基于软件定义网络的Crossfire攻击防御方法

doi:10.19678/j.issn.1000-3428.0067935

摘要/Abstract

摘要： 区别于常规的分布式拒绝服务攻击，利用僵尸网络发动的Crossfire攻击具有低速率不可区分的特性，这导致常规入侵检测系统难以防御此类攻击。针对该问题，设计一种检测防御Crossfire攻击的方法。该方法基于软件定义网络，首先利用网络瓶颈选择算法筛选出易受攻击的网络瓶颈节点与链路，在此基础上部署虚拟节点预防Crossfire攻击，虚拟节点应答可疑探测流，扰乱攻击者的攻击视图从而隐藏物理拓扑的网络瓶颈，并在此过程基于随机森林和双阈值自编码器检测僵尸网络，最后通过慢开始防御策略和局部快速重路由方法以达到防御Crossfire攻击的目的。实验在软件定义网络环境下进行，虚拟节点的部署能够使得瓶颈节点指标明显降低，方法所提的僵尸网络检测模型在精度以及召回率等方面相较于传统随机森林分类模型提高了近5%，防御方法能够在10秒内达到缓解Crossfire攻击的效果。实验结果表明，对比其他方法，所提方法能有效检测缓解此类攻击，且在此过程中基本不会影响到合法流量在物理拓扑中的正常转发。

Abstract: Different from conventional DDoS, Crossfire attacks launched by botnets are low-speed indistinguishable, which makes it difficult for conventional intrusion detection systems to defend against such attacks. To solve this problem, a method of detecting and defending Crossfire attacks is designed. This method is based on Software Defined Network (SDN). Firstly, the network bottleneck selection algorithm is used to screen out vulnerable network bottleneck nodes and links. On this basis, deploy virtual nodes to prevent Crossfire attacks. Virtual nodes respond to the suspicious probe flow, distort the attacker's attack view, and hide the network bottleneck of the physical topology. In this process, the botnet is detected based on random forest and double-threshold autoencoder. Finally, the slow start defense strategy and local fast reroute method are adopted to defend against Crossfire attacks. The experiment is carried out in the SDN environment. The deployment of virtual nodes could significantly reduce the bottleneck node index. The botnet detection model proposed by the method is nearly 5% higher than the traditional random forest classification model in terms of precision and recall. The defense method can alleviate Crossfire attacks within 10 seconds. Experimental results show that compared with other methods, the proposed method can effectively detect and mitigate such attacks in the SDN environment, and the normal forwarding of legitimate traffic in the physical topology is basically not affected in this process.

郭雷, 荆山, 魏亮, 赵川. 基于软件定义网络的Crossfire攻击防御方法[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0067935.

GUO Lei, JING Shan, WEI Liang, ZHAO Chuan. Crossfire Attack Defense Method Based on Software Defined Network[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0067935.

