SDN环境下基于LightGBM的DDoS流量分类

软件定义网络(SDN)以其高度的网络可编程性和灵活性,通过将控制平面与数据平面解耦,克服了传统网络中存在的问题,近年来成为一种新的网络结构。但由于控制器是SDN的核心部分,因此更容易发生攻击,尤其是分布式拒绝服务攻击(DDoS),已经成为SDN环境的最大安全威胁。分布式拒绝服务(DDoS)攻击会使SDN控制器和交换机流表过载,导致网络性能下降,甚至瘫痪整个网络。检测攻击速度快、精度高,误报率低是解决DDoS攻击的关键。为此,我们通过公开的入侵检测数据集IDS2018,使用LightGBM算法训练DDoS分类模型,实现对正常流量和DDoS攻击流量的分类。对比XGBoost算法,改进后的LightGBM算法分类效果更好。使用虚拟环境Mininet构建SDN拓扑,使用Ryu作为SDN控制器。模拟DDoS攻击并通过sFlow RT收集攻击流量,利用训练好的DDoS流量分类模型进行检测,模型五折交叉验证AUC达到0.81。     

全要素SDN指纹攻击及其模糊混淆防御机制研究

软件定义网络（Software-Defined Networking，SDN）的"三层两接口"架构使攻击者可以通过分析数据包往返时延分布规律推测网络类型、控制器类型及关键流规则等指纹信息.目前SDN指纹攻击及其防御研究基本处于空白状态，为此，本文系统构建了全要素SDN指纹攻击链，并在双重时间维度分别设计了概率加扰和控制器混淆调度防御机制，通过渐变概率加扰与最优混淆调度协同提升SDN指纹信息隐藏度.实验结果表明该机制能够在有效隐藏SDN指纹信息的同时减少对网络性能的影响.     

基于SDN的DDoS攻击检测和防护机制研究

随着云计算和大数据等技术的发展,传统网络已经无法满足飞速发展的需求,软件定义网络(SDN)的出现带来了网络发展的变革,虽然SDN已经得到一定的应用,但是其仍处在研究完善阶段.本文阐述了SDN的关键技术以及主要协议,分析了SDN面临的安全问题,提出了一种基于流表特征的DDoS攻击检测方法,并给出了对应的攻击缓解方案.     

基于贝叶斯攻击图的SDN安全预测方法

现有研究者采用威胁建模和安全分析系统的方法评估和预测软件定义网络（software defined network, SDN）安全威胁,但该方法未考虑SDN控制器的漏洞利用概率以及设备在网络中的位置,安全评估不准确。针对以上问题,根据设备漏洞利用概率和设备关键度结合PageRank算法,设计了一种计算SDN中各设备重要性的算法;根据SDN攻击图和贝叶斯理论设计了一种度量设备被攻击成功概率的方法。在此基础上设计了一种基于贝叶斯攻击图的SDN安全预测算法,预测攻击者的攻击路径。实验结果显示,该方法能够准确预测攻击者的攻击路径,为安全防御提供更准确的依据。     

基于贝叶斯攻击图的SDN入侵意图识别算法的研究

针对目前已有的软件定义网络（SDN）安全预测方法中未考虑攻击代价以及控制器漏洞对SDN安全所产生的影响,提出了一种基于贝叶斯攻击图的SDN入侵意图识别算法。利用PageRank算法求出设备关键度,并与漏洞价值、攻击成本、攻击收益以及攻击偏好相结合构建攻击图,建立风险评估模型,对入侵路径进行预测。通过实验对比可以看出,所提模型能更准确地预测入侵路径,有效地保证安全预测的准确性,并为SDN的防御提供依据。     

一种基于软件定义网络的通信网络保护方法

为了应对互联网数据传输过程中的分布式拒绝服务攻击(DDoS),提高互联网数据传输的安全性,通过对SYN泛洪 攻击机理进行分析研究,提出应对SYN泛洪攻击较为有效的软件定义网络(SDN)防御机制,分析其防御机理,建立 SDN信息熵计算模型,并构建了实际仿真计算实验环境, 研究结果证明SDN能够较为快速有效的对SYN泛洪攻击进行防御,同时能够对类似于SYN攻击的其他DDoS攻击进行有效防御。     

SDN中一种基于熵值检测DDoS攻击的方法

软件定义网络(SDN)是一种新型的网络架构,特点是转发控制分离,可以自定义控制器软件。控制器集中控制是SDN的优点之一,但SDN特性也使得其自然成为分布式拒绝服务攻击(DDo S)的目标,容易造成管理网络功能的失效。文中提出了一种基于熵值的DDo S攻击检测算法,该算法利用控制器集中控制的特点,高效地处理数据包的信息,通过计算熵值,检测DDo S攻击并发出警报。实验表明该方法具有较高的准确度。     

