SDN下基于深度学习混合模型的DDoS攻击检测与防御

doi:10.11959/j.issn.1000-436x.2018128

通信学报 ›› 2018, Vol. 39 ›› Issue (7): 176-187.doi: 10.11959/j.issn.1000-436x.2018128

SDN下基于深度学习混合模型的DDoS攻击检测与防御

李传煌,吴艳,钱正哲,孙正君,王伟明

浙江工商大学信息与电子工程学院，浙江杭州 310018

修回日期:2018-05-16 出版日期:2018-07-01 发布日期:2018-08-08
作者简介:李传煌（1980-），男，江西九江人，博士，浙江工商大学副教授、硕士生导师，主要研究方向为软件定义网络、深度学习、开放可编程网络、系统性能预测和分析模型。|吴艳（1995-），女，安徽宣城人，浙江工商大学硕士生，主要研究方向为软件定义网络、深度学习。|钱正哲（1994-），男，浙江杭州人，浙江工商大学硕士生，主要研究方向为软件定义网络、深度学习。|孙正君（1993-），男，安徽滁州人，浙江工商大学硕士生，主要研究方向为软件定义网络、深度学习。|王伟明（1964-），男，浙江遂昌人，博士，浙江工商大学教授、硕士生导师，主要研究方向为新一代网络架构、开放可编程网络。
基金资助:
国家重点研发计划基金资助项目(2017YFB0803202);目江省自然科学基金资助项目(LY18F010006);浙江省新型网络标准与应用技术重点实验室基金资助项目(2013E10012);浙江省重点研发计划基金资助项目(2017C03058)

DDoS attack detection and defense based on hybrid deep learning model in SDN

Chuanhuang LI,Yan WU,Zhengzhe QIAN,Zhengjun SUN,Weiming WANG

School of Information and Electronic Engineering,Zhejiang Gongshang University,Hangzhou 310018,China

Revised:2018-05-16 Online:2018-07-01 Published:2018-08-08
Supported by:
The National Key Research and Development Program of China(2017YFB0803202);The Natural Science Foundation of Zhejiang Province(LY18F010006);The Key Laboratory of New Network Standards and Technologies of Zhejiang Province(2013E10012);The National Key Research and Development Program of Zhejiang Province(2017C03058)

摘要/Abstract

摘要：

软件定义网络（SDN,software defined network）作为一种新兴的网络架构，其安全问题一直是SDN领域研究的热点，如SDN控制通道安全性、伪造服务部署及外部分布式拒绝服务（DDoS,distributed denial of service）攻击等。针对SDN安全中的外部DDoS攻击问题进行研究，提出了一种基于深度学习混合模型的DDoS攻击检测方法——DCNN-DSAE。该方法在构建深度学习模型时，输入特征除了从数据平面提取的21个不同类型的字段外，同时设计了能够区分流类型的5个额外流表特征。实验结果表明，该方法具有较高的精确度，优于传统的支持向量机和深度神经网络等机器学习方法，同时，该方法还可以缩短分类检测的处理时间。将该检测模型部署于控制器中，利用检测结果产生新的安全策略，下发到OpenFlow交换机中，以实现对特定DDoS攻击的防御。

关键词: 分布式拒绝服务, 软件定义网络, 攻击检测, 深度学习

Abstract:

Software defined network (SDN) is a new kind of network technology,and the security problems are the hot topics in SDN field,such as SDN control channel security,forged service deployment and external distributed denial of service (DDoS) attacks.Aiming at DDoS attack problem of security in SDN,a DDoS attack detection method called DCNN-DSAE based on deep learning hybrid model in SDN was proposed.In this method,when a deep learning model was constructed,the input feature included 21 different types of fields extracted from the data plane and 5 extra self-designed features of distinguishing flow types.The experimental results show that the method has high accuracy,it’s better than the traditional support vector machine (SVM) and deep neural network (DNN) and other machine learning methods.At the same time,the proposed method can also shorten the processing time of classification detection.The detection model is deployed in SDN controller,and the new security policy is sent to the OpenFlow switch to achieve the defense against specific DDoS attack.

