Low-rate denial-of-service attack detection method under software defined network environment

doi:10.11772/j.issn.1001-9081.2021061100

Journal of Computer Applications ›› 2022, Vol. 42 ›› Issue (4): 1301-1307.DOI: 10.11772/j.issn.1001-9081.2021061100

Special Issue: 网络空间安全

• Cyber security • Previous Articles Next Articles

Low-rate denial-of-service attack detection method under software defined network environment

Xiangju LIU, Xiaobao LU(), Xianjin FANG, Linsong SHANG

School of Computer Science and Engineering，Anhui University of Science and Technology，Huainan Anhui 232001，China

Received:2021-06-25 Revised:2021-09-13 Accepted:2021-09-28 Online:2021-10-18 Published:2022-04-10
Contact: Xiaobao LU
About author:LIU Xiangju， born in 1978， M. S.， associate professor. His research interests include Internet of things， software defined network， intelligent control.
FANG Xianjin， born in 1970， Ph. D.， professor. His research interests include network and information security， intelligent computing.
SHANG Linsong， born in 1996， M. S. candidate. His research interests include software defined network， programmable data plane.
Supported by:
National Natural Science Foundation of China(61572034);Anhui Province Science and Technology Major Special Project(18030901025)

软件定义网络环境下的低速率拒绝服务攻击检测方法

刘向举, 路小宝(), 方贤进, 尚林松

安徽理工大学计算机科学与工程学院，安徽淮南 232001

通讯作者: 路小宝
作者简介:刘向举（1978—），男，黑龙江双城人，副教授，硕士，主要研究方向：物联网、软件定义网络、智能控制
方贤进（1970—），男，安徽舒城人，教授，博士，主要研究方向：网络与信息安全、智能计算
尚林松（1996—），男，安徽淮南人，硕士研究生，主要研究方向：软件定义网络、可编程数据平面。
基金资助:
国家自然科学基金资助项目(61572034);安徽省科技重大专项(18030901025)

Abstract

Abstract:

Low-rate Denial of Service （LDoS） attack is an improved form of Denial of Service （DoS） attack， which is difficult to detect due to its low average attack rate and strong concealment. To solve the above difficulty， a LDoS attack detection method based on Weighted Mean-Shift K-Means algorithm （WMS-Kmeans） under the architecture of Software-Defined Network （SDN） was proposed. Firstly， by obtaining the flow table information of OpenFlow switch， the six-tuple characteristics of LDoS attack traffic in SDN environment were analyzed and extracted. Then， the percentage error of average absolute value was used as the weight of the Euclidean distance in the mean shift clustering， and the resulting cluster center was used as the initial center of K-Means to cluster the flow table， so as to realize the detection of LDoS attacks. The experimental results show that the proposed method has high detection performance against LDoS attacks in the SDN environment， with an average detection rate of 99.29%， an average false alarm rate of 1.97% and an average missing alarm rate of 0.69%.

Key words: Software Defined Network (SDN), Low-rate Denial of Service (LDoS) attack, Weighted Mean-Shift K-Means (WMS-Kmeans) algorithm, attack detection

摘要：

低速率拒绝服务（LDoS）攻击是一种拒绝服务（DoS）攻击改进形式，因其攻击平均速率低、隐蔽性强，使得检测LDoS攻击成为难点。针对上述难点，提出了一种在软件定义网络（SDN）的架构下，基于加权均值漂移-K均值算法（WMS-Kmeans）的LDoS攻击检测方法。首先，通过获取OpenFlow交换机的流表信息，分析并提取出SDN环境下LDoS攻击流量的六元组特征；然后，利用平均绝对值百分比误差作为均值漂移聚类中欧氏距离的权值，以此产生的簇心作为K-Means的初始中心对流表进行聚类，从而实现LDoS攻击的检测。实验结果表明：在SDN环境下，所提方法对LDoS攻击具有较好的检测性能，平均检测率达到99.29%，平均误警率和平均漏警率分别为1.97%和0.69%。

关键词: 软件定义网络, 低速率拒绝服务攻击, 加权均值漂移-K均值算法, 攻击检测

CLC Number:

TP393.08

Xiangju LIU, Xiaobao LU, Xianjin FANG, Linsong SHANG. Low-rate denial-of-service attack detection method under software defined network environment[J]. Journal of Computer Applications, 2022, 42(4): 1301-1307.

刘向举, 路小宝, 方贤进, 尚林松. 软件定义网络环境下的低速率拒绝服务攻击检测方法[J]. 《计算机应用》唯一官方网站, 2022, 42(4): 1301-1307.