一种SDN中基于熵值计算的异常流量检测方法

摘要：软件定义网络（software defined networking,SDN）是一种新型网络创新架构,其分离了控制平面与转发平面,使得网络管理更为灵活。借助SDN控制与转发分离的思想,在SDN基础上引入一个集中式安全中心,在数据平面设备上采集数据,用于对网络流量进行分析,通过熵值计算和分类算法判断异常流量行为。对于检测到的网络异常情况,安全中心通过与SDN控制器的接口通告SDN控制器上的安全处理模块,进行流表策略的下发,进而缓解网络异常行为。通过本系统可以在不影响SDN控制器性能的情况下,快速检测网络中的异常行为,并通过SDN下发流表策略对恶意攻击用户进行限制,同时对SDN控制器进行保护。     

SDN环境下基于条件熵的DDoS攻击检测研究

随着软件定义网络(SDN)研究的发展,其安全性越来越受到重视。由于集中控制和软件可编程的特点,使得SDN容易遭受分布式拒绝服务攻击(DDo S)攻击的威胁。针对基于信息熵的DDo S攻击检测方法的改进,文章提取了流表项中的TTL和源IP地址,得到相同TTL值下源IP地址的条件熵,进一步使用滑动窗口非参数CUSUM算法来分析熵值变化以检测DDo S攻击,最后运用仿真实验验证了其有效性。该方法拥有更低的误报率和更高的敏感度,占用资源少,检测速度快,非常适合SDN环境。     

融合DDoS威胁过滤与路由优化的SDN通信质量保障策略

提出了将DDoS威胁识别与路由优化有机结合的软件定义网络(SDN)通信质量保障策略,即在DDoS攻击造成部分网络链路拥塞的情况下,对异常数据分组进行识别过滤,同时生成最优路径,以保障网络通信质量.首先,设计了一种SDN架构下的分布式入侵检测系统,实现了对欺骗报文、异常报文以及破坏报文3类DDoS威胁的检测识别和过滤处理.其次,实现了一种最优路径的生成算法.实验测试结果表明,部署了通信质量保障策略的SDN可有效识别并滤除DDoS攻击数据分组,且处理过程中网络平均传输时延无激增.     

UDM:NFV-based prevention mechanism against DDoS attack on SDN controller

DDoS attack extensively existed have been mortal threats for the software-defined networking (SDN) controllers and there is no any security mechanism which can prevent them yet.Combining SDN and network function virtualization (NFV),a novel preventing mechanism against DDoS attacks on SDN controller called upfront detection middlebox (UDM) was proposed.The upfront detection middlebox was deployed between SDN switch interfaces and user hosts distributed,and DDoS attack packets were detected and denied.An NFV-based method of implementing the upfront middlebox was put forward,which made the UDM mechanism be economical and effective.A prototype system based on this mechanism was implemented and lots experiments were tested.The experimental results show that the UDM mechanism based on NFV can real-time and effectively detect and prevent against DDoS attacks on SDN controllers.     

TPAAD: Two-phase authentication system for denial of service attack detection and mitigation using machine learning in software-defined network

Software-defined networking (SDN) has received considerable attention and adoption owing to its inherent advantages, such as enhanced scalability, increased adaptability, and the ability to exercise centralized control. However, the control plane of the system is vulnerable to denial-of-service (DoS) attacks, which are a primary focus for attackers. These attacks have the potential to result in substantial delays and packet loss. In this study, we present a novel system called Two-Phase Authentication for Attack Detection that aims to enhance the security of SDN by mitigating DoS attacks. The methodology utilized in our study involves the implementation of packet filtration and machine learning classification techniques, which are subsequently followed by the targeted restriction of malevolent network traffic. Instead of completely deactivating the host, the emphasis lies on preventing harmful communication. Support vector machine and K-nearest neighbours algorithms were utilized for efficient detection on the CICDoS 2017 dataset. The deployed model was utilized within an environment designed for the identification of threats in SDN. Based on the observations of the banned queue, our system allows a host to reconnect when it is no longer contributing to malicious traffic. The experiments were run on a VMware Ubuntu, and an SDN environment was created using Mininet and the RYU controller. The results of the tests demonstrated enhanced performance in various aspects, including the reduction of false positives, the minimization of central processing unit utilization and control channel bandwidth consumption, the improvement of packet delivery ratio, and the decrease in the number of flow requests submitted to the controller. These results confirm that our Two-Phase Authentication for Attack Detection architecture identifies and mitigates SDN DoS attacks with low overhead.     

