
Abnormal Traffic Detection Technology In Software-Defined Network

Posted on: 2022-08-11
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Chen
GTID: 2518306323466264
Subject: Information and Communication Engineering

Abstract/Summary:
The rapid development of the Internet has brought much convenience to people's lives, but it has also led to many security problems. How to identify abnormal network traffic accurately is one of the topics of network security research. Software-Defined Network (SDN) is a well-known network architecture of recent years, which provides separation of forwarding and control, network programmability, and high flexibility. These characteristics provide new methods for abnormal traffic detection.

Machine learning is crucial in traffic anomaly detection. It has many advantages, such as a standard learning process, abundant statistical learning algorithms, an active Q&A community, many toolboxes, and evaluation benchmarks for reference. However, implementing a machine learning model still faces many challenges. Firstly, the performance of machine learning methods is highly dependent on feature design. Abnormal traffic contains various non-standard and complex traffic patterns, which requires researchers to use their experience to select feature sets. Secondly, abnormal traffic detection is often an online task, where batch processing algorithms need extra design to deal with large-scale data. Moreover, a well-trained static model is unable to cope with traffic pattern changes in data stream scenarios.

Based on the above analysis, this paper chooses the decision tree and its derived methods in machine learning to detect abnormal traffic, and concentrates on improving traffic anomaly detection performance using SDN modules. The main work is as follows:

1. To detect Distributed Denial of Service (DDoS) attacks quickly and accurately, this paper proposes an improved algorithm, Modified DEcision Tree (MODET), based on the C4.5 decision tree and the imprecise probability in Walley's Imprecise Dirichlet Model (IDM). MODET chooses either the information gain rate or the imprecise information gain for feature partitioning, according to the number of node samples and the size of values of the feature being partitioned. Besides, MODET constrains the number of split child nodes. These improvements enable MODET to classify instances with scattered feature values rapidly while maintaining high prediction accuracy.

2. To extract appropriate features for online traffic anomaly detection, this paper extracts the top 10 vital statistical features from the OVS switch and the flow monitoring and collection software Sflow, following the idea of statistical feature extraction from the KDD CUP99 data set. It then uses the MODET algorithm to detect DDoS attacks and a white list mechanism to filter the malicious attack traffic, in order to guarantee the supply of network service.

3. To make traffic anomaly detection work better in data stream scenarios, this paper proposes the Optimised Hoeffding Tree (OHT) algorithm, based on the Hoeffding tree algorithm in data mining. The OHT algorithm is better suited to dealing with continuously arriving data, data of unlimited scale, and limited computing resources. According to the information gain, OHT chooses whether to conduct feature partitioning or branch pruning when a new flow arrives. Thus the OHT algorithm generates a non-static decision tree model by updating it as each flow arrives. Besides, a multi-classification predictor that integrates multiple binary OHT trees predicts the classes of new flows. The decision is based on the classification results of all OHT trees, thus improving the class detection rate of multi-classification tasks.
Keywords/Search Tags: software-defined network, anomaly detection, machine learning, distributed denial of service attack, data streams mining, decision tree