
A network traffic anomaly detection and defense method

A technology of abnormality detection and network traffic, applied in the direction of transmission system, electrical components, etc., can solve the problems of no test, small amount of communication data, reduction of communication amount and controller load, etc., to achieve the effect of abnormal change

Active Publication Date: 2021-02-12
GUANGDONG UNIV OF TECH

AI Technical Summary

Problems solved by technology

[0005] (1) Literature (Braga R, Mota E, Passito A. Lightweight DDoS flooding attack detection using NOX/OpenFlow[C]//Local Computer Networks (LCN), 2010 IEEE 35th Conference on. IEEE, 2010: 408-415) proposed a DDoS attack detection method based on the machine learning algorithm Self-Organizing Maps (SOM). It extracts the six-tuple APf (Average of Packets per flow), ABf (Average of Bytes per flow), ADf (Average of Duration per flow), PPf (Percentage of Pair-flows), GSf (Growth of Single-flows) and GDP (Growth of Different Ports) as the input feature vector of the SOM algorithm, but does not address how to mitigate or prevent the attack after detection;
[0006] (2) Literature (Mehdi S A, Khalid J, Khayam S A. Revisiting traffic anomaly detection using software defined networking[C]//International Workshop on Recent Advances in Intrusion Detection. Springer, Berlin, Heidelberg, 2011: 161-180) uses the programmable features of SDN to implement the traditional TRW-CB (Threshold Random Walk with Credit Based Rate Limiting), Rate Limiting, Maximum Entropy Detector and NETAD algorithms on the NOX controller, in order to detect active scanning attacks by internal hosts and malicious data packets and to filter illegal traffic. However, it is mainly aimed at office and home network environments, where the amount of communication data is small;
[0007] (3) Literature (Giotis K, Argyropoulos C, Androulidakis G, et al. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments[J]. Computer Networks, 2014, 62: 122-136) proposed a detection and defense method based on the OpenFlow protocol and the sFlow protocol. It uses the packet sampling capability of sFlow to collect flow table statistics from the OpenFlow switch to the detection module, reducing both the communication traffic needed to collect the switch's flow table entry statistics and the load on the controller. In addition, the detection module adopts detection technology based on information entropy, judging whether traffic is abnormal mainly from changes in the entropy of the source port, destination port, source IP and destination IP; the detection targets include DDoS, worm propagation and port scanning. A predefined whitelist is used to filter out normal traffic, and the controller issues flow rules to the OpenFlow switch so that all traffic packets except whitelisted ones are discarded. However, the flow table sampling frequency may affect the accuracy of anomaly detection;
[0008] (4) Literature (Tang T A, Mhamdi L, McLernon D, et al. Deep learning approach for network intrusion detection in software defined networking[C]//Wireless Networks and Mobile Communications (WINCOM), 2016 International Conference on. IEEE, 2016: 258-263) proposed an intrusion detection method based on deep learning, which used the kddcup1999 data set to verify the feasibility of the method, but it was not tested in an actual SDN environment;
[0009] (5) Literature (Wang Xiaorui, Zhuang Lei, Hu Ying, Wang Guoqing, Martin, Jing Chenkai. DDoS attack detection method based on BP neural network in SDN environment[J]. Computer Application Research, 2018(03): 1-2) proposed a DDoS attack detection method based on a BP neural network, which also used the six-tuple APf, ABf, ADf, PPf, GSf and GDP as the input feature vector of the BP neural network, but did not study how to defend against the attack.


Embodiment Construction

[0033] The present invention will be further described in detail below in conjunction with the embodiments and the accompanying drawings, but the embodiments of the present invention are not limited thereto.

[0034] As shown in Figures 1 to 4, a network traffic anomaly detection and defense method includes the following steps:

[0035] Step one: as shown in Figure 1, establish a network traffic anomaly detection and defense architecture, and collect flow table entry information;

[0036] The network traffic anomaly detection and defense architecture includes a Ryu controller unit, an anomaly detection unit based on a BP neural network, an OpenvSwitch switch and an access device based on the OpenFlow protocol. The Ryu controller unit includes a flow table information collection module, a flow table feature extraction module and a defense flow table entry generation module. The flow table information collection module requests all flow table entry information from ...


Abstract

The invention discloses a network traffic anomaly detection and prevention method, comprising the following steps: S1, establishing a network traffic anomaly detection and prevention architecture, and collecting flow table entry information; wherein the network traffic anomaly detection and prevention architecture comprises a Ryu controller unit, an anomaly detection unit based on a BP neural network, an OpenvSwitch switch based on the OpenFlow protocol, and an access device. The Ryu controller unit comprises a flow table information collection module, a flow table feature extraction module and a defensive flow table entry generation module. The flow table information collection module requests all flow table entry information from the OpenvSwitch switch with a period T1. The source port, destination port, source IP, destination IP, number of forwarded packets, number of forwarded bytes and duration of the network traffic can be conveniently extracted, and the method makes full use of the SDN architecture's ability to dynamically update flow rules: when an anomaly is detected, a flow table entry whose action is Drop is automatically generated, blocking subsequent traffic.
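The six-tuple named in the prior-art items above can be computed from exactly the fields the abstract lists. The following is an added example, not code from the patent: the record layout, the feature formulas (arithmetic means, distinct destination ports for GDP) and the layout of the defensive entry are assumptions, since the page gives only the feature names; the BP neural network itself is out of scope here.

```python
from statistics import mean

# Constructed snapshot of flow entries from one poll of period T1 (not real traffic).
# Hypothetical layout: (src IP, dst IP, src port, dst port, packets, bytes, duration s).
FLOWS = [
    ("10.0.0.1", "10.0.0.9", 40000, 80, 120, 96000, 30),
    ("10.0.0.9", "10.0.0.1", 80, 40000, 100, 150000, 30),
    ("10.0.0.66", "10.0.0.9", 1025, 21, 1, 60, 1),
    ("10.0.0.66", "10.0.0.9", 1026, 22, 1, 60, 1),
    ("10.0.0.66", "10.0.0.9", 1027, 23, 1, 60, 1),
]


def six_tuple(flows, interval):
    """Return APf, ABf, ADf, PPf, GSf, GDP for one polling interval (seconds)."""
    if not flows or interval <= 0:
        raise ValueError("need at least one flow entry and a positive interval")
    keys = {f[:4] for f in flows}
    n = len(keys)
    # A flow is "paired" when the reverse direction is also installed;
    # this counts both directions of every pair.
    paired = sum(1 for s, d, sp, dp in keys if (d, s, dp, sp) in keys)
    return {
        "APf": mean(f[4] for f in flows),          # packets per flow
        "ABf": mean(f[5] for f in flows),          # bytes per flow
        "ADf": mean(f[6] for f in flows),          # duration per flow
        "PPf": paired / n,                         # share of flows with a reverse flow
        "GSf": (n - paired) / interval,            # one-way flows per second
        "GDP": len({k[3] for k in keys}) / interval,  # distinct dst ports per second
    }


def drop_entry(flow, dpid=1, priority=100):
    """Build a defensive entry for a flow the detector flagged (hypothetical layout)."""
    src, dst = flow[0], flow[1]
    return {
        "dpid": dpid,
        "priority": priority,
        "match": {"eth_type": 0x0800, "ipv4_src": src, "ipv4_dst": dst},
        "actions": [],  # OpenFlow: an entry with no actions drops matching packets
    }
```

On the constructed snapshot, the three one-way, single-packet flows from 10.0.0.66 pull PPf down to 0.4 and push GSf and GDP up, which is the pattern the feature set is meant to expose to the classifier.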

Description

Technical field

[0001] The invention relates to the technical field of network traffic detection, in particular to a network traffic anomaly detection and defense method.

Background technique

[0002] With the rapid development of the Internet and the continuous expansion of network scale, network management and security control become more and more difficult. Software-defined network (SDN) is a new type of network architecture, which uses the idea of layering to decouple the network into application layer, control layer, and data forwarding layer, and build an open and programmable network environment. The control layer provides northbound interfaces to develop network-related applications, such as firewalls, IDS, and traffic monitoring, while the control layer provides southbound interfaces to manage and configure forwarding switches on the data plane. SDN transforms the traditional network architecture from distributed control to centralized control and management, and...


Application Information

Patent Type & Authority: Patents (China)
IPC: IPC(8): H04L29/06
CPC: H04L63/0236, H04L63/0254, H04L63/1416, H04L63/1425, H04L63/1441, H04L2463/146
Inventor: 凌捷, 黄盛, 陈家辉, 罗玉, 谢锐
Owner: GUANGDONG UNIV OF TECH