
Research on SDN-Based Network Security Technology

Published: 2019-04-18 12:41
[Abstract]: In recent years, major network attack incidents have occurred one after another, and network security has risen to the level of national security strategy. At the same time, with the continued development of big data, cloud computing and related technologies, Software Defined Networking (SDN) has emerged. Because traditional network security incidents still pose a serious threat to SDN networks, research on attack response in SDN networks has attracted academic attention; however, no accurate, fast and effective lightweight security scheme has yet appeared. Following the classification of traditional network attacks, this thesis studies responses to three classes: illegal (malformed) packet attacks, Distributed Denial of Service (DDoS) attacks, and port scanning. To prevent illegal packet attacks from harming the destination host or server, the thesis exploits the fact that such attack packets are highly specific and easily distinguished, and proposes a feature-matching detection and response scheme: before the controller makes a forwarding decision, the fields parsed from the packet-in message are matched against an attack feature library. Simulation results show that the scheme accurately identifies IP fragmentation attack and Land attack packets and blocks all attack packets at the attack source. Because the SDN controller is a single point of vulnerability, DDoS attacks affect SDN networks more severely than traditional networks. To accurately detect DDoS attacks with spoofed source IP addresses, the thesis proposes an Entropy-based DDoS Defense Mechanism (EDDM), which distinguishes abnormal traffic by the change in destination-IP entropy and then confirms the attack and locates the attack source from the correspondence between source MAC and source IP. For DDoS attacks that also spoof the source MAC address, the thesis proposes an Upgraded Entropy-based DDoS Defense Mechanism (Upgraded-EDDM). It is the first to use the change in ingress-port entropy as a basis for attack detection: an attack is declared when destination-IP entropy drops and ingress-port entropy is lower than source-IP entropy, and the attacking host is located from the correspondence between ingress port and source MAC/source IP. Simulation shows that Upgraded-EDDM accurately identifies UDP Flood attacks with spoofed source MAC addresses, blocks the attack traffic at the ingress port, and outperforms EDDM overall. Distributed Reflection Denial of Service (DRDoS) attacks and port scans produce different characteristic changes in the entropy of the ingress port, destination IP, destination port and similar features, but they share the same entropy computation and anomaly screening process as DDoS attacks; the thesis therefore extends Upgraded-EDDM into an Integrated Entropy-based Attacks Defense Mechanism (Integrated-EADM) that can identify and block multiple kinds of network attacks. Simulation results show that Integrated-EADM quickly and accurately identifies DRDoS attacks and TCP SYN scans and blocks the attack traffic at the source.
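The abstract describes two detection stages without showing how they operate on packet-in data: signature matching of parsed fields, and entropy-based DDoS detection with the Upgraded-EDDM criterion (destination-IP entropy falls, ingress-port entropy is below source-IP entropy) followed by locating the attacking ingress port. The following Python is an added example written for this page; it is not the thesis's code, and the packet-in record layout, the 1-bit entropy-drop threshold, the two signatures and all traffic are assumptions constructed here. It also shows why the EDDM source-MAC/source-IP check alone fails once the MAC is spoofed, which is the gap the abstract says Upgraded-EDDM closes.

```python
"""Added example, not the thesis's code: a minimal model of the two detection
stages the abstract describes, run over constructed packet-in records.
Stage 1 matches packet-in fields against signatures (Land attack, oversized
IP fragment); stage 2 is entropy-based DDoS detection in the EDDM /
Upgraded-EDDM style plus locating the attacking ingress port. The record
layout, the 1-bit entropy-drop threshold and both signatures are assumptions."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class PacketIn:                  # fields the controller parses from a packet-in
    in_port: int
    src_mac: str
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    frag_offset: int = 0         # IP fragment offset, in 8-byte units
    ip_payload_len: int = 0      # bytes carried by this fragment

def match_illegal_packet(p: PacketIn) -> Optional[str]:
    """Stage 1: return the matching signature name, or None to let it through."""
    if p.src_ip == p.dst_ip and p.src_port == p.dst_port:
        return "land"            # source equals destination: the classic Land packet
    if p.frag_offset * 8 + p.ip_payload_len > 65535:
        return "ip_fragment_overflow"   # assumed signature: reassembly exceeds 64 KiB
    return None

def entropy(values: Iterable) -> float:
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def window_entropies(window: List[PacketIn]) -> dict:
    return {"dst_ip": entropy(p.dst_ip for p in window),
            "src_ip": entropy(p.src_ip for p in window),
            "in_port": entropy(p.in_port for p in window)}

def detect_upgraded_eddm(baseline, window, drop=1.0) -> bool:
    """Upgraded-EDDM criterion from the abstract: destination-IP entropy falls
    against the baseline window AND ingress-port entropy is below source-IP
    entropy (many spoofed sources funnelled through few ports)."""
    h0, h1 = window_entropies(baseline), window_entropies(window)
    return h0["dst_ip"] - h1["dst_ip"] >= drop and h1["in_port"] < h1["src_ip"]

def spoofed_ip_macs(window) -> List[str]:
    """EDDM confirmation step: a source MAC seen with several source IPs is
    spoofing IPs. Returns [] when the MAC is spoofed as well, the case that
    Upgraded-EDDM handles by keying on in_port instead."""
    ips = {}
    for p in window:
        ips.setdefault(p.src_mac, set()).add(p.src_ip)
    return sorted(m for m, s in ips.items() if len(s) > 1)

def locate_attack_port(window) -> int:
    """Upgraded-EDDM localisation: the ingress port behind which the most
    distinct (src MAC, src IP) pairs appear is where the flood enters."""
    pairs = {}
    for p in window:
        pairs.setdefault(p.in_port, set()).add((p.src_mac, p.src_ip))
    return max(pairs, key=lambda port: len(pairs[port]))

# --- constructed traffic (not captured data) ---------------------------------
def normal_window(n=60) -> List[PacketIn]:
    """Four hosts on ports 1-4 talking to seven servers."""
    return [PacketIn(1 + i % 4, f"00:00:00:00:00:0{1 + i % 4}",
                     f"10.0.0.{1 + i % 4}", f"10.0.1.{1 + i % 7}") for i in range(n)]

def udp_flood_window(n=60, spoof_mac=True) -> List[PacketIn]:
    """Host on port 3 floods 10.0.1.9 with spoofed source IPs (and MACs)."""
    flood = [PacketIn(3, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}" if spoof_mac
                      else "00:00:00:00:00:03",
                      f"172.16.{i // 256}.{i % 256}", "10.0.1.9") for i in range(n)]
    return normal_window(20) + flood   # background traffic mixed in

if __name__ == "__main__":
    base, attack = normal_window(), udp_flood_window()
    print(window_entropies(attack))
    print(detect_upgraded_eddm(base, attack), locate_attack_port(attack))
```

In a real controller the baseline window and the drop threshold must be calibrated per deployment: a single fixed threshold will either miss low-rate floods or alarm on legitimate flash crowds, and the entropy comparison is only meaningful over windows of comparable size.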
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master
[Year of degree]: 2017
[Classification number]: TP393.08


Article ID: 2460048



Link: https://www.wllwen.com/guanlilunwen/ydhl/2460048.html


