基於SDN及負載平衡考量之DoS攻擊防禦系統設計

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：27

、訪客IP：18.225.95.87

姓名

陳品睿(Pin-Jui Chen) 查詢紙本館藏

畢業系所

通訊工程學系

論文名稱

基於SDN及負載平衡考量之DoS攻擊防禦系統設計
(Design of SDN based DoS Protection System with Load Balance Consideration)

相關論文

★ 應用MSPP至DWDM都會光纖網路的設計	★ 光網路與WiMAX整合架構研究及其簡化雛型實驗
★ 以Linux系統為基礎之NAT效能優化研究及其實作	★ 光波長劃分多工網路之路徑保護機制研究
★ 標籤交換網路下具有服務品質路由安排之研究	★ 以訊務相關性為基礎的整合性服務可調整QoS排程器之研究
★ 以群體播送支援IPv6環境下移動式網路連結更新之研究	★ 無線區域網路資源動態分配之效能研究
★ 在微觀移動環境下有效資源保留之路徑管理研究	★ 無線網路交握程序之預先認證方法分析與比較
★ 無線區域網路虛擬允入控制之研究	★ IPv6環境下移動網路之連結更新程序及其效能之研究
★ 具有限數量波長轉換節點的分波多工網路之群播波長分配與容量計算研究	★ 階層化行動式IPv6移動錨點選擇機制研究
★ 具高能量移動節點之叢集式感測網路效能研究	★ 預先註冊之快速換手階層化行動式IPv6研究

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

隨著網路發展的迅速演進，資訊的產生也變得更加快速且巨量，舉凡網路安全、雲端儲存及雲端運算等，其共同特徵便是需要處理非常大量的資訊，但舊有的傳統網路架構已逐漸無法滿足現今的網路需求，而如今網路功能虛擬化的應用變得越來越廣泛，傳統網路架構也將面臨來自新興軟體定義網路架構及雲端服務的挑戰。
在現代的網路安全架構中，傳統防火牆已經無法滿足現今複雜網路部署的安全需求。而入侵檢測提供了對內部和外部攻擊的即時保護，其安全防護技術具積極主動之特性，也因此隨著網路結構的越趨複雜化，更顯示出其重要性。而在以入侵檢測為核心的防禦機制當中，基於規則導向的入侵檢測防禦機制能透過抓取網路上往來的封包，對取得的封包進行解封裝，從入侵者的攻擊行為模式及封包特徵來加以分析並比對特徵資料庫，以進行維護網路安全的目的。然而在分析的過程當中，若面臨到會產生巨大流量的攻擊時，由於需要鏡像攻擊的流量以抓取分析封包，因此可能造成產生出雙倍甚至更多的流量至系統當中，進而導致系統負載過高而癱瘓。
而在本研究所提出的系統架構中，透過軟體定義網路架構的網路設定可程式化的特性，以自動產生OpenFlow規則的方式來設定網路安全的配置，在軟體定義的環境下根據網路負載狀況來分配流量的轉發，並搭配開源入侵檢測軟體Snort的監控及分析，以達到維護網路安全效能的目的。

摘要(英)

With the rapid evolution of network development, information producing has become more rapidly and massively. The co-feature of network security, cloud storage and cloud computing is that they all need to deal with very large amounts of information, but nowadays, the traditional network infrastructure has gradually unable to satisfy the needs of today′s network requirements. The applications of network functions virtualization become more widespread now, the traditional network architecture constantly needs to face the challenges coming from emerging software-defined networking (SDN) architecture and cloud services.
In modern network security architecture, traditional firewall cannot fully satisfy the security needs of the complex network deployment. IDS (Intrusion Detection System) provides real-time protection against the internal attacks and external attacks. The security technology of IDS has active properties, therefore, it shows its importance in the increasingly complicated network structure. In the core of defense mechanisms based on intrusion detection, the rules-based intrusion detection and prevention mechanisms can crawl packets pass on the network and de-encapsulate them. Then, the defense mechanism will analyze the aggressive behavior of the invaders and the characteristics of the packets, and compare to the feature library, in order to achieve the purpose of maintaining network security. However, in the process of analyzing traffic, it sometimes needs to face to enormous attack traffic. In the meantime, the need to mirror the attack traffic in order to analysis could result in generating double or even more traffic to the system, and this excessive load may lead to paralyzing of the system.
In the proposed method, SDN architecture is used to generate OpenFlow rules and set network security configuration automatically. By allocating the traffic according to the condition of network load under SDN environment, and with the ability of the open source intrusion detection software, Snort, to monitor and analysis the network, in order to achieve the purpose of maintaining network security.

