Unlike the closed, vertically integrated traditional network, the Software Defined Network (SDN) has the advantages of openness and easy programmability. As network development becomes more and more diversified, SDN has become the main trend of future network development. In SDN, the control plane and data plane are decoupled, and the controller realizes centralized control of the network. Because the controller plays an extremely important role in SDN, attackers target the controller more rampantly. In a Distributed Denial of Service (DDoS) attack, the attacker controls a botnet so that it consumes the victim's resources and ultimately makes the victim unable to provide services to its normal users. Once the controller in the SDN is attacked, the entire network is prone to collapse, so defense against DDoS attacks in SDN is very important. In this thesis, DDoS attacks in SDN are addressed in two parts: attack detection and defense.

For DDoS attack detection in the SDN network, this thesis proposes a combination of three models: Random Forest (RF), Support Vector Machines (SVM) and Incremental Learning (IL). The RF-SVM-IL detection model is divided into two modules: the RF-SVM double-layer detection module and the Incremental Learning sample screening module. To improve detection accuracy, the RF-SVM module first uses the ability of Random Forest to process large-scale data in parallel to initially detect the attack data. At the same time, to avoid misclassification of samples in the SVM, the Mmargin(x) values of the samples are calculated and sorted in descending order; the samples with smaller Mmargin(x) values are eliminated, the remaining data are input into the SVM for secondary detection, and the two parameters of the SVM are optimized by the Particle Swarm Optimization algorithm (PSO). To improve the detection rate, since the amount of attack data the network bears continuously increases, the incremental learning sample screening module screens new samples according to the positive and negative vector similarity of the samples, which increases the dynamic adaptability of the entire detection model and, by reducing the amount of data the model processes, reduces detection time.

Aiming at the remarkable characteristics of DDoS attacks, large traffic volume and high flow rate, and based on the detection results of the RF-SVM-IL module, this thesis proposes two defense methods: adaptive port rate limiting and traffic cleaning. The sFlow traffic monitoring tool is used to monitor the ports in the network and observe in real time whether they are under attack. For attacks with a high packet sending rate, this thesis uses command operations and the meter table to limit the traffic rate of the victim port, and mainly uses the Exponentially Weighted Moving Average (EWMA) algorithm to predict the flow rate of normal and attack data so as to calculate the adaptive rate limit threshold. For attacks with large packet sizes, the priority-action matching mechanism of the OpenFlow flow table and OvS instructions are used to clean the traffic. In the experiments, this thesis uses five performance indicators, such as detection accuracy and detection time, to measure detection models built from various machine learning fusions. The experiments prove that the RF-SVM-IL model proposed in this thesis can achieve high-precision, short-time attack detection, and it is implanted in the controller to realize real-time detection. According to the detection results, the traffic cleaning or adaptive port rate limiting defense scheme is invoked. The experiments prove that the model proposed in this thesis can achieve a better DDoS attack defense effect in the SDN network.
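The EWMA-based adaptive rate limit described above, as an added example that is not code from the thesis: it smooths per-second packet rates on one switch port into a one-step-ahead forecast, derives the rate limit to install for the next interval from that forecast, and flags samples that exceed it. The abstract does not give the thesis's threshold formula, so the rule used here (forecast plus k smoothed deviations, with a warm-up period and a relative floor on the deviation) is an assumption made for illustration, as are the constructed packet-rate samples.

```python
"""Adaptive port rate-limit threshold from an EWMA flow-rate forecast.

Added example, not code from the thesis. The threshold rule (EWMA forecast plus
k smoothed deviations, warm-up, relative deviation floor) is an assumption made
for illustration; the per-second packet rates below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class EwmaRateLimiter:
    alpha: float = 0.3         # weight of the newest sample in both EWMAs
    k: float = 3.0             # deviations above the forecast still treated as normal
    warmup: int = 5            # samples used to learn the baseline before limiting anything
    min_rel_dev: float = 0.05  # deviation floor as a fraction of the forecast, so a run
                               # of identical readings cannot collapse the band to zero
    forecast: Optional[float] = None  # EWMA of the rate: prediction for the next interval
    deviation: float = 0.0            # EWMA of |observed - forecast|
    n: int = 0                        # samples seen so far

    def threshold(self) -> float:
        """Packet rate above which the port should be limited in the next interval."""
        if self.forecast is None:
            return float("inf")  # nothing learned yet: do not limit
        band = max(self.deviation, self.min_rel_dev * self.forecast)
        return self.forecast + self.k * band

    def update(self, observed_pps: float) -> bool:
        """Consume one observation; return True if it exceeded the threshold
        predicted *before* this sample, i.e. the port looks flooded."""
        self.n += 1
        if self.forecast is None:
            self.forecast = observed_pps
            return False
        exceeded = self.n > self.warmup and observed_pps > self.threshold()
        if not exceeded:
            # Only learn from traffic judged normal, so a flood cannot drag the
            # baseline (and with it the installed limit) upward.
            err = abs(observed_pps - self.forecast)
            self.deviation = self.alpha * err + (1 - self.alpha) * self.deviation
            self.forecast = self.alpha * observed_pps + (1 - self.alpha) * self.forecast
        return exceeded


def run(samples: List[float]) -> Tuple[List[bool], EwmaRateLimiter]:
    """Feed samples in order; return the per-sample 'limit this port' flags and
    the limiter state (its threshold() is the rate limit to install next)."""
    lim = EwmaRateLimiter()
    flags = [lim.update(s) for s in samples]
    return flags, lim


# Constructed per-second packet counts on one switch port: jittery normal
# traffic around 1000 pps, then a flood from the 11th sample on.
NORMAL_PPS = [1000, 1040, 980, 1010, 1100, 960, 1020, 990, 1050, 1000]
FLOOD_PPS = [9000, 12000, 15000]
SAMPLES = NORMAL_PPS + FLOOD_PPS

if __name__ == "__main__":
    flags, lim = run(SAMPLES)
    for s, f in zip(SAMPLES, flags):
        print(f"{s:>6} pps  {'LIMIT' if f else 'ok'}")
    print(f"rate limit to install: {lim.threshold():.0f} pps")
```

Freezing the baseline while a port is flagged is the design choice that matters here: with it, the limit stays near the pre-attack rate for as long as the flood lasts; without it, the EWMA would track the attack traffic within a few intervals and the limit would rise to match it. The cost is that a genuine, sustained increase in legitimate traffic is also held at the old limit until an operator or a separate mechanism raises the baseline.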