WO2021227322A1 - Method for detecting and defending against DDoS attacks in an SDN environment - Google Patents
- Publication number
- WO2021227322A1 (PCT/CN2020/115251)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- feature
- detection
- detecting
- sdn environment
- message
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/243—Classification techniques relating to the number of classes
- G06F18/24323—Tree-organised classifiers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/143—Denial of service attacks involving systematic or selective dropping of packets
Definitions
- the invention relates to the technical field of network security, in particular to a method for detecting and defending DDoS attacks in an SDN environment.
- Software-defined networking (SDN) proposes separating the data plane from the control plane, which solves the problems of high reliability, scalability and flexibility that traditional networks cannot solve; but while it brings innovation on the business side, it also brings new security challenges.
- the business control and security control in the SDN controller are highly coupled and interact with each other.
- the security control mechanism that controls the security of the entire network through the flow table needs to be improved; all security controls can only reach the data forwarding layer, and there is no direct interaction with security devices or nodes, which limits the security control capability.
- the first type is a detection scheme based on statistical analysis. This type of scheme requires less computing resources, but often has low accuracy.
- the second type is a scheme based on machine learning. This type of scheme usually deploys the detection module on the controller, which greatly consumes the computing resources of the controller, so that the controller cannot deliver control to the switch normally and becomes a network bottleneck.
- DDoS: Distributed Denial of Service
- the attacker sends a large number of unknown data packets, which may cause the switch to buffer a large number of useless data packets and add a large number of useless flow entries, eventually causing the flow table to overflow. More dangerously, the switch sends a large number of requests to the controller, causing a denial of service at the controller and paralyzing the entire network.
- the purpose of the present invention is to provide a DDoS attack detection and defense method in an SDN environment to solve the problems of high resource occupation or low detection accuracy existing in the prior art.
- the present invention provides a method for detecting and defending DDoS attacks in an SDN environment, including:
- the agent module constructs the acquired data message into a characteristic message
- the agent module executes control operations according to the decision instructions.
- before the agent module constructs the acquired data message as a characteristic message, the method also includes:
- the pre-detection module preprocesses the data stream.
- the pre-detection module preprocesses the data stream, which specifically includes:
- the port rate is limited to ensure the normal operation of detection and control delivery.
- the method for constructing the detection model includes the following steps:
- the data message includes one or more of a request sent by the switch to the controller, a statistical message, and data held by the controller.
- the characteristic message includes an index part and a characteristic domain part
- the feature domain part includes control information and combined features
- the combined characteristics include one or more of the average number of data packets of the flow, the average number of bytes per flow, the average duration of each flow, the proportion of symmetric flow, the rate of change of asymmetric flow, and the amount of port change.
- the method of constructing a data set through characteristic messages includes the following steps:
- the labeled samples are divided into a training sample set and a test sample set, that is, a data set.
- the method for feature selection of the data set includes the following steps:
- the feature weight is filtered according to the absolute value after sorting.
- the training method includes the following steps:
- recursing the above process means repeatedly selecting a feature
- the decision instruction includes one or more of blocking the host, blocking the port, and isolating the host.
- the method of controlling the state of the controller according to the decision instruction includes the following steps:
- the controller performs the operation of discarding the attacking data packet
- the controller executes the operation of blocking the responding attack port
- the controller performs the operation of discarding all data packets from the attack source host.
- the present invention discloses the following technical effects:
- the present invention proposes a DDoS attack detection and defense method in SDN environment.
- an entropy-based pre-detection module is added at the entrance of the switch port to ensure that SDN network facilities will not prematurely produce denial of service behavior when they are attacked by DDoS;
- a proxy module is added to the controller program to achieve the separation of security and control, to ensure that the detection itself will not occupy too much controller and switch resources;
- RFE: recursive feature elimination
- CART: Classification And Regression Tree
- Figure 1 is a schematic diagram of a module according to an embodiment of the present invention.
- FIG. 2 is a schematic diagram of a detection process according to an embodiment of the present invention.
- Figure 3 is a schematic diagram of a feature message format according to an embodiment of the present invention.
- FIG. 4 is a schematic diagram of a flow of RFE feature selection according to an embodiment of the present invention.
- Fig. 5 is a schematic diagram of a CART training process according to an embodiment of the present invention.
- the purpose of the present invention is to provide a DDoS attack detection and defense method in an SDN environment to solve the problems of high resource occupation or low detection accuracy existing in the prior art.
- the present invention provides a method for detecting and defending DDoS attacks in an SDN environment.
- the specific steps of the method are as follows:
- Step 1: The pre-detection module preprocesses the data
- the port rate is limited
- the pre-detection process is shown in Figure 2.
- a lightweight entropy detection algorithm is used to detect the destination address entropy of each incoming port. If the entropy is greater than the threshold in three consecutive windows, a potential attack is possible, and the corresponding port rate should be limited while waiting for the control layer to perform detection. This ensures that the SDN network will not immediately crash when it is attacked by DDoS, and that the subsequent detection and control delivery can proceed normally.
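The pre-detection rule described above, as an added Python example (not code from the patent): it computes the destination-address entropy of each ingress port over fixed-size windows and marks a port for rate limiting after three consecutive windows above the threshold. The window size, the threshold value and the sample traffic are constructed assumptions; the comparison direction and the three-window count follow the text.

```python
import math
from collections import Counter, defaultdict

WINDOW_SIZE = 50          # packets per window (assumed; the text gives no size)
ENTROPY_THRESHOLD = 3.0   # bits (assumed; the text gives no value)
CONSECUTIVE_WINDOWS = 3   # from the description


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


class PortPreDetector:
    """Tracks destination-address entropy per ingress port, window by window."""

    def __init__(self, window_size=WINDOW_SIZE, threshold=ENTROPY_THRESHOLD,
                 consecutive=CONSECUTIVE_WINDOWS):
        self.window_size = window_size
        self.threshold = threshold
        self.consecutive = consecutive
        self._window = defaultdict(list)   # in_port -> dst addresses in the open window
        self._streak = defaultdict(int)    # in_port -> consecutive windows above threshold
        self.rate_limited = set()          # ports the switch should throttle

    def observe(self, in_port, dst_ip):
        """Feed one packet. Returns True when this packet makes the port rate-limited."""
        window = self._window[in_port]
        window.append(dst_ip)
        if len(window) < self.window_size:
            return False
        entropy = shannon_entropy(window)
        window.clear()
        # A single window at or below the threshold resets the streak.
        self._streak[in_port] = self._streak[in_port] + 1 if entropy > self.threshold else 0
        if self._streak[in_port] >= self.consecutive and in_port not in self.rate_limited:
            self.rate_limited.add(in_port)
            return True
        return False


def constructed_traffic():
    """Constructed sample: (in_port, dst_ip) tuples for three ports, five windows each."""
    def concentrated(w):  # 4 destinations, entropy just under 2 bits
        return [f"192.0.2.{i % 4 + 1}" for i in range(WINDOW_SIZE)]

    def dispersed(w):     # 50 distinct destinations, entropy about 5.64 bits
        return [f"10.{w}.0.{i + 1}" for i in range(WINDOW_SIZE)]

    plan = {
        1: [concentrated] * 5,                                          # stays below threshold
        2: [dispersed] * 5,                                             # sustained anomaly
        3: [dispersed, dispersed, concentrated, dispersed, dispersed],  # streak broken
    }
    packets = []
    for w in range(5):
        for port, windows in plan.items():
            packets.extend((port, dst) for dst in windows[w](w))
    return packets


def run_predetection(packets):
    """Replay packets; return the rate-limited ports and the trigger events."""
    detector = PortPreDetector()
    events = []   # (packet index, port) at the moment rate limiting is triggered
    for idx, (port, dst) in enumerate(packets):
        if detector.observe(port, dst):
            events.append((idx, port))
    return detector.rate_limited, events


if __name__ == "__main__":
    limited, events = run_predetection(constructed_traffic())
    print("rate-limited ports:", sorted(limited))
    print("trigger events:", events)
```

Port 3 in the sample shows why the streak counter matters: four of its five windows exceed the threshold, but never three in a row, so it is not throttled.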
- Step 2: The agent module constructs the acquired data message as a characteristic message
- the agent module on the controller side constructs characteristic messages according to the request sent by the switch to the controller, statistical messages and the data held by the controller side, and forwards these messages to the high-performance computer running the detection algorithm;
- the characteristic message includes an index part and a characteristic domain part
- the feature domain part includes control information and combined features
- the combined characteristics include the average number of data packets per flow, the average number of bytes per flow, the average duration of each flow, the percentage of symmetric flow, the increase of unidirectional flow, the amount of port change, and the rate of change of asymmetric flow;
- this message mainly contains two parts: the first part is the index part, including the Index field and the metadata field; the Index field includes the Datapath_ID of the switch and the OpenFlow matching field; the metadata field includes some additional information, including the timestamp and the origin of the flow information;
- the second part is the characteristic domain, which is mainly divided into two categories.
- the first category is the control information directly obtained through the OpenFlow control protocol.
- the switch sends the statistics information of the current switch to the controller at regular intervals. This information can be extracted directly from the data packets;
- the second type is combined features, which are calculated by predefined formulas. These features are often unique to SDN networks and can make full use of the advantages of SDN networks, such as computing how much traffic can be output to its associated port;
- Average number of data packets of the flow: one of the main features of DDoS attacks is source IP spoofing, which makes the task of tracking the source of the attack very difficult.
- One side effect is that the generated stream has only a small number of packets, that is, there are about 3 packets per stream. Considering that normal traffic usually contains more data packets, the median is calculated. Before calculating this value, the streams are sorted in ascending order according to the number of packets in each stream. The formula is as follows:
- Num_Packages(n/2) is the number of data packets in the n/2th stream
- Num_Packages ((n+1)/2) is the number of data packets in the (n+1)/2th stream
- n is the total number of data packets in the stream
- flow byte i is the number of bytes of the i-th flow
- Duration ((n+1)/2) is the duration of the (n+1)/2th stream
- Symmetric flow proportion: this feature measures how many paired flows there are among the flows within a certain interval. For example, given any two flows, check the following conditions to verify whether these flows constitute a symmetric flow: (1) the source IP of flow one is equal to the destination IP of flow two; (2) the destination IP of flow one is equal to the source IP of flow two; (3) the two flows have the same communication protocol. DDoS attacks increase the number of single flows entering the network because they send packets with fake IPs. To calculate the percentage of this occurrence, the formula is as follows:
- Num_Pair-flows is the number of symmetric flows
- Asymmetric flow rate of change: at the beginning of a DDoS attack, the number of flows may increase sharply. To calculate this increase, subtract twice the number of paired flows from the total number of flows, then divide by the time interval over which the flow characteristics are analyzed:
- interval is the time interval
- Port changes: like the IP spoofing caused by DDoS attacks, ports can also be randomly generated by the attack. The following formula is calculated as the feature that measures port change:
- Num_ports is the total number of destination ports counted in the unit time interval
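The combined features described above, as an added Python example (not code from the patent) computed over one window of flow records. The `Flow` record layout and the sample flows are constructed. The median, the pairing conditions and the growth of single flows follow the text; because the formulas for the symmetric-flow percentage and the port change are missing from this page, `2 * pairs / flows` and `distinct destination ports / interval` are assumed forms.

```python
from collections import Counter, namedtuple
from statistics import median

# Hypothetical flow record; field names are assumptions for this example.
Flow = namedtuple("Flow", "src_ip dst_ip proto dst_port packets bytes duration")


def count_pair_flows(flows):
    """Count symmetric pairs: source and destination swapped, same protocol."""
    seen = Counter((f.src_ip, f.dst_ip, f.proto) for f in flows)
    pairs = 0
    for (src, dst, proto), n in seen.items():
        if src < dst:  # visit each unordered address pair once
            pairs += min(n, seen.get((dst, src, proto), 0))
    return pairs


def combined_features(flows, interval):
    """Combined features for the flows observed during `interval` seconds."""
    if not flows or interval <= 0:
        raise ValueError("need at least one flow and a positive interval")
    n = len(flows)
    pairs = count_pair_flows(flows)
    return {
        # Median over flows sorted by packet count, as described in the text.
        "median_packets_per_flow": median(f.packets for f in flows),
        "average_bytes_per_flow": sum(f.bytes for f in flows) / n,
        "median_duration": median(f.duration for f in flows),
        # Assumed form: share of flows that belong to a symmetric pair.
        "pair_flow_ratio": 2 * pairs / n,
        # From the text: (total flows - 2 * paired flows) / interval.
        "single_flow_growth": (n - 2 * pairs) / interval,
        # Assumed form: distinct destination ports per unit time.
        "port_change": len({f.dst_port for f in flows}) / interval,
    }


def constructed_windows():
    """Constructed sample: a quiet window and the same window under spoofed traffic."""
    normal = [
        Flow("10.0.0.1", "10.0.0.2", "tcp", 80, 20, 24000, 4.0),
        Flow("10.0.0.2", "10.0.0.1", "tcp", 50000, 18, 90000, 4.0),
        Flow("10.0.0.1", "10.0.0.3", "udp", 53, 10, 800, 1.0),
        Flow("10.0.0.3", "10.0.0.1", "udp", 50001, 12, 2400, 1.0),
    ]
    # Spoofed sources never see a reply, so these flows stay unpaired and short.
    spoofed = [
        Flow(f"198.51.100.{i}", "10.0.0.2", "tcp", 1000 + i, 3, 180, 0.1)
        for i in range(1, 7)
    ]
    return normal, normal + spoofed


if __name__ == "__main__":
    for name, window in zip(("normal", "attack"), constructed_windows()):
        print(name, combined_features(window, interval=5.0))
```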
- Step 3: Send the characteristic message to the pre-built detection model to obtain the detection result
- the construction method of the detection model includes the following steps:
- the method includes the following steps:
- After a period of time, the server has collected enough messages from the controller and starts to build the data set. First, the messages are divided into several groups of samples; each group of samples represents a port and its corresponding characteristics. Then each sample is marked: no attack is marked as 0, DDoS attacks launched through IP address forgery are marked as 1, SYN flooding is marked as 2, UDP flooding is marked as 3, and ICMP flooding is marked as 4, so that the corresponding treatment can be applied according to the type of DDoS attack. After the marking is completed, the data set is divided into a training sample set and a test sample set. The training sample set is named train.txt, and the test sample set is named test.txt;
- the method of feature selection includes the following steps:
- RFE selects features by repeatedly constructing models and recursively considering smaller and smaller feature sets. After multiple iterations, the optimal feature subset can be obtained. This can ensure the accuracy of detection and speed up the detection process.
- Figure 4 is a flowchart of RFE feature selection. Each iteration includes the following steps:
- the training method includes the following steps:
- Take the training set and the threshold of the Gini coefficient as input;
- Gini coefficient mainly measures the impurity of the data partition or the training data set D. The smaller the Gini coefficient, the higher the purity of the sample (that is, the higher the probability that the sample belongs to the same class).
- the Gini Split info (Gini split information) of the feature can be obtained, that is, Gini Gain (Gini gain).
- the formula is as follows:
- Gini(p) is the Gini coefficient of the probability distribution
- p_k is the probability that the selected sample belongs to category k
- K is the number of categories in the sample set D.
- if sample set D is divided into two parts, set D1 and set D2, according to a certain feature (such as the average number of bytes of the flow), this can be expressed as the following formula:
- A represents a feature of the divided data set
- Gini(D1) represents the uncertainty of the set D1
- Gini(D2) represents the uncertainty of the set D2
- Gini(D,A) represents the uncertainty of the set D after it is divided by A.
- Gini(D) is the Gini coefficient before splitting
- Gini_A(D) is the Gini coefficient after splitting according to feature A
- Δ_A(D) is the difference between before and after splitting
- the root node contains all training tuples, and each tuple is composed of multiple attributes. By calculating the difference of the Gini index after splitting several times, the best splitting criterion and splitting value can be obtained after comparison. Next, the node is divided into two from this split value.
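The split search described above, as an added Python example (not code from the patent). It uses the standard CART definitions, Gini(D) = 1 - Σ p_k² and the size-weighted Gini of D1 and D2, and returns the feature and split value with the largest Gini gain, which is the same choice as the smallest Gini coefficient after splitting. The feature values are constructed; labels use the page's marking (0 = no attack, 1 = DDoS through IP address forgery).

```python
from collections import Counter


def gini(labels):
    """Gini coefficient of a label set: 1 - sum over classes of p_k squared."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def gini_after_split(left, right):
    """Size-weighted Gini coefficient of the two parts D1 and D2."""
    n = len(left) + len(right)
    return len(left) / n * gini(left) + len(right) / n * gini(right)


def best_split(rows, labels, feature_names):
    """Return (feature, split value, Gini gain) of the best binary split.

    Candidate split values are the midpoints between consecutive distinct
    values of each feature; a row goes left when its value is <= the split.
    """
    before = gini(labels)
    best = (None, None, 0.0)
    for j, name in enumerate(feature_names):
        values = sorted({row[j] for row in rows})
        for lo, hi in zip(values, values[1:]):
            split = (lo + hi) / 2
            left = [y for row, y in zip(rows, labels) if row[j] <= split]
            right = [y for row, y in zip(rows, labels) if row[j] > split]
            gain = before - gini_after_split(left, right)
            if gain > best[2]:
                best = (name, split, gain)
    return best


# Constructed training samples: one row per port,
# (median packets per flow, average bytes per flow).
FEATURES = ("median_packets_per_flow", "average_bytes_per_flow")
ROWS = [
    (15, 900), (14, 120), (18, 800), (3, 100),
    (3, 950), (4, 700), (12, 150), (2, 850),
]
LABELS = [0, 0, 0, 1, 1, 1, 0, 1]


if __name__ == "__main__":
    feature, split, gain = best_split(ROWS, LABELS, FEATURES)
    print(f"root split: {feature} <= {split} (Gini gain {gain})")
```

In this sample the packet-count feature separates the classes completely, while no split on the byte-count feature yields a pure node, so the root node splits on the packet count.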
- CART uses a cost-complexity method (Cost-Complexity Pruning, CCP) for pruning.
- CCP: Cost-Complexity Pruning
- if a trained decision tree has several child nodes under each node t, then the loss function C_α(t) before pruning is:
- C(t) is the prediction error in the case of no penalty term
- α is the regularization parameter.
- the originally generated CART tree is the optimal subtree.
- the loss function C_α(T_t) after pruning is:
- C(T_t) is the prediction error of the training data
- is the number of leaf nodes of the subtree T
- T_t is the tree with t as the root node.
- the method of calculating the error gain of α is: α starts from 0 and increases to a certain value to make the loss functions before and after pruning exactly equal.
- the formula is as follows:
- after the error gain is calculated, the t with the smallest α is selected for pruning to obtain the subtree T1; the above process is performed recursively, finally yielding {T_0, T_1, T_2, ..., T_n};
- Step 4: Make decision instructions based on the test results
- Decision-making instructions include blocking the host, blocking the port and isolating the host;
- Step 5: The agent module executes the control operation according to the decision instruction
- the method of execution includes the following steps:
- the controller performs the operation of discarding the attacking data packet
- the controller executes the operation of blocking the responding attack port
- the controller performs the operation of discarding all data packets from the attack source host.
- after CART decision tree training is completed, the tree can be used to detect DDoS attacks.
- the decision-making module is used to make corresponding actions according to the type of DDoS attack after detecting the attack to alleviate the impact caused by the DDoS attack.
- the decision-making module realizes the function of controlling the data plane through the agent.
Claims (10)
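- A method for detecting and defending against DDoS attacks in an SDN environment, characterized in that the method comprises the following steps: an agent module constructs the acquired data messages as characteristic messages; the characteristic messages are sent to a pre-built detection model to obtain a detection result; a decision instruction is made according to the detection result; the agent module executes a control operation according to the decision instruction.
- The method for detecting and defending against DDoS attacks in an SDN environment according to claim 1, characterized in that the method for constructing the detection model comprises the following steps: constructing a data set from the characteristic messages; performing feature selection and training on the data set to obtain a feature subset; iterating over the feature subset to obtain the detection model.
- The method for detecting and defending against DDoS attacks in an SDN environment according to claim 2, characterized in that the data message includes one or more of a request sent by the switch to the controller, a statistical message, and data held by the controller.
- The method for detecting and defending against DDoS attacks in an SDN environment according to claim 1, characterized in that the characteristic message includes an index part and a characteristic domain part, and the characteristic domain part includes control information and combined features; the combined features include one or more of the average number of data packets of the flow, the average number of bytes per flow, the average duration of each flow, the proportion of symmetric flow, the rate of change of asymmetric flow, and the amount of port change.
- The method for detecting and defending against DDoS attacks in an SDN environment according to claim 2, characterized in that the method for constructing the data set from the characteristic messages comprises the following steps: generating several groups of samples from the characteristic messages; labeling each group of samples; dividing the labeled samples into a training sample set and a test sample set, which together are the data set.
- The method for detecting and defending against DDoS attacks in an SDN environment according to claim 2, characterized in that the method for performing feature selection on the data set comprises the following steps: classifying the data set with a classifier and obtaining classification weights for the features; taking the absolute value of the feature weights and sorting them; filtering the feature weights according to the sorted absolute values.
- The method for detecting and defending against DDoS attacks in an SDN environment according to claim 2, characterized in that the training method comprises the following steps: taking the training set and the threshold of the Gini coefficient as input; selecting a feature, calculating the Gini coefficient of each of its attributes according to the type of the feature, and finally selecting the feature with the smallest Gini coefficient and its corresponding attribute as the splitting basis; dividing the sample set into child nodes and recursing the above process until the Gini coefficient is less than the threshold or there are no features left, then outputting the decision tree; pruning the decision tree to generate the detection model.
- The method for detecting and defending against DDoS attacks in an SDN environment according to claim 1, characterized in that the method for sending the acquired messages to the pre-built detection model to obtain the detection result comprises the following steps: obtaining the destination address entropy of the data packets at the incoming port; comparing the obtained entropy with a threshold; when the entropy values of no fewer than 3 ports are greater than the threshold, determining that an attack exists and limiting the rate of the ports.
- The method for detecting and defending against DDoS attacks in an SDN environment according to claim 1, characterized in that the decision instruction includes one or more of blocking the host, blocking the port, and isolating the host.
- The method for detecting and defending against DDoS attacks in an SDN environment according to claim 1, characterized in that the method for controlling the state of the controller according to the decision instruction comprises the following steps: when the acquired decision instruction is blocking the host, the controller performs the operation of discarding the attacking data packets; when the acquired decision instruction is blocking the port, the controller performs the operation of blocking the responding attack port; when the acquired decision instruction is isolating the host, the controller performs the operation of discarding all data packets from the attack source host.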
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/321,535 US11848959B2 (en) | 2020-05-13 | 2021-05-17 | Method for detecting and defending DDoS attack in SDN environment |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010401640.9A CN111740950A (zh) | 2020-05-13 | 2020-05-13 | Method for detecting and defending against DDoS attacks in an SDN environment |
CN202010401640.9 | 2020-05-13 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/321,535 Continuation-In-Part US11848959B2 (en) | 2020-05-13 | 2021-05-17 | Method for detecting and defending DDoS attack in SDN environment |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021227322A1 (zh) | 2021-11-18 |
Family
ID=72647145
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/115251 WO2021227322A1 (zh) | 2020-05-13 | 2020-09-15 | Method for detecting and defending against DDoS attacks in an SDN environment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN111740950A (zh) |
WO (1) | WO2021227322A1 (zh) |
2020
- 2020-05-13 CN CN202010401640.9A patent/CN111740950A/zh active Pending
- 2020-09-15 WO PCT/CN2020/115251 patent/WO2021227322A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN111740950A (zh) | 2020-10-02 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
|  | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20935968; Country of ref document: EP; Kind code of ref document: A1 |
|  | NENP | Non-entry into the national phase | Ref country code: DE |
|  | 122 | Ep: pct application non-entry in european phase | Ref document number: 20935968; Country of ref document: EP; Kind code of ref document: A1 |
|  | 122 | Ep: pct application non-entry in european phase | Ref document number: 20935968; Country of ref document: EP; Kind code of ref document: A1 |
|  | 32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 03/07/2023) |
|  | 122 | Ep: pct application non-entry in european phase | Ref document number: 20935968; Country of ref document: EP; Kind code of ref document: A1 |