關鍵字(中)

★ 軟體定義網路（Software-Defined Network, SDN）
★ 負載平衡（Load Balancing）
★ 入侵檢測系統（Intrusion Detection System, IDS）
★ Snort

關鍵字(英)

★ Software-Defined Network
★ SDN
★ Load Balancing
★ Intrusion Detection System
★ IDS
★ Snort

論文目次

摘要 I
Abstract II
致謝 III
目錄 IV
圖目錄 VI
表目錄 VIII
第一章緒論 1
1.1研究動機 1
1.2研究目的 2
1.3研究貢獻 3
1.4章節架構 3
第二章相關研究 4
2.1軟體定義網路與OpenFlow協定 4
2.1.1軟體定義網路Software-Defined Networking (SDN) 4
2.1.2 OpenFlow協定 7
2.2軟體定義架構與網路安全 10
2.3阻斷服務攻擊之類型和差異 11
2.4入侵檢測與網路攻防 13
2.5開源入侵檢測系統Snort 15
2.6負載平衡及相關文獻 17
第三章研究方法 20
3.1軟體定義環境下之網路安全系統 20
3.2規則導向入侵檢測系統 21
3.3規則導向防禦系統搭配負載平衡之方法 21
3.4演算法假設 28
3.5演算法 29
第四章模擬與數學分析 31
4.1模擬架構 31
4.2模擬結果 32
第五章實驗測試 41
5.1實驗環境 41
5.2實驗流程 45
5.3預期結果 46
5.4實驗結果 47
第六章　結論與未來研究 55
6.1結論 55
6.2未來研究 56
參考文獻 57

