the destination IP address of the attack flow is determined from the location information table. The attack path of the attack flow information is then obtained, and the attack switch is determined from the attack path and the victim switch.
Step 702, collecting statistical information of at least one data flow contained in the attack switch and port information contained in the attack switch, wherein the statistical information of each data flow contains a port number, the number of received data packets and the number of transmitted data packets corresponding to the statistical information of the data flow.
And step 703, matching the port number with the port information to obtain the statistical information of the data flow corresponding to each port.
Step 704, calculating an in-out flow ratio corresponding to each port according to the statistical information, extracting flow characteristics of the attack flow, and calculating an address entropy ratio according to the flow characteristics. Respectively carrying out weighting operation on the access flow ratio corresponding to each port and the address entropy ratio to obtain at least one operation result; and sequencing the at least one operation result, and determining that the port corresponding to the largest operation result is the attack port corresponding to the attack flow information. Acquiring a record table of the attack switch, and determining an Internet protocol address corresponding to the attack port according to the attack port based on the record table of the attack switch; and determining the attack equipment corresponding to the attack flow information according to the Internet protocol address corresponding to the attack port.
In implementation, the statistical information of at least one data flow contained in the attack switch and the port information contained in the attack switch are collected, wherein the statistical information comprises the port number, the number of received data packets and the number of transmitted data packets corresponding to the data flow.
The port number is matched with the port information to obtain the statistical information of the data flow corresponding to each port, and the in-out flow ratio corresponding to each port is calculated, wherein the in-out flow ratio is the ratio of the number of sent data packets to the number of received data packets.
The traffic characteristics of the attack flow include at least one of destination Internet protocol address information entropy and source Internet protocol address information entropy, and the address entropy ratio is calculated from the destination Internet protocol address information entropy and the source Internet protocol address information entropy.
The traffic characteristics of the attack flow are extracted and the address entropy ratio is calculated from them. A weighted calculation is then carried out on the in-out flow ratio corresponding to each port and the address entropy ratio to obtain at least one operation result.
Step 705, judging the network attack intensity according to the preset network attack threshold value.
Step 7061, in response to the network attack intensity being higher than a preset network attack threshold, sending flow table filtering information to the attack switch, redirecting the flow sent to the victim switch, and sending the flow to a preset honeypot host.
Step 7062, in response to the network attack intensity being lower than a preset network attack threshold, sending flow table filtering information to the attack switch.
In a specific implementation, a preset network attack threshold is obtained, and the network attack intensity is judged against that threshold. In response to the network attack intensity being higher than the preset network attack threshold, flow table filtering information is sent to the attack switch, the traffic sent to the victim switch is redirected, and that traffic is sent to a preset honeypot host; or, in response to the network attack intensity being lower than the preset network attack threshold, flow table filtering information is sent to the attack switch.
Step 70611, collecting the attack flow traffic.
When the network attack intensity is higher than the preset network attack threshold, defense processing is applied to the attack device and the victim device, and the attack traffic is collected so that it can be analyzed later and the attack intention understood.
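As an added example (not code from the patent or its applicants), the following Python script walks through steps 702 to 70611 for one attack switch on constructed port statistics, flow entries and a record table: the statistics are matched to the switch's known ports, each port is scored by weighting its in-out flow ratio with the address entropy ratio of the attack flows that entered through it, the highest-scoring port is mapped to a host through the record table, and the attack intensity is compared with the preset threshold to choose between plain flow-table filtering and redirection to the honeypot with traffic capture. The weights, the reading of "sent" as packets the host sends into the switch, the +1 in the entropy ratio's denominator, the use of the attack port's received packet count as the attack intensity, and every address and count are assumptions made for the illustration.

```python
import math
from collections import Counter

# --- Constructed inputs (sample values, not taken from the patent) ---

# Step 702: per-port statistics of the attack switch. "rx" counts packets the
# switch port received from its host, "tx" packets it transmitted to the host.
PORT_STATS = [
    {"port": 1, "rx_packets": 120, "tx_packets": 118},
    {"port": 2, "rx_packets": 9500, "tx_packets": 40},
    {"port": 3, "rx_packets": 300, "tx_packets": 290},
    {"port": 9, "rx_packets": 5, "tx_packets": 5},  # not a port of this switch
]
SWITCH_PORTS = {1, 2, 3}  # port information reported by the attack switch

# Record table of the attack switch: input port -> (IP address, MAC address)
# of the directly connected host (constructed).
RECORD_TABLE = {
    1: ("10.0.0.11", "02:00:00:00:00:11"),
    2: ("10.0.0.12", "02:00:00:00:00:12"),
    3: ("10.0.0.13", "02:00:00:00:00:13"),
}

# Flow entries matching the attack flow information, with the input port each
# entry arrived on: (in_port, src_ip, dst_ip). Port 2 carries spoofed sources.
ATTACK_FLOWS = [
    (1, "10.0.0.11", "10.0.0.50"),
    (2, "198.51.100.7", "10.0.0.50"),
    (2, "198.51.100.8", "10.0.0.50"),
    (2, "198.51.100.9", "10.0.0.50"),
    (2, "198.51.100.10", "10.0.0.50"),
    (3, "10.0.0.13", "10.0.0.50"),
    (3, "10.0.0.13", "10.0.0.51"),
]

HONEYPOT_HOST = "10.0.0.250"   # preset honeypot host (constructed)
ATTACK_THRESHOLD = 5000        # preset network attack threshold (constructed)
W_RATIO, W_ENTROPY = 0.5, 0.5  # weights of the weighting operation (assumed)


def entropy_bits(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def in_out_ratio(stat):
    """Step 704: packets the host sent into the switch over packets it received.
    Assumption: 'sent' is the host's side, so a flooding host scores high."""
    return stat["rx_packets"] / max(stat["tx_packets"], 1)


def address_entropy_ratio(flows):
    """Source-IP entropy over destination-IP entropy of the attack flows seen on
    one port. The page leaves the exact ratio unspecified; the +1 is an
    assumption that keeps a single-destination flood finite."""
    h_src = entropy_bits([f[1] for f in flows])
    h_dst = entropy_bits([f[2] for f in flows])
    return h_src / (h_dst + 1.0)


def port_scores(port_stats=PORT_STATS, switch_ports=SWITCH_PORTS, flows=ATTACK_FLOWS):
    """Steps 703-704: keep statistics that match a known port and weight the two
    metrics into one operation result per port."""
    scores = {}
    for stat in port_stats:
        port = stat["port"]
        if port not in switch_ports:  # step 703: unmatched statistics are dropped
            continue
        port_flows = [f for f in flows if f[0] == port]
        scores[port] = (W_RATIO * in_out_ratio(stat)
                        + W_ENTROPY * address_entropy_ratio(port_flows))
    return scores


def locate_attack_device(port_stats=PORT_STATS, switch_ports=SWITCH_PORTS,
                         flows=ATTACK_FLOWS, record_table=RECORD_TABLE):
    """Step 704: the port with the largest result is the attack port; the record
    table maps it to the IP address of the attacking host."""
    scores = port_scores(port_stats, switch_ports, flows)
    attack_port = max(scores, key=scores.get)
    ip, _mac = record_table[attack_port]
    return attack_port, ip


def defense_plan(attack_port, victim_ip, intensity, threshold=ATTACK_THRESHOLD):
    """Steps 705-70611, expressed as a controller-agnostic flow-table entry.
    `intensity` is the attack port's received packet count (assumption)."""
    match = {"in_port": attack_port, "ipv4_dst": victim_ip}  # filtering entry
    if intensity > threshold:
        # Steps 7061/70611: redirect victim-bound traffic to the honeypot and capture it
        return {"level": "high", "capture_traffic": True,
                "flow_mod": {"match": match, "action": f"output:{HONEYPOT_HOST}"}}
    # Step 7062: filtering only
    return {"level": "low", "capture_traffic": False,
            "flow_mod": {"match": match, "action": "drop"}}


if __name__ == "__main__":
    port, ip = locate_attack_device()
    rx = next(s["rx_packets"] for s in PORT_STATS if s["port"] == port)
    print(f"attack port {port} -> attack device {ip}")
    print(defense_plan(port, "10.0.0.50", rx))
```

Because the entropy ratio is computed per port from the flows that entered through that port, it only adds to the in-out ratio where spoofed sources are actually present; the score of port 2 dominates both because its host sends far more than it receives and because its sources are diverse while its destination is single.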
It should be noted that the method of the embodiments of the present disclosure may be performed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the methods of embodiments of the present disclosure, the devices interacting with each other to accomplish the methods.
It should be noted that the foregoing describes some embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same inventive concept, the present disclosure also provides a DDoS attack detection and defense device based on statistical metrics in SDN-IIOT, corresponding to the method of any embodiment.
Referring to Fig. 8, which shows a DDoS attack detection and defense device based on statistical metrics in SDN-IIOT according to an embodiment, the device includes:
an information acquisition module 801 configured to acquire flow statistics in a network, wherein the flow statistics include at least one piece of data flow information;
an entropy rate calculation module 802 configured to calculate, for each piece of data stream information, an entropy rate value of the data stream information based on a hash table, and determine whether a distributed denial of service attack exists in the network according to the entropy rate value;
a type judging module 803 configured to input the flow statistics information into a distributed lifting gradient classification model in response to the existence of a distributed denial of service attack behavior in the network, and output a data flow type of each piece of data flow information in the flow statistics information based on the distributed lifting gradient classification model, wherein the distributed lifting gradient classification model is a model for classifying each piece of data flow information in the flow statistics information, which is obtained by training the classification model;
the defending processing module 804 is configured to respond to the data stream type as attack stream information, analyze the attack stream information to obtain internet protocol address information, determine attack equipment corresponding to the attack stream information according to the internet protocol address information, and defend the attack equipment.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of the various modules may be implemented in the same one or more pieces of software and/or hardware when implementing the present disclosure.
The device of the foregoing embodiment is configured to implement the DDoS attack detection and defense method based on the statistical measure in the corresponding SDN-IIOT in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein.
Based on the same inventive concept, corresponding to the method of any embodiment, the disclosure further provides an electronic device, including a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the processor implements the DDoS attack detection and defense method based on statistical metrics in any embodiment.
Fig. 9 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, etc., for executing the relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs, and when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The electronic device of the foregoing embodiment is configured to implement the DDoS attack detection and defense method based on the statistical measure in the corresponding SDN-IIOT in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein.
Based on the same inventive concept, corresponding to any of the above embodiment methods, the present disclosure further provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to execute the DDoS attack detection and defense method based on statistical metrics in SDN-IIOT as described in any of the above embodiments.
The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may be used to implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiments are configured to cause the computer to execute the DDoS attack detection and defense method based on the statistical metric in the SDN-IIOT described in any one of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which are not described herein.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the disclosure, including the claims, is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined under the idea of the present disclosure, the steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present disclosure as described above, which are not provided in details for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure the embodiments of the present disclosure. Furthermore, the devices may be shown in block diagram form in order to avoid obscuring the embodiments of the present disclosure, and this also accounts for the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform on which the embodiments of the present disclosure are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The disclosed embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Accordingly, any omissions, modifications, equivalents, improvements, and the like, which are within the spirit and principles of the embodiments of the disclosure, are intended to be included within the scope of the disclosure.

Claims (9)

1. A DDoS attack detection and defense method based on statistical metrics in SDN-IIOT, comprising:
acquiring stream statistical information in a network, wherein the stream statistical information comprises at least one piece of data stream information, the stream statistical information is collected by adopting an OpenFlow protocol, and the stream statistical information is of a switch directly connected with a host;
calculating entropy values of the data stream information based on a hash table aiming at each piece of data stream information, and judging whether DDoS attack behaviors exist in the network according to the entropy values;
in response to the DDoS attack behavior existing in the network, inputting the flow statistical information into a distributed lifting gradient classification model, and outputting a data flow type of each piece of data flow information in the flow statistical information based on the distributed lifting gradient classification model, wherein the distributed lifting gradient classification model is a model for classifying each piece of data flow information in the flow statistical information, which is obtained by training the classification model, and the data flow type comprises at least one of the following: normal data flow, bursty data flow and attack data flow;
responding to the data stream type as attack stream information, analyzing the attack stream information to obtain internet protocol address information, determining attack equipment corresponding to the attack stream information according to the internet protocol address information, and defending the attack equipment;
the training process of the distributed lifting gradient classification model comprises the following steps:
obtaining a training data stream, wherein the training data stream type comprises at least one of the following: normal data flow, bursty data flow and attack data flow;
extracting flow characteristics of the training data stream, wherein the flow characteristics include at least one of: the method comprises the steps of source IP address entropy, destination IP address entropy, interactive data packet quantity difference, average data packet of data flow, average byte number of data packet and interactive flow duty ratio;
establishing a characteristic data pool according to the flow characteristics of the training data flow, and training a classification model according to the data of the characteristic data pool to obtain a distributed lifting gradient classification model;
the analyzing the attack flow information to obtain internet protocol address information, and determining the attack equipment corresponding to the attack flow information according to the internet protocol address information, including:
analyzing the attack flow information to obtain destination Internet protocol address information and source Internet protocol address information corresponding to the attack flow information;
determining a victim switch corresponding to the attack flow information according to the destination internet protocol address information based on a pre-constructed position information table;
acquiring an attack path of attack flow information, and determining an attack switch through the attack path and the victim switch;
the defending processing for the attack equipment comprises the following steps:
judging the network attack intensity according to a preset network attack threshold value;
responding to the network attack intensity being higher than a preset network attack threshold, sending flow table filtering information to the attack switch, redirecting the flow sent to the victim switch, and sending the flow to a preset honeypot host; or,
sending flow table filtering information to the attack switch in response to the network attack intensity being lower than the preset network attack threshold.
2. The method of claim 1, wherein the obtaining the data flow information in the network comprises:
acquiring a soft timeout time interval of a switch flow table, and sending a request message to the switch according to the time interval, wherein the request message is a message for requesting to inquire flow statistical information in the switch;
and receiving a response message sent by the switch, and analyzing the response message to acquire stream statistical information contained in the response message.
3. The method of claim 1, wherein said calculating, for each piece of data stream information, an entropy value for said each piece of data stream information based on a hash table, comprises:
analyzing the stream statistical information to obtain source internet protocol address information of each piece of data stream information in the stream statistical information;
counting the occurrence times of each piece of source internet protocol address information, and inputting the source internet protocol address information and the occurrence times of the source internet protocol address information into an initialized hash table;
and calculating the probability distribution of each piece of source internet protocol address information based on the hash table, and calculating the entropy value of each piece of data stream information according to the probability distribution.
4. A method according to claim 3, wherein said determining whether DDoS attack is present in the network based on the entropy value comprises:
obtaining a normal stream entropy rate average value of the network, and calculating an entropy rate information distance of the data stream information according to the entropy rate value and the normal stream entropy rate average value, wherein the entropy rate information distance is expressed as follows by a formula:
wherein P is the entropy rate information distance, and the remaining terms of the formula are a preset tolerance factor, the average value of the normal stream entropy rate, the entropy value, and a preset variance value;
and responding to the entropy rate information distance being smaller than or equal to a preset distance, wherein DDoS attack behaviors exist in the network.
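As an added example (not code from the patent or its applicants), the Python script below implements the hash-table entropy computation of claim 3 and the entropy-based decision of claim 4 on a constructed window of flow statistics, and also builds the six traffic features that claim 1 lists for training the classifier. The page does not reproduce the distance formula or define the feature formulas, so the Gaussian-kernel distance, the feature definitions (interactive packet difference as the mean absolute difference between a flow and its reverse flow, interactive flow ratio as the share of flows with a reverse flow), the parameter values and all addresses and counts are assumptions made for the illustration.

```python
import math
from collections import defaultdict

# Constructed flow statistics (not from the patent): one entry per flow entry of
# the switch as parsed from a stats reply: (src_ip, dst_ip, packet_count, byte_count).
# The first four entries are two normal bidirectional sessions with 10.0.0.50;
# the last four are one-directional flows from spoofed sources towards 10.0.0.50.
FLOW_STATS = [
    ("10.0.0.11", "10.0.0.50", 40, 24000),
    ("10.0.0.50", "10.0.0.11", 38, 22800),
    ("10.0.0.13", "10.0.0.50", 12, 7200),
    ("10.0.0.50", "10.0.0.13", 12, 7200),
    ("198.51.100.7", "10.0.0.50", 900, 54000),
    ("198.51.100.8", "10.0.0.50", 900, 54000),
    ("198.51.100.9", "10.0.0.50", 900, 54000),
    ("198.51.100.10", "10.0.0.50", 900, 54000),
]

# Parameters named in claim 4 (values constructed for illustration).
NORMAL_ENTROPY_MEAN = 1.0   # average entropy of normal traffic windows
PRESET_VARIANCE = 0.25      # preset variance value
TOLERANCE_FACTOR = 2.0      # preset tolerance factor
PRESET_DISTANCE = 0.5       # distance at or below which an attack is declared

SRC, DST, PACKETS, BYTES = range(4)  # field positions in a flow entry


def count_addresses(flow_stats, field):
    """Claim 3: count how often each address occurs and store address -> count
    in an initialized hash table (a dict)."""
    table = defaultdict(int)
    for entry in flow_stats:
        table[entry[field]] += 1
    return dict(table)


def entropy_from_table(table):
    """Probability distribution from the hash table, then Shannon entropy in bits."""
    total = sum(table.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in table.values())


def source_entropy(flow_stats):
    return entropy_from_table(count_addresses(flow_stats, SRC))


def entropy_distance(entropy, mean=NORMAL_ENTROPY_MEAN,
                     tolerance=TOLERANCE_FACTOR, variance=PRESET_VARIANCE):
    """Entropy rate information distance of claim 4. The patent's formula is not
    reproduced on this page, so this Gaussian kernel is a stand-in ASSUMPTION
    with the stated behaviour: near 1 when the entropy is close to the normal
    mean, shrinking towards 0 as it departs from the mean."""
    return math.exp(-((entropy - mean) ** 2) / (tolerance * variance))


def ddos_suspected(flow_stats, preset_distance=PRESET_DISTANCE):
    """Claim 4: an attack is declared when the distance is at or below the preset value."""
    return entropy_distance(source_entropy(flow_stats)) <= preset_distance


def flow_features(flow_stats):
    """Traffic features listed in claim 1 for one statistics window; the
    definitions are assumptions, since the page names the features only."""
    if not flow_stats:
        raise ValueError("empty statistics window")
    packets = {(e[SRC], e[DST]): e[PACKETS] for e in flow_stats}
    # flows whose reverse direction is also present in the window
    interactive = [k for k in packets if (k[1], k[0]) in packets]
    total_packets = sum(e[PACKETS] for e in flow_stats)
    total_bytes = sum(e[BYTES] for e in flow_stats)
    return {
        "src_ip_entropy": source_entropy(flow_stats),
        "dst_ip_entropy": entropy_from_table(count_addresses(flow_stats, DST)),
        "interactive_packet_diff": (sum(abs(packets[k] - packets[(k[1], k[0])])
                                        for k in interactive) / len(interactive)
                                    if interactive else 0.0),
        "avg_packets_per_flow": total_packets / len(flow_stats),
        "avg_bytes_per_packet": total_bytes / total_packets if total_packets else 0.0,
        "interactive_flow_ratio": len(interactive) / len(flow_stats),
    }


if __name__ == "__main__":
    print("source entropy:", round(source_entropy(FLOW_STATS), 3), "bits")
    print("DDoS suspected:", ddos_suspected(FLOW_STATS))
    print("features:", flow_features(FLOW_STATS))
```

On the constructed window the spoofed sources push the source-IP entropy to 2.75 bits, far from the assumed normal mean of 1.0, so the distance collapses and the window is flagged; the first four entries alone give 1.5 bits and stay above the preset distance. The hash table is the `dict` that maps each address to its count, which is what makes the per-window entropy linear in the number of flow entries.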
5. The method of claim 1, wherein before inputting the flow statistics into a distributed lifting gradient classification model, further comprising:
acquiring input equipment information and input port information of each data stream in the stream statistics information, wherein the input equipment information comprises an internet protocol address and a physical address of an input equipment;
acquiring a record table of the switch corresponding to the flow statistical information, and judging whether the record table contains the input port information or not;
and responding to the record table containing the input port information, and storing the input device information of the data streams corresponding to the input port information into the record table, wherein the input port information and the input device information of each data stream are stored in the same position of the record table.
6. The method according to claim 5, wherein storing the input device information of the data stream corresponding to the input port information in the record table includes:
judging whether the position storing the input port information in the record table contains initial input equipment information or not;
in response to the initial input device information being included, replacing the initial input device information with the input device information of the data stream corresponding to the input port information; or,
in response to the initial input device information not being included, directly storing the input device information of the data stream corresponding to the input port information into the record table.
7. The method of claim 1, wherein said inputting the flow statistics into a distributed lifting gradient classification model, outputting a data flow type for each piece of data flow information in the flow statistics based on the distributed lifting gradient classification model, comprises:
extracting the flow characteristics contained in the data stream information for each piece of data stream information in the stream statistics information;
inputting the flow characteristics into the distributed lifting gradient classification model, and outputting the data flow type of the data flow information based on the distributed lifting gradient classification model, wherein the data flow type comprises attack flow information and normal flow information.
8. The method according to claim 1, wherein the analyzing the attack flow information to obtain internet protocol address information, determining the attack device corresponding to the attack flow information according to the internet protocol address information, includes:
collecting statistical information of at least one data stream contained in the attack switch and port information contained in the attack switch, wherein the statistical information of each data stream contains a port number, the number of received data packets and the number of transmitted data packets corresponding to the statistical information of the data stream;
matching the port number with port information to obtain statistical information of data flow corresponding to each port;
calculating an in-out flow ratio corresponding to each port according to the statistical information, wherein the in-out flow ratio is a ratio of the number of the sent data packets to the number of the received data packets;
extracting traffic characteristics of the attack flow, wherein the traffic characteristics of the attack flow comprise at least one of the following: destination internet protocol address information entropy and source internet protocol address information entropy;
calculating according to the destination internet protocol address information entropy and the source internet protocol address information entropy to obtain an address entropy ratio;
respectively carrying out weighting operation on the access flow ratio corresponding to each port and the address entropy ratio to obtain at least one operation result;
sequencing the at least one operation result, and determining that the port corresponding to the largest operation result is the attack port corresponding to the attack flow information;
acquiring a record table of the attack switch, and determining an Internet protocol address corresponding to the attack port according to the attack port based on the record table of the attack switch;
and determining the attack equipment corresponding to the attack flow information according to the Internet protocol address corresponding to the attack port.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing a DDoS attack detection and defense method based on statistical metrics in an SDN-IIOT as set forth in any one of claims 1 to 8 when the program is executed by the processor.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310519682.6A CN116232777B (en) 2023-05-10 2023-05-10 DDoS attack detection and defense method based on statistical measure in SDN-IIOT and related equipment

Publications (2)

Publication Number Publication Date
CN116232777A CN116232777A (en) 2023-06-06
CN116232777B true CN116232777B (en) 2023-07-18

Family

ID=86570068

Country Status (1)

Country Link
CN (1) CN116232777B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117118738B (en) * 2023-09-22 2024-03-29 北京远禾科技有限公司 DDoS attack risk quantification defense method and system in software defined network

Citations (5)

Publication number Priority date Publication date Assignee Title
CN109194608A (en) * 2018-07-19 2019-01-11 南京邮电大学 A DDoS attack detection method based on flow and flash crowd events
CN112134894A (en) * 2020-09-25 2020-12-25 昆明理工大学 Moving target defense method for DDoS attack
CN114513340A (en) * 2022-01-21 2022-05-17 华中科技大学 Two-stage DDoS attack detection and defense method in software defined network
CN114760087A (en) * 2022-02-21 2022-07-15 北京交通大学 DDoS attack detection method and system in software defined industrial internet
CN116032590A (en) * 2022-12-23 2023-04-28 天翼安全科技有限公司 DDOS attack detection model training method and related device

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US20180152475A1 (en) * 2016-11-30 2018-05-31 Foundation Of Soongsil University-Industry Cooperation Ddos attack detection system based on svm-som combination and method thereof

Non-Patent Citations (1)

Title
安颖; 孙琼; 黄小红. DDoS attack detection system in an OpenFlow-based SDN network environment. 东南大学学报(自然科学版) (Journal of Southeast University, Natural Science Edition). 2017, (S1), full text. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant