共查询到20条相似文献,搜索用时 46 毫秒
1.
随着云计算和大数据等技术的发展,传统网络已经无法满足飞速发展的需求,软件定义网络(SDN)的出现带来了网络发展的变革,虽然SDN已经得到一定的应用,但是其仍处在研究完善阶段.本文阐述了SDN的关键技术以及主要协议,分析了SDN面临的安全问题,提出了一种基于流表特征的DDoS攻击检测方法,并给出了对应的攻击缓解方案. 相似文献
2.
Software defined network (SDN) is a new kind of network technology,and the security problems are the hot topics in SDN field,such as SDN control channel security,forged service deployment and external distributed denial of service (DDoS) attacks.Aiming at DDoS attack problem of security in SDN,a DDoS attack detection method called DCNN-DSAE based on deep learning hybrid model in SDN was proposed.In this method,when a deep learning model was constructed,the input feature included 21 different types of fields extracted from the data plane and 5 extra self-designed features of distinguishing flow types.The experimental results show that the method has high accuracy,it’s better than the traditional support vector machine (SVM) and deep neural network (DNN) and other machine learning methods.At the same time,the proposed method can also shorten the processing time of classification detection.The detection model is deployed in SDN controller,and the new security policy is sent to the OpenFlow switch to achieve the defense against specific DDoS attack. 相似文献
3.
针对攻防博弈系统中存在攻防策略集和系统运行环境改变等各类随机干扰因素的问题,传统确定性博弈模型无法准确描述攻防博弈过程.利用非线性Itó随机微分方程构建随机演化博弈模型,用于分析攻防随机动态演化过程.通过求解,并根据随机微分方程稳定性判别定理对攻防双方的策略选取状态进行稳定性分析,设计出基于随机攻防演化博弈模型的安全防御策略选取算法.最后,通过仿真验证了不同强度的随机干扰对攻防决策演化速率的影响,且干扰强度越大,防御者更倾向于选择强防御策略,攻击者更倾向于选择强攻击策略.本文模型和方法能够用于网络攻击行为预测和安全防御决策. 相似文献
4.
Software defined networking (SDN) simplifies the network architecture,while the controller is also faced with a security threat of “single point of failure”.Attackers can send a large number of forged data flows that do not exist in the flow tables of the switches,affecting the normal performance of the network.In order to detect the existence of this kind of attack,the DDoS attack detection method based on conditional entropy and GHSOM in SDN (MBCE&G) was presented.Firstly,according to the phased features of DDoS,the damaged switch in the network was located to find the suspect attack flows.Then,according to the diversity characteristics of the suspected attack flow,the quaternion feature vector was extracted in the form of conditional entropy,as the input features of the neural network for more accurate analysis.Finally,the experimental environment was built to complete the verification.The experimental results show that MBCE&G detection method can effectively detect DDoS attacks in SDN network. 相似文献
5.
Mohammad Reza Abbasi Ajay Guleria Mandalika Syamala Devi 《International Journal of Communication Systems》2020,33(2)
Software‐defined networking (SDN) facilitates network programmability through a central controller. It dynamically modifies the network configuration to adapt to the changes in the network. In SDN, the controller updates the network configuration through flow updates, ie, installing the flow rules in network devices. However, during the network update, improper scheduling of flow updates can lead to a number of problems including overflowing of the switch flow table memory and the link bandwidth. Another challenge is minimizing the network update completion time during large‐network updates triggered by events such as traffic engineering path updates. The existing centralized approaches do not search the solution space for flow update schedules with optimal completion time. We proposed a hybrid genetic algorithm‐based flow update scheduling method (the GA‐Flow Scheduler). By searching the solution space, the GA‐Flow Scheduler attempts to minimize the completion time of the network update without overflowing the flow table memory of the switches and the link bandwidth. It can be used in combination with other existing flow scheduling methods to improve the network performance and reduce the flow update completion time. In this paper, the GA‐Flow Scheduler is combined with a stand‐alone method called the three‐step method. Through large‐scale experiments, we show that the proposed hybrid approach could reduce the network update time and packet loss. It is concluded that the proposed GA‐Flow Scheduler provides improved performance over the stand‐alone three‐step method. Also, it handles the above‐mentioned network update problems in SDN. 相似文献
6.
现有研究者采用威胁建模和安全分析系统的方法评估和预测软件定义网络(software defined network, SDN)安全威胁,但该方法未考虑SDN控制器的漏洞利用概率以及设备在网络中的位置,安全评估不准确。针对以上问题,根据设备漏洞利用概率和设备关键度结合PageRank算法,设计了一种计算SDN中各设备重要性的算法;根据SDN攻击图和贝叶斯理论设计了一种度量设备被攻击成功概率的方法。在此基础上设计了一种基于贝叶斯攻击图的SDN安全预测算法,预测攻击者的攻击路径。实验结果显示,该方法能够准确预测攻击者的攻击路径,为安全防御提供更准确的依据。 相似文献
7.
