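Authors: 李春江 (LI Chunjiang); 尹少平 (YIN Shaoping)[1]; 池浩田 (CHI Haotian); 杨静 (YANG Jing)[1,3]; 耿海军 (GENG Haijun) (School of Automation and Software Engineering, Shanxi University, Taiyuan 030006, China; School of Computer and Information Technology, Shanxi University, Taiyuan 030006, China; Institute of Big Data Science and Industry, Shanxi University, Taiyuan 030006, China)
Affiliations: [1] School of Automation and Software Engineering, Shanxi University, Taiyuan 030006; [2] School of Computer and Information Technology, Shanxi University, Taiyuan 030006; [3] Institute of Big Data Science and Industry, Shanxi University, Taiyuan 030006
Source: Computer Science (《计算机科学》), 2024, Issue 11, pp. 389-399, 11 pages in total
Funding: Applied Basic Research Program of Shanxi Province (20210302123444); Science and Technology Innovation Project of Higher Education Institutions of Shanxi Province (2022L002); China University Industry-University-Research Innovation Fund (2021FNA02009); National Natural Science Foundation of China (61702315); Key Research and Development Program of Shanxi Province (201903D421003, 202202020101004); National Key Research and Development Program of China (2018YFB1800401).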
Abstract: Software-defined networking (SDN) is a novel network architecture that provides fine-grained centralized network management services. Its basic characteristics are the separation of control and forwarding, centralized control, and open interfaces. Because of the centralized management logic of the control layer, controllers have become prime targets for distributed denial-of-service (DDoS) attacks. Traditional statistics-based DDoS attack detection algorithms often suffer from high false-positive rates and fixed thresholds, while detection algorithms based on machine learning models often consume substantial computational resources and generalize poorly. To address these problems, this paper proposes a two-tier DDoS attack detection model based on statistical features and ensemble autoencoders. The statistics-based method extracts Rényi entropy features and sets a dynamic threshold to identify suspicious traffic. The ensemble autoencoder algorithm is then applied to the suspicious traffic for a more accurate DDoS attack judgment. The two-tier detection model not only improves detection performance and solves the problem of high false-alarm rates, but also effectively shortens detection time, thereby reducing the consumption of computational resources. Experimental results show that the model achieves high accuracy in different network environments, with the lowest F1 score across the different datasets exceeding 98.5%, demonstrating strong generalization capability.
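Keywords: software-defined networking; distributed denial-of-service attack; Rényi entropy; dynamic threshold; autoencoder
Classification number: TP393 [Automation and Computer Technology - Computer Application Technology]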