HSENet:基于异构语义超图及异构边卷积的SDN嗅探攻击检测方法

doi:10.19678/j.issn.1000-3428.0252966

摘要/Abstract

摘要： 软件定义网络（SDN）中的嗅探攻击是一类以探测交换机敏感配置与状态为目的的隐蔽攻击。因其低速率、小流量和高隐蔽性的特征，现有攻击检测方法对其识别能力极为有限。已有的面向控制器饱和或流表溢出等攻击的图神经网络（GNN）方法往往依赖密集的拓扑交互或强信号特征，难以有效刻画嗅探网络流之间稀疏的相关性以及主机层面的隐式结构关系，使其攻击检测性能受限。为解决上述问题，提出一种面向SDN嗅探攻击的检测方法HSENet。该方法首先通过设计异构语义超图生成算法HSHG，刻画网络流的微观通信语义与宏观主机行为语义；进而构建异构边卷积网络HEC-GCN，实现针对不同语义关系的自适应卷积与融合，得到判别力更强的节点嵌入表示。基于两个网络流数据集的实验结果表明，HSENet在准确率、加权F1值与宏F1值等多项指标上均显著优于多种GNN与传统机器学习基线。相比较最佳基线，准确率分别提升2.65%和3.34%，加权F1值分别提升2.64%和2.48%，宏F1值分别提升2.91%和11.37%。这些结果表明，该方法能够有效增强对低速率、小流量且高度隐蔽的嗅探流的识别能力，为SDN环境下的早期威胁发现提供了一种可行且高效的解决方案。

Abstract: Probing attacks in Software-Defined Networking (SDN) are stealthy attacks that probe switches for sensitive configurations and states. Their low rate, small volume, and high stealth make detection difficult. Existing detection methods show limited recognition ability. Graph Neural Network (GNN) methods designed for overt attacks such as controller saturation or flow-table overflow often rely on dense topological interactions or strong signal features. These methods fail to capture sparse correlations among probing flows and implicit host-level structures, which restricts their performance. This paper proposes HSENet, a detection method for SDN probing attacks. The method first designs a Heterogeneous Semantic Hypergraph generation algorithm called HSHG. The algorithm encodes micro-level communication semantics and macro-level host behavior semantics of network flows. The method then builds a Heterogeneous-Edge Convolutional GCN called HEC-GCN. The network performs adaptive convolution and fusion over different semantic relations and produces more discriminative node embeddings. Experiments on two network flow datasets show that HSENet significantly outperforms multiple GNN and traditional machine-learning baselines on Accuracy, Weighted-F1, and Macro-F1. Compared with the best baseline, Accuracy increases by 2.65% and 3.34%, Weighted-F1 by 2.64% and 2.48%, and Macro-F1 by 2.91% and 11.37%. These results indicate that the method strengthens the identification of low-rate, small-volume, and highly covert sniffing flows and provides a practical and efficient solution for early threat discovery in SDN.

杨刚, 崔允贺, 陈意, 郭春, 申国伟. HSENet:基于异构语义超图及异构边卷积的SDN嗅探攻击检测方法[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0252966.

YANG Gang, CUI Yunhe, CHEN Yi, GUO Chun. HSENet: An SDN Probing Attack Detection Method Based on Heterogeneous Semantic Hypergraph and Heterogeneous Edge Convolution[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0252966.

