Efficient collaborative defense scheme against distributed denial of service attacks in software defined network

doi:10.11772/j.issn.1001-9081.2022060940

Journal of Computer Applications ›› 2023, Vol. 43 ›› Issue (8): 2477-2485.DOI: 10.11772/j.issn.1001-9081.2022060940

Special Issue: 网络空间安全

• Cyber security • Previous Articles Next Articles

Efficient collaborative defense scheme against distributed denial of service attacks in software defined network

Chenyang GE¹^,², Qinrang LIU², Xue PEI², Shuai WEI², Zhengbin ZHU²

^1.College of Cyberspace Security，Zhengzhou University，Zhengzhou Henan 450002，China
^2.Institute of Information Technology，Information Engineering University，Zhengzhou Henan 450002，China

Received:2022-06-28 Revised:2022-09-20 Accepted:2022-09-22 Online:2022-10-11 Published:2023-08-10
Contact: Chenyang GE
About author:LIU Qinrang， born in 1975， Ph. D.， professor. His research interests include cyberspace mimic defense， chip design.
PEI Xue， born in 1992， M. S.， research assistant. Her research interests include software collaborative compilation， software-defined interconnect chip SDK development.
WEI Shuai， born in 1985， Ph. D.， professor. His research interests include cyberspace mimic defense， embedded design.
ZHU Zhengbin， born in 1996， Ph. D. candidate. His research interests include cyberspace mimic defense， software defined network.

软件定义网络中高效协同防御分布式拒绝服务攻击的方案

葛晨洋¹^,², 刘勤让², 裴雪², 魏帅², 朱正彬²

^1.郑州大学网络空间安全学院，郑州 450002
^2.信息工程大学信息技术研究所，郑州 450002

通讯作者: 葛晨洋
作者简介:刘勤让（1975—），男，河南商丘人，教授，博士，主要研究方向：网络空间拟态防御、芯片设计
裴雪（1992—），女，河南新乡人，助理研究员，硕士，主要研究方向：软件协同编译、软件定义互连芯片软件开发工具包开发
魏帅（1985—），男，河南南阳人，教授，博士，主要研究方向：网络空间拟态防御、嵌入式设计
朱正彬（1996—），男，湖北荆门人，博士研究生，主要研究方向：网络空间拟态防御、软件定义网络。

Abstract

Abstract:

Aiming at the problem that traditional defense schemes against Distributed Denial of Service （DDoS） attacks in Software Defined Network （SDN） tend to ignore the importance of reducing the workload of SDN， as well as do not consider the timeliness of attack mitigation， an efficient collaborative defense scheme against DDoS attacks in SDN was proposed. Firstly， the overhead of the control plane was reduced and the data plane’s resources were entirely used by offloading some of the defense tasks into the data plane. Then， if an anomaly was detected， eXpress Data Path （XDP） rules were generated to mitigate the attack promptly， and the statistical information of the data plane was handed over to the control plane to further detect and mitigate the attack， thereby improving the accuracy and further reducing the controller overhead. Finally， the rules of XDP were updated according to the anomaly source determined by the control plane. To validate the effectiveness of the proposed scheme， the Hyenae attack tool was used to generate three different types of attack data. Compared with the Support Vector Machine （SVM） scheme that relies on the control plane， the new architecture defense scheme， and the cross-plane collaborative defense scheme， the proposed scheme has the timeliness of defense improved by 33.33%， 28.57%， and 21.05%， respectively； the proposed scheme has the Central Processing Unit （CPU） consumption reduced by 33， 11， and 4 percentage points. Experimental results show that the proposed scheme can defend against DDoS attacks well and has a low performance overhead.

Key words: Software Defined Network (SDN), collaborative defense, Distributed Denial of Service (DDoS) attack, eXpress Data Path (XDP), Sketch data structure

