Research on DDoS Real-Time Monitoring and Mitigating in SDN Network
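DOI: 10.12677/CSA.2019.94082. Supported by national science and technology funding.
Authors: Li Dong*, Zhou Qizhao: Network and Computing Center, Huazhong University of Science and Technology, Wuhan, Hubei
Keywords: DDoS (Denial-of-Service Attack); SDN (Software-Defined Networking); Flow Table; Gradient Decision Tree (Gradient Decision Classification)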
Abstract: Software-defined networking (SDN) is a novel network architecture that has a global view of the network and enables centralized control. This paper studies the characteristics and harm of DDoS attacks in SDN networks, and designs and implements a mechanism for real-time monitoring and mitigation of DDoS attacks in SDN networks. For real-time monitoring, the paper analyzes both the traditional network behavior characteristics of DDoS attacks and the data characteristics of SDN flow table entries, and from these proposes a detection feature vector for DDoS attacks in SDN networks. Based on this vector, the data collection module of the SDN controller is modified; after feature denoising and dimensionality reduction, the gradient decision classification algorithm (GBDT) is used to train a classification model that performs anomaly classification on the generated SDN flow table entry data. For defense, in response to anomalies in the flow table entry data, the SDN controller uses its global view to configure the relevant parameters and issues flow table entries in real time to suppress the DDoS attack. Simulated experiments show that the proposed real-time monitoring and mitigation mechanism can effectively detect and mitigate DDoS attacks in SDN networks.
Cite this article: Li Dong, Zhou Qizhao. Research on DDoS Real-Time Monitoring and Mitigating in SDN Network [J]. Computer Science and Application, 2019, 9(4): 721-730. https://doi.org/10.12677/CSA.2019.94082
