With the development of network technology, people depend more and more on networks to send and receive information. The static configuration of today's networks leaves attackers free to locate weak targets and mount attacks against them. In recent years attacks have occurred frequently and have drawn wide public attention. The network holds so many potential threats that individuals, companies, and even countries must take action to avoid being attacked. Software Defined Networking (SDN), a new technology, opens an opportunity for virtualized security because of its strong, centralized control over the network.

This thesis studies a defense system based on the SDN architecture. It first collects traffic status information to detect abnormal traffic flows, and then dynamically updates the network configuration to avoid the attack. The system has two modules: abnormal detection and dynamic defense. The key to abnormal detection is calculating the traffic matrix precisely, while the key to dynamic defense is a method that can dynamically change the network configuration, such as IP addresses, ports, and routing. We also verify the feasibility of the system by experiment. The main work of this thesis is summarized as follows:

(1) We propose two algorithms for traffic matrix estimation: the maximum fluctuation value first algorithm and the flow rule load balance algorithm. Combining the two makes the evaluation of the traffic matrix more accurate. First, we obtain the initial traffic matrix with the flow rule load balance algorithm. Next, we choose the first k flows with the largest fluctuation values for measurement. Last, the idea of maximum matching in bipartite graphs is used to allocate the flow entries.

(2) The idea of moving target defense is used to provide dynamic hopping for three kinds of network configuration: IP address, port, and routing. IP address hopping is based on a two-level frequency algorithm, which aims to maximize the unpredictability of IP addresses. Route hopping is based on the weighted routing algorithm, which avoids the single-node vulnerability in which a large volume of data traffic is routed through a small number of nodes.

Finally, D-ITG is used to simulate actual traffic data to evaluate the performance of the system. The experimental data show that the precision of the data flows with the first k fluctuation values is above 70%, which indicates that the maximum fluctuation priority algorithm can effectively reduce the estimation error of the traffic matrix. The experimental simulation of moving target defense also proves that network configuration hopping can maximize the unpredictability of the network configuration and can effectively prevent network reconnaissance.
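As an added illustration of the measurement-selection step in (1), not code from the thesis: it picks the k flows with the largest fluctuation value and then allocates each one a counting flow entry on a switch along its path by maximum bipartite matching. It assumes (the thesis does not say) that a flow's fluctuation value is the spread of its recent byte-count estimates and that a measured flow consumes one free flow-table entry on exactly one switch of its path; the flow histories, paths, and capacities are constructed sample data.

```python
# Constructed sample: recent estimated byte counts per flow (output of the
# load-balance estimation step) and the switches each flow traverses.
FLOW_HISTORY = {
    "f1": [100, 102, 98, 101],      # stable
    "f2": [500, 900, 300, 1200],    # highly fluctuating
    "f3": [50, 400, 60, 380],       # fluctuating
    "f4": [700, 705, 698, 702],     # stable
    "f5": [10, 250, 30, 300],       # fluctuating
}
FLOW_PATH = {"f1": ["s1", "s2"], "f2": ["s1", "s2"], "f3": ["s1", "s3"],
             "f4": ["s2"], "f5": ["s1"]}
FREE_ENTRIES = {"s1": 1, "s2": 1, "s3": 1}   # spare flow-table slots per switch


def fluctuation(history):
    """Assumed definition: spread of the recent estimates for one flow."""
    return max(history) - min(history)


def top_k_fluctuating(k, history=FLOW_HISTORY):
    """Maximum-fluctuation-first: the k flows whose estimates swing most
    are the ones worth spending a measurement rule on."""
    return sorted(history, key=lambda f: fluctuation(history[f]), reverse=True)[:k]


def assign_switches(flows, path=FLOW_PATH, free=FREE_ENTRIES):
    """Maximum bipartite matching (augmenting paths) between the chosen flows
    and individual free flow-table slots; each slot is one right-hand vertex.
    Returns {flow: switch}; flows that cannot be placed are left out."""
    slots = [(sw, i) for sw, n in free.items() for i in range(n)]
    owner = {}  # slot -> flow currently holding it

    def try_assign(flow, seen):
        for slot in slots:
            if slot[0] in path[flow] and slot not in seen:
                seen.add(slot)
                # Free slot, or the current holder can be moved elsewhere.
                if slot not in owner or try_assign(owner[slot], seen):
                    owner[slot] = flow
                    return True
        return False

    for f in flows:
        try_assign(f, set())
    return {f: sw for (sw, _), f in owner.items()}


if __name__ == "__main__":
    chosen = top_k_fluctuating(3)
    print(chosen, assign_switches(chosen))
```

With the sample data, placing f5 forces f3 off s1 and f2 off s2 in turn, so all three chosen flows still get a slot; asking for a fourth flow (f4) fails because every switch on its path is already full.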