
Research And Application Of DDoS Detection And Defense Technology In SDN Network

Posted on: 2021-03-10
Degree: Master
Type: Thesis
Country: China
Candidate: R Y Li
Full Text: PDF
GTID: 2518306308977999
Subject: Cyberspace security

Abstract/Summary:
Compared with the traditional network architecture, Software Defined Networking (SDN) separates the forwarding logic from the control logic and lets users develop custom applications through the API of the core control layer. These features improve the centralized management and control capability of SDN networks and the flexibility of network configuration, and ultimately the network's ability to support business and services.

Distributed Denial of Service (DDoS) attacks are cheap to launch and cause damage over a wide area. Their basic principle is to control a large number of zombie hosts that all send traffic to the target host at the same time, exhausting the target's computing resources and network bandwidth. The centralized management of SDN networks makes DDoS attacks one of the major threats to SDN security. When a large volume of DDoS attack traffic that matches no flow entry reaches an OpenFlow switch, a large number of Packet_in messages are sent up to the SDN controller, severely consuming the bandwidth of the secure channel and the computing resources of the controller, so that the controller is exposed to the risk of a "single point of failure". DDoS attacks are therefore more harmful to SDN networks than to traditional IP networks, and how to detect and prevent them efficiently and accurately in SDN networks has gradually become an important research subject.

The centralized management and programmability of SDN make detecting abnormal traffic in an SDN network harder than in a traditional IP network. On this basis, this paper proposes a DDoS attack detection and defense mechanism for SDN networks and then implements a complete DDoS attack detection and defense system. At the end of the paper, its effectiveness and reliability are verified in a simulated SDN network. The main work and innovations of this thesis are as follows:

(1) φ-entropy is introduced as a new information metric for DDoS attack detection, and its feasibility for DDoS attack detection is demonstrated mathematically. φ-entropy can adjust the sensitivity of the entropy value to random changes in the system by changing the parameter φ; compared with the traditional Shannon entropy, φ-entropy is more flexible.

(2) A multi-level detection mechanism based on information entropy and the SVM classification algorithm is proposed. Entropy-based detection schemes are typically fast and impose low system overhead but have a high false alarm rate; SVM-based detection schemes impose high system overhead but have a low false alarm rate and high accuracy. This paper combines the two: information entropy is used first as a coarse inspection that filters out the large amount of normal traffic, and only if the entropy value changes significantly within a window is the SVM classifier applied for further detection, so that both accuracy and system overhead are taken into account.

(3) A sliding window mechanism is proposed to optimize the entropy calculation. The window is the smallest unit over which information entropy is calculated. Compared with a fixed window, the sliding window only adds elements at the head and deletes elements at the tail, and the entropy value of the whole window is adjusted dynamically and continuously, which reduces repeated calculation.

(4) An attack prediction algorithm based on the Taylor series is proposed. When a DDoS attack occurs in the SDN network, the OpenFlow switch decides whether to request a DDoS attack traffic redirection policy by predicting the number of packets that will miss the flow table in the next time period. Simulation experiments show that the algorithm has good prediction ability.

(5) A simulated SDN network is built on Mininet, and the DDoS attack detection and defense system described above is implemented on it. The results show that the system can detect DDoS attack traffic accurately and in a timely manner and carry out traffic migration.
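The entropy stage of items (1) to (3) above, as an added illustration that is not the thesis's own code: a sliding window over the destination-IP field of Packet_in messages whose entropy is updated in constant time per packet instead of being recomputed over the whole window. Because the page does not give the definition of φ-entropy, the block uses Shannon entropy; the window size, the alert threshold and the sample Packet_in stream (a spread of normal destinations followed by a flood to one victim) are all constructed assumptions. When the entropy of a full window falls below the threshold, the window would be handed to the SVM stage the thesis describes.

```python
"""Sliding-window entropy over Packet_in destination IPs.
Constructed example; not the thesis's implementation."""
import math
from collections import Counter, deque


def shannon_entropy(counts):
    """Shannon entropy in bits of a distribution given as symbol counts.
    Used only as an independent cross-check of the incremental version."""
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values() if c)


def _clog(c):
    # c * log2(c), with the convention 0 * log2(0) = 0
    return c * math.log2(c) if c > 0 else 0.0


class SlidingWindowEntropy:
    """Fixed-size sliding window that keeps H = log2(N) - (1/N) * sum(c*log2 c)
    up to date in O(1) per packet: only the entering and leaving symbols'
    c*log2(c) terms change, so the window is never rescanned."""

    def __init__(self, size):
        self.size = size
        self.window = deque()
        self.counts = Counter()
        self.clog_sum = 0.0  # running sum of c*log2(c) over all symbols

    def _add(self, key):
        c = self.counts[key]
        self.clog_sum += _clog(c + 1) - _clog(c)
        self.counts[key] = c + 1

    def _remove(self, key):
        c = self.counts[key]
        self.clog_sum += _clog(c - 1) - _clog(c)
        if c == 1:
            del self.counts[key]
        else:
            self.counts[key] = c - 1

    def push(self, key):
        """Add one symbol at the head, drop the oldest at the tail if the
        window is full, and return the window's current entropy in bits."""
        self.window.append(key)
        self._add(key)
        if len(self.window) > self.size:
            self._remove(self.window.popleft())
        return self.entropy()

    def entropy(self):
        n = len(self.window)
        if n == 0:
            return 0.0
        return math.log2(n) - self.clog_sum / n


def run_detection(dst_ips, window_size=8, alert_below_bits=1.5):
    """Feed destination IPs through the window; return the entropy trace and
    the stream indices at which a *full* window's entropy fell below the
    threshold. Window size and threshold are assumed tuning values."""
    win = SlidingWindowEntropy(window_size)
    trace, alerts = [], []
    for i, ip in enumerate(dst_ips):
        h = win.push(ip)
        trace.append(h)
        if len(win.window) == window_size and h < alert_below_bits:
            alerts.append(i)
    return trace, alerts


def incremental_matches_recompute(dst_ips, window_size=8):
    """Cross-check: the O(1) update must agree with a full recomputation."""
    win = SlidingWindowEntropy(window_size)
    for ip in dst_ips:
        h = win.push(ip)
        if abs(h - shannon_entropy(win.counts)) > 1e-9:
            return False
    return True


# Constructed sample: 16 Packet_in destinations spread evenly over 8 hosts
# (normal traffic), followed by 8 Packet_in messages aimed at one victim.
NORMAL = [f"10.0.0.{k}" for k in range(1, 9)] * 2
FLOOD = ["10.0.0.9"] * 8
SAMPLE_STREAM = NORMAL + FLOOD

if __name__ == "__main__":
    trace, alerts = run_detection(SAMPLE_STREAM)
    for i, h in enumerate(trace):
        flag = "ALERT -> hand window to SVM stage" if i in alerts else ""
        print(f"{i:2d} {SAMPLE_STREAM[i]:<10} H={h:.3f} {flag}")
    print("incremental == recompute:", incremental_matches_recompute(SAMPLE_STREAM))
```

With the sample stream the entropy of the full window sits at 3 bits (8 equally likely destinations) during normal traffic and decays packet by packet once the flood starts, reaching 0 when every slot holds the victim address; the alert fires from the sixth flood packet onward. The incremental update only touches the two changed terms of the c·log2(c) sum, which is what makes the sliding window cheaper than recomputing entropy over every window.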
Keywords/Search Tags:SDN, OpenFlow, DDoS-detection, Entropy, Classification algorithm