| Since the birth of computer networks in the mid-1950s,the Internet has brought many conveniences to people,but the rapid development of the network also contains many huge threats,among which distributed denial of service(DDoS)attacks are the most important.One of the destructive cyber threats.DDoS attacks have the characteristics of multiple attack methods,low attack cost,large attack impact,etc.,and it is difficult to detect and defend.Therefore,DDoS attacks are mostly used in network extortion,malicious competition,information theft and even network wars.As the threshold for initiating DDOS attacks has become lower and lower,more and more network hackers are selling DDoS attack services,and there are more and more open source DDoS tools.This has led to more threats to our current network environment.Come bigger.Existing DDoS attack detection methods have the shortcomings of high time delay and low detection rate,and they are inadequate in the face of increasing DDoS attacks.This paper proposes a DDoS attack detection method based on abnormal network behavior under SDN network architecture.According to the characteristics of flooding attacks(DDoS attacks),this method sets up an alarm program on the network edge switch.When an abnormality is found,an alarm is sent to the SDN controller,and then the network traffic is filtered by the controller,leaving only "many-to-one" In order to reduce the interference from normal network traffic,it then classifies abnormal network behaviors to improve detection accuracy.Finally,a DDoS attack detection method based on the VIST model is established.This article uses the network anomaly characteristic value VIST to reflect the status changes of the IP address and the new IP address of the "many-to-one" network flow to identify the abnormal status of the network traffic caused by DDoS attacks.Experiments show that compared with similar methods,this method has lower time delay,higher detection rate and lower false alarm rate. |
PDF Full Text Request