云环境中基于SDN的高效DDoS攻击检测与防御方案

doi:10.11959/j.issn.1000-436x.2018068

通信学报 ›› 2018, Vol. 39 ›› Issue (4): 139-151.doi: 10.11959/j.issn.1000-436x.2018068

云环境中基于SDN的高效DDoS攻击检测与防御方案

何亨^1,²,胡艳^1,²,郑良汉^1,²,薛正元³

¹ 武汉科技大学计算机科学与技术学院，湖北武汉 430065
² 武汉科技大学智能信息处理与实时工业系统湖北省重点实验室，湖北武汉 430065
³ 华中科技大学计算机科学与技术学院，湖北武汉 430074

出版日期:2018-04-01 发布日期:2018-04-29
作者简介:何亨（1981-），男，湖北武汉人，博士，武汉科技大学副教授，主要研究方向为云计算、软件定义网络、网络安全等。|胡艳（1993-），女，湖北黄冈人，武汉科技大学硕士生，主要研究方向为云计算、软件定义网络、网络安全等。|郑良汉（1995-），男，湖北武汉人，武汉科技大学硕士生，主要研究方向为云计算、网络安全等。|薛正元（1989-），男，河南社旗人，华中科技大学博士生，主要研究方向为云计算、大数据技术等。
基金资助:
国家自然科学基金资助项目(61602351);国家自然科学基金资助项目(61502359);国家自然科学基金资助项目(61602349);智能信息处理与实时工业系统湖北省重点实验室开放基金资助项目(2016znss10B)

Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment

Heng HE^1,²,Yan HU^1,²,Lianghan ZHENG^1,²,Zhengyuan XUE³

¹ School of Computer Science and Technology,Wuhan University of Science and Technology,Wuhan 430065,China
² Hubei Province Key Laboratory of Intelligent Information Processing and Real Time Industrial System,Wuhan University of Science and Technology,Wuhan 430065,China
³ School of Computer Science and Technology,Huazhong University of Science and Technology,Wuhan 430074,China

Online:2018-04-01 Published:2018-04-29
Supported by:
The National Natural Science Foundation of China(61602351);The National Natural Science Foundation of China(61502359);The National Natural Science Foundation of China(61602349);The Open Foundation of Hubei Province Key Laboratory of Intelligent Information Processing and Real-Time Industrial System(2016znss10B)

摘要/Abstract

摘要：

针对云环境中2类典型的分布式拒绝服务（DDoS）攻击问题，提出一种基于软件定义网络架构的DDoS攻击检测与防御方案——SDCC。SDCC综合使用链路带宽和数据流这2种检测方式，利用基于置信度过滤（CBF）的方法计算数据分组CBF分数，将分数低于阈值的数据分组判断为攻击分组，添加其属性信息至攻击流特征库，并通过控制器下发流表将其拦截。仿真实验表明，SDCC能有效检测并防御不同类型DDoS攻击，具有较高检测效率，降低了控制器计算开销，并保持较低误判率。

关键词: 云环境, DDoS攻击, 软件定义网络, 基于置信度过滤

Abstract:

For addressing the problem of two typical types of distributed denial of service (DDoS) attacks in cloud environment,a DDoS attack detection and prevention scheme called SDCC based on software defined network (SDN) architecture was proposed.SDCC used a combination of bandwidth detection and data flow detection,utilized confidence-based filtering (CBF) method to calculate the CBF score of packets,judged the packet of CBF score below the threshold as an attacking packet,added its attribute information to the attack flow feature library,and sent the flow table to intercept it through SDN controller.Simulation results show that SDCC can detect and prevent different types of DDoS attacks effectively,and it has high detection efficiency,reduces the controller’s computation overhead,and achieves a low false positive rate.

Key words: cloud environment, DDoS attack, software defined network, confidence-based filtering

中图分类号:

TP393

何亨,胡艳,郑良汉,薛正元. 云环境中基于SDN的高效DDoS攻击检测与防御方案[J]. 通信学报, 2018, 39(4): 139-151.

Heng HE,Yan HU,Lianghan ZHENG,Zhengyuan XUE. Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment[J]. Journal on Communications, 2018, 39(4): 139-151.

