
Research on SDN-Based DDoS Attack Defense

Published: 2018-09-18 15:34
[Abstract]: As the traditional Internet accelerates its transition to the mobile Internet, the nodes connecting to the network have shifted from desktop and laptop computers to the more widespread smartphone. With only a phone, people can enjoy the conveniences the network brings: buying the products they want from online stores without leaving home, or watching their favorite films and shows on online video sites. As a result, the network is ever more tightly bound to daily life, and the availability of network services has gradually become a focus of users' attention. Computer networks appear to run stably and reliably, but in fact they are very easily attacked, which can paralyze network services. Among the many kinds of attack, DDoS (Distributed Denial-of-Service) is highly destructive, stealthy, and easy to carry out. It can render the attacked network service unusable for a period of time, which greatly affects users' network experience. How to defend against DDoS attacks and keep network services continuously available therefore remains an important research direction in Internet security that cannot be ignored.

First, to address the current inability to effectively distinguish normal traffic from attack traffic, this thesis proposes a DDoS detection method based on user behavior patterns. Users' access to network resources is first modeled along multiple dimensions, decision factors are defined for judging whether a user's behavior is normal, and the relevant statistics are collected from the network according to those decision factors. The collected data is then vectorized with Word2Vec and classified with a CNN, after which an LSTM is used to perform deep learning on the statistics, yielding the behavior pattern of normal users per unit of time. Whether a DDoS attack is occurring is then judged against the users' behavior patterns.

Second, to address the problem that many existing DDoS defense studies cannot be applied to traditional network architectures, this thesis proposes an SDN-based DDoS defense architecture. It provides comprehensive defense across three stages: attack prevention, attack perception, and attack response. The architecture comprises modules including node admission, behavior perception, behavior determination, policy management, and policy response. Node admission and policy management are responsible for network admission control; behavior perception and behavior determination judge whether DDoS attack behavior is present in the network at that moment; policy response handles the attack traffic accordingly. Because SDN decouples the control plane from the data plane, this architecture can be used alongside traditional architectures and allows a smooth transition. Finally, based on the above theoretical research, the thesis builds an SDN-based prototype DDoS defense system and uses it to verify and test the feasibility, reliability, and accuracy of the defense framework.
[Degree-granting institution]: Hangzhou Dianzi University
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification number]: TP393.08




Article ID: 2248349


Article link: https://www.wllwen.com/guanlilunwen/ydhl/2248349.html

