Authors: GE Chenyang (葛晨洋); LIU Qinrang (刘勤让); PEI Xue (裴雪); WEI Shuai (魏帅); ZHU Zhengbin (朱正彬) (College of Cyberspace Security, Zhengzhou University, Zhengzhou Henan 450002, China; Institute of Information Technology, Information Engineering University, Zhengzhou Henan 450002, China)
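Affiliations: [1] College of Cyberspace Security, Zhengzhou University, Zhengzhou 450002; [2] Institute of Information Technology, Information Engineering University, Zhengzhou 450002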
Source: Journal of Computer Applications (《计算机应用》), 2023, No. 8, pp. 2477-2485, 9 pages in total
Abstract: Aiming at the problem that traditional defense schemes against Distributed Denial of Service (DDoS) attacks in Software Defined Network (SDN) tend to ignore the importance of reducing the workload of SDN and do not consider the timeliness of attack mitigation, an efficient collaborative defense scheme against DDoS attacks in SDN was proposed. Firstly, the overhead of the control plane was reduced and the data plane's resources were fully used by offloading some of the defense tasks into the data plane. Then, if an anomaly was detected, eXpress Data Path (XDP) rules were generated to mitigate the attack promptly, and the statistical information of the data plane was handed over to the control plane to further detect and mitigate the attack, thereby improving the accuracy and further reducing the controller overhead. Finally, the XDP rules were updated according to the anomaly source determined by the control plane. To validate the effectiveness of the proposed scheme, the Hyenae attack tool was used to generate three different types of attack data. Compared with the Support Vector Machine (SVM) scheme that relies on the control plane, the new architecture defense scheme, and the cross-plane collaborative defense scheme, the proposed scheme improved the timeliness of defense by 33.33%, 28.57%, and 21.05%, respectively, and reduced Central Processing Unit (CPU) consumption by 33, 11, and 4 percentage points, respectively. Experimental results show that the proposed scheme can defend against DDoS attacks well and has a low performance overhead.
Keywords: Software Defined Network; collaborative defense; Distributed Denial of Service attack; eXpress Data Path; Sketch data structure
Classification number: TP393.02 [Automation and Computer Technology: Computer Application Technology]