ارائه الگوریتمی مبتنی بر فاصله هلینگر برای تشخیص و کاهش اثر حملات منع خدمت توزیع شده در شبکه‏ های نرم افزار محور

نویسندگان

1 شهید ستاری تهران

2 آزاد-واحد علوم تحقیقات

3 استادیار، دانشگاه آزاد اسلامی، واحد علوم و تحقیقات تهران، گروه کامپیوتر، تهران

چکیده

شبکه ‏های نرم‌افزار محور برای ایجاد تغییر در معماری شبکه‏های سنتی با عملکرد اختصاصی جهت رسیدن به شبکه‏های هوشمند به وجود آمده‏اند. اخیراً این نوع شبکه‌ها، به‌دلیل انعطاف‌پذیری در مدیریت سرویس‌های شبکه و کاهش هزینه‌های عملیاتی در بین سازمان‌ها محبوبیت خاصی پیدا کرده‌اند. در معماری این شبکه‌ها، سیستم عامل و برنامه‌های کاربردی از سطح سوئیچ‌های شبکه جدا شده و در یک لایه مجازی تحت عنوان کنترل‌کننده، متمرکز شده است. این معماری به‌دلیل تصمیم‌گیری متمرکز و محدودیت منابع کنترل‌کننده در معرض انواع تهدیدات ازجمله حملات منع خدمت توزیع‌شده قرار دارد. ما در این مقاله، معماری شبکه‌های نرم‌افزار محور و حملات منع خدمت توزیع‌شده در این معماری را بررسی کرده و با بهره‏گیری از امکانات منحصربه‌فرد کنترل‌کننده، الگوریتم جدیدی برای تشخیص و کاهش اثر این حملات ارائه داده‏ایم. ما در این الگوریتم پیشنهادی از رابطه آماری فاصله هلینگر و روش تطبیق متحرک میانگین وزنی به منظور شناسایی حملات منع خدمت توزیع‌شده در شبکه‏های نرم‌افزار محور استفاده کرده‌ایم. در این مقاله، حملات منع خدمت توزیع‌شده در شبکه نرم‌افزارمحور توسط مقلد مینی‌نت به همراه کنترل‌کننده Pox شبیه‌سازی شده است. آزمایش‌ها و ارزیابی‌های انجام‌شده در این محیط، کارآیی الگوریتم پیشنهادی و برتری آن نسبت به روش‌های قبلی را نشان می‌دهند.

