云环境中基于SDN的高效DDoS攻击检测与防御方案

何亨; 胡艳; 郑良汉; 薛正元

doi:10.11959/j.issn.1000-436x.2018068

您当前的位置：

首页 >

文章列表页 >

云环境中基于SDN的高效DDoS攻击检测与防御方案

学术论文 | 更新时间：2024-06-05

- 云环境中基于SDN的高效DDoS攻击检测与防御方案
- Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment
- 通信学报 2018年39卷第4期页码：139-151
- 作者机构：
  
  1. 武汉科技大学计算机科学与技术学院，湖北武汉 430065
  2. 武汉科技大学智能信息处理与实时工业系统湖北省重点实验室，湖北武汉 430065
  3. 华中科技大学计算机科学与技术学院，湖北武汉 430074
- 作者简介：
  
  [ "何亨（1981-），男，湖北武汉人，博士，武汉科技大学副教授，主要研究方向为云计算、软件定义网络、网络安全等。" ]
  [ "胡艳（1993-），女，湖北黄冈人，武汉科技大学硕士生，主要研究方向为云计算、软件定义网络、网络安全等。" ]
  [ "郑良汉（1995-），男，湖北武汉人，武汉科技大学硕士生，主要研究方向为云计算、网络安全等。" ]
  [ "薛正元（1989-），男，河南社旗人，华中科技大学博士生，主要研究方向为云计算、大数据技术等。" ]
- 基金信息：
  
  国家自然科学基金资助项目(61602351);国家自然科学基金资助项目(61502359);国家自然科学基金资助项目(61602349);智能信息处理与实时工业系统湖北省重点实验室开放基金资助项目(2016znss10B)
- DOI：10.11959/j.issn.1000-436x.2018068
  中图分类号： TP393
- 网络出版日期：2018-04，
  
  纸质出版日期：2018-04-25
- 稿件说明：
移动端阅览
何亨, 胡艳, 郑良汉, 等. 云环境中基于SDN的高效DDoS攻击检测与防御方案[J]. 通信学报, 2018,39(4):139-151.

Heng HE, Yan HU, Lianghan ZHENG, et al. Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment[J]. Journal on communications, 2018, 39(4): 139-151.
何亨, 胡艳, 郑良汉, 等. 云环境中基于SDN的高效DDoS攻击检测与防御方案[J]. 通信学报, 2018,39(4):139-151. DOI： 10.11959/j.issn.1000-436x.2018068.

Heng HE, Yan HU, Lianghan ZHENG, et al. Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment[J]. Journal on communications, 2018, 39(4): 139-151. DOI： 10.11959/j.issn.1000-436x.2018068.

摘要

针对云环境中2类典型的分布式拒绝服务（DDoS）攻击问题，提出一种基于软件定义网络架构的DDoS攻击检测与防御方案——SDCC。SDCC综合使用链路带宽和数据流这2种检测方式，利用基于置信度过滤（CBF）的方法计算数据分组CBF分数，将分数低于阈值的数据分组判断为攻击分组，添加其属性信息至攻击流特征库，并通过控制器下发流表将其拦截。仿真实验表明，SDCC能有效检测并防御不同类型DDoS攻击，具有较高检测效率，降低了控制器计算开销，并保持较低误判率。

Abstract

For addressing the problem of two typical types of distributed denial of service (DDoS) attacks in cloud environment

a DDoS attack detection and prevention scheme called SDCC based on software defined network (SDN) architecture was proposed.SDCC used a combination of bandwidth detection and data flow detection

utilized confidence-based filtering (CBF) method to calculate the CBF score of packets

judged the packet of CBF score below the threshold as an attacking packet

added its attribute information to the attack flow feature library

and sent the flow table to intercept it through SDN controller.Simulation results show that SDCC can detect and prevent different types of DDoS attacks effectively

and it has high detection efficiency

reduces the controller’s computation overhead

and achieves a low false positive rate.

关键词

Keywords

references

YAN Q , YU F R , GONG Q , et al . Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments:a survey,some research issues,and challenges [J ] . IEEE Communications Surveys ＆ Tutorials , 2016 , 18 ( 1 ): 602 - 622 .

CHEN L C , LONGSTAFF T A , CARLEY K M . Characterization of defense mechanisms against distributed denial of service attacks [J ] . Computers ＆ Security , 2004 , 23 ( 8 ): 665 - 678 .

PENG T , LECKIE C , RAMAMOHANARAO K . Survey of network-based defense mechanisms countering the DoS and DDoS problems [J ] . ACM Computing Surveys , 2007 , 39 ( 1 ): 3 .

TARIQ U , HONG M P , LHEE K . A comprehensive categorization of DDoS attack and DDoS defense techniques [C ] // International Conference on Advanced Data Mining and Applications . 2006 : 1025 - 1036 .

SPECHT S M , LEE R B . Distributed denial of service:taxonomies of attacks,tools,and countermeasures [C ] // The 17th International Conference on Parallel and Distributed Computing Systems . 2004 : 543 - 550 .

KIM Y , LAU W C , CHUAH M C , et al . PacketScore:a statistics-based packet filtering scheme against distributed denial-of-service attacks [J ] . IEEE Transactions on Dependable ＆ Secure Computing , 2006 , 3 ( 2 ): 141 - 155 .

