【摘要】：近年來(lái),重大網(wǎng)絡(luò)攻擊事件層見(jiàn)疊出,網(wǎng)絡(luò)安全已上升至國(guó)家安全的戰(zhàn)略層面。與此同時(shí),隨著大數(shù)據(jù)、云計(jì)算等技術(shù)的不斷發(fā)展,軟件定義網(wǎng)絡(luò)(Software Defined Networking,SDN)隨之興起。由于傳統(tǒng)網(wǎng)絡(luò)安全事件對(duì)SDN網(wǎng)絡(luò)依然具有較大的威脅,基于SDN網(wǎng)絡(luò)的攻擊應(yīng)對(duì)研究引起了學(xué)術(shù)界的關(guān)注。不過(guò)目前尚未出現(xiàn)一個(gè)準(zhǔn)確、快速、有效的輕量級(jí)安全方案。根據(jù)傳統(tǒng)網(wǎng)絡(luò)攻擊的分類(lèi),本文的研究?jī)?nèi)容包括:非法報(bào)文攻擊、分布式拒絕服務(wù)(Distributed Denial of Service,DDoS)攻擊和端口掃描的應(yīng)對(duì)研究。為了防止非法報(bào)文攻擊對(duì)目的主機(jī)/服務(wù)器系統(tǒng)造成危害,本文利用非法報(bào)文攻擊包特異性高、區(qū)分明顯的特點(diǎn),提出了基于特征匹配的非法報(bào)文攻擊檢測(cè)應(yīng)對(duì)方案,在控制器進(jìn)行轉(zhuǎn)發(fā)決策前將解析出的packet-in相關(guān)信息與攻擊特征庫(kù)進(jìn)行匹配篩查。仿真結(jié)果表明,非法報(bào)文應(yīng)對(duì)方案能夠準(zhǔn)確識(shí)別IP分片攻擊和Land攻擊包,并將攻擊報(bào)文全部阻塞在攻擊源頭。SDN控制器具有單點(diǎn)脆弱性,DDoS攻擊對(duì)SDN網(wǎng)絡(luò)的影響更加嚴(yán)重。為了準(zhǔn)確檢測(cè)偽造源IP的DDoS攻擊,本文提出了基于熵值的DDoS攻擊應(yīng)對(duì)方案(Entropy-based DDoS Defense Mechanism,EDDM),該方案通過(guò)目的IP熵值的變化區(qū)分異常流量、再根據(jù)源MAC與源IP的對(duì)應(yīng)關(guān)系確認(rèn)攻擊并鎖定攻擊源。針對(duì)偽造了源MAC地址的DDoS攻擊,本文提出了一個(gè)新的DDoS攻擊應(yīng)對(duì)方案(Upgraded Entropy-based DDoS Defense Mechanism,Upgraded-EDDM),該方案首次提出將入端口熵值的變化作為攻擊檢測(cè)依據(jù),以目的IP熵值降低、入端口熵低于源IP熵作為攻擊判定標(biāo)準(zhǔn),并根據(jù)入端口與源MAC/源IP的對(duì)應(yīng)關(guān)系鎖定攻擊主機(jī)位置。通過(guò)仿真,證明Upgraded-EDDM方案能夠準(zhǔn)確識(shí)別偽造源MAC的UDP Flood攻擊,將攻擊流量阻塞在入端口,且其總體性能優(yōu)于EDDM方案。分布式反射拒絕服務(wù)(Distributed Reflection Denial of Service,DRDoS)攻擊和端口掃描在入端口、目的IP、目的端口號(hào)等特征的熵值上具有不同的變化特點(diǎn),由于它們具有與DDoS攻擊相同的熵值計(jì)算和異常排查過(guò)程,本文將Upgraded-EDDM方案擴(kuò)展成一個(gè)基于熵值的一體化安全方案(Integrated Entropy-based Attacks Defense Mechanism,Integrated-EADM),使其能夠識(shí)別并阻塞多種網(wǎng)絡(luò)攻擊。仿真結(jié)果表明,Integrated-EADM方案能夠快速、準(zhǔn)確地識(shí)別DRDoS攻擊和TCP SYN掃描,并將攻擊流量阻塞在源端。
[Abstract]:In recent years, major network attacks have emerged one after another, and network security has risen to the strategic level of national security. At the same time, with the continuous development of big data, cloud computing and other technologies, software-defined network (Software Defined Networking,SDN (Software definition Network) rises. Because the traditional network security events still pose a great threat to the SDN network, the research on the attack response based on the SDN network has attracted the attention of the academic circles. However, there is not yet an accurate, fast, effective lightweight security scheme. According to the classification of traditional network attacks, the research contents of this paper include: illegal packet attack, distributed denial of Service (Distributed Denial of Service,DDoS) attack and port scanning. In order to prevent the illegal message attack from causing harm to the target host / server system, this paper makes use of the high specificity and distinct distinction of the illegal message attack packet, and puts forward a response scheme of illegal message attack detection based on feature matching. The parsed packet-in correlation information is matched with the attack feature base before the controller makes forwarding decision. Simulation results show that the scheme can accurately identify IP fragmentation attack and Land attack packet, and block all the attack packets at the source of the attack. The DDoS controller has a single point of vulnerability, and the DDoS attack has a more serious impact on the SDN network. In order to detect the DDoS attack of the forgery source IP accurately, this paper proposes an entropy-based DDoS attack response scheme (Entropy-based DDoS Defense Mechanism,EDDM), which distinguishes abnormal traffic by the change of the destination IP entropy value. Then the attack is confirmed and locked according to the corresponding relationship between the source MAC and the source IP. In this paper, a new DDoS attack response scheme (Upgraded Entropy-based DDoS Defense Mechanism,Upgraded-EDDM) is proposed for the DDoS attack which forges the source MAC address. In this scheme, the change of the entropy value of the incoming port is first proposed as the basis of attack detection. The target IP entropy is reduced and the inlet entropy is lower than the source IP entropy as an attack criterion. The attack host location is locked according to the corresponding relationship between the inbound port and the source MAC/ source IP. The simulation results show that the Upgraded-EDDM scheme can accurately identify the UDP Flood attack of the forgery source MAC and block the attack traffic at the ingress port. The overall performance of the UDP Flood scheme is superior to that of the EDDM scheme. Distributed Reflectance denial of Service (Distributed Reflection Denial of Service,DRDoS) attacks and port scanning have different entropy values in terms of characteristics such as inbound port, destination IP, destination port number, and so on. Because they have the same entropy calculation and anomaly detection process as the DDoS attack, this paper extends the Upgraded-EDDM scheme to an all-in-one security scheme based on entropy (Integrated Entropy-based Attacks Defense Mechanism,Integrated-EADM). Enables it to identify and block multiple network attacks. The simulation results show that the Integrated-EADM scheme can quickly and accurately identify DRDoS attacks and TCP SYN scans, and block the attack traffic at the source end.
【學(xué)位授予單位】：電子科技大學(xué)
【學(xué)位級(jí)別】：碩士
【學(xué)位授予年份】：2017
【分類(lèi)號(hào)】：TP393.08

【參考文獻(xiàn)】

相關(guān)期刊論文 前4條

1 史振華;劉外喜;楊家燁;;SDN架構(gòu)下基于ICMP流量的網(wǎng)絡(luò)異常檢測(cè)方法[J];計(jì)算機(jī)系統(tǒng)應(yīng)用;2016年04期

2 舒遠(yuǎn)仲;梅夢(mèng)U，

本文編號(hào)：2460048