参考文献

[1] 徐玉华, 孙知信. 软件定义网络中的异常流量检测研究进展[J]. 软件学报, 2020, 31(1): 183-207. XU Y, SUN Z. Research Development of Abnormal Traffic Detection in Software Defined Networking[J]. Journal of Software, 2020, 31(1): 183-207.
[2] 柳林, 周建涛. 软件定义网络控制平面的研究综述[J]. 计算机科学, 2017, 44(2): 75-81. LIU L, ZHOU J. Review for Research of Control Plane in Software-defined Network[J]. Computer Science, 2017, 44(2): 75-81.
[3] MALEH Y, QASMAOUI Y, EL GHOLAMI K, et al. A comprehensive survey on SDN security: threats, mitigations, and future directions[J]. Journal of Reliable Intelligent Environments, 2023, 9(2): 201-239.
[4] SHIRMARZ A, GHAFFARI A. Performance issues and solutions in SDN-based data center: a survey[J]. The Journal of Supercomputing, 2020, 76(10): 7545-7593.
[5] MARIN E, BUCCIOL N, CONTI M. An in-depth look into SDN topology discovery mechanisms: novel attacks and practical countermeasures[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2019: 1101-1114.
[6] WAZIRALI R, AHMAD R, ALHIYARI S. SDN-openflow topology discovery: an overview of performance issues[J]. Applied Sciences, 2021, 11(15): 6999.
[7] 徐建峰, 王利明, 徐震. 软件定义网络中资源消耗型攻击及防御综述[J]. 信息安全学报, 2020, 5(04): 72-95. XU J, WANG L, XU Z. Survey on Resource Consumption Attacks and Defenses in Software-Defined Networking[J]. Cyber Security, 2020, 5(04): 72-95.
[8] CUI Y, QIAN Q, GUO C, et al. Towards DDoS detection mechanisms in software-defined networking[J]. Journal of Network and Computer Applications, 2021, 190: 103156.
[9] JI Z, CUI Y, GUO Y, et al. Towards saturation attack detection in SDN: a multi-edge representation learning-based method[J]. Journal of King Saud University - Computer and Information Sciences, 2025, 37(6): 138.
[10] SHEN Y, WU C, KONG D, et al. Flow table saturation attack against dynamic timeout mechanisms in SDN[J]. Applied Sciences, 2023, 13(12): 7210.
[11] ANTIKAINEN M, AURA T, SÄRELÄ M. Spook in your network: Attacking an SDN with a compromised OpenFlow switch[C]//Proceedings of Nordic Conference on Secure IT Systems. Berlin, Germany: Springer, 2014: 229-244.
[12] SWEETEN J, ELSHAZLY A, TAKIDDIN A, et al. Cyber-physical fusion for GNN-based attack detection in smart power grids[J]. IEEE Open Access Journal of Power and Energy, 2025, 12: 515-528.
[13] DENG A, HOOI B. Graph neural network-based anomaly detection in multivariate time series[C]//Proceedings of the AAAI Conference on Artificial Intelligence, 2021, 35(5): 4027-4035.
[14] ZHENG J, LI D. GCN-TC: Combining trace graph with statistical features for network traffic classification[C]//Proceedings of 2019 IEEE International Conference on Communications (ICC). Shanghai, China: IEEE, 2019: 1-6.
[15] NAGARAJ K, STARKE A, MCNAIR J. GLASS: A graph learning approach for software defined network based smart grid DDoS security[C]//Proceedings of 2021 IEEE International Conference on Communications (ICC). Montreal, Canada: IEEE, 2021: 1-6.
[16] CAO Y, JIANG H, DENG Y, et al. Detecting and mitigating DDoS attacks in SDN using spatial-temporal graph convolutional network[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 19(6): 3855-3872.
[17] WANG K, CUI Y, QIAN Q, et al. USAGE: Uncertain flow graph and spatio-temporal graph convolutional network-based saturation attack detection method[J]. Journal of Network and Computer Applications, 2023, 219: 103722.
[18] SHOAIB F, CHOW Y W, VLAHU-GJORGIEVSKA E, et al. Mitigating timing side-channel attacks in software-defined networks: detection and response[J]. Telecom, 2023, 4(4): 877-900.
