基于SDS架构的多级DDoS防护机制

随着互联网的高速发展，网络安全的问题越来越严峻。软件定义网络（SDN）的出现为解决网络安全问题提供了全新的解决方案，如软件定义安全（SDS）。在SDS架构的基础上，针对分布式拒绝服务（DDoS）攻击的特点，提出一种新的DDoS防护机制SDS for DDoS。这种防护机制结合了以往检测方式和防护方式的优点，将安全服务原子化，并实现安全策略盒的多级防护策略。在受到DDoS攻击时，机制可以根据检测到的攻击力度进行动态决策，还能先验式地对攻击流量进行阻隔，不仅增加了决策的可信度，还解决了以往所采用的静态防护和后验式防护的不足。实验验证了机制的可行性，能有效地避免服务器受到DDoS攻击，更突出了它在决策时的灵活性和在遭受攻击时的先验性。

Multilevel DDoS protection mechanism based on SDS framework

With the rapid development of Internet, the issues of network security become more and more serious. Software Defined Network（SDN） has provided a new solution to solve the security problem in network, such as Software Defined Security（SDS）. Based on the SDS architecture, aiming at the attack features of Distributed Denial of Service（DDoS）, a new DDoS protection mechanism is proposed, namely SDS for DDoS. The protection mechanism contains the advantages of previous detection and protection approaches, atomizes the security services and realizes a security strategy box of multilevel protection. Under the attacks of DDoS, the mechanism can make a dynamic decision according to the detection of attack intensity and barrier the attacks from the beginning, which dose not only increase the credibility of the decision but solves the shortcomings of static protection and posterior type protection. Experimental results demonstrate the feasibility of the mechanism, which can effectively prevent the server from DDoS attacks, and highlight its flexibility in decision and priori under attacks.