DDoS attack detection and defense based on hybrid deep learning model in SDN

Software defined network (SDN) is a new kind of network technology,and the security problems are the hot topics in SDN field,such as SDN control channel security,forged service deployment and external distributed denial of service (DDoS) attacks.Aiming at DDoS attack problem of security in SDN,a DDoS attack detection method called DCNN-DSAE based on deep learning hybrid model in SDN was proposed.In this method,when a deep learning model was constructed,the input feature included 21 different types of fields extracted from the data plane and 5 extra self-designed features of distinguishing flow types.The experimental results show that the method has high accuracy,it’s better than the traditional support vector machine (SVM) and deep neural network (DNN) and other machine learning methods.At the same time,the proposed method can also shorten the processing time of classification detection.The detection model is deployed in SDN controller,and the new security policy is sent to the OpenFlow switch to achieve the defense against specific DDoS attack.     

Secure access of resources in software‐defined networks using dynamic access control list

Software‐defined networking (SDN) creates a platform to dynamically configure the networks for on‐demand services. SDN can easily control the data plane and the control plane by implementing the decoupling concept. SDN controller will regulate the traffic flow and creates the new flow label based on the packet dump received from the OpenFlow virtual switches. SDN governs both data information and control information toward the destination based on flow label, but it does not contain security measure to restrict the malicious traffic. The malicious denial‐of‐service (DoS) attack traffic is generated inside the SDN environment; it leads to the service unavailability. This paper is mainly focused on the detection of DoS attacks and also mitigates the malicious traffic by dynamically configuring the firewall. The SDN with dynamic access control list properties is emulated by mininet, and the experimental results exemplify the service unavailable gap between acceptance and rejection ratio of the packets.     

软件定义网络中基于密码标识的报文转发验证机制

针对软件定义网络(SDN)中缺乏安全高效的数据来源验证机制问题,该文提出基于密码标识的报文转发验证机制。首先,建立基于密码标识的报文转发验证模型,将密码标识作为IP报文进出网络的通行证。其次,设计SDN批量匿名认证协议,将SDN控制器的验证功能下放给SDN交换机,由SDN交换机进行用户身份验证和密码标识验证,快速过滤伪造、篡改等非法报文,提高SDN控制器统一认证与管理效率,同时可为用户提供条件隐私保护。提出基于密码标识的任意节点报文抽样验证方案,任何攻击者无法通过推断采样来绕过报文检测,确保报文的真实性的同时降低其处理延迟。最后,进行安全性分析和性能评估。结果表明该机制能快速检测报文伪造和篡改及抵抗ID分析攻击,但同时引入了大约9.6%的转发延迟和低于10%的通信开销。     

Challenge-based collaborative intrusion detection in software-defined networking: an evaluation

Software-Defined Networking (SDN) is an emerging architecture that enables a computer network to be intelligently and centrally controlled via software applications. It can help manage the whole network environment in a consistent and holistic way, without the need of understanding the underlying network structure. At present, SDN may face many challenges like insider attacks, i.e., the centralized control plane would be attacked by malicious underlying devices and switches. To protect the security of SDN, effective detection approaches are indispensable. In the literature, challenge-based Collaborative Intrusion Detection Networks (CIDNs) are an effective detection framework in identifying malicious nodes. It calculates the nodes’ reputation and detects a malicious node by sending out a special message called a challenge. In this work, we devise a challenge-based CIDN in SDN and measure its performance against malicious internal nodes. Our results demonstrate that such a mechanism can be effective in SDN environments.     

Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment

For addressing the problem of two typical types of distributed denial of service (DDoS) attacks in cloud environment,a DDoS attack detection and prevention scheme called SDCC based on software defined network (SDN) architecture was proposed.SDCC used a combination of bandwidth detection and data flow detection,utilized confidence-based filtering (CBF) method to calculate the CBF score of packets,judged the packet of CBF score below the threshold as an attacking packet,added its attribute information to the attack flow feature library,and sent the flow table to intercept it through SDN controller.Simulation results show that SDCC can detect and prevent different types of DDoS attacks effectively,and it has high detection efficiency,reduces the controller’s computation overhead,and achieves a low false positive rate.     

Security in Software-Defined Networking: Threats and Countermeasures

In recent years, Software-Defined Networking (SDN) has been a focus of research. As a promising network architecture, SDN will possibly replace traditional networking, as it brings promising opportunities for network management in terms of simplicity, programmability, and elasticity. While many efforts are currently being made to standardize this emerging paradigm, careful attention needs to be also paid to security at this early design stage. This paper focuses on the security aspects of SDN. We begin by discussing characteristics and standards of SDN. On the basis of these, we discuss the security features as a whole and then analyze the security threats and countermeasures in detail from three aspects, based on which part of the SDN paradigm they target, i.e., the data forwarding layer, the control layer and the application layer. Countermeasure techniques that could be used to prevent, mitigate, or recover from some of such attacks are also described, while the threats encountered when developing these defensive mechanisms are highlighted.     

Collaborative Detection and Mitigation of Distributed Denial-of-Service Attacks on Software-Defined Network

Mobile Networks and Applications - This paper presents a collaborative technique to detect and mitigate Distributed Denial-of-Service (DDoS) flooding attacks on Software-Defined Network (SDN). This...