Figures/Tables 10

Fig. 1 Model of LDoS attack

Fig. 2 Relationship of packet_in packet number and average packet length

Fig. 3 TCP standard deviation change

Fig. 4 Change of entropy

Fig. 5 Experimental topology

Tab. 1 Parameters of LDoS attack

组号	T/s	L/s	R/（ $M b · s - 1$ ）
1	1	0.2	12
2	1	0.2	14
3	1	0.1	12

Tab. 1 Parameters of LDoS attack

组号	T/s	L/s	R/（ $M b · s - 1$ ）
1	1	0.2	12
2	1	0.2	14
3	1	0.1	12

Tab. 2 Changes of three evaluation indexes with different h values

h	I_DR			I_FAR			I_MAR
h	1	2	3	1	2	3	1	2	3
0.2	100.00	98.94	98.95	3.70	2.22	0.00	0.00	1.05	1.04
0.3	97.34	97.89	98.95	3.70	0.00	0.00	2.65	2.10	1.04
0.4	97.34	96.84	96.87	0.00	0.00	0.00	2.65	3.15	3.12
0.5	96.46	96.84	96.87	0.00	0.00	0.00	3.53	3.15	3.12
0.6	90.26	95.78	96.87	0.00	0.00	0.00	9.73	4.21	3.12
0.7	90.26	94.73	96.87	0.00	0.00	0.00	9.73	5.26	3.12

Tab. 3 K-Means algorithm evaluation index（k=5）

组号	I_DR	I_FAR	I_MAR
1	97.34	0.00	2.65
2	98.94	4.44	1.05
3	96.87	1.61	3.12

Tab. 4 Comparative in proposed method and K-Means algorithm

算法	I_DR	I_FAR	I_MAR
K-Means算法	97.71	2.01	2.27
本文方法	99.29	1.97	0.69

Tab. 5 Different detection methods comparison

检测方法	I_DR	I_FAR	I_MAR
CUSUM算法	96.00	8.00	4.00
MF-Adaboost算法	97.32	5.87	2.68
HSMM模型	98.00	4.00	2.00
双滑动窗口法	98.30	1.20	―
本文方法	99.29	1.97	0.69

