云环境中基于SDN的高效DDoS攻击检测与防御方案

doi:10.11959/j.issn.1000-436x.2018068

Abstract

Abstract:

For addressing the problem of two typical types of distributed denial of service (DDoS) attacks in cloud environment,a DDoS attack detection and prevention scheme called SDCC based on software defined network (SDN) architecture was proposed.SDCC used a combination of bandwidth detection and data flow detection,utilized confidence-based filtering (CBF) method to calculate the CBF score of packets,judged the packet of CBF score below the threshold as an attacking packet,added its attribute information to the attack flow feature library,and sent the flow table to intercept it through SDN controller.Simulation results show that SDCC can detect and prevent different types of DDoS attacks effectively,and it has high detection efficiency,reduces the controller’s computation overhead,and achieves a low false positive rate.

Key words: cloud environment, DDoS attack, software defined network, confidence-based filtering

CLC Number:

TP393

Heng HE,Yan HU,Lianghan ZHENG,Zhengyuan XUE. Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment[J]. Journal on Communications, 2018, 39(4): 139-151.

Figures/Tables 17

References 25

[1]	YAN Q , YU F R , GONG Q ,et al. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments:a survey,some research issues,and challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 602-622.
[2]	CHEN L C , LONGSTAFF T A , CARLEY K M . Characterization of defense mechanisms against distributed denial of service attacks[J]. Computers ＆ Security, 2004,23(8): 665-678.
[3]	PENG T , LECKIE C , RAMAMOHANARAO K . Survey of network-based defense mechanisms countering the DoS and DDoS problems[J]. ACM Computing Surveys, 2007,39(1): 3.
[4]	TARIQ U , HONG M P , LHEE K . A comprehensive categorization of DDoS attack and DDoS defense techniques[C]// International Conference on Advanced Data Mining and Applications. 2006: 1025-1036.
[5]	SPECHT S M , LEE R B . Distributed denial of service:taxonomies of attacks,tools,and countermeasures[C]// The 17th International Conference on Parallel and Distributed Computing Systems. 2004: 543-550.
[6]	KIM Y , LAU W C , CHUAH M C ,et al. PacketScore:a statistics-based packet filtering scheme against distributed denial-of-service attacks[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2006,3(2): 141-155.
[7]	胡汉卿 . 基于云计算DDoS攻击防御研究[D]. 南京:南京邮电大学, 2015.
	HU H Q . Research on DDoS attack defense based on cloud computing[D]. Nanjing:Nanjing University of Posts and Telecommunications, 2015.
[8]	DOU W , CHEN Q , CHEN J . A confidence-based filtering method for DDoS attack defense in cloud environment[J]. Future Generation Computer Systems, 2013,29(7): 1838-1850.
[9]	SHAMSOLMOALI P , ALAM M A , BISWAS R . C2DF:high rate DDOS filtering method in cloud computing[J]. International Journal of Computer Network ＆ Information Security, 2014,6(9): 43-50.
[10]	SAHI A , LAI D , LI Y ,et al. An efficient DDoS TCP flood attack detection and prevention system in a cloud environment[J]. IEEE Access, 2017,5: 6036-6048.
[11]	JEYANTHI N , BARDE U , SRAVANI M ,et al. Detection of distributed denial of service attacks in cloud computing by identifying spoofed IP[J]. International Journal of Communication Networks ＆ Distributed Systems, 2013,11(3): 262-279.
[12]	吴志军, 张东 . 低速率DDoS攻击的仿真和特征提取[J]. 通信学报, 2008,29(1): 71-76.
	WU Z J , ZHANG D . Simulation and feature extraction of low rate DDoS attacks[J]. Journal on Communications, 2008,29(1): 71-76.
[13]	NAVAZ A S S , SANGEETHA V , PRABHADEVI C . Entropy based anomaly detection system to prevent DDoS attacks in cloud[J]. International Journal of Computer Applications, 2013,62(15): 42-47.
[14]	WANG B , ZHENG Y , LOU W ,et al. DDoS attack protection in the era of cloud computing and software-defined networking[J]. Computer Networks, 2015,81(C): 308-319.
[15]	KALLIOLA A , LEE K , LEE H ,et al. Flooding DDoS mitigation and traffic management with software defined networking[C]// International Conference on Cloud Networking. 2015: 248-254.
[16]	ZHANG C , CAI Z , CHEN W ,et al. Flow level detection and filtering of low-rate DDoS[J]. Computer Networks the International Journal of Computer ＆ Telecommunications Networking, 2012,56(15): 3417-3431.
[17]	HOQUE N , BHATTACHARYYA D K , KALITA J K . A novel measure for low-rate and high-rate DDoS attack detection using multivariate data analysis[C]// International Conference on Communication Systems and Networks. 2016: 1-2.
[18]	孙义明, 杨丽萍 . 信息化战争中的战术数据链[M]. 北京: 北京邮电大学出版社, 2005.
	SUN Y M , YANG L P . Tactical data chain in information warfare[M]. Beijing: Beijing University of Posts and Telecommunications Press, 2005.
[19]	田开琳, 李明 . 一种可靠检测低速率DDoS攻击的异常检测系统[J]. 现代电子技术, 2009,32(7): 68-71.
	TIAN K L , LI M . An anomaly detection system for reliable detection of low rate DDoS attacks[J]. Modern Electronic Technology, 2009,32(7): 68-71.
[20]	左青云, 陈鸣, 赵广松 ,等. 基于 OpenFlow 的 SDN 技术研究[J]. 软件学报, 2013(5): 1078-1097.
	ZUO Q Y , CHEN M , ZHAO G S ,et al. Research of SDN technology based on OpenFlow[J]. Journal of Software, 2013(5): 1078-1097.
[21]	LIU T C , YANG B H , ZHANG Y ,et al. Data packet processing in SDN[P]. US20150281127, 2015.
[22]	FOUNDATION O N . Software-defined networking:the new norm for networks[R]. ONF White Paper, 2012.
[23]	NADEAU T D , GRAY K . 软件定义网络:SDN与OpenFlow解析[M]. 毕军,单业,张绍宇,等译.北京: 人民邮电出版社, 2014.
	NADEAU T D , GRAY K . Software defined network:SDN and OpenFlow parsing[M]. Translated by BI J,SHAN Y,ZHANG S Y,et al. Beijing: Posts ＆ Telecom Press, 2014.
[24]	MOUSAVI S M , STHILAIRE M . Early detection of DDoS attacks against SDN controllers[C]// International Conference on Computing,NETWORKING and Communications. 2015: 77-81.
[25]	LANTZ B , HELLER B , MCKEOWN N . A network in a laptop:rapid prototyping for software-defined networks[C]// ACM Workshop on Hot Topics in Networks. 2010: 1-6.

