DDoS attack detection method based on bidirectional traffic features in SDN scenarios
Details
  • English title: Distributed denial of service attack detection based on bidirectional traffic feature in software defined network
  • Authors: 陈超 (Chen Chao); 曹晓梅 (Cao Xiaomei)
  • English author line: Chen Chao; Cao Xiaomei; School of Computer & Software, Nanjing University of Posts & Telecommunications
  • Keywords: software defined network; bidirectional traffic; four-tuple feature; distributed denial of service attack; growing hierarchical self-organizing map
  • English keywords: software defined network (SDN); bidirectional traffic feature; four-tuple; distributed denial of service (DDoS); growing hierarchical self-organization map
  • Journal code: JSYJ
  • English journal title: Application Research of Computers
  • Affiliation: School of Computer and Software, Nanjing University of Posts and Telecommunications
  • Publication date: 2018-04-12 08:51
  • Publisher: 计算机应用研究 (Application Research of Computers)
  • Year: 2019
  • Volume/issue: v.36; No.333
  • Funding: National Natural Science Foundation of China (61202353); National "973" Program (2011CB302903); Jiangsu Higher Education Priority Academic Program Development project (yx002001)
  • Language: Chinese
  • Document ID: JSYJ201907050
  • Page count: 6
  • Issue number: 07
  • CN: 51-1196/TP
  • Pages: 234-239
Abstract
The distributed nature of traditional network resources makes it hard for administrators to control the network centrally, so when a distributed denial of service (DDoS) attack occurs it is difficult to detect it quickly and accurately and to trace its source. To address this problem, this paper combines the centralized control and dynamic management of software defined networking (SDN) with the characteristics of DDoS attacks: it introduces the concept of bidirectional traffic, proposes a four-tuple feature for attack detection, and uses the growing hierarchical self-organizing map (GHSOM) algorithm to analyze and classify the four-tuple feature vectors extracted from network flows quickly and accurately. It also proposes a detection method that locates potential victims by adaptively changing the granularity of the monitoring flow table entries. Simulation results show that the proposed four-tuple feature, together with a detection algorithm that issues a moderate number of monitoring flow table entries, can detect attacks and locate the victim with an accuracy of about 96% while imposing little computational overhead on the controller.