Research On Key Technologies Of Malicious Traffic Defense For Software Defined Network

Posted on: 2021-01-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X H Zhao
GTID: 1368330623482219
Subject: Computer Science and Technology
Abstract/Summary:
Malicious traffic detection is a commonly used attack defense method for software defined networks (SDN). It can not only identify DDoS attacks, network worms and other malicious attack flows, but also predict unknown attack behavior in the network, which makes the design and implementation of an early-warning response mechanism possible. In recent years, however, network traffic has grown more complex, mounting a malicious traffic attack has become progressively easier, and a variety of new attack methods have emerged. The increasing frequency and scale of such attacks, together with their concealment and polymorphism, pose unprecedented challenges to malicious traffic detection. At present, research on malicious traffic detection and analysis in SDN has the following problems: (1) traditional traffic analysis techniques cannot be reused directly in SDN, and detection efficiency for SDN-specific attack types is low; (2) malicious traffic attacks against SDN take more diverse forms and methods, their concealment and polymorphism are more pronounced, and existing traffic analysis methods struggle to detect them accurately; (3) existing SDN traffic analysis work concentrates on detection methods and lacks research on response and defense mechanisms against malicious traffic.

In view of these shortcomings, this dissertation compares and analyzes current traffic detection technologies, focusing on link monitoring and behavior analysis, threat intelligence guidance, Web Shell attacks, and SDN flow table overflow attacks. Building on a variety of flow table manipulation methods, it realizes the detection and defense of SDN malicious traffic. The main work is summarized as follows:

1. A malicious traffic defense method based on link monitoring is proposed. To address the high cost of link monitoring and security analysis and the difficulty of detecting malicious switches in current SDN malicious traffic detection technology, link monitoring, behavior analysis and event processing functions are added to SDN on top of a network monitoring framework. The link monitoring function reads and counts the characteristics of network traffic data, and reduces the monitoring load by jointly considering the duration of the data, the burst setting of the transmission frequency and the length of the monitoring window. Based on the statistics of traffic characteristics, the behavior analysis function detects malicious traffic with a multi-path coordinated detection algorithm based on a convolutional neural network; at the same time, malicious switches are detected by checking whether a switch's data forwarding behavior is consistent with the controller's requirements. Based on the results of behavior analysis, the event processing function applies a threat assessment strategy to rate the harm of the traffic, blocks the malicious traffic and isolates the malicious switch. Test results show that the method's average accuracy for malicious traffic detection is 96.7%, and that after a malicious switch is found it can re-plan the data forwarding path and isolate the switch with acceptable performance overhead.

2. A malicious traffic defense method based on Network Threat Intelligence (CTI) is proposed. To address the limited detection capability of vulnerability-centered malicious traffic detection and the low utilization of security threat intelligence in SDN, threat intelligence about SDN is first collected from the Internet as raw intelligence data; security concept extraction and data filtering are applied to the raw data to build a knowledge graph, and statistics of network traffic characteristics are compared against the security threat intelligence knowledge graph. The corresponding response measures are then converted into flow table rules for targeted defense against the malicious traffic. To improve the efficiency of search and similarity comparison, the entities of the knowledge graph are mapped into a vector space, where vector computation makes both operations cheaper. Test results show that the method can effectively identify and block malicious traffic attacks.

3. A machine learning based Web Shell traffic defense method is proposed. Since current detection methods cannot fully exploit the advantages of the SDN architecture, this dissertation uses SDN's centralized management and control and unified monitoring of network traffic, and adds an edge link security decision strategy, a security analysis strategy and a security control coordination strategy to the architecture. The edge link security decision strategy matches and filters HTTP traffic and extracts summary information as input to the malicious traffic detection algorithm for deep packet inspection; the security analysis strategy uses a machine learning algorithm to judge Web Shell malicious traffic and generates threat alarms; and the security control coordination strategy analyzes the threat alarms, converts them into flow table rules and sends these to the data plane to block the Web Shell attack traffic. Test results show that the detection accuracy of the method is 94.92%, that the performance overhead of each module does not affect normal operation of the SDN system, and that it can block all attack communications that generate alarms, with an average blocking delay of 0.725 s.

4. A flow table overflow DDoS attack traffic defense method based on stochastic differential equations is proposed. To address the existence of flow table overflow DDoS attacks in SDN and the weak defensive capability of current methods, the overflow attack is approximated as Brownian motion. First, the drift coefficient and diffusion coefficient of the stochastic differential equation are expanded and adjusted using the Taylor formula; then the SDN overflow attack is shown, by a limit theorem, to converge weakly to an approximate two-dimensional Markov diffusion process. Finally, according to the randomness of SDN network attacks, the stochastic differential equation is transformed into an amplitude equation and the attack detection scheme is established. In the implementation of the scheme, the normal and attacked states of the network are distinguished by computing a network state eigenvalue from flow table statistics, the validity of that eigenvalue is determined in combination with a BP neural network algorithm so as to identify the malicious traffic of flow table overflow DDoS attacks, and a flow table space sharing strategy is used at the same time to relieve the flow table space overload caused by the attack. Comparative test results show that the detection accuracy of the method is 99.52% and that the optimization rate of multi-level flow table defense time is up to 99.7%, outperforming the comparison test object.

5. A prototype SDN malicious traffic defense system is designed and implemented. Taking the mainstream Floodlight controller as the underlying controller, the malicious traffic defense methods proposed in this dissertation are used to build the SDN malicious traffic defense prototype system. The system consists mainly of a monitoring center and an analysis center. The monitoring center is deployed in the data plane of the SDN architecture and implements the link monitoring based malicious traffic defense method. The analysis center is deployed in the control plane of the SDN architecture and integrates the other three malicious traffic defense methods. Verification test results show that the system can effectively prevent flood-type DDoS attack traffic, Web Shell traffic and flow table overflow DDoS attack traffic, detect and isolate malicious switches, and that its performance overhead does not affect use of the system within a reasonable range. Comparative test results show that the prototype system outperforms Snort on the SDN-specific Web Shell and flow table overflow DDoS attack traffic.

This dissertation analyzes the characteristics of the SDN network architecture and summarizes the characteristics of attack threats based on network malicious traffic. Through research on network simulation, deep learning, mathematical modeling, formal analysis and other technical theories, it builds the network attack and defense model, proposes various optimization strategies and algorithms, and verifies the feasibility and effectiveness of the proposed algorithms in a simulation experimental environment. A more comprehensive solution for SDN malicious traffic attack and defense is proposed.
Keywords/Search Tags: Network Security, SDN, Malicious Traffic Detection, Flow Table Overflow