Metrics

Recommended 0

No Suggested Reading articles found!

参数	参数描述	参数取值
Interval	时间间隔/s	1
WindowSize	窗口大小	50
AttackThreshold	攻击阈值	80
DiscardThreshold	丢弃阈值	0.3
AttackRatio	攻击比例	50%（非攻击状态下）
		25%（攻击状态下）

数据流类型	CPU占用率
数据流类型	SDCC	CBF
正常数据流	5.1%	7.7%
低速率式DDoS攻击数据流	7.2%	18.3%
洪泛式DDoS攻击数据流	15.8%	35.5%

Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 17

References 25

Related Articles 15

Metrics

Recommended 0

[1]	Dongbin WANG, Dongzhe WU, Hui ZHI, Kun GUO, Xu ZHANG, Jinqiao SHI, Yu ZHANG, Yueming LU. Preventing flow table overflow against denial of service attack in software defined network [J]. Journal on Communications, 2023, 44(2): 1-11.
[2]	Zongxuan SHA, Ru HUO, Chuang SUN, Shuo WANG, Tao HUANG. Forwarding efficiency aware traffic scheduling algorithm based on deep reinforcement learning [J]. Journal on Communications, 2022, 43(8): 30-40.
[3]	Binghao YAN, Qinrang LIU, Jianliang SHEN, Xiantuo TANG, Dong LIANG. Fast loop-free path migration strategy in software defined network [J]. Journal on Communications, 2022, 43(5): 24-35.
[4]	Chuanhuang LI, Yangting CHEN, Jingjing TANG, Jiali LOU, Renhua XIE, Chuntao FANG, Weiming WANG, Chao CHEN. QL-STCT: an intelligent routing convergence method for SDN link failure [J]. Journal on Communications, 2022, 43(2): 131-142.
[5]	Qizhao ZHOU, Junqing YU, Dong LI. Research on flood defense mechanism of SDN control layer:detection and mitigation [J]. Journal on Communications, 2021, 42(11): 41-53.
[6]	Shuopeng LI, Juan FANG, Ken CHEN. DetNet service share protection scheme based on SRv6 [J]. Journal on Communications, 2021, 42(10): 32-42.
[7]	Haibo ZHANG,Zixin WANG,Xiaofan HE. V2X offloading and resource allocation under SDN and MEC architecture [J]. Journal on Communications, 2020, 41(1): 114-124.
[8]	Fang DONG,Yuxiang HU,Ou LI. Routing framework and creation algorithm in Ad Hoc based SDN [J]. Journal on Communications, 2019, 40(9): 33-44.
[9]	Zhongnan ZHAO,Jian WANG,Hongwei GUO. Adaptive routing and wavelength assignment method based on SDN [J]. Journal on Communications, 2019, 40(9): 95-105.
[10]	CHEN Xingshu,HUA Qiang,WANG Yitong,GE Long,ZHU Yi. Research on low-rate DDoS attack of SDN network in cloud environment [J]. Journal on Communications, 2019, 40(6): 210-222.
[11]	Hongyan QIAN,Hao XUE,Ming CHEN. UDM:NFV-based prevention mechanism against DDoS attack on SDN controller [J]. Journal on Communications, 2019, 40(3): 116-124.
[12]	Xianwei ZHU,Chaowen CHANG,Zhiqiang ZHU,Xi QIN. SDN control and forwarding method based on identity attribute [J]. Journal on Communications, 2019, 40(11): 1-18.
[13]	Junfeng TIAN,Liuling QI. DDoS attack detection method based on conditional entropy and GHSOM in SDN [J]. Journal on Communications, 2018, 39(8): 140-149.
[14]	Chuanhuang LI,Yan WU,Zhengzhe QIAN,Zhengjun SUN,Weiming WANG. DDoS attack detection and defense based on hybrid deep learning model in SDN [J]. Journal on Communications, 2018, 39(7): 176-187.
[15]	Tao HUANG,Jiang LIU,Chen ZHANG,Liang WEI,Yunjie LIU. Survey on SDN-based network testbeds [J]. Journal on Communications, 2018, 39(6): 155-168.