
Researches On DDoS Attack Detection And Defense Methods Using Machine Learning In SDN

Posted on: 2020-05-28
Degree: Master
Type: Thesis
Country: China
Candidate: J T He
Full Text: PDF
GTID: 2428330575963086
Subject: Software engineering
Abstract/Summary:
Software-Defined Networking (hereinafter referred to as SDN) is a new type of network structure. In SDN, the forwarding logic and control logic are separated into two independent planes: a distributed data plane and a centralized control plane. The centralized control plane helps SDN managers detect network status more accurately, respond to user requests more quickly, and orchestrate application services more efficiently. The forwarding-control separation and the centralized control plane give SDN the flexibility, agility and programmability that traditional networks lack. SDN is therefore widely used in Internet-of-Things (IoT) and data center networks, where it significantly enhances network performance. At the same time, SDN has become one of the most important basic technologies in the 5G network deployment process.

However, the centralized control plane, one of the defining features of SDN, is both an advantage and a weakness. A failure of the control plane leads to a flaw in the entire network, i.e. a single point of failure. Especially in the case of distributed denial of service (DDoS) attacks, the security of the control plane and of the entire SDN is greatly threatened. Detecting and defending against DDoS attacks on SDN controllers is therefore an important issue that cannot be ignored in the SDN deployment process. This thesis introduces and analyzes DDoS attacks against controllers in SDN, and proposes two machine-learning-based methods to detect and defend against DDoS attacks that target controllers and thereby cause network defects.

(1) The first solution is a time-based DDoS attack detection and defense scheme. The detection mechanism extracts temporal features from the traffic statistics of the OpenFlow switch and uses these time features to train a Back Propagation Neural Network (BPNN), obtaining the temporal feature pattern in the OpenFlow switch at the initial stage of an attack. The time feature patterns and the trained BPNN can then be used to detect DDoS attacks. The defense mechanism blocks malicious traffic by blocking the source port, and reduces the impact of the port ban on normal services through dynamic port recovery. Because it uses time features, the scheme can prevent DDoS attacks in their initial stage by detecting the trend of the attack, thereby reducing the harm caused. In tests on a common data set, the scheme showed a more comprehensive, accurate and fast detection effect, and effectively achieved the defense and recovery functions.

(2) The second solution is a DDoS attack detection and defense scheme based on traffic distribution. Because BPNN needs to be trained in advance, this scheme replaces the detection algorithm with the K-Means clustering algorithm (K-Means), which makes the detection mechanism adaptive. Since K-Means is an "unsupervised" machine learning algorithm, the features used are changed from time features to traffic distribution features. Flow entries are clustered by K-Means to generate a category distribution. Since each flow entry represents a data stream, the categories generated by the clustering represent different types of data streams, and the category distribution can represent the traffic distribution. Because it uses an unsupervised machine learning algorithm, the scheme reduces the training process compared to the previous scheme, and classifies the traffic patterns by the real-time characteristics of the current network. The scheme therefore has better adaptability under different network conditions. At the same time, the defense mechanism is changed from blocking traffic to filtering traffic, which improves the availability of various network services during the defense process.
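
The category-distribution idea in scheme (2), as an added sketch that is not code from the thesis: flow entries from two observation windows are clustered together with K-Means, and each window's share of entries per cluster is compared. The feature set, k=3, the total variation distance used for the comparison, all function names and the sample flow entries are assumptions made for illustration; the abstract does not specify them.

```python
import math

# Constructed flow entries (packets, bytes, duration_s); the features are assumed.
NORMAL_A = [(120, 96000, 12), (80, 60000, 9), (150, 130000, 20), (95, 70000, 10),
            (2, 160, 1), (1, 80, 1), (5000, 7000000, 120), (4200, 5800000, 100)]
NORMAL_B = [(110, 90000, 11), (70, 50000, 8), (130, 100000, 15), (90, 72000, 10),
            (2, 150, 1), (1, 75, 1), (4800, 6700000, 110), (5200, 7200000, 130)]
# Same background traffic plus a burst of single-packet flow entries.
ATTACK_WINDOW = NORMAL_B + [(1, 60, 0)] * 24

def features(entry):
    # Log-scale packet count, mean packet size and duration so no feature dominates.
    pkts, byts, dur = entry
    return (math.log1p(pkts), math.log1p(byts / max(pkts, 1)), math.log1p(dur))

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def assign(p, cents):
    return min(range(len(cents)), key=lambda i: dist2(p, cents[i]))

def kmeans(points, k, iters=50):
    # Deterministic farthest-point seeding, then Lloyd iterations until stable.
    cents = [points[0]]
    while len(cents) < k:
        cents.append(max(points, key=lambda p: min(dist2(p, c) for c in cents)))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[assign(p, cents)].append(p)
        new = [tuple(sum(col) / len(g) for col in zip(*g)) if g else c
               for g, c in zip(groups, cents)]
        if new == cents:
            break
        cents = new
    return cents

def category_distribution(entries, cents):
    counts = [0] * len(cents)
    for e in entries:
        counts[assign(features(e), cents)] += 1
    return [c / len(entries) for c in counts]

def distribution_shift(prev, cur, k=3):
    # Cluster both windows together (no pre-training); compare by total variation.
    cents = kmeans([features(e) for e in prev + cur], k)
    p, q = category_distribution(prev, cents), category_distribution(cur, cents)
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))
```

On the constructed data, `distribution_shift(NORMAL_A, NORMAL_B)` is 0.0, while `distribution_shift(NORMAL_A, ATTACK_WINDOW)` is 0.5625 because the short-flow category grows from 25% to about 81% of entries.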
Keywords/Search Tags:Software-Defined Networking, Distributed Denial-of-Service, Machine learning, Back Propagation Neural Network, K-Means Algorithm