胡汉卿 . 基于云计算DDoS攻击防御研究 [D ] . 南京:南京邮电大学 , 2015 .

HU H Q . Research on DDoS attack defense based on cloud computing [D ] . Nanjing:Nanjing University of Posts and Telecommunications , 2015 .

DOU W , CHEN Q , CHEN J . A confidence-based filtering method for DDoS attack defense in cloud environment [J ] . Future Generation Computer Systems , 2013 , 29 ( 7 ): 1838 - 1850 .

SHAMSOLMOALI P , ALAM M A , BISWAS R . C2DF:high rate DDOS filtering method in cloud computing [J ] . International Journal of Computer Network ＆ Information Security , 2014 , 6 ( 9 ): 43 - 50 .

SAHI A , LAI D , LI Y , et al . An efficient DDoS TCP flood attack detection and prevention system in a cloud environment [J ] . IEEE Access , 2017 , 5 : 6036 - 6048 .

JEYANTHI N , BARDE U , SRAVANI M , et al . Detection of distributed denial of service attacks in cloud computing by identifying spoofed IP [J ] . International Journal of Communication Networks ＆ Distributed Systems , 2013 , 11 ( 3 ): 262 - 279 .

吴志军 , 张东 . 低速率DDoS攻击的仿真和特征提取 [J ] . 通信学报 , 2008 , 29 ( 1 ): 71 - 76 .

WU Z J , ZHANG D . Simulation and feature extraction of low rate DDoS attacks [J ] . Journal on Communications , 2008 , 29 ( 1 ): 71 - 76 .

NAVAZ A S S , SANGEETHA V , PRABHADEVI C . Entropy based anomaly detection system to prevent DDoS attacks in cloud [J ] . International Journal of Computer Applications , 2013 , 62 ( 15 ): 42 - 47 .

WANG B , ZHENG Y , LOU W , et al . DDoS attack protection in the era of cloud computing and software-defined networking [J ] . Computer Networks , 2015 , 81 ( C ): 308 - 319 .

KALLIOLA A , LEE K , LEE H , et al . Flooding DDoS mitigation and traffic management with software defined networking [C ] // International Conference on Cloud Networking . 2015 : 248 - 254 .

ZHANG C , CAI Z , CHEN W , et al . Flow level detection and filtering of low-rate DDoS [J ] . Computer Networks the International Journal of Computer ＆ Telecommunications Networking , 2012 , 56 ( 15 ): 3417 - 3431 .

HOQUE N , BHATTACHARYYA D K , KALITA J K . A novel measure for low-rate and high-rate DDoS attack detection using multivariate data analysis [C ] // International Conference on Communication Systems and Networks . 2016 : 1 - 2 .

孙义明 , 杨丽萍 . 信息化战争中的战术数据链 [M ] . 北京 : 北京邮电大学出版社 , 2005 .

SUN Y M , YANG L P . Tactical data chain in information warfare [M ] . Beijing : Beijing University of Posts and Telecommunications Press , 2005 .

田开琳 , 李明 . 一种可靠检测低速率DDoS攻击的异常检测系统 [J ] . 现代电子技术 , 2009 , 32 ( 7 ): 68 - 71 .

TIAN K L , LI M . An anomaly detection system for reliable detection of low rate DDoS attacks [J ] . Modern Electronic Technology , 2009 , 32 ( 7 ): 68 - 71 .

左青云 , 陈鸣 , 赵广松 , 等 . 基于 OpenFlow 的 SDN 技术研究 [J ] . 软件学报 , 2013 ( 5 ): 1078 - 1097 .

ZUO Q Y , CHEN M , ZHAO G S , et al . Research of SDN technology based on OpenFlow [J ] . Journal of Software , 2013 ( 5 ): 1078 - 1097 .

LIU T C , YANG B H , ZHANG Y , et al . Data packet processing in SDN [P ] . US20150281127 , 2015 .

FOUNDATION O N . Software-defined networking:the new norm for networks [R ] . ONF White Paper , 2012 .

NADEAU T D , GRAY K . 软件定义网络:SDN与OpenFlow解析 [M ] . 毕军,单业,张绍宇,等译.北京 : 人民邮电出版社 , 2014 .

NADEAU T D , GRAY K . Software defined network:SDN and OpenFlow parsing [M ] . Translated by BI J,SHAN Y,ZHANG S Y,et al . Beijing : Posts ＆ Telecom Press , 2014 .

MOUSAVI S M , STHILAIRE M . Early detection of DDoS attacks against SDN controllers [C ] // International Conference on Computing,NETWORKING and Communications . 2015 : 77 - 81 .

LANTZ B , HELLER B , MCKEOWN N . A network in a laptop:rapid prototyping for software-defined networks [C ] // ACM Workshop on Hot Topics in Networks . 2010 : 1 - 6 .

浏览量

1899

下载量

CSCD

文章被引用时，请邮件提醒。

提交

工具集

关联资源

基于深度学习的SDN异常流量分布式检测方法

基于SDN的物联网边缘节点间数据流零信任管理

ADAFT：SDN大规模流表的适应性深度聚合存储架构

面向软件定义网络的异常流量检测研究综述

MgdFlow：微电网场景下的多粒度数据流管理算法