SDN控制层泛洪防御机制研究：检测与缓解

doi:10.11959/j.issn.1000-436x.2021191

摘要/Abstract

摘要：

针对SDN控制层中的欺骗式泛洪防御问题，提出控制器防御机制（CDM），主要包括基于关键特征多分类的泛洪检测机制和基于SAVI的泛洪缓解机制2个方面。在泛洪检测方面提出控制层泛洪关键特征解析模块，利用Boosting算法将各个关键特征弱分类器加权叠加形成增强型分类器，通过不断降低计算中的残差，达到更准确分类针对控制层的欺骗式泛洪攻击的效果。在泛洪缓解方面，CDM部署基于SAVI的泛洪缓解机制，以绑定和验证的模式为基础执行泛洪数据包的路径过滤，同时以动态轮询的模式实现泛洪攻击安全保障和接入层交换机泛洪关键特征数据的更新，降低冗余的模型更新负载。实验结果表明，所提方法具备开销低、精度高的特点，有效地增加了控制层的安全性，减少了欺骗式泛洪攻击主机分类的时间和对应控制器CPU的消耗。

关键词: 软件定义网络, 控制层防护, 泛洪检测, 源地址验证

Abstract:

Aiming at the problem of spoofing flood defense in the control layer of SDN, a controller defense mechanism (CDM)was proposed, including a flood detection mechanism based on key features multi-classification and a flood mitigation mechanism based on SAVI.The flood feature analysis module of the control layer was designed for flood detection, and boosting algorithm was used to overlay each feature weak classifier to form an enhanced classifier, which can achieve more accurate classification spoofing flooding attack effect by continuously reducing the residual in the calculation.In CDM, a flood mitigation mechanism based on SAVI was deployed to realize flood mitigation, which performed flood packet path filtering based on binding-verification mode, and updated the flood features of access layer switches with dynamic polling mode to reduce redundant model update load.The experimental results show that the proposed method has the characteristics of low overhead and high precision.CDM effectively increases the security of the control layer, and reduces the time of host classification of spoofing flood attack and the CPU consumption of corresponding controller.

Key words: software defined network, control layer protection, flood detection, source address validation

中图分类号:

TP393

周启钊, 于俊清, 李冬. SDN控制层泛洪防御机制研究：检测与缓解[J]. 通信学报, 2021, 42(11): 41-53.

Qizhao ZHOU, Junqing YU, Dong LI. Research on flood defense mechanism of SDN control layer:detection and mitigation[J]. Journal on Communications, 2021, 42(11): 41-53.

图/表 20

图1

图2

图3

图4

图5

图6

图7

表1

XGBoost增强型分类器符号说明"

符号	说明
ζ(Φ)	由多维特征构成的控制层泛洪检测目标数据包
y_i	累加模型的输出
f_k	控制层攻击检测特征
$\sum_{i} l ({\hat{y}}_{i}, y_{i})$	误差函数，使攻击检测模型越来越贴合实验训练数据
$\sum_{k} Ω (f_{k})$	分类检测树的复杂度函数，其值越小复杂度越低，泛化能力越强
γ,λ	正则化函数分裂参数
T	泛洪检测特征叶子节点的个数
w	节点的数值

表1

图8

图9

图10

表2

图11

图12

表3

表4

表5

φ-熵值异常流警报模型最小熵阈值测定"

特征	背景流量的最小熵（minN）	攻击流量A的最大熵（maxA）	$\frac{min N +max A}{2}$
sIP	2.606 9	2.898 7	2.752 8
sPort	2.106 8	2.567 7	2.3372 5

表5

表6

φ-熵值异常流警报模型最大熵阈值测定"

特征	背景流量的最大熵（maxN）	攻击流量A的最小熵（minA）	$\frac{max N + min A}{2}$
dIP	2.424 6	2.192 3	2.308 45
dPort	2.151 3	1.894 8	2.023 05

