Thesis record 101522092: details
Author: Yi-Ching Lee (李宜璟)
Department: Computer Science and Information Engineering
Title: SDN-based Mitigation of DoS Attacks for Load Balancing Service (Chinese title: 基於SDN的阻斷式服務攻擊之減緩應用於負載平衡服務)
Related theses
★ A Study of Stable QoS Routing Mechanisms in Wireless Mobile Ad Hoc Networks
★ A Network Management System Using Multiple Mobile Agents
★ A Cooperative Network Defense System Using Mobile Agents
★ A Study of QoS Routing under Uncertain Link-State Information
★ Improving Path Setup Performance in Optical Burst Switching by Traffic Observation
★ A Study of Sensor Networks and Game Theory Applied to Comfort Air Conditioning
★ A Search-Tree-Based Routing Algorithm for Wireless Sensor Networks
★ A Lightweight Mobile Device Positioning System Based on Wireless Sensor Networks
★ A Multimedia Guided Toy Car
★ A Smart Floor-Based Guided Toy Car
★ A Mobile Social Network Service Management System for Families of Children with Developmental Delay
★ A Location-Aware Wearable Mobile Advertising System
★ Adaptive Vehicular Broadcasting
★ A Vehicle Collision Avoidance Mechanism with Early Warning in Vehicular Networks
★ A Cooperative Traffic Information Dissemination Mechanism in Wireless Vehicular Networks to Relieve Congestion
★ Adaptive Virtual Traffic Signals Using Vehicular Networks to Relieve Congestion in Smart Cities
Full text: never to be made available.
Abstract (Chinese) In recent years, with advances in technology, users' demands on network services and their functions have become ever more diverse, but today's network architectures can hardly sustain such heavy requirements. This environment has driven the development of Software-Defined Networking (SDN). SDN is an open network architecture that separates the control plane from the forwarding plane (data plane) and uses the OpenFlow protocol as the communication protocol between the control plane and the forwarding plane. It adopts centralized network management, thereby improving administrators' control over the network, reducing network complexity, and letting them define the network they need. However, this novel architecture carries hidden risks: when subjected to malicious denial-of-service attacks, the services provided by the SDN network can be interrupted and collapse. Therefore, this thesis takes load balancing as the service and proposes a DoS attack mitigation system for SDN networks, in order to improve the availability of the SDN network and ensure that the services it provides keep running normally while under attack.
This thesis protects the SDN network through Active Mitigation and Passive Mitigation. Within the load balancing service it provides a SYN Flooding Attack detection mechanism, and it reduces the load on the Control and Data Plane Interface (CDPI) by installing UDP pre-configured flows with a reverse netmask. Active Mitigation reduces OpenFlow Switch resource consumption by 60.2%; SYN Flooding Attack detection blocks 95.77% of the OpenFlow Switch resource consumption under a TCP SYN Flooding attack; and the proposed Passive Mitigation mechanism, based on a one-class support vector machine, detects on average 98.8% of malicious traffic. These results show that the mechanism effectively prevents SDN network service interruption under attack.
Abstract (English) With the growth of technology, user requirements for network services are becoming more and more diverse. Software-Defined Networking (SDN), an open network architecture, decouples the control functions from traditional network devices and uses OpenFlow as the communication protocol between the control plane and the forwarding plane. It also centralizes network control to reduce the complexity of the network topology. However, security issues remain in this emerging network architecture. These problems will cause SDN services to be interrupted and even to collapse when subjected to malicious DoS attacks. Therefore, this thesis provides a load balancing service with the proposed DoS attack mitigation mechanism in an SDN network. This mitigation can increase the availability of the SDN network and ensure that the service operates normally when under attack.
This thesis contains Active and Passive Mitigation mechanisms for SDN network protection. In addition, two types of load balancing, TCP and UDP, are also included. TCP load balancing provides SYN Flooding Attack detection to lower hardware resource consumption. UDP load balancing uses the reverse netmask method to reduce Control and Data Plane Interface (CDPI) loading. The experimental results show that the proposed Active Mitigation can reduce the consumption of OpenFlow Switch computing power by 60.2%, SYN Flooding attack detection can reduce consumption by 95.77% when TCP SYN Flooding occurs, and Passive Mitigation by One-class Support Vector Machine can detect 98.8% of abnormal traffic. All of these show that the proposed mechanisms can effectively prevent SDN network service interruptions caused by DoS attacks.
Keywords
★ SDN (軟體定義網路)
★ DoS attack (阻斷式服務攻擊)
★ One-Class Support Vector Machine (單一類別支援向量機)
★ Load Balancing (負載平衡)
Table of contents
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1. Overview
1.2. Motivation
1.3. Objectives
1.4. Thesis Organization
Chapter 2 Background and Related Work
2.1. Software-Defined Networking and OpenFlow
2.2. DoS Attack Detection and Mitigation
2.3. One-Class Support Vector Machine
2.4. Load Balancing
2.5. Comparison of Related Work
Chapter 3 Methodology
3.1. System Architecture and Design
3.1.1. Packet Handler Module
3.1.2. Flow Modification Module
3.1.3. OpenFlow Switch Monitor Module
3.1.4. Control Module
3.1.5. Agency Database Module
3.1.6. Active Mitigation Module
3.1.7. Passive Mitigation Module
3.1.8. UDP Pre-configured Flow Module
3.1.9. TCP Dynamic Flow Module
3.2. System Operation Flow and Mechanisms
3.2.1. System Definitions and Assumptions
3.2.2. Notation Table
3.2.3. System Functions and Module Operation Flow
3.2.4. Passive Mitigation and One-Class SVM Attack Mitigation Flow
3.2.5. Active Mitigation Module Operation Flow
3.2.6. UDP Pre-configured Flow Module Operation Flow
3.2.7. TCP Dynamic Flow Module Operation Flow
3.3. System Implementation
Chapter 4 Experiments and Discussion
4.1. Scenario 1: Controlling OpenFlow Switch Utilization
4.1.1. Experiment 1: Flow Table Utilization under SYN Flooding Detection
4.1.2. Experiment 2: Active Mitigation Module Test
4.1.3. Experiment 3: Active Mitigation Performance Evaluation
4.2. Scenario 2: Discussion of the Passive Mitigation Mechanism
4.2.1. Experiment 4: Passive Mitigation Implemented by One-class SVM
4.2.2. Experiment 5: Passive Mitigation versus the SOM Neural Network
4.3. Scenario 3: Discussion of the SDN Load Balancing Service
4.3.1. Experiment 6: TCP Dynamic Flow and Connection Maintenance Mechanism
4.3.2. Experiment 7: UDP Pre-configured Flow and Reverse Netmask Mechanism
Chapter 5 Conclusions and Future Work
5.1. Conclusions
5.2. Limitations
5.3. Future Work
References
Advisor: Li-Der Chou (周立德)
Approval date: 2014-8-21