Industrial internet DDoS distributed defense method and system based on model mapping

By deploying a hybrid model and distributed defense strategy on programmable switches, the problem of accurate identification and rapid mitigation of DDoS attacks in the Industrial Internet is solved, achieving efficient DDoS defense and adapting to complex network environments.

CN120979710B · Active · Publication Date: 2026-06-26 · SOUTHEAST UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SOUTHEAST UNIV
Filing Date
2025-08-04
Publication Date
2026-06-26


Abstract

The application discloses an industrial internet DDoS distributed defense method and system based on model mapping. Using an offline dataset, a hybrid model based on contrastive learning and a random forest is trained to obtain a CNN encoder and a random forest classifier, which together form a classification and identification model. The model uses distillation and parameter binarization to reduce computational complexity and storage requirements while preserving model performance, so that it can be mapped directly into a programmable switch. Each programmable switch identifies packet types with the model, stores attack flow data in a Sketch structure, and uses LRU cache eviction to keep switch storage bounded. The server control plane integrates the results fed back by multiple switches into a global flow table, and data backhaul synchronizes the state of each switch. The server formulates a load balancing strategy from the data entries uploaded by the programmable switches and issues it to them, enabling dynamic traffic redirection and achieving accurate detection and high-availability mitigation of DDoS attacks.

Description

Technical Field

[0001] This invention belongs to the technical field of network security in the Internet, and mainly relates to a distributed defense method and system for DDoS attacks in the industrial Internet based on model mapping.

Background Technology

[0002] The Industrial Internet is an industrial and application ecosystem formed by the comprehensive and deep integration of next-generation information technologies such as the Internet, the Internet of Things, and artificial intelligence with industrial systems. It is a key comprehensive information infrastructure for the intelligent development of industry. From a network perspective, the Industrial Internet is a new architecture that integrates OT (Operational Technology) networks and IT (Information Technology) networks. As IT and OT networks gradually merge, more and more OT networks and devices are moving from closed to open, and cybersecurity issues have extended to industrial control networks. Related security incidents not only disrupt enterprise production activities and cause huge economic losses, but also pose a significant threat to the personal safety of production workers. Among the many network attack methods, Distributed Denial of Service (DDoS) attacks are widely recognized as one of the most common and most difficult to defend against.

[0003] The main method of DDoS attacks is to exhaust the target's computing and storage resources with a large number of network requests, rendering the target unable to provide normal services. Because attackers can launch a large number of DDoS attacks in a short period of time by controlling "botnets," and this attack traffic is hard to distinguish from normal traffic, the identification and defense of DDoS attacks has always been a difficult problem.

[0004] Because the emerging industrial internet architecture exposes a large number of poorly defended OT (Operational Technology) devices to IT networks, attackers can more easily use DDoS attacks to infect these devices, rendering them inoperable or allowing them to form large-scale "botnets" to launch DDoS attacks. However, for defenders, identifying DDoS attacks is already a very challenging task. In the industrial internet environment, DDoS defense systems also need to be deployed on industrial equipment with very limited resources. Furthermore, in some industrial scenarios, it is crucial to identify DDoS attacks quickly and promptly to mitigate them. Against this backdrop, researching how to quickly and accurately identify and defend against DDoS attacks in industrial internet scenarios has significant theoretical and practical value.

[0005] Currently, numerous solutions exist for DDoS traffic detection and mitigation, but none are suitable for the Industrial Internet. In attack detection, SDN solutions that deploy deep learning models inevitably introduce additional latency, while the emerging programmable switch solutions are constrained by the limited computing power and storage resources of the switches. While solutions exist for mapping machine learning models to programmable switches, they struggle to ensure the accuracy of DDoS traffic identification in complex scenarios. Regarding attack mitigation, single-point defense solutions cannot achieve comprehensive monitoring of the entire network traffic, and centralized solutions face high latency in communication and processing. Although decentralized defense mechanisms offer new possibilities, effective solutions for disaster recovery and distributed storage remain lacking.

[0006] Therefore, given the limited generalization ability of existing models and the lack of a sound distributed collaborative defense mechanism for large-scale networks, achieving high-precision detection and high-availability mitigation of DDoS attacks in industrial internet scenarios has significant theoretical and practical value.

Summary of the Invention

[0007] This invention addresses the challenges of accurate identification, large network scale, wide attack range, and difficult collaborative defense caused by the numerous variants and combinations of DDoS attacks in industrial internet scenarios. It provides a model-mapping-based distributed DDoS defense method and system for the industrial internet. Using a public network traffic dataset as an offline dataset, a hybrid model based on contrastive learning and random forest is trained to obtain a CNN encoder for traffic feature extraction and a random forest classifier for traffic classification, resulting in a classification and identification model. The model employs distillation and parameter binarization techniques to reduce computational complexity and storage requirements while maintaining model performance, and achieves direct mapping within programmable switches. Each programmable switch uses the model to identify packet types and uses a Sketch structure to store relevant attack traffic data, avoiding excessive storage on the switch through LRU caching. The server control plane integrates the results feedback from multiple switches to form a global flow table, and data backhaul synchronizes the status of each switch. In case of failure, disaster recovery is achieved based on the global view. The server formulates and distributes load balancing strategies based on the data entries uploaded by the programmable switches, enabling dynamic traffic redirection. The method of this invention achieves accurate detection and high availability mitigation of DDoS attacks under conditions of limited computing power, limited memory resources, and difficulties in device coordination.

[0008] To achieve the above objectives, the technical solution adopted by this invention is: a distributed DDoS defense method for the industrial internet based on model mapping, comprising the following steps:

[0009] S1: Using a public network traffic dataset as an offline dataset, a hybrid model based on contrastive learning and random forest is trained to obtain a CNN encoder for traffic feature extraction and a random forest classifier for traffic classification. The CNN encoder is combined with the random forest classifier to obtain a classification and recognition model for traffic classification tasks.

[0010] S2: Perform knowledge distillation and parameter binarization on the classification and recognition model trained in step S1 to achieve direct mapping on the programmable switch. The mapping is transformed into a series of Match-Action tables adapted to the programmable switch and deployed on the data plane of the programmable switch hardware through P4 code program.

[0011] S3: Connect the programmable switch to the network. Each programmable switch analyzes and judges the traffic data packets according to the classification and identification model obtained in step S1. It uses the Sketch structure to store the attack traffic data and uses an LRU cache to evict attacker entries when storage is exhausted.

[0012] S4: Repeat step S3 on multiple programmable switches to form a distributed defense system. Each programmable switch asynchronously feeds back the identification results of traffic data packets to the central server, which is the control layer. The central server integrates the data from multiple switches to form a global flow table. After removing redundant items, the status synchronization of multiple programmable switches is achieved through data backhaul.

[0013] S5: The central server formulates and distributes load balancing strategies based on the data entries uploaded by the programmable switch, thereby enabling dynamic traffic redirection.

[0014] As an improvement of the present invention, the contrastive learning stage of the hybrid model training in step S1 adopts the contrastive learning method of SimCLR, which includes at least data augmentation, data encoding, data projection and contrastive loss optimization.

[0015] In the data augmentation, different feature perturbations are applied to each traffic record in the dataset to generate a pair of samples from different perspectives for each original sample.

[0016] In the data encoding process, the enhanced sample pairs are input into the CNN encoder, and after feature extraction, a high-dimensional feature vector is output.

[0017] In the data projection, the high-dimensional feature vector output by the CNN encoder is input into an MLP-based projection head and mapped to low-dimensional projection features.

[0018] In the contrastive loss optimization, the normalized temperature-scaled cross-entropy loss is used as the contrastive loss function, maximizing the cosine similarity of the feature vectors of the same data pair and minimizing the cosine similarity between different data pairs.

[0019] The classifier training phase of the hybrid model training uses the random forest method, which combines multiple decision trees to perform classification or regression tasks.

[0020] As an improvement of the present invention, in the contrastive loss optimization of step S1, the cosine similarity is calculated as follows:

[0021]

[0022] in , Let represent the low-dimensional feature vectors obtained after projection. Represents the vector dot product. The Euclidean norm of a vector;

[0023] The objective function of the normalized temperature-scaled cross-entropy loss is:

[0024]

[0025] in These are the feature vectors output by the same data pair after passing through the projection head. The cosine similarity between two feature vectors is represented by... It is the temperature coefficient. It is the number of samples within a batch. It is an indicator function, when The value is 1.

[0026] As another improvement of the present invention, the knowledge distillation in step S2 is to learn the teacher model by training the student model and to minimize the output difference between the teacher model and the student model using the distillation loss function.

[0027] When the teacher model outputs the final predicted probability, the standard softmax function is replaced with a temperature-controlled softmax: ,in, It is the first output of the model The probability of each category, It is the unnormalized output of the model. The temperature parameter is used to fit the probability distribution output by the teacher model using a student model, and the performance of the student model is evaluated using a loss function, which is: ,in Indicates monitoring losses, Indicates distillation loss, It is a weighting coefficient used to balance the two parts of the loss.

[0028] As another improvement of the present invention, in step S2, the classification and recognition model after knowledge distillation is subjected to parameter binarization processing. This is achieved by restricting the network weights or activation values in the neural network to two discrete values (0, 1 or +1, -1) and discretizing them using a sign function. ,in These are the weights after binarization. These are the original weights.

[0029] As another improvement of the present invention, in step S3, if the programmable switch identifies the traffic data packet as DDoS attack traffic according to the model, it saves the basic information of the traffic into a specific Match-Action table by hash calculation to form a unique identifier. At the same time, the programmable switch uses the asynchronous communication mechanism provided by P4Runtime to encapsulate the newly added DDoS attack traffic entry into a notification message and send it to the control layer. The basic information of the DDoS attack traffic includes, but is not limited to, the source IP address, the destination IP address, the source port, the destination port, and the protocol.

[0030] As another improvement of the present invention, in step S4, the central server broadcasts the updated global flow table to all connected programmable switches at fixed time intervals. After receiving the global flow table, each programmable switch uses it as a basis for supplementing or replacing its local matching table, thereby realizing global state synchronization among nodes in the distributed defense system.

[0031] As a further improvement of the present invention, step S5 specifically includes the following steps:

[0032] S51: The central server counts the number of entries from different programmable switches based on the constructed global flow table. This number is used as an indicator to measure the current processing pressure or network congestion of the programmable switch. Every set time interval, a switch with low congestion is randomly selected as the target redirection node, and the target node information is sent to the corresponding source switch through the P4Runtime interface.

[0033] S52: Each programmable switch uses built-in registers to track the time it takes to process a data packet. At the same time, the number of newly entered data packets into the programmable switch during this time interval is counted. The service strength of a programmable switch is obtained through queuing theory. Take the average value To estimate the congestion level of the programmable switch;

[0034] S53: The programmable switch continuously calculates and detects the congestion level of the port. When the congestion level exceeds the threshold, it triggers a traffic redirection mechanism to directly forward the traffic passing through the port to the designated programmable switch for processing.

[0035] To achieve the above objectives, the present invention also adopts the following technical solution: a model-mapping-based industrial internet DDoS distributed defense system, comprising a computer program, wherein when the computer program is executed by a processor, it implements the steps of a model-mapping-based industrial internet DDoS distributed defense method.

[0036] Compared with the prior art, the present invention has the following beneficial effects:

[0037] (1) The method of this invention proposes for the first time to use multiple programmable switches to form a distributed defense network. Compared with the existing single-point defense mode, distributed collaborative defense can realize the security monitoring of a larger network. At the same time, by using the attack identification results and traffic transmission status of the switches in the defense network, the core functions such as identification synchronization and load balancing are realized, which significantly improves the effectiveness and stability of DDoS defense and meets the deployment requirements under the Industrial Internet.

[0038] (2) This invention distills complex machine learning models to enable direct deployment of models on programmable switches. This improves the accuracy of DDoS identification while ensuring the real-time nature of online DDoS identification, thus meeting the core requirements of a DDoS defense system that is accurate in identification and fast in defense.

[0039] (3) The method of the present invention takes into account the limited storage of programmable switches and specially designs storage information integration and cache eviction strategies to avoid excessive system storage pressure and further improve the stability of the defense system.

Attached Figure Description

[0040] Figure 1 is a system architecture diagram of the industrial internet DDoS distributed defense system based on model mapping according to the present invention;

[0041] Figure 2 is a flowchart illustrating the steps of the industrial internet DDoS distributed defense method based on model mapping according to the present invention.

[0042] Figure 3 is a flowchart illustrating the workflow of traffic detection and mitigation in the model mapping-based distributed defense method for DDoS attacks in the industrial internet of this invention.

Detailed Implementation

[0043] The present invention will be further illustrated below with reference to the accompanying drawings and specific embodiments. It should be understood that the following specific embodiments are for illustrative purposes only and are not intended to limit the scope of the invention.

[0044] Example 1

[0045] A model-mapping-based distributed DDoS defense system for the industrial internet has the architecture shown in Figure 1. The system is divided into two main parts: a general-purpose server and programmable switches. The general-purpose server is responsible for receiving flow table information sent by the programmable switch group through the standard communication interface (P4Runtime) provided by P4 and maintaining the global flow table. It also assesses the current device load based on the source of flow table entries and selects devices with lighter loads for traffic redirection. When a switch comes online for the first time or experiences an abnormal downtime, the server needs to synchronize the global flow table to the target devices. Each programmable switch is equipped with a traffic identification model for online traffic identification and dynamic updating of the local flow table.

[0046] A distributed DDoS defense method for the industrial internet based on model mapping, as shown in Figure 2, includes the following specific steps:

[0047] Step S1: Introduce a hybrid model combining contrastive learning and random forest on a general server. Use a public network traffic dataset as an offline dataset to train the hybrid model, and finally obtain a CNN encoder for traffic feature extraction and a random forest classifier for traffic classification.

[0048] In the contrastive learning phase of model training, the method of this invention adopts the SimCLR framework. The contrastive learning method of SimCLR is a type of self-supervised learning. Its core idea is to enhance the generalization ability of the model by bringing similar data closer together in the feature space and pushing different types of data further apart. It consists of four steps: data augmentation, data encoding, data projection, and contrastive loss optimization.

[0049] In data augmentation, data transformation methods such as feature perturbation are mainly used to create sample pairs from different perspectives to simulate data changes in the real environment, thereby improving the generalization ability of the model and enabling it to adapt to complex and ever-changing network traffic characteristics. Different feature perturbations are applied to each traffic record (represented as a numerical feature vector) in the dataset to generate a pair of samples from different perspectives for each original sample.

[0050] In data encoding, a CNN is used to construct the encoder, extracting features from the augmented sample pairs and mapping them to a high-dimensional feature space. This ensures that similar samples have similar representations within this space. Essentially, the augmented sample pairs are input into the CNN encoder, which outputs multi-dimensional feature vectors. A CNN mainly consists of convolutional layers, pooling layers, and fully connected layers: convolutional layers extract local features, acquiring spatial or temporal information from the input data through sliding window operations of the convolutional kernel, and reducing computational complexity through parameter sharing; pooling layers reduce feature dimensionality, decrease computational burden, and enhance the model's translation invariance; fully connected layers integrate features and output high-dimensional feature representations.

[0051] In data projection, to further optimize feature representation, the high-dimensional features output by the encoder are transformed into low-dimensional feature vectors by an MLP-based projection head. This enhances feature discrimination, making similar samples appear closer together in the projection space and different samples easier to distinguish. Furthermore, MLPs can adjust feature dimensions to improve the optimization of contrastive losses (such as InfoNCE), thereby enhancing the generalization ability of downstream tasks.

[0052] In the contrastive loss optimization, the batch size and temperature coefficient are set during training, and the normalized temperature-scaled cross-entropy loss function is used for optimization. The model optimizes the feature representation by maximizing the cosine similarity of feature vectors (output by the projector) for the same data pair and minimizing the cosine similarity between different data pairs. The cosine similarity is calculated as follows:

[0053]

[0054] in , Let represent the low-dimensional feature vectors obtained after projection. Represents the vector dot product. This represents the Euclidean norm of the vector. This formula characterizes the similarity of two vectors by measuring the angle between them. In actual training, the normalized temperature-scaled cross-entropy loss formula is used to optimize the objective function: .in It is a temperature coefficient used to control the sharpness of the similarity distribution. This is the number of samples within a batch, with each sample having two views, for a total of 2. indivual, These are the feature vectors output by the same data pair after passing through the projection head. The cosine similarity between two feature vectors is represented by... It is an indicator function, when The value is 1. After training is complete, the CNN encoder is used for feature extraction, combined with a classifier (random forest) for traffic classification tasks.
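The contrastive stage described in [0014]-[0018] and [0048]-[0054] (feature-perturbation views, cosine similarity, and the normalized temperature-scaled cross-entropy over a batch of 2N views) can be checked end to end in a few dozen lines. The following is an added example written for this page, not code from the patent or its authors; it uses plain Python lists in place of the CNN encoder and projection head (the vectors passed to `nt_xent_loss` are assumed to already be the projected features), and the view ordering (views 2k and 2k+1 belong to sample k) is a convention chosen here.

```python
import math
import random
from typing import List, Sequence

Vector = Sequence[float]


def feature_perturbation(record: Vector, scale: float, rng: random.Random) -> List[float]:
    """One augmentation view: add small Gaussian noise to every numeric feature of a traffic record."""
    return [x + rng.gauss(0.0, scale) for x in record]


def make_views(record: Vector, scale: float, rng: random.Random) -> List[List[float]]:
    """Two independently perturbed views of one original sample (the SimCLR positive pair)."""
    return [feature_perturbation(record, scale, rng), feature_perturbation(record, scale, rng)]


def cosine_similarity(u: Vector, v: Vector) -> float:
    """sim(u, v) = (u . v) / (||u|| ||v||): similarity by the angle between the two vectors."""
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    return dot / (norm_u * norm_v)


def nt_xent_loss(projections: List[Vector], temperature: float) -> float:
    """Normalized temperature-scaled cross-entropy over a batch of 2N projected views.

    `projections` must be ordered so that indices 2k and 2k+1 are the two views of sample k.
    For anchor i with positive partner j the term is
        -log( exp(sim(i,j)/T) / sum_{k != i} exp(sim(i,k)/T) )
    where the sum implements the indicator 1[k != i]; the batch loss is the mean over all 2N anchors.
    """
    m = len(projections)
    if m == 0 or m % 2 != 0:
        raise ValueError("need an even, non-empty number of views (2N)")
    sims = [[cosine_similarity(projections[i], projections[j]) for j in range(m)] for i in range(m)]
    total = 0.0
    for i in range(m):
        j = i + 1 if i % 2 == 0 else i - 1  # positive partner of anchor i
        positive = math.exp(sims[i][j] / temperature)
        # every other view in the batch is a negative except the anchor itself
        denominator = sum(math.exp(sims[i][k] / temperature) for k in range(m) if k != i)
        total += -math.log(positive / denominator)
    return total / m


def batch_from_records(records: List[Vector], scale: float, seed: int) -> List[List[float]]:
    """Constructed mini-batch: two views per record, interleaved as nt_xent_loss expects."""
    rng = random.Random(seed)
    batch: List[List[float]] = []
    for rec in records:
        batch.extend(make_views(rec, scale, rng))
    return batch


if __name__ == "__main__":
    # constructed traffic records: (packet length, flow rate, duration) already scaled to [0, 1]
    records = [[0.90, 0.80, 0.10], [0.10, 0.05, 0.95]]
    batch = batch_from_records(records, scale=0.02, seed=7)
    for temp in (0.1, 0.5, 1.0):
        print(f"T={temp}: loss={nt_xent_loss(batch, temp):.4f}")
```

With well-separated samples the loss falls as the temperature drops, because the softened similarity distribution sharpens around the positive partner; a temperature that is too small makes the gradient signal from hard negatives vanish, which is why the batch size and temperature are set jointly during training.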

[0055] In the classifier training phase, this invention employs Random Forest (RF) as the classifier following the contrastive learning encoder. RF is an ensemble learning method that uses a combination of multiple decision trees to perform classification or regression tasks. A Random Forest classifier is trained using the feature vectors extracted by the aforementioned CNN encoder and their corresponding ground truth labels, with the number of decision trees and maximum depth limits specified in advance. When constructing each decision tree, for each node split, selection is based on criteria such as maximizing information gain. Ultimately, for a new traffic sample, its category is determined by the voting results of all decision trees.

[0056] Specifically, random forests first randomly select features to form a feature subset, and then train decision trees on this subset. Within each decision tree, the optimal feature is recursively split according to criteria such as maximizing information gain, until a set depth or other termination condition is reached. For classification tasks, random forests aggregate the predictions from all decision trees and use majority voting to ultimately determine the sample category. The splitting process of the decision tree can be intuitively represented by matching rules, making it suitable for mapping to programmable switches.

[0057] Step S2: In order to deploy the model on a resource-constrained programmable switch, this embodiment performs knowledge distillation on the recognition model (teacher model) trained in step S1 to obtain a lightweight student model, and finally maps the student model to a forwarding table entry in the switch.

[0058] The model trained in step S1 is compressed using the knowledge distillation (KD) technique. This involves training a small model (the student model) to learn the knowledge of a large model (the teacher model), reducing computational overhead while maintaining model performance. The core idea is to utilize the soft labels output by the teacher model, which contain the complete probability distribution rather than just the traditional hard labels (fixed classification labels). This allows the student model to learn richer feature representations, going beyond the final class decision alone.

[0059] Model distillation typically uses a distillation loss function (such as cross-entropy or Kullback-Leibler divergence) to minimize the output difference between the teacher and student models, and combines it with traditional supervised learning loss during training to ensure that the student model learns both the knowledge from the teacher model and adapts to the constraints of the true labels. When the teacher model outputs the final predicted probability, the standard softmax function is replaced with a temperature-controlled softmax. ,in, It is the first output of the model The probability of each category, It is the unnormalized output of the model. It's a temperature parameter that controls the smoothness of the probability distribution. Generally speaking, Setting it to a value greater than 1 smooths the output probabilities of the teacher model, allowing the student model to grasp the relative probabilities between different categories, rather than just the most likely category. Then, the student model is used to fit the probability distribution of the teacher model's output (the output probabilities are still processed using a temperature-optimized softmax function), and the performance of the student model is evaluated using a loss function consisting of two parts: ,in Indicates monitoring losses, Indicates distillation loss, These are weighting coefficients used to balance the two parts of the loss, and their calculation methods are as follows: ,in It is the probability output of the teacher model. This is the probability output of the student model. A label indicating authenticity.

[0060] The model distillation process achieves a good model compression effect by continuously adjusting the parameters of the student model to minimize the total loss function.
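The two-part distillation objective of [0026]-[0027] and [0058]-[0060] (a temperature-controlled softmax on the teacher's logits, a supervised loss against the true label, and a distillation loss between the softened teacher and student outputs, combined by weighting coefficients) is shown below as an added example written for this page; it is not the patent's code. The weighting coefficients are named `alpha` and `beta` here, and the T² scaling of the distillation term follows the common Hinton-style convention; both are assumptions, since the page's own formula symbols did not survive extraction.

```python
import math
from typing import List


def softmax_with_temperature(logits: List[float], temperature: float) -> List[float]:
    """Temperature-controlled softmax p_i = exp(z_i / T) / sum_j exp(z_j / T).

    T = 1 is the ordinary softmax; T > 1 flattens the distribution so the relative
    probabilities of the non-maximal classes become visible to the student."""
    if temperature <= 0:
        raise ValueError("temperature must be positive")
    scaled = [z / temperature for z in logits]
    shift = max(scaled)  # subtract the max before exp for numerical stability
    exps = [math.exp(s - shift) for s in scaled]
    total = sum(exps)
    return [e / total for e in exps]


def supervised_loss(student_logits: List[float], true_label: int) -> float:
    """Cross-entropy of the student's ordinary (T = 1) prediction against the hard label."""
    probs = softmax_with_temperature(student_logits, 1.0)
    return -math.log(probs[true_label])


def distillation_loss(student_logits: List[float], teacher_logits: List[float], temperature: float) -> float:
    """KL(teacher || student) between the two temperature-softened distributions.

    The T^2 factor (assumption, Hinton et al.'s convention) keeps the gradient magnitude
    comparable to the supervised term when a large temperature is used."""
    p_teacher = softmax_with_temperature(teacher_logits, temperature)
    p_student = softmax_with_temperature(student_logits, temperature)
    kl = sum(t * math.log(t / s) for t, s in zip(p_teacher, p_student) if t > 0.0)
    return temperature * temperature * kl


def total_loss(student_logits: List[float], teacher_logits: List[float], true_label: int,
               temperature: float, alpha: float, beta: float) -> float:
    """Weighted sum of the supervised part and the distillation part (alpha, beta are assumed names)."""
    return (alpha * supervised_loss(student_logits, true_label)
            + beta * distillation_loss(student_logits, teacher_logits, temperature))


if __name__ == "__main__":
    # constructed logits for three traffic classes: benign, SYN flood, UDP flood
    teacher = [6.0, 2.0, 0.5]
    student = [4.0, 2.5, 1.0]
    for temp in (1.0, 2.0, 4.0):
        print(f"T={temp}: teacher soft targets={softmax_with_temperature(teacher, temp)}")
    print("total loss:", total_loss(student, teacher, true_label=0, temperature=3.0, alpha=0.5, beta=0.5))
```

A student that reproduces the teacher's logits exactly drives the distillation term to zero, leaving only the supervised term; in practice the student is iteratively updated to minimise the weighted sum, and the temperature is reset to 1 at inference time on the switch.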

[0061] To further compress the model to fit the switch hardware, the distilled detection model undergoes parameter binarization. Parameter binarization is a technique used to reduce the computational complexity and storage requirements of neural networks. Its core idea is to restrict the network weights or activation values in the neural network to two discrete values (0, 1 or +1, -1). Compared with storing 32-bit floating-point numbers, binarized parameters require only 1 bit, and matrix operations after binarization can use simple addition and subtraction instead of floating-point multiplication and division.

[0062] Parameter binarization is typically performed using a sign function for discretization: ,in These are the weights after binarization. These are the original weights. For the gradient calculation problem during backpropagation, the derivative of the sign function is 0 in most regions, and it is not differentiable at 0, causing the gradient to fail to propagate properly. To solve this problem, a Straight-Through Estimator (STE) is used to approximate the gradient, that is, to approximate the gradient as 1, so that the gradient can be updated normally and the weights can be updated effectively, thus ensuring network convergence. Finally, this fully binary student model is converted into a series of Match-Action tables described in P4 language. For example, the operation of a neuron in the first layer of the model can be mapped to a table, where the Match Fields are the binary input features, and the Action is the binary output of the neuron calculated based on the matching result. By converting the operations of all neurons into such table entries and deploying the generated P4 code on a programmable switch, high-speed, real-time traffic classification at the hardware level is achieved.

[0063] The model training and deployment process proposed in this invention is first performed offline. This process trains a complex teacher model on a general-purpose server using a public dataset. First, a CNN encoder with powerful feature extraction capabilities is trained using the SimCLR (Simultaneous Learning) framework. Then, a random forest classifier is trained based on the features output by this encoder. Subsequently, to adapt to resource-constrained hardware environments, the system employs knowledge distillation technology, using the teacher model to guide the training of a simplified, lightweight student model. The network parameters of the student model are binarized to achieve model compression. Finally, this binarized student model is completely mapped to a series of Match-Action tables adapted to programmable switches and deployed to the data plane of the switch hardware via the P4 program. After deployment, the switch can perform high-speed, real-time traffic classification at the hardware level through table matching actions.
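The binarization step of [0028] and [0061]-[0063] is concrete enough to demonstrate: the sign function quantises each weight, the Straight-Through Estimator passes the gradient through to the latent real-valued weight, and a fully binary neuron can then be enumerated into exact-match entries of a Match-Action table. The following is an added example written for this page, not the patent's code or its P4 program; the table name `MyIngress.neuron_l1_0`, the match fields `meta.in_bit<i>` and the action `MyIngress.set_neuron_out` are hypothetical names chosen to resemble what a P4Runtime controller would install.

```python
import itertools
from typing import Dict, List, Sequence, Tuple

Bits = Tuple[int, ...]


def binarize(weights: Sequence[float]) -> List[int]:
    """sign() quantisation: each real weight becomes +1 or -1 (sign(0) taken as +1 here)."""
    return [1 if w >= 0.0 else -1 for w in weights]


def ste_update(real_weights: Sequence[float], grad_wrt_binary: Sequence[float], learning_rate: float) -> List[float]:
    """Straight-Through Estimator step.

    sign() has zero derivative almost everywhere and is undefined at 0, so the gradient
    computed with respect to the binarised weight is passed through unchanged (derivative
    approximated as 1) to the latent real-valued weight, which is what the optimiser updates."""
    return [w - learning_rate * g for w, g in zip(real_weights, grad_wrt_binary)]


def binary_neuron(inputs_pm1: Sequence[int], weights_pm1: Sequence[int], bias: float) -> int:
    """Fully binarised neuron: +-1 inputs and +-1 weights, so the dot product is pure add/subtract."""
    acc = sum(x * w for x, w in zip(inputs_pm1, weights_pm1)) + bias
    return 1 if acc >= 0 else -1


def neuron_to_match_action_entries(real_weights: Sequence[float], bias: float) -> List[Dict]:
    """Enumerate every binary input pattern of one neuron and emit one exact-match entry per pattern.

    Match fields are the neuron's binary input features, the action parameter is its binary output,
    exactly the per-neuron table described in the text. Table grows as 2^fan_in, so fan-in must be small."""
    weights = binarize(real_weights)
    n = len(weights)
    entries: List[Dict] = []
    for bits in itertools.product((0, 1), repeat=n):
        levels = [1 if b else -1 for b in bits]  # 0/1 wire value -> -1/+1 activation level
        out_bit = 1 if binary_neuron(levels, weights, bias) > 0 else 0
        entries.append({
            "table": "MyIngress.neuron_l1_0",  # hypothetical P4 table name
            "match": {f"meta.in_bit{i}": bits[i] for i in range(n)},  # hypothetical field names
            "action": "MyIngress.set_neuron_out",  # hypothetical action name
            "params": {"value": out_bit},
        })
    return entries


def table_lookup(entries: List[Dict], bits: Bits) -> int:
    """Data-plane view: exact match of the input bits against the installed entries."""
    for e in entries:
        if tuple(e["match"].values()) == tuple(bits):
            return e["params"]["value"]
    raise KeyError(f"no entry for {bits}")


if __name__ == "__main__":
    # constructed latent weights for a 3-input first-layer neuron
    w_real = [0.6, -0.4, 0.05]
    print("binarised weights:", binarize(w_real))
    w_after = ste_update(w_real, grad_wrt_binary=[0.0, 0.0, 1.0], learning_rate=0.1)
    print("after one STE step the third weight flips sign:", binarize(w_after))
    for entry in neuron_to_match_action_entries(w_real, bias=0.5):
        print(entry["match"], "->", entry["params"])
```

Because every entry is an exact match on a handful of bits, the lookup costs one table access per neuron per packet regardless of the model's original floating-point size, which is what makes line-rate classification on the switch feasible; the price is that fan-in is capped by the 2^n table size, so the distilled student must be designed with narrow layers.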

[0064] Step S3: Turn on the programmable switch, connect to the network, use the machine learning model deployed on it to identify and process malicious traffic, and record and upload the traffic information.

[0065] This invention employs a defense network composed of programmable switches based on the Tofino architecture, and deploys a machine learning model by running P4 code on the programmable switches. Data packets are parsed within the programmable switches to obtain relevant features of the model, including but not limited to source IP address, destination IP address, port number, protocol type, packet length, flow rate, and connection duration. The model then uses these features as input for traffic classification and judgment.

[0066] If the model identifies the traffic as abnormal (DDoS attack traffic), it needs to hash the basic information of the traffic (source IP address, destination IP address, source port, destination port, protocol) to form a unique identifier and save it in a specific match-action table for subsequent fast matching processing. Simultaneously, the programmable switch uses the asynchronous communication mechanism provided by P4Runtime (e.g., via digest messages) to encapsulate the newly added abnormal traffic entry into a notification message and send it to the control layer. Upon receiving this message, the control layer can further perform operations such as global policy updates, abnormal visualization, or distributed synchronization.

[0067] Finally, the corresponding action is executed based on the identification result. If the traffic is abnormal, it is dropped directly; otherwise, it is forwarded normally. For example, DDoS traffic is dropped.

[0068] Step S4: Repeat step S3 on multiple programmable switches. The control layer integrates the table entry information uploaded by all programmable switches to form a global flow table, and sends some table entries back to the corresponding programmable switches.

[0069] To construct a distributed collaborative defense system, step S3 as described above can be executed on multiple programmable switches deployed at different network boundaries or core nodes, thereby forming a multi-point traffic monitoring and detection network based on programmable switches. In this embodiment, a control layer communication mechanism with each programmable switch is further activated to ensure that the control plane and each data plane node maintain a real-time or near-real-time data exchange connection.

[0070] During system operation, the control layer continuously receives asynchronously uploaded abnormal traffic information from various programmable switches via network communication channels. This information includes identified abnormal flow entries (such as source IP, port, protocol type, etc.) and related metadata (such as identification time, abnormality type, source switch identifier, etc.). The control layer integrates the abnormal flow entries reported by multiple switches to construct a unified global attack flow table. During this integration process, the control layer removes duplicate records (e.g., the same attack source IP from different switches) and associates each global table entry with its source switch number for subsequent tracking and response optimization.

[0071] To ensure consistent anomaly flow detection across different switching nodes in the entire defense system, the control layer broadcasts the updated global attack flow table to all connected programmable switch nodes at fixed time intervals (e.g., every 5 seconds or 1 minute). Upon receiving this global table, each switch can use it as a supplement or replacement for its local matching table, thereby achieving global state synchronization among nodes in the distributed defense system and improving overall collaborative defense efficiency.
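The control-layer side of steps [0066], [0070] and [0071] (5-tuple hashed into a unique identifier, duplicate reports from different switches merged with their source switch recorded, and a periodic sync payload per switch), as an added example that is not the patent's own code. The report layout, CRC32 as a stand-in for the switch's 5-tuple hash, and the switch identifiers are assumptions.

```python
"""Aggregation of switch digest reports into the global attack flow table.

Added example, not the patent's own code. The report layout, CRC32 as a
stand-in for the switch's 5-tuple hash, and the switch ids are assumptions.
"""
import struct
import zlib
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Set


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int


def flow_id(ft: FiveTuple) -> int:
    """Hash the 5-tuple into the unique identifier used as the match-action key."""
    packed = (ip_address(ft.src_ip).packed + ip_address(ft.dst_ip).packed
              + struct.pack("!HHB", ft.src_port, ft.dst_port, ft.proto))
    return zlib.crc32(packed) & 0xFFFFFFFF


@dataclass
class GlobalEntry:
    flow: FiveTuple
    first_seen: float                                 # identification time of first report
    anomaly_type: str
    switches: Set[str] = field(default_factory=set)   # every switch that reported it


class GlobalFlowTable:
    def __init__(self) -> None:
        self.entries: Dict[int, GlobalEntry] = {}

    def ingest(self, switch_id: str, report: dict) -> bool:
        """Merge one digest notification. Returns True when a new global entry is
        created; a duplicate (same flow seen elsewhere) only records the extra source."""
        ft = FiveTuple(**report["flow"])
        fid = flow_id(ft)
        entry = self.entries.get(fid)
        if entry is None:
            self.entries[fid] = GlobalEntry(ft, report["ts"], report["type"], {switch_id})
            return True
        entry.switches.add(switch_id)
        return False

    def entries_per_switch(self) -> Dict[str, int]:
        """Indicator used in S51: number of abnormal entries attributed to each switch."""
        counts: Dict[str, int] = {}
        for entry in self.entries.values():
            for sw in entry.switches:
                counts[sw] = counts.get(sw, 0) + 1
        return counts

    def sync_payload(self, switch_id: str) -> List[int]:
        """Identifiers pushed at the broadcast interval: entries the switch has not
        reported itself, so it can supplement its local matching table."""
        return sorted(fid for fid, e in self.entries.items() if switch_id not in e.switches)
```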

[0072] Step S5: The control layer uses the maintained global flow table to count the attack level on each programmable switch, thereby formulating a dynamic traffic redirection policy, which is then sent to the programmable switches at regular intervals. The programmable switches monitor the port traffic congestion level in real time, and if it exceeds the set threshold, they directly forward the traffic according to the redirection policy sent by the control layer to achieve load balancing.

[0073] S51: Based on the established global attack flow table, the control layer counts the number of abnormal flow entries reported by each programmable switch and uses this number as an indicator to measure the current processing pressure of the switch or the degree of network congestion. Statistical indicators may include the number of newly added abnormal flow entries per unit time, the number of historical cumulative entries, or the load factor calculated based on switch resource utilization. The control layer performs a global analysis every set time interval (e.g., 30 seconds) and, for all programmable switches participating in the defense, randomly selects one switch from those with lower congestion levels as the target redirection node, and sends the target node information to the corresponding source switch via the P4Runtime interface.

[0074] S52: Each programmable switch monitors the real-time processing performance of its ports through a register mechanism. When a data packet enters the switch, a timestamp is recorded during the ingress phase. After the packet is forwarded, dropped, or subjected to another action, a second timestamp is recorded during the egress phase, and the processing delay of the packet is calculated from the difference. In addition, the switch uses registers to record the number of data packets arriving at the port within the current time window, which gives an estimate of the packet arrival rate at that port. Combining these measurements with queuing theory (such as the M/M/1 queue model), the current congestion level of the port can be estimated.

[0075] S53: Based on this, the programmable switch continuously monitors the congestion level of its ports in real time. If the congestion level of a port exceeds a preset threshold, a traffic redirection mechanism is triggered. At this point, the switch, based on the target switch information sent by the control layer, redirects the specific traffic originally planned to be forwarded from the current port directly to the target switch for processing. Because the control layer dynamically updates the redirection target for each node, this traffic migration process is continuous, dynamic, and adaptable to changes in network load.
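Steps S51 to S53 worked through end to end, as an added example that is not the patent's own code: the control layer picks a lower-congestion target for each switch from the per-switch entry counts, the switch side turns its ingress/egress timestamps and arrival counter into an M/M/1 service intensity, and the redirection trigger compares it with a threshold. The one-second window, the 0.8 threshold, the use of the mean ingress-to-egress delay as the M/M/1 service time, and representing the target switch as an egress port are assumptions.

```python
"""S51 target selection, S52 M/M/1 congestion estimate, S53 redirection trigger.

Added example, not the patent's own code. The window length, the 0.8 threshold
and the use of mean processing delay as the M/M/1 service time are assumptions;
timestamps are in microseconds.
"""
import random
from dataclasses import dataclass
from typing import Dict, Optional


def select_redirect_targets(entry_counts: Dict[str, int],
                            rng: Optional[random.Random] = None) -> Dict[str, Optional[str]]:
    """S51: for each source switch, randomly pick a target among the switches whose
    abnormal-entry count (the congestion indicator) is lower than its own."""
    rng = rng or random.Random()
    targets: Dict[str, Optional[str]] = {}
    for src, load in entry_counts.items():
        candidates = [sw for sw, c in entry_counts.items() if c < load]
        targets[src] = rng.choice(candidates) if candidates else None
    return targets


@dataclass
class PortRegisters:
    """Mirror of the per-port registers the data plane keeps for one time window."""
    window_us: int
    arrivals: int = 0        # packets that entered the port in this window
    delay_sum_us: int = 0    # sum of (egress_ts - ingress_ts) over those packets

    def on_packet(self, ingress_ts_us: int, egress_ts_us: int) -> None:
        self.arrivals += 1
        self.delay_sum_us += egress_ts_us - ingress_ts_us

    def congestion(self) -> float:
        """S52: M/M/1 service intensity rho = lambda / mu, with lambda the arrival
        rate over the window and mu = 1 / mean processing delay."""
        if self.arrivals == 0:
            return 0.0
        lam = self.arrivals / (self.window_us / 1e6)          # packets per second
        mean_delay_s = self.delay_sum_us / self.arrivals / 1e6
        mu = 1.0 / mean_delay_s                               # packets per second
        return lam / mu

    def reset(self) -> None:
        """Called at the end of each window, as the data plane would clear registers."""
        self.arrivals = 0
        self.delay_sum_us = 0


def choose_egress(port: PortRegisters, planned_port: int,
                  redirect_target: Optional[int], threshold: float = 0.8) -> int:
    """S53: when the congestion level exceeds the threshold and the control layer has
    issued a target, forward via the redirect port instead of the planned port."""
    if port.congestion() > threshold and redirect_target is not None:
        return redirect_target
    return planned_port
```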

[0076] Based on the above system and defense method, the workflow of traffic detection and mitigation in the model mapping-based distributed defense method for DDoS attacks in the industrial internet of this invention is as follows. As shown in Figure 3, this process can be divided into two parts: detection and traffic redirection. During detection, the programmable switch's data plane continuously receives network data packets. When the switch receives a data packet, the system calls the model to identify the packet and determine whether it is an attack type. If it is identified as attack traffic, the packet is discarded, and the relevant attack information is reported to the control layer; if it is identified as normal traffic, it continues to be forwarded to ensure the continuity of network services. During traffic redirection (load balancing), the control layer determines which devices are under high load based on the congestion status reported by multiple programmable switches and selects target devices with lower loads. The control layer sends redirection information to the corresponding switches. The programmable switches continuously monitor the congestion level of each port in real time. At the same time, the switches also receive control information from the control layer to redirect some traffic to designated devices, thereby alleviating the processing pressure on the current switches. This process works in conjunction with the detection mechanism to ensure that the system can dynamically adjust traffic paths when facing large-scale traffic or sudden attacks, improving the overall network stability and defense capabilities.

[0077] In summary, this invention aims to achieve accurate DDoS detection and rapid mitigation in the Industrial Internet. It proposes a model-mapping-based distributed DDoS defense method and system for the Industrial Internet, and designs model distillation optimization to address the limited resources of programmable switches, improving detection accuracy and generalization. A distributed defense strategy is proposed, increasing the coverage of the defense network and improving system stability. Simultaneously, state synchronization and load balancing functions based on the control layer are designed to achieve point-to-point identification and multi-point defense, while also possessing the ability to autonomously and dynamically mitigate traffic congestion, enhancing network availability. This invention effectively solves the problems of large-scale network attacks and difficulties in collaborative defense, achieving accurate DDoS attack detection and high-availability mitigation under conditions of limited computing power, limited memory resources, and difficulties in device coordination.

[0078] It should be noted that the above content merely illustrates the technical concept of the present invention and should not be construed as limiting the scope of protection of the present invention. For those skilled in the art, various improvements and modifications can be made without departing from the principle of the present invention, and all such improvements and modifications fall within the scope of protection of the claims of the present invention.

Claims

1. A distributed DDoS defense method for the industrial internet based on model mapping, characterized in that it includes the following steps: S1: Using a public network traffic dataset as an offline dataset, a hybrid model based on contrastive learning and random forest is trained to obtain a CNN encoder for traffic feature extraction and a random forest classifier for traffic classification. The CNN encoder is combined with the random forest classifier to obtain a classification and recognition model for traffic classification tasks. In the contrastive learning stage of the hybrid model training, the contrastive learning method of SimCLR is adopted, which includes at least data augmentation, data encoding, data projection and contrastive loss optimization. In the data augmentation, different feature perturbations are applied to each traffic record in the dataset to generate a pair of samples from different perspectives for each original sample. In the data encoding process, the augmented sample pairs are input into the CNN encoder, and after feature extraction, a high-dimensional feature vector is output. In the data projection, the high-dimensional feature vector output by the CNN encoder is input into an MLP-based projection head and mapped to low-dimensional projection features. In the contrastive loss optimization, the normalized temperature-scaled cross-entropy loss is used to optimize the contrastive loss function, maximizing the cosine similarity of the feature vectors of the same data pair and minimizing the cosine similarity between different data pairs. The classifier training phase of the hybrid model training uses the random forest method, which combines multiple decision trees to perform classification or regression tasks. S2: Perform knowledge distillation and parameter binarization on the classification and recognition model trained in step S1 to achieve direct mapping on the programmable switch. The mapping is transformed into a series of Match-Action tables adapted to the programmable switch and deployed on the data plane of the programmable switch hardware through a P4 program. S3: Connect the programmable switch to the network. Each programmable switch analyzes and judges the traffic data packets according to the classification and identification model, stores the attack traffic data in a Sketch structure, and evicts them through LRU caching. S4: Repeat step S3 on multiple programmable switches to form a distributed defense system. Each programmable switch asynchronously feeds back the identification results of traffic data packets to the central server, which is the control layer. The central server integrates the data from multiple switches to form a global flow table. After removing redundant items, the status synchronization of multiple programmable switches is achieved through data backhaul. S5: The central server formulates and distributes load balancing strategies based on the data entries uploaded by the programmable switch, thereby enabling dynamic traffic redirection.

2. The industrial internet DDoS distributed defense method based on model mapping as described in claim 1, characterized in that: In the comparison loss optimization of step S1, the cosine similarity is calculated as follows: ; in , Let represent the low-dimensional feature vectors obtained after projection. Represents the dot product of vectors. The Euclidean norm of a vector; The objective function of the normalized temperature-scaled cross-entropy loss is: ; in These are the feature vectors output by the same data pair after passing through the projection head. The cosine similarity between two feature vectors is represented by... It is the temperature coefficient. It is the number of samples within a batch. It is an indicator function, when The value is 1.

3. The industrial internet DDoS distributed defense method based on model mapping as described in claim 1, characterized in that: The knowledge distillation in step S2 involves training the student model to learn the teacher model and using a distillation loss function to minimize the output difference between the teacher model and the student model. When the teacher model outputs the final predicted probability, the standard softmax function is replaced with a temperature-controlled softmax: ,in, It is the first output of the model The probability of each category It is the unnormalized output of the model. The temperature parameter is used to fit the probability distribution output by the teacher model using a student model, and the performance of the student model is evaluated using a loss function, which is: ,in Indicates monitoring losses, Indicates distillation loss, It is the weighting coefficient.

4. The industrial internet DDoS distributed defense method based on model mapping as described in claim 3, characterized in that: In step S2, the classification and recognition model after knowledge distillation undergoes parameter binarization. This is achieved by limiting the network weights or activation values in the neural network to two discrete values, 0 and 1, or +1 and -1, through a sign function. ,in These are the weights after binarization. These are the original weights.

5. The industrial internet DDoS distributed defense method based on model mapping as described in claim 1, characterized in that: In step S3, if the programmable switch identifies the traffic data packet as DDoS attack traffic according to the model, it saves the basic information of the traffic into a specific Match-Action table by hash calculation to form a unique identifier. At the same time, the programmable switch uses the asynchronous communication mechanism provided by P4Runtime to encapsulate the newly added DDoS attack traffic entry into a notification message and send it to the control layer. The basic information of the DDoS attack traffic includes the source IP address, destination IP address, source port, destination port and protocol.

6. The industrial internet DDoS distributed defense method based on model mapping as described in claim 1, characterized in that: In step S4, the central server broadcasts the updated global flow table to all connected programmable switches at fixed time intervals. After receiving the global flow table, each programmable switch uses it as a basis for supplementing or replacing its local matching table, thereby achieving global state synchronization among nodes in the distributed defense system.

7. The industrial internet DDoS distributed defense method based on model mapping as described in claim 1, characterized in that: Step S5 specifically includes the following steps: S51: Based on the constructed global flow table, the central server counts the number of entries from different programmable switches. This number of entries is used as an indicator to measure the current processing pressure or network congestion level of the programmable switch. Every set time interval, a switch with low congestion is randomly selected as the target redirection node, and the target redirection node information is sent to the corresponding source switch through the P4Runtime interface. S52: Each programmable switch uses built-in registers to track the time it takes to process a data packet. At the same time, the number of newly entered data packets into the programmable switch during this time interval is counted. The service strength of a programmable switch is obtained through queuing theory. Take the average value To estimate the congestion level of the programmable switch; S53: The programmable switch continuously calculates and detects the congestion level of the port. When the congestion level exceeds the threshold, it triggers a traffic redirection mechanism to directly forward the traffic passing through the port to the designated programmable switch for processing.

8. A model-mapping-based distributed DDoS defense system for the industrial internet, comprising computer programs, characterized in that: When the computer program is executed by a processor, it implements the steps of the method as described in any one of claims 1-7 above.