參考文獻

Open Networking Foundation, “Software-Defined Networking: The New Norm for Networks,” ONF White Paper, April , 2012.
Nunes, B.A.A.; Mendonca, M.; Xuan-Nam Nguyen; Obraczka, K.; Turletti, T., "A Survey of Software-Defined Networking: Past, Present, and Future of Programmable Networks," Communications Surveys & Tutorials, IEEE , vol.16, no.3, pp.1617,1634, Third Quarter 2014.
W. Stallings: "Software-Defined Networks and OpenFlow", in The Internet Protocol Journal, Cisco, vol. 16, no 1, pp. 2-14, March, 2013.
N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, J. Turner, “OpenFlow: Enabling Innovation in Campus Networks,” ACM SIGCOMM Computer Communication Review, vol. 38, pp. 69–74, March 2008.
R. Bifulco and G. Karame, “Towards a richer set of services in software-defined networks,” in Proceedings of the NDSS Workshop on Security of Emerging Technologies (SENT), 2014.
Khondoker, R.; Zaalouk, A.; Marx, R.; Bayarou, K., "Feature-based comparison and selection of Software Defined Networking (SDN) controllers," Computer Applications and Information Systems (WCCAIS), 2014 World Congress on , vol., no., pp.1,7, 17-19 Jan. 2014.
Y. Yu, C. Qian and X. Li "Distributed and collaborative traffic monitoring in software defined networks", Proc. 3rd Workshop Hot Topics Softw. Defined Netw., pp.85-90, 2014.
Giroire, F.; Moulierac, J.; Phan, T.K., "Optimizing rule placement in software-defined networks for energy-aware routing," Global Communications Conference (GLOBECOM), 2014 IEEE , vol., no., pp.2523,2529, 8-12 Dec. 2014.
Software-Defined Networking: The New Norm for Networks, https://www.opennetworking.org/images/stories/downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf，retrieved date：2016/7/2.
Lara, A.; Ramamurthy, B., "OpenSec: A framework for implementing security policies using OpenFlow," Global Communications Conference (GLOBECOM), 2014 IEEE , vol., no., pp.781,786, 8-12 Dec. 2014.
Kampanakis, P.; Perros, H.; Beyene, T., "SDN-based solutions for Moving Target Defense network protection," A World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2014 IEEE 15th International Symposium on , vol., no., pp.1,6, 19-19 June 2014.
Jafar Haadi Jafarian, Ehab Al-Shaer, and Qi Duan, "Openflow random host mutation: transparent moving target defense using software defined networking," In Proceedings of the first workshop on Hot topics in software defined networks (HotSDN ′12), 2012 ACM, pp. 127-132, 13-17 Aug 2012.
Lim, S.; Ha, J.; Kim, H.; Kim, Y.; Yang, S., "A SDN-oriented DDoS blocking scheme for botnet-based attacks," Ubiquitous and Future Networks (ICUFN), 2014 Sixth International Conf on , vol., no., pp.63,68, 8-11 July 2014.
Belyaev, M.; Gaivoronski, S., "Towards load balancing in SDN-networks during DDoS-attacks," Science and Technology Conference (Modern Networking Technologies) (MoNeTeC), 2014 First International , vol., no., pp.1,6, 28-29 Oct. 2014.
Ashraf, J.; Latif, S., "Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques," Software Engineering Conference (NSEC), 2014 National , vol., no., pp.55,60, 11-12 Nov. 2014.
Yannan Hu; Wang Wendong; Gong Xiangyang; Liu, C.H.; Xirong Que; Shiduan Cheng, "Control traffic protection in software-defined networks," Global Communications Conference (GLOBECOM), 2014 IEEE , vol., no., pp.1878,1883, 8-12 Dec. 2014.
Pena, J.G.V.; Yu, W.E., "Development of a distributed firewall using software defined networking technology," Information Science and Technology (ICIST), 2014 4th IEEE International Conference on , vol., no., pp.449,452, 26-28 April 2014.
Y. Yu, C. Qian and X. Li "Distributed and collaborative traffic monitoring in software defined networks", Proc. 3rd Workshop Hot Topics Softw. Defined Netw., pp.85 -90, March 2014.
Namal, S.; Ahmad, I.; Gurtov, A.; Ylianttila, M., "SDN Based Inter-Technology Load Balancing Leveraged by Flow Admission Control," Future Networks and Services (SDN4FNS), 2013 IEEE SDN for , vol., no., pp.1,5, 11-13 Nov. 2013.
C. Gong and K. Sarac, “Toward a Practical Packet Marking Approach for IP Traceback,” International Journal of Network Se-curity (IJNS), vol. 8, no, 3, pp. 271– 281, May 2009.
Yufei Gu; Yangchun Fu; Prakash, A.; Zhiqiang Lin; Heng Yin, "Multi-Aspect, Robust, and Memory Exclusive Guest OS Fingerprinting," Cloud Computing, IEEE Transactions on , vol.2, no.4, pp.380,394, Oct.-Dec. 1 2014.
Osanaiye, O.A., "Short Paper: IP spoofing detection for preventing DDoS attack in Cloud Computing," Intelligence in Next Generation Networks (ICIN), 2015 18th International Conference on , vol., no., pp.139,141, 17-19 Feb. 2015.
Dabbagh, M.; Ghandour, A.J.; Fawaz, K.; Hajj, W.E.; Hajj, H., "Slow port scanning detection," Information Assurance and Security (IAS), 2011 7th International Conference on , vol., no., pp.228,233, 5-8 Dec. 2011.
Soniya, B.; Wiscy, M., "Detection of TCP SYN Scanning Using Packet Counts and Neural Network," Signal Image Technology and Internet Based Systems, 2008. SITIS ′08. IEEE International Conference on , vol., no., pp.646,649, Nov. 30 2008-Dec. 3 2008.
Y. Hu, W. Wendong, G. Xiangyang, C. H. Liu, X. Que and S. Cheng, "Control traffic protection in software-defined networks," Global Communications Conference (GLOBECOM), 2014 IEEE, Austin, TX, 2014, pp. 1878-1883.
M. G. Ionită and V. V. Patriciu, "Biologically inspired risk assessment in cyber security using neural networks," Communications (COMM), 2014 10th International Conference on, Bucharest, 2014, pp. 1-4.
