Abstract
To address two typical types of distributed denial of service (DDoS) attacks in cloud environments, a DDoS attack detection and defense scheme called SDCC, based on software defined network (SDN) architecture, is proposed. SDCC combines two detection methods, link bandwidth detection and data flow detection, and uses the confidence-based filtering (CBF) method to calculate the CBF score of packets. A packet whose CBF score is below the threshold is judged to be an attack packet; its attribute information is added to the attack flow feature library, and the SDN controller issues a flow table to intercept it. Simulation results show that SDCC effectively detects and defends against different types of DDoS attacks, has high detection efficiency, reduces the controller's computation overhead, and maintains a low false positive rate.
Authors
HE Heng (何亨); HU Yan (胡艳); ZHENG Lianghan (郑良汉); XUE Zhengyuan (薛正元)
Affiliations: School of Computer Science and Technology, Wuhan University of Science and Technology, Wuhan 430065, China; Hubei Province Key Laboratory of Intelligent Information Processing and Real Time Industrial System, Wuhan University of Science and Technology, Wuhan 430065, China; School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
Source
Journal on Communications (《通信学报》)
EI
CSCD
Peking University Core Journals (北大核心)
2018, Issue 4, pp. 139-151 (13 pages)
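Funding
National Natural Science Foundation of China (No.61602351, No.61502359, No.61602349)
Open Fund of the Hubei Province Key Laboratory of Intelligent Information Processing and Real Time Industrial System (No.2016znss10B)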
Keywords
cloud environment
DDoS attack
software defined network
confidence-based filtering