
Research On DDoS Attack Detection And Defense Method In SDN Environment

Posted on: 2020-03-28
Degree: Master
Type: Thesis
Country: China
Candidate: L L Ma
Full Text: PDF
GTID: 2428330575965347
Subject: Engineering

Abstract/Summary:
With the rapid development of the Internet, it has become an indispensable part of our lives. While enjoying the convenience that the Internet brings, people also face serious network security problems. The traditional network architecture is complex and scales poorly, and it cannot meet the requirements of flexible and efficient network management. Software Defined Networking (SDN) is a new type of network architecture that breaks the vertical integration of the traditional architecture. Its core idea is the separation of control and forwarding: the control functions and the data forwarding functions of the underlying devices are decoupled.

Network security incidents have become more frequent in recent years. Among the many attack methods, Distributed Denial of Service (DDoS) is highly destructive, has a wide attack range and is easy to carry out, and it is one of the main security threats faced by SDN. With the increasing use of the SDN architecture in cloud data centers, how to ensure the security of SDN has become a focus of research. This thesis mainly studies the detection and defense of DDoS attacks in the SDN environment. The specific research work is as follows.

Firstly, for DDoS attacks that consume SDN controller resources, a DDoS attack detection method based on machine learning is proposed, consisting of an anomaly detection module, a flow feature extraction module and an attack detection algorithm module. Analysis of DDoS attack characteristics shows that the destination addresses of attack packets are usually the same, so the entropy of the destination address is lower. The entropy value of the destination address is therefore used as the anomaly detection method, and it serves as the trigger mechanism for the DDoS attack detection algorithm. Because the entropy value is simple to calculate, this detection method uses few CPU resources and reduces the burden on the network. Four features of each flow are extracted to form the feature vector that is the input of the attack detection algorithm, and with it normal flows and attack flows can be well distinguished. The DDoS attack detection algorithm combines the results of the Support Vector Machine (SVM) and K-means algorithms to avoid the bias that a single machine learning algorithm shows on different training data sets. The detection results are also used as input data sets to retrain SVM and K-means, so the algorithm is optimized by model retraining.

Secondly, when it is detected that the network is suffering a DDoS attack, a traceback-based DDoS attack defense method is proposed, consisting of attack source tracing and attack mitigation. Combining the characteristics of SDN, the traditional probabilistic packet marking (PPM) algorithm is improved: 40 bits in the IP packet are used as the marking space of the data packet, so the marking space is sufficient and the impact on the network is small. Attack source tracing has two parts: packet marking and attack path reconstruction. The packet marking process uses the label record table maintained in the SDN switches and does not need to construct the network topology. Marking packets with dynamic marking probabilities speeds up the marking rate, and the space occupied by the mark information is small. The path reconstruction algorithm starts from the victim and uses the mark information in the data packets together with the label record table of the SDN switches to reconstruct the attack path; it takes little time and has high traceability. After attack source tracing is completed, a DDoS attack mitigation method suitable for the SDN environment is designed by combining the characteristics of SDN with existing DDoS mitigation methods such as Access Control Lists (ACL) and traffic management strategies.

The effectiveness of the proposed DDoS attack detection model and defense mechanism is verified by simulating a real SDN network environment on the Mininet simulation platform.
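The destination-address entropy trigger described in the first part of the abstract is the cheap, always-on stage that decides when the heavier SVM/K-means classifier should run. The following is an added example illustrating that stage; it is not code from the thesis. It uses a constructed packet stream (one destination address per packet), a fixed-size packet window, and an assumed threshold of 0.5 on entropy normalized to [0, 1]; the window size, threshold and sample addresses are all assumptions, not values from the thesis.

```python
import math
from collections import Counter

# Constructed sample traffic: one destination address per packet, in arrival
# order. These values are invented for this example and are not measurements
# from the thesis.
NORMAL_WINDOW = [f"10.0.0.{i}" for i in range(1, 9)]   # 8 packets to 8 distinct hosts
ATTACK_WINDOW = ["10.0.0.1"] * 7 + ["10.0.0.2"]        # 7 of 8 packets hit one host
STREAM = NORMAL_WINDOW + ATTACK_WINDOW


def dst_entropy(dst_addrs):
    """Shannon entropy (in bits) of the destination-address distribution."""
    n = len(dst_addrs)
    if n == 0:
        return 0.0
    counts = Counter(dst_addrs)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def normalized_dst_entropy(dst_addrs):
    """Entropy scaled to [0, 1]: 1.0 when every packet has a distinct
    destination, 0.0 when all packets share one destination.  Dividing by
    log2(window size) lets one threshold be reused across window sizes."""
    n = len(dst_addrs)
    if n < 2:
        return 0.0
    return dst_entropy(dst_addrs) / math.log2(n)


def should_trigger(dst_addrs, threshold=0.5):
    """Anomaly trigger: hand the window to the ML classifier only when the
    destination entropy collapses below the (assumed) threshold."""
    return normalized_dst_entropy(dst_addrs) < threshold


def scan_stream(dst_stream, window_size=8, threshold=0.5):
    """Split a packet stream into fixed-size windows and return
    (normalized entropy rounded to 4 places, triggered) per full window."""
    results = []
    for start in range(0, len(dst_stream) - window_size + 1, window_size):
        window = dst_stream[start:start + window_size]
        h = normalized_dst_entropy(window)
        results.append((round(h, 4), h < threshold))
    return results


if __name__ == "__main__":
    for idx, (h, fired) in enumerate(scan_stream(STREAM)):
        state = "yes" if fired else "no"
        print(f"window {idx}: normalized entropy={h:.4f} trigger={state}")
```

The first window (eight distinct destinations) scores 1.0 and stays quiet; the second (seven of eight packets to one host) drops to about 0.18 and fires. In a deployment the trigger would read destination addresses from flow statistics collected by the controller rather than from a list, and the threshold would be calibrated on the network's own baseline traffic, since a small network with few servers has a naturally low destination entropy.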
Keywords/Search Tags:SDN, DDoS, attack detection, machine learning, attack defense