References 23

1	HE Y X， LIU T， CAO Q， et al. A survey of low-rate denial-of-service attacks［J］. Journal of Frontiers of Computer Science and Technology， 2008， 2（1）：1-19.
2	MONGELLI M， AIELLO M， CAMBIASO E.et al. Detection of DoS attacks through Fourier transform and mutual information［C］//Proceedings of the 2015 IEEE International Conference on Communications. Piscataway： IEEE， 2015：7204-7209. 10.1109/icc.2015.7249476
3	文坤，杨家海，张宾.低速率拒绝服务攻击研究与进展综述［J］.软件学报，2014，25（3）：591-605. 10.13328/j.cnki.jos.004520
	WEN K， YANG J H， ZHANG B. Survey on research and progress of low-rate denial of service attacks［J］. Journal of Software， 2014， 25（3）：591-605. 10.13328/j.cnki.jos.004520
4	KUZMANOVIC A， KNIGHTLY E W. Low-rate TCP-targeted denial of service attacks and counter strategies［J］. IEEE/ACM Transactions on Networking， 2006， 14（4）：683-696. 10.1109/tnet.2006.880180
5	谢升旭，魏伟，邢长友，等.面向SDN拓扑发现的LDoS攻击防御技术研究［J］.计算机工程与应用，2020，56（10）：88-93. 10.1007/978-981-15-9031-3_8
	XIE S X， WEI W， XING C Y， et al. Research on LDoS attack defense technology for SDN topology discovery［J］.Computer Engineering and Applications， 2020， 56（10）：88-93. 10.1007/978-981-15-9031-3_8
6	张朝昆，崔勇，唐翯祎，等.软件定义网络（SDN）研究进展［J］.软件学报，2015，26（1）：62-81. 10.13328/j.cnki.jos.004701
	ZHANG C K， CUI Y， TANG H Y， et al. State-of-the-art survey on software-defined networking （SDN）［J］. Journal of Software， 2015， 26（1）：62-81. 10.13328/j.cnki.jos.004701
7	岳猛，张才峰，吴志军.隐马尔科夫模型检测LDoS攻击方法的研究［J］.信号处理，2015，31（11）：1454-1460. 10.3969/j.issn.1003-0530.2015.11.010
	YUE M， ZHANG C F， WU Z J. The research of detecting LDoS attacks based on hidden Markov model［J］. Journal of Signal Processing， 2015， 31（11）：1454-1460. 10.3969/j.issn.1003-0530.2015.11.010
8	何炎祥，曹强，刘陶，等.一种基于小波特征提取的低速率DoS检测方法［J］.软件学报，2009，20（4）：930-941. 10.3724/SP.J.1001.2009.03302
	HE Y X， CAO Q， LIU T， et al. A low-rate DoS detection method based on feature extraction using wavelet transform［J］. Journal of Software， 2009， 20（4）：930-941. 10.3724/SP.J.1001.2009.03302
9	吴志军，曾化龙，岳猛. 基于时间窗统计的LDoS攻击检测方法的研究［J］.通信学报，2010，31（12）：55-62. 10.3969/j.issn.1000-436X.2010.12.007
	WU Z J， ZENG H L， YUE M. Approach of detecting LDoS attack based on time window statistic ［J］. Journal on Communications， 2010， 31（12）：55-62. 10.3969/j.issn.1000-436X.2010.12.007
10	苟峰，余谅，盛钟松.基于CUSUM算法的LDoS攻击检测方法［J］.四川大学学报（自然科学版），2020，57（3）：476-482. 10.3969/j.issn.0490-6756.2020.03.010
	GOU F， YU L， SHENG Z S. Detecting low-rate DoS attacks based on cumulative sum algorithm ［J］. Journal of Sichuan University（Natural Science Edition）， 2020， 57（3）：476-482. 10.3969/j.issn.0490-6756.2020.03.010
11	吴志军，潘卿波，岳猛.基于ACK序号步长的LDoS攻击检测方法［J］.通信学报，2018，39（7）：139-147. 10.11959/j.issn.1000-436x.2018126
	WU Z J， PAN Q B， YUE M. Detection method of LDoS attack based on ACK serial number step-length ［J］. Journal on Communications， 2018， 39（7）：139-147. 10.11959/j.issn.1000-436x.2018126
12	YUE M， LIU L， WU Z J， et al. Identifying LDoS attack traffic based on wavelet energy spectrum and combined neural network［J］. International Journal of Communication Systems， 2018， 31（2）：e3449. 10.1002/dac.3449
13	吴志军，张景安，岳猛，等.基于联合特征的LDoS攻击检测方法［J］.通信学报，2017，38（5）：19-30. 10.11959/j.issn.1000-436x.2017075
	WU Z J， ZHANG J A， YUE M， et al. Approach of detecting low-rate DoS attack based on combined features［J］. Journal on Communications， 2017， 38（5）：19-30. 10.11959/j.issn.1000-436x.2017075
14	TANG D， TANG L， SHI W， et al. MF-CNN： a new approach for LDoS attack detection based on Multi-feature fusion and CNN［J］. Mobile Networks and Applications， 2021， 26：1705-1722. 10.1007/s11036-019-01506-1
15	TANG D， MAN J P， TANG L， et al. WEDMS： an advanced mean shift clustering algorithm for LDoS attacks detection［J］. Ad Hoc Networks， 2020， 102： 102145. 10.1016/j.adhoc.2020.102145
16	陈兴蜀，滑强，王毅桐，等.云环境下SDN网络低速率DDoS攻击的研究［J］.通信学报，2019，40（6）：210-222. 10.11959/j.issn.1000-436x.2019120
	CHEN X S， HUA Q， WANG Y T， et al. Research on low-rate DDoS attack of SDN network in cloud environment［J］.Journal on Communications， 2019， 40 （6）： 210-222. 10.11959/j.issn.1000-436x.2019120
17	颜通，白志华，高镇，等.SDN环境下的LDoS攻击检测与防御技术［J］.计算机科学与探索，2020，14（4）：566-577. 10.3778/j.issn.1673-9418.1905043
	YAN T， BAI Z H， GAO Z， et al. Detection and defense mechanism of LDoS attack in SDN environment［J］. Journal of Frontiers of Computer Science and Technology， 2020， 14（4）：566-577. 10.3778/j.issn.1673-9418.1905043
18	王文涛，王玲霞，黄烨.SDN环境下基于Renyi熵的低速率分布式拒绝攻击的检测［J］.中南民族大学学报（自然科学版）， 2017，36（3）：131-136. 10.3969/j.issn.1672-4321.2017.03.027
	WANG W T， WANG L X， HUA Y. Detection of low rate DDoS attacks based on Renyi entropy in SDN environment［J］. Journal of South-Central University for Nationalities （Natural Science Edition）， 2017， 36 （3）：131-136. 10.3969/j.issn.1672-4321.2017.03.027
19	徐建峰，王利明，徐震.软件定义网络中资源消耗型攻击及防御综述［J］.信息安全学报，2020，5（4）：72-95. 10.1016/j.comnet.2019.107092
	XU J F， WANG L M， XU Z. Survey on resource consumption attacks and defenses in software-defined networking［J］.Journal of Cyber Security， 2020， 5（4）：72-95. 10.1016/j.comnet.2019.107092
20	MAULIK K， RESNICK S. The self-similar and multifractal nature of a network traffic model［J］. Communications in Statistics Stochastic Models， 2003， 19（4）：549-577. 10.1081/stm-120025404
21	刘向举，刘鹏程，徐辉，等.基于软件定义物联网的分布式拒绝服务攻击检测方法［J］.计算机应用，2020，40（3）：753-759.
	LIU X J， LIU P C， XU H， et al. Software defined internet of things based DDoS attack detection method［J］. Journal of Computer Applications， 2020， 40（3）：753-759.
22	TANG D， TANG L， DAI R， et al. MF-Adaboost： LDoS attack detection based on multi-features and improved Adaboost［J］. Future Generation Computer Systems， 2020， 106：347-359. 10.1016/j.future.2019.12.034
23	吴志军，李红军，刘亮，等.基于小波能谱熵和隐半马尔可夫模型的LDoS攻击检测［J］.软件学报，2020，31（5）：1549-1562.
	WU Z J， LI H J， LIU L， et al. Detection of LDoS attacks based on wavelet energy entropy and hidden semi-Markov models［J］. Journal of Software， 2020， 31（5）：1549-1562.

