Joint DDoS detection system for software-defined networking
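  • English title: Joint DDoS detection system based on software-defined networking
  • Authors: 宋宇; 杨慧文; 武威; 胡爱群; 高尚
  • English authors: SONG Yubo; YANG Huiwen; WU Wei; HU Aiqun; GAO Shang; School of Information Science and Engineering, Southeast University;
  • Keywords: distributed denial-of-service attack; software-defined networking; anomaly detection; ensemble learning
  • English keywords: distributed denial-of-service attack; software-defined networking; anomaly detection; ensemble learning
  • Chinese journal name: QHXB
  • English journal name: Journal of Tsinghua University (Science and Technology)
  • Institution: School of Information Science and Engineering, Southeast University;
  • Publication date: 2019-01-15
  • Publisher: Journal of Tsinghua University (Science and Technology)
  • Year: 2019
  • Issue: v.59
  • Funding: State Grid Corporation Headquarters Science and Technology Project (SGGR0000XTJS1800079)
  • Language: Chinese;
  • Page: QHXB201901005
  • Number of pages: 8
  • CN: 01
  • ISSN: 11-2223/N
  • Classification number: 30-37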
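Abstract
Distributed denial-of-service (DDoS) attacks have become one of the greatest threats to network security. Traditional countermeasures such as intrusion detection, traffic filtering and multiple authentication are constrained by static network architectures and have obvious shortcomings. Software-defined networking (SDN), a new kind of dynamic network architecture, overturns the existing network architecture with its separation of the data and control planes, centralized control and dynamic programmability, and offers a new approach to countering DDoS attacks. Existing SDN-based DDoS protection schemes are at an early stage of research and have many problems. To address the problem that too short a detection period in existing schemes leads to high system overhead, this paper proposes a joint DDoS detection scheme that combines trigger detection with in-depth detection, pairing a low-overhead, coarse-grained trigger detection algorithm with a high-precision, fine-grained in-depth detection algorithm to reduce system complexity while maintaining high detection accuracy. An SDN-based DDoS attack detection system was also implemented on the Mininet platform, and experiments were designed to test and evaluate it. The experimental results show that the system has low overhead and high detection accuracy, and is of considerable practical value.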
Distributed denial-of-service (DDoS) attacks, which are becoming increasingly serious, have become one of the biggest threats to network security. Traditional defense mechanisms such as intrusion detection, traffic filtering and multiple authentication are limited to static networks, which leads to obvious drawbacks. Software-defined networking (SDN) is a typical dynamic network that provides defenses against DDoS. The existing SDN-based DDoS protection solutions are still in development with many problems that need improvement. A DDoS detection scheme combined with trigger detection and in-depth detection is given here to shorten the detection period with low system overhead. A low-overhead, coarse-grained trigger detection algorithm is integrated with a precise, fine-grained, in-depth detection algorithm to reduce system complexity while ensuring high detection accuracy. An SDN DDoS detection system has been implemented on the Mininet platform to test and evaluate the system. The tests show that the detection system has low system overhead, high detection accuracy, and strong practical value.
