軟體定義網路將傳統的網路功能切割成兩個部分:控制層和資料層，並利用OpenFlow做為之間溝通的協定。軟體定義網路可以集中化管理網路狀態以及網路拓樸，雖然它有種種的好處，但有帶來許多新的威脅。在分散式阻斷服務的攻擊下軟體定義網路的特性就會變成它的攻擊弱點，更甚至造成整個網路架構崩毀。因此，本研究提出一個針對分散式阻斷服務攻擊的完整防禦系統，本系統分為四個模組。首先，我們會先利用packet_in訊息來計算封包的速率以及亂度以偵測是否有異常發生。接下來，我們利用最近鄰居法來判斷flow是否為分散式阻斷服務攻擊。最後，我們可以根據這些以分類的flow來找出攻擊的來源，來進行更進一步的處理。經過實驗後，我們的演算法可以達到99%的準確率，以及我們的系統可以有效的減少CPU的負擔。

Software Defined Network (SDN) decouples control function from traditional data plane and use OpenFlow as the communication protocol between the control plane and data plane. It can centralize the network control to decrease the complexity of network topology. But, this SDN characteristic makes the controller become vulnerable since attackers may launch Distributed Denial of Service (DDoS) attacks against the controller. In this paper, we propose a complete protection system for DDoS attack with four major modules: anomaly detection module, attack detection module, traceback module and attack mitigation module. We use packet_in message query the controller for routing rule to implemented anomaly detection module. Then, we use K-nearest neighbors with correlation features selection (CKNN) to classify whether the flow is an attack flow in attack detection module. Because of the extracting feature from correlation information, the classification efficiency is increased. The accuracy of CKNN using our feature can achieve 99%. Finally, we find the attack path in traceback module and block the attack traffic by attack mitigation module. This system we proposed can effectively reduce the load (CPU) of the controller and switches by quickly find out attack source.

Abstract i
摘要 ii
Contents iii
Table List iv
Figure List v
Chapter 1 Introduction 1
Chapter 2 Related work 4
2.1 The threat caused by DDoS in SDN 4
2.2 Countermeasures 6
2.2.1 Non-machine learning methods 6
2.2.2 Machine learning methods 7
2.3 Summary 12
Chapter 3 System Architecture 14
3.1 Overview of the Architecture 14
3.1.1 KNN with correlation feature selection (CKNN) 16
3.2 System architecture 17
3.2.1 Anomaly detection module 17
3.2.2 Attack detection module 19
3.2.3 Attack traceback module 22
3.2.4 Attack mitigation module 24
Chapter 4 Architecture Evaluation 26
4.1 Evaluation environment 26
4.2 Algorithm Performance Evaluation 29
4.3 Evaluating overall performance 32
4.4 Discussion 34
Chapter 5 Conclusion and Future Work 37
References 40

[1] Angiulli, F., & Fassetti, F. (2007, November). Detecting distance-based outliers in streams of data. In Proceedings of the sixteenth ACM conference on Conference on information and knowledge management (pp. 811-820). ACM.
[2] Borgnat, P., Dewaele, G., Fukuda, K., Abry, P., & Cho, K. (2009, April). Seven years and one day: Sketching the evolution of internet traffic. In INFOCOM 2009, IEEE (pp. 711-719). IEEE.
[3] Braga, R., Mota, E., & Passito, A. (2010, October). Lightweight DDoS flooding attack detection using NOX/OpenFlow. In Local Computer Networks (LCN), 2010 IEEE 35th Conference on (pp. 408-415). IEEE.
[4] Cui, Y., Yan, L., Li, S., Xing, H., Pan, W., Zhu, J., & Zheng, X. (2016). SD-Anti-DDoS: Fast and efficient DDoS defense in software-defined networks. Journal of Network and Computer Applications, 68, 65-79.
[5] D-ITG. 2013. Retrieved from http://www.grid.unina.it/software/ITG/
[6] DARPA 2000 Scenario Specific dataset. Retrieved from http://www.ll.mit.edu/ideval/data/2000/LLS_DDOS_1.0.html
[7] Hall, M. A. (1999). Correlation-based feature selection for machine learning.
[8] Kokila, R. T., Selvi, S. T., & Govindarajan, K. (2014, December). DDoS detection and analysis in SDN-based environment using support vector machine classifier. In Advanced Computing (ICoAC), 2014 Sixth International Conference on (pp. 205-210). IEEE.
[9] McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., et al. (2008). OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 38(2), 69-74.
[10] Mininet. 2013. Retrieved from http://mininet.org/
[11] Ryu. 2012. Retrieved from http://osrg.github.io/ryu/
[12] Shin, S., Yegneswaran, V., Porras, P., & Gu, G. (2013, November). Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (pp. 413-424). ACM.
[13] Wang, H., Xu, L., & Gu, G. (2015, June). Floodguard: A dos attack prevention extension in software-defined networks. In Dependable Systems and Networks (DSN), 2015 45th Annual IEEE/IFIP International Conference on (pp. 239-250). IEEE.
[14] Wang, R., Jia, Z., & Ju, L. (2015, August). An entropy-based distributed DDoS detection mechanism in software-defined networking. In Trustcom/BigDataSE/ISPA, 2015 IEEE (Vol. 1, pp. 310-317). IEEE.
[15] Xiao, P., Qu, W., Qi, H., & Li, Z. (2015). Detecting DDoS attacks against data center with correlation analysis. Computer Communications, 67, 66-74.
[16] Zhang, P., Wang, H., Hu, C., & Lin, C. (2016). On Denial of Service Attacks in Software Defined Networks. IEEE Network, 30(6), 28-33.
[17] Stacheldraht. 2009. Retrieved from https://staff.washington.edu/dittrich/misc/stacheldraht.analysis