SDN中一种基于机器学习的DDoS入侵检测与防御方法

近两年分布式拒绝服务攻击（Distributed Denial of Service,DDoS）以平均26%的速率增长,是网络安全的严重威胁之一。论文提出一种适用于软件定义网络（software-define-network,SDN）的DDoS实时入侵检测与即时防御方法RT-XB(Real-Time XGBoost-Bloom Filter)。该方法首先在SDN数据平面使用P4编程,以自定义的方式进行数据包收集;然后对其提取攻击特征向量并做必要的优化处理;再后使用极限梯度增强（extreme gradient boosting,XGBoost）算法构建分类器识别异常数据包,并由此确定攻击源;最后在数据平面构建攻击数据包特征的BF(Bloom Filter)实现对后续攻击数据包的快速识别,并通过修改流表匹配动作的方式做出即时防御。实验结果显示,与现有同类方法相比,RT-XB充分整合了SDN和机器学习的优点,不仅实时检测效率高,假阳性率可控,而且即时防御功能较强。     

基于SDN的DDoS攻击防御系统

软件定义网络（SDN）是一种新兴网络架构,通过将转发层和控制层分离,实现网络的集中管控。控制器作为SDN网络的核心,容易成为被攻击的目标,分布式拒绝服务（DDoS）攻击是SDN网络面临的最具威胁的攻击之一。针对这一问题,本文提出一种基于机器学习的DDoS攻击检测模型。首先基于信息熵监控交换机端口流量来判断是否存在异常流量,检测到异常后提取流量特征,使用SVM+K-Means的复合算法检测DDoS攻击,最后控制器下发丢弃流表处理攻击流量。实验结果表明,本文算法在误报率、检测率和准确率指标上均优于SVM算法和K-Means算法。     

SDN中基于C4.5决策树的DDoS攻击检测

SDN（Software Defined Network,软件定义网络）是一种新兴的网络架构,它的控制与转发分离架构为网络管理带来了极大的便利性和灵活性,但同时也带来新的安全威胁和挑战。攻击者通过对SDN的集中式控制器进行DDoS（Distributed Denial of Service,分布式拒绝服务）攻击,会使信息不可达,造成网络瘫痪。为了检测DDoS攻击,提出了一种基于C4.5决策树的检测方法：通过提取交换机流表项信息,使用C4.5决策树算法训练数据集生成决策树对流量进行分类,实现DDoS攻击的检测,最后通过实验证明了该方法有更高的检测成功率,更低的误警率与较少的检测时间。     

基于流特征相对熵的DDOS攻击检测方法的研究

分布式拒绝服务(DistributedDenialofService,简称DDoS)攻击是互联网的重要威胁之一。笔者通过分析DDoS攻击的原理及其攻击特征,从延长检测响应时间和减少计算复杂度的角度提出了一种DDoS攻击的检测方法。该方法基于DDoS攻击的流量特征,提取有效的流量特征参数,并根据参数变化及时、准确地判断DDoS攻击的发生时间。实验结果证明,该方法能迅速有效地检测到DDoS攻击,并对其他网络安全异常检测具有指导作用。     

基于流量和IP熵特性的DDoS攻击检测方法

针对现有DDoS(Distributed Deny of Service)攻击检测率低、误报率较高等问题进行了深入研究。根据DDoS攻击发生时网络中的流量特性和IP熵特性,建立了相应的流量隶属函数和IP熵隶属函数,隶属函数的上下限参数通过对真实网络环境仿真得到。提出了基于流量和IP熵特性的DDoS攻击检测算法,先判断流量是否异常,再判断熵是否异常,进而判断是否发生了DDoS攻击,提高了。由仿真结果可以看出：单独依靠流量或IP熵都不能很好地检测出DDoS攻击。该算法将流量和IP熵特性综合考虑,准确地检测出了DDoS攻击,降低了误报率,提高了检测率。     

