With the increasing emphasis on cyber security in China, cyberspace security has become one of the national strategies. Software Defined Networking (SDN), as a new architecture, logically concentrates the control functions of traditional networks on a unified control plane. Although this separation of forwarding and control gives SDN the advantage of network programmability, it also makes SDN a target of saturation attacks. It is therefore important to study saturation attack detection techniques in SDN to improve SDN security. High- and low-speed saturation attacks against SDN switches and controllers are one of the main security issues in SDN. Detecting these saturation attacks is a multi-classification problem, which is usually addressed by combining D-S (Dempster-Shafer) theory, ensemble learning, and the OVO (One-vs-One) strategy. However, when D-S theory is used for decision fusion, a simple mutual information calculation may lead to information loss, which reduces detection accuracy. To address these problems, this paper proposes KIND, a saturation attack detection scheme for SDN based on image mutual information. First, KIND converts the probability matrix output by each base classifier into a single-channel grayscale map in a nonlinear manner. Second, the BPA (Basic Probability Assignment) based on image mutual information is calculated from the structural similarity of the corresponding images, thus correcting the original evidence. Finally, the corrected BPA is used as the input of D-S evidence theory for decision fusion, to determine whether unknown traffic is a high- or low-speed saturation attack against switches and controllers in SDN. The experimental results show that KIND achieves high detection performance in terms of accuracy, precision, confusion matrix, chi-square test, and quantitative policy test, and outperforms the other compared methods.

Based on KIND, this paper designs a saturation attack detection system based on ensemble learning. The system uses a B-S (browser-server) architecture and is implemented with the Flask framework. The business interaction part (front-end) and the business processing part (back-end) of the system communicate through Ajax and WebSocket. The front-end includes the data collection and feature calculation page, the saturation attack online detection page, and the saturation attack suppression page. The back-end of the system is the core part of this paper, and the internal switches and controllers communicate through the OpenFlow protocol. The back-end includes a saturation attack detection module and a suppression module based on image mutual information. The detection module includes eight parts: feature calculation, base learner construction, probability matrix construction, probability matrix visualization, image mutual information calculation, BPA generation based on image mutual information, D-S theory decision fusion, and detection of unknown saturation attacks. The suppression module includes three steps: obtaining the attacker IP, adding blocking flow table entries, and discarding blocking flow table entries.
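The three KIND steps described above (grayscale mapping, similarity-based evidence correction, D-S fusion) can be sketched as follows; this is an added example, not the paper's code. The gamma mapping, the single-window SSIM, the credibility-weighted averaging of evidence, the class labels and the sample matrices are all assumptions or constructed values, since the abstract does not give the exact formulas.

```python
CLASSES = ["normal", "switch_high", "switch_low", "ctrl_high", "ctrl_low"]  # constructed labels

def to_gray(matrix, gamma=0.5):
    """Nonlinear map of probabilities to 0..255 gray levels (gamma is an assumption)."""
    return [[255.0 * (p ** gamma) for p in row] for row in matrix]

def ssim(a, b, c1=(0.01 * 255) ** 2, c2=(0.03 * 255) ** 2):
    """Global (single-window) structural similarity of two equal-size images."""
    x = [v for row in a for v in row]
    y = [v for row in b for v in row]
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    vx = sum((v - mx) ** 2 for v in x) / n
    vy = sum((v - my) ** 2 for v in y) / n
    cov = sum((p - mx) * (q - my) for p, q in zip(x, y)) / n
    return ((2 * mx * my + c1) * (2 * cov + c2)) / ((mx**2 + my**2 + c1) * (vx + vy + c2))

def credibility(mats):
    """Weight each base classifier by its mean image similarity to the others."""
    imgs = [to_gray(m) for m in mats]
    support = [sum(max(ssim(a, b), 0.0) for j, b in enumerate(imgs) if j != i)
               for i, a in enumerate(imgs)]
    total = sum(support)
    if total == 0:  # nobody agrees with anybody: fall back to equal weights
        return [1.0 / len(mats)] * len(mats)
    return [s / total for s in support]

def dempster(m1, m2):
    """Dempster's rule for BPAs whose focal elements are single classes."""
    agree = [p * q for p, q in zip(m1, m2)]
    if sum(agree) < 1e-12:  # conflict mass K is 1
        raise ValueError("total conflict: evidence cannot be combined")
    return [v / sum(agree) for v in agree]

def fuse(mats, row):
    """Correct the evidence for one sample, then combine it n-1 times."""
    w = credibility(mats)
    avg = [sum(wi * m[row][c] for wi, m in zip(w, mats)) for c in range(len(CLASSES))]
    fused = avg
    for _ in range(len(mats) - 1):
        fused = dempster(fused, avg)
    return fused

# Constructed probability matrices (3 samples x 5 classes); C disagrees with A and B.
A = [[0.7, 0.1, 0.1, 0.05, 0.05], [0.1, 0.6, 0.1, 0.1, 0.1], [0.05, 0.05, 0.1, 0.7, 0.1]]
B = [[0.6, 0.2, 0.1, 0.05, 0.05], [0.1, 0.7, 0.1, 0.05, 0.05], [0.1, 0.05, 0.05, 0.7, 0.1]]
C = [[0.1, 0.1, 0.1, 0.1, 0.6], [0.6, 0.1, 0.1, 0.1, 0.1], [0.2, 0.2, 0.2, 0.2, 0.2]]
SAMPLE = [A, B, C]
print([CLASSES[max(range(5), key=fuse(SAMPLE, r).__getitem__)] for r in range(3)])
```

The outlier classifier C receives zero credibility here because its grayscale image is negatively correlated with the other two, so it cannot drag the fused decision toward its own class.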