图/表 17

图1

图2

图3

图4

图5

表1

图6

图7

图8

图9

图10

图11

图12

图13

图14

表2

图15

参考文献 25

[1]	YAN Q , YU F R , GONG Q ,et al. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments:a survey,some research issues,and challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 602-622.
[2]	CHEN L C , LONGSTAFF T A , CARLEY K M . Characterization of defense mechanisms against distributed denial of service attacks[J]. Computers ＆ Security, 2004,23(8): 665-678.
[3]	PENG T , LECKIE C , RAMAMOHANARAO K . Survey of network-based defense mechanisms countering the DoS and DDoS problems[J]. ACM Computing Surveys, 2007,39(1): 3.
[4]	TARIQ U , HONG M P , LHEE K . A comprehensive categorization of DDoS attack and DDoS defense techniques[C]// International Conference on Advanced Data Mining and Applications. 2006: 1025-1036.
[5]	SPECHT S M , LEE R B . Distributed denial of service:taxonomies of attacks,tools,and countermeasures[C]// The 17th International Conference on Parallel and Distributed Computing Systems. 2004: 543-550.
[6]	KIM Y , LAU W C , CHUAH M C ,et al. PacketScore:a statistics-based packet filtering scheme against distributed denial-of-service attacks[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2006,3(2): 141-155.
[7]	胡汉卿 . 基于云计算DDoS攻击防御研究[D]. 南京:南京邮电大学, 2015.
	HU H Q . Research on DDoS attack defense based on cloud computing[D]. Nanjing:Nanjing University of Posts and Telecommunications, 2015.
[8]	DOU W , CHEN Q , CHEN J . A confidence-based filtering method for DDoS attack defense in cloud environment[J]. Future Generation Computer Systems, 2013,29(7): 1838-1850.
[9]	SHAMSOLMOALI P , ALAM M A , BISWAS R . C2DF:high rate DDOS filtering method in cloud computing[J]. International Journal of Computer Network ＆ Information Security, 2014,6(9): 43-50.
[10]	SAHI A , LAI D , LI Y ,et al. An efficient DDoS TCP flood attack detection and prevention system in a cloud environment[J]. IEEE Access, 2017,5: 6036-6048.
[11]	JEYANTHI N , BARDE U , SRAVANI M ,et al. Detection of distributed denial of service attacks in cloud computing by identifying spoofed IP[J]. International Journal of Communication Networks ＆ Distributed Systems, 2013,11(3): 262-279.
[12]	吴志军, 张东 . 低速率DDoS攻击的仿真和特征提取[J]. 通信学报, 2008,29(1): 71-76.
	WU Z J , ZHANG D . Simulation and feature extraction of low rate DDoS attacks[J]. Journal on Communications, 2008,29(1): 71-76.
[13]	NAVAZ A S S , SANGEETHA V , PRABHADEVI C . Entropy based anomaly detection system to prevent DDoS attacks in cloud[J]. International Journal of Computer Applications, 2013,62(15): 42-47.
[14]	WANG B , ZHENG Y , LOU W ,et al. DDoS attack protection in the era of cloud computing and software-defined networking[J]. Computer Networks, 2015,81(C): 308-319.
[15]	KALLIOLA A , LEE K , LEE H ,et al. Flooding DDoS mitigation and traffic management with software defined networking[C]// International Conference on Cloud Networking. 2015: 248-254.
[16]	ZHANG C , CAI Z , CHEN W ,et al. Flow level detection and filtering of low-rate DDoS[J]. Computer Networks the International Journal of Computer ＆ Telecommunications Networking, 2012,56(15): 3417-3431.
[17]	HOQUE N , BHATTACHARYYA D K , KALITA J K . A novel measure for low-rate and high-rate DDoS attack detection using multivariate data analysis[C]// International Conference on Communication Systems and Networks. 2016: 1-2.
[18]	孙义明, 杨丽萍 . 信息化战争中的战术数据链[M]. 北京: 北京邮电大学出版社, 2005.
	SUN Y M , YANG L P . Tactical data chain in information warfare[M]. Beijing: Beijing University of Posts and Telecommunications Press, 2005.
[19]	田开琳, 李明 . 一种可靠检测低速率DDoS攻击的异常检测系统[J]. 现代电子技术, 2009,32(7): 68-71.
	TIAN K L , LI M . An anomaly detection system for reliable detection of low rate DDoS attacks[J]. Modern Electronic Technology, 2009,32(7): 68-71.
[20]	左青云, 陈鸣, 赵广松 ,等. 基于 OpenFlow 的 SDN 技术研究[J]. 软件学报, 2013(5): 1078-1097.
	ZUO Q Y , CHEN M , ZHAO G S ,et al. Research of SDN technology based on OpenFlow[J]. Journal of Software, 2013(5): 1078-1097.
[21]	LIU T C , YANG B H , ZHANG Y ,et al. Data packet processing in SDN[P]. US20150281127, 2015.
[22]	FOUNDATION O N . Software-defined networking:the new norm for networks[R]. ONF White Paper, 2012.
[23]	NADEAU T D , GRAY K . 软件定义网络:SDN与OpenFlow解析[M]. 毕军,单业,张绍宇,等译.北京: 人民邮电出版社, 2014.
	NADEAU T D , GRAY K . Software defined network:SDN and OpenFlow parsing[M]. Translated by BI J,SHAN Y,ZHANG S Y,et al. Beijing: Posts ＆ Telecom Press, 2014.
[24]	MOUSAVI S M , STHILAIRE M . Early detection of DDoS attacks against SDN controllers[C]// International Conference on Computing,NETWORKING and Communications. 2015: 77-81.
[25]	LANTZ B , HELLER B , MCKEOWN N . A network in a laptop:rapid prototyping for software-defined networks[C]// ACM Workshop on Hot Topics in Networks. 2010: 1-6.

