Although the centralized intelligent control and dynamic open programmability of software-defined networking (SDN) bring many advantages, they also indirectly provide attackers with convenient and effective means of attack, resulting in many security challenges for SDN services and applications. Among them, the denial of service (DoS) attack is one of the most common and harmful threats. In SDN, the centrally managed control plane, the data plane with its limited network equipment capabilities, and the southbound communication interface have become the most attractive targets for attackers to carry out DoS attacks, and the network is at risk of being paralyzed. As an innovative network architecture, SDN cannot directly apply the DoS attack detection methods of traditional networks. At the same time, due to the diversity and complexity of DoS attack types, the existing solutions cannot cover all possible problems. In addition, SDN has some inherent defects in its design and communication mechanisms, so new ways of exploiting them for DoS attacks still need to be further explored and analyzed.

This thesis focuses on different forms of DoS attacks in SDN. It makes a systematic and in-depth study of three aspects: detection of the new-flow-based DoS attack, detection of the DoS attack based on packet injection, and detection of the low-rate DoS (LDoS) attack that overflows the flow table. The main research achievements are as follows:

1. Because SDN lacks an effective authentication mechanism, attackers can easily forge new flows to mount a high-rate DoS attack. This thesis proposed DoSGuard, a detection scheme that integrates fast anomaly location with accurate attack detection. On the one hand, DoSGuard built a mapping relationship between data plane switches and hosts; by analyzing the consistency of Packet-In messages against the mapping information, it can discover suspicious hosts quickly. On the other hand, based on fused OpenFlow message and data flow features, DoSGuard implemented an accurate attack detection model to further verify the questionable information. Once an attack is confirmed, DoSGuard uses the SDN software's ability to control the network to issue blocking rules for the attack flow and mitigate the attack's impact. This thesis implemented a prototype of DoSGuard on an open controller and evaluated the scheme's effectiveness in a software environment. The experimental results showed that the proposed method achieves effective attack detection with low load overhead, and its accuracy rate reaches 98.72%, which is better than the comparison schemes.

2. For the vulnerability of SDN data forwarding and topology management mechanisms, this thesis revealed a new attack form and proposed a detection scheme for this latest attack method. This thesis first proposed a packet injection exploiting attack model and proved the feasibility and effectiveness of a DoS attack based on the proposed model through experiments. Specifically, the attacker can inject false nodes into the SDN network by forging the MAC address of a host to generate a zombie topology, and then craft specific data packets directed at the fake nodes to carry out DoS attacks. To detect and defend against the packet injection exploiting attack, this thesis extended the functions of the SDN controller and designed a lightweight detection framework, PIEDefender. This solution requires no additional hardware support and makes no modifications to the data plane. By authenticating the core messages of the OpenFlow protocol and analyzing typical message and traffic characteristics, PIEDefender can realize instant discovery and accurate detection of injection behaviors and attack behaviors. The experimental results showed that this scheme achieves a detection accuracy of 97.8% with limited overhead, and that indicators such as precision, recall, and false-positive rate are significantly better than the comparison schemes. At the same time, this thesis further discussed the scheme's applicability: an analysis of the common threat types in SDN showed that, besides detecting packet injection exploiting attacks, the proposed scheme can also defend against other typical attack types.

3. To address the problem that the LDoS attack on the SDN data plane is destructive and difficult to detect, this thesis first analyzed the current research work and then proposed a flow table overflow LDoS attack detection scheme named TDM. TDM consists of three components: dynamic timeout, attack detection, and attack mitigation. The dynamic timeout component implemented a timeout allocation strategy based on the historical behavior of flow table rules and the usage of switch flow table space, which improved the utilization of flow table space and made it harder for attackers to infer the configuration of data plane capabilities. The attack detection component used each rule as a sample for detection and can identify specific flow rules as attack flow rules, which improved the granularity and accuracy of detection. When the flow table space was insufficient, the attack mitigation component applied different strategies according to whether an attack was present. This thesis evaluated the efficiency and effectiveness of TDM in a software environment. The experimental results showed that TDM can effectively detect and defend against the flow table overflow LDoS attack through mutual scheduling and cooperation among its components.
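The first achievement describes DoSGuard's fast anomaly location: a switch-to-host mapping kept by the controller, checked for consistency against each Packet-In, followed by a blocking rule once the host is confirmed as attacking. The following is an added, illustrative reconstruction of that screening step written for this summary; it is not the thesis's code, and the Packet-In dictionary layout, the `Screener` class, the thresholds and the sample messages are all constructed assumptions. The rate check (too many new flows from one ingress port within a window) is one plausible consistency signal and goes slightly beyond what the abstract names.

```python
"""Packet-In consistency screening in the spirit of DoSGuard (added example).

Assumed representation (not from the thesis): each Packet-In is a dict with
dpid, in_port, eth_src, ipv4_src and a timestamp ts. The host mapping is the
controller's learned binding of a host MAC -> (dpid, port, ip).
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class HostBinding:
    dpid: int
    port: int
    ip: str


@dataclass
class Screener:
    window: float = 1.0        # seconds of Packet-In history kept per ingress port
    new_flow_limit: int = 20   # Packet-Ins per window before a port is suspicious
    bindings: dict = field(default_factory=dict)                        # mac -> HostBinding
    history: dict = field(default_factory=lambda: defaultdict(deque))   # (dpid, port) -> timestamps
    flagged: dict = field(default_factory=dict)                         # (dpid, port) -> reason

    def learn(self, mac, dpid, port, ip):
        """Record where a host is attached (fed by the controller's host tracker)."""
        self.bindings[mac] = HostBinding(dpid, port, ip)

    def inspect(self, pkt_in):
        """Return a reason string if this Packet-In is suspicious, else None."""
        key = (pkt_in["dpid"], pkt_in["in_port"])
        mac = pkt_in["eth_src"]
        b = self.bindings.get(mac)
        # Consistency check 1: a known MAC showing up on a different switch/port
        if b is not None and (b.dpid, b.port) != key:
            return self._flag(key, f"mac {mac} bound to {(b.dpid, b.port)} seen on {key}")
        # Consistency check 2: a known MAC claiming an IP other than its binding
        if b is not None and pkt_in.get("ipv4_src") not in (None, b.ip):
            return self._flag(key, f"mac {mac} bound to ip {b.ip} but claims {pkt_in['ipv4_src']}")
        # Rate check: too many new flows from one ingress port inside the window
        q = self.history[key]
        now = pkt_in["ts"]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.new_flow_limit:
            return self._flag(key, f"{len(q)} new flows in {self.window}s")
        return None

    def _flag(self, key, reason):
        self.flagged[key] = reason
        return reason

    def blocking_rule(self, key):
        """Drop rule for a flagged ingress port (OpenFlow-like dict, constructed shape)."""
        dpid, port = key
        return {"dpid": dpid, "match": {"in_port": port}, "actions": [], "priority": 65000}


def run_demo():
    """Feed constructed Packet-Ins through the screener and return it for inspection."""
    s = Screener(window=1.0, new_flow_limit=20)
    # constructed binding: host h1 sits on switch 1, port 1
    s.learn("00:00:00:00:00:01", dpid=1, port=1, ip="10.0.0.1")
    msgs = []
    # h1 legitimately opens five flows, one per second
    for i in range(5):
        msgs.append({"dpid": 1, "in_port": 1, "eth_src": "00:00:00:00:00:01",
                     "ipv4_src": "10.0.0.1", "ts": float(i)})
    # a host on port 2 forges h1's MAC address
    msgs.append({"dpid": 1, "in_port": 2, "eth_src": "00:00:00:00:00:01",
                 "ipv4_src": "10.0.0.1", "ts": 2.5})
    # a host on port 3 bursts 25 new flows within half a second
    for i in range(25):
        msgs.append({"dpid": 1, "in_port": 3, "eth_src": "00:00:00:00:00:03",
                     "ipv4_src": "10.0.0.3", "ts": 3.0 + i * 0.02})
    for m in msgs:
        s.inspect(m)
    return s


if __name__ == "__main__":
    screener = run_demo()
    for port, why in screener.flagged.items():
        print(port, why, screener.blocking_rule(port))
```

Unknown MACs are only rate-checked here; learning them belongs to the controller's host tracker. In the thesis the flagged host is still passed to the accurate detection model before a blocking rule is issued, so `blocking_rule` stands in for the final mitigation step rather than an immediate reaction.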
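The third achievement describes TDM's three cooperating pieces: a dynamic timeout derived from a rule's history and the switch's table occupancy, per-rule detection of flow rules that look like LDoS filler, and mitigation that behaves differently depending on whether an attack is present. The following is an added, illustrative reconstruction written for this summary, not the thesis's code; the `RuleStats` fields, the scaling factors, the thresholds and the sample flow tables are constructed assumptions, and the jitter on the timeout is one way of realizing the abstract's point that attackers should not be able to infer the configuration.

```python
"""Flow-table timeout allocation and per-rule LDoS screening in the spirit of TDM
(added example, not the thesis's implementation).

Assumed inputs: per-rule statistics as a controller would derive them from flow
statistics replies (packet_count, duration_sec) plus a per-rule re-installation
counter that the controller keeps itself.
"""
import random
from dataclasses import dataclass


@dataclass
class RuleStats:
    match: str          # opaque match key, e.g. "10.0.0.5->10.0.1.9:80/tcp"
    packet_count: int   # packets matched since installation
    duration_sec: int   # seconds the rule has been installed
    reinstalls: int     # how often this match was re-added after timing out


class TimeoutManager:
    def __init__(self, capacity, base_timeout=10, min_timeout=2, max_timeout=60, rng=None):
        self.capacity = capacity          # flow table entries the switch can hold
        self.base = base_timeout
        self.min_t = min_timeout
        self.max_t = max_timeout
        self.rng = rng or random.Random()

    def occupancy(self, table):
        return len(table) / self.capacity

    def allocate_timeout(self, rule, table):
        """Idle timeout for a rule: longer for rules with a history of reuse,
        shorter as the table fills, plus jitter so the value cannot be inferred."""
        history_factor = 1.0 + min(rule.reinstalls, 5) * 0.5      # reused rules earn longer timeouts
        pressure_factor = 1.0 - self.occupancy(table) ** 2        # budget shrinks as the table fills
        t = self.base * history_factor * pressure_factor
        t *= self.rng.uniform(0.8, 1.2)                           # +/-20% jitter
        return int(max(self.min_t, min(self.max_t, round(t))))

    def suspect_rules(self, table, min_packets=2, min_age=5):
        """Per-rule detection: rules that matched almost nothing while occupying
        table space for a while look like low-rate filler."""
        return [r for r in table if r.packet_count <= min_packets and r.duration_sec >= min_age]

    def mitigate(self, table, high_water=0.9):
        """Rules to evict when space runs short; strategy depends on attack presence."""
        if self.occupancy(table) < high_water:
            return []
        suspects = self.suspect_rules(table)
        if suspects:
            return suspects                  # attack present: evict the suspected filler rules
        # no attack: free a little room by evicting the lowest-traffic rules
        need = len(table) - int(self.capacity * high_water) + 1
        return sorted(table, key=lambda r: r.packet_count / max(r.duration_sec, 1))[:need]


def run_demo():
    """Constructed tables: 90 busy rules plus 8 idle filler rules, and a quiet table."""
    m = TimeoutManager(capacity=100, rng=random.Random(7))
    legit = [RuleStats(f"10.0.0.{i % 20}->10.0.1.{i}:80/tcp", 50 + i, 30, i % 4) for i in range(90)]
    filler = [RuleStats(f"10.0.9.{i}->10.0.1.1:{1000 + i}/udp", 1, 30, 0) for i in range(8)]
    under_attack = legit + filler
    quiet = legit + [RuleStats(f"10.0.0.{i}->10.0.1.{i}:443/tcp", 40, 20, 0) for i in range(5)]
    fresh = RuleStats("10.0.0.1->10.0.1.1:22/tcp", 0, 0, 0)
    reused = RuleStats("10.0.0.2->10.0.1.2:22/tcp", 0, 0, 3)
    return {
        "timeout_empty": m.allocate_timeout(fresh, []),
        "timeout_reused_empty": m.allocate_timeout(reused, []),
        "timeout_near_full": m.allocate_timeout(fresh, under_attack),
        "suspects": [r.match for r in m.suspect_rules(under_attack)],
        "evicted_under_attack": [r.match for r in m.mitigate(under_attack)],
        "evicted_quiet": [r.match for r in m.mitigate(quiet)],
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The two mitigation branches mirror the abstract's distinction: with filler rules present, evicting exactly those rules restores space without touching legitimate traffic; without them, a small number of the least active rules are evicted so that a genuine burst of new flows is not simply rejected.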