A Two-stage DDoS Attack Detection and Defense Method in Software Defined Network

doi:10.3969/j.issn.1671-1122.2022.01.001

Abstract

Abstract:

Distributed denial of service (DDoS) attacks have always been a major threat to Internet. In SDN network, it will lead to the exhaustion of controller resources and affect the normal operation of the entire network. Aiming at mitigating DDoS attacks in SDN network, a two-stage attack detection and defense method is designed and implemented, which firstly collects flow data based on the controller's northbound interface to extract direct and derived features, and uses sequential probability ratio test (SPRT) and light gradient boosting machine (LightGBM) to locate attacks quickly and differentiate attack types accurately, at last filters the attack traffic in real time by installing flow rules. Experimental results show that this attack detection method can quickly locate the attack port and classify the attack traffic which accuracy reaches to 98%, and attack defense method can install defense flow rules in time to filter the attack traffic within 2 s after attack happens to protect the safety of SDN network effectively.

Key words: software defined network, distributed denial of service attack, sequential probability ratio test, light gradient boosting machine

CLC Number:

TP309

YU Junqing, LI Zizun, WU Chi, ZHAO Yizhu. A Two-stage DDoS Attack Detection and Defense Method in Software Defined Network[J]. Netinfo Security, 2022, 22(1): 1-8.

Figures/Tables 19

References 15

[1]	TAO Han, SYED R U J, TAN Zhiyuan, et al. A Comprehensive Survey of Security Threats and Their Mitigation Techniques for Next-generation SDN Controllers[J]. Concurrency and Computation: Practice and Experience, 2020, 32(16):1-21. doi: 10.1002/cpe.v32.22 URL
[2]	QIAO Yan, RICHARD F Y, GONG Qingxiang, et al. SDN and Distributed DDoS Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges[J]. IEEE Communications Surveys & Tutorials, 2016, 18(1):602-622.
[3]	RAMIN F F, ORHAN E, EMIN A. A DDoS Attack Detection and Defense Scheme Using Time-series Analysis for SDN[J]. Journal of Information Security and Applications, 2020, 54(10):1-11.
[4]	OUSSAMA H, MOHAMED C B. Neural Network-based Approach for Detection and Mitigation of DDoS Attacks in SDN Environments[J]. International Journal of Information Security and Privacy (IJISP), 2020, 14(3):50-71.
[5]	MYO M O, SINCHAI K, THOSSAPORN K, et al. Advanced Support Vector Machine Based Detection for Distributed Denial of Service Attack on Software Defined Networking[J]. Journal of Computer Networks and Communications, 2019, 5(4):1-12.
[6]	KÜBRA K, LEVENT A, GÜRKAN G, et al. JESS: Joint Entropy-based DDoS Defense Scheme in SDN[J]. IEEE Journal on Selected Areas in Communications, 2018, 36(10):2358-2372. doi: 10.1109/JSAC.2018.2869997 URL
[7]	YE Jin, CHENG Xiangyang, ZHU Jian, et al. A DDoS Attack Detection Method Based on SVM in Software Defined Network[J]. Security and Communication Networks, 2018, 10(5):1-8.
[8]	RENEILSON S, DANILO S, WALTER S, et al. Machine Learning Algorithms to Detect DDoS Attacks in SDN[J]. Concurrency and Computation: Practice and Experience, 2020, 32(16):1-14. doi: 10.1002/cpe.v32.22 URL
[9]	CHEN Zhou, JIANG Fu, CHENG Yijun, et al. XGBoost Classifier for DDoS Attack Detection and Analysis in SDN-based Cloud[C]// IEEE, 2018 IEEE International Conference on Big Data and Smart Computing (BigComp), January 15-17, 2018, Shanghai, China. New York: IEEE, 2018: 251-256.
[10]	FICHERA S, GALLUCCIO L, GRANCAGNOLO S C, et al. OPERETTA: An OpenFlow-based Remedy to Mitigate TCP SYN FLOOD Attacks against Web Servers[J]. Computer Networks, 2015, 92(9):89-100. doi: 10.1016/j.comnet.2015.08.038 URL
[11]	CUI Jie, WANG Mingjun, LUO Yonglong, et al. DDoS Detection and Defense Mechanism Based on Cognitive-inspired Computing in SDN[J]. Future Generation Computer Systems, 2019, 97(3):275-283. doi: 10.1016/j.future.2019.02.037 URL
[12]	CUI Yunhe, YAN Lianshan, LI Saifei, et al. SD-Anti-DDoS: Fast and Efficient DDoS Defense in Software-defined Networks[J]. Journal of Network and Computer Applications, 2016, 68(4):65-79. doi: 10.1016/j.jnca.2016.04.005 URL
[13]	JUAN P, SANTIAGO Z. Using One Class SVM to Counter Intelligent Attacks against an SPRT Defense Mechanism[J]. Ad Hoc Networks, 2019, 94(11):1-9.
[14]	DONG Ping, DU Xiaojiang, ZHANG Hongke, et al. A Detection Method for a Novel DDoS Attack against SDN Controllers by Vast New Low-traffic Flows[C]// IEEE. International Conference on Communications, July 14, 2016, Kuala Lumpur, Malaysia. New York: IEEE, 2016: 1-6.
[15]	KE Guolin, MENG Qi, FINLEY T, et al. Lightgbm: A Highly Efficient Gradient Boosting Decision Tree[J]. Advances in Neural Information Processing Systems, 2017, 30(4):3146-3154.