摘要：

针对软件定义网络（SDN）中传统的分布式拒绝服务（DDoS）攻击的防御方案往往忽略了降低SDN工作负载的重要性，并且未考虑攻击缓解的及时性的问题，提出一种SDN中高效协同防御DDoS攻击的方案。首先，通过将部分防御任务卸载到数据平面中，降低控制平面的开销并充分利用数据平面的资源；然后，若检测到异常则产生快速数据路径（XDP）规则，以及时缓解攻击，同时将数据平面的统计信息交由控制平面来进一步检测和缓解攻击，从而在提升准确率的同时进一步降低控制器开销；最后，根据控制平面确定的异常源更新XDP规则。为验证所提方案的有效性，利用Hyenae攻击工具产生了3种不同类型的攻击数据。相较于依赖于控制平面的支持向量机（SVM）方案、新架构防御方案和跨平面协作的防御方案，在防御及时性方面，所提方案分别提高了33.33%、28.57%和21.05%；在中央处理器（CPU）消耗方面，所提方案分别降低了33、11和4个百分点。实验结果表明，所提方案能很好地防御DDoS攻击且有较低的性能开销。

关键词: 软件定义网络, 协同防御, 分布式拒绝服务攻击, 快速数据路径, Sketch数据结构

CLC Number:

TP393.02

Chenyang GE, Qinrang LIU, Xue PEI, Shuai WEI, Zhengbin ZHU. Efficient collaborative defense scheme against distributed denial of service attacks in software defined network[J]. Journal of Computer Applications, 2023, 43(8): 2477-2485.

葛晨洋, 刘勤让, 裴雪, 魏帅, 朱正彬. 软件定义网络中高效协同防御分布式拒绝服务攻击的方案[J]. 《计算机应用》唯一官方网站, 2023, 43(8): 2477-2485.

Figures/Tables 15

Fig.1 OVS data flow

Fig.2 Principle of XDP

Fig.3 XDP experimental effect

Fig.4 Architecture of efficient and collaborative defense system against DDoS attacks

Fig.5 Process of data plane anomaly detection

Fig.6 Reversible Sketch structure of Chinese remainder theorem

Fig.7 Flow of coarse-grained real-time anomaly detection

Fig.8 Flow of control plane anomaly detection

Tab.1 Accuracy and detection time comparison of different machine learning algorithms

机器学习算法	训练准确率/%	测试准确率/%	检测耗时/ms
SVM	99.7	96.7	0.212
Logistic	99.8	97.7	0.265
RF	99.7	99.9	134.360

Fig.9 Architecture of collaborative mitigation module

Fig.10 Experimental topology

Fig. 11 Defense effects of different schemes under three types of attacks

Tab.2 Accuracy and F1 comparison of different schemes

方案	准确率	F1
依赖控制器的SVM方案	0.966	0.936
跨平面协作防御方案	0.989	0.964
本文方案	0.992	0.983
新架构防御方案	0.996	0.987

