Similar literature
 20 similar documents found; search took 15 ms
1.
Software defined network (SDN) is a new kind of network technology, and its security problems are hot topics in the SDN field, such as SDN control channel security, forged service deployment and external distributed denial of service (DDoS) attacks. Aiming at the DDoS attack problem in SDN, a DDoS attack detection method called DCNN-DSAE, based on a deep learning hybrid model in SDN, was proposed. In this method, when the deep learning model was constructed, the input features included 21 different types of fields extracted from the data plane and 5 extra self-designed features for distinguishing flow types. The experimental results show that the method has high accuracy and is better than the traditional support vector machine (SVM), deep neural network (DNN) and other machine learning methods. At the same time, the proposed method can also shorten the processing time of classification detection. The detection model is deployed in the SDN controller, and the new security policy is sent to the OpenFlow switch to achieve defense against specific DDoS attacks.

2.
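Distributed denial of service (DDoS) attack is a distributed, cooperative, large-scale form of network attack. A deep-learning-based DDoS attack detection method is proposed, comprising two stages, feature processing and model detection: the feature processing stage performs feature extraction, format conversion and dimension reconstruction on the input data packets; the model detection stage feeds the processed features into a deep learning network model for detection, judging whether the input data packets are DDoS attack packets. The model is trained on the ISCX2012 dataset and validated with real-time DDoS attacks. The results show that the deep-learning-based DDoS attack detection method has the advantages of high detection accuracy, low dependence on software and hardware equipment, and a deep learning network model that is easy to update.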

3.
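张洋 (Zhang Yang). 《电子测试》 (Electronic Test), 2016, (19): 11-13
With the development of technologies such as cloud computing and big data, traditional networks can no longer meet the demands of rapid development. The emergence of software defined networking (SDN) has brought a transformation in network development; although SDN has already seen some application, it is still at the stage of research and refinement. This paper describes the key technologies and main protocols of SDN, analyzes the security problems SDN faces, proposes a DDoS attack detection method based on flow table features, and gives a corresponding attack mitigation scheme.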

4.
This paper presents a systematic method for DDoS attack detection. A DDoS attack can be considered a system anomaly or misuse through which abnormal behavior is imposed on network traffic. Attack detection can be performed via abnormal behavior identification. Network traffic characterization with behavior modeling could be a good indication for attack detection. Aggregated traffic has been found to be strongly bursty across a wide range of time scales. Wavelet analysis is able to capture complex temporal correlation across multiple time scales with very low computational complexity. We utilize energy distribution based on wavelet analysis to detect DDoS attack traffic. Energy distribution over time will have limited variation if the traffic keeps its behavior over time (i.e. attack-free situation), while an introduction of attack traffic in the network will elicit significant energy distribution deviation in a short time period. Our experimental results with a typical Internet traffic trace show that energy distribution variance markedly changes, causing a spike when traffic behaviors are affected by a DDoS attack. In contrast, normal traffic exhibits a remarkably stationary energy distribution. In addition, this spike in energy distribution variance can be captured in the early stages of an attack, far ahead of congestion build-up, making it an effective means of detecting the attack.

5.
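Denial-of-service attacks have become an important means of attack threatening Internet security. This paper introduces the concept of distributed denial of service (DDoS) attacks, analyzes the principles of DDoS attacks, and finally introduces the advantages and disadvantages of various IP traceback techniques.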

6.
Meejoung Kim. 《ETRI Journal》, 2019, 41(5): 560-573
Two supervised learning algorithms, a basic neural network and a long short‐term memory recurrent neural network, are applied to traffic including DDoS attacks. The joint effects of preprocessing methods and hyperparameters for machine learning on performance are investigated. Values representing attack characteristics are extracted from datasets and preprocessed by two methods. Binary classification and two optimizers are used. Some hyperparameters are obtained exhaustively for fast and accurate detection, while others are fixed with constants to account for performance and data characteristics. An experiment is performed via TensorFlow on three traffic datasets. Three scenarios are considered to investigate the effects of learning former traffic on sequential traffic analysis and the effects of learning one dataset on application to another dataset, and determine whether the algorithms can be used for recent attack traffic. Experimental results show that the used preprocessing methods, neural network architectures and hyperparameters, and the optimizers are appropriate for DDoS attack detection. The obtained results provide a criterion for the detection accuracy of attacks.

7.
Traditional wavelet methods are not efficient at detecting real-time traffic anomalies. To address this drawback, on the basis of self-similarity and wavelet analysis, this paper proposes a real-time method for DDoS attack detection. Firstly, to effectively analyze the new network state, we extracted data packets from the network monitor in the backward time direction. Secondly, to reduce the admissible computing time, we applied time scale self-adjustment according to the arrival speed of the last packets. Finally, we adopted three parallel computing strategies to improve real-time performance. Experimental results show that the proposed method can quickly and accurately detect DDoS attacks.

8.
Detecting malicious behavior is important for preventing security threats in a computer network. Denial of Service (DoS) is among the popular cyber attacks targeted at web sites of high‐profile organizations and can potentially have high economic and time costs. In this paper, several machine learning methods including ensemble models and autoencoder‐based deep learning classifiers are compared and tuned using Bayesian optimization. The autoencoder framework enables the extraction of new features by mapping the original input to a new space. The methods are trained and tested for both binary and multi‐class classification on the Digiturk and Labris datasets, which were introduced recently for detecting various types of DDoS attacks. The best performing methods are found to be ensembles, though deep learning classifiers achieved a comparable level of accuracy.

9.
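Distributed denial of service (DDoS) attacks are highly destructive to networks and seriously affect the normal operation of live networks. Although traffic scrubbing systems against DDoS have already been deployed in live networks, low-volume attacks are harder to perceive than flood-type attacks and therefore cannot be scrubbed effectively. This paper analyzes the principles of low-volume DDoS attacks in networks and the current state of defenses, and proposes a resource-awareness-based defense method against low-volume DDoS attacks.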

10.
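A communication quality assurance strategy for software defined networking (SDN) that organically combines DDoS threat identification with routing optimization is proposed: when a DDoS attack congests some network links, abnormal data packets are identified and filtered while an optimal path is generated, so as to guarantee network communication quality. First, a distributed intrusion detection system under the SDN architecture was designed, implementing detection, identification and filtering of three classes of DDoS threats: spoofed packets, abnormal packets and destructive packets. Second, an optimal path generation algorithm was implemented. Experimental test results show that an SDN deployed with the communication quality assurance strategy can effectively identify and filter out DDoS attack packets, with no surge in average network transmission delay during processing.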

11.
Improving Resilience against DDoS Attack in Unstructured P2P Networks   Total citations: 4, self-citations: 0, citations by others: 4
In unstructured peer-to-peer (P2P) systems such as Gnutella, a general routing search algorithm blindly floods a query through the network among peers. Unfortunately, malicious nodes could easily make use of this search approach to launch a distributed denial of service (DDoS) attack aimed at the whole network. To alleviate or minimize the harmful effect of malicious nodes using the flooding search mechanism, the paper proposes a Markov-based evaluation model that uses a trust and reputation mechanism to compute the trustworthiness of nodes holding the requested information by evaluating the nodes' historical behavior. Moreover, it can identify malicious nodes as early as possible in order to isolate them and control the messages they transmit. Simulation results for the proposed algorithm show that it can effectively isolate malicious nodes and hold back the transmission of malicious messages, enhancing tolerance of flooding-based DDoS in Gnutella-like P2P networks.

12.
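Wavelet Analysis Method for Detecting DDoS Attacks Based on Self-Similarity   Total citations: 30, self-citations: 2, citations by others: 30
To address the problem that traditional detection methods cannot effectively detect weak DDoS attacks or distinguish busy traffic from attacks, and based on a study of the effect of DDoS attacks on the self-similarity of network traffic, a wavelet analysis method for detecting DDoS attacks is proposed, and a model that uses this method to detect DDoS attacks is designed. Some key problems in implementing the method, namely wavelet selection and solving for the Hurst parameter, are resolved. Experiments show that the proposed method can recognize busy traffic and detect the change in Hurst parameter value caused by weak DDoS attacks, and is more accurate and sensitive than traditional detection methods.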

13.
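When a software defined network (SDN) is subjected to a distributed denial of service (DDoS) attack, the attacker sends a large number of packets, producing a large number of new terminal identifiers that occupy network connection resources and affect the normal operation of the network. To accurately find the attacked object and detect the occupied resources, this paper uses GHSOM to propose a DDoS attack detection method based on object features. First, combining the characteristics of SDN networks and of the attacks, a destination-address-based detection 7-tuple is proposed and used as the detection element for judging whether a destination address is under DDoS attack. Then, using a modular design, the GHSOM algorithm is applied to the analysis and detection of DDoS attacks in SDN networks, and simulation experiments were completed on the OpenDayLight simulation platform. The experimental results show that the proposed detection 7-tuple can effectively detect whether a target object is under DDoS attack.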

14.
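Research on Defending against DDoS Attacks on Streaming Media Services   Total citations: 1, self-citations: 0, citations by others: 1
Distributed Denial of Service (DDoS) attacks are currently one of the hardest network security problems to solve. Based on a study of vulnerabilities in the RTSP (Real-Time Streaming Protocol) protocol, an effective scheme for defending streaming media services against DDoS attacks is proposed. The scheme is based on the variance-time plot (VTP) method: it computes the Hurst self-similarity parameter, uses the property that normal network traffic conforms to a self-similar model to detect DDoS attacks, and additionally applies blacklist and whitelist techniques to process traffic. Finally, simulation experiments were carried out with the MATLAB simulation tool and the results were analyzed; on the basis of protocol analysis, traffic can be controlled reasonably, giving DDoS attack detection high accuracy and real-time performance, and the bandwidth and resources of the target streaming media server were effectively protected.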

15.
Mobile ad hoc networks (MANETs) have a flexible framework with no server, where conventional security components fail to meet MANET security needs because a MANET is confined to a particular environment, its data transfer potential, and battery and memory constraints. A MANET provides a well‐grounded path and efficiency in communication, but the confidentiality of the trust parameters remains a great challenge since they may be overheard by an impostor. This demands the exchange of encrypted mathematical values. The proposed machine learning security paradigm provides a firm and trustworthy network in spite of establishment over an additional network platform. The QoS is improved through a support vector machine for denial‐of‐service attack. The nodes have to be clustered to accomplish their respective tasks. The clustering is done with the help of the LEACH protocol, where cluster head and cluster member are fixed to transfer the data in the network. Low Energy Adaptive Clustering Hierarchy (LEACH) propagates energy to abstain from draining of battery and malignant network. A secure framework is built along with encryption and decoding to protect from denial‐of‐service attack. Acknowledgement‐based flooding attack has been focused on with the help of the support vector machine algorithm. The messages are encoded at the source node and coded again during the transmission phase to obtain the original message. Defending the traditional methodologies, the proposed work provides excellent QoS when compared and tested with other protocols. The results obtained ensure its efficiency when the support vector machine technique is combined with the encryption scheme.

16.
Software defined networking (SDN) simplifies the network architecture, while the controller is also faced with a security threat of "single point of failure". Attackers can send a large number of forged data flows that do not exist in the flow tables of the switches, affecting the normal performance of the network. In order to detect the existence of this kind of attack, a DDoS attack detection method based on conditional entropy and GHSOM in SDN (MBCE&G) was presented. Firstly, according to the phased features of DDoS, the damaged switch in the network was located to find the suspect attack flows. Then, according to the diversity characteristics of the suspected attack flow, the quaternion feature vector was extracted in the form of conditional entropy, as the input features of the neural network for more accurate analysis. Finally, the experimental environment was built to complete the verification. The experimental results show that the MBCE&G detection method can effectively detect DDoS attacks in an SDN network.

17.
Machine learning technology has wide application in botnet detection. However, with the changes in the forms and command and control mechanisms of botnets, selecting features manually becomes increasingly difficult. To solve this problem, a botnet detection system called BotCatcher based on deep learning was proposed. It automatically extracted features from the time and space dimensions, and established a classifier through multiple neural network constructions. BotCatcher does not depend on any prior knowledge about the protocol and the topology, and works without manually selecting features. The experimental results show that the proposed model has good performance in botnet detection and has the ability to accurately identify botnet traffic.

18.
To address the problem of two typical types of distributed denial of service (DDoS) attacks in cloud environments, a DDoS attack detection and prevention scheme called SDCC, based on software defined network (SDN) architecture, was proposed. SDCC used a combination of bandwidth detection and data flow detection, utilized a confidence-based filtering (CBF) method to calculate the CBF score of packets, judged a packet with a CBF score below the threshold to be an attacking packet, added its attribute information to the attack flow feature library, and sent the flow table to intercept it through the SDN controller. Simulation results show that SDCC can detect and prevent different types of DDoS attacks effectively, and that it has high detection efficiency, reduces the controller's computation overhead, and achieves a low false positive rate.

19.
To solve the problem that QoS optimization schemes based on heuristic algorithms often degrade due to the mismatch between parameters and network characteristics in software-defined networking scenarios, a software-defined networking QoS optimization algorithm based on deep reinforcement learning was proposed. Firstly, the network resources and state information were integrated into the network model; then the flow perception capability was improved by long short-term memory; and finally a dynamic flow scheduling strategy, which satisfied the specific QoS objectives, was generated in combination with deep reinforcement learning. The experimental results show that, compared with the existing algorithms, the proposed algorithm not only ensures the end-to-end delay and packet loss rate, but also improves the network load balancing by 22.7% and increases the throughput by 8.2%.

20.
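In modern society, the Internet has become basic infrastructure for people's lives, so network security is especially important. DDoS attacks cause incalculable losses to the normal operation of network services, while existing DDoS defense methods are designed primarily to protect the server, resulting in over-protection that harms users' usage rights. This article designs and proposes a method that, giving priority to users' access rights, is implemented through four modules (network packet capture, an analysis and function restriction module, CAPTCHA, and a blacklist), mitigating the excessive damage DDoS attacks cause to the server and keeping the server running while continuously improving service. Experiments show that it can effectively keep the server running while resisting the risks brought by DDoS attacks.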
