Research And Application Of Intrusion Prevention Technology Based On Three-Way Decisions In SDN

Posted on: 2022-08-27 | Degree: Master | Type: Thesis
Country: China | Candidate: X T Du | Full Text: PDF
GTID: 2518306557975039 | Subject: Computer technology

Abstract/Summary:
Network security has always been a key problem that urgently needs to be solved in the networked world. As networks become more intelligent, traditional methods such as firewalls and intrusion detection systems (IDS) are no longer able to cope with today's more diverse and complicated intrusion behaviours. An Intrusion Prevention System (IPS) combines the advantages of the IDS with the blocking capability of the firewall: it can analyse network intrusion traffic at a deeper level, detect intrusion behaviour and block it in time to keep the network secure, which makes up for the defect that an intrusion detection system cannot intelligently detect and handle an attack. To address these deficiencies, this thesis studies IPS based on SDN in depth and proposes an intrusion prevention system based on three-way decisions under SDN, which effectively improves the performance of the intrusion prevention system.

SDN decouples the control layer and the data layer of the network and realises unified management and control of the network by the controller, which makes network deployment and maintenance easy and conforms to the direction of future network development. However, its special architecture also has security problems: the controller faces the risk of a single point of failure, and the Distributed Denial of Service (DDoS) attack is one of the main security threats under SDN. There are many ways to deal with DDoS attacks in SDN, but the existing intrusion detection algorithms usually make two-way decisions, that is, network traffic is divided into two categories: normal data and intrusion data. In the actual intrusion detection process, however, data is easily misclassified because of insufficient data or insufficient features. To address the classification risk that two-way decisions may cause, three-way decisions introduce a boundary domain, i.e. an uncertain data domain, in addition to the positive domain (normal data) and the negative domain (attack data). The data in the boundary domain can be decided again, which to some extent resolves the classification risk.

This thesis proposes an intrusion detection algorithm (DBN-TWD) that combines Deep Belief Networks (DBN) with three-way decisions, aimed at the limitations of existing intrusion detection methods under SDN, such as low efficiency and the insufficient classification accuracy of two-way decisions. First, a DBN is used to extract features from the flow table entries under SDN and a multi-granularity feature space is established; then the model based on the DBN-TWD algorithm is used for intrusion detection. Simulation results show that the proposed algorithm can not only improve the intrusion detection rate but also reduce the false alarm rate of the detection system.

Based on the DBN-TWD algorithm, an attack defence system for DDoS attacks is designed. The system includes three modules: flow table collection, attack detection and attack mitigation. After a DDoS attack is detected, measures such as service redirection and flow flushing are taken to ensure the normal operation of the network. Finally, the SDN network environment is simulated with the Mininet simulator and the Floodlight controller, and the performance of the intrusion prevention system is verified experimentally. The results prove that the proposed intrusion prevention system can effectively detect DDoS attacks and take appropriate defence measures.
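To make the positive/negative/boundary split concrete, here is an added illustration (not the thesis's DBN-TWD code) of a three-way decision over per-source flow-table statistics: a coarse score puts each source in the normal, attack or boundary domain, and only boundary sources are decided again with a finer-grained score. The thresholds, the two hand-written scores and the sample statistics are all assumed values constructed for the example; the thesis learns its features with a DBN instead.

```python
"""Three-way decision over SDN flow-table statistics (illustrative example)."""
from dataclasses import dataclass

@dataclass
class FlowStats:
    # Constructed per-source aggregates of the kind a controller can read from
    # its switches' flow-table entries (assumed fields, not the thesis's features).
    src: str
    flows: int               # flow entries originating from this source
    single_pkt_ratio: float  # share of those flows that carried only one packet

ALPHA, BETA = 0.8, 0.2       # assumed upper/lower thresholds of the three regions

def coarse_score(s):
    """Coarse granularity: attack probability from the flow count alone."""
    return min(1.0, s.flows / 200.0)

def fine_score(s):
    """Finer granularity: adds a packet-level feature; used for boundary data only."""
    return 0.3 * coarse_score(s) + 0.7 * s.single_pkt_ratio

def three_way(p, alpha=ALPHA, beta=BETA):
    """Positive domain -> 'normal', negative domain -> 'attack', else boundary."""
    if p >= alpha:
        return "attack"
    if p <= beta:
        return "normal"
    return "boundary"

def classify(s):
    """Returns (decision, stage): decided coarsely, or re-decided with fine features."""
    first = three_way(coarse_score(s))
    if first != "boundary":
        return first, "coarse"
    # Second decision on boundary data; whatever is still uncertain stays in the
    # boundary domain so the mitigation module can watch it rather than drop it.
    return three_way(fine_score(s)), "fine"

# Constructed sample: one flood source, one quiet host, two borderline sources.
SAMPLE = [
    FlowStats("10.0.0.1", flows=300, single_pkt_ratio=0.98),
    FlowStats("10.0.0.2", flows=10, single_pkt_ratio=0.10),
    FlowStats("10.0.0.3", flows=100, single_pkt_ratio=0.95),
    FlowStats("10.0.0.4", flows=100, single_pkt_ratio=0.05),
]

def decide_all(stats=SAMPLE):
    return {s.src: classify(s) for s in stats}

if __name__ == "__main__":
    for src, (decision, stage) in decide_all().items():
        print(f"{src}: {decision} ({stage})")
```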
Keywords/Search Tags: Intrusion detection, Intrusion prevention, Three-way decisions, Service redirection, Flow cleaning