DDOS attack detection method based on software defined network

A software-defined network and attack detection technology, applied in electrical components, digital transmission systems, secure communication devices, etc. It addresses the problems of reduced detection accuracy, misjudgment of suspicious traffic and invalid detection, with the effect of improving detection accuracy, reducing detection delay and avoiding double counting.

Active Publication Date: 2022-07-01
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

However:

(1) The first-level DDoS detection method in this invention filters suspicious traffic only by comparing the source IP entropy value with its set threshold. This can cause suspicious traffic to be misjudged as normal traffic and filtered out, which reduces detection accuracy.

(2) The second-level DDoS detection method in this invention is based on machine learning. Its training data set consists of the traffic in the experimental network and the normal and attack traffic in the existing DARPA data set, and training produces a DDoS attack detection function. The second level can therefore detect only DDoS attacks that conform to that function and cannot detect highly concealed or new DDoS attacks, which lowers detection accuracy.

(3) This invention uses a sliding window mechanism to calculate the entropy value. Counting the five-tuple feature values of every current window counts the five-tuple feature values of the same data packets repeatedly, and the amount of computation is huge, which delays detection. When the delay is large, the DDoS attack has already occurred and the detection is invalid.
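Problem (3) above, as an added example that is not code from the patent or its applicant: window entropy can be maintained incrementally so that no packet is recounted when the window slides. The class and function names and the sample addresses are assumptions, and this is a generic technique, not the method the patent claims.

```python
import math
from collections import Counter, deque

def entropy_recount(keys):
    """Baseline: recount every packet in the window (the costly approach)."""
    n = len(keys)
    return -sum(c / n * math.log2(c / n) for c in Counter(keys).values())

class SlidingEntropy:
    """Shannon entropy of one header field over the last `size` packets.

    Each packet is counted once on entry and once on exit, using
    H = log2(n) - (1/n) * sum(c * log2(c)) over per-value counts c.
    """
    def __init__(self, size):
        self.size = size
        self.window = deque()
        self.counts = Counter()
        self.s = 0.0  # running sum of c*log2(c)

    def _adjust(self, key, delta):
        old = self.counts[key]          # Counter returns 0 for unseen keys
        new = old + delta
        f = lambda c: c * math.log2(c) if c else 0.0
        self.s += f(new) - f(old)
        if new:
            self.counts[key] = new
        else:
            del self.counts[key]

    def push(self, key):
        self.window.append(key)
        self._adjust(key, +1)
        if len(self.window) > self.size:
            self._adjust(self.window.popleft(), -1)
        n = len(self.window)
        return math.log2(n) - self.s / n

def entropy_series(keys, size):
    """Entropy after each packet once the window is full."""
    est = SlidingEntropy(size)
    values = [est.push(k) for k in keys]
    return values[size - 1:]

def constructed_trace():
    """Constructed sample: 4 regular clients, then 8 one-off sources."""
    normal = [f"192.0.2.{1 + i % 4}" for i in range(16)]
    burst = [f"198.51.100.{i}" for i in range(1, 9)]
    return normal + burst
```

In a long-running controller, recompute the running sum from the counts periodically to bound floating-point drift.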


Embodiment Construction

[0031] The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments:

[0032] Referring to Figure 1, the present invention comprises the following steps:

[0033] Step 1) Build a distributed denial of service (DDoS) attack detection architecture based on a software-defined network (SDN):

[0034] A distributed denial of service (DDoS) attack detection architecture based on a software-defined network (SDN) is constructed, comprising a control layer and a data layer. The control layer uses an SDN controller that includes a packet capture module, a stream data processing module and a DDoS attack detection module. The data layer includes M OpenFlow switches $S=[S_1,\dots,S_m,\dots,S_M]$; each OpenFlow switch $S_m$ includes an OpenFlow flow table $K_m$, and $K_m$ contains flow entry matching rules and R flow entries $[k_{m1},k_{m2},\dots,k_{mr},\dots,k_{mR}]$. Each flow entry $k_{mr}$ contains matching fields and processing instructions, where $M \geq 1$, $S_m$ rep...


Abstract

The invention proposes a DDoS attack detection method based on a software-defined network, which addresses the technical problems of low accuracy and high delay when detecting DDoS attacks in an SDN network in the prior art. The implementation steps are: a DDoS attack detection architecture based on a software-defined network is constructed; each OpenFlow switch $S_m$ in the data layer receives data packets and forwards them; the packet capture module in the SDN controller captures data packets and forwards them; the stream data processing module in the SDN controller obtains the stream data set; and the DDoS attack detection module in the SDN controller obtains the DDoS attack detection result. The software-defined-network-based DDoS attack detection architecture and DDoS attack detection module adopted by the invention detect DDoS attacks by combining entropy and network self-similarity, which can significantly improve the accuracy of DDoS attack detection and reduce time delay.

Description

Technical field

[0001] The invention belongs to the field of computer network security and relates to a DDoS attack detection method, in particular to a distributed denial of service (DDoS) attack detection method based on a software-defined network (SDN).

Background technique

[0002] With the rapid development of computer network technology, the destructive behavior of network attacks is also increasing. Among them, the DDoS (Distributed Denial of Service) attack has amazing destructive power and huge impact, and is a serious threat to network security. A DDoS attack deliberately attacks flaws in the implementation of network protocols or directly exhausts the resources of the attack target, so that the target cannot provide normal services, stops responding or even collapses completely.

[0003] SDN (Software Defined Network) is a new type of network architecture. Its core technology is to separate control and forwarding. Control is realized by the co...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/40
CPC: H04L63/1425, H04L63/1416, H04L63/1458
Inventor: 赵楠, 刘越, 张哲闻
Owner: XIDIAN UNIV