The emergence of SDN has changed the network architecture from a mode in which forwarding and control are coupled to one in which they are decoupled, and it has become an active branch of network research. In this architecture, the network devices at the data layer no longer make forwarding decisions; they process packets according to the commands issued by the control layer, which makes network management more flexible. SDN has been applied in many network scenarios, such as data centers and clouds, enterprise and campus networks, wide area networks, and wireless networks. While SDN brings convenience to network management, DDoS attacks have become a major network security threat that it faces. This thesis draws on previous results to carry out research on DDoS attack prevention in SDN along the two dimensions of detection and defense. The main contents of the research are as follows:

1. A two-level joint detection method for DDoS attacks based on ARIMA and random forest is designed, which effectively avoids the problems of a high false positive rate and high resource consumption. In the first-level detection stage, an ARIMA model is introduced to represent the normal state of the network; information entropy is used to measure the concentration of the destination IP addresses received by the controller; and an adaptive threshold is used to analyze the error between the predicted destination IP address information entropy and the actual value. If the error is large, the SDN network is considered to contain abnormal traffic, and the next level of detection is performed. In the second-level detection stage, the controller requests the flow table data and constructs a 6-tuple feature representing the current network state. A random forest model is then used to judge, based on this 6-tuple feature, whether the SDN network is under DDoS attack. The SDN network topology is built in Mininet for simulation experiments, and the validity of the detection method is verified in terms of detection performance and CPU occupancy.

2. A DDoS attack defense mechanism based on source tracing and mitigation is designed. In the source tracing stage, the path sample characteristics from all edge switches to the victim host are first constructed from the flow table information extracted in the detection stage; the K-means algorithm is then used to cluster the paths; and finally the attack source is found by statistical analysis. In the mitigation phase, a packet symmetric rate mechanism is introduced to identify the attack flows present in the SDN. The controller changes the rules of these flows to a discard action and uses a blacklist to record their source IP addresses. When the network is in a normal state, a whitelist records the source IP addresses that have appeared. When data packets arrive at the SDN network, they are matched against the blacklist and the whitelist respectively; if the match succeeds, the controller discards or forwards the packets accordingly, otherwise they are forwarded with rate limiting.
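As an added illustration of the first-level detection stage described above (example code written for this page, not the thesis's own implementation): it computes the information entropy of the destination IP addresses in each window of packet-in messages, forecasts the next window's entropy, and flags a window whose entropy falls below the forecast by more than an adaptive threshold derived from past residuals. The ARIMA forecaster is replaced here by a simple exponentially weighted moving average, and the packet-in windows are constructed sample data.

```python
import math
from collections import Counter

# Constructed sample windows: destination IPs of the packet-in messages that
# reached the controller in each window (made up for this example).
SPREAD = [f"10.0.0.{i}" for i in range(1, 9)]           # 8 distinct hosts, entropy 3.0
MILD = ["10.0.0.1", "10.0.0.1", "10.0.0.2", "10.0.0.2",
        "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"]  # some repeats, entropy 2.5
NORMAL_WINDOWS = [SPREAD, MILD, SPREAD, MILD, SPREAD]
ATTACK_WINDOW = ["10.0.0.9"] * 7 + ["10.0.0.1"]         # flood concentrated on one victim

def dst_ip_entropy(dst_ips):
    """Shannon entropy (bits) of the destination-IP distribution in one window."""
    total = len(dst_ips)
    return -sum(c / total * math.log2(c / total) for c in Counter(dst_ips).values())

class FirstLevelDetector:
    """Forecast the next window's entropy and flag a large drop below it.

    The thesis forecasts with ARIMA; this example swaps in an EWMA forecaster
    (assumption). The threshold adapts to the mean and spread of past residuals."""

    def __init__(self, alpha=0.3, k=3.0, min_history=3, std_floor=0.05):
        self.alpha, self.k, self.min_history, self.std_floor = alpha, k, min_history, std_floor
        self.forecast = None
        self.residuals = []   # forecast - observed, kept only for windows judged normal

    def observe(self, dst_ips):
        """Return True if this window's entropy is anomalously low."""
        h = dst_ip_entropy(dst_ips)
        if self.forecast is None:           # warm-up: first window seeds the forecast
            self.forecast = h
            return False
        err = self.forecast - h             # positive when traffic concentrates on few targets
        anomalous = False
        if len(self.residuals) >= self.min_history:
            mean = sum(self.residuals) / len(self.residuals)
            var = sum((r - mean) ** 2 for r in self.residuals) / len(self.residuals)
            threshold = mean + self.k * max(math.sqrt(var), self.std_floor)
            anomalous = err > threshold
        if not anomalous:                   # only normal windows update the model
            self.residuals.append(err)
            self.forecast = self.alpha * h + (1 - self.alpha) * self.forecast
        return anomalous

def detect_windows(windows):
    """Run the detector over a sequence of windows; one flag per window."""
    det = FirstLevelDetector()
    return [det.observe(w) for w in windows]
```

A window flagged here would trigger the second-level stage, where the controller pulls flow table data for the random forest classifier.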