Research On Moving Target Defense Technology Based On Scanning Attack Detection In SDN

Posted on: 2022-09-07
Degree: Master
Type: Thesis
Country: China
Candidate: X X Lv
Full Text: PDF
GTID: 2518306494968749
Subject: Cyberspace security
Abstract/Summary:
Traditional networks are easily targeted by intruders because their attack surface is static and predictable. The information asymmetry between network administrators and intruders also increases the difficulty of defense. Scanning is the first step of an intrusion, so it is very important to detect and classify scanning traffic and to formulate a follow-up moving target defense (MTD) strategy. Software-Defined Networking (SDN) is a new network architecture. The centralized control and programmability of the SDN controller make it much easier for administrators to manage network equipment, issue forwarding strategies and extend related functions. The purpose of MTD is to generate a changing attack surface that increases the difficulty of intrusion, and the characteristics of SDN greatly facilitate this process. Therefore, in an SDN environment, this paper detects scanning traffic in the network with a DNN model and designs corresponding MTD technology to protect the security of network equipment according to the different detection results. The main work of this paper is as follows:

(1) This paper proposes a scanning attack detection model based on PCA-DNN in an SDN environment. It uses the characteristics of the SDN architecture and performs feature extraction based on flow entries. The data acquisition module is designed to extract data from the OpenFlow switch, the preprocessing module performs data processing, and the PCA-DNN module completes dimensionality reduction and classification. In addition, additional parameters are introduced to improve the ReLU activation function.

(2) An MTD mechanism based on randomization of response data is proposed, and the programmability of the SDN controller is used to design and develop the related architecture. This addresses the problem that traditional MTD technology lacks the ability to perceive the network status and therefore selects the MTD mechanism blindly. On the basis of the detection results in Chapter 3, the relevant principles of scanning attacks are analyzed, and key fields of response data packets are hopped through the controller and OpenFlow. This increases the difficulty of the attacker's detection of surviving hosts and open ports in the network, so as to confuse the attacker and protect the security of network equipment.

(3) We use Docker + Ryu + OVS to build a simulation test environment, with scapy generating the data traffic, and conduct experiments on and analyses of the design of this paper. The experimental results show that the accuracy and recall rate of the scanning attack detection module for the four scanning flow entries are both 98%, and that the improved ReLU activation function mitigates the dying ReLU problem during model training. The MTD function module increases the difficulty of the intruder's attack and confuses their scanning results. These results show that the design of this paper is effective.
Keywords/Search Tags:Software defined network, Scanning attack, Deep neural network, Moving target defense, Response data randomization