Abstract
In the Software Defined Network (SDN) architecture, most traditional Distributed Denial of Service (DDoS) attack detection mechanisms are based on middle plug-ins or SDN controllers; they lack global network monitoring information and incur high southbound interface communication overhead and detection delay. To address this problem, this paper proposes a DDoS attack detection and defense method based on cross-plane cooperation in the SDN architecture. The method uses the computing power of the OpenFlow switch CPU to offload part of the detection task from the control plane to the data plane, and then completes the whole detection through the cooperation of a coarse-grained method on the data plane and a fine-grained method on the control plane. Based on the detection result, the controller formulates a defense strategy for the global scope of the network. Experimental results show that, compared with the Support Vector Machine (SVM) method, the proposed method improves detection efficiency and accuracy, decreases detection delay and southbound interface communication overhead, and reduces the CPU load of the controller.
Authors
曹永轶
金伟正
吴静
罗威
朱博
CAO Yongyi; JIN Weizheng; WU Jing; LUO Wei; ZHU Bo (School of Electronic Information, Wuhan University, Wuhan 430072, China; China Ship Development and Design Center, Wuhan 430064, China)
Source
《计算机工程》
CAS
CSCD
PKU Core Journal
2020, No. 11, pp. 148-156 (9 pages)
Computer Engineering
Funding
National Key Research and Development Program of China (2017YFB0504103).