
Computer Engineering ›› 2024, Vol. 50 ›› Issue (10): 216-227. doi: 10.19678/j.issn.1000-3428.0067935

• Cyberspace Security •

Crossfire Attack Defense Method Based on Software Defined Network

GUO Lei1, JING Shan1,*, WEI Liang2, ZHAO Chuan3

  1. School of Information Science and Engineering, University of Jinan, Jinan 250022, Shandong, China
  2. Jiangsu Future Networks Innovation Institute, Nanjing 211111, Jiangsu, China
  3. Quan Cheng Laboratory, Jinan 250103, Shandong, China
  • Received: 2023-06-26 Online: 2024-10-15 Published: 2024-02-21
  • Contact: JING Shan
  • Supported by:
    National Natural Science Foundation of China (62172258); National Natural Science Foundation of China (61702218); National Natural Science Foundation of China (61672262); Natural Science Foundation of Shandong Province (ZR2021LZH007); Key Research and Development Program of Shandong Province (2021CXGC010103); Taishan Scholars Young Expert Program (tsqn202211280)

Abstract:

Unlike conventional Distributed Denial of Service (DDoS) attacks, Crossfire attacks launched by botnets are low-rate and indistinguishable, making them difficult for conventional intrusion detection systems to defend against. To address this issue, a method for detecting and defending against Crossfire attacks is proposed, based on a Software Defined Network (SDN). First, a network bottleneck selection algorithm identifies vulnerable network bottleneck nodes and links. On this basis, virtual nodes are deployed to prevent Crossfire attacks: the virtual nodes respond to suspicious probe flows, distort the attacker's view of the network, and thereby hide the network bottlenecks of the physical topology. Botnet detection is performed using a random forest and a double-threshold autoencoder. Finally, a slow-start defense strategy and a local fast rerouting method are adopted to defend against Crossfire attacks. Experiments conducted in an SDN environment show that deploying virtual nodes significantly reduces the bottleneck node index. The proposed botnet detection model performs approximately 5 percentage points better in precision, recall, F1 score and other metrics than the traditional random forest classification model. The defense method mitigates Crossfire attacks within 10 s. Experimental results show that, compared with other methods, the proposed method can effectively detect and mitigate such attacks in the SDN environment, with minimal impact on the normal forwarding of legitimate traffic in the physical topology.

Key words: Software Defined Network (SDN), Crossfire attack, virtual node, botnet detection, detection and defense