[1]	Zihao YAO, Yuanming LI, Ziqiang MA, Yang LI, Lianggen WEI. Multi-object cache side-channel attack detection model based on machine learning [J]. Journal of Computer Applications, 2024, 44(6): 1862-1871.
[2]	Chenyang GE, Qinrang LIU, Xue PEI, Shuai WEI, Zhengbin ZHU. Efficient collaborative defense scheme against distributed denial of service attacks in software defined network [J]. Journal of Computer Applications, 2023, 43(8): 2477-2485.
[3]	Yiting SUN, Yue GUO, Changjin LI, Hongjun ZHANG, Kang LIU, Junjiao Liu, Limin SUN. Intrusion detection method for control logic injection attack against programmable logic controller [J]. Journal of Computer Applications, 2023, 43(6): 1861-1869.
[4]	Rongrong DAI, Honghui LI, Xueliang FU. Data center flow scheduling mechanism based on differential evolution and ant colony optimization algorithm [J]. Journal of Computer Applications, 2022, 42(12): 3863-3869.
[5]	Hexiong CHEN, Yuwei LUO, Yunkai WEI, Wei GUO, Feilu HANG, Zhengxiong MAO, Zhenhong ZHANG, Yingjun HE, Zhenyu LUO, Linjiang XIE, Ning YANG. Blockchain-based data frame security verification mechanism in software defined network [J]. Journal of Computer Applications, 2022, 42(10): 3074-3083.
[6]	XU Hongliang, YANG Guiqin, JIANG Zhanjun. Data center adaptive multi-path load balancing algorithm based on software defined network [J]. Journal of Computer Applications, 2021, 41(4): 1160-1164.
[7]	Xiaohang MA, Lingxia LIAO, Zhi LI, Bin QIN, Han-chieh CHAO. Multi-objective optimization based on dynamic mixed flow entry timeouts in software defined network [J]. Journal of Computer Applications, 2021, 41(12): 3658-3665.
[8]	ZHU Mengdi, SHU Yong’an. Verification of control-data plane consistency in software defined network [J]. Journal of Computer Applications, 2020, 40(6): 1751-1754.
[9]	XIANG Xiong, TIAN Jian. P2P transmission scheduling optimization based on software defined network [J]. Journal of Computer Applications, 2020, 40(3): 777-782.
[10]	ZHAO Jihong, WU Doudou, QU Hua, YIN Zhenyu. Survivable virtual network embedding guarantee mechanism based on software defined network [J]. Journal of Computer Applications, 2020, 40(3): 770-776.
[11]	LIU Xiangju, LIU Pengcheng, XU Hui, ZHU Xiaojuan. Distributed denial of service attack detection method based on software defined Internet of things [J]. Journal of Computer Applications, 2020, 40(3): 753-759.
[12]	CHI Yaping, MO Chongwei, YANG Yintan, CHEN Chunxia. Design and implementation of intrusion detection model for software defined network architecture [J]. Journal of Computer Applications, 2020, 40(1): 116-122.
[13]	JIA Mengyao, WANG Xingwei, ZHANG Shuang, YI Bo, HUANG Min. Software defined network based fault tolerant routing mechanism for satellite networks [J]. Journal of Computer Applications, 2019, 39(6): 1772-1779.
[14]	LI Zhaobin, LIU Zeyi, WEI Zhanzhen, HAN Yu. Software defined network path security based on Hash chain [J]. Journal of Computer Applications, 2019, 39(5): 1368-1373.
[15]	ZOU Chengming, LIU Panwen, TANG Xing. Real-time defence against dynamic host configuration protocol flood attack in software defined network [J]. Journal of Computer Applications, 2019, 39(4): 1066-1072.

Low-rate denial-of-service attack detection method under software defined network environment

软件定义网络环境下的低速率拒绝服务攻击检测方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 23

Related Articles 15

Recommended Articles

Metrics