کلیدواژه‌ها


N.McKeown, T.Anderson, H.Balakrishnan, G.Parulkar, L.Peterson, J.Rexford and J.Turner, "OpenFlow: enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol.38, no.2, pp.69-74, 2008.
ONF Market Education Committee, "Software-defined networking: The new norm for networks," ONF White Paper, 2012.
S.Luo, J.Wu, J.Li and B.Pei, "A Defense Mechanism for Distributed Denial of Service Attack in Software-Defined Networks," In 2015 Ninth International Conference on Frontier of Computer Science and Technology, IEEE, pp. 325-329, August, 2015.
D.Kreutz, F.M.Ramos, P.E.Verissimo, C.E.Rothenberg, S.Azodolmolky and S.Uhlig, "Software-defined networking: A comprehensive survey," Proceedings of the IEEE, vol.103, no.1, pp.14-76, 2015.
M.Pham, D.B.Hoang, "SDN applications-The intent-based Northbound Interface realisation for extended applications," In NetSoft Conference and Workshops (NetSoft), 2016 IEEE, pp. 372-377, June, 2016.
N.N.Dao, J.Park, M. Park and S.Cho, "A feasible method to combat against DDoS attack in SDN network," In 2015 International Conference on Information Networking (ICOIN), IEEE, pp. 309-311, January, 2015.
H.T.N.Tri, K. Kim, "Assessing the impact of resource attack in Software Defined Network," In 2015 International Conference on Information Networking (ICOIN), IEEE, pp.420-425, January, 2015.
S.M.Mousavi, M.St-Hilaire, "Early detection of DDoS attacks against SDN controllers," In Computing, Networking and Communications (ICNC), 2015 International Conference on IEEE, pp. 77-81, February, 2015.
M.Hamedi, M.R.Shamani, M.J.Shamani, "Optimize the ant colony algorithm to track DoS attacks," Journal of Electronical & Cyber Defence, vol. 1, no. 4, pp.77-86, 2012. (in Persian)
M. Fathian, M.Abdollahi Azgomi, H. Dehghani, "Modeling Browsing Behavior Analysis for Malicious Robot Detection in Distributed Denial of Service Attacks," Journal Of Electronical & Cyber Defence, vol. 4, no. 2, pp.1-13, 2016. (in Persian)
M.Abassi, S.A.Hosseini, S.A.Vaezie, "Effective defense mechanism based a fair queue weighted against flood denial of service attacks in SIP networks," In 16th National Innovation Conference Computer Engineering and Information Technology, 2012. (in Persian)
A.Salarvand, "Software defiend networks," In 1th symposium computer networks, Iran, Qom unit Sama Vocational School, 2012. (in Persian)
E.Haleplidis, K.Pentikousis, S.Denazis, J.H.Salim, D.Meyer, O.Koufopavlou, "Software-defined networking (sdn): Layers and architecture terminology," No. RFC 7426, 2015.
C.B.L.Contreras, D.Lopez, "Cooperating layered architecture for SDN," Draft-contrerassdnrg-layered-sdn-01 (work in progress), 2014.
S.Shin, P.A.Porras, V.Yegneswaran, M.W.Fong, G.Gu and M.Tyson, "FRESCO: Modular Composable Security Services for Software-Defined Networks," In NDSS, February, 2013.
P.Porras, S.Shin, V.Yegneswaran, M.Fong, M.Tyson, and G.Gu, "A security enforcement kernel for OpenFlow networks," In Proceedings of the first workshop on Hot topics in software defined networks, ACM, pp. 121-126, August, 2012.
B.Wang, Y.Zheng, W.Lou and Y.T.Hou, "DDoS attack protection in the era of cloud computing and software-defined networking," Computer Networks, 81, pp.308-319, 2015.
R. Mohammadifar, A. A. Rezaei, "Protection Against Flooding Attacks In Traditional Networks in Heterogeneous Partnership With Service Provider And Software Define Network (SDN) Controller," Journal of Electronical & Cyber Defence, vol. 4, no. 4, pp.63-78, 2017. (in Persian)
S.Shin, V.Yegneswaran, P.Porras and G.Gu, "AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks," In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security ACM, pp. 413-424 , November, 2013.
R.Kandoi, M.Antikainen, "Denial-of-service attacks in OpenFlow SDN networks," In 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), IEEE, pp. 1322-1326, May, 2015.
M.Suh, S.H.Park, B.Lee and S.Yang, "Building firewall over the software-defined network controller," In 16th International Conference on Advanced Communication Technology, IEEE, pp. 744-748, February, 2014.
Y.L.Hu, W.B.Su, L.Y.Wu, Y.Huang and S.Y.Kuo, "Design of event-based intrusion detection system on OpenFlow network," In 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), IEEE, pp. 1-2, June, 2013.
R.Braga, E.Mota, A.Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," In Local Computer Networks (LCN), 2010 IEEE 35th Conference on IEEE, pp. 408-415, October, 2010.
P.Zhang, H.Wang, C.Hu and C.Lin, "On Denial of Service Attacks in Software Defined Networks," IEEE Network, vol.30, no.6, pp.28-33, 2016.
M.Ramadas, S.Ostermann and B.Tjaden, "Detecting anomalous network traffic with self-organizing maps," In International Workshop on Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, pp. 36-54, September, 2003.
L.Le Cam, G.L.Yang, "Asymptotics in statistics: some basic concepts," Springer Science & Business Media, 2012.
E.Hellinger, "Neue Begründung der Theorie quadratischer Formen von unendlichvielen Veränderlichen," Journal für die reine und angewandte Mathematik, vol.136, pp.210-271, 1909.
A.R.Khajoeinezhad, H.R.Dalili and S.R.Chogan, "Study the impacts of INVITE flooding attack in VOIP and offering a new approach to detect attack," Electronics Industries Quarterly, vol. 6, no. 2, pp. 29-37, 2015. (in Persian)
J.Tang, Y.Cheng and C.Zhou, "Sketch-based SIP flooding detection using Hellinger distance," In Global Telecommunications Conference, GLOBECOM 2009, IEEE, pp. 1-6, November, 2009.
J.F.Kurose, K.W.Ross, "Computer networking: a top-down approach," Addison Wesley, 2007.
B.Lantz, B.Heller and N.McKeown, "A network in a laptop: rapid prototyping for software-defined networks," In Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, ACM, p.19, October, 2010.
S.Oshima, T.Nakashima and T.Sueyoshi, "Early DoS/DDoS detection method using short-term statistics," In Complex, Intelligent and Software Intensive Systems (CISIS), International Conference on IEEE, pp. 168-173, February , 2010.