基于联邦增量学习的SDN环境下DDoS攻击检测模型  

作　　者：刘延华[1,2,4,5] 方文昱 郭文忠 赵宝康[3] 黄维 LIU Yan-Hua;FANG Wen-Yu;GUO Wen-Zhong;ZHAO Bao-Kang;HUANG Wei(College of Computer and Data Science,Fuzhou University,Fuzhou 350108;Zhicheng College,Fuzhou University,Fuzhou 350002;College of Computer,National University of Defense Technology,Changsha 410073;Engineering Research Center of Big Data Intelligence,Ministry of Education,Fuzhou 350108;Fujian Key Laboratory of Network Computing and Intelligent Information Processing(Fuzhou University),Fuzhou 350108)

机构地区：[1]福州大学计算机与大数据学院,福州350108 [2]福州大学至诚学院,福州350002 [3]国防科技大学计算机学院,长沙410073 [4]大数据智能教育部工程研究中心,福州350108 [5]福建省网络计算与智能信息处理重点实验室(福州大学),福州350108

出　　处：《计算机学报》2024年第12期2852-2866,共15页Chinese Journal of Computers

基　　金：国家自然科学基金重点项目(U21A20472,U22B2005);国家自然科学基金青年科学基金项目(62406070);国家重点研发计划项目(2021YFB3600503);福建省自然科学基金项目(2021J01625,2021J01616);福建省科技重大专项(2021HZ022007);福建省技术创新重点攻关及其产业化项目(2024G018);福州市科技重大项目(2023-ZD-003)资助.

摘　　要：SDN是一种被广泛应用的网络范式.面对DDoS攻击等网络安全威胁,在SDN中集成高效的DDoS攻击检测方法尤为重要.由于SDN集中控制的特性,集中式DDoS攻击检测方法在SDN环境中存在较高的安全风险,使得SDN的控制平面安全性受到了巨大挑战.此外,SDN环境中流量数据不断增加,导致复杂流量特征的更复杂化、不同实体之间严重的Non-IID分布等问题.这些问题对现有的基于联邦学习的检测模型准确性与鲁棒性的进一步提高造成严重阻碍.针对上述问题,本文提出了一种基于联邦增量学习的SDN环境下DDoS攻击检测模型.首先,为解决集中式DDoS攻击检测的安全风险与数据增量带来的Non-IID分布问题,本文提出了一种基于联邦增量学习的加权聚合算法,使用动态调整聚合权重的方式个性化适应不同子数据集增量情况,提高增量聚合效率.其次,针对SDN环境中复杂的流量特征,本文设计了一种基于LSTM的DDoS攻击检测方法,通过统计SDN环境中流量数据的时序特征,提取并学习数据的时序关特征的相关性,实现对流量特征数据的实时检测.最后,本文结合SDN集中管控特点,实现了SDN环境下的DDoS实时防御决策,根据DDoS攻击检测结果与网络实体信息,实现流规则实时下发,达到有效阻断DDoS攻击流量、保护拓扑重要实体并维护拓扑流量稳定的效果.本文将提出的模型在增量式DDoS攻击检测任务上与FedAvg、FA-FedAvg和FIL-IIoT三种方法进行性能对比实验.实验结果表明,本文提出方法相比于其他方法,在DDoS攻击检测准确率上提升5.06%~12.62%,F1-Score提升0.0565~0.1410.Software-Defined Networking(SDN)is a widely adopted network paradigm characterized by the separation of the control plane from the data plane.In light of network security threats,particularly Distributed Denial of Service(DDoS)attacks,the integration of effective DDoS attack detection methods within SDN is of paramount importance.The centralized control characteristic of SDN presents significant security risks when employing centralized DDoS attack detection methods,thereby posing considerable challenges to the security of the control plane in SDN environments.Furthermore,the growing volume of traffic data in SDN environments results in challenges related to more intricate traffic characterization and a pronounced Non-Independent and Identically Distributed(Non-IID)distribution among various entities.These issues present significant barriers to enhancing the accuracy and robustness of current federated learning-based detection models.The separation of management and control in SDN facilitates the creation of new flow rules by users,which enhances the efficiency of message routing control.However,current methodologies for flow detection face difficulties in preserving the knowledge of original features while simultaneously adapting to the distribution of newly generated features within the SDN environment.This challenge contributes to a phenomenon known as data forgetting.Furthermore,the imposition of flow rules restricts the forwarding targets of messages,resulting in variability in the data messages that can be collected by different host entities.The Non-IID distribution problem significantly undermines the performance and robustness of DDoS attack detection models that utilize artificial intelligence.To address these challenges,we propose a federated incremental learning-based model for DDoS attack detection within an SDN environment.This model integrates incremental learning and federated learning to accommodate new data inputs through incremental model updates,thereby eliminating the need for global re-train

关 键 词：联邦学习 联邦增量学习 网络安全 DDOS攻击检测 软件定义网络 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]