[1]陈永,李致远.软件定义网络中饱和攻击的探测与预防机制[J].常州大学学报(自然科学版),2022,34(06):63-74.[doi:10.3969/j.issn.2095-0411.2022.06.008]
 CHEN Yong,LI Zhiyuan.Saturation Attack Detection and Defense Mechanism in Software Defined Networking[J].Journal of Changzhou University(Natural Science Edition),2022,34(06):63-74.[doi:10.3969/j.issn.2095-0411.2022.06.008]
点击复制

软件定义网络中饱和攻击的探测与预防机制()
分享到:

常州大学学报(自然科学版)[ISSN:2095-0411/CN:32-1822/N]

卷:
第34卷
期数:
2022年06期
页码:
63-74
栏目:
计算机与信息工程
出版日期:
2022-11-28

文章信息/Info

Title:
Saturation Attack Detection and Defense Mechanism in Software Defined Networking
文章编号:
2095-0411(2022)06-0063-12
作者:
陈永1李致远2
(1.江苏海事职业技术学院信息工程学院,江苏南京211112;2.江苏大学计算机科学与通信工程学院,江苏镇江212013)
Author(s):
CHEN Yong1 LI Zhiyuan2
(1.School of Information Engineering, Jiangsu Maritime Institute, Nanjing 211112, China; 2.School of Computer Science and Telecommunication Engineering, Jiangsu University, Zhenjiang 212013, China)
关键词:
软件定义网络 网络安全 拒绝服务攻击检测 子网温度 饱和攻击
Keywords:
software defined networking network security denial of service attack detection sub network temperature saturation attack
分类号:
TP 393
DOI:
10.3969/j.issn.2095-0411.2022.06.008
文献标志码:
A
摘要:
SDN(软件定义网络:Software defined networking)是一种具有网络可编程、数据平面与控制平面分离功能的网络架构技术。SDN中的安全问题伴随着SDN网络的产生备受业界关注,基于SDN网络架构的特点,饱和攻击在众多安全问题中尤为突出。为解决①传统网络下的饱和攻击检测在SDN环境下难以适应、检出率低,②需要大量的历史数据、系统计算与硬件资源不足等问题,文章提出一种基于子网温度的SDN网络环境下的饱和攻击检测方法。首先通过子网概念进行网络划分,将检测细粒度缩小,提高检测效率,减少检测所需资源; 之后,使用子网温度作为衡量饱和攻击发生的判读标准,结和子网温度的检测方法给出一种饱和攻击的防御方案; 最后,在Mininet,Ryu,sFlow相结合的实验平台上进行仿真对比。实验结果表明:与其他传统检测技术相比,文章提出的饱和攻击检测算法在使用较少系统资源的同时能够保证较高检测准确率,可靠性更高,检测数据完整,具有高检出率、低误警率特点。
Abstract:
Software defined networking(SDN)is a network architecture technology with the functions of network programming and separation of data plane and control plane. The security issues in SDN have attracted much attention in the industry along with the emerging of SDN networks. Due to the characteristics of SDN network architecture, saturation attack is particularly prominent among many security problems. To solve these problems ① saturation attack detection under traditional networks is difficult to adapt to in the SDN environment, and the detection rate is low; ② The use of machine learning-based saturation attack detection method requires a large amount of historical data, which has certain requirements for the system's computing and hardware resources, this paper proposes a saturation attack detection method based on subnet temperature in SDN network environment. Firstly, the network was divided by the concept of subnet, which reduces the detection granularity, improves the detection efficiency and reduces the resources required for detection. After that, the subnet temperature was used as the judgment standard to measure the occurrence of saturation attack, and the detection method of junction and subnet temperature gives a defense scheme for saturation attack. Finally, the simulation comparison was made on the experimental platform of Mininet, Ryu and sFlow. The experimental results showed that compared with other traditional detection technologies, the saturation attack detection algorithm proposed in this paper can ensure higher detection accuracy, higher reliability, complete detection data, high detection rate and low false alarm rate while using fewer system resources.

参考文献/References:

[1] 郑毅, 华一强, 何晓峰. SDN的特征、发展现状及趋势[J]. 电信科学, 2013, 29(9): 102-107.
[2] 王丽娜, 王斐, 刘维杰. 面向SDN的安全威胁及其对抗技术研究[J]. 武汉大学学报(理学版), 2019, 65(2): 153-164.
[3] 王月, 吕光宏, 曹勇. 软件定义网络安全研究[J]. 计算机技术与发展, 2018, 28(4): 128-132.
[4] 高晓楠. 软件定义网络中DDoS攻击研究综述[J]. 电子技术与软件工程, 2019(9): 214-216.
[5] VELLIANGIRI S, PREMALATHA J. Intrusion detection of distributed denial of service attack in cloud[J]. Cluster Computing, 2019, 22(5): 10615-10623.
[6] 杨盾, 王小鹏. 应对DDoS攻击的SDN网络安全特性研究[J]. 软件, 2018, 39(3): 175-180.
[7] 陆悠, 奚雪峰, 吴宏杰, 等. 基于拓扑划分的SDN多控制器部署方法[J]. 计算机应用研究, 2017, 34(11): 3388-3393.
[8] AMBROSIN M, CONTI M, DE GASPARI F, et al. LineSwitch[J]. IEEE/ACM Transactions on Networking(TON), 2017, 25(2): 1206-1219.
[9] LATAH M, TOKER L. A novel intelligent approach for detecting DoS flooding attacks in software-defined networks[J]. International Journal of Advances in Intelligent Informatics, 2018, 4(1): 11-20.
[10] LI H D, WEI F, HU H X. Enabling dynamic network access control with anomaly-based IDS and SDN[J]. Security in Software Defined Networks & Network Function Virtualization, 2019: 13-16.
[11] LATIF Y A, MOUSA H M, MAHMOUD H. Improved DDoS detection utilizing deep neural networks and feedforward neural networks as autoencoder[J]. Future Internet, 2022, 14(8): 240.
[12] 田俊峰, 齐鎏岭. SDN中基于条件熵和GHSOM的DDoS攻击检测方法[J]. 通信学报, 2018, 39(8): 140-149.
[13] LI Z Y, XING W J, SAMER K, et al. Detecting saturation attacks based on self-similarity of OpenFlow traffic[J]. IEEE Transactions on Network and Service Management, 2020, 17(1): 607-621.
[14] KHAMAISEH S, SERRA E, LI Z Y, et al. Detecting saturation attacks in SDN via machine learning[C]//2019 4th International Conference on Computing, Communications and Security(ICCCS). Rome: IEEE, 2019: 1-8.
[15] KHAMAISEH S Y, ALSMADI I, AL-ALAJ A. Deceiving machine learning-based saturation attack detection systems in SDN[C]//2020 IEEE Conference on Network Function Virtualization and Software Defined Networks(NFV-SDN). Leganes: IEEE, 2020: 44-50.
(责任编辑:谭晓荷)

备注/Memo

备注/Memo:
收稿日期: 2022-07-31。
基金项目: 国家自然科学基金资助项目(62076136); 江苏省自然科学基金资助项目(BK20201415)。
作者简介: 陈永(1979—), 男, 江苏徐州人, 硕士, 副教授。 E-mail: jscy800@qq.com
更新日期/Last Update: 1900-01-01