Key words: distributed denial of service, software defined network, attack detection, deep learning

中图分类号:

TP393

李传煌,吴艳,钱正哲,孙正君,王伟明. SDN下基于深度学习混合模型的DDoS攻击检测与防御[J]. 通信学报, 2018, 39(7): 176-187.

Chuanhuang LI,Yan WU,Zhengzhe QIAN,Zhengjun SUN,Weiming WANG. DDoS attack detection and defense based on hybrid deep learning model in SDN[J]. Journal on Communications, 2018, 39(7): 176-187.

图/表 21

表1

表2

图1

图2

图3

图4

表3

图5

表4

表5

图6

图7

图8

图9

图10

表6

表7

图11

图12

表8

表9

参考文献 21

[1]	YAN Q , YU F R , GONG Q ,et al. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments:a survey,some research issues,and challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 602-622.
[2]	RADWARE.2017-2018 global application ＆ network security report[R]. 2018.
[3]	AKAMAI.[State of the Internet]/security Q4 2017 executive summary[R]. 2017.
[4]	VOELLMY A , WANG J . Scalable software defined network controllers[J]. ACM SIGCOMM Computer Communication Review, 2012,42(4): 289-290.
[5]	PENG T , LECKIE C , RAMAMOHANARAO K . Survey of network-based defense mechanisms countering the DoS and DDoS problems[J]. ACM Computing Surveys, 2007,39(1):3.
[6]	MIRKOVIC J , MARTIN J , REIHER P . A taxonomy of DDoS attacks and DDoS defense mechanisms[J]. ACM SIGCOMM Computer Communication Review, 2001,34(2): 39-53.
[7]	LI D , LI J , HUANG J ,et al. Recent advances in deep learning for speech research at Microsoft[C]// 2013 IEEE International Conference on Acoustics,Speech and Signal Processing. 2013: 8604-8608.
[8]	YU K , . Large-scale deep learning at Baidu[C]// 22nd ACM international conference on Information ＆ Knowledge Management. 2013: 2211-2212.
[9]	杨余旺, 杨静宇, 孙亚民 . 分布式拒绝服务攻击的实现机理及其防御研究[J]. 计算机工程与设计, 2004,25(5): 657-660.
	YANG Y W , YANG J Y , SUN Y M . Defense study and implementation mechanism of distributed denial of service attack[J]. Computer Engineering and Design, 2004,25(5): 657-660.
[10]	孟江涛, 冯登国, 薛锐 ,等. 分布式拒绝服务攻击的原理与防范[J]. 中国科学院大学学报, 2004,21(1): 90-94.
	MENG J T , FENG D G , XUE R ,et al. Distributed denial of service attacks:principle and defense[J]. Journal of the Graduate School of the Chinese Academy of Sciences, 2004,21(1): 90-94.
[11]	GIL T M , POLETTO M . MULTOPS:a data-structure for bandwidth attack detection[C]// 10th Usenix Security Symposium. 2001: 23-38.
[12]	MOUSAVI S M , ST-HILAIRE M , . Early detection of DDoS attacks against SDN controllers[C]// 2015 International Conference on Computing,Networking and Communications (ICNC). 2015: 77-81.
[13]	WANG R , JIA Z , JU L . An entropy-based distributed DDoS detection mechanism in software-defined networking[C]// 2015 IEEE Trustcom/BigDataSE/ISPA. 2015: 310-317.
[14]	JADIDI Z , MUTHUKKUMARASAMY V , SITHIRASENAN E ,et al. Flow-based anomaly detection using neural network optimized with GSA algorithm[C]// 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops. 2013: 76-81.
[15]	WINTER P , HERMANN E , ZEILINGER M . Inductive intrusiondetection in flow-based network data using one-class support vector machines[C]// 2011 4th IFIP International Conference on New Technologies,Mobility and Security. 2011: 1-5.
[16]	TRUNG P V , HUONG T T , DANG V T ,et al. A multi-criteria-based DDoS-attack prevention solution using software defined networking[C]// 2015 International Conference on Advanced Technologies for Communications (ATC). 2015: 308-313.
[17]	YUAN X Y , LI C H , LI X . DeepDefense:identifying DDoS attack via deep learning[C]// 2017 IEEE International Conference on Smart Computing (SMARTCOMP). 2017: 1-8.
[18]	李传煌, 孙正君, 袁小雍 ,等. 基于深度学习的实时 DDoS 攻击检测[J]. 电信科学, 2017,33(7): 53-65.
	LI C H , SUN Z J , YUAN X Y ,et al. Real-time DDoS attack detection based on deep learning[J]. Telecommunications Science, 2017,33(7): 53-65.
[19]	LIU C , SUN W , CHAO W . Convolution neural network for relation extraction[C]// International Conference on Advanced Data Mining and Applications (ADMA 2013). 2013: 231-242.
[20]	HINTON G E , SRIVASTAVA N , KRIZHEVSKY A ,et al. Improving neural networks by preventing co-adaptation of feature detectors[J]. Computer Science, 2012,3(4): 212-223.
[21]	SRIVASTAVA N , HINTON G , KRIZHEVSKY A ,et al. Dropout:a simple way to prevent neural networks from overfitting[J]. Journal of Machine Learning Research, 2014,15(1): 1929-1958.