基于软件定义物联网的分布式拒绝服务攻击检测方法

由于物联网（IoT）设备众多、分布广泛且所处环境复杂,相较于传统网络更容易遭受分布式拒绝服务（DDoS）攻击,针对这一问题提出了一种在软件定义物联网（SD-IoT）架构下基于均分取值区间长度-K均值（ELVR-Kmeans）算法的DDoS攻击检测方法。首先,利用SD-IoT控制器的集中控制特性通过获取OpenFlow交换机的流表,分析SD-IoT环境下DDoS攻击流量的特性,提取出与DDoS攻击相关的七元组特征;然后,使用ELVR-Kmeans算法对所获取的流表进行分类,以检测是否有DDoS攻击发生;最后,搭建仿真实验环境,对该方法的检测率、准确率和错误率进行测试。实验结果表明,该方法能够较好地检测SD-IoT环境中的DDoS攻击,检测率和准确率分别达到96.43%和98.71%,错误率为1.29%。     

SDN环境下基于DBN的DDoS攻击检测

软件定义网络(SDN)作为新型网络架构模式,其安全威胁主要来自DDoS攻击,建立高效的DDoS攻击检测系统是网络安全管理的重要内容.在SDN环境下,针对DDoS的入侵检测算法具有支持协议少、实用性差等缺陷,为此,提出一种基于深度信念网络(DBN)的DDoS攻击检测算法.分析SDN环境下DDoS攻击的机制,通过Mininet模拟SDN的网络拓扑结构,并使用Wireshark完成DDoS流量数据包的收集和检测.实验结果表明,与XGBoost、随机森林、支持向量机算法相比,该算法具有攻击检测准确性高、误报率低、检测速率快和易于扩展等优势,综合性能较好.     

SDN环境下基于BP神经网络的DDoS攻击检测方法*

软件定义网络是一种全新的网络架构,集中控制是其主要优势,但若受到DDoS 攻击则会造成信息不可达,也容易造成单点失效。为了有效的识别DDoS攻击,提出了一种SDN环境下基于BP神经网络的DDoS攻击检测方法：该方法获取OpenFlow交换机的流表项,分析SDN环境下DDoS攻击特性,提取出与攻击相关的流表匹配成功率、流表项速率等六个重要特征;通过分析六个相关特征值的变化,采用BP神经网络算法对训练样本进行分类,实现对DDoS攻击的检测。实验结果表明,该方法在有效提高识别率的同时,降低了检测时间。通过在软件定义网络环境中的部署,验证了该方法的有效性。     

基于集成学习的多类型应用层DDoS攻击检测方法

针对应用层分布式拒绝服务（DDoS）攻击类型多、难以同时检测的问题,提出了一种基于集成学习的应用层DDoS攻击检测方法,用于检测多类型的应用层DDoS攻击。首先,数据集生成模块模拟正常和攻击流量,筛选并提取对应的特征信息,并生成表征挑战黑洞（CC）、HTTP Flood、HTTP Post及HTTP Get攻击的47维特征信息;其次,离线训练模块将处理后的有效特征信息输入集成后的Stacking检测模型进行训练,从而得到可检测多类型应用层DDoS攻击的检测模型;最后,在线检测模块通过在线部署检测模型来判断待检测流量的具体流量类型。实验结果显示,与Bagging、Adaboost和XGBoost构建的分类模型相比,Stacking集成模型在准确率方面分别提高了0.18个百分点、0.21个百分点和0.19个百分点,且在最优时间窗口下的恶意流量检测率达到了98%。验证了所提方法对多类型应用层DDoS攻击检测的有效性。     

SDN环境下DDoS攻击检测和缓解系统

分布式拒绝服务攻击(distributed denial of service, DDoS)是网络安全领域的一大威胁. 作为新型网络架构, 软件定义网络(software defined networking, SDN)的逻辑集中和可编程性为抵御DDoS攻击提供了新的思路. 本文设计并实现了一个轻量级的SDN环境下的DDoS攻击检测和缓解系统. 该系统使用熵值检测方法, 并通过动态阈值进行异常判断. 若异常, 系统将使用更精确的决策树模型进行检测. 最后, 控制器通过计算流的包对称率确定攻击源, 并下发阻塞流表项. 实验结果表明, 该系统能够及时响应DDoS攻击, 具有较高的检测成功率, 并能够有效遏制攻击.     