[19] ALMAZYAD A, HALMAN L, ALSAEED A. Probe attack detection using an improved intrusion detection system[J]. Computers, Materials & Continua, 2023, 74(3).
[20] Yang Z, Ma Z, Zhao W, et al. HRNN: hypergraph recurrent neural network for network intrusion detection[J]. Journal of Grid Computing, 2024, 22(2): 52.
[21] Feng J, Zhang Y, Piao X, et al. Traffic Anomaly Detection based on Spatio-Temporal Hypergraph Convolution Neural Networks[J]. Physica A: Statistical Mechanics and its Applications, 2024, 646: 129891.
[22] Li J, Zhao B, Zhao G, et al. Hypergraph convolution networks for botnet detection[J]. Knowledge-Based Systems, 2025: 113802.
[23] Song Q, Chen T, Zhu T, et al. APT Detection via Hypergraph Attention Network with Community-Based Behavioral Mining[J]. Applied Sciences, 2025, 15(11): 5872.
[24] Ji Z, Cui Y, Guo Y, et al. Towards saturation attack detection in SDN: a multi-edge representation learning-based method[J]. Journal of King Saud University Computer and Information Sciences, 2025, 37(6): 138.
[25] Tang D, Zuo C, Li X, et al. Low-rate Flow Table Overflow Attack Defense System Based on Two-level Threshold in Software-Defined Networks[J]. Expert Systems with Applications, 2025: 128685.
[26] Tang D, Li X, Tan P, et al. DOE-DTL: A ML-Utilized System Combined With PDP for Detection and Mitigation of DLDoS Attack[J]. IEEE Transactions on Networking, 2025.
[27] OPEN NETWORKING FOUNDATION. OpenFlow switch specification[EB]. [2012-06]. http://www.cs.yale.edu/homes/yuminlan/teach/csci599fall12/papers/openflow-spec-v1.3.0.pdf.
[28] TANG D, WANG S, LIU B, et al. GASF-IPP: Detection and mitigation of LDoS attack in SDN[J]. IEEE Transactions on Services Computing, 2023, 16(5): 3373-3384.
[29] TANG D, YAN Y, ZHANG S, et al. Performance and features: Mitigating the low-rate TCP-targeted DoS attack via SDN[J]. IEEE Journal on Selected Areas in Communications, 2021, 40(1): 428-444.
[30] CHEN Z, YEO C K, LEE B S, et al. Power spectrum entropy based detection and mitigation of low-rate DoS attacks[J]. Computer Networks, 2018, 136: 80-94.
[31] LEI G, JI L, JI R, et al. Extracting low-rate DDoS attack characteristics: The case of multipath TCP-based communication networks[J]. Wireless Communications and Mobile Computing, 2021, 2021(1): 2264187.
[32] BigFlows[EB/OL]. [2023]. http://tcpreplay.appneta.com/wiki/captures.html#bigflows-pcap.
[33] Data set for IMC 2010 data center measurement[EB/OL]. [2023]. http://pages.cs.wisc.edu/tbenson/IMC10 Data.html.
[34] CAO J, XU M, LI Q, et al. The LOFT attack: Overflowing SDN flow tables at a low rate[J]. IEEE/ACM Transactions on Networking, 2022, 31(3): 1416-1431.
[35] Najar A A, Naik S M. Cyber-secure SDN: A CNN-based approach for efficient detection and mitigation of DDoS attacks[J]. Computers & Security, 2024, 139: 103716.
[36] Lin Z Z, Pike T D, Bailey M M, et al. A hypergraph-based machine learning ensemble network intrusion detection system[J]. IEEE transactions on systems, man, and cybernetics: systems, 2024, 54(11): 6911-6923.
[37] Tran D H, Park M. FN-GNN: A novel graph embedding approach for enhancing graph neural networks in network intrusion detection systems[J]. Applied Sciences, 2024, 14(16): 6932.
[38] Deng X, Zhu J, Pei X, et al. Flow topology-based graph convolutional network for intrusion detection in label-limited IoT networks[J]. IEEE Transactions on Network and Service Management, 2022, 20(1): 684-696.

选择文件类型/文献管理软件名称

选择包含的内容