Similar literature
Found 20 similar documents; search took 218 ms
1.
Software defined network (SDN) is a new kind of network technology, and its security problems are hot topics in the SDN field, such as SDN control channel security, forged service deployment and external distributed denial of service (DDoS) attacks. Aiming at the DDoS attack problem in SDN, a DDoS attack detection method called DCNN-DSAE, based on a deep learning hybrid model, was proposed. In this method, when the deep learning model was constructed, the input features included 21 different types of fields extracted from the data plane and 5 extra self-designed features for distinguishing flow types. The experimental results show that the method has high accuracy and is better than the traditional support vector machine (SVM), deep neural network (DNN) and other machine learning methods. At the same time, the proposed method can also shorten the processing time of classification detection. The detection model is deployed in the SDN controller, and the new security policy is sent to the OpenFlow switch to achieve defense against specific DDoS attacks.

2.
In wireless communication systems, physical-layer security menaces have evolved from jammers. Jammers, due to their furtive nature, make wireless communication systems vulnerable. The novelty in this work is to combine the centralized modulated wideband converter, which is a networking system developed from the modulated wideband converter-based sub-Nyquist sampling theory, with a multivariate Gaussian distribution (MGD) anomaly detector based on a receiver operating characteristic curve that plots the detection rate (DR) versus false alarm rate (FAR) at various threshold values. We supposed the presence of a group of jammers in the spectrum corrupted with the primary source signal and noise. The received primary signal at each cognitive radio (CR) receiver is converted into a digital signal using an analog-to-information converter. Each CR receiver gives a minimum number of samples, denoted N1. All these compressed samples from every CR receiver are collected in the form of a matrix called the compressed sampling matrix, which is considered directly as the input of the MGD detector. The intelligent MGD detector proposed at the level of the fusion center is based on the characteristics of the MGD. The numerical results show that this new combined system detects anomalies faster and perfectly in the presence of jammers in the spectrum in real-time scenarios. Performance evaluation is performed in terms of DR versus FAR at different detection threshold values, under the presence of attacks in the system. By employing well-known machine learning algorithms called MGD, this new proposed system shows good performance.

3.
The shared medium used in wireless networks makes them vulnerable to spoofing attacks, in which an adversary masquerades as one or more legitimate nodes to disturb normal operation of the network. In this paper we present a novel spoofing detection method for static IEEE 802.15.4 networks based on spatial correlation property of received signal strength (RSS). While most existing RSS based techniques directly process RSS values of the received frames and rely on multiple traffic air monitors (AMs) to provide an acceptable detection performance, we extract features of RSS streams to reduce data redundancy and provide a more distinguishable representation of the data. Our algorithm employs two features of RSS streams, summation of detailed coefficients (SDCs) in discrete Haar wavelet transform (DHWT) of the RSS streams and the ratio of out-of-bound frames. We show that in a typical scenario, a single AM with SDC as detection parameter, can theoretically outperform a system with 12 AMs which directly applies RSS values as detection parameter. Using ratio of out-of-bound frames facilitates detection of high rate attacks. In addition, we suggest adaptive learning of legitimate RSS values which enhances the robustness of the attack detector against environmental changes. Using both magnitude and frequency related features, we achieved high detection performance with a single AM; this enables development of preventive measures for spoofing attacks. The performance of our approach was evaluated through an IEEE 802.15.4 testbed in an office environment. Experimental results along with theoretical analysis show that the proposed method outperforms the existing RSS-based spoofing detection solutions. Using a single AM, we were able to attain 94.75% detection rate (DR) with 0.56% false positive rate (FPR). For 4 AMs, the results improved to 99% DR and 0% FPR.

4.
Software-defined networking (SDN) is an innovative network paradigm much in demand today in academia and industry. In this network, the SDN controller must be able to observe and examine traffic flow through the network systems. However, a major drawback is that intrusion-based data packets affect the whole system. To overcome this issue, we propose a Novel Agent Program (NAP) framework for protecting switches from external compromised attacks. A Meta-Heuristic Bayesian Network Classification (MHBNC) algorithm for intrusion detection is proposed in this paper. The proposed algorithm follows certain procedures for preprocessing, feature selection, feature optimization, and classification. Normal and anomaly-based data packets are classified successfully with its improved detection capabilities based on the optimization technique. The simulation results of the proposed ID_MBC (intrusion detection based on meta-heuristic Bayesian classifier) technique are compared with existing techniques such as the association rule, PSO+GA, and the GA+RVM. The proposed MHBNC classifier performs better than existing methods.

5.
Widespread DDoS attacks have been a mortal threat to software-defined networking (SDN) controllers, and there is not yet any security mechanism that can prevent them. Combining SDN and network function virtualization (NFV), a novel mechanism for preventing DDoS attacks on the SDN controller, called upfront detection middlebox (UDM), was proposed. The upfront detection middlebox was deployed in a distributed manner between SDN switch interfaces and user hosts, and DDoS attack packets were detected and denied. An NFV-based method of implementing the upfront middlebox was put forward, which made the UDM mechanism economical and effective. A prototype system based on this mechanism was implemented and many experiments were conducted. The experimental results show that the NFV-based UDM mechanism can detect and prevent DDoS attacks on SDN controllers effectively and in real time.

6.
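An intrusion detection system learns normal and abnormal behavior by analyzing network traffic and is able to detect unknown attacks. The performance of an intrusion detection system depends heavily on feature design, and designing features for different intrusions is a complex problem. Therefore, a deep-learning-based system for detecting botnets is proposed. The system uses a convolutional neural network (CNN) and a long short-term memory network (LSTM) to learn the spatial and temporal features of network traffic respectively; the whole feature learning process is completed automatically by the deep neural network and does not rely on manually designed features. Experimental results show that the system performs well in botnet detection.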

7.
Yu Liu, Yang Li, Hong Man 《Annals of Telecommunications》2006,61(3-4):357-378
Most existing intrusion detection systems (IDSs) for ad hoc networks are proposed for single layer detection. Although they may apply to other layers of the network protocol stack, individual layers of data are still being analyzed separately. In addition, most have not been able to emphasize localization of the attack source. In this paper, we propose an anomaly-based IDS that utilizes cross-layer features to detect attacks, and localizes attack sources within a one-hop perimeter. Specifically, we suggest a compact feature set that incorporates intelligence from both the MAC layer and the network layer to profile normal behaviors of mobile nodes; we adapt a data mining anomaly detection technique from wired networks to ad hoc networks; and we develop a novel collaborative detection scheme that enables the IDS to correlate local and global alerts. We validate our work through ns-2 simulation experiments. Experimental results demonstrate the effectiveness of our method.

8.
Aiming at the problems of low accuracy of low-rate DDoS attack detection in cloud SDN networks and the lack of a unified framework for low-rate DDoS attack detection and defense on the data plane and control plane, a unified framework for low-rate DDoS attack detection was proposed. First, the validity of low-rate DDoS attacks on the data plane was analyzed. On this basis, combining the communication and frequency characteristics of low-rate DDoS attacks, ten-dimensional features covering five aspects (mean value, maximum value, deviation degree, average deviation and survival time) were extracted to achieve low-rate DDoS attack detection based on Bayesian networks, after which the controller issued the relevant strategies to block the attack flow. Finally, in an OpenStack cloud environment, the detection rate of low-rate DDoS attacks reaches 99.3% and the CPU occupation rate is 9.04%. It can effectively detect and defend against low-rate DDoS attacks.

9.
Software defined networking (SDN) simplifies the network architecture, while the controller is also faced with the security threat of a “single point of failure”. Attackers can send a large number of forged data flows that do not exist in the flow tables of the switches, affecting the normal performance of the network. In order to detect the existence of this kind of attack, a DDoS attack detection method based on conditional entropy and GHSOM in SDN (MBCE&G) was presented. Firstly, according to the phased features of DDoS, the damaged switch in the network was located to find the suspected attack flows. Then, according to the diversity characteristics of the suspected attack flow, the quaternion feature vector was extracted in the form of conditional entropy, as the input features of the neural network for more accurate analysis. Finally, the experimental environment was built to complete the verification. The experimental results show that the MBCE&G detection method can effectively detect DDoS attacks in an SDN network.

10.
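To address the low accuracy and poor robustness of traffic features extracted during network traffic anomaly detection, which lead to low attack detection rates and high false alarm rates, this paper combines a stacked denoising autoencoder (SDA) with softmax and proposes a network traffic anomaly detection method based on deep feature learning. First, a two-stage optimization algorithm for the SDA structure is designed based on particle swarm optimization: according to traffic detection accuracy, the number of hidden layers and then the number of nodes in each layer are optimized in turn to determine the optimal SDA structure in the search space, thereby improving the accuracy of the features extracted by the SDA. Then the optimized SDA is trained with mini-batch gradient descent, and traffic features with strong robustness are extracted by minimizing the difference between the reconstruction vector of the noisy data and the original input vector. Finally, softmax is trained on the extracted traffic features to build an anomaly detection classifier, achieving high-performance detection of traffic attacks. Experimental results show that the proposed method can dynamically adjust the SDA structure according to the experimental data and its classification task, that the extracted traffic features have higher accuracy and robustness, and that the traffic attack detection rate is high and the false alarm rate is low.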

11.
To address the problem of two typical types of distributed denial of service (DDoS) attacks in the cloud environment, a DDoS attack detection and prevention scheme called SDCC, based on software defined network (SDN) architecture, was proposed. SDCC used a combination of bandwidth detection and data flow detection, utilized the confidence-based filtering (CBF) method to calculate the CBF score of packets, judged a packet with a CBF score below the threshold to be an attacking packet, added its attribute information to the attack flow feature library, and sent the flow table to intercept it through the SDN controller. Simulation results show that SDCC can detect and prevent different types of DDoS attacks effectively, and it has high detection efficiency, reduces the controller’s computation overhead, and achieves a low false positive rate.

12.
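To address the high false negative and false positive rates in the field of network anomaly detection, a network traffic anomaly detection method based on K-means clustering is proposed. Multiple features in different dimensions are selected; the local mean deviation of each feature within a sliding window is computed to ensure detection accuracy in networks that change dynamically in real time; and the detection model produced by the K-means clustering algorithm is used to make a comprehensive judgment over the features, effectively reducing the false negative and false positive rates. The proposed method was validated on a network traffic dataset and compared with existing methods, achieving good experimental results in both accuracy and efficiency.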

13.
Anomaly detection is emerging as a necessary component as wireless networks gain popularity. Anomaly detection has been addressed broadly in wired networks and powerful methods have been developed for correct detection of a variety of known attacks and other anomalies. In this paper, we propose a real-time anomaly detection and identification scheme for wireless mesh networks (WMN) using components from previous methods developed for wired networks. Experiments over a WMN testbed show the effectiveness of the proposed scheme in isolating different types of anomalies, such as Denial-of-service attacks, port scan attacks, etc. Our scheme uses Chi-square statistics and it is based on similar ideas as the scheme presented by Lakhina et al. although it has lower computational complexity. The original method by Lakhina et al. was developed for wired networks and used Principal Component Analysis (PCA) for reducing the dimensions of observed data and Hotelling’s t² statistics to distinguish between normal and abnormal traffic conditions. However, in our studies we found that dimension reduction is the most computationally intensive process of the scheme. In this paper we propose an alternative way of reducing dimensions using flow variances in a Chi-square test. Experimental results show that the Chi-square test performs similarly well to the PCA-based method at merely a fraction of the computations. Moreover, we propose an automatic identification scheme to pin-point the cause of the detected anomaly and its contribution in terms of additional or lack of traffic. Our results and comparison with other statistical tools show that the Chi-square test and the PCA-based method with identification scheme make powerful tools for real-time detection of various anomalies in an interference prone wireless networking environment.

14.
Existing multi-task learning based facial attribute recognition (FAR) methods usually employ the serial sharing network, where the high-level global features are used for attribute prediction. However, the shared low-level features with valuable spatial information are not well exploited for multiple tasks. This paper proposes a novel Attention-aware Parallel Sharing network termed APS for effective FAR. To make full use of the shared low-level features, the task-specific sub-networks can adaptively extract important features from each block of the shared sub-network. Furthermore, an effective attention mechanism with multi-feature soft-alignment modules is employed to evaluate the compatibility of the local and global features from the different network levels for discriminating attributes. In addition, an adaptive Focal loss penalty scheme is developed to automatically assign weights to handle the problems of class imbalance and hard example mining for FAR. Experiments demonstrate that the proposed method achieves better performance than the state-of-the-art FAR methods.

15.
Software-defined networking (SDN) creates a platform to dynamically configure networks for on-demand services. SDN can easily control the data plane and the control plane by implementing the decoupling concept. The SDN controller regulates the traffic flow and creates the new flow label based on the packet dump received from the OpenFlow virtual switches. SDN governs both data information and control information toward the destination based on the flow label, but it does not contain a security measure to restrict malicious traffic. Malicious denial-of-service (DoS) attack traffic generated inside the SDN environment leads to service unavailability. This paper mainly focuses on the detection of DoS attacks and also mitigates the malicious traffic by dynamically configuring the firewall. The SDN with dynamic access control list properties is emulated with Mininet, and the experimental results exemplify the service unavailable gap between the acceptance and rejection ratio of the packets.

16.
Current vehicular communication systems suffer from nonflexible and costly devices, complicated control-plane protocols, and vendor-specific configuration interfaces. In next generation vehicular communication, a mobile device (MD) will be installed on a car capable of accessing multiple services from different networks. So heterogeneous networks (HetNets) may play a vital role in vehicular communication. Despite heterogeneity, flawless connectivity between different systems is a basic need of travellers. The key challenge for seamless connectivity is the design of a vertical handover (VHO) scheme. We claim that software-defined networking (SDN) can make things easier in the design and supervision of VHO in vehicular HetNet. The proposed method maximizes HetNet utilization with fewer handovers by balancing the load among the HetNets. Simulation results obtained in MATLAB show that this novel architecture with a proper VHO technique boosts performance by balancing the load, reducing unnecessary VHO, etc. Performance is analyzed by considering four studies, i.e., handover served ratio (HSR), on board units (OBUs), OBU served ratio (OSR), and total throughput and total capacities of road side units (RSUs) to serve handover demands from OBUs. It is observed that the HSR increases rapidly as the number of OBUs increases, which indicates almost all the handover requested OBUs are allocated resources by a connected RSU. We also studied the served total throughput by considering VHO with SDN, without SDN in the average case and without SDN in the best case, and it is observed that with SDN as a central controller, the total OSR and total throughput are increased.

17.
Internet of things (IoT) botnets such as Mirai have been rampant in the past years. Port scanning is a well-known behavior of botnets for searching targets in networks. To detect port scanning, a detector requires network statistics with high discriminatory power. In P4-based software-defined network (SDN), switches take charge of recording characteristics about scanning behaviors, and controllers pull the statistics from the switches periodically for anomaly detection. Given that storage resources in switches are limited, we proposed a scanner data collection method, 0-Replacement, in P4-based SDN to efficiently collect scanner data and improve the detection rate. 0-Replacement, however, does not consider performance degradation caused by hash collisions. In this paper, we combine the concept of Hashpipe with 0-Replacement and propose a new scanner data collection method named E-Replacement. By leveraging the concept of Hashpipe, E-Replacement can mitigate the performance degradation caused by hash collisions. Through simulations, we show that E-Replacement improves the detection rate by up to 6.73% and 210.82% compared to 0-Replacement and the traditional sample and hold method, respectively. Besides, E-Replacement improves the precision by around 528.2% compared to the count-min sketch and k-ary sketch methods. The memory usage in E-Replacement is the same as 0-Replacement. In simulations, E-Replacement can detect around 93.4% of scanners in a class B network with only 4.02-Mb SRAM. After implementing E-Replacement on a software P4 switch, BMv2, we observe the extra forwarding latency for E-Replacement is not greater than a millisecond.

18.
Zhao Xinhui, Wang Qingxian, Wu Zehui, Guo Rui 《Wireless Personal Communications》2021,117(4):3431-3447

In order to avoid the overflow problem of the network flow table caused by hackers attacking the network in the process of using the network, a method for overflow attack defense of the SDN network flow table based on a stochastic differential equation is proposed. In this method, the stochastic differential equation is first proposed, and the drift coefficient and diffusion coefficient of the equation are expanded and adjusted by Taylor. By using the limit theorem, the spillover attack of the SDN network is weakly converged to an approximate two-dimensional Markov diffusion process, and the improved stochastic differential equation is obtained. Then, according to the stochastic nature of SDN network attacks, the stochastic differential equation is transformed into an amplitude equation. Based on the amplitude equation, an SDN attack detection scheme based on flow table statistics is established, which detects the spillover attacks of SDN network flow tables. Finally, according to the test results, it is proposed to use other switches instead of network flow table overflow switches to control the data upload rate, thus reducing the possibility of network crash and meeting the attack defense requirements of flow table overflow. The simulation results show that the proposed method has better detection performance and shorter running time, and can provide help for network security related work.


19.
Cloud computing affords a lot of resources and computing facilities through the Internet. Cloud systems attract many users with their desirable features. In spite of them, cloud systems may experience severe security issues. Thus, it is essential to create an Intrusion Detection System (IDS) to detect both insider and outsider attacks with high detection accuracy in the cloud environment. This work proposes an anomaly detection system at the hypervisor layer named Hypervisor Detector that uses a hybrid algorithm which is a mixture of the Fuzzy C-Means clustering algorithm and Artificial Neural Network (FCM-ANN) to improve the accuracy of the detection system. The proposed system is implemented and compared with the Naïve Bayes classifier and the Classic ANN algorithm. The DARPA KDD Cup 1999 dataset is used for experiments. Based on extensive theoretical and performance analysis, it is evident that the proposed system is able to detect anomalies with high detection accuracy and a low false alarm rate even for low-frequency attacks, thereby outperforming the Naïve Bayes classifier and Classic ANN.

20.
Anomaly detection is a challenging task in the field of intelligent video surveillance. It aims to identify anomalous events by monitoring the video captured by visual sensors. The main difficulty of this task is that the definition of anomalies is ambiguous. In recent years, most anomaly detection methods use a two-stage learning strategy, i.e., feature extraction and model building. In this paper, with the idea of refactoring, we propose an end-to-end anomaly detection framework using cyclic consistent adversarial networks (CycleGAN). Dynamic skeleton features are used as network constraints to alleviate the inaccuracy of feature extraction algorithms of a single generative adversarial network. In the training phase, only normal video frames and the corresponding skeleton features are used to train the generator and discriminator. In the testing phase, anomalous behaviors with high reconstruction errors can be filtered out by manually set thresholds. To the best of our knowledge, this is the first time CycleGAN has been used for video anomaly detection. Experimental results on challenging datasets show that our method can accurately detect anomalous behaviors in videos collected by video surveillance systems and is comparable to the current state-of-the-art methods.
