Journal on Communications ›› 2021, Vol. 42 ›› Issue (11): 41-53. doi: 10.11959/j.issn.1000-436x.2021191
Qizhao ZHOU1, Junqing YU1,2, Dong LI2
Revised: 2021-09-13
Online: 2021-11-25
Published: 2021-11-01
About the authors: Qizhao ZHOU (born 1991), male, from Changsha, Hunan, is a Ph.D. candidate at Huazhong University of Science and Technology; his main research interests are machine learning, software-defined networking and network security.
Abstract:
To address the spoofed-flooding defense problem in the SDN control layer, a controller defense mechanism (CDM) is proposed. It consists of two parts: a flooding detection mechanism based on multi-class classification of key features, and a flooding mitigation mechanism based on SAVI. For detection, a control-layer flooding key-feature parsing module is proposed; a Boosting algorithm weights and stacks the weak classifier of each key feature into an enhanced classifier and, by continuously reducing the residual during computation, classifies spoofed flooding attacks against the control layer more accurately. For mitigation, CDM deploys a SAVI-based flooding mitigation mechanism that performs path filtering of flooding packets on the basis of a binding-and-validation model, while a dynamic polling model provides protection against flooding attacks and updates the flooding key-feature data of the access-layer switches, reducing redundant model-update load. Experimental results show that the proposed method has low overhead and high accuracy, effectively improves the security of the control layer, and reduces both the time needed to classify spoofed-flooding attack hosts and the corresponding controller CPU consumption.
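The abstract describes mitigation as binding-and-validation path filtering at the access-layer switch, with per-switch key-feature data collected by dynamic polling. The following Python model is an added illustration of that SAVI-style idea, not the paper's CDM code: bindings of (port, MAC, IP) are assumed to be learned from DHCP assignments, every packet's source triple must match a binding to be forwarded, and the per-port spoof-drop counters are exposed through a poll that resets them. All bindings, addresses and packets are constructed sample data, and the class and function names are this example's own.

```python
"""SAVI-style binding-and-validation filter at an access-layer switch (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_port: int
    src_mac: str
    src_ip: str


@dataclass
class AccessSwitch:
    """Access-layer switch holding a SAVI binding table: port -> {(MAC, IP)}."""
    bindings: Dict[int, Set[Tuple[str, str]]] = field(default_factory=dict)
    forwarded: int = 0
    drops_per_port: Dict[int, int] = field(default_factory=dict)

    def bind(self, port: int, mac: str, ip: str) -> None:
        """Install a binding, e.g. when a DHCP ACK for (mac, ip) is seen on port."""
        self.bindings.setdefault(port, set()).add((mac, ip))

    def release(self, port: int, mac: str, ip: str) -> None:
        """Remove a binding when the lease ends or the host leaves the port."""
        self.bindings.get(port, set()).discard((mac, ip))

    def validate(self, pkt: Packet) -> bool:
        """Path filtering: forward only if the source triple matches a binding
        on the ingress port; otherwise drop and count the drop for that port."""
        allowed = (pkt.src_mac, pkt.src_ip) in self.bindings.get(pkt.in_port, set())
        if allowed:
            self.forwarded += 1
        else:
            self.drops_per_port[pkt.in_port] = self.drops_per_port.get(pkt.in_port, 0) + 1
        return allowed

    def poll_features(self) -> Dict[int, int]:
        """Dynamic polling: hand the per-port spoof-drop counters to the controller
        as a key feature and reset them, so each poll reports only new activity."""
        snapshot = dict(self.drops_per_port)
        self.drops_per_port.clear()
        return snapshot


def run_demo() -> Tuple[int, Dict[int, int], Dict[int, int]]:
    """Run constructed traffic through the filter; returns
    (forwarded count, first poll result, second poll result)."""
    sw = AccessSwitch()
    # Constructed bindings, as if learned from DHCP on two access ports.
    sw.bind(1, "00:11:22:33:44:01", "10.0.0.10")
    sw.bind(2, "00:11:22:33:44:02", "10.0.0.20")
    traffic: List[Packet] = [
        Packet(1, "00:11:22:33:44:01", "10.0.0.10"),   # legitimate host on port 1
        Packet(2, "00:11:22:33:44:02", "10.0.0.20"),   # legitimate host on port 2
        Packet(2, "00:11:22:33:44:02", "10.0.0.10"),   # port 2 claiming port 1's IP
        Packet(2, "00:11:22:33:44:99", "10.0.0.20"),   # port 2 with an unbound MAC
        Packet(2, "00:11:22:33:44:02", "192.0.2.77"),  # port 2 with a random source IP
        Packet(3, "00:11:22:33:44:03", "10.0.0.30"),   # port 3 has no binding at all
    ]
    for pkt in traffic:
        sw.validate(pkt)
    first_poll = sw.poll_features()   # {2: 3, 3: 1}
    # A second poll with no new traffic reports nothing: counters were reset.
    second_poll = sw.poll_features()  # {}
    return sw.forwarded, first_poll, second_poll


if __name__ == "__main__":
    print(run_demo())
```

Only the filtering and polling steps are modelled here; in the abstract's design the polled per-switch features are what the controller's boosting-based classifier consumes, and that classifier is not part of this example.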
Qizhao ZHOU, Junqing YU, Dong LI. Research on flood defense mechanism of SDN control layer: detection and mitigation[J]. Journal on Communications, 2021, 42(11): 41-53.