流量类型		描述
正常流量	Normal	正常网络通信流量
攻击流量	DDoS	分布式拒绝服务攻击
	Probe	恶意的网络探测活动
	R2L	来自远程的恶意登录

序号	特征	描述
1	eth_src	以太网源地址
2	eth_dst	以太网目的地址
3	eth_type	以太网类型
4	in_port	入端口
5	ip_proto	IP协议
6	ipv4_src	源IP地址
7	ipv4_dst	目的IP地址
8	ovs_tcp_flags	TCP标志位
9	tcp_src	TCP源端口
10	tcp_dst	TCP目的地址
11	udp_src	UDP源端口
12	udp_dst	UDP目的端口
13	priority	优先级
14	byte_count	流匹配字节数
15	packet_count	流匹配数据包数
16	duration	持续时间
17	hard_timeout_s	严格超时时间
18	idle_timeout_s	空闲超时时间

序号	特征	描述
1	byte_cnt_min	流匹配字节数最小值
2	byte_cnt_max	流匹配字节数最大值
3	byte_cnt_mean	流匹配字节数平均值
4	byte_cnt_std	流匹配字节数标准差
5	pkt_cnt_min	流匹配数据包数最小值
6	pkt_cnt_max	流匹配数据包数最大值
7	pkt_cnt_mean	流匹配数据包数平均值
8	pkt_cnt_std	流匹配数据包数标准差
9	duration_min	流持续时间最小值
10	durationt_max	流持续时间最大值
11	duration_mean	流持续时间平均值
12	duration_std	流持续时间标准差
13	src_ip_cnt	源IP数量
14	dst_ip_cnt	目的IP数量
15	src_port_cnt	源端口数量
16	dst_port_cnt	目的端口数量
17	URG_flag_cnt	URG标志位数量
18	ACK_flag_cnt	ACK标志位数量
19	PSH_flag_cnt	PSH标志位数量
20	RST_flag_cnt	RST标志位数量
21	SYN_flag_cnt	SYN标志位数量
22	FIN_flag_cnt	FIN标志位数量

参数	描述	参数值
num_iterations	迭代次数,即生成决策树的数量	100
num_leaves	决策树的最大叶子数	30
max_depth	决策树的最大深度	50
learning_rate	学习率	0.1
bagging_fraction	数据采样比例,取值在0~1之间	0.8
feature_fraction	特征采样比例,取值在0~1之间	0.7