
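Distributed denial of service attack detection based on programming protocol-independent packet processors
Cite this article: Liu Xiangju, Shang Linsong, Fang Xianjin, Lu Xiaobao. Distributed denial of service attack detection based on programming protocol-independent packet processors[J]. Application Research of Computers, 2022, 39(7).
Authors: Liu Xiangju, Shang Linsong, Fang Xianjin, Lu Xiaobao
Affiliations: School of Computer Science and Engineering, Anhui University of Science and Technology; School of Computer Science and Engineering, Anhui University of Science and Technology; School of Computer Science and Engineering, Anhui University of Science and Technology; School of Computer Science and Engineering, Anhui University of Science and Technology
Funding: National Natural Science Foundation of China (61572034); Anhui Province Major Science and Technology Project (18030901025)
Abstract: Distributed denial of service (DDoS) attack detection methods in traditional software defined networks (SDN) require frequent communication between the control plane and the data plane, which causes significant overhead and delay, while current programmable data planes cannot implement complex detection algorithms because of their syntax, making high detection efficiency hard to guarantee. To address these problems, a DDoS attack detection method based on a programming protocol-independent packet processors (P4) programmable data plane is proposed. First, an information entropy improved on the basis of P4 is used for initial detection to determine whether suspicious traffic has occurred. Then, taking advantage of the fact that P4 needs only microseconds to extract features, the six-tuple features of the suspicious traffic are extracted and fed into the data standardization-deep neural network (DS-DNN) re-inspection module, which determines whether the traffic is DDoS attack traffic. Finally, the method's evaluation metrics are tested in a simulated real environment. Experimental results show that the method detects DDoS attacks in SDN environments well, lowering the false alarm rate effectively and shortening detection time to the millisecond level while maintaining a high detection rate and accuracy.

Keywords: software defined network; programmable data plane; programming protocol-independent packet processors; distributed denial of service attack; attack detection; deep neural network
Received: 2021/12/1 0:00:00
Revised: 2022/6/21 0:00:00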

Distributed denial of service attack detection based on programming protocol-independent packet processors
Liu Xiangju, Shang Linsong, Fang Xianjin and Lu Xiaobao. Distributed denial of service attack detection based on programming protocol-independent packet processors[J]. Application Research of Computers, 2022, 39(7).
Authors: Liu Xiangju, Shang Linsong, Fang Xianjin and Lu Xiaobao
Affiliation: School of Computer Science and Engineering, Anhui University of Science and Technology
Abstract: The distributed denial of service (DDoS) attack detection method in traditional software defined network (SDN) requires frequent communication between the control plane and the data plane, which leads to significant overhead and delay, and the current programmable data plane cannot implement complex detection algorithms, so it is difficult to ensure high detection efficiency. To solve the above problems, this paper proposed a DDoS attack detection method based on a programming protocol-independent packet processors (P4) programmable data plane. First of all, the method used the improved information entropy based on P4 as initial detection to determine whether suspicious traffic occurred. Then, it took advantage of the microsecond time required for feature extraction by P4 to extract the six-tuple features of suspicious traffic, and imported them into the data standardization-deep neural network (DS-DNN) reinspection module to determine whether they were DDoS attack traffic. Finally, it tested the evaluation indicators of the method in a simulated real environment. The experimental results show that this method can better detect DDoS attacks in SDN environments, ensure high detection rate and accuracy, effectively reduce the false alarm rate, and shorten the detection time to millisecond level.
Keywords: software defined network (SDN); programmable data plane; programming protocol-independent packet processors (P4); distributed denial of service (DDoS) attack; attack detection; deep neural network (DNN)