Design and Implementation of an SDN-Based Dynamic Network Defense System
Published: 2018-03-29 21:37
Topic: software-defined networking  Focus: traffic anomaly detection  Source: University of Electronic Science and Technology of China (電子科技大學(xué)), master's thesis, 2017
【Abstract】: With the continuous development of network technology, people rely more and more on networks to transmit information. In traditional networks, static network configuration lets an attacker easily identify network targets and launch attacks. In recent years network security incidents have occurred frequently; nations, companies and individuals all face many potential network security threats, so network security has attracted broad public attention. Software-defined networking (SDN), as a new networking technology, provides powerful capabilities for network control and also opens new opportunities for network security research. This thesis studies a dynamic network defense system based on the SDN architecture. The system generates a traffic matrix from collected flow-state statistics, performs anomaly detection on it, and then invokes the corresponding network-configuration hopping strategy to eliminate the security risk. The thesis describes the structural design of the system, which comprises a traffic anomaly detection module and a moving target defense module. The traffic anomaly detection module focuses on estimation of the traffic matrix; the moving target defense module studies how to dynamically change three kinds of network configuration: IP addresses, port numbers and routes. The feasibility of the system is verified by experiments. The main work of the thesis is as follows: (1) Two traffic matrix estimation algorithms are proposed: a maximum-fluctuation-first algorithm and a flow-rule load-balancing algorithm. First, the initial traffic matrix is measured with the flow-rule load-balancing algorithm; then, the maximum-fluctuation-first algorithm preferentially selects from the initial matrix the top k flows with the largest fluctuation values for measurement; finally, the idea of bipartite-graph maximum-weight matching is introduced to allocate flow table entries. (2) Using the idea of moving target defense, dynamic hopping of three network configurations is implemented: IP addresses, port numbers and routes. For IP address hopping, a hopping method based on two-level frequency division is adopted to maximize the unpredictability of IP addresses. For route hopping, a route selection method based on path weights is adopted to reduce single-node vulnerability. Finally, D-ITG is used to simulate realistic traffic data for performance testing of the system. The traffic anomaly test results show that the flow-rule load-balancing algorithm selects the top k flows with the largest fluctuation values with an accuracy above 70%, which demonstrates that the maximum-fluctuation-first algorithm can effectively reduce the traffic matrix estimation error. The moving target defense experiments demonstrate that network configuration hopping can maximize the unpredictability of the network configuration and effectively prevent network reconnaissance.
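The maximum-fluctuation-first step and the estimation-error comparison that the abstract describes, as an added example that is not the thesis's own code. It assumes (my choices, not the thesis's) that a flow is an (src, dst) cell of the traffic matrix, that its fluctuation is the absolute change in byte count between the two latest measurement rounds, and that flows not selected for exact measurement are carried forward from the last round; the three rounds of byte counts are constructed.

```python
# Added example (not the thesis's code): "maximum fluctuation value first"
# selection of the top-k flows to measure exactly, and its effect on the
# traffic-matrix estimation error.
# Assumptions (mine, not from the abstract): a flow is an (src, dst) pair in
# the traffic matrix; its fluctuation is the absolute change in byte count
# between the two latest rounds; unselected flows are carried forward from
# the last round instead of being measured.

def fluctuation(prev, curr):
    """Per-flow absolute change in volume between two measurement rounds."""
    return {f: abs(curr[f] - prev[f]) for f in curr}

def top_k_by_fluctuation(prev, curr, k):
    """Flows that get dedicated measurement rules: highest fluctuation first."""
    fl = fluctuation(prev, curr)
    return sorted(fl, key=lambda f: (-fl[f], f))[:k]   # ties broken by name

def selection_accuracy(selected, true_fluct, k):
    """Fraction of the k selected flows that are in the real top-k."""
    real_top = set(sorted(true_fluct, key=lambda f: (-true_fluct[f], f))[:k])
    return len(set(selected) & real_top) / k

def estimate_next(curr, actual_next, selected):
    """Estimated matrix: selected flows measured exactly, the rest carried forward."""
    return {f: actual_next[f] if f in selected else curr[f] for f in curr}

def abs_error(estimate, actual):
    """Total absolute estimation error summed over all flows."""
    return sum(abs(estimate[f] - actual[f]) for f in actual)

# Constructed byte counts for three consecutive rounds (three hosts, six flows).
ROUND_T0 = {("h1", "h2"): 100, ("h1", "h3"): 200, ("h2", "h1"): 300,
            ("h2", "h3"): 50, ("h3", "h1"): 400, ("h3", "h2"): 60}
ROUND_T1 = {("h1", "h2"): 180, ("h1", "h3"): 205, ("h2", "h1"): 290,
            ("h2", "h3"): 55, ("h3", "h1"): 250, ("h3", "h2"): 62}
ROUND_T2 = {("h1", "h2"): 260, ("h1", "h3"): 210, ("h2", "h1"): 400,
            ("h2", "h3"): 58, ("h3", "h1"): 120, ("h3", "h2"): 63}

def run_demo(k=2):
    """Select top-k flows from the T0/T1 history, then score against round T2."""
    selected = top_k_by_fluctuation(ROUND_T0, ROUND_T1, k)
    accuracy = selection_accuracy(selected, fluctuation(ROUND_T1, ROUND_T2), k)
    err_none = abs_error(estimate_next(ROUND_T1, ROUND_T2, set()), ROUND_T2)
    err_sel = abs_error(estimate_next(ROUND_T1, ROUND_T2, set(selected)), ROUND_T2)
    return {"selected": selected, "accuracy": accuracy,
            "error_without_selection": err_none, "error_with_selection": err_sel}

if __name__ == "__main__":
    print(run_demo())
```

On this constructed data one of the two selected flows is a true top-2 flow (accuracy 0.5), and measuring just those two flows exactly cuts the total estimation error from 329 to 119 bytes.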
【Degree-granting institution】: University of Electronic Science and Technology of China
【Degree level】: Master's
【Year degree awarded】: 2017
【Classification number】: TP393.08
Article number: 1682992
Article link: http://sikaile.net/guanlilunwen/ydhl/1682992.html