基于联邦增量学习的SDN环境下DDoS攻击检测模型

Federated Incremental Learning Based DDoS Attack Detection Model in SDN Environment

SDN是一种被广泛应用的网络范式.面对DDoS攻击等网络安全威胁,在SDN中集成高效的DDoS攻击检测方法尤为重要.由于SDN集中控制的特性,集中式DDoS攻击检测方法在SDN环境中存在较高的安全风险,使得SDN的控制平面安全性受到了巨大挑战.此外,SDN环境中流量数据不断增加,导致复杂流量特征的更复杂化、不同实体之间严重的Non-IID分布等问题.这些问题对现有的基于联邦学习的检测模型准确性与鲁棒性的进一步提高造成严重阻碍.针对上述问题,本文提出了一种基于联邦增量学习的SDN环境下DDoS攻击检测模型.首先,为解决集中式DDoS攻击检测的安全风险与数据增量带来的Non-IID分布问题,本文提出了一种基于联邦增量学习的加权聚合算法,使用动态调整聚合权重的方式个性化适应不同子数据集增量情况,提高增量聚合效率.其次,针对SDN环境中复杂的流量特征,本文设计了一种基于LSTM的DDoS攻击检测方法,通过统计SDN环境中流量数据的时序特征,提取并学习数据的时序关特征的相关性,实现对流量特征数据的实时检测.最后,本文结合SDN集中管控特点,实现了SDN环境下的DDoS实时防御决策,根据DDoS攻击检测结果与网络实体信息,实现流规则实时下发,达到有效阻断DDoS攻击流量、保护拓扑重要实体并维护拓扑流量稳定的效果.本文将提出的模型在增量式DDoS攻击检测任务上与FedAvg、FA-FedAvg和FIL-IIoT三种方法进行性能对比实验.实验结果表明,本文提出方法相比于其他方法,在DDoS攻击检测准确率上提升5.06%~12.62%,F1-Score提升0.0565~0.1410.

Software-Defined Networking(SDN)is a widely adopted network paradigm characterized by the separation of the control plane from the data plane.In light of network security threats,particularly Distributed Denial of Service(DDoS)attacks,the integration of effective DDoS attack detection methods within SDN is of paramount importance.The centralized control characteristic of SDN presents significant security risks when employing centralized DDoS attack detection methods,thereby posing considerable challenges to the security of the control plane in SDN environments.Furthermore,the growing volume of traffic data in SDN environments results in challenges related to more intricate traffic characterization and a pronounced Non-Independent and Identically Distributed(Non-IID)distribution among various entities.These issues present significant barriers to enhancing the accuracy and robustness of current federated learning-based detection models.The separation of management and control in SDN facilitates the creation of new flow rules by users,which enhances the efficiency of message routing control.However,current methodologies for flow detection face difficulties in preserving the knowledge of original features while simultaneously adapting to the distribution of newly generated features within the SDN environment.This challenge contributes to a phenomenon known as data forgetting.Furthermore,the imposition of flow rules restricts the forwarding targets of messages,resulting in variability in the data messages that can be collected by different host entities.The Non-IID distribution problem significantly undermines the performance and robustness of DDoS attack detection models that utilize artificial intelligence.To address these challenges,we propose a federated incremental learning-based model for DDoS attack detection within an SDN environment.This model integrates incremental learning and federated learning to accommodate new data inputs through incremental model updates,thereby eliminating the need for global re-training of the entire model.To mitigate the security risks associated with centralized DDoS attack detection methods and to address the Non-IID distribution issues arising from data increments,we introduce a weighted aggregation algorithm grounded in federated incremental learning.This algorithm personalizes adaptation to different subdataset increments by dynamically adjusting aggregation weights,thereby enhancing the efficiency of incremental aggregation.Additionally,in response to the complex traffic features inherent in SDN networks,we propose a DDoS attack detection methodology that employs Long Short-Term Memory(LSTM)networks.This approach enables real-time detection of traffic features by extracting and learning the temporal correlations present in the data,utilizing statistical analysis of the temporal characteristics of traffic data within SDN networks.Finally,by integrating the unique characteristics of SDN networks,we facilitate real-time decision-making for DDoS defense.This integration combines the results of DDoS attack detection with information pertaining to network entities,enabling the real-time deployment of flow rules.Concurrently,this approach effectively mitigates malicious DDoS attack traffic,safeguards critical entities,and ensures the stability of network topology.In this study,we evaluate the performance of the proposed method against existing techniques,including FedAvg,FA-FedAvg,and FIL-IIoT,in the context of an incremental DDoS attack detection task.The experimental results indicate that the proposed method enhances the accuracy of DDoS attack detection by an improvement range of 5.06%to 12.62%and increases the F1-Score by 0.0565 to 0.1410 when compared to alternative methods.