WO2021088372A1 - Neural network-based DDoS detection method and system in SDN network - Google Patents

Neural network-based DDoS detection method and system in SDN network

Info

Publication number
WO2021088372A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
packet
neural network
probability
data
Prior art date
Application number
PCT/CN2020/096278
Other languages
French (fr)
Chinese (zh)
Inventor
尚凤军
熊雄
罗雪兰
Original Assignee
重庆邮电大学 (Chongqing University of Posts and Telecommunications)
Priority date
Filing date
Publication date
Application filed by 重庆邮电大学 (Chongqing University of Posts and Telecommunications)
Publication of WO2021088372A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Definitions

  • The invention relates to the technical field of network security, in particular to a DDoS detection method and system based on a neural network in an SDN network.
  • DDoS attackers first scan the network for hosts with protocol vulnerabilities or other weaknesses, then use those weaknesses to take control of a large number of hosts and have them send requests to the target simultaneously, exhausting the target's system resources so that it can no longer provide service to legitimate users.
  • The two types of DDoS attack (bandwidth consumption and resource consumption) may occur separately or at the same time.
  • Common DDoS attacks include the TCP SYN flood, ACK flood, ICMP flood and UDP flood.
  • In the 2016 outage in the United States, attackers used a botnet of compromised devices (the Mirai botnet) to launch a large-scale DDoS attack that took down the servers of the DNS provider Dyn, so that legitimate requests could no longer be served.
  • DDoS attacks are becoming more and more frequent; according to statistics of the National Internet Emergency Center (CNCERT), the proportion of attacks using TCP, UDP and ICMP has increased significantly. Whether because of limitations of the current network or because of financial motives, many factors have intensified DDoS attacks.
  • To solve the problem fundamentally, new network architectures and network protocols need to be adopted.
  • The second prior-art approach modifies the OpenFlow switch to perform DDoS detection at the traffic ingress. This does handle DDoS traffic in the most timely way, but it greatly increases cost and violates the principle of decoupling the control and forwarding planes.
  • Other approaches apply the principle of intrusion detection and run machine learning algorithms directly on the traffic; when no DDoS attack is in progress, running such complex, load-increasing detection continuously greatly reduces network utilization.
  • The present invention therefore proposes a neural network-based DDoS detection method and system in an SDN network.
  • the method includes:
  • A naive Bayes probability model is used to obtain the abnormal alarm threshold, the probability of the type of each data packet is calculated, and an abnormal alarm is issued according to that probability;
  • Incremental learning is performed on the constructed multi-dimensional feature vector group, and spatial mapping through principal component analysis forms a new feature vector;
  • The new feature vector is used as the input for training the deep neural network;
  • Obtaining the abnormal alarm threshold with the naive Bayes probability model includes setting a suspicious-flow threshold and an abnormal-flow threshold and judging whether the probability computed for the packet's type exceeds the suspicious-flow threshold; if it does, the packet is a suspicious packet, and it is further judged whether the probability exceeds the abnormal-flow threshold; if it does, the packet is an abnormal packet. Suspicious and abnormal packets both proceed to the second detection stage.
  • After the Bayesian probability has been calculated, the optimal suspicious-flow threshold and abnormal-flow threshold are selected by setting several pairs of thresholds and comparing the classification accuracy obtained with each pair.
  • Incremental learning of the constructed multi-dimensional feature vector group uses the following notation:
  • $D$ is the preprocessed multidimensional feature matrix;
  • $m$ is the number of samples;
  • $X_i$ is the vector representation of the $i$-th sample.
  • The new feature vector is used as the input of the deep neural network.
  • The trained deep neural network is composed of an input layer, a hidden layer and an output layer.
  • Training the deep neural network comprises forward propagation of the signal, i.e. propagation from the input layer through the hidden layer to the output layer, and back propagation of the error, which adjusts the weights and biases from the output layer back to the hidden layer and finally to the input layer;
  • In forward propagation a neuron receives input signals from $n$ other neurons over weighted connections; the total input it receives is compared with the neuron's threshold and then passed through the activation function to produce the neuron's output;
  • Back propagation iterates in reverse with the sum of squared errors as the objective function; the parameters are computed by gradient descent, i.e. the gradient of every parameter is calculated; when the global error is below the threshold, training ends, otherwise iterative training continues.
  • The present invention also proposes a neural network-based DDoS detection system in an SDN network, which includes a packet_in information extraction module, an abnormal warning module, a flow table information collection module, an information processing module and a detection module, in which:
  • the packet_in information extraction module extracts the source IP address and destination IP address from the packet_in message;
  • the abnormal warning module applies the three-way decision principle: it uses the naive Bayes probability model to obtain the abnormal alarm threshold and issues an abnormal warning when the calculated probability that the packet is of the normal type is lower than the threshold;
  • the flow table information collection module collects the OpenFlow flow table data required for DDoS detection;
  • the information processing module standardizes, normalizes and reduces the dimensionality of the collected OpenFlow flow table data;
  • the detection module, based on the deep neural network, performs further in-depth detection with the neural network after an abnormal alarm has been issued in the first detection stage, in order to analyse which type of attack has occurred.
  • The present invention takes three-way decisions as its theoretical basis and combines them with Bayesian probability calculation to estimate the abnormal threshold.
  • Abnormal information in the network can thus be judged quickly and a warning issued without placing too much load on the network.
  • The new feature vector group formed after incremental learning is the input of the DNN detection method, which further determines whether DDoS has occurred.
  • Fig. 1 is a flow chart of the neural network-based DDoS detection method in the SDN network of the present invention;
  • Fig. 2 is a schematic diagram of the framework of the neural network-based DDoS detection system in the SDN network of the present invention;
  • Fig. 3 shows the process by which principal component analysis performs spatial mapping to form a new feature vector in an embodiment of the present invention;
  • Fig. 4 is a working flow chart of the deep neural network-based detection module of the neural network-based DDoS detection system in the SDN network of the present invention;
  • Fig. 5 is a schematic diagram of the forward propagation process of the neural network in the deep neural network-based detection module of the present invention;
  • Fig. 6 is a schematic diagram of the information interaction between the switch and the controller in the neural network-based DDoS detection system in the SDN network of the present invention.
  • The present invention proposes a neural network-based DDoS detection method for SDN which, as shown in Figure 1, includes the following steps:
  • a naive Bayes probability model is used to obtain the abnormal alarm threshold, the probability of the type of each data packet is calculated, and an abnormal alarm is issued according to that probability;
  • incremental learning is performed on the constructed multi-dimensional feature vector group, and spatial mapping through principal component analysis forms a new feature vector;
  • the new feature vector is used as the input for training, which yields the deep neural network.
  • Forwarding of data packets in the SDN network is governed by the flow table that the OpenFlow controller, using its view of the entire network, installs on the OpenFlow switch.
  • A packet that matches no flow entry is encapsulated by the OpenFlow switch into a packet_in message and sent to the controller, so when a DDoS attack occurs the controller receives a large number of packet_in messages.
  • The information interaction between the host or server, the OpenFlow switch and the SDN controller is shown in Figure 2.
  • The host sends data into the SDN network.
  • If the packet matches a flow entry, the instruction set of the matching entry is executed.
  • Otherwise the OpenFlow switch encapsulates the data packet into a packet_in message and transmits it to the controller through the secure channel between the SDN controller and the OpenFlow switch.
  • The controller processes, analyses and detects the received packet_in messages (this is the detection part described in this document).
  • When a DDoS attack is detected, the SDN controller sends a packet_out message or a flow table entry to the OpenFlow switch so that the attack traffic is cleaned.
  • The packet_in message carries at least the source IP address and the destination IP address, which can be used to determine abnormalities. Collecting and analysing the packet_in messages sent by the OpenFlow switch to the OpenFlow controller includes:
  • a handler that processes the Packet_in message, where sw represents the switch, msg the message from the switch and cntx the controller context;
  • a step that stores the type of the packet carried in the packet_in message:
  • this step determines whether the packet_in message carries a unicast, multicast or broadcast Ethernet frame and extracts the information from the data link layer up to the transport layer;
  • a statistical step that counts the packet_in messages per protocol (for example the number of UDP packet_in messages):
  • this step counts the number of packet_in messages received.
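The packet_in handling just described (and the extraction module's methods described again in the system embodiment below) is implemented by the patent inside the Floodlight controller, whose Java listing is not reproduced on this page. The following is an added, stand-alone Python example, not the patent's code: it parses the Ethernet/IPv4/TCP/UDP/ICMP headers of the frame carried in a packet_in, classifies the frame as unicast, multicast or broadcast, and keeps the per-protocol and per-destination packet_in counts the first detection stage needs. The frames it runs on are constructed inline with `build_frame`; the addresses and ports in them are assumptions for the example.

```python
import struct
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_packet_in(frame):
    """Extract the L2-L4 fields from the Ethernet frame carried in a packet_in.

    Returns a dict with the frame kind (unicast/multicast/broadcast), MACs,
    EtherType and, for IPv4, the IPs, protocol and transport-layer ports.
    """
    if len(frame) < 14:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if dst_mac == b"\xff" * 6:
        kind = "broadcast"
    elif dst_mac[0] & 1:              # group bit set in the first octet
        kind = "multicast"
    else:
        kind = "unicast"
    rec = {"kind": kind, "src_mac": fmt_mac(src_mac),
           "dst_mac": fmt_mac(dst_mac), "ethertype": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:   # only IPv4 is parsed further
        return rec
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    rec["proto"] = frame[23]
    rec["src_ip"] = ".".join(str(b) for b in frame[26:30])
    rec["dst_ip"] = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if rec["proto"] in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with src/dst port
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    return rec


class PacketInCounter:
    """Counts packet_in messages per transport protocol and per destination IP."""

    def __init__(self):
        self.total = 0
        self.by_proto = Counter()
        self.by_dst = Counter()

    def observe(self, frame):
        rec = parse_packet_in(frame)
        self.total += 1
        if rec and "proto" in rec:
            self.by_proto[PROTO_NAMES.get(rec["proto"], str(rec["proto"]))] += 1
            self.by_dst[rec["dst_ip"]] += 1
        return rec


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport=0, dport=0):
    """Build a constructed Ethernet/IPv4 frame (UDP, TCP SYN or ICMP echo) for testing."""
    payload = b"\x00" * 8
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    elif proto == 6:   # TCP header: seq/ack 0, data offset 5, SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    else:              # ICMP echo request
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + l4


def sample_frames():
    """Constructed packet_in payloads: two DNS queries and one broadcast UDP packet,
    one TCP SYN and one ICMP echo; four of the five are addressed to 10.0.0.9."""
    srv = "10.0.0.9"
    return [
        build_frame("02:00:00:00:00:01", "02:00:00:00:00:09", "10.0.0.1", srv, 17, 40000, 53),
        build_frame("02:00:00:00:00:02", "02:00:00:00:00:09", "10.0.0.2", srv, 17, 40001, 53),
        build_frame("02:00:00:00:00:03", "ff:ff:ff:ff:ff:ff", "10.0.0.3", "10.0.0.255", 17, 68, 67),
        build_frame("02:00:00:00:00:04", "02:00:00:00:00:09", "10.0.0.4", srv, 6, 50000, 80),
        build_frame("02:00:00:00:00:05", "02:00:00:00:00:09", "10.0.0.5", srv, 1),
    ]


if __name__ == "__main__":
    counter = PacketInCounter()
    for f in sample_frames():
        print(counter.observe(f))
    print(counter.total, dict(counter.by_proto), dict(counter.by_dst))
```

In a controller the `observe` call would sit in the packet_in listener; the per-protocol and per-destination counters over one sampling window are exactly the quantities the Bayesian pre-detection stage consumes.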
  • Obtaining the abnormal alarm threshold with the naive Bayes probability model includes setting a suspicious-flow threshold and an abnormal-flow threshold and comparing the probability computed for each packet's type against them: a packet whose probability passes the suspicious-flow threshold is a suspicious packet, and one whose probability also passes the abnormal-flow threshold is an abnormal packet; suspicious and abnormal packets both proceed to the second detection stage.
  • The optimal suspicious-flow threshold and abnormal-flow threshold are selected by setting several pairs of thresholds and comparing the classification accuracy obtained with each pair.
  • The state set $\{T, \lnot T\}$ represents the two states normal and abnormal. For each pkt_in packet object, object $\in T$ if its behaviour is normal and object $\in \lnot T$ otherwise.
  • The decision function $f$ is based on the naive Bayes classifier.
  • Following three-way decision theory, a pair of thresholds $\alpha$ and $\beta$ with $0 \le \beta < \alpha \le 1$ is introduced.
  • The positive (POS), negative (NEG) and boundary (BND) regions of DDoS pre-detection are defined as follows:
  • $\mathrm{POS}(T) = \{\text{object} : P(T \mid \text{object}) \ge \alpha\}$, $\mathrm{BND}(T) = \{\text{object} : \beta < P(T \mid \text{object}) < \alpha\}$, $\mathrm{NEG}(T) = \{\text{object} : P(T \mid \text{object}) \le \beta\}$.
  • The formulas above give the condition under which an object is assigned to the positive, negative or boundary region:
  • $P(T \mid \text{object}) \ge \alpha$ indicates normal traffic;
  • $P(T \mid \text{object}) \le \beta$ indicates abnormal traffic;
  • $\beta < P(T \mid \text{object}) < \alpha$ indicates suspicious traffic.
  • The decision function $f$ is Bayes' formula, assuming that the attributes $v_i$ are mutually independent: $P(T \mid \text{object}) = \dfrac{P(T)\,P(\text{object} \mid T)}{P(\text{object})}$ with $P(\text{object} \mid T) = \prod_{i=1}^{n} P(\text{object}_i \mid T)$, where:
  • $n$ is the number of attribute fields;
  • $\text{object}_i$ is the value of the pkt_in object in the $i$-th attribute field;
  • object represents the data packet;
  • $T$ represents that the data packet is normal;
  • $P(T \mid \text{object})$ is the posterior probability that the data packet is normal;
  • $P(T)$ is the prior probability that a data packet is normal;
  • $P(\text{object})$ is the total probability of the data packet (the evidence);
  • $P(\text{object} \mid T)$ is the probability of the data packet given that it is normal, computed as a product over the attributes $\text{object}_i$ under the assumption that they are mutually independent.
  • The optimal $\alpha$ and $\beta$ are the pair with the highest $F$ value, where
  • $F = \dfrac{2 \cdot \text{precision} \cdot \text{recall}}{\text{precision} + \text{recall}}$, $\text{precision} = \dfrac{TP}{TP + FP}$, $\text{recall} = \dfrac{TP}{TP + FN}$;
  • TP (true positive): the instance is positive and is predicted positive;
  • TN (true negative): the instance is negative and is predicted negative;
  • FP (false positive): the instance is negative but is predicted positive;
  • FN (false negative): the instance is positive but is predicted negative.
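The pre-detection stage above (naive Bayes posterior, the three regions delimited by $\alpha$ and $\beta$, and threshold selection by $F$ value) and the anomaly early-warning module of the system embodiment further below (flag set to 0 for NEG and BND packets) are shown together in this added Python example. It is not the patent's code: the categorical packet attributes, the labelled records `TRAIN` and `VALID`, the Laplace smoothing, and the rule that scores a threshold pair by the $F$ value of the alarm decision (NEG or BND) plus the $F$ value of the definite-abnormal decision (NEG only) are all this example's assumptions; the patent only states that the pair with the best classification rate is kept.

```python
from collections import Counter, defaultdict

# Constructed, labelled packet_in records (not the patent's data): attributes are
# (protocol, destination-port bucket, size bucket, TCP-flag bucket); label True = normal (T).
TRAIN = [
    (("TCP", "443", "big", "ack"), True), (("TCP", "80", "big", "ack"), True),
    (("UDP", "53", "small", "none"), True), (("TCP", "443", "big", "ack"), True),
    (("TCP", "22", "big", "ack"), True), (("UDP", "53", "small", "none"), True),
    (("TCP", "80", "big", "ack"), True), (("ICMP", "-", "small", "none"), True),
    (("TCP", "80", "small", "syn"), False), (("TCP", "80", "small", "syn"), False),
    (("TCP", "443", "small", "syn"), False), (("UDP", "rand", "small", "none"), False),
    (("UDP", "rand", "small", "none"), False), (("ICMP", "-", "small", "none"), False),
    (("ICMP", "-", "small", "none"), False), (("TCP", "80", "small", "syn"), False),
]
VALID = [
    (("TCP", "443", "big", "ack"), True), (("UDP", "53", "small", "none"), True),
    (("TCP", "80", "big", "ack"), True), (("TCP", "22", "big", "ack"), True),
    (("TCP", "80", "small", "syn"), False), (("UDP", "rand", "small", "none"), False),
    (("ICMP", "-", "small", "none"), False), (("TCP", "443", "small", "syn"), False),
]
GRID = [round(0.1 * k, 1) for k in range(1, 10)]   # candidate alpha/beta values


class NaiveBayes:
    """Categorical naive Bayes with Laplace smoothing; P(T|object) via Bayes' rule."""

    def __init__(self, smoothing=1.0):
        self.smoothing = smoothing

    def fit(self, records):
        self.n = len(records)
        self.prior = Counter()                  # class counts -> P(T), P(not T)
        self.counts = defaultdict(Counter)      # (field i, class) -> value counts
        self.values = defaultdict(set)          # field i -> observed values
        for attrs, label in records:
            self.prior[label] += 1
            for i, v in enumerate(attrs):
                self.counts[(i, label)][v] += 1
                self.values[i].add(v)
        return self

    def joint(self, attrs, label):
        """P(class) * prod_i P(object_i | class); attributes assumed independent."""
        p = self.prior[label] / self.n
        for i, v in enumerate(attrs):
            c = self.counts[(i, label)]
            p *= (c[v] + self.smoothing) / (self.prior[label] + self.smoothing * len(self.values[i]))
        return p

    def p_normal(self, attrs):
        """P(T|object) = P(T)P(object|T) / P(object), P(object) summed over both classes."""
        pt, pf = self.joint(attrs, True), self.joint(attrs, False)
        return pt / (pt + pf)


def three_way(p_normal, alpha, beta):
    """Three-way decision: POS (normal), NEG (abnormal) or BND (suspicious)."""
    if p_normal >= alpha:
        return "POS"
    if p_normal <= beta:
        return "NEG"
    return "BND"


def f_measure(model, records, alpha, beta, alarm_regions):
    """F = 2PR/(P+R), attack records being the positive class and a record counting
    as alarmed when its region is in alarm_regions."""
    tp = fp = fn = 0
    for attrs, normal in records:
        alarm = three_way(model.p_normal(attrs), alpha, beta) in alarm_regions
        if alarm and not normal:
            tp += 1
        elif alarm and normal:
            fp += 1
        elif not alarm and not normal:
            fn += 1
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def select_thresholds(model, records, grid):
    """Pick (alpha, beta) with beta < alpha maximising F(alarm on NEG or BND) + F(NEG only).
    The combined score is this example's choice, not the patent's."""
    best = None
    for alpha in grid:
        for beta in grid:
            if beta >= alpha:
                continue
            score = (f_measure(model, records, alpha, beta, {"NEG", "BND"})
                     + f_measure(model, records, alpha, beta, {"NEG"}))
            if best is None or score > best[0]:
                best = (score, alpha, beta)
    return best[1], best[2]


def alarm_module(model, attrs, alpha, beta):
    """Returns (region, flag): flag 0 raises the abnormal warning for NEG and BND packets."""
    region = three_way(model.p_normal(attrs), alpha, beta)
    return region, (1 if region == "POS" else 0)


if __name__ == "__main__":
    nb = NaiveBayes().fit(TRAIN)
    alpha, beta = select_thresholds(nb, VALID, GRID)
    print("alpha", alpha, "beta", beta)
    for attrs, _ in VALID:
        print(attrs, round(nb.p_normal(attrs), 3), alarm_module(nb, attrs, alpha, beta))
```

With these constructed records a small DNS reply lands in the boundary region (its posterior of being normal is about 0.5), which is the case the three-way scheme exists for: it is not dropped, but it is flagged and handed to the DNN stage rather than silently accepted.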
  • The Floodlight controller periodically sends a flow statistics request (OpenFlow ofp_flow_stats_request) to the OpenFlow switch, and the switch answers with an ofp_flow_stats_reply; on this basis a Linux shell script can periodically collect the flow table information.
  • The sampling period must be chosen with care: if it is too long, the flow table information loses continuity; if it is too short, the controller load increases.
  • FlowData is the class that encapsulates the parsed features; it contains attributes such as duration, packets, bytes, idle_timeout, idle_age, protocol, src_port, dst_port, ip_src and ip_dst.
  • JsonArray is the array type in which the JSON data are stored, and getAsJsonObject obtains each JSON object of the array as a JsonObject.
  • The processed data are finally encapsulated in FlowData and written to a file.
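The collection and processing pipeline above (and the information processing module of the system embodiment below, which standardizes and normalizes the collected flow data) is illustrated by this added Python example, which is not the patent's code. It parses a flow-statistics reply into `FlowData` records, aggregates one sampling window into a feature vector, and applies z-score standardization and min-max normalization. The reply text `SAMPLE_REPLY` is constructed inline and its field names (`durationSeconds`, `packetCount`, `match.ipv4_src`, ...) are an assumption for the example, not Floodlight's exact JSON schema; the five window features are likewise this example's choice.

```python
import json
import statistics
from dataclasses import dataclass, asdict

# Constructed flow-stats reply (not a capture; field names are assumptions, not Floodlight's schema).
SAMPLE_REPLY = json.dumps({"00:00:00:00:00:00:00:01": {"flows": [
    {"durationSeconds": 1, "packetCount": 1, "byteCount": 60, "idleTimeout": 10, "idleAge": 1,
     "match": {"ipv4_src": "10.0.0.11", "ipv4_dst": "10.0.0.9", "ip_proto": "0x6", "tp_src": "41000", "tp_dst": "80"}},
    {"durationSeconds": 1, "packetCount": 1, "byteCount": 60, "idleTimeout": 10, "idleAge": 1,
     "match": {"ipv4_src": "10.0.0.12", "ipv4_dst": "10.0.0.9", "ip_proto": "6", "tp_src": "41001", "tp_dst": "80"}},
    {"durationSeconds": 1, "packetCount": 1, "byteCount": 60, "idleTimeout": 10, "idleAge": 1,
     "match": {"ipv4_src": "10.0.0.13", "ipv4_dst": "10.0.0.9", "ip_proto": "6", "tp_src": "41002", "tp_dst": "80"}},
    {"durationSeconds": 30, "packetCount": 120, "byteCount": 90000, "idleTimeout": 10, "idleAge": 0,
     "match": {"ipv4_src": "10.0.0.2", "ipv4_dst": "10.0.0.9", "ip_proto": "6", "tp_src": "52000", "tp_dst": "443"}},
]}})

FEATURES = ["flow_count", "single_packet_ratio", "mean_packets",
            "mean_bytes_per_packet", "max_sources_per_dst"]


@dataclass
class FlowData:
    """Encapsulates the parsed fields of one flow entry (same attribute names as the patent)."""
    duration: float
    packets: int
    bytes: int
    idle_timeout: int
    idle_age: int
    protocol: int
    src_port: int
    dst_port: int
    ip_src: str
    ip_dst: str


def parse_flow_reply(text):
    """Parse every flow entry of every switch in the reply into FlowData records."""
    flows = []
    for _dpid, body in json.loads(text).items():
        for e in body["flows"]:
            m = e.get("match", {})
            flows.append(FlowData(
                duration=float(e.get("durationSeconds", 0)),
                packets=int(e.get("packetCount", 0)),
                bytes=int(e.get("byteCount", 0)),
                idle_timeout=int(e.get("idleTimeout", 0)),
                idle_age=int(e.get("idleAge", 0)),
                protocol=int(str(m.get("ip_proto", "0")), 0),   # accepts "6" or "0x6"
                src_port=int(m.get("tp_src", 0)),
                dst_port=int(m.get("tp_dst", 0)),
                ip_src=m.get("ipv4_src", ""),
                ip_dst=m.get("ipv4_dst", ""),
            ))
    return flows


def window_features(flows):
    """Aggregate one sampling window of flow entries into the DDoS feature vector."""
    n = len(flows)
    if n == 0:
        return dict.fromkeys(FEATURES, 0.0)
    sources = {}
    for f in flows:
        sources.setdefault(f.ip_dst, set()).add(f.ip_src)
    return {
        "flow_count": float(n),
        "single_packet_ratio": sum(f.packets == 1 for f in flows) / n,
        "mean_packets": sum(f.packets for f in flows) / n,
        "mean_bytes_per_packet": sum(f.bytes / f.packets for f in flows if f.packets) / n,
        "max_sources_per_dst": float(max(len(s) for s in sources.values())),
    }


def standardize(rows):
    """Column-wise z-score with population std; constant columns map to 0."""
    cols = list(zip(*rows))
    means = [statistics.fmean(c) for c in cols]
    stds = [statistics.pstdev(c) for c in cols]
    return [[(x - mu) / sd if sd else 0.0 for x, mu, sd in zip(r, means, stds)] for r in rows]


def normalize(rows):
    """Column-wise min-max scaling to [0, 1]; constant columns map to 0."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(x - a) / (b - a) if b > a else 0.0 for x, a, b in zip(r, lo, hi)] for r in rows]


def write_window(flows, path):
    """Append the parsed FlowData records of one window to a JSON-lines file."""
    with open(path, "a") as fh:
        for f in flows:
            fh.write(json.dumps(asdict(f)) + "\n")


if __name__ == "__main__":
    flows = parse_flow_reply(SAMPLE_REPLY)
    feat = window_features(flows)
    print(feat)
    print(normalize(standardize([[feat[k] for k in FEATURES], [1.0, 0.0, 120.0, 750.0, 1.0]])))
```

Three one-packet flows from distinct sources toward the same destination port next to one long-lived flow is the pattern a SYN flood leaves in the flow table; the single-packet ratio and sources-per-destination features make it visible before any per-packet inspection.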
  • Semantic analysis is widely used in document classification; its purpose is to analyse the relationships between words in context and uncover the latent topics of a document. Its tasks differ by language unit: at the word level the basic task is word sense disambiguation (WSD), at the sentence level semantic role labelling (SRL), and at the text level referential disambiguation, also known as coreference resolution.
  • For feature selection, where several feature tags have similar meanings or are closely dependent on one another, the idea of semantic "word sense disambiguation" can be borrowed to remove redundant features and bring out the important ones.
  • Bagging and random forests match this idea well and allow better features to be selected.
  • Random attribute selection is introduced into the training of the decision trees, which is similar to the way the latent semantic indexing (LSI) method finds the topic characteristics of a text.
  • For each node of a base decision tree, the random forest algorithm randomly selects a subset of $k$ attributes from the node's attribute set and then chooses the optimal attribute from this subset for the split.
  • Bagging draws $T$ bootstrap sample sets, each containing $m$ training samples, where:
  • $D$ is the original data set;
  • $(x_n, y_n)$ is one training example, $x_n$ the input and $y_n$ its true label;
  • $D_{bs}$ is a sampled data set, drawn with replacement from $D$;
  • a base learner $h_t(x)$ is trained on each sample set, and the base learners are combined into $H(x)$, by majority vote for classification: $H(x) = \arg\max_{y} \sum_{t=1}^{T} \mathbb{I}\big(h_t(x) = y\big)$.
  • The invention uses the random forest algorithm to extract important features from the DARPA 2007 data set, then combines these optimal features with the flow table information collected in the software-defined network to construct features suited to DDoS detection in an SDN environment;
  • the features selected from the DARPA 2007 data set by the bagging algorithm are grnff, grsd, Abpf, crsp and crdp; finally the original flow table features are integrated with them to form the multi-dimensional DDoS feature vector group.
  • Incremental learning gives the machine learning model a self-learning capability: it adjusts to changes in the actual state, making the model more adaptive while also improving convergence speed.
  • This design applies an incremental learning algorithm to DDoS detection, which lets the detection model learn dynamically and continuously from diverse data.
  • Incremental learning of the multi-dimensional DDoS feature vector group based on principal component analysis includes the following steps, where:
  • $D$ is the preprocessed multidimensional feature matrix;
  • $m$ is the number of samples;
  • $X_i$ is the vector representation of the $i$-th sample.
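The PCA steps themselves are not reproduced on this page, so the following added Python example (not the patent's code) shows one way to realise "incremental learning with spatial mapping through PCA" using the symbols above: the $m$ sample vectors $X_i$ of $D$ are absorbed batch by batch into running sums, the covariance is rebuilt from those sums without revisiting earlier samples, the leading components are found by power iteration with deflation, and each sample is mapped onto them to form the new feature vector. The constructed rows in `sample_rows` and the choice of power iteration are this example's assumptions.

```python
class IncrementalPCA:
    """Principal component analysis kept up to date from running sums, so a new batch of
    samples X_i updates the covariance without revisiting the samples seen before."""

    def __init__(self, dim, n_components):
        self.d, self.k, self.m = dim, n_components, 0
        self.sum = [0.0] * dim                                   # sum of X_i
        self.sum_outer = [[0.0] * dim for _ in range(dim)]       # sum of X_i X_i^T
        self.mean, self.components, self.eigenvalues = None, [], []

    def partial_fit(self, rows):
        """Absorb a batch of samples (each a list of length dim) and refit the components."""
        for x in rows:
            self.m += 1
            for i in range(self.d):
                self.sum[i] += x[i]
                for j in range(self.d):
                    self.sum_outer[i][j] += x[i] * x[j]
        self._refit()
        return self

    def _refit(self):
        self.mean = [s / self.m for s in self.sum]
        cov = [[self.sum_outer[i][j] / self.m - self.mean[i] * self.mean[j]
                for j in range(self.d)] for i in range(self.d)]
        self.components, self.eigenvalues = [], []
        for _ in range(self.k):
            v, lam = power_iteration(cov)
            self.components.append(v)
            self.eigenvalues.append(lam)
            # deflate: remove the component just found before searching for the next one
            cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(self.d)] for i in range(self.d)]

    def transform(self, x):
        """Map one sample onto the k principal axes: this is the new feature vector."""
        centered = [x[i] - self.mean[i] for i in range(self.d)]
        return [sum(c * v for c, v in zip(centered, comp)) for comp in self.components]

    def explained_variance_ratio(self):
        total = sum(self.sum_outer[i][i] / self.m - self.mean[i] ** 2 for i in range(self.d))
        return [lam / total if total else 0.0 for lam in self.eigenvalues]


def power_iteration(mat, iters=500, tol=1e-12):
    """Dominant eigenvector and eigenvalue of a symmetric matrix by power iteration.
    Returns a zero vector and eigenvalue 0 when no variance is left in the matrix."""
    d = len(mat)
    v = [1.0 / d ** 0.5] * d
    for _ in range(iters):
        w = [sum(mat[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = sum(c * c for c in w) ** 0.5
        if norm < 1e-9:
            return [0.0] * d, 0.0
        w = [c / norm for c in w]
        converged = sum(abs(a - b) for a, b in zip(v, w)) < tol
        v = w
        if converged:
            break
    lam = sum(v[i] * sum(mat[i][j] * v[j] for j in range(d)) for i in range(d))
    return v, lam


def sample_rows():
    """Constructed feature rows: the second column is twice the first, the third is constant,
    so all variance lies along the direction (1, 2, 0)."""
    return [[float(t), 2.0 * t, 1.0] for t in range(-5, 6)]


if __name__ == "__main__":
    pca = IncrementalPCA(dim=3, n_components=2)
    pca.partial_fit(sample_rows()[:6])          # first batch of samples
    pca.partial_fit(sample_rows()[6:])          # a later batch arrives: incremental update
    print(pca.components[0], pca.eigenvalues, pca.explained_variance_ratio())
    print(pca.transform([1.0, 2.0, 1.0]))
```

Because only the sums are retained, the memory cost is fixed by the feature dimension rather than by the number of windows collected, which is what makes the update cheap enough to run on the controller each sampling period.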
  • A deep neural network is composed of an input layer, hidden layers and an output layer.
  • In supervised learning a deep neural network works in two stages. The first is forward propagation of the signal, from the input layer through the hidden layer to the output layer; the second is back propagation of the error, from the output layer back through the hidden layer to the input layer.
  • The weights and biases from the hidden layer to the output layer, and then those from the input layer to the hidden layer, are adjusted in turn.
  • The algorithm flow of the deep neural network is shown in Figure 5.
  • A neuron receives input signals from $n$ other neurons over weighted connections; the total input it receives is compared with the neuron's threshold and then passed through the activation function to produce the neuron's output.
  • Back propagation iterates in reverse with the sum of squared errors $E = \frac{1}{2}\sum_k (t_k - o_k)^2$ as the objective function, $t_k$ being the target and $o_k$ the output of the $k$-th output neuron.
  • The parameters are computed by gradient descent, i.e. the gradient (partial derivative) of the objective with respect to every parameter is calculated; training ends when the global error falls below the threshold and otherwise continues to iterate.
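The two-stage training described above (and in the method claims earlier on this page) is shown in this added Python example, which is not the patent's network: a one-hidden-layer sigmoid network trained by batch gradient descent on the sum-of-squared-error objective, stopping when the global error per epoch drops below a threshold. It is set up for the task the second stage performs, classifying an already-alarmed window by attack type. The per-window protocol-share inputs in `TRAIN`, the three attack classes, the layer sizes, learning rate and error threshold are all assumptions for the example.

```python
import math
import random

# Constructed training set (not the patent's data): per-window protocol mix
# [SYN share, UDP share, ICMP share] -> one-hot attack type.
CLASSES = ["syn_flood", "udp_flood", "icmp_flood"]
TRAIN = [
    ([0.90, 0.05, 0.05], [1, 0, 0]), ([0.80, 0.10, 0.10], [1, 0, 0]),
    ([0.10, 0.80, 0.10], [0, 1, 0]), ([0.05, 0.90, 0.05], [0, 1, 0]),
    ([0.10, 0.10, 0.80], [0, 0, 1]), ([0.05, 0.05, 0.90], [0, 0, 1]),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class MLP:
    """One hidden layer, sigmoid units, sum-of-squared-error objective, batch gradient descent."""

    def __init__(self, n_in, n_hidden, n_out, seed=7):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_out)]
        self.b2 = [0.0] * n_out

    def forward(self, x):
        """Forward propagation input -> hidden -> output: each unit sums its weighted inputs
        plus bias (the neuron threshold) and applies the activation function."""
        h = [sigmoid(sum(w * xi for w, xi in zip(ws, x)) + b) for ws, b in zip(self.w1, self.b1)]
        o = [sigmoid(sum(w * hi for w, hi in zip(ws, h)) + b) for ws, b in zip(self.w2, self.b2)]
        return h, o

    def predict(self, x):
        _, o = self.forward(x)
        return max(range(len(o)), key=o.__getitem__)

    def train(self, data, lr=1.0, error_threshold=0.1, max_epochs=10000):
        """Back propagation on E = 1/2 sum (t - o)^2. Stops when the global error of an
        epoch is below error_threshold, otherwise keeps iterating. Returns (epochs, error)."""
        for epoch in range(1, max_epochs + 1):
            g_w1 = [[0.0] * len(r) for r in self.w1]
            g_b1 = [0.0] * len(self.b1)
            g_w2 = [[0.0] * len(r) for r in self.w2]
            g_b2 = [0.0] * len(self.b2)
            error = 0.0
            for x, t in data:
                h, o = self.forward(x)
                error += 0.5 * sum((ti - oi) ** 2 for ti, oi in zip(t, o))
                # output-layer deltas: dE/dnet_k = -(t_k - o_k) * o_k * (1 - o_k)
                d_out = [-(ti - oi) * oi * (1 - oi) for ti, oi in zip(t, o)]
                # hidden-layer deltas: the output error propagated back through w2
                d_hid = [hj * (1 - hj) * sum(d_out[k] * self.w2[k][j] for k in range(len(d_out)))
                         for j, hj in enumerate(h)]
                for k in range(len(d_out)):
                    g_b2[k] += d_out[k]
                    for j in range(len(h)):
                        g_w2[k][j] += d_out[k] * h[j]
                for j in range(len(d_hid)):
                    g_b1[j] += d_hid[j]
                    for i in range(len(x)):
                        g_w1[j][i] += d_hid[j] * x[i]
            if error < error_threshold:
                return epoch, error
            # gradient descent step: hidden->output weights first, then input->hidden
            for k in range(len(self.w2)):
                self.b2[k] -= lr * g_b2[k]
                for j in range(len(self.w2[k])):
                    self.w2[k][j] -= lr * g_w2[k][j]
            for j in range(len(self.w1)):
                self.b1[j] -= lr * g_b1[j]
                for i in range(len(self.w1[j])):
                    self.w1[j][i] -= lr * g_w1[j][i]
        return max_epochs, error


def train_attack_classifier():
    """Train the example network on TRAIN; returns (network, epochs run, final global error)."""
    net = MLP(n_in=3, n_hidden=5, n_out=3)
    epochs, err = net.train(TRAIN)
    return net, epochs, err


if __name__ == "__main__":
    net, epochs, err = train_attack_classifier()
    print(f"stopped after {epochs} epochs, global error {err:.4f}")
    print(CLASSES[net.predict([0.85, 0.10, 0.05])])
```

In the patent's pipeline the inputs would be the PCA-mapped feature vectors of the windows the first stage flagged, and the outputs the attack categories of interest; the forward and backward passes are unchanged.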
  • The present invention proposes an SDN DDoS detection system based on ensemble learning and a neural network, which includes a packet_in information extraction module, an abnormal warning module, a flow table information collection module, an information processing module and a detection module, in which:
  • the packet_in information extraction module extracts the source IP address and destination IP address from the packet_in message;
  • the abnormal warning module applies the three-way decision principle: it uses the naive Bayes probability model to obtain the abnormal alarm threshold and issues an abnormal warning when the calculated probability that the packet is of the normal type is lower than the threshold;
  • the flow table information collection module collects the OpenFlow flow table data required for DDoS detection; the Floodlight controller periodically sends a flow statistics request (OpenFlow ofp_flow_stats_request) to the OpenFlow switch, which answers with an ofp_flow_stats_reply, and on this basis a Linux shell script periodically collects the flow table information;
  • the information processing module standardizes, normalizes and reduces the dimensionality of the collected OpenFlow flow table data; in this module the collected flow table information is redirected to a file and the raw flow table information is then processed.
  • FlowData, the class that encapsulates the raw information, contains attributes such as duration, packets, bytes, idle_timeout, idle_age, protocol, src_port, dst_port, ip_src and ip_dst; in this embodiment JsonArray is the array type in which the JSON data are stored,
  • getAsJsonObject obtains each JSON object of the array as a JsonObject, and finally the data are processed, encapsulated in FlowData and written to a file;
  • the detection module, based on the deep neural network, performs further in-depth detection with the neural network after an abnormal alarm has been issued in the first detection stage, in order to analyse which type of attack has occurred.
  • The architecture of the system of the present invention is shown in Figure 2.
  • The packet_in information extraction module is mainly used to extract the source IP address and destination IP address from the packet_in message, using the following methods:
  • a method, implemented in the SDN controller, that handles the Packet_in message, where sw represents the switch, msg the message from the switch and cntx the controller context;
  • this code monitors the messages exchanged between the SDN controller and the OpenFlow switch; when a captured OFMessage is of Packet-in type it is processed to extract the information of the data link layer, network layer and transport layer (MAC addresses, IP addresses, transport-layer protocol, port numbers);
  • a method that judges whether the packet_in message carries a unicast, multicast or broadcast Ethernet frame and extracts the information from the data link layer up to the transport layer;
  • a method that counts the number of packet_in messages received.
  • The anomaly early-warning module is based on three-way decisions; specifically, the probabilistic rough set / naive Bayes method is used to estimate the thresholds.
  • The Bayesian probability is calculated and compared with the thresholds that delimit the negative and boundary regions. If the packet falls into the negative or the boundary region, the flag is set to 0 and an abnormal alarm is issued. The notation is as follows:
  • $P(T \mid o_i)$ is the Bayesian probability that the $i$-th object (data packet) belongs to $T$ (normal); $o_i$ is the $i$-th object; $o_i(v_j)$ is the value of attribute $v_j$ of object $o_i$; $\mathrm{POS}(T)$, $\mathrm{NEG}(T)$ and $\mathrm{BND}(T)$ are the positive, negative and boundary region sets.
  • After the abnormal alarm has been issued, the second stage, the detection module based on the deep neural network, is entered.
  • The main purpose of this stage is to classify the abnormal situation.
  • The deep neural network has been explained in the method part and is not repeated here.
  • The disclosed system, device and method may be implemented in other ways.
  • The device embodiments described above are merely illustrative; for example, the division into units is only a logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • The mutual coupling, direct coupling or communication connection displayed or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
  • The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • The functional units in the various embodiments of the present application may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit.
  • The integrated unit may be implemented in the form of hardware or of a software functional unit.
  • If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • The technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product stored in a storage medium and including several instructions that make a computer device (which may be a personal computer, a server, a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
  • The aforementioned storage media include: USB flash drives, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks and other media that can store program code.

Abstract

The present invention relates to the technical field of network security, in particular to a neural network-based DDoS detection method and detection system in an SDN network. The system comprises an information extraction module, an abnormality warning module, a flow table information collection module, an information processing module and a detection module. The information extraction module extracts the source IP address and destination IP address from a packet_in message; the abnormality warning module applies the three-way decision principle, uses a naive Bayes probability model to obtain an abnormality alarm threshold, and sends an abnormality warning when the calculated probability of the packet's type is lower than the threshold; the flow table information collection module collects flow table data; and the information processing module standardizes and normalizes the collected OpenFlow flow data and reduces its dimensionality. In a software-defined network, the present invention can quickly judge abnormal information in the network and issue an early warning without placing too much load on the network.

Description

SDN网络中基于神经网络的DDoS检测方法及系统DDoS detection method and system based on neural network in SDN network
本申请要求于2019年11月04日提交中国专利局、申请号为201911063906.7、发明名称为“SDN网络中基于神经网络的DDoS检测方法及系统”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on November 04, 2019, the application number is 201911063906.7, and the invention title is "DDoS detection method and system based on neural network in SDN network", the entire content of which is incorporated by reference Incorporated in this application.
技术领域Technical field
本发明涉及网络安全技术领域,特别涉及一种SDN网络中基于神经网络的DDoS检测方法及系统。The invention relates to the technical field of network security, in particular to a DDoS detection method and system based on a neural network in an SDN network.
背景技术Background technique
In the era of cloud computing and big data, massive data storage and processing require high-performance servers, and cloud computing is in essence the application built on top of a virtualized resource pool: it rests on virtualization technology. Cloud computing and virtualization both require centralized control, and the three most important concepts of SDN are programmability (open API interfaces), separation of the control plane from the data plane, and a centralized control model. An SDN-based network architecture makes network virtualization easier to realize and thereby supports big-data-related services. However, the distributed denial of service (DDoS) attack has always been a key research object in network security; it severely threatens network security in everyday operation and has a huge impact on the network environment. DDoS attackers first scan the whole network for hosts with protocol vulnerabilities or other weaknesses, then use those weaknesses to control a large number of hosts that simultaneously send all kinds of requests to the target, exhausting the target's system resources so that it can no longer provide its services to legitimate users. There are many types of distributed denial of service attack; by what is denied, they can be divided into bandwidth-consumption attacks and resource-consumption attacks. In a bandwidth-consumption attack, a large number of packets flow toward the victim host under DDoS attack and its network access bandwidth is exhausted; in a system-resource-consumption attack, the victim host's system resources (storage and computing resources) are heavily occupied, to the point of crashing. The two types may occur separately or together. Common DDoS attacks include the TCP SYN flood, ACK flood, ICMP attack and UDP flood. In the 2016 Internet outage in the United States, attackers exploited protocol vulnerabilities to launch a large-scale DDoS attack that took down servers belonging to the US DNS provider Dyn, so that legitimate users' normal requests could not be served. In China, DDoS attacks are also becoming more and more frequent; according to statistics from the National Internet Emergency Center (CNCERT), the proportion of attacks launched over TCP, UDP and ICMP has grown sharply. Judging from these events, whether because of the limitations of current networks or because of the interests at stake, many causes have produced the present situation of ever-intensifying DDoS attacks. Fundamentally solving today's network security problems requires new network architectures and network protocols.
In recent years, with the rise of new network technologies such as SD-WAN, more and more network researchers have begun applying artificial-intelligence methods to DDoS detection in SDN. Examples include a DDoS detection method based on self-organizing maps, a DDoS detection method using an SVM, and an NIDS that uses the SDN architecture and modifies OpenFlow switches to give them security-monitoring functions. Although these methods have, for a time, advanced research on DDoS detection, each has shortcomings in some respect. For example, the first method, which uses an SVM to detect DDoS, trains on only a small number of data samples; it cannot detect new attacks that combine several techniques, its detection accuracy needs improvement, and, more importantly, in real scenarios the volume of DDoS data often reaches 20G or more, so in practice the method does not perform well. The second method modifies the OpenFlow switch to detect DDoS at the traffic ingress; this does handle DDoS traffic most promptly, but it greatly increases cost and violates the decoupling principle of separating the control and forwarding planes.
Most DDoS detection is based on the intrusion detection principle and applies machine-learning algorithms directly; performing such complex, load-adding DDoS detection when no DDoS attack is occurring greatly reduces network utilization.
Summary of the invention
To improve detection accuracy without seriously affecting network efficiency, the present invention proposes a neural-network-based DDoS detection method and system in an SDN network. The method includes:
collecting and analyzing the packet_in messages sent by the OpenFlow switch to the OpenFlow controller;
parsing the received packet_in packets and extracting all fields of the packet and their corresponding values;
based on the three-way decision principle, using a naive Bayes probability model to obtain the abnormality-alarm thresholds, computing the probability of the packet's class, and raising an abnormality alarm according to that probability;
when an abnormality warning is issued, collecting OpenFlow flow table information and storing the collected flow tables in a database or file;
processing the collected flow table information, extracting the raw features and combining them with DDoS attack features to construct a multi-dimensional feature vector group;
performing incremental learning on the constructed multi-dimensional feature vector group, performing a space mapping by principal component analysis to form new feature vectors, and using the new feature vectors as the input of a deep neural network to train the deep neural network;
feeding real-time packets into the deep neural network to perform DDoS detection on the data and obtain the attack type.
Further, obtaining the abnormality-alarm thresholds from the naive Bayes probability model on the basis of the three-way decision principle includes setting a suspicious-traffic threshold and an abnormal-traffic threshold; judging whether the probability of the packet's class is greater than the suspicious-traffic threshold, and if so treating the packet as a suspicious packet; judging whether the probability of the packet's class is greater than the abnormal-traffic threshold, and if so treating the packet as an abnormal packet; if the packet is an abnormal-traffic packet, then; if the packet is a suspicious-traffic packet, then; after the Bayesian probability has been computed, the optimal values of the suspicious-traffic threshold and the abnormal-traffic threshold are selected by setting several pairs of suspicious-traffic and abnormal-traffic thresholds and comparing the correctness rates of the resulting classifications.
Further, performing incremental learning on the constructed multi-dimensional feature vector group includes:
standardizing and normalizing the multi-dimensional feature vectors as preprocessing;
computing the covariance matrix of the preprocessed multi-dimensional feature vectors, expressed as:
Figure PCTCN2020096278-appb-000001
performing singular value decomposition (SVD) on the covariance matrix and finally performing the space mapping to obtain the features after incremental learning;
where D denotes the preprocessed multi-dimensional feature vectors, m the number of samples, and X_i the vector representation of the i-th sample.
Further, using the new feature vectors as the input of the deep neural network and training it includes the following. The neural network consists of an input layer, hidden layers and an output layer. Training the deep neural network comprises forward propagation of the signal, i.e. propagation from the input layer through the hidden layers to the output layer, and back-propagation of the error, i.e. from the output layer to the hidden layers and finally to the input layer, adjusting the weights and biases from the hidden layers to the output layer and then the weights and biases from the input layer to the hidden layers;
in forward propagation, a neuron receives input signals from n other neurons, passed over weighted connections; the total input received by the neuron is compared with the neuron's threshold and then processed by an activation function to produce the neuron's output;
back-propagation iterates backwards with the sum of squared errors as the objective function; the parameters are computed by gradient descent, i.e. the gradients of all parameters are computed; when the global error falls below the threshold, training ends, otherwise iterative training continues.
The present invention also proposes a neural-network-based DDoS detection system in an SDN network, comprising a packet_in information extraction module, an abnormality warning module, a flow table information collection module, an information processing module and a detection module, where:
the packet_in information extraction module extracts the source IP address and destination IP address information from packet_in packets;
the abnormality warning module applies the three-way decision principle, using a naive Bayes probability model to obtain the abnormality-alarm threshold, computes the probability of the packet's class, and issues an abnormality warning when that probability is below the threshold;
the flow table information collection module collects the OpenFlow flow table data needed for DDoS detection;
the information processing module standardizes, normalizes and reduces the dimensionality of the collected OpenFlow flow table data;
the deep-neural-network-based detection module, after the abnormality alarm of the first detection stage has been issued, performs further in-depth detection with the neural network to determine which type of attack has occurred.
On the one hand, the present invention takes three-way decision as its theoretical basis and combines it with the Bayesian probability calculation to estimate the threshold at which an abnormality occurs; in a software-defined network this can quickly judge abnormal information in the network and issue a warning without placing much load on the network. On the other hand, the new feature vector group formed after incremental learning serves as the input of the DNN detection method, which can further determine whether DDoS has occurred.
Description of the drawings
Fig. 1 is a flow chart of the neural-network-based DDoS detection method in an SDN network of the present invention;
Fig. 2 is a schematic diagram of the framework of the neural-network-based DDoS detection system in an SDN network of the present invention;
Fig. 3 shows the process by which principal component analysis performs the space mapping to form new feature vectors in an embodiment of the present invention;
Fig. 4 is a work flow chart of the deep-neural-network-based detection module of the neural-network-based DDoS detection system in an SDN network of the present invention;
Fig. 5 is a schematic diagram of the forward propagation process of the neural network in the deep-neural-network-based detection module of the present invention;
Fig. 6 is a schematic diagram of the information exchange between switch and controller in the neural-network-based DDoS detection system in an SDN network of the present invention.
Detailed description
The terms "first", "second", "third", "fourth", etc. (if any) in the description and claims of this application and in the above drawings are used to distinguish similar objects and need not describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be implemented in an order other than that illustrated or described here. Furthermore, the terms "including" and "having", and any variants of them, are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to such processes, methods, products or devices.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The present invention proposes a neural-network-based DDoS detection method for SDN which, as shown in Fig. 1, includes the following steps:
collecting and analyzing the packet_in messages sent by the OpenFlow switch to the OpenFlow controller;
parsing the received packet_in packets and extracting all fields of the packet and their corresponding values;
based on the three-way decision principle, using a naive Bayes probability model to obtain the abnormality-alarm thresholds, computing the probability of the packet's class, and raising an abnormality alarm according to that probability;
when an abnormality warning is issued, collecting OpenFlow flow table information and storing the collected flow tables in a database or file;
processing the collected flow table information, extracting the raw features and combining them with DDoS attack features to construct a multi-dimensional feature vector group;
performing incremental learning on the constructed multi-dimensional feature vector group, performing a space mapping by principal component analysis to form new feature vectors, and using the new feature vectors as the input of a deep neural network to train the deep neural network;
feeding real-time packets into the deep neural network to perform DDoS detection on the data and obtain the attack type.
As shown in Fig. 3, in a software-defined network environment packets are forwarded according to the flow tables that the OpenFlow controller installs on the OpenFlow switches on the basis of network-wide information. When a large number of packets match no flow table entry, the OpenFlow switch encapsulates them into packet_in messages for the controller; therefore, when a DDoS attack occurs, the controller receives a large number of packet_in messages.
The information exchange between hosts or servers, the OpenFlow switch and the SDN controller is shown in Fig. 2. In SDN, the host sends data into the network; when the data reaches the OpenFlow switch, if there is a matching entry in the switch, the instruction set of that entry is executed. If there is no matching entry, the OpenFlow switch encapsulates the packet into a packet_in message and sends it to the controller over the secure channel between the SDN controller and the OpenFlow switch. The controller processes, analyzes and inspects the received packet_in messages (this is the detection part described herein). When DDoS is detected, the SDN controller sends packet_out messages (OpenFlow flow tables) to the OpenFlow switch for cleanup.
A packet_in message includes at least two features from which abnormality can be judged, the source IP address and the destination IP address. Collecting and analyzing the packet_in messages sent by the OpenFlow switch to the OpenFlow controller includes:
processing the monitored OpenFlow protocol messages, expressed as:
net.floodlightcontroller.core.IListener.Command receive(IOFSwitch sw, OFMessage msg, FloodlightContext cntx)
this statement handles the Packet_in message, where sw represents the switch, msg is the switch's message and cntx is the controller context;
storing the type of the packet_in packet, expressed as:
List<String> PacketInType(IOFSwitch sw, OFMessage m, Ethernet eth)
this statement determines whether the packet_in message is unicast, multicast, broadcast or of a given Ethernet type, and extracts the information from the data link layer up to the transport layer;
counting the number of parsed packet_in packets belonging to the UDP protocol, expressed as:
getPACKET_IN_UDP_Count()
this statement counts the number of packet_in packets received.
Obtaining the abnormality-alarm thresholds from the naive Bayes probability model on the basis of the three-way decision principle includes setting a suspicious-traffic threshold and an abnormal-traffic threshold; judging whether the probability of the packet's class is greater than the suspicious-traffic threshold, and if so treating the packet as a suspicious packet; judging whether the probability of the packet's class is greater than the abnormal-traffic threshold, and if so treating the packet as an abnormal packet; if the packet is an abnormal-traffic packet, then; if the packet is a suspicious-traffic packet, then; after the Bayesian probability has been computed, the optimal values of the suspicious-traffic threshold and the abnormal-traffic threshold are selected by setting several pairs of suspicious-traffic and abnormal-traffic thresholds and comparing the correctness rates of the resulting classifications.
Most current DDoS detection methods treat the problem as binary classification: deciding whether traffic is normal or abnormal. In reality this view ignores the nature of the behaviour itself. For example, if someone sends packets into the network to probe its bandwidth or test its load, the sender's purpose is to measure bandwidth and load, but to the network itself this is in essence an attack that interferes with normal operation; taken further, if the packets are sent continuously, the behaviour becomes a DDoS attack. Scholars have proposed the theory of three-way decisions, which holds that in real decision making one can decide immediately on things one is sufficiently sure to accept or reject, while for things on which no immediate decision can be made, one tends to postpone judgment, i.e. to defer the decision. To address the above problem, a hybrid detection model based on three-way decisions and a neural network is therefore proposed.
Suppose X is a three-element detection model, X = (U, A = S ∪ L, f), where U = {object_1, object_2, object_3, ..., object_n} is the set of pkt_in packet objects, A denotes the attributes of a pkt_in packet object, S = {v_1, v_2, v_3, ..., v_n} is the set of parsed attribute fields of each object, v_n being the n-th parsed attribute field of an object, L is the detection label of the object, and f is the detection decision function.
Let the state set
Figure PCTCN2020096278-appb-000002
denote the two states, normal and abnormal. For each pkt_in packet object object, if its behaviour is normal then object ∈ T, otherwise
Figure PCTCN2020096278-appb-000003
The decision function f here is based on the naive Bayes classifier. Finally a pair of thresholds α and β is introduced, following three-way decision theory. The positive region (POS), negative region (NEG) and boundary region (BND) of DDoS pre-detection are defined as follows.
POS = {object ∈ U, P(T|object) ≥ α}
NEG = {object ∈ U, P(T|object) ≤ β}
BND = {object ∈ U, β ≤ P(T|object) ≤ α}
The above expressions give the conditions under which an object is assigned to the positive, negative or boundary region. P(T|object) ≥ α indicates normal traffic, P(T|object) ≤ β indicates abnormal traffic, and β ≤ P(T|object) ≤ α indicates suspicious traffic.
In the above expressions the decision function f is Bayes' formula, and the attributes v_i are assumed to be mutually independent.
Figure PCTCN2020096278-appb-000004
In the above formula, n is the number of attribute fields and object_i is the value of the pkt_in object's i-th attribute field; object denotes the packet; T denotes that the packet is normal; P(T|object) is the probability that the packet is normal; P(T) is the prior probability that a packet is normal; P(object|T) is the posterior probability that the packet is normal; P(object) is the total probability; and P(object_i|T) is the probability that the packet is normal for the attribute object_i, the attributes of packet object being taken as mutually independent.
Setting the α and β thresholds: after the Bayesian probabilities have been computed, several pairs of α and β thresholds are tried and the correctness rates of the resulting classifications are compared to select the optimal α and β values.
When selecting the optimal α and β, the accuracy, precision, recall and F value are considered; α and β are adjusted adaptively, and the values at which accuracy, precision, recall and F value are best balanced are the selected optimal α and β, where:
accuracy (correctness rate) = (TP + TN) / total samples;
precision = TP / (TP + FP);
recall = TP / (TP + FN);
F value = 2 × precision × recall / (precision + recall);
where TP denotes true positives, i.e. an instance that is positive and is predicted positive; TN true negatives, i.e. an instance that is negative and is predicted negative; FP false positives, i.e. an instance that is negative but is predicted positive; and FN false negatives, i.e. an instance that is positive but is predicted negative.
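The three-way decision of the pre-detection stage and the α/β selection by accuracy, precision, recall and F value, as an added worked example in Python that is not code from the patent: a naive Bayes decision function f over a constructed set of parsed packet_in attribute fields, the POS/NEG/BND split, and a grid search over candidate (α, β) pairs. The attribute fields, the Laplace smoothing and the metric convention for the boundary region (an undecided packet counts as neither TP nor TN, and an abnormal packet left undecided counts as FN) are assumptions of the example.

```python
import math
from collections import Counter

# Constructed training set (not from the patent): one tuple per pkt_in object.
# The first four entries are its parsed attribute fields v1..v4 (protocol,
# destination port, payload-size bucket, whether it is a bare TCP SYN); the last
# entry is the label L (True = normal). The field choice is an assumption.
TRAIN = [
    ("tcp", "443", "large", "no", True),
    ("tcp", "443", "medium", "no", True),
    ("tcp", "80", "large", "no", True),
    ("udp", "53", "small", "no", True),
    ("tcp", "22", "medium", "no", True),
    ("tcp", "80", "medium", "no", True),
    ("tcp", "80", "small", "yes", False),
    ("tcp", "443", "small", "yes", False),
    ("tcp", "80", "small", "yes", False),
    ("udp", "123", "small", "no", False),
    ("icmp", "0", "small", "no", False),
    ("udp", "53", "small", "no", False),
]


class NaiveBayesDecider:
    """Decision function f: P(T|object) from naive Bayes with Laplace smoothing."""

    def __init__(self, rows, smoothing=1.0):
        self.k = smoothing
        self.n_fields = len(rows[0]) - 1
        self.total = len(rows)
        self.class_count = Counter(r[-1] for r in rows)
        self.values = [set() for _ in range(self.n_fields)]
        self.field_count = {(i, c): Counter()
                            for i in range(self.n_fields) for c in (True, False)}
        for r in rows:
            for i, v in enumerate(r[:-1]):
                self.field_count[(i, r[-1])][v] += 1
                self.values[i].add(v)

    def _log_joint(self, fields, cls):
        # log P(cls) + sum_i log P(object_i | cls); attributes treated as independent
        lp = math.log(self.class_count[cls] / self.total)
        for i, v in enumerate(fields):
            seen = self.field_count[(i, cls)][v]
            lp += math.log((seen + self.k) /
                           (self.class_count[cls] + self.k * len(self.values[i])))
        return lp

    def p_normal(self, fields):
        """P(T|object) = P(T)P(object|T) / P(object), P(object) summed over both classes."""
        ln, la = self._log_joint(fields, True), self._log_joint(fields, False)
        top = max(ln, la)  # subtract the max so exp() cannot underflow to 0/0
        return math.exp(ln - top) / (math.exp(ln - top) + math.exp(la - top))


def region(p_normal, alpha, beta):
    """Three-way decision: POS = normal, NEG = abnormal (alarm), BND = suspicious."""
    if p_normal >= alpha:
        return "POS"
    if p_normal <= beta:
        return "NEG"
    return "BND"


def metrics(labels, regions):
    """Abnormal is the positive class. BND is undecided: it is neither TP nor TN,
    and an abnormal packet left in BND or POS is a missed alarm (FN)."""
    pairs = list(zip(labels, regions))
    tp = sum(1 for normal, r in pairs if not normal and r == "NEG")
    tn = sum(1 for normal, r in pairs if normal and r == "POS")
    fp = sum(1 for normal, r in pairs if normal and r == "NEG")
    fn = sum(1 for normal, r in pairs if not normal and r != "NEG")
    accuracy = (tp + tn) / len(pairs)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": accuracy, "precision": precision, "recall": recall, "f": f}


def select_thresholds(model, rows, alphas=(0.6, 0.7, 0.8, 0.9, 0.95),
                      betas=(0.05, 0.1, 0.2, 0.3, 0.4)):
    """Try several (alpha, beta) pairs on labelled rows and keep the pair with the
    best F value, breaking ties by accuracy. Returns (alpha, beta, metrics)."""
    labels = [r[-1] for r in rows]
    probs = [model.p_normal(r[:-1]) for r in rows]
    best = None
    for alpha in alphas:
        for beta in betas:
            if beta >= alpha:
                continue
            m = metrics(labels, [region(p, alpha, beta) for p in probs])
            key = (m["f"], m["accuracy"])
            if best is None or key > best[0]:
                best = (key, alpha, beta, m)
    return best[1], best[2], best[3]


if __name__ == "__main__":
    model = NaiveBayesDecider(TRAIN)
    alpha, beta, m = select_thresholds(model, TRAIN)
    print(f"alpha={alpha} beta={beta} metrics={m}")
    for fields in (("tcp", "443", "large", "no"), ("tcp", "80", "small", "yes")):
        p = model.p_normal(fields)
        print(fields, f"P(T|object)={p:.3f}", region(p, alpha, beta))
```

In a deployment the threshold search would run on a held-out labelled set rather than on the training rows as here, so that the chosen α and β are not tuned to noise in the training data.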
After the abnormality alarm has been issued, suspicious and normal traffic are inspected further. The Floodlight controller periodically sends the flow-table request message ofp_flow_status_request to the OpenFlow switch, which replies with ofp_flow_status_reply on receipt; on this basis a shell script can be written on Linux to collect flow table information periodically. When setting the sampling period, note that too long a period leaves the flow table information without continuity, while too short a period increases the controller load.
The collected flow table information is redirected into a file, and the raw flow table information is then processed. FlowData is a wrapper class for the raw information, containing attributes such as duration, packets, bytes, idle_timeout, idle_age, protocol, src_port, dst_port, ip_src and ip_dst, used to encapsulate the parsed features.
JsonArray is an array storing Json data; the getAsJsonObject method retrieves each Json object in the array and stores it as a JsonObject. The finally processed data is encapsulated in FlowData and written to a file.
Features are then extracted from the processed data; the raw extracted features are duration (Duration), number of packets (n_packet), packet bytes (n_byte), idle time (idle_timeout), miss time (idle_age), protocol (protocol), source IP address (src_ip), destination IP address (dst_ip), source port (src_port) and destination port (dst_port).
Drawing on the idea of semantic analysis, ensemble learning is used to process the data set and extract features that separate DDoS well. Semantic analysis is widely used in document classification; its aim is to analyze the relations between words in context and uncover the latent topics in documents. The task of semantic analysis differs by linguistic unit: at the word level its basic task is word sense disambiguation (WSD), at the sentence level semantic role labeling (SRL), and at the discourse level reference disambiguation, also called coreference resolution. In feature selection, for feature labels with similar meanings or several labels with close dependencies, the idea of semantic analysis can be borrowed to "disambiguate" them, removing redundant features and uncovering important topic features. In ensemble learning, bagging and random forests fit this idea of semantic analysis well and allow better features to be selected.
Random attribute selection is further introduced into the training of the decision trees, which resembles the idea of finding text topic features with latent semantic indexing (LSI). When selecting the optimal splitting attribute, the random forest algorithm, for each node of a base decision tree, randomly selects a subset of k attributes from that node's attribute set and then selects the optimal attribute from that subset for the split.
The Bagging algorithm is described as follows:
Figure PCTCN2020096278-appb-000005
In the above algorithm there are T sample sets each containing m training samples; D denotes the data set; (x_n, y_n) denotes one training pair, where x_n is the input data and y_n its true label; D_bs denotes the sampled data set; a base learner h_t(x) is trained on each sample set, and the base learners are combined to obtain H(x).
This description uses the random forest algorithm to extract important features from the DARPA 2007 data set, then combines the extracted optimal features with the flow table information collected in the software-defined network to construct features suited to DDoS detection in a software-defined network environment. Preferably, the features the present invention selects from the DARPA 2007 data set according to the Bagging algorithm are grnff, grsd, Abpf, crsp and crdp; finally the raw flow table features are merged in to form a multi-dimensional DDoS feature vector group.
增量学习能让机器学习进一步具有自学习能力,并且能针对实际状态下的变化做出相应调整,使模型更加智能化,同时能提高收敛速度。本设计将增量学习算法运用到DDoS检测之中,增量学习的引入使得DDoS检测模型可以实现动态的、多样化的、连续的数据学习过程。Incremental learning allows machine learning to further have self-learning capabilities, and can make corresponding adjustments to changes in the actual state, making the model more intelligent, and at the same time improving the convergence speed. This design applies incremental learning algorithm to DDoS detection, and the introduction of incremental learning enables the DDoS detection model to realize a dynamic, diversified and continuous data learning process.
在本设计中,使用的是比较典型的增量学习的算法-基于主成分分析的增量算法。将形成的多维度的DDoS特征向量组进行基于主成分分析的增量学习,包括以下步骤:In this design, a typical incremental learning algorithm-an incremental algorithm based on principal component analysis is used. The incremental learning of the formed multi-dimensional DDoS feature vector group based on principal component analysis includes the following steps:
对多维特征向量进行数据标准化以及归一化预处理;Perform data standardization and normalization preprocessing on multi-dimensional feature vectors;
计算预处理之后的多维特征向量的协方差矩阵,表示为:Calculate the covariance matrix of the multi-dimensional eigenvectors after preprocessing, expressed as:
Figure PCTCN2020096278-appb-000006
performing singular value decomposition (SVD) on the covariance matrix, and finally performing the spatial mapping; the spatial mapping process, shown in Figure 4, reduces the dimensionality of the multi-dimensional vectors and yields the features after incremental learning;
where D denotes the preprocessed multi-dimensional feature vectors, m the number of samples, and X_i the vector representation of the i-th sample.
The feature vectors formed after incremental learning are used as the input of the DNN detection algorithm.
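The three steps above, as an added example in pure Python (not the patent's code): running sums make the covariance incremental, so a new batch of feature vectors updates it without re-reading the old ones; after z-score standardization the covariance matrix is the correlation matrix, and because it is symmetric and positive semi-definite its SVD coincides with its eigendecomposition, computed here by Jacobi rotations; the spatial mapping then projects each standardized vector onto the top-k components. The feature rows are constructed so that the first two columns are identical and the third is uncorrelated with them, which makes the expected eigenvalues (2, 1, 0) easy to check. In practice a library SVD (numpy, scipy) would replace the Jacobi routine; everything else is the procedure the text describes.

```python
import math


def jacobi_eigen(matrix, tol=1e-12, max_sweeps=100):
    """Eigen-decomposition of a symmetric matrix by cyclic Jacobi rotations.
    For a covariance matrix (symmetric PSD) this equals its SVD. Returns the
    eigenvalues sorted descending and the matching unit eigenvectors."""
    n = len(matrix)
    a = [row[:] for row in matrix]
    v = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        off = sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        if off < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-300:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = (1.0 if theta >= 0 else -1.0) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):                      # A <- A J   (columns p, q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                      # A <- J^T A (rows p, q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):                      # V <- V J   (eigenvectors)
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    order = sorted(range(n), key=lambda i: -a[i][i])
    return [a[i][i] for i in order], [[v[k][i] for k in range(n)] for i in order]


class IncrementalPCA:
    """Keeps n, sum(x) and sum(x x^T); the standardized covariance follows from those sums."""

    def __init__(self, dim):
        self.dim, self.n = dim, 0
        self.s = [0.0] * dim
        self.ss = [[0.0] * dim for _ in range(dim)]
        self.mean, self.std, self.components = None, None, []

    def partial_fit(self, batch):
        for x in batch:
            self.n += 1
            for i in range(self.dim):
                self.s[i] += x[i]
                for j in range(self.dim):
                    self.ss[i][j] += x[i] * x[j]
        return self

    def standardized_covariance(self):
        """Covariance of the z-scored data (population statistics), i.e. the correlation matrix."""
        n = self.n
        self.mean = [si / n for si in self.s]
        var = [self.ss[i][i] / n - self.mean[i] ** 2 for i in range(self.dim)]
        self.std = [math.sqrt(v) if v > 1e-12 else 1.0 for v in var]   # constant-column guard
        return [[(self.ss[i][j] / n - self.mean[i] * self.mean[j]) / (self.std[i] * self.std[j])
                 for j in range(self.dim)] for i in range(self.dim)]

    def fit_components(self, k):
        values, vectors = jacobi_eigen(self.standardized_covariance())
        self.components = vectors[:k]
        return values

    def transform(self, x):
        """Spatial mapping: standardize, then project onto the retained components."""
        z = [(xi - m) / sd for xi, m, sd in zip(x, self.mean, self.std)]
        return [sum(zi * ci for zi, ci in zip(z, comp)) for comp in self.components]


# Constructed feature rows: columns 1 and 2 identical, column 3 uncorrelated with them
ROWS = [[1.0, 1.0, 5.0], [2.0, 2.0, 1.0], [3.0, 3.0, 9.0], [4.0, 4.0, 1.0], [5.0, 5.0, 5.0]]


def fit_in_two_batches(k=2):
    """Feed the rows as two batches, as a collector polling the flow tables would."""
    pca = IncrementalPCA(3).partial_fit(ROWS[:3]).partial_fit(ROWS[3:])
    return pca, pca.fit_components(k)


if __name__ == "__main__":
    pca, eigvals = fit_in_two_batches()
    print("eigenvalues:", [round(e, 6) for e in eigvals])
    for row in ROWS:
        print(row, "->", [round(c, 4) for c in pca.transform(row)])
```

The eigenvalues say how much of the standardized variance each retained component carries, so k is chosen by the fraction of the trace kept; with the constructed rows the first component alone holds 2 of 3.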
A deep neural network (DNN) consists of an input layer, hidden layers and an output layer. Supervised training of a DNN has two phases. The first is forward propagation of the signal from the input layer through the hidden layers to the output layer. The second is backward propagation of the error from the output layer through the hidden layers back to the input layer, adjusting in turn the weights and biases from the hidden layer to the output layer and then those from the input layer to the hidden layer.
The algorithm flow of the deep neural network is shown in Figure 5. During forward propagation, as shown in Figure 6, a neuron receives input signals from n other neurons over weighted connections; the total input received is compared with the neuron's threshold and then passed through an activation function to produce the neuron's output.
During backpropagation in the deep neural network, the sum of squared errors
Figure PCTCN2020096278-appb-000007
is used as the objective function for the backward iteration. The parameters are updated by gradient descent, i.e. by computing the gradients (partial derivatives) of all parameters
Figure PCTCN2020096278-appb-000008
Finally, when the global error falls below the threshold, training ends; otherwise iterative training continues. The model that performs well on the test set is used as the DDoS detection model in the software-defined network and should give good predictions on samples of unknown DDoS attack types.
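The two training phases described above, as an added Python example (not the patent's network): a small fully connected network with sigmoid neurons, forward propagation, backpropagation of the sum-of-squared-error objective (scaled by 1/2 so the output gradient is y - t), batch gradient descent on all weights and biases, and the stop condition on the global error. The training set is constructed for the example: three normalized features per flow (packet rate, SYN fraction, UDP fraction) and three one-hot classes (normal, SYN flood, UDP flood); the layer sizes, learning rate and error threshold are choices for the example, not values from the patent.

```python
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class DNN:
    """Fully connected network; W[l][j][i] links neuron i of layer l to neuron j of layer l+1."""

    def __init__(self, sizes, seed=0):
        rng = random.Random(seed)
        self.W = [[[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_out)]
                  for n_in, n_out in zip(sizes[:-1], sizes[1:])]
        self.b = [[0.0] * n_out for n_out in sizes[1:]]

    def forward(self, x):
        """Signal propagation; returns the activations of every layer, input included."""
        acts = [list(x)]
        for W, b in zip(self.W, self.b):
            x = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + bj) for row, bj in zip(W, b)]
            acts.append(x)
        return acts

    def predict(self, x):
        return self.forward(x)[-1]

    def train(self, X, T, lr=0.5, err_threshold=0.05, max_epochs=5000):
        """Batch gradient descent on E = 1/2 * sum (y - t)^2; stops once E < err_threshold."""
        for epoch in range(1, max_epochs + 1):
            gW = [[[0.0] * len(row) for row in W] for W in self.W]
            gb = [[0.0] * len(b) for b in self.b]
            err = 0.0
            for x, t in zip(X, T):
                acts = self.forward(x)
                y = acts[-1]
                err += 0.5 * sum((yj - tj) ** 2 for yj, tj in zip(y, t))
                delta = [(yj - tj) * yj * (1.0 - yj) for yj, tj in zip(y, t)]  # dE/dz at the output
                for l in range(len(self.W) - 1, -1, -1):
                    prev = acts[l]
                    for j, dj in enumerate(delta):
                        gb[l][j] += dj
                        for i, ai in enumerate(prev):
                            gW[l][j][i] += dj * ai
                    if l > 0:   # push the error one layer back through the weights
                        delta = [prev[i] * (1.0 - prev[i]) *
                                 sum(self.W[l][j][i] * delta[j] for j in range(len(delta)))
                                 for i in range(len(prev))]
            for l in range(len(self.W)):            # gradient-descent step on every parameter
                for j in range(len(self.W[l])):
                    self.b[l][j] -= lr * gb[l][j]
                    for i in range(len(self.W[l][j])):
                        self.W[l][j][i] -= lr * gW[l][j][i]
            if err < err_threshold:
                return epoch, err
        return max_epochs, err


# Constructed, already-normalized flow features: [packet rate, SYN fraction, UDP fraction]
CLASSES = ["normal", "syn_flood", "udp_flood"]
TRAIN_X = [[0.10, 0.10, 0.10], [0.15, 0.05, 0.20], [0.05, 0.20, 0.10],
           [0.90, 0.90, 0.10], [0.85, 0.95, 0.15], [0.95, 0.80, 0.05],
           [0.90, 0.10, 0.90], [0.95, 0.05, 0.85], [0.85, 0.15, 0.95]]
TRAIN_T = [[1, 0, 0]] * 3 + [[0, 1, 0]] * 3 + [[0, 0, 1]] * 3


def classify(model, x):
    y = model.predict(x)
    return CLASSES[y.index(max(y))]


def train_demo():
    model = DNN([3, 6, 3], seed=0)
    epochs, err = model.train(TRAIN_X, TRAIN_T)
    return model, epochs, err


if __name__ == "__main__":
    model, epochs, err = train_demo()
    print(f"stopped after {epochs} epochs, global error {err:.4f}")
    for x in TRAIN_X:
        print(x, "->", classify(model, x))
```

The second-stage classifier in the patent is exactly this shape: the input is the PCA-mapped feature vector and the output layer has one neuron per attack type, so the arg-max of the output gives the attack class.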
The invention further proposes an SDN DDoS detection system based on ensemble learning and neural networks, comprising a packet_in information extraction module, an anomaly early-warning module, a flow table information collection module, an information processing module and a detection module, wherein:
the packet_in information extraction module extracts the source IP address and destination IP address from packet_in packets;
the anomaly early-warning module applies the three-way decision principle: it obtains the anomaly alarm threshold from a naive Bayes probability model, computes the probability of the packet's class, and issues an anomaly warning when that probability is below the threshold;
the flow table information collection module collects the OpenFlow flow table data needed for DDoS detection; the Floodlight controller periodically sends the flow statistics request message ofp_flow_stats_request to the OpenFlow switches, and a switch answers with ofp_flow_stats_reply; based on this mechanism, a shell script on Linux can collect the flow table information periodically;
the information processing module standardizes, normalizes and reduces the dimensionality of the collected OpenFlow flow table data; in this module the collected flow table information is redirected into a file and the raw flow table information is then processed. FlowData is a wrapper class for the raw information, with attributes such as duration, packets, bytes, idle_timeout, idle_age, protocol, src_port, dst_port, ip_src and ip_dst, used to hold the parsed features. Preferably, in this embodiment, JsonArray is an array holding JSON data, the getAsJsonObject method retrieves each JSON object in the array and stores it as a JsonObject, and the processed data is finally wrapped in FlowData and written to a file;
the deep-neural-network-based detection module performs further in-depth detection with the neural network after the first detection stage has raised an anomaly alarm, to determine which type of attack has occurred.
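The parsing step of the information processing module above, as an added Python example (not the patent's Java FlowData class): it assumes the collector dumps the switch's flow table in the text form of `ovs-ofctl dump-flows`, which carries exactly the raw fields listed above and in claim 6 (duration, n_packets, n_bytes, idle_timeout, idle_age, protocol, ports, addresses), turns each entry into a FlowData record, and builds min-max normalized numeric rows from them. The three flow lines are constructed for the example, not captured from a switch; a real collector would redirect the periodic dump into a file and feed those lines in.

```python
import re
from dataclasses import dataclass, asdict

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
PROTO_KEYWORDS = {"ip", "tcp", "udp", "icmp", "arp", "ipv6", "tcp6", "udp6"}


@dataclass
class FlowData:
    """Raw per-flow features, named as in the patent's information processing module."""
    duration: float = 0.0
    packets: int = 0
    bytes: int = 0
    idle_timeout: int = 0
    idle_age: int = 0
    protocol: str = ""
    src_port: int = 0
    dst_port: int = 0
    ip_src: str = ""
    ip_dst: str = ""

    def vector(self):
        """Numeric row; addresses and ports stay out, the protocol becomes its IP number."""
        rate = self.packets / self.duration if self.duration > 0 else 0.0
        return [self.duration, self.packets, self.bytes, self.idle_timeout,
                self.idle_age, PROTO_NUM.get(self.protocol, 0), rate]


def parse_flow_line(line):
    """One `ovs-ofctl dump-flows` entry -> FlowData (raises on lines without a duration)."""
    head, _, _actions = line.strip().partition(" actions=")
    fields, proto = {}, ""
    for token in re.split(r",\s*", head):
        if "=" in token:
            key, val = token.split("=", 1)
            fields[key] = val
        elif token in PROTO_KEYWORDS:          # bare match keyword such as "udp"
            proto = token
    if "duration" not in fields:
        raise ValueError(f"not a flow entry: {line!r}")
    return FlowData(
        duration=float(fields["duration"].rstrip("s")),
        packets=int(fields.get("n_packets", 0)),
        bytes=int(fields.get("n_bytes", 0)),
        idle_timeout=int(fields.get("idle_timeout", 0)),
        idle_age=int(fields.get("idle_age", 0)),
        protocol=proto,
        src_port=int(fields.get("tp_src", 0)),
        dst_port=int(fields.get("tp_dst", 0)),
        ip_src=fields.get("nw_src", ""),
        ip_dst=fields.get("nw_dst", ""),
    )


def parse_dump(text):
    """All flow entries of a dump; the reply banner and blank lines are skipped."""
    return [parse_flow_line(line) for line in text.splitlines() if "duration=" in line]


def min_max_normalize(rows):
    """Column-wise scaling to [0, 1]; a constant column maps to 0."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - l) or 1.0 for c, l in zip(cols, lo)]
    return [[(v - l) / s for v, l, s in zip(r, lo, span)] for r in rows]


# Constructed dump (hypothetical hosts 10.0.0.x), not captured from a real switch
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=12.345s, table=0, n_packets=48, n_bytes=3456, idle_timeout=10, idle_age=3, priority=1,udp,in_port=1,nw_src=10.0.0.1,nw_dst=10.0.0.2,tp_src=40000,tp_dst=53 actions=output:2
 cookie=0x0, duration=2.001s, table=0, n_packets=1, n_bytes=74, idle_timeout=10, idle_age=1, priority=1,tcp,in_port=3,nw_src=10.0.0.7,nw_dst=10.0.0.2,tp_src=5123,tp_dst=80 actions=output:2
 cookie=0x0, duration=300.5s, table=0, n_packets=0, n_bytes=0, priority=0 actions=CONTROLLER:65535
"""

if __name__ == "__main__":
    flows = parse_dump(SAMPLE_DUMP)
    for f in flows:
        print(asdict(f))
    print(min_max_normalize([f.vector() for f in flows]))
```

The table-miss entry (priority 0, no match fields) parses with empty protocol and zero ports, which is what the feature rows need: a flood of short-lived, one-packet flows shows up as many rows with tiny duration and packet counts next to the long-lived default entry.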
The architecture of the system is shown in Figure 2. The packet_in information extraction module mainly extracts the source and destination IP addresses from packet_in packets, and may use the following method:
net.floodlightcontroller.core.IListener.Command receive(IOFSwitch sw, OFMessage msg, FloodlightContext cntx)
Function: this method handles Packet_in messages, where sw represents the switch, msg the message from the switch, and cntx the controller context; the implementing code is:
Figure PCTCN2020096278-appb-000009
Figure PCTCN2020096278-appb-000010
The above code is developed as a module inside the SDN controller. This function listens to the messages exchanged between the SDN controller and the OpenFlow switches; when the captured OFMessage is of Packet-in type it is processed, and the information carried in the data link, network and transport layers (MAC addresses, IP addresses, transport-layer protocol, port numbers) is parsed out.
List<String> PacketInType(IOFSwitch sw, OFMessage m, Ethernet eth)
This method determines whether the packet_in message is unicast, multicast or broadcast and its Ethernet type, and extracts the information from the data link layer up to the transport layer.
getPACKET_IN_UDP_Count()
This method counts the number of UDP packet_in packets received.
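As an added example (Python, not the patent's Floodlight module), the following does the work of the three methods above on the raw Ethernet frame carried in a packet_in message: it classifies the destination MAC as unicast, multicast or broadcast, reads the Ethernet type, the IPv4 addresses and protocol, the transport-layer ports (and the TCP flags, since SYN-only bursts are the classic flood signature), and keeps the UDP packet_in counter. The sample frames are constructed inline; the controller-side plumbing that hands each packet_in payload to `PacketInStats.observe` is assumed.

```python
import struct
from collections import Counter

ETH_TYPE_IPV4 = 0x0800
ETH_TYPE_ARP = 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def cast_type(dst_mac):
    """Unicast / multicast / broadcast from the destination MAC (I/G bit of the first octet)."""
    if dst_mac == BROADCAST_MAC:
        return "broadcast"
    if dst_mac[0] & 0x01:
        return "multicast"
    return "unicast"


def parse_packet_in(payload):
    """Extract L2..L4 fields from the frame carried in a packet_in; raises on truncation."""
    if len(payload) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, eth_type = struct.unpack("!6s6sH", payload[:14])
    info = {"cast": cast_type(dst), "dl_dst": mac_str(dst),
            "dl_src": mac_str(src), "eth_type": eth_type}
    if eth_type != ETH_TYPE_IPV4:
        return info                       # ARP, IPv6, ...: stop at the link layer
    if len(payload) < 34:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _frag, ttl,
     proto, _csum, nw_src, nw_dst) = struct.unpack("!BBHHHBBH4s4s", payload[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 version/IHL")
    info.update(nw_src=ip_str(nw_src), nw_dst=ip_str(nw_dst), nw_proto=proto, ttl=ttl)
    l4 = payload[14 + ihl:]
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(l4) < 4:
            raise ValueError("truncated transport header")
        info["tp_src"], info["tp_dst"] = struct.unpack("!HH", l4[:4])
        if proto == PROTO_TCP and len(l4) >= 14:
            info["tcp_flags"] = l4[13]    # 0x02 = SYN only
    return info


class PacketInStats:
    """Counters the controller module keeps across packet_in messages."""

    def __init__(self):
        self.total = 0
        self.udp = 0
        self.by_src = Counter()

    def observe(self, payload):
        info = parse_packet_in(payload)
        self.total += 1
        if info.get("nw_proto") == PROTO_UDP:
            self.udp += 1
        if "nw_src" in info:
            self.by_src[info["nw_src"]] += 1
        return info

    def get_packet_in_udp_count(self):
        return self.udp


def build_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, proto, l4):
    """Constructed test frame; the IP checksum is left 0 because the parser does not verify it."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_TYPE_IPV4) + ip_hdr + l4


# Constructed sample frames between hypothetical hosts 10.0.0.1 and 10.0.0.2
H1 = bytes.fromhex("000000000001")
H2 = bytes.fromhex("000000000002")
SAMPLE_UDP = build_ipv4_frame(H2, H1, "10.0.0.1", "10.0.0.2", PROTO_UDP,
                              struct.pack("!HHHH", 40000, 53, 12, 0) + b"\x00" * 4)
SAMPLE_TCP_SYN = build_ipv4_frame(H2, H1, "10.0.0.1", "10.0.0.2", PROTO_TCP,
                                  struct.pack("!HHIIBBHHH", 5123, 80, 1, 0, 5 << 4, 0x02, 1024, 0, 0))
SAMPLE_ARP = struct.pack("!6s6sH", BROADCAST_MAC, H1, ETH_TYPE_ARP) + b"\x00" * 28

if __name__ == "__main__":
    stats = PacketInStats()
    for frame in (SAMPLE_UDP, SAMPLE_TCP_SYN, SAMPLE_ARP):
        print(stats.observe(frame))
    print("udp packet_in count:", stats.get_packet_in_udp_count())
```

The length checks matter in a controller: packet_in carries only the first `miss_send_len` bytes of a frame, so a parser that indexes headers without them can be crashed by a deliberately short or malformed frame, which is itself a denial of service against the controller.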
The anomaly early-warning module is based on three-way decisions; specifically, a probabilistic rough set / naive Bayes method is used to estimate the thresholds. When a new packet_in packet has been parsed, its Bayesian probability is computed and compared with the thresholds that delimit the negative region and the boundary region; if the packet falls into the negative or the boundary region, the flag is set to 0 and an anomaly alarm is raised. The procedure is as follows:
Figure PCTCN2020096278-appb-000011
where P(T|o_i(v_j)) denotes the Bayesian probability that the i-th object (packet) belongs to T (normal); o_i denotes the i-th object (packet); o_i(v_j) denotes (left undefined in the original); POS(T) denotes the positive region; NEG(T) the negative region; and BND(T) the boundary region.
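The three-way decision above, as an added example in Python (not the patent's implementation): a categorical naive Bayes model with Laplace smoothing gives P(T | packet), the probability that the packet is normal, and the two thresholds alpha and beta split packets into POS(T), BND(T) and NEG(T); packets in the boundary or negative region get flag = 0 and raise the alarm. It also carries out the threshold selection of claim 3, scoring candidate (alpha, beta) pairs by classification accuracy. The bucketed packet attributes and the labelled training set are constructed for the example; the default thresholds 0.9 and 0.1 are the values of claim 4.

```python
from collections import Counter, defaultdict
from math import exp, log


class NaiveBayesThreeWay:
    """Categorical naive Bayes (Laplace-smoothed) plus a three-way decision on P(normal | packet)."""

    def __init__(self, alpha=0.9, beta=0.1, smoothing=1.0):
        if not 0.0 <= beta < alpha <= 1.0:
            raise ValueError("need 0 <= beta < alpha <= 1")
        self.alpha, self.beta, self.k = alpha, beta, smoothing
        self.class_count = Counter()               # label -> number of packets
        self.attr_count = defaultdict(Counter)     # (label, attr) -> Counter of values
        self.values = defaultdict(set)             # attr -> distinct values seen

    def fit(self, packets, labels):
        for x, y in zip(packets, labels):
            self.class_count[y] += 1
            for attr, val in x.items():
                self.attr_count[(y, attr)][val] += 1
                self.values[attr].add(val)
        return self

    def _log_joint(self, x, label):
        """log P(label) + sum_i log P(object_i | label); attributes treated as independent."""
        n = sum(self.class_count.values())
        lp = log(self.class_count[label] / n)
        for attr, val in x.items():
            cnt = self.attr_count[(label, attr)]
            lp += log((cnt[val] + self.k) /
                      (self.class_count[label] + self.k * len(self.values[attr])))
        return lp

    def p_normal(self, x):
        """P(T | object) by Bayes' rule; P(object) is the sum of the joints over all classes."""
        joints = {y: self._log_joint(x, y) for y in self.class_count}
        m = max(joints.values())                   # log-sum-exp keeps small products stable
        total = sum(exp(v - m) for v in joints.values())
        return exp(joints["normal"] - m) / total

    def decide(self, x):
        """Return (region, p, flag): POS keeps flag 1; BND and NEG set flag 0 and alarm."""
        p = self.p_normal(x)
        if p >= self.alpha:
            return "POS", p, 1
        if p <= self.beta:
            return "NEG", p, 0
        return "BND", p, 0


def select_thresholds(model, packets, labels, candidates):
    """Claim-3 style selection: try several (alpha, beta) pairs and keep the most accurate."""
    best = None
    for alpha, beta in candidates:
        model.alpha, model.beta = alpha, beta
        correct = sum(model.decide(x)[2] == (y == "normal") for x, y in zip(packets, labels))
        acc = correct / len(packets)
        if best is None or acc > best[1]:
            best = ((alpha, beta), acc)
    model.alpha, model.beta = best[0]
    return best


def pkt(proto, dport, flags, size):
    return {"proto": proto, "dport": dport, "flags": flags, "size": size}


# Constructed labelled packet_in attributes (bucketed fields, not real traffic)
TRAIN = (
    [(pkt("tcp", "web", "ack", "large"), "normal")] * 8
    + [(pkt("udp", "dns", "none", "large"), "normal")] * 4
    + [(pkt("tcp", "web", "syn", "small"), "attack")] * 6     # SYN-flood-like
    + [(pkt("udp", "other", "none", "small"), "attack")] * 6  # UDP-flood-like
)
PACKETS, LABELS = [p for p, _ in TRAIN], [l for _, l in TRAIN]


def train_model():
    return NaiveBayesThreeWay().fit(PACKETS, LABELS)


if __name__ == "__main__":
    model = train_model()
    print(select_thresholds(model, PACKETS, LABELS, [(0.9, 0.1), (0.8, 0.2), (0.95, 0.05)]))
    for x in (pkt("tcp", "web", "ack", "large"), pkt("tcp", "web", "syn", "small"),
              pkt("udp", "other", "none", "large")):
        print(x, model.decide(x))
```

The boundary region is the point of the three-way scheme: a packet the model cannot place (here a large UDP packet to an unusual port) is neither dropped nor trusted but handed to the second, heavier stage, which is why the flag for BND is 0 just as for NEG.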
After the anomaly alarm is raised, the second stage begins: the deep-neural-network-based detection module, whose main purpose is to classify the anomaly. The deep neural network was described in the method section and is not repeated here.
Although embodiments of the invention have been shown and described, those skilled in the art will understand that, for convenience and brevity of description, the specific working processes of the system, devices and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, devices and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation, e.g. multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, or all or part of it, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments serve only to illustrate the technical solution of this application and not to limit it; although this application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of this application.

Claims (9)

  1. A neural network-based DDoS detection method in an SDN network, characterized in that it comprises:
    collecting and analyzing the packet_in packets sent by OpenFlow switches to the OpenFlow controller;
    parsing the received packet_in packets and extracting all fields of the packet and their corresponding values;
    based on the three-way decision principle, obtaining the anomaly alarm threshold from a naive Bayes probability model, computing the probability of the packet's class, and raising an anomaly alarm according to that probability;
    when the anomaly warning is raised, collecting OpenFlow flow table information and storing the collected OpenFlow flow tables in a database or file;
    processing the collected flow table information to extract the original features, and combining them with DDoS attack features to construct a multi-dimensional feature vector group;
    performing incremental learning on the constructed multi-dimensional feature vector group, with spatial mapping by principal component analysis to form new feature vectors, and using the new feature vectors as the input to train a deep neural network;
    feeding real-time packets into the deep neural network to perform DDoS detection on the data and obtain the attack type.
  2. The neural network-based DDoS detection method in an SDN network according to claim 1, characterized in that collecting and analyzing the packet_in packets sent by OpenFlow switches to the OpenFlow controller comprises:
    processing the monitored OpenFlow protocol messages;
    collecting and storing the type of each packet_in packet;
    counting the number of UDP packet_in packets.
  3. The neural network-based DDoS detection method in an SDN network according to claim 1, characterized in that obtaining the anomaly alarm threshold from a naive Bayes probability model based on the three-way decision principle comprises setting a suspicious traffic threshold and an abnormal traffic threshold; determining whether the probability of the packet's class is greater than the suspicious traffic threshold, and if so the packet is a suspicious packet; determining whether the probability of the packet's class is greater than the abnormal traffic threshold, and if so the packet is an abnormal packet; if the packet is an abnormal traffic packet, then; if the packet is a suspicious traffic packet, then; after the Bayesian probability has been computed, the optimal values of the suspicious traffic threshold and the abnormal traffic threshold are selected by setting several pairs of suspicious and abnormal traffic thresholds and comparing the corresponding classification accuracy.
  4. The neural network-based DDoS detection method in an SDN network according to claim 3, characterized in that the suspicious traffic threshold is 0.9 and the abnormal traffic threshold is 0.1.
  5. The neural network-based DDoS detection method in an SDN network according to claim 1, characterized in that computing the probability of the packet's class comprises:
    Figure PCTCN2020096278-appb-100001
    where object denotes the packet; T denotes that the packet is normal; P(T|object) is the probability that the packet is normal; P(T) is the prior probability that a packet is normal; P(object|T) is the likelihood of the packet given that it is normal; P(object) is the total (marginal) probability of the packet; P(object_i|T) is the class-conditional probability of attribute object_i given that the packet is normal, under the assumption that the attributes object_i of the packet are mutually independent; and n is the number of attribute fields.
  6. The neural network-based DDoS detection method in an SDN network according to claim 1, characterized in that the original features extracted from the flow table information comprise the duration Duration, the number of packets n_packet, the packet bytes n_byte, the idle time idle_timeout, the miss time idle_age, the protocol, the source IP address src_ip, the destination IP address dst_ip, the source port src_port and the destination port dst_port; and the DDoS attack features are the DDoS attack features selected by the Bagging algorithm.
  7. The neural network-based DDoS detection method in an SDN network according to claim 1, characterized in that performing incremental learning on the constructed multi-dimensional feature vector group comprises:
    standardizing and normalizing the multi-dimensional feature vectors;
    computing the covariance matrix of the preprocessed multi-dimensional feature vectors, expressed as:
    Figure PCTCN2020096278-appb-100002
    performing singular value decomposition (SVD) on the covariance matrix, and finally performing the spatial mapping to obtain the features after incremental learning;
    where D denotes the preprocessed multi-dimensional feature vectors, m the number of samples, and X_i the vector representation of the i-th sample.
  8. The neural network-based DDoS detection method in an SDN network according to claim 1, characterized in that using the new feature vectors as the input of the deep neural network and training the deep neural network comprises: the neural network consists of an input layer, a hidden layer and an output layer; training of the deep neural network comprises forward propagation of the signal, i.e. the propagation process from the input layer through the hidden layer to the output layer, and backward propagation of the error, which adjusts the weights and biases from the hidden layer to the output layer and, proceeding from the output layer through the hidden layer to the input layer, the weights and biases from the input layer to the hidden layer;
    the forward propagation process comprises a neuron receiving input signals from n other neurons over weighted connections; the total input received by the neuron is compared with the neuron's threshold and then processed by an activation function to produce the neuron's output;
    the backward propagation process comprises backward iteration with the sum of squared errors as the objective function; the parameters are computed by gradient descent, i.e. by computing the gradients of all parameters; when the global error is less than the threshold, training ends, otherwise iterative training continues.
  9. The neural network-based DDoS detection method in an SDN network according to claim 1, characterized in that it comprises a packet_in information extraction module, an anomaly early-warning module, a flow table information collection module, an information processing module and a detection module, wherein:
    the packet_in information extraction module extracts the source IP address and destination IP address from packet_in packets;
    the anomaly early-warning module applies the three-way decision principle: it obtains the anomaly alarm threshold from a naive Bayes probability model, computes the probability of the packet's class, and issues an anomaly warning when that probability is below the threshold;
    the flow table information collection module collects the OpenFlow flow table data needed for DDoS detection;
    the information processing module standardizes, normalizes and reduces the dimensionality of the collected OpenFlow flow table data;
    the deep-neural-network-based detection module performs further in-depth detection with the neural network after the first detection stage has raised an anomaly alarm, and outputs the attack type.
PCT/CN2020/096278 2019-11-04 2020-06-16 Neural network-based ddos detection method and system in sdn network WO2021088372A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911063906.7A CN110784481B (en) 2019-11-04 2019-11-04 DDoS detection method and system based on neural network in SDN network
CN201911063906.7 2019-11-04

Publications (1)

Publication Number Publication Date
WO2021088372A1 true WO2021088372A1 (en) 2021-05-14

Family

ID=69388712

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/096278 WO2021088372A1 (en) 2019-11-04 2020-06-16 Neural network-based ddos detection method and system in sdn network

Country Status (2)

Country Link
CN (1) CN110784481B (en)
WO (1) WO2021088372A1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113627074A (en) * 2021-07-13 2021-11-09 西安理工大学 Ground wave propagation delay prediction method based on transfer learning
CN114039763A (en) * 2021-11-04 2022-02-11 杭州安恒信息技术股份有限公司 Distributed denial of service attack defense method and device and server
CN114358177A (en) * 2021-12-31 2022-04-15 北京工业大学 Unknown network traffic classification method and system based on multidimensional feature compact decision boundary
CN114978667A (en) * 2022-05-17 2022-08-30 安捷光通科技成都有限公司 SDN network DDoS attack detection method based on graph neural network
CN115250193A (en) * 2021-12-22 2022-10-28 长沙理工大学 DoS attack detection method, device and medium for SDN network
CN115589323A (en) * 2022-10-18 2023-01-10 湖南大学 DLDoS attack detection and mitigation method based on machine learning in data plane
CN115664804A (en) * 2022-10-25 2023-01-31 湖南大学 LDoS attack detection method based on radial basis function neural network
CN115714685A (en) * 2022-11-22 2023-02-24 中国人民解放军国防科技大学 DDoS attack detection method, system, device and medium
CN117041018A (en) * 2023-10-09 2023-11-10 中电科大数据研究院有限公司 Remote intelligent operation and maintenance management method for data center and related equipment
CN117254978A (en) * 2023-11-16 2023-12-19 苏州元脑智能科技有限公司 Processing method and device for abnormal scanning behaviors
CN117411726A (en) * 2023-12-13 2024-01-16 天津市亿人科技发展有限公司 DDoS attack and cloud WAF defense method based on neural network

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110784481B (en) * 2019-11-04 2021-09-07 重庆邮电大学 DDoS detection method and system based on neural network in SDN network
CN111490975A (en) * 2020-03-23 2020-08-04 山东大学 Distributed denial of service DDoS attack tracing system and method based on software defined network
CN112422493B (en) * 2020-07-27 2022-05-24 哈尔滨工业大学 DDoS attack detection method based on multilayer perception neural network MLDNN under SDN network architecture
CN112417446A (en) * 2020-12-12 2021-02-26 山东交通学院 Software defined network anomaly detection architecture
CN112653687B (en) * 2020-12-17 2022-04-01 贵州大学 SDN network feature extraction method for differential evolution in DDoS detection environment
CN112688970B (en) * 2021-03-18 2021-07-02 广东省新一代通信与网络创新研究院 Large-traffic DDoS attack detection method and system based on programmable chip
CN113378168B (en) * 2021-07-04 2022-05-31 昆明理工大学 Method for realizing DDoS attack detection in SDN environment based on Renyi entropy and BiGRU algorithm
CN114363065B (en) * 2022-01-04 2023-07-25 重庆邮电大学 DDoS detection method based on GSODNN and SDN
CN114978720B (en) * 2022-05-26 2023-06-20 沈阳理工大学 Intelligent detection method for visual characterization of distributed denial of service attack
CN115396363B (en) * 2022-08-24 2023-07-25 桂林电子科技大学 Flow classification method and system in SDN network environment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170195292A1 (en) * 2015-12-31 2017-07-06 Fortinet, Inc. Sequentially serving network security devices using a software defined networking (sdn) switch
US20180152475A1 (en) * 2016-11-30 2018-05-31 Foundation Of Soongsil University-Industry Cooperation Ddos attack detection system based on svm-som combination and method thereof
CN109981691A (en) * 2019-04-30 2019-07-05 山东工商学院 A kind of real-time ddos attack detection system and method towards SDN controller
CN110336830A (en) * 2019-07-17 2019-10-15 山东大学 A kind of ddos attack detection system based on software defined network
CN110784481A (en) * 2019-11-04 2020-02-11 重庆邮电大学 DDoS detection method and system based on neural network in SDN network

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150317556A1 (en) * 2014-04-30 2015-11-05 Prophetstor Data Services, Inc. Adaptive quick response controlling system for software defined storage system for improving performance parameter
CN106599924A (en) * 2016-12-16 2017-04-26 北京灵众博通科技有限公司 Classifier construction method based on three-way decision
CN106657107B (en) * 2016-12-30 2020-05-12 南京邮电大学 Adaptive starting ddos defense method and system based on trust value in SDN
CN107273912A (en) * 2017-05-10 2017-10-20 重庆邮电大学 A kind of Active Learning Method based on three decision theories
CN108718297A (en) * 2018-04-27 2018-10-30 广州西麦科技股份有限公司 Ddos attack detection method, device, controller and medium based on BP neural network
CN109934203B (en) * 2019-03-25 2023-09-29 南京大学 Cost-sensitive incremental face recognition method based on information entropy selection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WANG LU , JIA XIUYI ,GU YANNAN: "Three-way decisions based Bayesian network classifier", JOURNAL OF NANJING UNIVERSITY(NATURAL SCIENCES), vol. 52, no. 5, 30 September 2016 (2016-09-30), pages 883 - 843, XP055810341, DOI: 10.13232/j.cnki.jnju.2016.05.009 *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113627074B (en) * 2021-07-13 2024-04-19 西安理工大学 Ground wave propagation delay prediction method based on transfer learning
CN113627074A (en) * 2021-07-13 2021-11-09 西安理工大学 Ground wave propagation delay prediction method based on transfer learning
CN114039763A (en) * 2021-11-04 2022-02-11 杭州安恒信息技术股份有限公司 Distributed denial of service attack defense method and device and server
CN115250193B (en) * 2021-12-22 2024-02-23 长沙理工大学 DoS attack detection method, device and medium for SDN network
CN115250193A (en) * 2021-12-22 2022-10-28 长沙理工大学 DoS attack detection method, device and medium for SDN network
CN114358177A (en) * 2021-12-31 2022-04-15 北京工业大学 Unknown network traffic classification method and system based on multidimensional feature compact decision boundary
CN114358177B (en) * 2021-12-31 2024-03-29 北京工业大学 Unknown network traffic classification method and system based on multidimensional feature compact decision boundary
CN114978667A (en) * 2022-05-17 2022-08-30 安捷光通科技成都有限公司 SDN network DDoS attack detection method based on graph neural network
CN114978667B (en) * 2022-05-17 2024-02-09 安捷光通科技成都有限公司 SDN network DDoS attack detection method based on graph neural network
CN115589323B (en) * 2022-10-18 2024-04-02 湖南大学 DLDoS attack detection and alleviation method based on machine learning in data plane
CN115589323A (en) * 2022-10-18 2023-01-10 湖南大学 DLDoS attack detection and mitigation method based on machine learning in data plane
CN115664804B (en) * 2022-10-25 2024-04-19 湖南大学 LDoS attack detection method based on radial basis function neural network
CN115664804A (en) * 2022-10-25 2023-01-31 湖南大学 LDoS attack detection method based on radial basis function neural network
CN115714685A (en) * 2022-11-22 2023-02-24 中国人民解放军国防科技大学 DDoS attack detection method, system, device and medium
CN117041018B (en) * 2023-10-09 2024-01-02 中电科大数据研究院有限公司 Remote intelligent operation and maintenance management method for data center and related equipment
CN117041018A (en) * 2023-10-09 2023-11-10 中电科大数据研究院有限公司 Remote intelligent operation and maintenance management method for data center and related equipment
CN117254978B (en) * 2023-11-16 2024-02-09 苏州元脑智能科技有限公司 Processing method and device for abnormal scanning behaviors
CN117254978A (en) * 2023-11-16 2023-12-19 苏州元脑智能科技有限公司 Processing method and device for abnormal scanning behaviors
CN117411726B (en) * 2023-12-13 2024-03-12 天津市亿人科技发展有限公司 DDoS attack and cloud WAF defense method based on neural network
CN117411726A (en) * 2023-12-13 2024-01-16 天津市亿人科技发展有限公司 DDoS attack and cloud WAF defense method based on neural network

Also Published As

Publication number Publication date
CN110784481B (en) 2021-09-07
CN110784481A (en) 2020-02-11

Similar Documents

Publication Publication Date Title
WO2021088372A1 (en) Neural network-based ddos detection method and system in sdn network
Zhang et al. Network intrusion detection: Based on deep hierarchical network and original flow data
Gao et al. A distributed network intrusion detection system for distributed denial of service attacks in vehicular ad hoc network
Sangkatsanee et al. Practical real-time intrusion detection using machine learning approaches
Zhang et al. Network intrusion detection method based on PCA and Bayes algorithm
Al-Yaseen et al. Real-time multi-agent system for an adaptive intrusion detection system
Peng et al. Network intrusion detection based on deep learning
Yang et al. Griffin: an ensemble of autoencoders for anomaly traffic detection in SDN
Ortet Lopes et al. Towards effective detection of recent DDoS attacks: A deep learning approach
Abraham et al. A comparison of machine learning approaches to detect botnet traffic
Bodström et al. State of the art literature review on network anomaly detection with deep learning
Lu et al. Intrusion detection of wireless sensor networks based on IPSO algorithm and BP neural network
Li et al. An intrusion detection method based on active transfer learning
El-Kadhi et al. A Mobile Agents and Artificial Neural Networks for Intrusion Detection.
Liu et al. A BIPMU-based network security situation assessment method for wireless network
Eunaicy et al. Web attack detection using deep learning models
Liu et al. Malicious traffic detection combined deep neural network with hierarchical attention mechanism
Jasim et al. K-Means clustering-based semi-supervised for DDoS attacks classification
Parfenov et al. Research application of ensemble machine learning methods to the problem of multiclass classification of DDoS attacks identification
Zhu et al. Application of data mining technology in detecting network intrusion and security maintenance
CN111490976A (en) Dynamic baseline management and monitoring method for industrial control network
CN115842647A (en) Network security threat detection method based on flow data
Belaissaoui et al. Machine Learning techniques optimized by Practical Swarm optimization for Intrusions Detection in IoT.
Zhong et al. Track Signal Intrusion Detection Method Based on Deep Learning in Cloud-Edge Collaborative Computing Environment
Rao et al. A Fast KNN Based Intrusion Detection System For Cloud Environment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20885740; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20885740; Country of ref document: EP; Kind code of ref document: A1)