特征名称	描述
durationSeconds	持续时间
packetCount	每条流中数据分组数量
byteCount	每条流中数据分组比特数
match.eth_type	匹配的以太网类型
match.eth_dst	匹配的以太网目的地址
match.eth_src	匹配的以太网源地址
match.in_port	匹配的入端口
priority	优先级
match.ipv4_src	匹配的源IP
match.ipv4_dst	匹配的目的IP
match.udp_dst	匹配的UDP目的端口
match.udp_dst	匹配的UDP源端口
match.tcp_dst	匹配的TCP目的端口
match.tcp_dst	匹配的TCP源端口
idleTimeoutSec	空闲超时
match.ip_proto	匹配的IP协议
durationNSeconds	持续时间
cookie	Cookie
tableId	表ID
hardTimeoutSec	严格超时
actions.actions	动作

特征名称	描述
growth rate of single flow (grsf)	单流增长速率
growth rate of different port (grdp)	不同端口增长速率
average packets per flow (appf)	流表平均数据分组量
average bytes per flow (abpf)	流表平均比特数
average durations per flow (adpf)	流量平均持续时间

数据集	正常流特征/条	DDoS流特征/条
训练集	43 000	47 000
测试集	28 000	32 000

模型名称							模型结构
	卷积层1	批标准化1	池化层1	卷积层2	批标准化2	池化层2	卷积层3	批标准化3	池化层3	全连接层（2）	全连接层（4）	激活函数
C3P2F2	1	1	1	1	1	1	1	0	0	1	0	ReLU,Softplus
C3P3F2	1	1	1	1	1	1	1	1	1	1	0	ReLU,Softplus
C2P2F2	1	1	1	1	1	1	0	0	0	1	0	ReLU,Softplus
C2P2F4	1	1	1	1	1	1	0	0	0	0	0	ReLU,Softplus

模型名称	Acc	P	R	F₁
C3P2F2	97.73%	98.11%	97.93%	97.30%
C3P3F2	97.74%	97.17%	97.22%	97.02%
C2P2F2	96.43%	97.42%	97.54%	96.93%
C2P2F4	96.37%	97.07%	96.98%	97.01%

SDN下基于深度学习混合模型的DDoS攻击检测与防御

DDoS attack detection and defense based on hybrid deep learning model in SDN

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 21

参考文献 21

相关文章 15

Metrics

推荐阅读 0

模型名称	Acc	P	R	F₁
SAE3	97.67%	97.41%	97.63%	97.30%
SAE4	98.11%	97.77%	97.74%	97.62%
SAE5	96.43%	97.72%	97.44%	96.95%