T. Chin, X. Mountrouidou, X. Li and K. Xiong, "An SDN-supported collaborative approach for DDoS flooding detection and containment," Military Communications Conference, MILCOM 2015 - 2015 IEEE, Tampa, FL, 2015, pp. 659-664.
R. Hilden and K. Hätönen, "A Method for Deriving and Testing Malicious Behavior Detection Rules," Trustcom/BigDataSE/ISPA, 2015 IEEE, Helsinki, 2015, pp. 1337-1342.
Peng Xiao, Wenyu Qu, Heng Qi, Yujie Xu and Zhiyang Li, "An efficient elephant flow detection with cost-sensitive in SDN," Industrial Networks and Intelligent Systems (INISCom), 2015 1st International Conference on, Tokyo, 2015, pp. 24-28.
Y. Liu, Q. Liu, P. Liu, J. Tan and L. Guo, "A factor-searching-based multiple string matching algorithm for intrusion detection," Communications (ICC), 2014 IEEE International Conference on, Sydney, NSW, 2014, pp. 653-658.
W. Yu, Guobin Xu, Zhijiang Chen and P. Moulema, "A cloud computing based architecture for cyber security situation awareness," Communications and Network Security (CNS), 2013 IEEE Conference on, National Harbor, MD, 2013, pp. 488-492.
R. Braga, E. Mota and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," Local Computer Networks (LCN), 2010 IEEE 35th Conference on, Denver, CO, 2010, pp. 408-415.
Soniya, B.; Wiscy, M., "Detection of TCP SYN Scanning Using Packet Counts and Neural Network," Signal Image Technology and Internet Based Systems, 2008. SITIS ′08. IEEE International Conference on , vol., no., pp.646,649, Nov. 30 2008-Dec. 3 2008.
S. Gorlatch, T. Humernbrum and F. Glinka, "Improving QoS in real-time internet applications: from best-effort to Software-Defined Networks," Computing, Networking and Communications (ICNC), 2014 International Conference on, Honolulu, HI, 2014, pp. 189-193.
N. Khamphakdee, N. Benjamas and S. Saiyod, "Improving Intrusion Detection System based on Snort rules for network probe attack detection," Information and Communication Technology (ICoICT), 2014 2nd International Conference on, Bandung, 2014, pp. 69-74.
Y. Zhou et al., "A Load Balancing Strategy of SDN Controller Based on Distributed Decision," 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, Beijing, 2014, pp. 851-856.
W. Yong, T. Xiaoling, H. Qian and K. Yuwen, "A dynamic load balancing method of cloud-center based on SDN," in China Communications, vol. 13, no. 2, pp. 130-137, Feb. 2016.
R. Tu, X. Wang, J. Zhao, Y. Yang, L. Shi and T. Wolf, "Design of a load-balancing middlebox based on SDN for data centers," 2015 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Hong Kong, 2015, pp. 480-485.
A. Craig, B. Nandy, I. Lambadaris and P. Ashwood-Smith, "Load balancing for multicast traffic in SDN using real-time link cost modification," 2015 IEEE International Conference on Communications (ICC), London, 2015, pp. 5789-5795.
W. K. Hsieh, W. H. Hsieh, J. L. Chen, F. Y. Chou and Y. S. Lee, "Load balancing virtual machines deployment mechanism in SDN open cloud platform," 2015 17th International Conference on Advanced Communication Technology (ICACT), Seoul, 2015, pp. 329-335.
R. Yasunaga, Y. Nakayama, T. Mochida, Y. Kimura, T. Yoshida and K. i. Suzuki, "Optimal load balancing method for symmetrically routed hybrid SDN networks," 2015 21st Asia-Pacific Conference on Communications (APCC), Kyoto, 2015, pp. 234-238.
M. Belyaev and S. Gaivoronski, "Towards load balancing in SDN-networks during DDoS-attacks," Science and Technology Conference (Modern Networking Technologies) (MoNeTeC), 2014 International, Moscow, 2014, pp. 1-6.
Z. Trabelsi and S. Zeidan, "IDS performance enhancement technique based on dynamic traffic awareness histograms," Communications (ICC), 2014 IEEE International Conference on, Sydney, NSW, 2014, pp. 975-980.
J. Ashraf and S. Latif, "Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques," Software Engineering Conference (NSEC), 2014 National, Rawalpindi, 2014, pp. 55-60.
A. Kalliola, K. Lee, H. Lee and T. Aura, "Flooding DDoS mitigation and traffic management with software defined networking," Cloud Networking (CloudNet), 2015 IEEE 4th International Conference on, Niagara Falls, ON, 2015, pp. 248-254.
H. Wang, L. Xu and G. Gu, "FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks," Dependable Systems and Networks (DSN), 2015 45th Annual IEEE/IFIP International Conference on, Rio de Janeiro, 2015, pp. 239-250.
R. Munir, M. R. Mufti, I. Awan, Y. F. Hu and J. P. Disso, "Detection, Mitigation and Quantitative Security Risk Assessment of Invisible Attacks at Enterprise Network," Future Internet of Things and Cloud (FiCloud), 2015 3rd International Conference on, Rome, 2015, pp. 256-263.
R. Tu, X. Wang, J. Zhao, Y. Yang, L. Shi and T. Wolf, "Design of a load-balancing middlebox based on SDN for data centers," Computer Communications Workshops (INFOCOM WKSHPS), 2015 IEEE Conference on, Hong Kong, 2015, pp. 480-485.
Lei Zhang, Guochu Shou, Yihong Hu and Zhigang Guo, "Deployment of Intrusion Prevention System based on Software Defined Networking," Communication Technology (ICCT), 2013 15th IEEE International Conference on, Guilin, 2013, pp. 26-31.
N. Jongsawat and J. Decharoenchitpong, "Creating behavior-based rules for snort based on Bayesian network learning algorithms," Science and Technology (TICST), 2015 International Conference on, Pathum Thani, 2015, pp. 267-270.
https://en.wikipedia.org/wiki/Fat_tree，retrieved date：2016/7/2.

指導教授

陳彥文(Yen-Wen Chen)

審核日期

2016-8-10

推文