Security challenges in internet of things: Distributed denial of service attack detection using support vector machine-based expert systems

The rapid development of internet of things (IoT) is to be the next generation of the IoT devices are a simple target for attackers due to the lack of security. Attackers can easily hack the IoT devices that can be used to form botnets, which can be used to launch distributed denial of service (DDoS) attack against networks. Botnets are the most dangerous threat to the security systems. Software-defined networking (SDN) is one of the developing filed, which introduce the capacity of dynamic program to the network. Use the flexibility and multidimensional characteristics of SDN used to prevent DDoS attacks. The DDoS attack is the major attack to the network, which makes the entire network down, so that normal users might not avail the services from the server. In this article, we proposed the DDoS attack detection model based on SDN environment by combining support vector machine classification algorithm is used to collect flow table values in sampling time periods. From the flow table values, the five-tuple characteristic values extracted and based on it the DDoS attack can be detected. Based on the experimental results, we found the average accuracy rate is 96.23% with a normal amount of traffic flow. Proposed research offers a better DDoS detection rate on SDN.     

SDN环境下的LDoS攻击检测与防御技术

低速率拒绝服务(LDoS)攻击是一种新型的网络攻击方式,其特点是攻击成本低,隐蔽性强。作为一种新型的网络架构,软件定义网络(SDN)同样面临着LDoS攻击的威胁。但SDN网络的控制与转发分离、网络行为可编程等特点又为LDoS攻击的检测和防御提供了新的思路。提出了一种基于OpenFlow协议的LDoS攻击检测和防御方法。通过对每条OpenFlow数据流的速率单独进行统计,并利用信号检测中的双滑动窗口法实现对攻击流量的检测,一旦检测到攻击流量,控制器便可以通过下发流表的方式实现对攻击行为的实时防御。实验表明,该方法能够有效检测出LDoS攻击,并能够在较短时间内实现对攻击行为的防御。     

基于网络全局流量异常特征的DDoS攻击检测

由于分布式拒绝服务（DDoS）攻击的隐蔽性和分布式特征，提出了一种基于全局网络的DDoS检测方法。与传统检测方法只对单条链路或者受害者网络进行检测的方式不同，该方法对营运商网络中的OD流进行检测。该方法首先求得网络的流量矩阵，利用多条链路中攻击流的相关特性，使用K L变换将流量矩阵分解为正常和异常流量空间，分析异常空间流量的相关特征，从而检测出攻击。仿真结果表明该方法对DDoS攻击的检测更准确、更快速，有利于DDoS攻击的早期检测与防御。     

SDN中基于MS-KNN算法的LFA攻击检测方法

针对一种新型的DDoS攻击—链路泛洪攻击（link-flooding attack,LFA）难以检测的问题,提出了SDN中基于MS-KNN（mean shift-K-nearestneighbor）方法的LFA检测方法。首先通过搭建SDN实验平台,模拟LFA并构建LFA数据集;然后利用改进的加权欧氏距离均值漂移（mean shift,MS）算法对LFA数据集进行分类;最后利用K近邻（K-nearestneighbor,KNN）算法判断分类结果中是否具有LFA数据。实验结果表明,相较于KNN算法,利用MS-KNN不仅得到了更高的准确率,同时也得到了更低的假阳性率。     

K-DDoS-SDN: A distributed DDoS attacks detection approach for protecting SDN environment

