
DDoS Attack Traffic Classification Method Based on LightGBM in SDN Environment
Abstract: Software-defined networking (SDN) has emerged in recent years as a new network architecture because of its high programmability and flexibility; by decoupling the control plane from the data plane, it overcomes problems found in traditional networks. However, because the controller is the core of an SDN, it is more prone to attack, and distributed denial-of-service (DDoS) attacks in particular have become the biggest security threat to SDN environments. DDoS attacks can overload the flow tables of SDN controllers and switches, degrading network performance or even paralyzing the entire network. Fast detection, high accuracy, and a low false-positive rate are the key to countering DDoS attacks. To this end, we use the public intrusion detection dataset IDS2018 to train a DDoS classification model with the improved LightGBM algorithm, classifying normal traffic and DDoS attack traffic. Compared with the XGBoost algorithm, the improved LightGBM algorithm classifies better. In addition, an SDN topology was built in the Mininet virtual environment, with Ryu as the SDN controller. DDoS attacks were simulated, the attack traffic was collected with sFlow RT, and the trained DDoS traffic classification model was used for detection. The model's five-fold cross-validation AUC reached 0.81.
Authors: CHEN Runze (陈润泽); RUAN Fangming (阮方鸣); LI Yidan (李毅聃) (School of Big Data and Computer Science, Guizhou Normal University, 550001)
Source: Changjiang Information & Communications (《长江信息通信》), 2022, No. 6, pp. 4-6 (3 pages)
Keywords: software-defined network (SDN); DDoS attack; cross-validation; network security; LightGBM