在基于OpenFlow的软件定义网络(SDN)中,应用被部署时,相应的流表策略将被下发到OpenFlow交换机中,不同应用的流表项之间如果产生冲突,将会影响交换机的实际转发行为,进而扰乱特定应用的正确部署以及SDN的安全。随着SDN规模的扩大以及需要部署应用的数量的剧增,交换机中的流表数量呈现爆炸式增长。此时若采用传统的流表冲突检测算法,交换机将会耗费大量的系统计算时间。结合深度学习,首次提出了一种适合SDN中超大规模应用部署的智能流表冲突检测方法。实验结果表明,第一级深度学习模型的AUC达到97.04%,第二级模型的AUC达到99.97%,同时冲突检测时间与流表规模呈现线性增长关系。 相似文献
8.
For addressing the problem of two typical types of distributed denial of service (DDoS) attacks in cloud environment,a DDoS attack detection and prevention scheme called SDCC based on software defined network (SDN) architecture was proposed.SDCC used a combination of bandwidth detection and data flow detection,utilized confidence-based filtering (CBF) method to calculate the CBF score of packets,judged the packet of CBF score below the threshold as an attacking packet,added its attribute information to the attack flow feature library,and sent the flow table to intercept it through SDN controller.Simulation results show that SDCC can detect and prevent different types of DDoS attacks effectively,and it has high detection efficiency,reduces the controller’s computation overhead,and achieves a low false positive rate. 相似文献
9.
摘要:软件定义网络(software defined networking,SDN)是一种新型网络创新架构,其分离了控制平面与转发平面,使得网络管理更为灵活。借助SDN控制与转发分离的思想,在SDN基础上引入一个集中式安全中心,在数据平面设备上采集数据,用于对网络流量进行分析,通过熵值计算和分类算法判断异常流量行为。对于检测到的网络异常情况,安全中心通过与SDN控制器的接口通告SDN控制器上的安全处理模块,进行流表策略的下发,进而缓解网络异常行为。通过本系统可以在不影响SDN控制器性能的情况下,快速检测网络中的异常行为,并通过SDN下发流表策略对恶意攻击用户进行限制,同时对SDN控制器进行保护。 相似文献
10.
《电子学报:英文版》2016,(5):817-823
After studying the routing and forwarding process of network stream and the implementation of SDN,we propose a retractable management model for flow table.A structure with parallel tables and synthesis processing is proposed according to the feature of SDN and traditional network.The parallel tables share the same storage resources.Thanks to the separation of data plane and control plane,control plane owns more computing resources than traditional device.It evaluates the role of nodes and the action of network flows,makes adjustment according to the historical and current information and streamlines flow tables by consolidating and simplifying old flow entries.Through simulation,it is proved that the realized method can defend offensive traffic while ensuring the safety of accessing and forwarding,especially existing blocking attack. 相似文献
11.
软件定义网络(Software-Defined Networking,SDN)的"三层两接口"架构使攻击者可以通过分析数据包往返时延分布规律推测网络类型、控制器类型及关键流规则等指纹信息.目前SDN指纹攻击及其防御研究基本处于空白状态,为此,本文系统构建了全要素SDN指纹攻击链,并在双重时间维度分别设计了概率加扰和控制器混淆调度防御机制,通过渐变概率加扰与最优混淆调度协同提升SDN指纹信息隐藏度.实验结果表明该机制能够在有效隐藏SDN指纹信息的同时减少对网络性能的影响. 相似文献
12.
13.
软件定义网络(SDN)被誉为下一代网络的关键技术。近年来,SDN已经成为学术界与工业界的热点。广域网是SDN应用到工业界的一个重要的场景。基于SDN的广域网被称为软件定义广域网(SD-WAN)。在SD-WAN中,SDN控制器通过控制流转发路径上的SDN交换机来实现流的路径可编程性。然而,控制器失效是SD-WAN中一种常见的现象。当控制器失效时,流转发路径上的交换机会失去控制,流的路径可编程性将无法得到保障,从而无法实现对网络流量的灵活调度,导致网络性能下降。该文对SD-WAN控制器失效场景下保证路径可编程性的研究工作进行了综述。该文首先阐述了当控制器失效时,SD-WAN中路径可编程性保障研究的背景及意义。随后,在查阅分析了国内外相关文献的基础上,介绍了当前在控制器失效时SD-WAN对交换机的主流控制方案。最后,对现有研究成果可能的进一步提高之处进行了总结,并对此研究的未来发展与研究前景进行了展望。 相似文献
14.
