NCU Institutional Repository (downloads of theses and dissertations, past exam papers, journal articles, research projects, and more): Item 987654321/89920

    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/89920


    Title: Detection and Mitigation of IoT Attacks Based on Intrusion Detection System in P4 Networks
    Authors: 張晁誌;Chang, Chao-Chih
    Contributors: Department of Computer Science and Information Engineering
    Keywords: Software Defined Networking; Intrusion-Detection System; Programming Protocol-independent Packet Processors; DoS; ARP Spoofing; Dynamic Time Warping
    Date: 2022-08-10
    Issue Date: 2022-10-04 12:04:52 (UTC+8)
    Publisher: National Central University
    Abstract: With the booming of the Internet, the concept of Software Defined Networking (SDN) is widely used in various fields. By separating the control plane and data plane of the traditional network and centralizing the control plane, network administrators can more easily control the overall network. However, with the rapid increase in the number of network devices such as those of the Internet of Things, the overhead on SDN controllers has become heavier and heavier. At the same time, Programming Protocol-independent Packet Processors (P4) was proposed. P4 is a very different concept from SDN: P4 switches can operate the data plane of network transport through P4-specific programs and, by defining new protocols and the like, can achieve many goals that cannot be achieved by SDN alone. Through the combination of the two, network administrators can manage their networks with greater ease and sophistication. An Intrusion Detection System (IDS) is a system that captures network packets and analyzes their behavior to determine whether they are malicious attacks.
    The method proposed in this paper, called Dynamic-time-wArping based Service LEvel Regulating Algorithm (DASLERA), aims to defend against Denial of Service (DoS) attacks and Address Resolution Protocol Spoofing (ARP Spoofing) attacks. Through the integration of an intrusion detection system with the P4 network, the overhead of the SDN controller is reduced, and the service level setting allows network administrators to manage the network more flexibly. DASLERA has 93.6% accuracy in determining malicious attackers while keeping the average CPU usage of the controller below 20%.
    Appears in Collections:[Graduate Institute of Computer Science and Information Engineering] Electronic Thesis & Dissertation