Fig.12 Number of switch flow table entries under same attack type

Fig.13 Ultilization of the controller’s CPU under same attack type

References 25

1	VISHWAKARMA R， JAIN A K. A survey of DDoS attacking techniques and defence mechanisms in the IoT network［J］. Telecommunication Systems， 2020， 73（1）： 3-25. 10.1007/s11235-019-00599-z
2	KREUTZ D， RAMOS F M V， VERISSIMO P. Towards secure and dependable software-defined networks［C］// Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. New York： ACM， 2013： 55-60. 10.1145/2491185.2491199
3	贾锟，王君楠，刘峰. SDN环境下的DDoS检测与缓解机制［J］. 信息安全学报， 2021， 6（1）：17-31. 10.1186/s42400-022-00128-7
	JIA K， WANG J N， LIU F. DDoS detection and mitigation framework in SDN［J］. Journal of Cyber Security， 2021， 6（1）：17-31. 10.1186/s42400-022-00128-7
4	BERTRONE M， MIANO S， RISSO F， et al. Accelerating Linux security with eBPF iptables［C］// Proceedings of the 2018 ACM SIGCOMM Conference： Posters and Demos. New York： ACM， 2018： 108-110. 10.1145/3234200.3234228
5	胡小龙. 面向SDN控制器的DDoS攻击检测与防御技术研究［D］. 哈尔滨：哈尔滨工程大学， 2017：21-36.
	HU X L. DDoS attack detection and defense technology research for SDN controller［D］. Harbin： Harbin Engineering University， 2017：21-36.
6	KALKAN K， ALTAY L， GÜR G， et al. JESS： joint entropy-based DDoS defense scheme in SDN［J］. IEEE Journal on Selected Areas in Communications， 2018， 36（10）： 2358-2372. 10.1109/jsac.2018.2869997
7	CHEN Z， JIANG F， CHENG Y J， et al. XGBoost classifier for DDoS attack detection and analysis in SDN-based cloud［C］// Proceedings of the 2018 IEEE International Conference on Big Data and Smart Computing. Piscataway： IEEE， 2018： 251-256. 10.1109/bigcomp.2018.00044
8	YE J， CHENG X Y， ZHU J， et al. A DDoS attack detection method based on SVM in software defined network［J］. Security and Communication Networks， 2018， 2018： No.9804061. 10.1155/2018/9804061
9	DONG S， SAREM M. DDoS attack detection method based on improved KNN with the degree of DDoS attack in software-defined networks［J］. IEEE Access， 2020， 8： 5039-5048. 10.1109/access.2019.2963077
10	ZHENG J， LI Q， GU G F， et al. Realtime DDoS defense using COTS SDN switches via adaptive correlation analysis［J］. IEEE Transactions on Information Forensics and Security， 2018， 13（7）： 1838-1853. 10.1109/tifs.2018.2805600
11	FOULADI R F， ERMIŞ O， ANARIM E. A DDoS attack detection and defense scheme using time-series analysis for SDN［J］. Journal of Information Security and Applications， 2020， 54： No.102587. 10.1016/j.jisa.2020.102587
12	CAO Y Y， JIANG H， DENG Y C， et al. Detecting and mitigating DDoS attacks in SDN using spatial-temporal graph convolutional network［J］. IEEE Transactions on Dependable and Secure Computing， 2022， 19（6）：3855-3872. 10.1109/tdsc.2021.3108782
13	SAHAY R， BLANC G， ZHANG Z H， et al. Towards autonomic DDoS mitigation using software defined networking［C］// Proceedings of the 2015 NDSS Workshop on Security of Emerging Networking Technologies. Reston， VA： Internet Society， 2015：1-7. 10.14722/sent.2015.23004
14	YANG X R， HAN B， SUN Z G， et al. SDN-based DDoS attack detection with cross-plane collaboration and lightweight flow monitoring［C］// Proceedings of the 2017 IEEE Global Communications Conference. Piscataway： IEEE， 2017： 1-6. 10.1109/glocom.2017.8254079
15	曹永轶，金伟正，吴静，等. 一种面向SDN的跨平面协作DDoS检测与防御方法［J］. 计算机工程， 2020， 46（11）：148-156.
	CAO Y Y， JIN W Z， WU J， et al. A DDoS detection and defense method based on cross plane cooperation for SDN［J］. Computer Engineering， 2020， 46（11）： 148-156.
16	TAN L， PAN Y， WU J， et al. A new framework for DDoS attack detection and defense in SDN environment［J］. IEEE Access， 2020， 8： 161908-161919. 10.1109/access.2020.3021435
17	CHEN K Y， LIU S， XU Y， et al. SDNShield： NFV-based defense framework against DDoS attacks on SDN control plane［J］. IEEE/ACM Transactions on Networking， 2022， 30（1）： 1-17. 10.1109/tnet.2021.3105187
18	ADIGA B S， SHASTRY R， CHANDRA M G， et al. A reversible sketch based on Chinese Remainder Theorem： scheme and performance study［J］. International Journal of Computer Science and Network Security， 2011， 11（8）： 59-65.
19	CORMODE G， MUTHUKRISHNAN M. Approximating data with the count-min sketch［J］. IEEE Software， 2012， 29（1）： 64-69. 10.1109/ms.2011.127
20	YANG X， HAN B， SUN Z， et al. SDN-based DDoS attack detection with cross-plane collaboration and lightweight flow monitoring［C］// Proceedings of the 2017 IEEE Global Communications Conference. Piscataway： IEEE， 2017： 1-6. 10.1109/glocom.2017.8254079
21	BOITE J， NARDIN P A， REBECCHI F， et al. StateSec： stateful monitoring for DDoS protection in software defined networks［C］// Proceedings of the 2017 IEEE Conference on Network Softwarization. Piscataway： IEEE， 2017： 1-9. 10.1109/netsoft.2017.8004113
22	YOU X， FENG Y， SAKURAI K. Packet in message based DDoS attack detection in SDN network using openflow［C］// Proceedings of the 5th International Symposium on Computing and Networking. Piscataway： IEEE， 2017： 522-528. 10.1109/candar.2017.93
23	HINTJENS P. ZeroMQ： Messaging for Many Applications［M］. Sebastopol， CA： O’Reilly Media， Inc.， 2013： 81-133.
24	GHEORGHE L. Designing and Implementing Linux Firewalls and QoS using Netfilter， Iproute2， NAT and L7-filter［M］. Birmingham： Packt Publishing， 2006： 10-23.
25	BERTIN G. XDP in practice： integrating XDP into our DDoS mitigation pipeline［C/OL］// Proceedings of the Technical Conference on Linux Networking 2.1 ［2022-04-21］..

