Abstract (English) |
In recent years, new network architectures have been booming and defensive thinking against cyber attacks has also been evolving. Among them, Software Defined Networking (SDN) technology was proposed to separate the control layer from the switch hardware, manage the control layer centrally, and define what it should do in software. As SDN technology matured, Programming Protocol-independent Packet Processors (P4) was proposed. Unlike the original SDN technology, in which only the control layer can be programmed, P4 enables the data layer to be programmed, so that SDN network managers are no longer restricted by the switch manufacturer. In a P4 network environment, the network administrator decides how packets are processed and forwarded, achieving a truly software-defined network. Intrusion Detection System (IDS) technology has also been proposed. An IDS defines rules for capturing packets based on the characteristics of network attacks. Each packet must go through rule comparison in the IDS; the IDS raises an alert for every packet that matches a rule and records it in a readable log so that network administrators can analyse it later.
The system proposed in this paper targets the detection and defense mechanism for Distributed Denial of Service (DDoS) and Distributed Reflection Denial of Service (DRDoS) flood attacks, and proposes the Intrusion Statistics-based Hybrid Threshold AlgoRithm (ISHTAR). The IDS compares each packet against its rules and turns the information of matching packets into intrusion data. ISHTAR uses the intrusion data to calculate whether the current time period is under malicious attack. If it is, the system uses the protocol-independence feature of P4 to build a malicious-attack defense mechanism based on a custom protocol for the P4 switch, so that malicious packets are discarded while legitimate packets keep communicating normally, thereby achieving a malicious attack detection and prevention mechanism. |
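The detection step described above, as an added illustration that is not the thesis's own ISHTAR implementation: IDS alert records (constructed sample data, not real captures) are binned into fixed time periods and each period's alert count is compared with a threshold. The abstract does not define how ISHTAR combines its thresholds, so the "hybrid" rule here is an assumption: a static floor combined with an adaptive bound (mean plus k standard deviations of the preceding benign periods), with flagged periods kept out of the history so a flood cannot raise the bound for later periods.

```python
"""Added example (assumed hybrid rule, not the thesis's code): window-based
attack detection over IDS alert records in the spirit of the abstract."""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample alert records: (timestamp in seconds, matched rule id).
# They stand in for the IDS's intrusion data; 60 s windows 0-2 are benign
# background, window 3 is a flood.
ALERTS = [(t, "udp-flood") for t in range(0, 60, 6)]       # 10 alerts
ALERTS += [(t, "udp-flood") for t in range(60, 120, 2)]    # 30 alerts
ALERTS += [(t, "udp-flood") for t in range(120, 170, 2)]   # 25 alerts
ALERTS += [(t, "udp-flood") for t in range(180, 240)]      # 60 alerts: flood

def count_per_window(alerts, window=60):
    """Bin alert timestamps into fixed-size time periods; returns one count per
    window index in order (windows without alerts count as 0)."""
    counts = Counter(int(t // window) for t, _ in alerts)
    last = max(counts) if counts else -1
    return [counts.get(i, 0) for i in range(last + 1)]

def hybrid_threshold(history, floor=30, k=2.0):
    """Static floor combined with an adaptive bound (mean + k * stdev of the
    benign history). With fewer than two history points only the floor applies."""
    if len(history) < 2:
        return float(floor)
    adaptive = mean(history) + k * pstdev(history)
    return max(float(floor), adaptive)

def detect(alerts, window=60, floor=30, k=2.0):
    """Return (window_index, alert_count, threshold, under_attack) per window.
    Periods judged under attack are excluded from the history so that a flood
    does not inflate the adaptive bound for the periods that follow."""
    history, verdicts = [], []
    for idx, n in enumerate(count_per_window(alerts, window)):
        thr = hybrid_threshold(history, floor, k)
        attack = n > thr
        verdicts.append((idx, n, thr, attack))
        if not attack:
            history.append(n)
    return verdicts

if __name__ == "__main__":
    for idx, n, thr, attack in detect(ALERTS):
        state = "ATTACK -> P4 switch drops matching traffic" if attack else "normal"
        print(f"window {idx}: {n:3d} alerts, threshold {thr:5.1f}, {state}")
```

In window 2 the adaptive bound (40.0) already exceeds the static floor, and window 3 is flagged against a bound of about 38.7 that the flood itself did not raise.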