Detecting and Defending Mechanism Against DDoS Attacks in Programmable Data Plane
(Chinese title: 可编程数据平面DDoS检测与防御机制)

CLC number: TP309

Funding: National Natural Science Foundation of China (62002344, U20A20180, 62072437)
Abstract (translated from the Chinese):

Traditional distributed denial-of-service (DDoS) detection and defense mechanisms need to mirror and collect network traffic and analyze attack signatures at a remote, centralized location. This directly incurs additional performance overhead and cannot meet the real-time security protection needs of high-performance networks. With the development of new network devices such as programmable switches, the capabilities of the programmable data plane have been strengthened, providing a basis for high-performance DDoS attack detection directly in the data plane. However, existing DDoS detection methods based on the programmable data plane have low accuracy and, constrained by programming restrictions, are difficult to deploy directly on programmable switches (such as Intel Tofino). To address these problems, this paper proposes a DDoS attack detection and defense mechanism based on programmable switches. First, an attack detection mechanism based on the entropy difference between source and destination addresses determines whether a DDoS attack is occurring. When a DDoS attack occurs, an attack traffic filtering mechanism based on the difference between source and destination address counts provides real-time defense against the attack. Experimental results show that the mechanism effectively detects and defends against multiple kinds of DDoS attacks. Compared with existing work, its accuracy in window-level attack detection is improved by 17.75% on average, and its accuracy in packet-level attack traffic filtering is improved by 3.7% on average.

Abstract (English, as published):

Traditional detection and defense mechanisms for distributed denial-of-service (DDoS) attacks require traffic mirroring, collection, and centralized remote analysis, which introduces extra performance overhead and fails to achieve real-time protection in high-performance networks. With the development of network devices such as programmable switches, the programmable data plane has emerged as a solid foundation for high-performance DDoS attack detection. However, existing detection methods based on the programmable data plane cannot guarantee accuracy and are difficult to deploy directly in programmable switches (such as Intel Tofino) due to programming constraints. To this end, this paper proposes a programmable-switch-based mechanism for detecting and defending against DDoS attacks. First, the mechanism uses the difference between the entropy of source addresses and the entropy of destination addresses to determine whether a DDoS attack is occurring. When a DDoS attack occurs, a traffic filtration mechanism based on the difference in counts between source and destination addresses defends against the attack in real time. Experimental results indicate that the proposed mechanism effectively identifies and defends against DDoS attacks. Compared with the benchmark method, the accuracy of this mechanism in window-level attack detection is increased by 17.75% on average, and the accuracy of packet-level attack filtration is increased by 3.7% on average.
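As an added illustration (not the paper's P4/Tofino implementation, which is not on this page), the following Python simulates the two stages the abstract describes over constructed traffic: window-level detection on the source-minus-destination address entropy difference, then packet-level filtering on per-address sent-minus-received counts. The threshold values, the per-address form of the count-difference rule and the sample addresses are assumptions of this example, not values from the paper.

```python
import math
from collections import Counter

# Constructed sample traffic: (src_ip, dst_ip) pairs seen at switch ingress in one window.
CLIENTS = [f"192.0.2.{i}" for i in range(1, 21)]   # 20 legitimate clients (assumed)
SERVERS = [f"10.0.0.{i}" for i in range(1, 5)]     # 4 protected servers (assumed)
VICTIM = "10.0.0.1"

def benign_window(reqs_per_pair=5):
    """Symmetric request/reply traffic: every client exchanges packets with every server."""
    pkts = []
    for c in CLIENTS:
        for s in SERVERS:
            pkts += [(c, s)] * reqs_per_pair + [(s, c)] * reqs_per_pair
    return pkts

def attack_window(bots=60, pkts_per_bot=20):
    """Benign background plus a one-way flood at VICTIM from 60 spoofed sources."""
    flood = [(f"203.0.113.{b}", VICTIM) for b in range(1, bots + 1)] * pkts_per_bot
    return benign_window() + flood

def entropy_bits(counts):
    """Shannon entropy (bits) of an address distribution given as a Counter."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def window_entropy_diff(packets):
    """H(source addresses) - H(destination addresses) over the window; a flood from
    many sources at one victim raises the first term and lowers the second."""
    src = Counter(s for s, _ in packets)
    dst = Counter(d for _, d in packets)
    return entropy_bits(src) - entropy_bits(dst)

def detect_window(packets, threshold_bits):
    """Window-level detection: flag the window when the entropy difference
    exceeds a threshold (the threshold value is an assumption of this example)."""
    return window_entropy_diff(packets) > threshold_bits

def address_asymmetry(packets):
    """Per address: packets sent minus packets received within the window."""
    sent = Counter(s for s, _ in packets)
    recv = Counter(d for _, d in packets)
    return {a: sent[a] - recv[a] for a in set(sent) | set(recv)}

def filter_window(packets, asym_threshold):
    """Packet-level filtering once detect_window() fires: drop packets whose source
    sent far more than it received; legitimate clients see replies, so they pass."""
    asym = address_asymmetry(packets)
    return [p for p in packets if asym[p[0]] <= asym_threshold]
```

In the attack window the entropy difference is about 3.8 bits versus 0 for the benign window, and the filter removes exactly the 1200 flood packets while keeping all 800 benign ones.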

Cite this article:

武文浩, 张磊磊, 潘恒, 李恩晗, 周建二, 李振宇. Detecting and defending mechanism against DDoS attacks in programmable data plane. Journal of Software (软件学报), 2025, 36(8): 3831–3857 (in Chinese).

History
  • Received: 2022-07-12
  • Last revised: 2023-05-10
  • Published online: 2024-12-31