参数	参数描述	参数取值
Interval	时间间隔/s	1
WindowSize	窗口大小	50
AttackThreshold	攻击阈值	80
DiscardThreshold	丢弃阈值	0.3
AttackRatio	攻击比例	50%（非攻击状态下）
		25%（攻击状态下）

数据流类型	CPU占用率
数据流类型	SDCC	CBF
正常数据流	5.1%	7.7%
低速率式DDoS攻击数据流	7.2%	18.3%
洪泛式DDoS攻击数据流	15.8%	35.5%

云环境中基于SDN的高效DDoS攻击检测与防御方案

Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 17

参考文献 25

相关文章 15

Metrics

推荐阅读 0

[1]	王东滨, 吴东哲, 智慧, 郭昆, 张勖, 时金桥, 张宇, 陆月明. 软件定义网络抗拒绝服务攻击的流表溢出防护[J]. 通信学报, 2023, 44(2): 1-11.
[2]	沙宗轩, 霍如, 孙闯, 汪硕, 黄韬. 基于深度强化学习的转发效能感知流量调度算法[J]. 通信学报, 2022, 43(8): 30-40.
[3]	燕昺昊, 刘勤让, 沈剑良, 汤先拓, 梁栋. 软件定义网络中一种快速无循环路径迁移策略[J]. 通信学报, 2022, 43(5): 24-35.
[4]	吴平, 常朝稳, 左志斌, 马莹莹. 基于地址重载的SDN分组转发验证[J]. 通信学报, 2022, 43(3): 88-100.
[5]	李传煌, 陈泱婷, 唐晶晶, 楼佳丽, 谢仁华, 方春涛, 王伟明, 陈超. QL-STCT：一种SDN链路故障智能路由收敛方法[J]. 通信学报, 2022, 43(2): 131-142.
[6]	吴平, 常朝稳, 马莹莹. 基于端址重载的SDN包转发验证[J]. 通信学报, 2021, 42(7): 70-83.
[7]	常朝稳, 金建树, 韩培胜, 祝现威. 基于属性签名标识的SDN数据包转发验证方案[J]. 通信学报, 2021, 42(6): 131-144.
[8]	周启钊, 于俊清, 李冬. SDN控制层泛洪防御机制研究：检测与缓解[J]. 通信学报, 2021, 42(11): 41-53.
[9]	李硕朋, 方娟, 陈肯. 基于SRv6的确定性网络服务共享保护方案[J]. 通信学报, 2021, 42(10): 32-42.
[10]	姚蓝,兰巨龙. 基于联盟博弈的自适应SDN交换机迁移机制[J]. 通信学报, 2020, 41(8): 1-10.
[11]	王耀民,王霞,董易,张松海,施心陵. 基于斐波那契树优化算法的数据中心流量调度策略[J]. 通信学报, 2020, 41(6): 112-127.
[12]	韩珍珍,赵国锋,徐川,周文涛,周洋洋. 基于时延的LEO卫星网络SDN控制器动态放置方法[J]. 通信学报, 2020, 41(3): 126-135.
[13]	赖英旭,蒲叶玮,刘静. 基于最小代价路径的交换机迁移方法研究[J]. 通信学报, 2020, 41(2): 131-142.
[14]	柯文龙,王勇,叶苗,陈俊奇. Ceph云存储网络中一种业务优先级区分的多播流调度方法[J]. 通信学报, 2020, 41(11): 40-51.
[15]	张海波,王子心,贺晓帆. SDN和MEC架构下V2X卸载与资源分配[J]. 通信学报, 2020, 41(1): 114-124.