
Detection And Analysis Of Link Flooding Attack Based On Software-defined Network

Posted on: 2023-06-05 | Degree: Master | Type: Thesis
Country: China | Candidate: J Li
GTID: 2558307061950329 | Subject: Cyberspace security
Abstract/Summary:
Software Defined Network (SDN), as a new type of network architecture, breaks through the bottlenecks of tightly coupled devices and the limited computing power of a single device in traditional networks, which gives it broad application prospects. The backbone network is an important application scenario for SDN, because SDN's separation mechanism makes it possible to deploy traffic engineering flexibly and to improve link carrying capacity effectively, which provides important technical support for upgrading the backbone network architecture. But the backbone network serves as both access network and network interconnection, which makes it a main target of hackers. As a new type of DDoS attack, the link flooding attack (LFA) poses a greater security threat to the backbone network because of its higher concealment and complexity, and the SDN architecture is more vulnerable to such attacks. These security risks restrict the application of SDN technology in the backbone network. Therefore, using SDN technology to detect LFA in the backbone network is very challenging but crucial.

LFA detection needs to solve two major problems: locating the target link and confirming the attack on the target link. The target link is the attacked link. Current research mainly detects the congested link as the target link. The disadvantage of this method is that the response to the attack is slow, and in the backbone network link congestion seriously affects network service quality. Therefore, this thesis takes advantage of the global view of SDN to detect abnormal links by combining the states of all links in the network. For the attack confirmation problem, current research mainly relies on the characteristics of single flows. However, it is difficult to improve detection accuracy this way, because an attack flow is a legitimate low-speed flow that differs little from a normal flow. This thesis aggregates network flows to represent the communication behavior of terminal hosts, and leverages the attack behavior features of bots to determine whether the abnormal link is under LFA. The main contributions and innovations of the thesis are as follows:

(1) Research on link load prediction. On the basis of an in-depth analysis of the spatiotemporal characteristics of link traffic in the backbone network, a link load prediction model based on a spatiotemporal graph neural network is proposed. Concretely, we first abstract the network topology into a directed graph, and then apply the Digraph Inception Convolutional Networks (DiGCN) model to extract spatial features. Long short-term memory (LSTM) is employed to learn temporal features. The prediction model is designed as a Seq2Seq framework, so that it supports both single-step and multi-step prediction, and an attention mechanism is introduced in the decoding part to alleviate the traffic burst problem. The experimental results show that the coefficient of determination (R²) of single-step prediction can reach 96.67% and that the overall error increase of multi-step prediction is the smallest.

(2) Research on abnormal link detection combined with link load prediction. Because the prediction model has been trained on a large amount of normal network data, it can guarantee the prediction accuracy of the link load under normal conditions. When the network is attacked, however, the attack flows destroy the spatiotemporal characteristics of the link, resulting in a larger prediction error. Therefore, the thesis detects abnormal links based on the difference in prediction error between these two states. To improve the sensitivity of the model to network anomalies, the thesis first combines the prediction errors of all links to judge whether the network topology is abnormal, and then locates the abnormal links according to each link's degree of abnormality. The experimental results demonstrate that the degree of link anomaly can be effectively sensed from the prediction error, and that the response speed of the detection system to the attack can be significantly improved by combining all link states.

(3) Research on LFA confirmation based on the attack behavior of bots. The co-occurrence relationship and traffic characteristics are two significant attack behavior features of bots. The attack co-occurrence relationship means that, across multiple alert windows, bots usually appear in the same alert window or communicate with the same decoy server. The traffic features of bots are mainly reflected in the continuity of network flows, the similarity of traffic, and the similarity of destination IP address sets between bots. Therefore, the thesis first uses the attack co-occurrence relationship to construct a co-occurrence intensity graph of client IPs over multiple attack alarm events, and performs non-overlapping community discovery on it. Then we leverage the traffic characteristics of bots to detect LFA based on whether there is a botnet in a community. The experimental results show that our method is able to detect LFA at a precision of 89.22%.

(4) Implementation of an SDN-based LFA detection system. This thesis combines the D-ITG traffic generator, the Mininet simulation platform and the Ryu controller to build the system. The D-ITG traffic generator is responsible for generating normal background traffic and attack traffic, and the network topology is designed in Mininet. In addition, the traffic monitoring module, the attack alarm module and the attack detection module are deployed in the Ryu controller. Finally, the system displays the detection results visually on the web.
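The two-stage check described in contribution (2), as an added example that is not code from the thesis: predictions are passed in as plain numbers in place of the DiGCN/LSTM model, and the link names, baseline error statistics, z-score scoring and both thresholds are assumptions made for illustration.

```python
import math

# Constructed data (link names and all numbers are hypothetical). BASELINE holds
# each link's mean and standard deviation of absolute prediction error on
# normal traffic, in Mbit/s; PREDICTED stands in for the model's output.
BASELINE = {"s1-s2": (2.0, 0.5), "s2-s3": (3.0, 1.0),
            "s3-s4": (1.5, 0.5), "s1-s4": (2.5, 0.5)}
PREDICTED = {"s1-s2": 100, "s2-s3": 200, "s3-s4": 150, "s1-s4": 120}
NORMAL = {"s1-s2": 102, "s2-s3": 203, "s3-s4": 151, "s1-s4": 122}
FLOODED = {"s1-s2": 102, "s2-s3": 212, "s3-s4": 155, "s1-s4": 123}

def link_scores(predicted, observed, baseline=BASELINE):
    """Per-link anomaly degree: z-score of the absolute prediction error
    against that link's own error distribution on normal traffic."""
    scores = {}
    for link, (mean_err, std_err) in baseline.items():
        err = abs(observed[link] - predicted[link])
        scores[link] = (err - mean_err) / std_err
    return scores

def detect(predicted, observed, net_threshold=2.0, link_threshold=3.0):
    """Stage 1: combine the errors of all links into one topology-level score.
    Stage 2: only if the topology looks abnormal, rank links by anomaly degree
    and return those above the per-link threshold, most abnormal first."""
    scores = link_scores(predicted, observed)
    # Root-mean-square of the positive z-scores: errors smaller than usual
    # do not cancel out errors that are larger than usual.
    positive = [max(s, 0.0) for s in scores.values()]
    net_score = math.sqrt(sum(p * p for p in positive) / len(positive))
    if net_score < net_threshold:
        return net_score, []
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return net_score, [link for link, s in ranked if s >= link_threshold]

if __name__ == "__main__":
    print("normal :", detect(PREDICTED, NORMAL))
    print("flooded:", detect(PREDICTED, FLOODED))
```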
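The confirmation step in contribution (3), as an added example that is not code from the thesis: connected components over strong co-occurrence edges stand in for the community discovery algorithm, which the abstract does not name, and only the destination-set similarity feature is checked. The addresses (documentation ranges), alert windows and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed alert windows: client IP -> destination IPs it contacted over the
# abnormal link in that window. All addresses are documentation ranges.
DECOYS = {"203.0.113.1", "203.0.113.2"}
ATTACK = {b: DECOYS for b in ("192.0.2.10", "192.0.2.11", "192.0.2.12")}
WINDOWS = [
    {**ATTACK, "198.51.100.5": {"203.0.113.80"}},
    {**ATTACK, "198.51.100.6": {"203.0.113.81"}},
    {**ATTACK, "198.51.100.5": {"203.0.113.82"}, "198.51.100.6": {"203.0.113.83"}},
]

def cooccurrence(windows):
    """Edge weight = number of alert windows in which both clients appear."""
    weight = defaultdict(int)
    for w in windows:
        for a, b in combinations(sorted(w), 2):
            weight[(a, b)] += 1
    return weight

def communities(weight, min_weight):
    """Non-overlapping groups: connected components over edges >= min_weight."""
    adj = defaultdict(set)
    for (a, b), n in weight.items():
        if n >= min_weight:
            adj[a].add(b)
            adj[b].add(a)
    groups = []
    for start in sorted(adj):
        if not any(start in g for g in groups):
            group, stack = {start}, [start]
            while stack:
                for nxt in adj[stack.pop()] - group:
                    group.add(nxt)
                    stack.append(nxt)
            groups.append(group)
    return groups

def dest_similarity(group, windows):
    """Mean pairwise Jaccard similarity of the members' destination IP sets."""
    dests = {c: set().union(*(w.get(c, ()) for w in windows)) for c in group}
    pairs = list(combinations(sorted(group), 2))
    return sum(len(dests[a] & dests[b]) / len(dests[a] | dests[b])
               for a, b in pairs) / len(pairs)

def suspected_botnets(windows, min_weight=3, min_similarity=0.8):
    cand = communities(cooccurrence(windows), min_weight)
    return [g for g in cand if dest_similarity(g, windows) >= min_similarity]
```

With `min_weight=2` the two intermittent clients merge into the same community as the three co-occurring hosts, the mean similarity drops to 0.3, and nothing is reported, which shows how sensitive the result is to the edge threshold.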
Keywords/Search Tags: Link Flooding Attack, Software Defined Network, Link Load Prediction, Abnormal Link Detection, Botnet Detection