表6

图13

图14

参考文献 34

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[2]	黄韬, 刘江, 魏亮 ,等. 软件定义网络核心原理与应用实践[J]. 通信学报, 2015,36(3): 288.
	HUANG T , LIU J , WEI L ,et al. SDN core principles and application practice[J]. Journal on Communications, 2015,36(3): 288.
[3]	KUMAR P , TRIPATHI M , NEHRA A ,et al. SAFETY:early detection and mitigation of TCP SYN flood utilizing entropy in SDN[J]. IEEE Transactions on Network and Service Management, 2018,15(4): 1545-1559.
[4]	GAO D Y , LIU Z H , LIU Y ,et al. Defending against Packet-In messages flooding attack under SDN context[J]. Soft Computing, 2018,22(20): 6797-6809.
[5]	RAVI N , SHALINIE S M , LAL C ,et al. AEGIS:detection and mitigation of TCP SYN flood on SDN controller[J]. IEEE Transactions on Network and Service Management, 2021,18(1): 745-759.
[6]	DANG V T , HUONG T T , THANH N H ,et al. SDN-based SYN proxy—a solution to enhance performance of attack mitigation under TCP SYN flood[J]. The Computer Journal, 2019,62(4): 518-534.
[7]	AL MHDAWI A K , AL-RAWESHIDY H S , . iPRDR:intelligent power reduction decision routing protocol for big traffic flood in hybrid-SDN architecture[J]. IEEE Access, 2018,6: 10944-10955.
[8]	MOHAMMADI R , CONTI M , LAL C ,et al. SYN-Guard:an effective counter for SYN flooding attack in software-defined networking[J]. International Journal of Communication Systems, 2019,32(17): e4061.
[9]	DERHAB A , GUERROUMI M , GUMAEI A ,et al. Blockchain and random subspace learning-based IDS for SDN-enabled industrial IoT security[J]. Sensors (Basel,Switzerland), 2019,19(14): 3119.
[10]	XIANG S Q , ZHU H B , XIAO L L ,et al. Modeling and verifying TopoGuard in OpenFlow-based software defined networks[C]// Proceedings of 2018 International Symposium on Theoretical Aspects of Software Engineering (TASE). Piscataway:IEEE Press, 2018: 84-91.
[11]	KAZEMANIAN P , CHANG M , ZENG H Y ,et al. Real time network policy checking using header space analysis[C]// Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI '13). Berkeley:USENIX Association, 2013: 99-111.
[12]	TUAN N N , HUNG P H , NGHIA N D ,et al. A robust TCP-SYN flood mitigation scheme using machine learning based on SDN[C]// Proceedings of 2019 International Conference on Information and Communication Technology Convergence (ICTC). Piscataway:IEEE Press, 2019: 363-368.
[13]	SEMERCI M , CEMGIL A T , SANKUR B . An intelligent cyber security system against DDoS attacks in SIP networks[J]. Computer Networks, 2018,136: 137-154.
[14]	GARG S , KAUR K , KUMAR N ,et al. Hybrid deep-learning-based anomaly detection scheme for suspicious flow detection in SDN:a social multimedia perspective[J]. IEEE Transactions on Multimedia, 2019,21(3): 566-578.
[15]	PHAAL P , PANCHEN S , MCKEE N . InMon corporation’s flow:a method for monitoring traffic in switched and routed networks[R]. 2001.
[16]	CICIO?LU M , ?ALHAN A , . HUBsFLOW:a novel interface protocol for SDN-enabled WBANs[J]. Computer Networks, 2019,160: 105-117.
[17]	PANDA A , SAMAL S S , TURUK A K ,et al. Dynamic hard timeout based flow table management in openflow enabled SDN[C]// Proceedings of 2019 International Conference on Vision Towards Emerging Trends in Communication and Networking (ViTECoN). Piscataway:IEEE Press, 2019: 1-6.
[18]	SHIRALI-SHAHREZA S , GANJALI Y . Delayed installation and expedited eviction:an alternative approach to reduce flow table occupancy in SDN switches[J]. IEEE/ACM Transactions on Networking, 2018,26(4): 1547-1561.
[19]	BASTA A , BLENK A , HOFFMANN K ,et al. Towards a cost optimal design for a 5G mobile core network based on SDN and NFV[J]. IEEE Transactions on Network and Service Management, 2017,14(4): 1061-1075.
[20]	SCHNEPF N , BADONNEL R , LAHMADI A ,et al. Synaptic:a formal checker for SDN-based security policies[C]// Proceedings of NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium. Piscataway:IEEE Press, 2018: 1-2.
[21]	CHEN T , TONG H , BENESTY M . Xgboost:extreme gradient boosting[C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining - KDD '16. New York:ACM Press, 2016: 1615-1624.
[22]	ELSAYED M S , LE-KHAC N A , JURCUT A D . InSDN:a novel SDN intrusion dataset[J]. IEEE Access, 2020,8: 165263-165284.
[23]	ZHOU Q Z , YU J Q , LI D . A dynamic and lightweight framework to secure source addresses in the SDN-based networks[J]. Computer Networks, 2021,193: 108075.
[24]	BI J , WU J , YAO G ,et al. Source address validation improvement (SAVI) solution for DHCP[R]. RFC Editor, 2015.
[25]	WU J , BI J , BAGNULO M ,et al. Source address validation improvement (SAVI) framework[R]. RFC Editor, 2013.
[26]	LIU B Y , BI J , ZHOU Y . Source address validation in software defined networks[C]// Proceedings of Proceedings of the 2016 ACM SIGCOMM Conference. New York:ACM Press, 2016: 595-596.
[27]	CHEN G L , HU G W , JIANG Y ,et al. SAVSH:IP source address validation for SDN hybrid networks[C]// Proceedings of 2016 IEEE Symposium on Computers and Communication (ISCC). Piscataway:IEEE Press, 2016: 409-414.
[28]	LI C L , WU Q , LI H W ,et al. SDN-Ti:a general solution based on SDN to attacker traceback and identification in IPv6 networks[C]// Proceedings of ICC 2019 - 2019 IEEE International Conference on Communications (ICC). Piscataway:IEEE Press, 2019: 1-7.
[29]	WU Y C , TSENG H R , YANG W ,et al. DDoS detection and traceback with decision tree and grey relational analysis[C]// Proceedings of 2009 3rd International Conference on Multimedia and Ubiquitous Engineering. Piscataway:IEEE Press, 2009: 306-314.
[30]	BELGIU M , DR?GU? L , . Random forest in remote sensing:a review of applications and future directions[J]. ISPRS Journal of Photogrammetry and Remote Sensing, 2016,114: 24-31.
[31]	ZHANG S C , LI X L , ZONG M ,et al. Efficient kNN classification with different numbers of nearest neighbors[J]. IEEE Transactions on Neural Networks and Learning Systems, 2018,29(5): 1774-1785.
[32]	CHU S C , DAO T K , PAN J S ,et al. Identifying correctness data scheme for aggregating data in cluster heads of wireless sensor network based on naive Bayes classification[J]. EURASIP Journal on Wireless Communications and Networking, 2020,2020(1): 52.
[33]	WANG H W , GU J , WANG S S . An effective intrusion detection framework based on SVM with feature augmentation[J]. Knowledge-Based Systems, 2017,136: 130-139.
[34]	WANG J X , QI H , HE Y ,et al. FlowTracer:an effective flow trajectory detection solution based on probabilistic packet tagging in SDN-enabled networks[J]. IEEE Transactions on Network and Service Management, 2019,16(4): 1884-1898.

算法	准确率	召回率	F1-Score
XGBOOST	96.03%	92.08%	94.01%
DT	95.28%	92.52%	93.88%
SVM	94.79%	90.91%	92.81%
KNN	93.17%	60.11%	73.08%
RF	68.53%	90.03%	77.82%
NB	71.25%	96.56%	81.99%

背景流量	平均熵	标准差	最小熵	最大熵
sIP	2.612	0.005 1	2.606 9	2.617 1
sPort	2.134	0.027 2	2.106 8	2.161 2
dIP	2.406	0.018 6	2.387 4	2.424 6
dPort	2.126	0.025 3	2.100 7	2.151 3

泛洪攻击	平均熵	标准差	最小熵	最大熵
sIP	2.879	0.019 7	2.859 3	2.898 7
sPort	2.539	0.028 7	2.510 3	2.567 7
dIP	2.205	0.012 7	2.192 3	2.217 7
dPort	1.904	0.009 2	1.894 8	1.913 2