Software-defined networking (SDN) is an advanced networking paradigm that decouples forwarding control logic from the data plane. Therefore, it provides a loosely-coupled architecture between the control and data plane. This separation provides flexibility in the SDN environment for addressing any transformations. Further, it delivers a centralized way of managing networks due to control logic embedded in the SDN controller. However, this advanced networking paradigm has been facing several security issues, such as topology spoofing, exhausting bandwidth, flow table updating, and distributed denial of service (DDoS) attacks. A DDoS attack is one of the most powerful menaces to the SDN environment. Further, the central data controller of SDN becomes the primary target of DDoS attacks. In this article, we propose a Kafka-based distributed DDoS attacks detection approach for protecting the SDN environment named K-DDoS-SDN. The K-DDoS-SDN consists of two modules: (i) Network traffic classification (NTClassification) module and (ii) Network traffic storage (NTStorage) module. The NTClassification module is the detection approach designed using scalable H2O ML techniques in a distributed manner and deployed an efficient model on the two-nodes Kafka Streams cluster to classify incoming network traces in real-time. The NTStorage module collects raw packets, network flows, and 21 essential attributes and then systematically stores them in the HDFS to re-train existing models. The proposed K-DDoS-SDN designed and evaluated using the recent and publically available CICDDoS2019 dataset. The average classification accuracy of the proposed distributed K-DDoS-SDN for classifying network traces into legitimate and one of the most popular attacks, such as DDoS_UDP is 99.22%. Further, the outcomes demonstrate that proposed distributed K-DDoS-SDN classifies traffic traces into five categories with at least 81% classification accuracy.     

SDN/NFV security framework for fog-to-things computing infrastructure

Currently, core networking architectures are facing disruptive developments, due to emergence of paradigms such as Software-Defined-Networking (SDN) for control, Network Function Virtualization (NFV) for services, and so on. These are the key enabling technologies for future applications in 5G and locality-based Internet of things (IoT)/wireless sensor network services. The proliferation of IoT devices at the Edge networks is driving the growth of all-connected world of Internet traffic. In the Cloud-to-Things continuum, processing of information and data at the Edge mandates development of security best practices to arise within a fog computing environment. Service providers are transforming their business using NFV-based services and SDN-enabled networks. The SDN paradigm offers an easily programmable model, global view, and control for modern networks, which demand faster response to security incidents and dynamically enforce countermeasures to intrusions and cyberattacks. This article proposes an autonomic multilayer security framework called Distributed Threat Analytics and Response System (DTARS) for a converged architecture of Fog/Edge computing and SDN infrastructures, for emerging applications in IoT and 5G networks. The major detection scheme is deployed within the data plane, consisting of a coarse-grained behavioral, anti-spoofing, flow monitoring and fine-grained traffic multi-feature entropy-based algorithms. We developed exemplary defense applications under DTARS framework, on a malware testbed imitating the real-life DDoS/botnets such as Mirai. The experiments and analysis show that DTARS is capable of detecting attacks in real-time with accuracy more than 95% under attack intensities up to 50 000 packets/s. The benign traffic forwarding rate remains unaffected with DTARS, while it drops down to 65% with traditional NIDS for advanced DDoS attacks. Further, DTARS achieves this performance without incurring additional latency due to data plane overhead.     

基于OpenDayLight的恶意扫描防护技术

针对分布式拒绝服务（DDoS）攻击难以在危害产生之前被检测和防御的问题,提出了一种基于软件定义网络（SDN）的面向恶意扫描的控制层实时防护机制。首先,分析了SDN相比传统网络在网络层防护技术上的优势;其次,针对网络攻击手段——恶意扫描,提出了面向恶意扫描的控制层实时防护机制,该机制在SDN集中控制式架构的基础上,充分利用OpenDayLight （ODL）控制器所提供的表述性状态传递（REST）应用程序编程接口（API）开发外部应用,实现了对底层交换机端口的检测、判定、防护三个环节;最后,对给出的方案在ODL平台上进行了编程实现,并实验测试了恶意扫描的检测防御方案。实验结果表明：当有端口正在对网络进行恶意扫描时,面向恶意扫描的控制层实时防护机制可以及时禁用该端口,实时起到对恶意扫描攻击的防护作用,进而在分布式拒绝服务攻击当中具有破坏性的行为还未开始时就对其进行了预防。