Research on SDN-based Network Security Technology
Published: 2019-04-18 12:41
[Abstract]: In recent years, major network attack incidents have emerged one after another, and network security has risen to the strategic level of national security. At the same time, with the continuous development of big data, cloud computing and other technologies, Software Defined Networking (SDN) has emerged. Because traditional network security incidents still pose a considerable threat to SDN networks, research on attack response in SDN networks has attracted academic attention. However, no accurate, fast and effective lightweight security scheme has yet appeared. Following the classification of traditional network attacks, this paper studies responses to illegal packet attacks, Distributed Denial of Service (DDoS) attacks and port scanning. To prevent illegal packet attacks from harming the destination host or server system, this paper exploits the high specificity and clear distinguishability of illegal attack packets and proposes an illegal packet attack detection and response scheme based on signature matching: before the controller makes a forwarding decision, the information parsed from the packet-in message is matched against an attack signature library. Simulation results show that the scheme accurately identifies IP fragmentation attack and Land attack packets and blocks all attack packets at the attack source. The SDN controller is a single point of vulnerability, so DDoS attacks affect SDN networks more severely. To accurately detect DDoS attacks with spoofed source IP addresses, this paper proposes an Entropy-based DDoS Defense Mechanism (EDDM), which distinguishes abnormal traffic by the change in destination IP entropy and then confirms the attack and locates its source from the correspondence between source MAC and source IP. For DDoS attacks that also spoof the source MAC address, this paper proposes a new scheme, the Upgraded Entropy-based DDoS Defense Mechanism (Upgraded-EDDM). It is the first to use the change in ingress port entropy as a basis for attack detection: a decrease in destination IP entropy together with ingress port entropy falling below source IP entropy is taken as the attack criterion, and the attacking host is located from the correspondence between ingress port and source MAC/source IP. Simulation shows that Upgraded-EDDM accurately identifies UDP Flood attacks with spoofed source MAC addresses, blocks the attack traffic at the ingress port, and outperforms EDDM overall. Distributed Reflection Denial of Service (DRDoS) attacks and port scanning show different patterns of change in the entropy of features such as ingress port, destination IP and destination port number; since they share the same entropy computation and anomaly screening process as DDoS attacks, this paper extends Upgraded-EDDM into an Integrated Entropy-based Attacks Defense Mechanism (Integrated-EADM) that can identify and block several kinds of network attacks. Simulation results show that Integrated-EADM quickly and accurately identifies DRDoS attacks and TCP SYN scans and blocks the attack traffic at the source.
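The Upgraded-EDDM attack criterion described in the abstract (destination IP entropy drops, ingress port entropy falls below source IP entropy, then the ingress port is identified from its source MAC/IP bindings), as an added illustrative example in Python that is not the thesis's code; the packet-in records, window contents, drop ratio and hosts-per-port threshold are constructed assumptions.

```python
# Added illustrative example, not the thesis's implementation; thresholds are assumptions.
import math
from collections import Counter


def entropy(values):
    """Shannon entropy in bits of the value distribution seen in one window."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def detect_window(pkts, baseline_dst_entropy, drop_ratio=0.5, max_hosts_per_port=1):
    """pkts: packet-in summaries, each {"in_port", "src_mac", "src_ip", "dst_ip"}.
    Criterion from the abstract: destination-IP entropy has dropped against the
    learned baseline AND ingress-port entropy is below source-IP entropy (many
    spoofed sources arriving through few ports). Returns (is_attack, suspects)."""
    h_dst = entropy([p["dst_ip"] for p in pkts])
    h_port = entropy([p["in_port"] for p in pkts])
    h_src = entropy([p["src_ip"] for p in pkts])
    if not (h_dst < drop_ratio * baseline_dst_entropy and h_port < h_src):
        return False, []
    # Locate the source: a benign access port carries a stable (src MAC, src IP)
    # binding; a port emitting many distinct bindings is where spoofing enters.
    bindings = {}
    for p in pkts:
        bindings.setdefault(p["in_port"], set()).add((p["src_mac"], p["src_ip"]))
    suspects = sorted(port for port, b in bindings.items() if len(b) > max_hosts_per_port)
    return True, suspects


def normal_window():
    """Constructed benign window: four hosts, one per port, eight distinct destinations."""
    return [{"in_port": i % 4 + 1, "src_mac": f"00:00:00:00:00:0{i % 4 + 1}",
             "src_ip": f"10.0.0.{i % 4 + 1}", "dst_ip": f"10.0.1.{i + 1}"} for i in range(8)]


def flood_window():
    """Constructed UDP-flood window: 14 packets with spoofed MAC/IP via port 3
    to one victim, plus one legitimate packet each on ports 1 and 2."""
    spoofed = [{"in_port": 3, "src_mac": f"02:00:00:00:00:{i:02x}",
                "src_ip": f"192.0.2.{i}", "dst_ip": "10.0.1.9"} for i in range(14)]
    legit = [{"in_port": 1, "src_mac": "00:00:00:00:00:01", "src_ip": "10.0.0.1", "dst_ip": "10.0.1.2"},
             {"in_port": 2, "src_mac": "00:00:00:00:00:02", "src_ip": "10.0.0.2", "dst_ip": "10.0.1.3"}]
    return spoofed + legit


if __name__ == "__main__":
    baseline = entropy([p["dst_ip"] for p in normal_window()])  # 3.0 bits
    print(detect_window(normal_window(), baseline))  # (False, [])
    print(detect_window(flood_window(), baseline))   # (True, [3])
```

In a controller the baseline would be learned from benign windows and the blocking action would be a flow rule dropping traffic on the suspect ingress port, which is the response the abstract describes.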
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year of degree]: 2017
[Classification number]: TP393.08
Article number: 2460048
Article link: http://sikaile.net/guanlilunwen/ydhl/2460048.html