
Research On Algorithm Of DDOS Attack Detection In SDN Environment

Posted on: 2018-01-12
Degree: Master
Type: Thesis
Country: China
Candidate: D Yin
GTID: 2348330515996593
Subject: Computer software and theory
Abstract/Summary:
Software-Defined Networking (SDN) is a new network architecture. In SDN, the control plane and the data plane are decoupled, and the SDN controller provides centralized control of the whole network. Compared with the traditional network architecture, centralized control makes management and development much easier for network administrators and developers. Developers can implement a variety of network services and functions through the programming interface the SDN controller provides, without having to worry about the underlying implementation of the network.

While an SDN network is easier to manage than a traditional one, its design also introduces new security issues. Because the SDN controller must manage and control the entire network, it becomes the core of the whole SDN network. If an attacker sends massive numbers of packet-in messages to the controller using packets with spoofed source IP addresses, a single SDN controller becomes overloaded and the switches' flow tables overflow. These issues can paralyze the entire SDN network, leaving it unable to handle new requests.

At present, the main DDoS detection methods for SDN network equipment follow two approaches: statistical analysis and machine learning. The former simply transplants DDoS detection algorithms from traditional networks to SDN, so it cannot take full advantage of SDN. The latter has a long training time, requires a lot of storage space for deployment and training, and cannot be quickly redeployed. Because SDN has many distinctive characteristics, such as traffic analysis, centralized control and rich flow entries, detection algorithms cannot simply be copied from the traditional network architecture to an SDN network.

In this paper, we first propose a DDoS detection algorithm based on the similarity rate of packet-in messages on boundary switch ports. The algorithm takes full advantage of SDN's centralized control and global topology: by calculating the similarity of the packet-in transmission rate of boundary switch ports, it can locate the real DDoS attack source in a short time, respond quickly and block the DDoS attack. Then, this paper proposes a search algorithm based on cosine similarity and the asymmetry of traffic flow to find the real DDoS attacker and the victim. The algorithm does not need to search the attacked switches layer by layer, which reduces lookup time and saves computing resources on the controller.
Keywords/Search Tags: Software-Defined Networking, DDoS, attack detection, search algorithm, cosine similarity
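The abstract names two detection signals without giving their formulas: the similarity of packet-in rates across boundary switch ports, and the asymmetry of traffic flow at the port that carries the attack. The following added example (not the thesis's own algorithm, whose full text is not on this page) sketches how a controller-side monitor could use both signals. Everything in it is an assumption for illustration: the packet-in record format (one record per packet-in, as a tuple of second, switch, ingress port, source IP, destination IP), the 10-second window, the cosine-similarity and asymmetry thresholds, and the definition of asymmetry as the fraction of source addresses seen on a port that never appear as a destination of any packet-in in the same window. The sample events are constructed so that ports 1 and 2 of switch s1 exchange ordinary traffic while port 3 starts flooding spoofed sources at t = 20.

```python
from collections import defaultdict
from math import sqrt

WINDOW = 10          # seconds per analysis window (assumed)
SIM_THRESHOLD = 0.8  # assumed: below this, the per-port rate profile has shifted
ASYM_THRESHOLD = 0.9 # assumed: fraction of unanswered sources that marks a port


def constructed_events():
    """Constructed packet-in log: (second, switch, ingress_port, src_ip, dst_ip).

    Ports 1 and 2 of s1 carry normal request/reply traffic. Port 3 carries one
    legitimate host until t = 20, then 200 packet-ins per second from spoofed
    sources that never receive a reply (so they never appear as a dst_ip)."""
    events = []
    for t in range(40):
        for i in range(3):
            events.append((t, "s1", 1, f"10.0.1.{i}", "10.0.2.1"))   # requests
            events.append((t, "s1", 2, "10.0.2.1", f"10.0.1.{i}"))   # replies
        if t < 20:
            events.append((t, "s1", 3, "10.0.3.5", "10.0.2.1"))
            events.append((t, "s1", 2, "10.0.2.1", "10.0.3.5"))
        else:
            for j in range(200):
                events.append((t, "s1", 3,
                               f"203.0.113.{(t * 200 + j) % 256}", "10.0.2.1"))
    return events


def port_rate_vector(events, switch, t0, ports):
    """Packet-in rate (per second) for each port of `switch` in [t0, t0 + WINDOW)."""
    counts = defaultdict(int)
    for t, sw, port, _, _ in events:
        if sw == switch and t0 <= t < t0 + WINDOW:
            counts[port] += 1
    return [counts[p] / WINDOW for p in ports]


def cosine(a, b):
    """Cosine similarity of two rate vectors; 1.0 means the same shape across ports."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def port_asymmetry(events, switch, port, t0):
    """Fraction of source IPs entering via `port` in the window that are never a
    destination of any packet-in in the same window (no return traffic)."""
    window = [e for e in events if t0 <= e[0] < t0 + WINDOW]
    sources = {e[3] for e in window if e[1] == switch and e[2] == port}
    destinations = {e[4] for e in window}
    if not sources:
        return 0.0
    unanswered = sum(1 for s in sources if s not in destinations)
    return unanswered / len(sources)


def detect(events, switch, ports, baseline_t0, t0):
    """Compare the current per-port rate profile with a baseline window; if the
    profile has shifted, return the ports whose traffic is one-directional."""
    baseline = port_rate_vector(events, switch, baseline_t0, ports)
    current = port_rate_vector(events, switch, t0, ports)
    sim = cosine(baseline, current)
    suspects = []
    if sim < SIM_THRESHOLD:
        for p in ports:
            if port_asymmetry(events, switch, p, t0) >= ASYM_THRESHOLD:
                suspects.append(p)
    return sim, suspects


if __name__ == "__main__":
    ev = constructed_events()
    for t0 in (10, 20, 30):
        sim, suspects = detect(ev, "s1", [1, 2, 3], 0, t0)
        print(f"window {t0}-{t0 + WINDOW}: similarity={sim:.3f} suspect ports={suspects}")
```

Cosine similarity is scale-invariant, which is why the vector is built across ports rather than over time for a single port: a uniform rise on every port would not change it, while a flood concentrated on one boundary port does. The asymmetry check then isolates that port without walking the topology switch by switch, which is the saving the abstract attributes to its search algorithm.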