参考文献

[1] 李可欣,王兴伟,易波,等.智能软件定义网络[J].软件学报,2021,32(1): 118-136. (Li K X, Wang X W, Yi B, et al. Intelligent software defined networking[J]. Journal of Software, 2021, 32(1): 118-136.)
[2] 徐玉华,孙知信.软件定义网络中的异常流量检测研究进展[J].软件学报,2020,31(1):183-207. (XU Y H, SUN Z X. Research development of abnormal traffic detection in software defined networking [J]. Journal of Software, 2020, 31(1): 183-207.)
[3] STUDER A, PERRIG A. The coremelt attack [C]// ESORICS 2009: 14th European Symposium on Research in Computer Security. Saint-Malo: LNSC, 2009: 37-52
[4] MIN S K, LEE S B, GLIGOR V D. The crossfire attack [C]// SP 2013: 2013 IEEE Symposium on Security and Privacy. Berkeley: IEEE, 2013: 127-141.
[5] GitHub, February 28th Github DDoS Incident Report [R/OL]. [2018-03-01] https://github.blog/2018-03-01-ddo s-incident-report/.
[6] XING J, CAI J, ZHOU B, et al. A deep ConvNet-Based countermeasure to mitigate link flooding attacks using software-defined networks [C]// ISCC 2019: 2019 IEEE Symposium on Computers and Communications. Barcelona: IEEE, 2020: 1-6.
[7] RAFIQUE W, HE X, LIU Z, et al. CFADefense: A security solution to detect and mitigate crossfire attacks in software-defined IoT-Edge infrastructure [C]// HPCC 2019: 2019 IEEE 21st International Conference on High Performance Computing and Communications. Zhangjiajie: IEEE, 2019: 500-509.
[8] MIN S K, GLIGOR V D. Routing bottlenecks in the Internet: Causes, Exploits, and Countermeasures [C]// CCS 2014: 2014 ACM SIGSAC Conference on Computer and Communications Security. Scottsdale Arizona: ACM, 2014: 321-333.
[9] MANAMI N, NORIAKI K. Detecting crossfire-attack hosts in search phase [C]// APNOMS 2022: 2022 23rd Asia-Pacific Network Operations and Management Symposium. Takamatsu: IEEE, 2022: 1-4.
[10] WANG J, WEN R, LI J, et al. Detecting and mitigating target link-flooding attacks using SDN [J]. IEEE Transactions on Dependable and Secure Computing, 2018, 16(6): 944-956.
[11] MIN S K, GLIGOR V D, VYAS S. SPIFFY: inducing Cost-Detectability tradeoffs for persistent link-flooding attacks [C]// NDSS 2016: Network and DistributedSystems Security Symposium. San Diego: ISOC, 2016: 53-55.
[12] WANG L, LI Q, JIANG Y, et al. Woodpecker: detecting and mitigating link-flooding attacks via SDN [J]. Computer Networks, 2018, 147(24): 1-13.
[13] ZHOU B, PAN G, CHUNMING W U, et al. Multi-variant network address hopping to defend stealthy crossfire attack [J]. Science China Information Sciences, 2020, 63(6): 1-3.
[14] AYDEGER A, MANSHAEI M H, RAHMAN M A, et al. Strategic defense against stealthy link flooding attacks: a signaling game approach [J]. IEEE Transactions on Network Science and Engineering, 2021, 8(1): 751-764.
[15] HYDER M F, Fatima T. Towards crossfire distributed denial of service attack protection using intent-based moving target defense over software-defined networking [J]. IEEE Access, 2021, 9: 112792-112804.
[16] KIM J, SHIN S. Software-defined HoneyNet: towards mitigating link flooding attacks [C]// DSN-W 2017: 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops. Denver: IEEE, 2017: 99-100.
[17] KIM J, NAM J, LEE S, et al. BottleNet: hiding network bottlenecks using SDN-Based topology deception [J]. IEEE Transactions on Information Forensics and Security, 2021, 16: 3138-3153.
[18] KIM J, MARIN E, CONTI M, et al. EqualNet: a secure and practical defense for long-term network topology obfuscation [C]// NDSS 2022: Network and Distributed Systems Security Symposium. San Diego: ISOC, 2022: 24-28.
[19] LIASKOS C, IOANNIDIS S. Network topology effects on the detectability of crossfire attacks [J]. IEEE Transactions on Information Forensics and Security, 2018, 13(7): 1682-1695.
[20] NICK M, TOM A, HARI B, et al. OpenFlow: enabling innovation in campus networks [J]. ACM SIGCOMM Computer Communication Review, 2008, 38(2): 69-74.
[21] 穆俊芳,郑文萍,王杰,等.基于重连机制的复杂网络鲁棒性分析[J].计算机科学,2021,48(7):130-136. (MU J F, ZHENG W P, WANG J, et al. Robustness analysis of complex network based on rewiring mechanism[J]. Computer Science, 2021, 48(7): 130-136.)
[22] 周桐庆,蔡志平,夏竟,等.基于软件定义网络的流量工程 [J].软件学报,2016,27(2):394-417. (ZHOU T Q, CAI Z P, XIA J, et al. Traffic engineering for software defined networks [J]. Journal of Software, 2016, 27(2): 394-417.)
[23] FREEMAN L C. A set of measures of centrality based on betweenness[J]. Sociometry, 1977, 40(1): 35-41.
[24] MARTEAU P F. Random partitioning forest for point-wise and collective anomaly detection—application to network intrusion detection [J]. IEEE Transactions on Information Forensics and Security, 2021, 16: 2157-2172.
[25] KUMAR M A, SHWETA P. Mitigating cyber threats through integration of feature selection and stacking ensemble learning: the LGBM and random forest intrusion detection perspective[J]. Cluster computing, 2023, 26(4): 2339-2350.
[26] CHOUDHURY S, BHOWAL A. Comparative analysis of machine learning algorithms along with classifiers for network intrusion detection [C]// ICSTM 2015: 2015 International Conference on Smart Technologies and Management for Computing, Communication, Controls, Energy and Materials. Avadi: IEEE, 2015: 89-95.
[27] ANBAR M, ABDULLAH R, HASBULLAH I H, et al. Comparative performance analysis of classification algorithms for intrusion detection system [C]// PST 2016: 2016 14th Annual Conference on Privacy, Security and Trust. Auckland: IEEE, 2016: 282-288.
[28] KNIGHT S, NGUYEN H X, FALKNER N, et al. The internet topology zoo[J]. IEEE Journal on Selected Areas in Communications, 2011, 29(9):1765-1775.
[29] GARCIA S, GRILL M, STIBOREK J, et al. An empirical comparison of botnet detection methods[J]. Computers and Security, 2014, 45: 100-123.

选择文件类型/文献管理软件名称

选择包含的内容