Khan Sikandar Akram Adeel Alsaif Haitham Usman Muhammad 《Wireless Personal Communications》2021,118(1):75-92
SDN enables a new networking paradigm probable to improve system efficiency where complex networks are easily managed and controlled. SDN allows network virtualization and advance programmability for customizing the behaviour of networking devices with user defined features even at run time. SDN separates network control and data planes. Intelligently controlled network management and operation, such that routing is eliminated from forwarding elements (switches) while shifting the routing logic in a centralized module named SDN Controller. Mininet is Linux based network emulator which is cost effective for implementing SDN having in built support of OpenFlow switches. This paper presents practical implementation of Mininet with ns-3 using Wi-Fi. Previous results reported in literature were limited upto 512 nodes in Mininet. Tests are conducted in Mininet by varying number of nodes in two distinct scenarios based on scalability and resource capabilities of the host system. We presented a low cost and reliable method allowing scalability with authenticity of results in real time environment. Simulation results show a marked improvement in time required for creating a topology designed for 3 nodes with powerful resources i.e. only 0.077 sec and 4.512 sec with limited resources, however with 2047 nodes required time is 1623.547 sec for powerful resources and 4615.115 sec with less capable resources respectively.
相似文献15.
Pengpeng Wu Lin Yao Chi Lin Guowei Wu Mohammad S. Obaidat 《International Journal of Communication Systems》2018,31(9)
Software‐defined networking (SDN) emerges as the next generation of networking architecture, aiming to improve the network manageability and adaptability. However, because of the centralized control policy, SDN is liable to suffering from the denial of service attack in both the data plane and the control plane. To resist the attack and prevent the network from being paralyzed, we propose a novel mitigation scheme named flow migration defense, which uses a slave controller as a substitution to endure flooding requests mitigated from the master controller. Considering the special case that the normal requests may be regarded as the malicious ones, these requests are reforwarded back to the master controller on the basis of the round‐robin scheduling. To prevent the master controller from being flooded by the reforwarded requests, we design the adaptive rate adjustment method to adjust the reforwarding rate. Compared with multilevel feedback queue and FloodDefender, simulations demonstrate that flow migration defense can mitigate the SDN‐aimed denial of service attack efficiently with a better performance in terms of request response time, packet loss rate, and mitigation time. 相似文献
16.
Most of the existing stochastic games are based on the assumption of complete information,which are not consistent with the fact of network attack and defense.Aiming at this problem,the uncertainty of the attacker’s revenue was transformed to the uncertainty of the attacker type,and then a stochastic game model with incomplete information was constructed.The probability of network state transition is difficult to determine,which makes it impossible to determine the parameter needed to solve the equilibrium.Aiming at this problem,the Q-learning was introduced into stochastic game,which allowed defender to get the relevant parameter by learning in network attack and defense and to solve Bayesian Nash equilibrium.Based on the above,a defense decision algorithm that could learn online was designed.The simulation experiment proves the effectiveness of the proposed method. 相似文献
17.
18.
Software‐defined networking (SDN) creates a platform to dynamically configure the networks for on‐demand services. SDN can easily control the data plane and the control plane by implementing the decoupling concept. SDN controller will regulate the traffic flow and creates the new flow label based on the packet dump received from the OpenFlow virtual switches. SDN governs both data information and control information toward the destination based on flow label, but it does not contain security measure to restrict the malicious traffic. The malicious denial‐of‐service (DoS) attack traffic is generated inside the SDN environment; it leads to the service unavailability. This paper is mainly focused on the detection of DoS attacks and also mitigates the malicious traffic by dynamically configuring the firewall. The SDN with dynamic access control list properties is emulated by mininet, and the experimental results exemplify the service unavailable gap between acceptance and rejection ratio of the packets. 相似文献
19.
Aiming at the problems of low-rate DDoS attack detection accuracy in cloud SDN network and the lack of unified framework for data plane and control plane low-rate DDoS attack detection and defense,a unified framework for low-rate DDoS attack detection was proposed.First of all,the validity of the data plane DDoS attacks in low rate was analyzed,on the basis of combining with low-rate of DDoS attacks in the aspect of communications,frequency characteristics,extract the mean value,maximum value,deviation degree and average deviation,survival time of ten dimensions characteristics of five aspects,to achieve the low-rate of DDoS attack detection based on bayesian networks,issued by the controller after the relevant strategies to block the attack flow.Finally,in OpenStack cloud environment,the detection rate of low-rate DDoS attack reaches 99.3% and the CPU occupation rate is 9.04%.It can effectively detect and defend low-rate DDoS attacks. 相似文献