Cite this article:
  • JIA Kun, WANG Junnan, LIU Feng. DDoS Detection and Mitigation Framework in SDN [J]. Journal of Cyber Security, 2021, 6(1): 17-31
DDoS Detection and Mitigation Framework in SDN (original title in Chinese: SDN环境下的DDoS检测与缓解机制)
JIA Kun1,2, WANG Junnan1,2, LIU Feng2
(1. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China; 2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China)
Abstract (translated from the Chinese):
Software-defined Networking (SDN) defines routing programmatically and thoroughly overturns the traditional network architecture. By adopting a centralized topology, SDN achieves global control over the network infrastructure. However, this centralized topology is highly exposed to network attacks such as Distributed Denial of Service (DDoS). Traditional DDoS achieves denial of service by saturating switch bandwidth and exhausting controller computing resources. In recent years, new DDoS variants have achieved denial of service by attacking the southbound channel between the controller and the switches and by attacking the switches' flow tables. To mitigate the security problems brought by both traditional and new DDoS, this paper proposes a lightweight DDoS detection and defense framework for SDN, SDDetector (Software Defined Detector). It runs in two modes, coarse-grained and fine-grained: the coarse-grained mode extracts statistical features from the SDN switches and raises threshold alarms on suspicious attack behavior; once an alarm is triggered, the fine-grained mode performs a second round of feature extraction and uses an entropy detection algorithm and an SVM detection algorithm for further attack discrimination. The study finds that the entropy detection algorithm is good at handling DDoS attacks that use source IP spoofing as well as the new SDN-specific DDoS attacks, while the SVM detection algorithm is good at handling application-layer, interaction-based DDoS attacks. SDDetector runs the two algorithms in an approximately parallel fashion and automatically lets the algorithm whose feature extraction finishes fastest complete the attack detection, greatly reducing the system's response time to attacks. Experiments verify that, in specific scenarios, the proposed model uses 75% less response time than a single detection scheme.
Keywords: distributed denial of service attack; software-defined networking; RYU; MiniNet; lightweight; machine learning; artificial intelligence
DOI: 10.19363/J.cnki.cn10-1380/tn.2021.01.02
Received: 2020-09-30; Revised: 2020-11-16
Funding: Supported by the National Key R&D Program of China (No. 2018YFC0806900) and the Beijing Municipal Science and Technology Commission (No. Z191100007119009).
DDoS Detection and Mitigation Framework in SDN
JIA Kun1,2, WANG Junnan1,2, LIU Feng2
(1.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China;2.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China)
Abstract:
Software-defined Networking (SDN) thoroughly overturns the traditional network framework with programmability and centralized management. History tells us, however, that a centralized topology may easily suffer a single point of failure, given the key role of the controller. Distributed Denial of Service (DDoS) is such a threat to SDN. Traditional DDoS forces servers to stop serving by flooding bandwidth or exhausting computing resources; this still applies when the target is an SDN switch or controller. Besides, some new DDoS types try to exploit weaknesses specific to SDN, such as the southbound channel and the flow tables; these new DDoS attacks can achieve denial of service with less traffic and in less time. To solve this problem, we present a lightweight detection framework called SDDetector (Software Defined Detector). It can work in a coarse-grained or a fine-grained mode. The former collects coarse statistics and checks whether they exceed thresholds. If an anomaly is determined, the controller sends an alarm to the switches and asks for fine-grained statistics. Then the entropy detection algorithm and the SVM detection algorithm start to work. Research shows that the entropy detection algorithm gives a faster response to new DDoS and to traditional DDoS using IP spoofing, while SVM works better against application-layer DDoS, because real IPs must be used to communicate. SDDetector runs the two detection algorithms almost simultaneously, and the one that gives the faster response determines the result. After that, the controller pushes a new flow rule to redirect the attacking traffic. Experiments show that our method gives a significant 75% reduction in reaction time compared to others for some attack types.
Key words: distributed denial of service; software defined network; RYU; MiniNet; lightweight; machine learning; artificial intelligence
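The two-stage coarse/fine pipeline that both abstracts describe, with the entropy branch of the fine-grained stage, is shown below as an added illustration. This is not SDDetector's code and makes no claim about the features, thresholds or algorithms the paper actually uses: the coarse-grained features (packet-in count and distinct flow count per window), the threshold values, the entropy cut-offs, the two sample windows and the "scrub port" are all constructed here for the example. The SVM branch is omitted. The redirect rule is built as a plain dict whose match keys follow OpenFlow field names; the call that would push it to a switch through the RYU API is left out.

```python
import math
from collections import Counter

# Constructed sample windows of packet-in events as a controller would see them,
# each record being (src_ip, dst_ip). Illustrative values, not data from the paper.
NORMAL_WINDOW = [
    (f"10.0.0.{1 + i % 4}", f"10.0.1.{1 + (i // 4) % 4}") for i in range(20)
]
# Source-spoofed flood: every packet-in carries a fresh source address and the
# same victim, so each packet misses the flow table and reaches the controller.
ATTACK_WINDOW = [
    (f"172.16.{i // 256}.{i % 256}", "10.0.1.1") for i in range(60)
]


# Stage 1: coarse-grained mode. Assumed features: packet-in count and number of
# distinct (src, dst) pairs per window; the thresholds are placeholders that a
# deployment would tune from baseline traffic.
def coarse_stats(window):
    return {"packet_in": len(window), "flows": len(set(window))}


def coarse_alert(window, pkt_threshold=40, flow_threshold=30):
    stats = coarse_stats(window)
    return stats["packet_in"] > pkt_threshold or stats["flows"] > flow_threshold


# Stage 2: fine-grained mode using Shannon entropy (bits) over the address fields.
def shannon_entropy(values):
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def fine_verdict(window, src_entropy_min=4.0, dst_entropy_max=1.0):
    src_h = shannon_entropy(src for src, _ in window)
    dst_h = shannon_entropy(dst for _, dst in window)
    # Spoofed-flood signature: sources look random (high entropy) while the
    # destinations collapse onto one victim (low entropy).
    attack = src_h >= src_entropy_min and dst_h <= dst_entropy_max
    victim = Counter(dst for _, dst in window).most_common(1)[0][0] if attack else None
    return {"attack": attack, "victim": victim,
            "src_entropy": src_h, "dst_entropy": dst_h}


# Stage 3: mitigation. The rule is expressed as a dict whose match keys follow
# OpenFlow field names (eth_type, ipv4_dst); the scrub port is an assumed value.
def build_redirect_rule(victim, scrub_port, priority=100):
    return {
        "priority": priority,
        "match": {"eth_type": 0x0800, "ipv4_dst": victim},
        "actions": [{"type": "OUTPUT", "port": scrub_port}],
    }


def detect(window, scrub_port=99):
    """Run the pipeline; the fine-grained stage only runs after a coarse alarm."""
    if not coarse_alert(window):
        return {"stage": "coarse", "attack": False, "rule": None}
    verdict = fine_verdict(window)
    rule = build_redirect_rule(verdict["victim"], scrub_port) if verdict["attack"] else None
    return {"stage": "fine", "rule": rule, **verdict}


if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        print(name, detect(window))
```

On the normal window the coarse stage stays quiet and no entropy is computed at all, which is the point of the two-mode design: the cheap statistics gate the more expensive per-window feature extraction. On the spoofed window the 60 distinct sources give a source entropy of about 5.9 bits against a destination entropy of 0, and the resulting rule matches only the victim address, so the redirect does not affect the rest of the network.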