1. School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, Hubei, China
2. Network and Computing Center, Huazhong University of Science and Technology, Wuhan 430074, Hubei, China
Zhou Qizhao (born 1991), male, from Changsha, Hunan; Ph.D. candidate at Huazhong University of Science and Technology; main research interests: machine learning, software-defined networking, network security.
Yu Junqing (born 1975), male, from Chifeng, Inner Mongolia; Ph.D., professor and doctoral supervisor at Huazhong University of Science and Technology; main research interests: digital media processing and retrieval, network security, multi-core computing and stream compilation.
Li Dong (born 1979), male, from Wuhan, Hubei; Ph.D., lecturer at Huazhong University of Science and Technology; main research interests: network security, intrusion detection, botnet detection, network flow data mining and analysis, cross-layer optimization of wireless networks.
Online publication date: 2021-11
Print publication date: 2021-11-25
Citation: Qizhao ZHOU, Junqing YU, Dong LI. Research on flood defense mechanism of SDN control layer: detection and mitigation[J]. Journal on Communications, 2021, 42(11): 41-53. DOI: 10.11959/j.issn.1000-436x.2021191.
To address the problem of defending the SDN control layer against spoofing flood attacks, a controller defense mechanism (CDM) is proposed. It consists of two parts: a flood detection mechanism based on multi-classification of key features, and a flood mitigation mechanism based on source address validation improvement (SAVI). For detection, a control-layer flood key-feature analysis module is designed; a boosting algorithm weights and stacks the weak classifier of each key feature into an enhanced classifier which, by continuously reducing the residual in the calculation, classifies spoofing flood attacks against the control layer more accurately. For mitigation, CDM deploys a SAVI-based mechanism that performs path filtering of flood packets on a binding-and-verification basis, while a dynamic polling mode provides protection against flood attacks and updates the key flood-feature data of the access-layer switches, reducing redundant model-update load. Experimental results show that the proposed method has low overhead and high accuracy: CDM effectively increases the security of the control layer and reduces both the time needed to classify spoofing-flood attack hosts and the corresponding controller CPU consumption.
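As an added illustration that is not part of the paper or its code, the following Python sketch shows the binding-and-verification filtering and the dynamic polling of per-switch counters that the abstract describes; the SaviFilter class, the (switch, port) anchors and the sample packets are assumptions constructed for this example.

```python
# Added example (not the paper's code): a simplified SAVI-style
# binding-and-verification filter for an SDN access switch. Bindings are
# assumed to be learned from DHCP or static assignment; a packet whose
# source address is not bound to its ingress (switch, port) anchor is
# dropped before it can reach the controller as a Packet-In.
from collections import Counter, defaultdict


class SaviFilter:
    def __init__(self, flood_threshold=3):
        self.bindings = defaultdict(set)   # (switch, port) -> bound source IPs
        self.rejected = Counter()          # (switch, port) -> packets failing verification
        self.flood_threshold = flood_threshold

    def bind(self, switch_id, port, src_ip):
        """Binding phase: record that src_ip legitimately attaches at this anchor."""
        self.bindings[(switch_id, port)].add(src_ip)

    def verify(self, switch_id, port, src_ip):
        """Verification phase: True if the packet may be forwarded, False if dropped."""
        anchor = (switch_id, port)
        if src_ip in self.bindings.get(anchor, ()):
            return True
        self.rejected[anchor] += 1
        return False

    def flooding_anchors(self):
        """Anchors whose dropped-packet count reached the flood threshold."""
        return sorted(a for a, n in self.rejected.items() if n >= self.flood_threshold)

    def poll_and_reset(self):
        """Dynamic polling: hand the per-anchor counters to the controller and clear them."""
        snapshot = dict(self.rejected)
        self.rejected.clear()
        return snapshot


def run_sample():
    """Constructed traffic: a legitimate host on port 1, a spoofing host on port 2."""
    f = SaviFilter()
    f.bind("s1", 1, "10.0.0.11")
    f.bind("s1", 2, "10.0.0.12")
    packets = [("s1", 1, "10.0.0.11"), ("s1", 2, "10.0.0.12"),
               ("s1", 2, "10.0.0.99"), ("s1", 2, "10.0.0.77"),
               ("s1", 2, "10.0.0.11")]  # last one forges the neighbour's address
    decisions = [f.verify(*p) for p in packets]
    return decisions, f.flooding_anchors(), f.poll_and_reset()
```

Only the anchor whose rejection counter crossed the threshold is reported to the controller at each poll, which is what keeps the per-switch feature updates from becoming redundant load.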