
Research On Recognition And Detection Of Intrusion Behavior In SDN Network

Posted on: 2021-04-08
Degree: Master
Type: Thesis
Country: China
Candidate: S Yin
Full Text: PDF
GTID: 2428330611970902
Subject: Electronic and communication engineering
Abstract/Summary:
Against the technical background of the future network, new network technology represented by the Software Defined Network (SDN) breaks the integrated plane structure of the traditional network and separates the control and forwarding functions. Its programmable control and centralized management provide an excellent solution to the problem of network expansion, and it has been applied in data center networks, backbone networks, and wide area networks. However, SDN networks still face security problems in practical applications. When the network is attacked, detecting and identifying intrusion behavior quickly and accurately is of great significance for keeping the network operating safely.

To address the heavy monitoring burden and low detection accuracy in SDN networks, a multi-stage hybrid detection method is proposed, which combines a purpose-designed coarse-grained data plane monitoring algorithm with an improved XGBoost fine-grained classification model to detect intrusive traffic. Existing detection mechanisms offer insufficient pre-judgment and monitoring the global network is costly, so the method first monitors the CPU usage of each switch's forwarding process, compares it with a dynamic historical reference value, and counts the number of abnormal CPU increases in the time series in order to detect anomalies quickly and locate the anomalous switch. It then uses the Packet_in message mechanism of the SDN network to measure the Packet_in packet rate and the destination IP cross-entropy value of the traffic sent by the abnormal switch, and compares the measured values with thresholds to determine whether there is attack traffic at that switch. Finally, using the statistical features of the OpenFlow protocol, flow features are extracted from the switch flow table statistics and fed into the classification model to detect the attack traffic.

To address the complexity of tuning the hyperparameters of the XGBoost model, the hyperparameter selection strategy is improved by using the ability of Bayesian methods to model and reason about uncertain problems, and an automatic optimization model is constructed that selects hyperparameters adaptively and improves the detection accuracy of the model.

A simulated network is built with the Mininet tool and the OpenDaylight controller, background traffic and attack behavior are simulated with the Iperf tool and Hping3, and both the collected simulated network traffic and public data sets are used to verify the effectiveness of the improved mechanisms and algorithms. The experimental results show that the CPU utilization of the switch's vSwitchd forwarding process differs under different attack intensities. The abnormal switch is detected by monitoring the number of abnormal increases, which achieves coarse-grained detection of the network. In the simulated traffic classification experiment, the detection accuracy of the improved XGBoost algorithm is 99.41%, which is 0.52% higher than the original algorithm. Its detection indicators are also better than those of the KNN and AdaBoost algorithms. In the public data set experiment, the improved algorithm model is verified and shows good detection performance.
Keywords/Search Tags:Software-Defined Network, XGBoost Algorithm, Bayesian Optimization Algorithm, Anomaly Traffic Detection
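
The first two stages described in the abstract can be sketched as follows; this is an added example, not code from the thesis. The abstract gives neither the cross-entropy formula nor any thresholds, so the formula used here (H(p, q) of a baseline destination-IP distribution against the add-one-smoothed current window), the function names, the thresholds and the sample data are all assumptions.

```python
import math
from collections import Counter

def cpu_increase_count(samples, window=5, margin=1.3):
    """Stage 1: count samples above margin x the mean of the previous `window` samples."""
    hits = 0
    for i in range(window, len(samples)):
        reference = sum(samples[i - window:i]) / window  # dynamic historical reference
        if samples[i] > margin * reference:
            hits += 1
    return hits

def cross_entropy(baseline_ips, window_ips):
    """H(p, q) in bits; p = baseline dst-IP distribution, q = smoothed window distribution.

    Assumed definition: H(p, q) >= H(p), and it grows as the window departs from baseline.
    """
    p, q = Counter(baseline_ips), Counter(window_ips)
    vocab = set(p) | set(q)
    q_total = len(window_ips) + len(vocab)  # add-one smoothing keeps log2 finite
    return -sum((n / len(baseline_ips)) * math.log2((q[ip] + 1) / q_total)
                for ip, n in p.items())

def inspect_switch(cpu, baseline_ips, window_ips, seconds,
                   min_hits=3, rate_thr=50.0, ce_thr=3.0):
    """Return (verdict, hits, rate, ce); stage 2 runs only if stage 1 flags the switch."""
    hits = cpu_increase_count(cpu)
    if hits < min_hits:
        return ("normal", hits, None, None)
    rate = len(window_ips) / seconds  # Packet_in messages per second
    ce = cross_entropy(baseline_ips, window_ips)
    # Both thresholds exceeded: hand the switch's flow statistics to the classifier.
    verdict = "classify-flows" if rate > rate_thr and ce > ce_thr else "cpu-only"
    return (verdict, hits, rate, ce)

# Constructed sample data (not from the thesis): CPU % of the forwarding process
# and destination IPs taken from Packet_in messages in a 10-second window.
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
BASELINE = HOSTS * 25
QUIET_CPU = [10, 11, 10, 12, 11, 10, 11, 12, 10, 11]
FLOOD_CPU = [10, 11, 10, 12, 11, 10, 11, 35, 50, 62, 70, 71]
QUIET_WINDOW = HOSTS * 10
FLOOD_WINDOW = ["10.0.0.4"] * 1000

if __name__ == "__main__":
    print(inspect_switch(QUIET_CPU, BASELINE, QUIET_WINDOW, 10))
    print(inspect_switch(FLOOD_CPU, BASELINE, FLOOD_WINDOW, 10))
```

Only a switch that fails both stages is passed on to flow-table feature extraction and the classifier, which is what keeps the per-switch monitoring cost low.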