Abstract:
Software-defined networking (SDN) defines routing in a programmable form and fundamentally overturns the traditional network architecture. By adopting a centralized topology, SDN achieves global control over the network infrastructure. However, this centralized topology is highly vulnerable to network attacks such as distributed denial of service (DDoS). Traditional DDoS achieves denial of service by saturating switch bandwidth and consuming controller computing resources. In recent years, new DDoS variants have achieved denial of service by attacking the southbound channel between the controller and the switches and by attacking the switch flow tables. To mitigate the security problems posed by both traditional and new DDoS, this paper proposes a lightweight DDoS detection and defense framework for SDN, SDDetector (Software Defined Detector). It runs in two modes, coarse-grained and fine-grained: the coarse-grained mode extracts statistical features from SDN switches and raises a threshold alarm on suspicious attack behavior; once an alarm is triggered, the fine-grained mode performs a second feature extraction and uses an entropy detection algorithm and an SVM detection algorithm for further attack discrimination. The study finds that the entropy detection algorithm is good at handling DDoS attacks that use source-IP spoofing as well as the new SDN-specific DDoS attacks, while the SVM detection algorithm is good at handling interactive DDoS attacks based on application-layer protocols. SDDetector runs the two algorithms in an approximately parallel fashion and automatically lets whichever algorithm finishes feature extraction fastest complete the attack detection, which greatly reduces the system's response time to attacks. Experiments show that, in specific scenarios, the proposed model needs 75% less response time than a single detection scheme.
Keywords: distributed denial of service attack; software-defined networking; RYU; MiniNet; lightweight; machine learning; artificial intelligence
DOI: 10.19363/J.cnki.cn10-1380/tn.2021.01.02
Received: September 30, 2020; Revised: November 16, 2020
Funding: Supported by the National Key R&D Program of China (No. 2018YFC0806900) and the Beijing Municipal Science and Technology Commission (No. Z191100007119009).
DDoS Detection and Mitigation Framework in SDN
JIA Kun, WANG Junnan, LIU Feng
School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
Abstract:
Software-defined networking (SDN) thoroughly overturns the traditional network architecture through programmability and centralized management. However, history tells us that a centralized topology can easily suffer a single point of failure, given the key role of the controller. Distributed denial of service (DDoS) is such a threat to SDN. Traditional DDoS forces servers to stop serving by flooding bandwidth or exhausting computing resources, and this still works when the target is an SDN switch or controller. In addition, some recent DDoS variants specifically exploit weaknesses of SDN, such as the southbound channel and the flow rule tables, and can achieve denial of service with less traffic and in less time. To address this problem, we present a lightweight detection framework called SDDetector (Software Defined Detector). It works in either a coarse-grained or a fine-grained mode. The former collects coarse statistics and checks whether they exceed thresholds; if an anomaly is determined, the controller sends an alarm to the switches and requests fine-grained statistics, after which the entropy detection algorithm and the SVM detection algorithm start to work. Our research shows that the entropy detection algorithm responds faster to the new DDoS variants and to traditional DDoS that uses IP spoofing, whereas SVM works better against application-layer DDoS, because a real IP address must be used to complete the communication. SDDetector runs the two detection algorithms almost simultaneously, and whichever responds faster determines the result. The controller then pushes a new flow rule to redirect the attack traffic. Experiments show that, for some attack types, our method reduces reaction time by a significant 75% compared with others.
Key words: distributed denial of service; software-defined networking; RYU; MiniNet; lightweight; machine learning; artificial intelligence
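As an added illustration of the two-mode design described above (this is not code from the paper or from SDDetector), the following Python sketch applies a coarse-grained packet-count threshold to a window of per-flow switch statistics and, only when that alarm fires, computes the fine-grained source-IP entropy. The flow records, thresholds and result labels are constructed assumptions, not values from the paper.

```python
import math
from collections import Counter

# Constructed per-flow records in the shape a coarse-grained stats poll of an
# OpenFlow switch would return: (src_ip, dst_ip, packet_count). Sample values only.
BENIGN_WINDOW = [
    ("10.0.0.1", "10.0.0.9", 40), ("10.0.0.2", "10.0.0.9", 35),
    ("10.0.0.3", "10.0.0.8", 30), ("10.0.0.1", "10.0.0.8", 25),
]
# Spoofed-source flood: 200 one-packet flows from distinct forged addresses.
SPOOFED_FLOOD_WINDOW = BENIGN_WINDOW + [
    (f"198.51.100.{i}", "10.0.0.9", 1) for i in range(1, 201)
]
# Application-layer flood: one real client address sending many requests.
APP_LAYER_WINDOW = BENIGN_WINDOW + [("203.0.113.5", "10.0.0.9", 300)]

PACKET_THRESHOLD = 200      # coarse-grained alarm: packets per poll window (assumed)
SRC_ENTROPY_THRESHOLD = 4.0  # fine-grained: bits of source-IP entropy (assumed)


def coarse_alarm(window):
    """Coarse-grained mode: cheap threshold check on aggregate switch counters."""
    return sum(pkts for _, _, pkts in window) > PACKET_THRESHOLD


def shannon_entropy(counts):
    """Shannon entropy in bits of a count distribution."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def source_entropy(window):
    """Fine-grained feature: entropy of packets over source IP addresses."""
    per_src = Counter()
    for src, _, pkts in window:
        per_src[src] += pkts
    return shannon_entropy(per_src)


def detect(window):
    """Run the coarse stage; escalate to the entropy stage only on alarm."""
    if not coarse_alarm(window):
        return "normal"
    if source_entropy(window) > SRC_ENTROPY_THRESHOLD:
        return "ddos_spoofed_sources"
    # Few real sources: entropy stays low, so this case is left to the SVM path.
    return "alarm_defer_to_svm"
```

A spoofed-source flood drives source-IP entropy up, while an application-layer flood from a single real address keeps it low, which is exactly the case the paper hands to the SVM detector.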