| Software-defined networking (SDN) is an innovative architecture that separates the control plane from the data plane. The flow entry cache resources of a switch are limited. SDN saturation attacks cause the switch to install a large number of flow entries until the flow table overflows, so that the switch has no free resources left to install flow entries for normal user traffic, which seriously affects the service quality and stability of the network. To address the efficient utilization of switch flow entry resources, this thesis studies schemes for dynamically setting the idle expiration time of flow entries and proposes an algorithm that sets the idle expiration time dynamically based on historical flow time characteristics, which alleviates the invalid occupation of flow table resources by flow entries under SDN saturation attacks. To address the frequent swapping in and out of flow table entries in switches, this thesis studies solutions to flow table overflow and proposes a flow table swap-in/swap-out algorithm based on the Poisson distribution, which alleviates the constant swapping in and out of flow table entries under SDN saturation attacks. The research content and contributions of this thesis mainly include: (1) An algorithm for dynamically setting the idle expiration time of flow entries based on historical flow time characteristics is proposed. The idle expiration time of a flow entry is predicted by recording the interval between data packets of historical flows. When the switch installs the flow entry, its idle expiration time is taken from the predicted value, so that the flow entry resources of the switch are used efficiently. Experimental results show that the algorithm improves the hit rate of the flow table and reduces the number of packet-in messages. (2) A flow table entry replacement technique based on the expected number of packets per unit of time is proposed. The expected number of packets arriving within a unit of time in a network data flow is used as the basis for deciding which flow table entries to replace. By managing flow table entry replacement, the algorithm aims to retain the entries for long flows or flows with shorter packet intervals in the flow table, reducing the frequency of entry replacement. Experimental results demonstrate an improvement in the hit rate of flow table entries and a reduction in the number of packet-in messages. (3) A flow table management system is designed and implemented. It includes a flow time feature collection module, a flow entry idle expiration time calculation module, a flow entry idle expiration time setting module, a flow-mod information cache module, a flow entry miss processing module, a flow entry credit value calculation module, a flow entry swap-in/swap-out decision module, a flow-mod information cache deletion decision module and a statistical information module. Each module has passed functional testing. |
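
The two mechanisms described in contributions (1) and (2), as an added sketch that is not the thesis's own code: a toy flow table run over a constructed saturation trace, compared against a fixed-timeout FIFO baseline. The EWMA gap estimator, the `margin` multiplier, the rule of forwarding without installing, and all names are assumptions made for illustration.

```python
class FlowTable:
    def __init__(self, capacity, smart=True, default_idle=10.0, margin=2.0, alpha=0.5):
        self.capacity, self.smart = capacity, smart  # smart=False: fixed timeout + FIFO
        self.default_idle, self.margin, self.alpha = default_idle, margin, alpha
        self.mean_gap = {}   # flow -> EWMA of inter-packet gap (s), kept after eviction
        self.last_seen = {}  # flow -> arrival time of its latest packet
        self.entries = {}    # installed flow -> idle timeout (s), insertion-ordered
        self.packet_in = 0   # table misses sent to the controller

    def rate(self, flow):
        # Expected packets per second; for Poisson arrivals this is 1 / mean gap.
        gap = self.mean_gap.get(flow)
        return 1.0 / gap if gap else 0.0

    def idle_timeout(self, flow):
        # Assumed predictor: margin * mean historical gap, else the default.
        gap = self.mean_gap.get(flow)
        return self.margin * gap if self.smart and gap else self.default_idle

    def packet(self, flow, now):
        for f in [f for f, t in self.entries.items() if now - self.last_seen[f] > t]:
            del self.entries[f]                      # idle expiry
        if flow in self.last_seen:                   # update the flow's gap history
            gap, old = now - self.last_seen[flow], self.mean_gap.get(flow)
            self.mean_gap[flow] = gap if old is None else self.alpha * gap + (1 - self.alpha) * old
        self.last_seen[flow] = now
        if flow in self.entries:
            self.entries[flow] = self.idle_timeout(flow)
            return "hit"
        self.packet_in += 1
        if len(self.entries) >= self.capacity:
            victim = min(self.entries, key=self.rate) if self.smart else next(iter(self.entries))
            if self.smart and self.rate(flow) <= self.rate(victim):
                return "miss"                        # not worth a swap: forward only
            del self.entries[victim]
        self.entries[flow] = self.idle_timeout(flow)
        return "miss"

def constructed_trace(seconds=20):
    # Constructed input: two periodic flows plus four one-packet spoofed flows per second.
    trace = [(s + 0.1 * k, f"spoof-{s}-{k}") for s in range(seconds) for k in (1, 2, 3, 4)]
    for s in range(seconds):
        trace += [(float(s), "web"), (s + 0.5, "db")]
    return sorted(trace)

def simulate(smart, capacity=3):
    table = FlowTable(capacity, smart=smart)
    hits = sum(table.packet(flow, t) == "hit" for t, flow in constructed_trace())
    return table, hits
```

On this trace the baseline never hits, because spoofed flows evict `web` and `db` before their next packet arrives, while the rate-based variant keeps both periodic flows installed and shortens their idle timeout to 2 s.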