Research On SDN-oriented DDoS Attack Detection And Defense Technology

As an emerging network architecture,Software-Defined Networking(SDN)faces many security issues during its development.One of the most typical security issues is distributed denial of service attacks(DDo S),which seriously hinders the development and application of SDN.At present,most research on SDN-oriented DDo S attack detection and defense technology mainly focuses on detection methods,traceability methods and related mitigation mechanisms.The capabilities of detection efficiency,defense efficiency and response to distributed DDo S attacks need to be improved.This paper focuses on the detection triggering algorithm and attack tracing algorithm,the main work is as follows:(1)Designing an SDN-oriented DDo S attack detection and defense overall framework,including detection trigger module,attack detection module,attack traceability module and attack mitigation module.Using neural network and graph theory to complete the design and implementation of related modules.(2)A multi-mechanism detection trigger algorithm is proposed,aming at the shortcomings of the periodic trigger method.The algorithm uses the SDN-specific PACKET?IN data packet,and uses extra-STORM and other algorithms to complete multiple abnormal judgments on the three indicators of packet flow rate,average packet number of the stream,and average byte number of the packet.On the basis of solving the problem of cycle selection,the purpose of improving trigger accuracy and trigger efficiency is achieved.(3)A new attack traceback mechanism was designed and implemented,aiming at the problem of single mode and low efficiency in the past traceback mode,including an attack core search algorithm based on kernel degree theory and a tag-based attack source traceback method,of which the former The combination of kernel theory and graph theory knowledge is used to locate the attack core.The attack mitigation module prioritizes the malicious traffic in the attack core to improve the system's mitigation efficiency.The latter combines tagging technology with the global topology of the network to trace the source of the attack.The attack mitigation module can prevent the next attack from the source by cleaning up the attack source.(4)A prototype system for DDo S detection and defense is completed.Through the system integrity test,the effectiveness of the related algorithms proposed in this paper is verified.The control experiment set at the same time shows that the trigger algorithm in this paper can improve the detection response speed,and at the same time reduce the controller consumption to avoid affecting the normal process in the system when triggering.