面向SDN的攻击流量分配与负载均衡机制  

作　　者：李曼 周华春[1] 徐琪 邓双兴 邹涛 张汝云 LI Man;ZHOU Huachun;XU Qi;DENG Shuangxing;ZOU Tao;ZHANG Ruyun(School of Electronic and Information Engineering,Beijing Jiaotong University,Beijing 100044,China;Zhejiang Lab,Hangzhou 311121,China)

机构地区：[1]北京交通大学电子信息工程学院,北京100044 [2]之江实验室,浙江杭州311121

出　　处：《通信学报》2025年第3期74-93,共20页Journal on Communications

基　　金：国家重点研发计划基金资助项目(No.2018YFA0701604);国家自然科学基金资助项目(No.62341102);浙江省重点研发计划基金资助项目(No.2024SSYS0001);山东省自然科学基金资助项目(No.ZR2023LZH017)。

摘　　要：为了解决软件定义网络(SDN)中传统流量分配算法无法有效识别分布式拒绝服务(DDoS)攻击的问题,提出了一种面向攻击流量的流量分配与负载均衡算法,将流量分配问题建模为马尔可夫决策过程,其中奖励函数考虑了资源消耗和时延。为了优化马尔可夫决策过程,利用基于演员-评论家网络的负载均衡算法,根据流量特征和网络特征,智能分配流量到不同安全路径,以减轻攻击影响,降低负载和时延。实验结果表明,在自生成数据集和公开数据集下,所提算法的奖励值高于对比算法的,表明其在负载均衡方面的性能更优。在吞吐量方面展现出了较高的稳定性,其变化范围相对较小,波动范围为12.95~14.83 Mbit/s;在流量分布方面,所有路径上的流量分布都比较平均;在检测性能方面,识别攻击的平均加权精准率、平均加权召回率和平均加权F1分数分别达到90%、92%和94%。To tackle the problem of traditional traffic allocation methods in software-defined networks(SDN)potentially failing to effectively detect distributed denial of service(DDoS)attacks,a traffic allocation and load balancing mechanism for attack traffic was proposed.The traffic allocation problem was modeled as a Markov decision process(MDP),where the reward function included both resource consumption and delay.To optimize the MDP,a load balancing algorithm based on actor-critic networks was developed.This algorithm allocated traffic to different paths based on traffic and network features with the goal of reducing load and latency.The experimental results demonstrate that,under selfgenerated and public datasets,the proposed method achieves higher reward than the baseline load balancing methods,indicating its superior performance in load balancing.In terms of throughput,it exhibits high stability with a relatively small variation range,fluctuating between 12.95 Mbit/s and 14.83 Mbit/s.Regarding traffic distribution,the traffic is relatively evenly distributed across all paths.In terms of detection performance,the average weighted precision,average weighted recall,and average weighted F1 score are 90%,92%and 94%,respectively.

关 键 词：SDN 流量分配 负载均衡 DDOS攻击 

分 类 号：TN92[电子电信—通信与信息系统]