
Research On APT Attack Detection In Software Defined Network

Posted on: 2019-03-25
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Ni
Full Text: PDF
GTID: 2348330569488491
Subject: Information and Communication Engineering

Abstract/Summary:
Recently, with the rapid development of cloud computing and computer network technology, the requests and traffic generated by users accessing services have increased drastically, and satisfying these demands is quite a challenge in traditional networks. As an emerging network architecture, Software Defined Network (SDN) is software-programmable, globally visible, and capable of network virtualization. Therefore, SDN has been widely used in data centers, wide area networks, local area networks and wireless communication. Researchers in academia and industry now regard SDN as the next-generation network architecture, and the SDN architecture has promoted the rapid development of computer network technology.

However, computer networks face serious security issues (e.g. network intrusion, malicious attacks, and so on). In particular, the Advanced Persistent Threat (APT) has emerged in recent years and become a more nefarious threat. An APT aims at stealing confidential information, and it is highly insidious and highly threatening. Once an APT occurs, it causes significant damage to countries, companies, and organizations.

In order to detect APT in SDN, an APT detection scheme comprising a scanning detection method and a covert communication detection method is proposed, based on the characteristics of SDN and data mining. The main contributions are summarized as follows:

A scanning detection mechanism is designed based on an analysis of the scanning attack in APT. To detect scanning, this mechanism first uses sFlow to capture the transmitted traffic from the network and sends these packets to the SDN controller. Subsequently, the controller extracts an eigenvalue matrix and classifies the matrix using a Bayesian algorithm. Finally, the mechanism judges whether there is a scanning attack in the underlying network.

A covert communication detection mechanism is designed based on an analysis of the covert communication in APT. To detect covert communication, this mechanism first captures the transmitted traffic from the underlying network. Subsequently, it extracts SSL certificates from the captured packets and calculates several eigenvalues of the extracted SSL certificates. Finally, using the isolation forest algorithm on the extracted eigenvalues, it detects whether these SSL certificates are abnormal.

The proposed APT detection scheme has been implemented. In the implemented system, the primary modules are a traffic collection module designed based on sFlow, an illegal scanning detection algorithm module, a traffic collection module designed based on OpenFlow, a covert communication detection algorithm module based on iForest, and a traceability inhibition module. Finally, the implemented APT detection system has been evaluated on Mininet. Simulation results verify that the proposed scheme can improve the detection accuracy and reduce the false positives of scanning detection and covert communication detection in SDN.
Keywords/Search Tags:SDN, APT, Scan, Covert Communication