The Adaptive Detection Prevention System In SDN Based On Neural Network And Trust Value Management

As a new type of network architecture,Software Defined Network(SDN)solves the problem of network and service fragmentation in the traditional network.More importantly,the controller is open to users.Users can write programs through the controller's API,which can be used to implement custom transmission strategies,rules,and network routing.This makes SDN more intelligent and flexible than traditional networks.However,SDN also faces the security problem existing in the traditional network--Distributed Denial of Service(DDoS)attacks.In SDN,due to logically centralized control,once the controller is subjected to DDoS attacks,the harm is better than the traditional network.In this thesis,a detection and defense system is built for DDoS attacks in SDN.The main contributions of this thesis are following.First,for the issue of efficient DDoS detection,considerting the fact that the existed periodic detection system schemes take long detection time of and consume a large amount of controller resources,this thesis proposes an adaptive start detection scheme based on neural network to replace the periodic detection.This scheme can decide whether to start the detection according to the arrival rate of Packet_In,and can start detection quickly when the controller is attacked.A contrast experiment was designed to illustrate the superiority of adaptive startup scheme from three aspects such as CPU usage.Second,after the attacker is detected,it is imperative to take measures against this malicious behaivor.Inspired by the concept of trust values in FlowRanger algorithm,when the controller is attacked,our work reduces trust value of attackers;if the controller is not attacked,increases the trust value of valid user,and according to the user's trust value to sort the request and serve them.Specifically,based on the FlowRanger algorithm,this thesis improves the traditional strategy of discarding the attacker's traffic after discovering the attacker.The improvement is to reduce its trust value.After a period of time,it allows user to gradually increase the trust value to use network service.The improvment raises the QoS of user.However,the FlowRanger algorithm still has the problem of not dealing with attacks without delay.Furthermore,how to accurately find out the attacker and what can represent the user does not explain clearly in the algorithm.So the two improvments are made in our work.(a)This thesis proposes a dynamic defense scheme,which allows the adoption of a securitymiddleware strategy and uses the proposed adaptive start algorithm to forward traffic to security middleware when the controller is suspected of being attacked.Then the security middleware filters out illegal traffic to protect the controller to avoid the problem that controller is down before taking action.We designed a comparative experiment to demonstrate the superiority of the dynamic defense solution by comparing the experiments of the user's communication status under different attack rates without using the dynamic defense scheme and with the dynamic defense scheme.(b)For the FlowRanger algorithm does not explain how to find out the attacker,this thesis uses the MAC address to represent the user,and proposes a traceability algorithm,which finds the attacker through the average of the number of MAC address occurrences in table flow,and users with MAC address occurrences greater than the average are identified as attackers.In Chapter 5,a defense system using a traceability scheme is actually deployed and a DDoS attack is launched.The number of flow entry entries before and after defense can be seen in the flow table.The experimental results demonstrate that the traceability algorithm can accurately identify the attacker.