Graduate student: 涂軒豪
Graduate student (English): Hsuan-Hao Tu
Thesis title (Chinese): 基於P4交換機與入侵檢測系統之泛洪攻擊偵防機制
Thesis title (English): Flooding Attack Detection and Defense Mechanism Based on P4 Switches and Intrusion Detection System
Advisor: 周立德
Advisor (English): Li-Der Chou
Degree: Master's
Institution: National Central University
Department: Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Year published: 2020
Academic year of graduation: 108
Language: Chinese
Pages: 110
Keywords (Chinese): 軟體定義網路; 入侵檢測系統; Programming Protocol-independent Packet Processors; 分散式阻斷服務攻擊; 分散式反射阻斷服務攻擊
Keywords (English): Software defined network; intrusion detection system; Programming Protocol-independent Packet Processors; Distributed Denial of Service; Distributed Reflected Denial of Service
Statistics:
  • Cited by: 0
  • Views: 57
  • Downloads: 0
  • Saved to My Research Room reading lists: 0
Abstract (translated from the Chinese): In recent years, new network architectures have flourished, and thinking on defending against network attacks has evolved just as quickly. Among these developments, Software Defined Networking (SDN) was proposed: it separates the control plane from the switch hardware so that the control plane's behaviour is defined in software and managed centrally. As SDN matured, Programming Protocol-independent Packet Processors (P4) was proposed. Unlike the original SDN, which made only the control plane programmable, P4 makes the data plane programmable as well, so SDN network administrators are no longer limited to writing programs against the packet fields exposed by the switch chip vendor; in a P4 network the administrator decides how packets are processed and forwarded, realising a truly software-defined network. Separately, Intrusion Detection System (IDS) technology was proposed. An IDS captures packets according to rules defined from the signatures of network attacks; every packet must be matched against the IDS rules, and the IDS raises an Alert for packets that match a rule's signature and records it as a human-readable log for later analysis by the network administrator.
The system proposed in this thesis is a detection and defence mechanism against Distributed Denial of Service (DDoS) and Distributed Reflection Denial of Service (DRDoS) flooding attacks, built around the proposed Intrusion Statistics-based Hybrid Threshold AlgoRithm (ISHTAR). The IDS matches every packet against its rules, and the information from packets that match a signature is assembled into intrusion statistics; ISHTAR uses these statistics to compute whether the current time interval is under malicious attack. If it is, the protocol-independence of P4 is used to deploy a custom-protocol-based defence on the P4 switch, so that malicious packets are dropped while legitimate packets continue to communicate normally, thereby achieving a detection and defence mechanism against malicious attacks.
Abstract (English, as given): In recent years, new network architectures have been booming, and thinking on defending against cyber attacks has evolved with them. Among these, Software Defined Networking (SDN) was proposed to separate the control layer from the switch hardware, manage the control layer centrally, and define its behaviour in software. As SDN technology matured, Programming Protocol-independent Packet Processors (P4) was proposed. Unlike the original SDN, in which only the control layer is programmable, P4 also makes the data layer programmable, so SDN network managers are no longer restricted by the switch manufacturer: in a P4 network the administrator decides how packets are processed and forwarded, achieving a truly software-defined network. Intrusion Detection System (IDS) technology has also been proposed. An IDS defines its packet-capture rules from the characteristics of network attacks; every packet is matched against the IDS rules, and the IDS raises an alert for packets that match and records it in a readable log for the network administrator's later analysis.
The system proposed in this thesis is a detection and defense mechanism for Distributed Denial of Service (DDoS) and Distributed Reflection Denial of Service (DRDoS) flood attacks, and the Intrusion Statistics-based Hybrid Threshold AlgoRithm (ISHTAR) is proposed for it. The IDS matches every packet against its rules, and the information from matching packets is assembled into intrusion data. ISHTAR uses the intrusion data to calculate whether the current time period is under malicious attack. If it is, the protocol-independency feature of P4 is used to deploy a custom-protocol-based defense on the P4 switch, so that malicious packets are discarded while legitimate packets keep communicating normally, thereby achieving a malicious attack detection and prevention mechanism.
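The abstract describes a pipeline in which IDS alerts are aggregated into per-interval intrusion statistics, a hybrid threshold decides whether the interval is under attack, and a drop rule is then pushed to the P4 switch. The Python below is an added illustration of that pipeline and is not code from the thesis: the alert-line format, the sample alerts, the threshold rule (a fixed ceiling OR an adaptive baseline of mean + k·stdev over earlier quiet windows, used here as a stand-in for ISHTAR, whose actual formula the page does not give), and the P4Runtime-style table and field names are all assumptions made for the example.

```python
"""Illustrative alert-window threshold detector (assumption: a stand-in for ISHTAR).

Pipeline: IDS alert lines -> per-window intrusion statistics -> hybrid
threshold decision -> P4Runtime-style drop rule. The alert format, the
threshold rule and the table/field names are constructed for this example,
not taken from the thesis.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Alert:
    ts: float   # seconds on a constructed clock
    sid: int    # id of the IDS rule that fired
    proto: str
    src: str
    dst: str


def parse_alert(line: str) -> Alert:
    """Parse one line of the constructed 'ts sid proto src dst' alert format."""
    ts, sid, proto, src, dst = line.split()
    return Alert(float(ts), int(sid), proto, src, dst)


def hybrid_threshold(current: int, history, static_max: int, k: float = 3.0) -> bool:
    """Hypothetical hybrid rule (assumption, not the thesis's ISHTAR): alarm when
    the alert count of a window exceeds a fixed ceiling, OR exceeds the adaptive
    baseline mean + k*stdev learned from earlier quiet windows."""
    if current > static_max:
        return True
    if len(history) >= 2:
        return current > mean(history) + k * pstdev(history)
    return False


def build_drop_rule(alert: Alert) -> dict:
    """Dict standing in for a P4Runtime table entry (table and field names are
    assumed). The thesis additionally lets legitimate traffic through via a
    custom header; that allow-path is not modelled here."""
    return {
        "table": "ingress.flood_guard",
        "match": {"hdr.ipv4.dstAddr": alert.dst, "meta.l4_proto": alert.proto},
        "action": "drop",
    }


def detect(lines, window: float = 10.0, static_max: int = 50, k: float = 3.0):
    """Aggregate alerts per (rule id, window); emit one drop rule per window judged
    to be under attack. Quiet windows feed the adaptive baseline; windows with
    no alerts at all never appear in the buckets and are therefore skipped."""
    alerts = [parse_alert(line) for line in lines if line.strip()]
    buckets = defaultdict(list)
    for a in alerts:
        buckets[(a.sid, int(a.ts // window))].append(a)
    per_sid = defaultdict(dict)
    for (sid, w), items in buckets.items():
        per_sid[sid][w] = items
    rules = []
    for sid, windows in per_sid.items():
        history = []
        for w in sorted(windows):
            count = len(windows[w])
            if hybrid_threshold(count, history, static_max, k):
                rules.append(build_drop_rule(windows[w][0]))
            else:
                history.append(count)
    return rules


def sample_alert_lines():
    """Constructed input: four quiet 10 s windows with 2-3 SYN-rule alerts each,
    then a burst of 30 alerts from many different sources in the fifth window."""
    lines = []
    for w in range(4):
        for i in range(2 + (w % 2)):
            lines.append(f"{w * 10 + i} 2000001 TCP 10.0.0.{10 + i} 10.0.0.2")
    for i in range(30):
        lines.append(f"{40 + i * 0.2:.1f} 2000001 TCP 10.0.1.{i + 1} 10.0.0.2")
    return lines


if __name__ == "__main__":
    for rule in detect(sample_alert_lines()):
        print(rule)
```

With the constructed input, the four quiet windows give a baseline of mean 2.5 and standard deviation 0.5, so the adaptive limit is 4.0 alerts per window; the 30-alert burst trips it even though it stays below the fixed ceiling of 50, and exactly one drop rule for the targeted host is produced. The two-sided rule is the point: the fixed ceiling catches a flood before any baseline exists, while the adaptive part catches a flood that is large relative to normal traffic but small in absolute terms.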
Table of Contents
Abstract (Chinese) i
Abstract (English) ii
Acknowledgements iv
Table of Contents v
List of Figures viii
List of Tables xi
Chapter 1 Introduction 1
1.1. Overview 1
1.2. Motivation 2
1.3. Objectives 3
1.4. Thesis Organization 4
Chapter 2 Background and Related Work 5
2.1. Software Defined Networking 5
2.2. P4: Programming Protocol-Independent Packet Processor 7
2.3. Intrusion Detection Systems 8
2.4. Distributed Denial of Service and Distributed Reflection Denial of Service 10
2.5. Comparison of Related Work 13
Chapter 3 System Architecture Design and Mechanism Operation 16
3.1. System Architecture and Design 16
3.1.1. Traffic Monitor Module 18
3.1.2. IDS Rule Implementer Module 19
3.1.3. Alert-Log Generator Module 20
3.1.4. Alert-Log Analyzer Module 21
3.1.5. ISHTAR Module 21
3.1.6. Malice Announcement Module 22
3.1.7. DDoS Notification Module 22
3.1.8. P4Runtime Rule Generator Module 22
3.1.9. In-Crisis Traffic Management Module 23
3.2. System Operation and Mechanisms 24
3.2.1. Notation Table 24
3.2.2. System Operation Flow and Mechanisms 29
3.3. System Implementation and Assumptions 40
Chapter 4 Experiments and Discussion 44
4.1. Verification of the P4 Network Environment and Detection/Defense Mechanism 44
4.1.1. Verification of P4 Switch Routing and Forwarding under the IPv4/IPv6 Dual-Stack Mechanism 44
4.1.2. Operation and Verification of the ISHTAR Algorithm 50
4.1.3. Verification of Connectivity under the In-Crisis Packet Management Module 54
4.2. Verification of DDoS and DRDoS Detection and Defense Mechanisms 57
4.2.1. TCP SYN Flooding Attack and Verification of Its Detection and Defense Mechanism 57
4.2.2. IPv6 RA Flooding Attack and Verification of Its Detection and Defense Mechanism 65
4.2.3. Memcached Flooding Attack and Verification of Its Detection and Defense Mechanism 69
4.2.4. Combined Malicious Attacks and Verification of Their Detection and Defense Mechanism 73
4.3. Evaluation and Analysis of the P4 Network Environment 76
4.3.1. Verification of Detection and Defense against Insider Behavior and Attacks 77
4.3.2. Effect of Custom Header Length on Packet Connectivity 81
Chapter 5 Conclusions and Future Work 84
5.1. Conclusions 84
5.2. Research Limitations 85
5.3. Future Research Directions 86
References 89