Similar literature
 Found 20 similar documents; search took 15 milliseconds
1.
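Software-defined networking (SDN) defines routing in a programmable way and thoroughly overturns the traditional network architecture. By adopting a centralized topology, SDN effectively achieves global control of the network infrastructure. However, this centralized topology is highly vulnerable to network attacks, such as distributed denial-of-service attacks (Distributed Denial of Servic...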

2.
International Journal of Information Security - Rapid growth of network technologies necessitates the evolution and reconfiguration of network policies. The rigid nature of legacy networks is a...

3.
This paper presents a new spectral template-matching approach to countering shrew distributed denial-of-service (DDoS) attacks. These attacks are stealthy, periodic, pulsing, and low-rate in attack volume, very different from the flooding type of attacks. They are launched with high narrow spikes in very low frequency, periodically. Thus, shrew attacks may endanger the victim systems for a long time without being detected. In other words, such attacks may reduce the quality of services unnoticeably. Our defense method calls for collaborative detection and filtering (CDF) of shrew DDoS attacks. We detect shrew attack flows hidden in legitimate TCP/UDP streams by spectral analysis against a pre-stored template of average attack spectral characteristics. This novel scheme is suitable for either software or hardware implementation. The CDF scheme is implemented with the NS-2 network simulator using real-life Internet background traffic mixed with attack datasets used by established research groups. Our simulated results show high detection accuracy by merging alerts from cooperative routers. Both theoretical modeling and simulation experimental results are reported here. The experiments achieved up to 95% successful detection of network anomalies along with a low 10% false-positive alarm rate. The scheme cuts off malicious flows containing shrew attacks using a newly developed packet-filtering scheme. Our filtering scheme retained 99% of legitimate TCP flows, compared with only 20% of TCP flows retained by using the Drop Tail algorithm. The paper also considers DSP, FPGA, and network processor implementation issues and discusses limitations and further research challenges.

4.
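Software-defined networking is a brand-new network architecture whose main advantage is centralized control; however, a DDoS attack can make information unreachable and can easily cause a single point of failure. To identify DDoS attacks effectively, a DDoS attack detection method based on a BP neural network in an SDN environment is proposed. The method obtains the flow table entries of OpenFlow switches, analyzes the characteristics of DDoS attacks in the SDN environment, and extracts six important attack-related features, including the flow table match success rate and the flow entry rate. By analyzing changes in the six feature values, it uses the BP neural network algorithm to classify training samples and thereby detects DDoS attacks. Experimental results show that the method effectively improves the recognition rate while reducing detection time. Deployment in a software-defined network environment verifies the effectiveness of the method.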

5.
Security and availability of computer networks remain critical issues even with the constant evolution of communication technologies. In this core, traffic anomaly detection mechanisms need to be flexible to detect the growing spectrum of anomalies that may hinder proper network operation. In this paper, we argue that Software-defined Networking (SDN) provides a suitable environment for the design and implementation of more robust and comprehensive anomaly detection approaches. Aiming towards automated management to detect and prevent potential problems, we present an anomaly identification mechanism based on Discrete Wavelet Transform (DWT) and compare it with another detection model based on Random Forest. These methods generate a normal traffic profile, which is compared with actual real network traffic to recognize abnormal events. After a threat is detected, mitigation measures are activated so that the harmful effects of the malicious event are contained. We assess the effectiveness of the proposed anomaly detection methods and mitigation schemes using Distributed Denial of Service (DDoS) and port scan attacks. Our results confirm the effectiveness of both methods as well as the mitigation routines. In particular, the correspondence between the detection rates confirms that both methods enhance the detection of anomalous behavior by maintaining a satisfactory false-alarm rate.

6.
International Journal of Information Security - Software-defined networks (SDN) are no more a new technology as many industries are adopting it in a hybrid or full stack mode. SDN has already...

7.
The purpose of this paper is to develop a single mechanism of the adaptive routing of different types of traffic based on the current quality of service requirements. Software-defined networking is a technology of the future. The current development trend of communication systems constantly confirms this fact. However, to date, the use of this technology in its current form is only justified in large networks of major technology companies and service providers. Currently, a large number of dynamic routing protocols have been developed in communication networks. Our task is to create a solution that can make it possible to use the ability of each node to make a decision on the transmission of information by every possible means for each type of traffic. This task can be accomplished by solving the problem of the development of a generalized metric that characterizes the communication channels between devices in the network in detail and the problem of the development of a mechanism of adaptive network logical topology reconfiguration (route control) in order to ensure the high quality of service of the whole network that meets current quality requirements for a particular type of service.

8.
The Journal of Supercomputing - Software-defined networks have many benefits such as more control over the control plane and reduced operating costs through separating the control plane from the...

9.
To provide ubiquitous Internet access under the explosive increase of applications and data traffic, the current network architecture has become highly heterogeneous and complex, making network management a challenging task. To this end, software-defined networking (SDN) has been proposed as a promising solution. In the SDN architecture, the control plane and the data plane are decoupled, and the network infrastructures are abstracted and managed by a centralized controller. With SDN, efficient and flexible network control can be achieved, which potentially enhances network performance. To harvest the benefits of SDN in wireless networks, the software-defined wireless network (SDWN) architecture has been recently considered. In this paper, we first analyze the applications of SDN to different types of wireless networks. We then discuss several important technical aspects of performance enhancement in SDN-based wireless networks. Finally, we present possible future research directions of SDWN.

10.
Collaborative Detection of DDoS Attacks over Multiple Network Domains   Cited by: 2 (self-citations: 0, citations by others: 2)
This paper presents a new distributed approach to detecting DDoS (distributed denial of services) flooding attacks at the traffic-flow level. The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISPs). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at the gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the flooding damages to the victim systems serviced by the provider. The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish mutual trust or consensus. We simulated the DCD system up to 16 network domains on the Cyber Defense Technology Experimental Research (DETER) testbed, a 220-node PC cluster for Internet emulation experiments at the University of Southern California (USC) Information Science Institute. Experimental results show that four network domains are sufficient to yield a 98 percent detection accuracy with only 1 percent false-positive alarms. Based on a 2006 Internet report on autonomous system (AS) domain distribution, we prove that this DDoS defense system can scale well to cover 84 AS domains. This security coverage is wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.

11.
Network layer multicast is a highly efficient one-to-many transmission mode. Data rates supported by different group members may differ if these members are located in different network environments. Currently there are roughly two types of methods solving the problem, one is limiting the data rate so that every group member can sustain transmissions, and the other is building multiple trees to increase the provision of network bandwidth. The former is inefficient in bandwidth usage, and the latter adds too many states in the network, which is a serious problem in Software-Defined Networks. In this paper, we propose to build localized extra path(s) for each bottleneck link in the tree. By providing extra bandwidth to reinforce the bottleneck links, the overall data rate is increased. As extra paths are only built in small areas around the bottleneck links, the number of states added in the network is restrained to be as small as possible. Experiments on Mininet verify the effectiveness of our solution.

12.
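The key to detecting distributed denial-of-service (DDoS) attacks is to find features that reflect the essential difference between attack flows and normal flows, and to use a simple, efficient algorithm to identify these features online, which makes online DDoS detection possible at a low false-alarm rate and a low miss rate. Based on the characteristics of DDoS attack packets, the concept of one-way connection density (OWCD) is proposed, and, guided by the principle of using a "distance measure" for DDoS identification, an algorithm that uses OWCD sequences to identify DDoS is presented. Experiments show that the detection method overcomes the drawbacks of using binary classification to identify DDoS attacks and detects DDoS attacks of different intensities well.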

13.
The Journal of Supercomputing - Vehicular ad hoc networks (VANETs) are a group of nodes that remain dynamically and randomly situated. VANETs are considered as one of the most prominent...

14.
The Journal of Supercomputing - Software-defined networks (SDNs) are designed to cover the dynamic operations of network factors and the complex role of controlling components to achieve...

15.
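A Survey of DDoS Attack Detection   Cited by: 3 (self-citations: 1, citations by others: 2)
Drawing on the latest research on DDoS attack detection methods, this paper systematically analyzes and studies DDoS attack detection techniques, compares different detection methods, and discusses the current problems in the field and directions for future research.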

16.
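Existing behavior modeling of distributed denial-of-service (DDoS) cooperative defense entities has low fidelity, and its formal description is not standardized. To address these problems, an Agent-based method for modeling the behavior of DDoS cooperative defense entities is proposed. Using the Agent-based modeling approach and the input-output mapping principle, a conceptual model of entity behavior covering autonomous behavior and interactive behavior is established, and an improved formal description method for Agent behavior is designed. Considering three factors (adaptivity, self-learning, and interactivity), a behavior model of cooperative defense entities is constructed that accurately describes the intelligent behavior of the defense entities.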

17.
The Journal of Supercomputing - The newly emerged software-defined networking (SDN) paradigm provides a flexible network management by decoupling the network control logic from the data plane,...

18.
The recently proposed TCP-targeted Low-rate Distributed Denial-of-Service (LDDoS) attacks send fewer packets to attack legitimate flows by exploiting the vulnerability in TCP’s congestion control mechanism. They are difficult to detect while causing severe damage to TCP-based applications. Existing approaches can only detect the presence of an LDDoS attack, but fail to identify LDDoS flows. In this paper, we propose a novel metric – Congestion Participation Rate (CPR) – and a CPR-based approach to detect and filter LDDoS attacks by their intention to congest the network. The major innovation of the CPR-based approach is its ability to identify LDDoS flows. A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow, and consequently all of its packets will be dropped. We analyze the effectiveness of CPR theoretically by quantifying the average CPR difference between normal TCP flows and LDDoS flows and showing that CPR can differentiate them. We conduct ns-2 simulations, test-bed experiments, and Internet traffic trace analysis to validate our analytical results and evaluate the performance of the proposed approach. Experimental results demonstrate that the proposed CPR-based approach is substantially more effective compared to an existing Discrete Fourier Transform (DFT)-based approach – one of the most efficient approaches in detecting LDDoS attacks. We also provide experimental guidance to choose the CPR threshold in practice.

19.
高琰  王台华  郭帆  余敏 《计算机应用》2011,31(6):1521-1524
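A non-iterative Apriori algorithm is proposed that does not need to scan the transaction database multiple times. It processes the network packets of the same time period with a one-step intersection operation and, by mining strong association rules among the packets, can detect distributed denial-of-service (DDoS) attacks relatively quickly. Compared with existing algorithms, it has better time and space performance for detecting DDoS attacks. Experimental results on the DARPA dataset show that applying the algorithm can effectively detect DDoS attacks.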

20.
张凯  钱焕延  徐延贵 《计算机应用》2009,29(11):2964-2968
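The presence of network address translation (NAT) in existing networks makes the hosts behind it invisible to external networks, and the huge IPv6 address space also makes it hard for attackers to find vulnerable hosts with the traditional random address scanning strategy. This paper outlines the basic principles of current DDoS attacks and analyzes in detail how, as the Internet architecture changes, the appearance of facilities such as NAT affects DDoS attacks. To address some shortcomings of traditional theory in studying the DDoS attack process, it proposes a new scanning strategy based on search engine technology and the Teredo service, together with a concrete method for carrying out DDoS attacks against hosts behind NAT. Simulation experiments show that this new type of DDoS intrusion attack is more effective and adapts better to complex network environments.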
