A Study on the Detection Technique of DDoS Attacks on the Software-Defined Networks

A Study on Detection Techniques for Distributed Denial of Service (DDoS) Attacks in Software-Defined Networks

  • Received : 2020.01.30
  • Accepted : 2020.02.25
  • Published : 2020.02.28

Abstract

Network configurations are rapidly shifting to SDN/NFV, which allows network services to be configured easily and freely. Despite the many advantages and applications of SDN, security issues such as Distributed Denial of Service (DDoS) attacks continue to be raised as research issues. In particular, the effects of DDoS attacks appear much faster, and they cause increasingly fatal damage in SDN. In this paper, we propose an entropy-based technique to detect and mitigate DDoS attacks in SDN, and demonstrate it through experiments. The proposed scheme is designed to detect DDoS attacks on single and multiple victim systems and to mitigate them using time-specific techniques. We confirmed that the proposed scheme reduces the packet loss rate by 20(19.86)% while generating 3.21% network congestion.

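Network configurations are currently shifting rapidly to SDN/NFV-based designs that allow network services to be configured easily and freely. Despite the many advantages and applications of SDN, many security problems such as Distributed Denial of Service (DDoS) attacks continue to be raised as research issues. In particular, the effects of a DDoS attack appear much more quickly, and they cause far more fatal damage in SDN than in conventional networks. In this paper, we propose an entropy-based technique to detect and mitigate DDoS attacks in SDN and verify it through experiments. The proposed technique is designed to detect DDoS attacks on a single system and to mitigate them using a time-characteristic technique; experiments confirmed that applying it generates 3.21% network congestion but reduces the packet loss rate by 20(19.86)%.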
