Detecting and Defending Mechanism Against DDoS Attacks in Programmable Data Plane
(Original title: 可编程数据平面DDoS检测与防御机制)

CLC number: TP309

Fund project: National Natural Science Foundation of China (62002344, U20A20180, 62072437)
Abstract (translated from the Chinese):

Traditional detection and defense mechanisms for distributed denial-of-service (DDoS) attacks require network traffic to be mirrored, collected, and analyzed for attack features at a remote, centralized location. This directly incurs extra performance overhead and cannot meet the real-time security protection requirements of high-performance networks. With the development of new network devices such as programmable switches, the capability of the programmable data plane has been strengthened, providing a basis for performing high-performance DDoS attack detection directly in the data plane. However, existing DDoS detection methods based on the programmable data plane have low accuracy and, constrained by programming restrictions, are difficult to deploy directly in programmable switches (such as Intel Tofino). To address these problems, this paper proposes a DDoS attack detection and defense mechanism based on programmable switches. First, an attack detection mechanism based on the difference between the entropies of source and destination addresses determines whether a DDoS attack is occurring. When a DDoS attack occurs, an attack traffic filtering mechanism based on the difference between source and destination address counts is designed to defend against the attack in real time. Experimental results show that the mechanism can effectively detect and defend against multiple kinds of DDoS attacks. Compared with existing work, the accuracy of this mechanism in observation-window-level attack detection is improved by 17.75% on average, and its accuracy in packet-level attack traffic filtering is improved by 3.7% on average.

Abstract:

Traditional detection and defense mechanisms for distributed denial-of-service (DDoS) attacks require traffic mirroring, collection, and centralized remote analysis, which introduces extra performance overhead and fails to achieve real-time protection in high-performance networks. With the development of network devices such as programmable switches, the programmable data plane has emerged as a solid foundation for achieving high-performance DDoS attack detection. However, existing detection methods based on the programmable data plane cannot guarantee accuracy and are difficult to deploy directly in programmable switches (such as Intel Tofino) due to programming constraints. To this end, this paper proposes a programmable switch-based mechanism for detecting and defending against DDoS attacks. First, the mechanism uses the difference between the entropy of source addresses and the entropy of destination addresses to determine whether a DDoS attack is occurring. When a DDoS attack occurs, a traffic filtration mechanism based on the difference between source and destination address counts defends against the attack in real time. Experimental results indicate that the proposed mechanism effectively identifies and defends against DDoS attacks. Compared with the benchmark method, the accuracy of this mechanism in window-level attack detection is increased by 17.75% on average, and the accuracy of packet-level attack filtration is increased by 3.7% on average.
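The two stages described in the abstract, as an added software model written for this page (it is not the paper's P4/Tofino implementation and the authors' code is not reproduced). The window size, both thresholds, the use of Shannon entropy over exact per-window counters, and the reading of "count difference" as `count[dst] - count[src]` are all assumptions; the traffic windows are constructed with documentation-range addresses so the block runs offline:

```python
"""
Window-level DDoS detection by source/destination entropy difference, followed by
packet-level filtering by source/destination count difference.

Illustrative model of the mechanism described in the abstract; not the paper's
data-plane code. WINDOW, the thresholds, and the filter rule are assumptions.
"""
from collections import Counter
from math import log2
import random

WINDOW = 200                   # packets per observation window (assumed)
ENTROPY_DIFF_THRESHOLD = 2.0   # bits; H(src) - H(dst) above this flags the window (assumed)
COUNT_DIFF_THRESHOLD = 20      # count[dst] - count[src] above this drops the packet (assumed)


def shannon_entropy(counts):
    """Shannon entropy in bits of an address distribution given as a Counter."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values())


def window_is_attack(packets):
    """packets: list of (src, dst). Returns (flagged, h_src, h_dst).

    A volumetric attack with many (often spoofed) sources on few victims raises
    H(src) and lowers H(dst), so their difference separates attack windows from
    normal many-to-many traffic, where the two entropies stay close.
    """
    h_src = shannon_entropy(Counter(s for s, _ in packets))
    h_dst = shannon_entropy(Counter(d for _, d in packets))
    return h_src - h_dst > ENTROPY_DIFF_THRESHOLD, h_src, h_dst


def filter_window(packets):
    """Packet-level filtering, meant to run only once a window has been flagged.

    Per-address counters are updated on every packet; a packet whose destination
    has already been seen far more often than its source (a heavily targeted
    destination, a rarely seen source) is dropped. Returns (forwarded, dropped).
    """
    src_count, dst_count = Counter(), Counter()
    forwarded, dropped = [], []
    for src, dst in packets:
        src_count[src] += 1
        dst_count[dst] += 1
        if dst_count[dst] - src_count[src] > COUNT_DIFF_THRESHOLD:
            dropped.append((src, dst))
        else:
            forwarded.append((src, dst))
    return forwarded, dropped


# ---- constructed traffic (documentation-range addresses, not real hosts) ----

CLIENTS = [f"10.0.0.{i}" for i in range(1, 21)]
SERVERS = [f"192.0.2.{i}" for i in range(1, 21)]
VICTIM = "192.0.2.7"


def benign_window(seed=1, n=WINDOW):
    """20 clients talking to 20 servers: source and destination entropy are similar."""
    rng = random.Random(seed)
    return [(rng.choice(CLIENTS), rng.choice(SERVERS)) for _ in range(n)]


def attack_window(seed=1, n=WINDOW, attack_share=0.9):
    """90% of packets from random spoofed sources to one victim, 10% benign background."""
    rng = random.Random(seed)
    pkts = []
    for _ in range(n):
        if rng.random() < attack_share:
            spoofed = ".".join(str(rng.randrange(1, 224)) if i == 0 else str(rng.randrange(256))
                               for i in range(4))
            pkts.append((spoofed, VICTIM))
        else:
            pkts.append((rng.choice(CLIENTS), rng.choice(SERVERS)))
    return pkts


if __name__ == "__main__":
    for name, win in (("benign", benign_window()), ("attack", attack_window())):
        flagged, hs, hd = window_is_attack(win)
        print(f"{name}: H(src)={hs:.2f} H(dst)={hd:.2f} flagged={flagged}")
        if flagged:
            fwd, drp = filter_window(win)
            print(f"  forwarded={len(fwd)} dropped={len(drp)}")
```

Two points a deployer should note. The filter is gated on the window-level decision for a reason: a popular server receiving legitimate requests from many distinct clients produces the same "high destination count, low source count" signature, so running the count-difference rule unconditionally would drop normal traffic to busy services. And because the counters start at zero in every window, the first packets of an attack pass until the destination counter crosses the threshold; a data-plane implementation inherits this warm-up cost unless it carries state across windows.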

Cite this article

武文浩, 张磊磊, 潘恒, 李恩晗, 周建二, 李振宇. Detecting and Defending Mechanism Against DDoS Attacks in Programmable Data Plane. 软件学报 (Journal of Software), (): 1-27

History
  • Received: 2022-07-12
  • Last revised: 2023-05-10
  • Published online: 2024-12-31
Copyright: Institute of Software, Chinese Academy of Sciences
Address: 4 South Fourth Street, Zhongguancun, Haidian District, Beijing, 100190
Tel: 010-62562563 Fax: 010-62562533 Email: jos@iscas.ac.cn