[1]	Xiangju LIU, Xiaobao LU, Xianjin FANG, Linsong SHANG. Low-rate denial-of-service attack detection method under software defined network environment [J]. Journal of Computer Applications, 2022, 42(4): 1301-1307.
[2]	Rongrong DAI, Honghui LI, Xueliang FU. Data center flow scheduling mechanism based on differential evolution and ant colony optimization algorithm [J]. Journal of Computer Applications, 2022, 42(12): 3863-3869.
[3]	Yingzhi LI, Man LI, Ping DONG, Huachun ZHOU. Multi‑type application‑layer DDoS attack detection method based on integrated learning [J]. Journal of Computer Applications, 2022, 42(12): 3775-3784.
[4]	Hexiong CHEN, Yuwei LUO, Yunkai WEI, Wei GUO, Feilu HANG, Zhengxiong MAO, Zhenhong ZHANG, Yingjun HE, Zhenyu LUO, Linjiang XIE, Ning YANG. Blockchain-based data frame security verification mechanism in software defined network [J]. Journal of Computer Applications, 2022, 42(10): 3074-3083.
[5]	XU Hongliang, YANG Guiqin, JIANG Zhanjun. Data center adaptive multi-path load balancing algorithm based on software defined network [J]. Journal of Computer Applications, 2021, 41(4): 1160-1164.
[6]	Xiaohang MA, Lingxia LIAO, Zhi LI, Bin QIN, Han-chieh CHAO. Multi-objective optimization based on dynamic mixed flow entry timeouts in software defined network [J]. Journal of Computer Applications, 2021, 41(12): 3658-3665.
[7]	ZHU Mengdi, SHU Yong’an. Verification of control-data plane consistency in software defined network [J]. Journal of Computer Applications, 2020, 40(6): 1751-1754.
[8]	ZHAO Jihong, WU Doudou, QU Hua, YIN Zhenyu. Survivable virtual network embedding guarantee mechanism based on software defined network [J]. Journal of Computer Applications, 2020, 40(3): 770-776.
[9]	XIANG Xiong, TIAN Jian. P2P transmission scheduling optimization based on software defined network [J]. Journal of Computer Applications, 2020, 40(3): 777-782.
[10]	LIU Xiangju, LIU Pengcheng, XU Hui, ZHU Xiaojuan. Distributed denial of service attack detection method based on software defined Internet of things [J]. Journal of Computer Applications, 2020, 40(3): 753-759.
[11]	CHI Yaping, MO Chongwei, YANG Yintan, CHEN Chunxia. Design and implementation of intrusion detection model for software defined network architecture [J]. Journal of Computer Applications, 2020, 40(1): 116-122.
[12]	ZHOU Aiping, ZHU Chengang. Detection method for network-wide persistent flow based on sketch data structure [J]. Journal of Computer Applications, 2019, 39(8): 2354-2358.
[13]	JIA Mengyao, WANG Xingwei, ZHANG Shuang, YI Bo, HUANG Min. Software defined network based fault tolerant routing mechanism for satellite networks [J]. Journal of Computer Applications, 2019, 39(6): 1772-1779.
[14]	LI Zhaobin, LIU Zeyi, WEI Zhanzhen, HAN Yu. Software defined network path security based on Hash chain [J]. Journal of Computer Applications, 2019, 39(5): 1368-1373.
[15]	ZOU Chengming, LIU Panwen, TANG Xing. Real-time defence against dynamic host configuration protocol flood attack in software defined network [J]. Journal of Computer Applications, 2019, 39(4): 1066-1072.

Efficient collaborative defense scheme against distributed denial of service attacks in software defined network

软件定义网络中高效协同防御分布式拒绝服务攻击的方案

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 15

References 25

Related Articles 15

Recommended Articles

Metrics