模型名称	Acc	P	R	F₁
SVM	96.72%	96.47%	95.84%	96.77%
DCNN-DSAE	98.53%	98.17%	97.94%	98.12%
C3P2F2	97.73%	98.11%	97.93%	97.30%
SAE4	97.44%	97.12%	97.87%	97.53%
DNN	94.47%	95.82%	93.74%	93.55%

特征数量/个	Acc	P	R	F₁
5	88.33%	89.15%	89.97%	90.07%
10	94.21%	94.19%	93.77%	94.04%
15	95.13%	95.20%	94.94%	94.85%
21	92.47%	92.57%	93.10%	92.20%
26	98.53%	98.17%	97.64%	98.12%
30	98.51%	98.20%	97.59%	98.11%

[1]	陈东昱, 陈华, 范丽敏, 付一方, 王舰. 基于深度学习的随机性检验策略研究[J]. 通信学报, 2023, 44(6): 23-33.
[2]	李荣鹏, 汪丙炎, 张宏纲, 赵志峰. 知识增强的语义通信接收端设计[J]. 通信学报, 2023, 44(6): 70-76.
[3]	马帅, 裴科, 祁华艳, 李航, 曹雯, 王洪梅, 熊海良, 李世银. 基于生成模型的地磁室内高精度定位算法研究[J]. 通信学报, 2023, 44(6): 211-222.
[4]	王东滨, 吴东哲, 智慧, 郭昆, 张勖, 时金桥, 张宇, 陆月明. 软件定义网络抗拒绝服务攻击的流表溢出防护[J]. 通信学报, 2023, 44(2): 1-11.
[5]	沙宗轩, 霍如, 孙闯, 汪硕, 黄韬. 基于深度强化学习的转发效能感知流量调度算法[J]. 通信学报, 2022, 43(8): 30-40.
[6]	杨洁, 董标, 付雪, 王禹, 桂冠. 基于轻量化分布式学习的自动调制分类方法[J]. 通信学报, 2022, 43(7): 134-142.
[7]	杨秀璋, 彭国军, 李子川, 吕杨琦, 刘思德, 李晨光. 基于Bert和BiLSTM-CRF的APT攻击实体识别及对齐研究[J]. 通信学报, 2022, 43(6): 58-70.
[8]	燕昺昊, 刘勤让, 沈剑良, 汤先拓, 梁栋. 软件定义网络中一种快速无循环路径迁移策略[J]. 通信学报, 2022, 43(5): 24-35.
[9]	廖勇, 王世义. 高速移动环境下基于RM-Net的大规模MIMO CSI反馈算法[J]. 通信学报, 2022, 43(5): 166-176.
[10]	廖育荣, 王海宁, 林存宝, 李阳, 方宇强, 倪淑燕. 基于深度学习的光学遥感图像目标检测研究进展[J]. 通信学报, 2022, 43(5): 190-203.
[11]	赵增华, 童跃凡, 崔佳洋. 基于域自适应的Wi-Fi指纹设备无关室内定位模型[J]. 通信学报, 2022, 43(4): 143-153.
[12]	吴平, 常朝稳, 左志斌, 马莹莹. 基于地址重载的SDN分组转发验证[J]. 通信学报, 2022, 43(3): 88-100.
[13]	李传煌, 陈泱婷, 唐晶晶, 楼佳丽, 谢仁华, 方春涛, 王伟明, 陈超. QL-STCT：一种SDN链路故障智能路由收敛方法[J]. 通信学报, 2022, 43(2): 131-142.
[14]	谢丽霞, 李雪鸥, 杨宏宇, 张良, 成翔. 基于样本特征强化的APT攻击多阶段检测方法[J]. 通信学报, 2022, 43(12): 66-76.
[15]	廖勇, 程港, 李玉杰. 基于深度展开的大规模MIMO系统CSI反馈算法[J]. 通信学报, 2022, 43(12): 77-88.

模型名称			模型结构
模型名称	自编码（128-64）	自编码（64-32）	自编码（32-16）	自编码（16-8）	自编码（8-4）	softmax
SAE3	1	1	1	0	0	1
SAE4	1	1	1	1	0	1
SAE5	1	1	1	1	1	1