KR101772292B1 - Software Defined Network based Network Flooding Attack Detection/Protection Method and System - Google Patents


Info

Publication number
KR101772292B1
Authority
KR
South Korea
Prior art keywords
attack
network
sdn
policy
switches
Prior art date
Application number
KR1020150173129A
Other languages
Korean (ko)
Other versions
KR20170066907A (en
Inventor
김경백
최덕재
Original Assignee
전남대학교산학협력단

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408 detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14 detecting or protecting against malicious traffic; H04L63/00 network architectures or network communication protocols for network security)
    • H04L43/022 Capturing of monitoring data by sampling (under H04L43/02 capturing of monitoring data; H04L43/00 arrangements for monitoring or testing data switching networks)
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/1441 countermeasures against malicious traffic; H04L63/14; H04L63/00)
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

A software defined network (SDN) based network flooding attack detection / prevention method and system are provided. The network flooding attack detection and defense system according to an embodiment of the present invention samples packets flowing through the SDN and detects a network flooding attack from the sampled packets. As a result, monitoring overhead is reduced through selective monitoring of switches based on packet sampling, and because attack detection and attacker detection are implemented in software, the system is easy to extend to various network flooding attacks.

Description

Software Defined Network Based Network Flooding Attack Detection / Protection Method and System

FIELD OF THE INVENTION The present invention relates to software defined networks, and more particularly to a method and system for automatically detecting and defending a flooding attack on this network.

SDN (Software Defined Network) is a network that provides a high level of flexibility by dynamically controlling the configuration and operation of the network through a network controller that uses the open API provided by OpenFlow.

The high flexibility of SDN is expected to solve the high cost and complexity of building a network infrastructure, to shorten the time needed to bring new services to market, and to enable innovative network services, and much research on SDN-based network solutions is under way.

Security is a very important factor in network operation; in particular, Denial of Service (DoS) attacks can impose a serious traffic load on the network.

Typical network-level denial-of-service attacks include TCP SYN flooding attacks, UDP flooding attacks, and ICMP flooding attacks.

A TCP SYN flooding attack exploits the TCP 3-way handshake and the weakness that the receiver must keep half-open connection state, thereby consuming the network and computing resources of the attacked computer.

UDP flooding and ICMP flooding attacks increase the load on the network by generating large quantities of User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) packets, both of which are connectionless services.

DoS attacks can also be fatal in an SDN environment. In SDN, when a switch receives a packet that matches none of its installed rules, the packet is forwarded to the network controller so that the controller can install the handling rule in the switch. Therefore, if a DoS attack using IP spoofing (forging the packet's header information) occurs in the SDN, not only the attacked hosts but also the SDN controller consumes computing resources, which adversely affects the operation of the entire SDN.

To detect DoS attacks in an existing network infrastructure, packets passing through a switch, router or server must be collected and the collected traffic analyzed. Where packet collection is difficult, the service access log is collected on the server side and the DoS attack is inferred from it.

Although this detection can be performed automatically in existing systems, defending against the detected DoS attack is troublesome: the host or switch presumed to generate the attack must be identified with the help of the ISP (Internet Service Provider), and its interface traffic must then be blocked through access control.

In an SDN environment, the network controller can continuously monitor switch state and traffic information through the OpenFlow open API. The collected information can be used to detect DoS attacks and to automatically control access for the network flows associated with the detected DoS attacks.

However, such continuous monitoring consumes the resources of the SDN controller, which may interfere with the operation of the SDN.

SUMMARY OF THE INVENTION The present invention has been made to solve the above problems, and it is an object of the present invention to provide a sampling-based network flooding attack detection / defense method and system that reduces the resource consumption of the SDN controller for monitoring.

According to an aspect of the present invention, there is provided a network flooding attack detection and defense system including: a packet sampler for sampling network flooding attack packets applied to an SDN (Software Defined Network); and an IDS (Intrusion Detection System) for detecting a network flooding attack based on the sampled packets.

The packet sampler may receive packet samples from packet sampling agents installed in the switches constituting the SDN.

Also, the sampling period can be set and adjusted.

The IDS may set a rule for detecting network flooding and generate an attack event based on the collected sample packets.

Also, a network flooding attack detection and defense system according to an embodiment of the present invention includes: a controller for controlling the SDN; and an attack automatic defense unit for applying a policy for automatically blocking a network flooding attack to the SDN through the controller.

The network flooding attack detection and defense system according to an embodiment of the present invention may further include an attack event DB for storing detected attack events, and when the attack automatic defense unit recognizes that a new attack event has been stored in the attack event DB, it may apply a policy that automatically blocks the network flow to the switches of the SDN associated with the attack.

In addition, the attack automatic defense unit may extract parameters necessary for generating a policy in an attack event, analyze the extracted parameters and SDN topology information, and generate a network flow blocking policy for defending the detected attack.

The policy may be applied to select switches to be blocked among the switches constituting the SDN.

Also, the attack automatic defense unit may set the valid period of the policy, and apply the network flow blocking policy to the switches selected by the policy.

According to another aspect of the present invention, there is provided a network flooding attack detection and prevention method comprising the steps of: sampling network flooding attack packets applied to an SDN (Software Defined Network); and detecting a network flooding attack based on the sampled packets.

As described above, according to the embodiments of the present invention, monitoring overhead can be reduced through selective monitoring of switches based on packet sampling, and because attack detection and attacker detection are implemented in software, the system is easy to extend to various network flooding attacks.

In addition, according to the embodiments of the present invention, it is possible to manage and inquire effective attack information using an attack event database, and to enable automatic attack defense using attack defense automatic defense software for software defined networks.

In addition, according to embodiments of the present invention, it is possible to increase the use efficiency of the flow table of the switch according to the application of the selective attack blocking policy, and reduce the influence of IP spoofing using the network policy manager.

FIG. 1 illustrates an SDN-based network flooding attack detection / defense system according to an embodiment of the present invention;
FIG. 2 shows the detailed configuration of the attack defense automatic defense software for SDN; and
FIG. 3 is a flow chart provided to explain the process by which the attack automatic defense software for SDN automatically defends against a detected attack.

Hereinafter, the present invention will be described in detail with reference to the drawings.

FIG. 1 is a diagram illustrating a Software Defined Network (SDN) based network flooding attack detection / defense system according to an embodiment of the present invention.

In order to reduce resource consumption of the SDN controller required for monitoring, the network flooding attack detection / defense system according to the embodiment of the present invention detects a network flooding attack based on sampling. In addition, the network flooding attack detection / defense system according to the embodiment of the present invention has a configuration for automating the detection and defense of a network flooding attack.

Referring to FIG. 1, the network flooding attack detection / defense system according to an exemplary embodiment of the present invention includes a packet sampler 110, a software IDS (Intrusion Detection System) 120, an attack event DB 130, attack defense automatic defense software 140 for SDN, and an SDN controller 150.

For ease of understanding and explanation, FIG. 1 shows the SDN in addition to the network flooding attack detection / defense system according to an embodiment of the present invention. The SDN consists of OpenFlow switches 10 and is operated through the SDN controller 150.

The SDN controller 150 is implemented in software, and the network operator can operate the network using the Web UI or console UI provided by the SDN controller 150.

As described above, the network flooding attack detection / defense system according to the embodiment of the present invention does not monitor all the packets passing through the switch 10, but samples packets according to a given condition.

To this end, a packet sampling agent is selectively installed in the switch 10 to be monitored, and packet samples are transmitted to the packet sampler 110. The sampling period can be set according to need and demand, or it can be set dynamically.

The software IDS 120 analyzes the packet samples collected in the packet sampler 110 to detect whether there is a network flooding attack that exploits TCP SYN, ICMP, or UDP. Specifically, the software IDS 120 sets up a rule for detecting TCP SYN, ICMP, and UDP network flooding, and detects an attack by generating an event message based on the collected packets.
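The sampler / IDS split described above, as an added example that is not code from the patent: a sampling agent forwards one packet in every `period` packets, and the software IDS applies per-protocol rules (SYN without ACK, UDP, ICMP) to the samples, scales the sampled counts back up by the sampling period and raises an attack event once the estimated volume toward one destination crosses a threshold. The `Packet` record, the fixed sampling period, the rule names and the threshold values are assumptions made here; the traffic is constructed inline.

```python
"""Sampling-based flooding detection over constructed packet samples.

Added example, not code from the patent: the Packet record, the fixed
sampling period, the per-protocol rules and the threshold values are all
assumptions made here to illustrate the packet sampler / software IDS split.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    switch: str          # switch whose sampling agent saw the packet
    src_ip: str
    dst_ip: str
    proto: str           # "TCP", "UDP" or "ICMP"
    tcp_flags: str = ""  # "S" = SYN only, "A" = ACK (TCP only)


def sample_packets(packets, period):
    """Packet sampling agent: forward every `period`-th packet to the sampler."""
    return [pkt for i, pkt in enumerate(packets) if i % period == 0]


def rule_for(pkt):
    """IDS rules: which flooding type a packet counts toward, if any."""
    if pkt.proto == "TCP" and pkt.tcp_flags == "S":
        return "TCP_SYN_FLOOD"   # SYN without ACK leaves a half-open connection behind
    if pkt.proto == "UDP":
        return "UDP_FLOOD"
    if pkt.proto == "ICMP":
        return "ICMP_FLOOD"
    return None


def detect_flooding(samples, period, thresholds):
    """Generate attack events from sampled packets.

    Sampled counts are multiplied by the sampling period to estimate the real
    packet volume per (rule, destination) and compared with the rule threshold.
    Each event carries the parameters a blocking policy would later need.
    """
    counts = Counter()
    sources = defaultdict(set)
    switches = defaultdict(set)
    for pkt in samples:
        rule = rule_for(pkt)
        if rule is None:
            continue
        key = (rule, pkt.dst_ip)
        counts[key] += 1
        sources[key].add(pkt.src_ip)
        switches[key].add(pkt.switch)

    events = []
    for (rule, dst_ip), sampled in counts.items():
        estimated = sampled * period
        if estimated >= thresholds[rule]:
            events.append({
                "attack_type": rule,
                "dst_ip": dst_ip,
                "sampled_packets": sampled,
                "estimated_packets": estimated,
                "distinct_sources": len(sources[(rule, dst_ip)]),  # many sources hints at spoofing
                "switches": sorted(switches[(rule, dst_ip)]),
            })
    return events


def constructed_traffic():
    """Constructed sample: normal handshakes and some UDP on s1, then a SYN flood seen on s2."""
    pkts = []
    for i in range(40):                      # 40 normal SYN/ACK pairs from four hosts
        src = f"10.0.0.{11 + i % 4}"
        pkts.append(Packet("s1", src, "10.0.0.5", "TCP", "S"))
        pkts.append(Packet("s1", src, "10.0.0.5", "TCP", "A"))
    for _ in range(20):                      # a little normal UDP traffic
        pkts.append(Packet("s1", "10.0.0.12", "10.0.0.5", "UDP"))
    for i in range(3000):                    # SYN flood with rotating source addresses
        pkts.append(Packet("s2", f"198.51.100.{i % 250}", "10.0.0.5", "TCP", "S"))
    return pkts


THRESHOLDS = {"TCP_SYN_FLOOD": 1000, "UDP_FLOOD": 1000, "ICMP_FLOOD": 1000}
PERIOD = 10   # one packet in ten is forwarded to the packet sampler (assumed)


def run_detection(period=PERIOD, thresholds=THRESHOLDS):
    samples = sample_packets(constructed_traffic(), period)
    return detect_flooding(samples, period, thresholds)


if __name__ == "__main__":
    for ev in run_detection():
        print(ev)
```

With a period of 10 the IDS sees 308 SYN samples toward 10.0.0.5 and estimates about 3080 packets, enough to raise a single `TCP_SYN_FLOOD` event, while the 20 UDP packets stay well below their threshold; setting `period=1` gives the exact count of 3040 and shows the cost the sampling trades away.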

In order to store and manage the information of the detected attack, the attack event DB 130 is operated. The software IDS 120 stores the information of the detected attack in the attack event DB 130, thereby enabling more efficient attack log management and attack countermeasure in the future.

The attack defense automatic defense software 140 for SDN automatically defends against the detected attack. When it recognizes that a new attack event has been stored in the attack event DB 130, it automatically applies, to the switches 10 related to the attack, a flow policy that blocks the related network flow.

For this purpose, the attack defense automatic defense software 140 for SDN utilizes the service and application interface provided by the SDN controller 150. The detailed configuration of the attack defense automatic defense software 140 for SDN is shown in FIG.

Referring to FIG. 2, the attack defense automatic defense software 140 for SDN includes a network flow policy generator 141, an SDN topology manager 142, a network flow policy manager 143, a sampling agent manager 144, an attack event DB connection manager 145, an SDN controller connection manager 146, and a user interface 147.

The attack event DB connection manager 145 obtains newly detected attack information from the attack event DB 130 and manages the connection used to read newly stored attack events from the attack event DB 130.

The SDN controller connection manager 146 manages the connections needed to obtain or transfer topology information and policy information from the SDN controller 150.

The SDN topology manager 142 collects the information of the OpenFlow switches 10 and the user hosts from the SDN controller 150 and generates / manages topology information for the entire SDN.

When a new attack is detected, the network flow policy generator 141 analyzes the SDN topology information and the attack event information and creates a network flow blocking policy for defending against the attack.

The policy generated by the network flow policy generator 141 is not applied to all network switches 10; based on the network topology information, it selectively blocks only at the switches 10 best placed to block the attack.

The network flow policy manager 143 manages the network flow policies created for blocking the attack. In particular, the validity period of the network flow policy and the switch information to which the policy is applied are managed.

Also, to reduce the influence of IP spoofing, the network flow policy manager 143 defines the home network domain managed by the SDN controller 150 and manages network policies for the case where packets generated inside that domain carry a forged source IP.

The sampling agent manager 144 manages the operation of selecting a network switch 10 to perform attack detection and defense and installing a packet sampling agent in the selected network switch 10.

The user interface 147 is a means for performing environment setting, inquiry, and the like of the attack defense automatic defense software 140 for SDN.

FIG. 3 is a flowchart provided for explaining a process performed by the SDN attack automatic defense software 140 to automatically defend the detected attack.

Referring to FIG. 3, the attack event DB connection manager 145 of the SDN attack automatic defense software 140 periodically checks the attack event DB 130 to determine whether a new attack event has occurred (S210).

If it is determined in step S210 that a new attack event has occurred (S220-Y), the network flow policy generator 141 extracts from the attack event information the parameters, such as MAC addresses, IP addresses and port numbers, needed to establish a network policy (S230).

Then, the network flow policy generator 141 analyzes the parameters extracted in step S230 and the SDN topology information, and creates a network flow blocking policy for defending the detected attack (S240).

After generating the blocking policy, the network flow policy generator 141 selects the switches 10 to which the blocking policy is to be applied (S250). The selection in step S250 is made with reference to the SDN topology information generated / managed by the SDN topology manager 142.

Then, the network flow policy manager 143 sets the valid period of the blocking policy (S260), and applies the network flow blocking policy to the switches selected in operation S250 (S270).
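The whole S210 to S270 loop, together with the home-domain spoofing handling of the network flow policy manager described earlier, as an added example that is not the patent's code: a polled event store stands in for the attack event DB 130, a host attachment table stands in for the topology manager's data, the policy generator turns the extracted MAC / IP / port parameters into an OpenFlow-1.3-style match with a validity period, and switch selection blocks at the edge switch of a genuine home host or, for external or forged sources, at the switch whose sampling agent observed the flood. The `AttackEvent` record, the IP-to-MAC binding check used to decide that a home-domain source is forged, the field names and the constructed topology and events are all assumptions made here.

```python
"""Automatic defense loop of FIG. 3 (S210 to S270) run over constructed events.

Added example, not the patent's code: the AttackEvent record, the host
attachment table, the IP/MAC binding check for the home domain and the
OpenFlow-1.3-style policy dictionary are all assumptions made here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackEvent:
    event_id: int
    attack_type: str       # as produced by the software IDS
    observed_switch: str   # switch whose sampling agent saw the packets
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


class AttackEventDB:
    """Stand-in for attack event DB 130: append-only store with a read cursor."""
    def __init__(self):
        self._events, self._cursor = [], 0

    def store(self, event):
        self._events.append(event)

    def fetch_new(self):   # S210/S220: events stored since the previous poll
        new, self._cursor = self._events[self._cursor:], len(self._events)
        return new


class Topology:
    """Host attachment table: host IP -> (MAC learned for it, edge switch)."""
    def __init__(self, attachments):
        self.attachments = attachments

    def host(self, ip):
        return self.attachments.get(ip)


class NetworkFlowPolicyManager:
    def __init__(self, home_domain, valid_seconds):
        self.home = ipaddress.ip_network(home_domain)  # domain managed by the controller
        self.valid_seconds = valid_seconds              # S260: validity period of a policy
        self.applied = {}                               # switch -> installed policies

    def is_spoofed(self, ev, topo):
        """A home-domain source IP that is unknown, or whose MAC differs from the
        MAC learned for that host, is treated as forged (assumed check)."""
        if ipaddress.ip_address(ev.src_ip) not in self.home:
            return False
        known = topo.host(ev.src_ip)
        return known is None or known[0] != ev.src_mac

    def generate_policy(self, ev, spoofed):   # S230 (parameters) + S240 (policy)
        match = {"eth_type": 0x0800, "ipv4_dst": ev.dst_ip}
        if spoofed:
            match["eth_src"] = ev.src_mac     # the IP is forged, so match the frame source
        else:
            match["ipv4_src"] = ev.src_ip
        if ev.attack_type == "TCP_SYN_FLOOD":
            match.update(ip_proto=6, tcp_dst=ev.dst_port)
        elif ev.attack_type == "UDP_FLOOD":
            match.update(ip_proto=17, udp_dst=ev.dst_port)
        elif ev.attack_type == "ICMP_FLOOD":
            match["ip_proto"] = 1
        # An OpenFlow flow entry with an empty action list drops matching packets.
        return {"event_id": ev.event_id, "match": match, "actions": [],
                "hard_timeout": self.valid_seconds, "spoofed": spoofed}

    def select_switches(self, ev, topo, spoofed):   # S250
        """Block as close to the source as the topology allows: the edge switch
        of a genuine home host, otherwise the switch where the flood was seen."""
        known = topo.host(ev.src_ip)
        if known and not spoofed:
            return [known[1]]
        return [ev.observed_switch]

    def apply(self, policy, switches):   # S270
        for sw in switches:
            self.applied.setdefault(sw, []).append(policy)


def defense_cycle(db, topo, manager):
    """One pass of the FIG. 3 loop; returns the (switch, policy) pairs installed."""
    installed = []
    for ev in db.fetch_new():
        spoofed = manager.is_spoofed(ev, topo)
        policy = manager.generate_policy(ev, spoofed)
        switches = manager.select_switches(ev, topo, spoofed)
        manager.apply(policy, switches)
        installed.extend((sw, policy) for sw in switches)
    return installed


def constructed_scenario():
    """Constructed data: s1 and s3 are edge switches, s2 is the core switch carrying
    the sampling agent; three events cover a genuine, a forged and an external source."""
    topo = Topology({
        "10.0.0.5":  ("02:00:00:00:00:05", "s1"),
        "10.0.0.11": ("02:00:00:00:00:11", "s1"),
        "10.0.0.20": ("02:00:00:00:00:20", "s3"),
    })
    db = AttackEventDB()
    db.store(AttackEvent(1, "TCP_SYN_FLOOD", "s2", "02:00:00:00:00:20", "10.0.0.20", "10.0.0.5", 80))
    db.store(AttackEvent(2, "UDP_FLOOD", "s2", "02:00:00:00:00:99", "10.0.0.11", "10.0.0.5", 53))
    db.store(AttackEvent(3, "ICMP_FLOOD", "s2", "02:00:00:00:00:77", "198.51.100.7", "10.0.0.5", 0))
    return db, topo, NetworkFlowPolicyManager("10.0.0.0/24", valid_seconds=300)
```

Running `defense_cycle(*constructed_scenario())` installs one policy on s3 (the real attachment switch of 10.0.0.20, matched on its source IP) and two on s2: the forged 10.0.0.11 event is matched on the frame's source MAC rather than the spoofed IP, and the external source is blocked where it entered. Every policy carries `hard_timeout` so the flow table entry expires on its own, which is what keeps selective blocking from filling the switch flow tables with stale rules.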

So far, a preferred embodiment of the SDN-based network flooding attack detection / prevention method and system has been described in detail.

According to the SDN-based network flooding attack detection / defense method and system of the embodiment of the present invention, monitoring overhead can be reduced through selective switch monitoring based on packet sampling, and because attack detection is implemented in software, extension to various network flooding attacks is easy.

In addition, effective attack information management and inquiry using the attack event DB 130 can be performed, and automatic attack defense using the attack automatic defense software for SDN is possible.

Furthermore, according to the selective attack blocking policy of the switch, the use efficiency of the flow table of the switch is high, and the influence of IP spoofing can be reduced by using the network flow policy manager.

The SDN-based network flooding attack detection / defense method and system according to an embodiment of the present invention can be utilized in a cloud data center or the like, and can be utilized for an Internet service, a communication service, and the like.

A simple but high-impact attack such as a network flooding attack in the SDN is one of the problems that must be solved to make use of the network. The SDN-based network flooding attack detection / defense method and system is a technology that automatically detects and defends against flooding, and it can be used in software firewall products for local networks and in the cloud.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, the invention is not limited to the disclosed exemplary embodiments; it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the present invention.

110: packet sampler
120: Software Intrusion Detection System (IDS)
130: Attack event DB
140: Attack automatic defense software for SDN
150: SDN controller

Claims (10)

1. A network flooding attack detection and defense system comprising:
a packet sampler for sampling and collecting network flooding attack packets applied to a plurality of switches constituting a Software Defined Network (SDN);
an IDS (Intrusion Detection System) for detecting network flooding attacks by analyzing the sample packets collected from the plurality of switches;
an attack event DB storing detected attack events;
a controller for controlling the SDN; and
an attack automatic defense unit for applying a policy for automatically blocking a network flooding attack to the SDN through the controller,
wherein the attack automatic defense unit:
when it recognizes that an attack event has been stored in the attack event DB, applies a policy for automatically blocking the network flow to the switches of the SDN related to the attack, and
extracts the parameters needed to create the policy from the attack event, analyzes the extracted parameters and the SDN topology information, creates a network flow blocking policy for defending against the detected attack, and selects the switches to which the blocking policy applies.
2. The system according to claim 1, wherein the packet sampler receives packet samples from packet sampling agents installed in the switches constituting the SDN.
3. The system according to claim 2, wherein the sampling period is configurable and adjustable.
4. to 7. (deleted)
8. The system according to claim 1, wherein the policy blocks packets related to the attack event and is selectively applied to the switches related to the attack among the switches constituting the SDN.
9. The system according to claim 8, wherein the attack automatic defense unit sets a valid period of the policy and applies the network flow blocking policy to the switches selected by the policy.
10. A network flooding attack detection and defense method comprising:
sampling and collecting network flooding attack packets applied to a plurality of switches constituting an SDN (Software Defined Network);
analyzing the sample packets collected from the plurality of switches to detect a network flooding attack;
storing the detected attack event; and
applying a policy for automatically blocking a network flooding attack to the SDN through a controller controlling the SDN,
wherein the applying step comprises: when the attack event is recognized, automatically applying a policy that blocks the network flow to the switches of the SDN related to the attack, wherein the parameters necessary for generating the policy are extracted from the attack event, the extracted parameters and the SDN topology information are analyzed to generate a network flow blocking policy for defending against the detected attack, and the switches related to the blocking policy are selected.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150173129A KR101772292B1 (en) 2015-12-07 2015-12-07 Software Defined Network based Network Flooding Attack Detection/Protection Method and System

Publications (2)

Publication Number Publication Date
KR20170066907A KR20170066907A (en) 2017-06-15
KR101772292B1 true KR101772292B1 (en) 2017-08-29

Family

ID=59217752

Country Status (1)

Country Link
KR (1) KR101772292B1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102024267B1 (en) * 2017-09-11 2019-09-23 숭실대학교산학협력단 Elastic intrusion detection system and method for managing the same
KR102006553B1 (en) * 2017-11-01 2019-08-01 숭실대학교산학협력단 Forensic server and Method for identifying the cause of attack on software defined network

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015024528A1 (en) * 2013-08-23 2015-02-26 Hangzhou H3C Technologies Co., Ltd. Calculating spanning tree

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Rui Wang et al., "An Entropy-Based Distributed DDoS Detection Mechanism in Software-Defined Networking", 2015 IEEE (2015.08.20-22.)

Also Published As

Publication number Publication date
KR20170066907A (en) 2017-06-15

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant