SDN控制层泛洪防御机制研究：检测与缓解

doi:10.11959/j.issn.1000-436x.2021191

Abstract

Abstract:

Aiming at the problem of spoofing flood defense in the control layer of SDN, a controller defense mechanism (CDM)was proposed, including a flood detection mechanism based on key features multi-classification and a flood mitigation mechanism based on SAVI.The flood feature analysis module of the control layer was designed for flood detection, and boosting algorithm was used to overlay each feature weak classifier to form an enhanced classifier, which can achieve more accurate classification spoofing flooding attack effect by continuously reducing the residual in the calculation.In CDM, a flood mitigation mechanism based on SAVI was deployed to realize flood mitigation, which performed flood packet path filtering based on binding-verification mode, and updated the flood features of access layer switches with dynamic polling mode to reduce redundant model update load.The experimental results show that the proposed method has the characteristics of low overhead and high precision.CDM effectively increases the security of the control layer, and reduces the time of host classification of spoofing flood attack and the CPU consumption of corresponding controller.

Key words: software defined network, control layer protection, flood detection, source address validation

CLC Number:

TP393

Qizhao ZHOU, Junqing YU, Dong LI. Research on flood defense mechanism of SDN control layer:detection and mitigation[J]. Journal on Communications, 2021, 42(11): 41-53.

Figures/Tables 20

符号	说明
ζ(Φ)	由多维特征构成的控制层泛洪检测目标数据包
y_i	累加模型的输出
f_k	控制层攻击检测特征
$\sum_{i} l ({\hat{y}}_{i}, y_{i})$	误差函数，使攻击检测模型越来越贴合实验训练数据
$\sum_{k} Ω (f_{k})$	分类检测树的复杂度函数，其值越小复杂度越低，泛化能力越强
γ,λ	正则化函数分裂参数
T	泛洪检测特征叶子节点的个数
w	节点的数值

特征	背景流量的最小熵（minN）	攻击流量A的最大熵（maxA）	$\frac{min N +max A}{2}$
sIP	2.606 9	2.898 7	2.752 8
sPort	2.106 8	2.567 7	2.3372 5

特征	背景流量的最大熵（maxN）	攻击流量A的最小熵（minA）	$\frac{max N + min A}{2}$
dIP	2.424 6	2.192 3	2.308 45
dPort	2.151 3	1.894 8	2.023 05

References 34

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[2]	黄韬, 刘江, 魏亮 ,等. 软件定义网络核心原理与应用实践[J]. 通信学报, 2015,36(3): 288.
	HUANG T , LIU J , WEI L ,et al. SDN core principles and application practice[J]. Journal on Communications, 2015,36(3): 288.
[3]	KUMAR P , TRIPATHI M , NEHRA A ,et al. SAFETY:early detection and mitigation of TCP SYN flood utilizing entropy in SDN[J]. IEEE Transactions on Network and Service Management, 2018,15(4): 1545-1559.
[4]	GAO D Y , LIU Z H , LIU Y ,et al. Defending against Packet-In messages flooding attack under SDN context[J]. Soft Computing, 2018,22(20): 6797-6809.
[5]	RAVI N , SHALINIE S M , LAL C ,et al. AEGIS:detection and mitigation of TCP SYN flood on SDN controller[J]. IEEE Transactions on Network and Service Management, 2021,18(1): 745-759.
[6]	DANG V T , HUONG T T , THANH N H ,et al. SDN-based SYN proxy—a solution to enhance performance of attack mitigation under TCP SYN flood[J]. The Computer Journal, 2019,62(4): 518-534.
[7]	AL MHDAWI A K , AL-RAWESHIDY H S , . iPRDR:intelligent power reduction decision routing protocol for big traffic flood in hybrid-SDN architecture[J]. IEEE Access, 2018,6: 10944-10955.
[8]	MOHAMMADI R , CONTI M , LAL C ,et al. SYN-Guard:an effective counter for SYN flooding attack in software-defined networking[J]. International Journal of Communication Systems, 2019,32(17): e4061.
[9]	DERHAB A , GUERROUMI M , GUMAEI A ,et al. Blockchain and random subspace learning-based IDS for SDN-enabled industrial IoT security[J]. Sensors (Basel,Switzerland), 2019,19(14): 3119.
[10]	XIANG S Q , ZHU H B , XIAO L L ,et al. Modeling and verifying TopoGuard in OpenFlow-based software defined networks[C]// Proceedings of 2018 International Symposium on Theoretical Aspects of Software Engineering (TASE). Piscataway:IEEE Press, 2018: 84-91.
[11]	KAZEMANIAN P , CHANG M , ZENG H Y ,et al. Real time network policy checking using header space analysis[C]// Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI '13). Berkeley:USENIX Association, 2013: 99-111.
[12]	TUAN N N , HUNG P H , NGHIA N D ,et al. A robust TCP-SYN flood mitigation scheme using machine learning based on SDN[C]// Proceedings of 2019 International Conference on Information and Communication Technology Convergence (ICTC). Piscataway:IEEE Press, 2019: 363-368.
[13]	SEMERCI M , CEMGIL A T , SANKUR B . An intelligent cyber security system against DDoS attacks in SIP networks[J]. Computer Networks, 2018,136: 137-154.
[14]	GARG S , KAUR K , KUMAR N ,et al. Hybrid deep-learning-based anomaly detection scheme for suspicious flow detection in SDN:a social multimedia perspective[J]. IEEE Transactions on Multimedia, 2019,21(3): 566-578.
[15]	PHAAL P , PANCHEN S , MCKEE N . InMon corporation’s flow:a method for monitoring traffic in switched and routed networks[R]. 2001.
[16]	CICIO?LU M , ?ALHAN A , . HUBsFLOW:a novel interface protocol for SDN-enabled WBANs[J]. Computer Networks, 2019,160: 105-117.
[17]	PANDA A , SAMAL S S , TURUK A K ,et al. Dynamic hard timeout based flow table management in openflow enabled SDN[C]// Proceedings of 2019 International Conference on Vision Towards Emerging Trends in Communication and Networking (ViTECoN). Piscataway:IEEE Press, 2019: 1-6.
[18]	SHIRALI-SHAHREZA S , GANJALI Y . Delayed installation and expedited eviction:an alternative approach to reduce flow table occupancy in SDN switches[J]. IEEE/ACM Transactions on Networking, 2018,26(4): 1547-1561.
[19]	BASTA A , BLENK A , HOFFMANN K ,et al. Towards a cost optimal design for a 5G mobile core network based on SDN and NFV[J]. IEEE Transactions on Network and Service Management, 2017,14(4): 1061-1075.
[20]	SCHNEPF N , BADONNEL R , LAHMADI A ,et al. Synaptic:a formal checker for SDN-based security policies[C]// Proceedings of NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium. Piscataway:IEEE Press, 2018: 1-2.
[21]	CHEN T , TONG H , BENESTY M . Xgboost:extreme gradient boosting[C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining - KDD '16. New York:ACM Press, 2016: 1615-1624.
[22]	ELSAYED M S , LE-KHAC N A , JURCUT A D . InSDN:a novel SDN intrusion dataset[J]. IEEE Access, 2020,8: 165263-165284.
[23]	ZHOU Q Z , YU J Q , LI D . A dynamic and lightweight framework to secure source addresses in the SDN-based networks[J]. Computer Networks, 2021,193: 108075.
[24]	BI J , WU J , YAO G ,et al. Source address validation improvement (SAVI) solution for DHCP[R]. RFC Editor, 2015.
[25]	WU J , BI J , BAGNULO M ,et al. Source address validation improvement (SAVI) framework[R]. RFC Editor, 2013.
[26]	LIU B Y , BI J , ZHOU Y . Source address validation in software defined networks[C]// Proceedings of Proceedings of the 2016 ACM SIGCOMM Conference. New York:ACM Press, 2016: 595-596.
[27]	CHEN G L , HU G W , JIANG Y ,et al. SAVSH:IP source address validation for SDN hybrid networks[C]// Proceedings of 2016 IEEE Symposium on Computers and Communication (ISCC). Piscataway:IEEE Press, 2016: 409-414.
[28]	LI C L , WU Q , LI H W ,et al. SDN-Ti:a general solution based on SDN to attacker traceback and identification in IPv6 networks[C]// Proceedings of ICC 2019 - 2019 IEEE International Conference on Communications (ICC). Piscataway:IEEE Press, 2019: 1-7.
[29]	WU Y C , TSENG H R , YANG W ,et al. DDoS detection and traceback with decision tree and grey relational analysis[C]// Proceedings of 2009 3rd International Conference on Multimedia and Ubiquitous Engineering. Piscataway:IEEE Press, 2009: 306-314.
[30]	BELGIU M , DR?GU? L , . Random forest in remote sensing:a review of applications and future directions[J]. ISPRS Journal of Photogrammetry and Remote Sensing, 2016,114: 24-31.
[31]	ZHANG S C , LI X L , ZONG M ,et al. Efficient kNN classification with different numbers of nearest neighbors[J]. IEEE Transactions on Neural Networks and Learning Systems, 2018,29(5): 1774-1785.
[32]	CHU S C , DAO T K , PAN J S ,et al. Identifying correctness data scheme for aggregating data in cluster heads of wireless sensor network based on naive Bayes classification[J]. EURASIP Journal on Wireless Communications and Networking, 2020,2020(1): 52.
[33]	WANG H W , GU J , WANG S S . An effective intrusion detection framework based on SVM with feature augmentation[J]. Knowledge-Based Systems, 2017,136: 130-139.
[34]	WANG J X , QI H , HE Y ,et al. FlowTracer:an effective flow trajectory detection solution based on probabilistic packet tagging in SDN-enabled networks[J]. IEEE Transactions on Network and Service Management, 2019,16(4): 1884-1898.

Metrics

Recommended 0

No Suggested Reading articles found!

算法	准确率	召回率	F1-Score
XGBOOST	96.03%	92.08%	94.01%
DT	95.28%	92.52%	93.88%
SVM	94.79%	90.91%	92.81%
KNN	93.17%	60.11%	73.08%
RF	68.53%	90.03%	77.82%
NB	71.25%	96.56%	81.99%

背景流量	平均熵	标准差	最小熵	最大熵
sIP	2.612	0.005 1	2.606 9	2.617 1
sPort	2.134	0.027 2	2.106 8	2.161 2
dIP	2.406	0.018 6	2.387 4	2.424 6
dPort	2.126	0.025 3	2.100 7	2.151 3

泛洪攻击	平均熵	标准差	最小熵	最大熵
sIP	2.879	0.019 7	2.859 3	2.898 7
sPort	2.539	0.028 7	2.510 3	2.567 7
dIP	2.205	0.012 7	2.192 3	2.217 7
dPort	1.904	0.009 2	1.894 8	1.913 2

Research on flood defense mechanism of SDN control layer:detection and mitigation

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 20

References 34

Related Articles 15

Metrics

Recommended 0

[1]	Dongbin WANG, Dongzhe WU, Hui ZHI, Kun GUO, Xu ZHANG, Jinqiao SHI, Yu ZHANG, Yueming LU. Preventing flow table overflow against denial of service attack in software defined network [J]. Journal on Communications, 2023, 44(2): 1-11.
[2]	Zongxuan SHA, Ru HUO, Chuang SUN, Shuo WANG, Tao HUANG. Forwarding efficiency aware traffic scheduling algorithm based on deep reinforcement learning [J]. Journal on Communications, 2022, 43(8): 30-40.
[3]	Binghao YAN, Qinrang LIU, Jianliang SHEN, Xiantuo TANG, Dong LIANG. Fast loop-free path migration strategy in software defined network [J]. Journal on Communications, 2022, 43(5): 24-35.
[4]	Chuanhuang LI, Yangting CHEN, Jingjing TANG, Jiali LOU, Renhua XIE, Chuntao FANG, Weiming WANG, Chao CHEN. QL-STCT: an intelligent routing convergence method for SDN link failure [J]. Journal on Communications, 2022, 43(2): 131-142.
[5]	Shuopeng LI, Juan FANG, Ken CHEN. DetNet service share protection scheme based on SRv6 [J]. Journal on Communications, 2021, 42(10): 32-42.
[6]	Haibo ZHANG,Zixin WANG,Xiaofan HE. V2X offloading and resource allocation under SDN and MEC architecture [J]. Journal on Communications, 2020, 41(1): 114-124.
[7]	Fang DONG,Yuxiang HU,Ou LI. Routing framework and creation algorithm in Ad Hoc based SDN [J]. Journal on Communications, 2019, 40(9): 33-44.
[8]	Zhongnan ZHAO,Jian WANG,Hongwei GUO. Adaptive routing and wavelength assignment method based on SDN [J]. Journal on Communications, 2019, 40(9): 95-105.
[9]	CHEN Xingshu,HUA Qiang,WANG Yitong,GE Long,ZHU Yi. Research on low-rate DDoS attack of SDN network in cloud environment [J]. Journal on Communications, 2019, 40(6): 210-222.
[10]	Xianwei ZHU,Chaowen CHANG,Zhiqiang ZHU,Xi QIN. SDN control and forwarding method based on identity attribute [J]. Journal on Communications, 2019, 40(11): 1-18.
[11]	Junfeng TIAN,Liuling QI. DDoS attack detection method based on conditional entropy and GHSOM in SDN [J]. Journal on Communications, 2018, 39(8): 140-149.
[12]	Chuanhuang LI,Yan WU,Zhengzhe QIAN,Zhengjun SUN,Weiming WANG. DDoS attack detection and defense based on hybrid deep learning model in SDN [J]. Journal on Communications, 2018, 39(7): 176-187.
[13]	Tao HUANG,Jiang LIU,Chen ZHANG,Liang WEI,Yunjie LIU. Survey on SDN-based network testbeds [J]. Journal on Communications, 2018, 39(6): 155-168.
[14]	Heng HE,Yan HU,Lianghan ZHENG,Zhengyuan XUE. Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment [J]. Journal on Communications, 2018, 39(4): 139-151.
[15]	Xi QIN,Guodong TANG,Chaowen CHANG. SDN security control and forwarding method based on cipher identification [J]. Journal on Communications, 2018, 39(2): 31-42.