[1] Yan Qiao, Gong Qingxiang, and Yu Fei. The inhibition model of DDoS attacks in SDN networks[J]. Journal of Shenzhen University Science and Engineering, 2017, 34(No.6(551-660)): 562-569. [doi:10.3724/SP.J.1249.2017.06562]

The inhibition model of DDoS attacks in SDN networks

Journal of Shenzhen University Science and Engineering [ISSN: 1000-2618 / CN: 44-1401/N]

Volume:
Vol. 34
Issue:
2017, No.6(551-660)
Pages:
562-569
Column:
Electronics and Information Science
Publication date:
2017-11-20

Article Info

Title:
The inhibition model of DDoS attacks in SDN networks
Article ID:
201706003
Author(s):
Yan Qiao, Gong Qingxiang, and Yu Fei
College of Computer Science and Software Engineering, Shenzhen University, Shenzhen 518060, Guangdong Province, P.R. China
Keywords:
communication system; software defined networking; OpenFlow protocol; distributed denial of service attacks; fuzzy synthetic evaluation decision-making model
Classification number:
TP 393
DOI:
10.3724/SP.J.1249.2017.06562
Document code:
A
Abstract:
In software defined networking (SDN), the controller may come under distributed denial of service (DDoS) attack, which exposes the SDN network to the threat of a single point of failure. This paper proposes a model to suppress DDoS attacks in SDN. The model extends the SDN application layer with a DDoS detection module and a multiple timeslot (MSlot) algorithm module. For attack detection, the DDoS detection module uses a fuzzy synthetic evaluation decision-making model: it combines multiple flow characteristic indexes to detect the occurrence of DDoS in real time, and uses a DDoS comprehensive evaluation score to describe the strength of the attack. For handling DDoS attack flows, the MSlot algorithm module applies a time slice allocation strategy chosen according to the detection result, so that the SDN network can effectively protect the communication of legitimate users under DDoS attack. To test the model, DDoS attacks of different intensities are simulated. The results show that, in SDN networks, the fuzzy synthetic evaluation decision-making model has a better detection rate and accuracy than some DDoS detection algorithms based on a single flow characteristic index, and that during a DDoS attack the MSlot algorithm module, allocating time slices according to the detection result, protects the communication quality of legitimate users more effectively than some SDN controller scheduling algorithms that use only multiple logical queues with a polling mechanism.

Memo
Received: 2017-02-09; Accepted: 2017-06-01
Foundation: National Natural Science Foundation of China (61672358)
Corresponding author: Professor Yan Qiao. E-mail: yanq@szu.edu.cn
Citation: Yan Qiao, Gong Qingxiang, Yu Fei. The inhibition model of DDoS attacks in SDN networks[J]. Journal of Shenzhen University Science and Engineering, 2017, 34(6): 562-569. (in Chinese)
About the author: Yan Qiao (1972-), female, professor at Shenzhen University. Research interest: cyberspace security. E-mail: yanq@szu.edu.cn
Last Update: 2017-10-10