保护 SD-IoV 系统免受以控制器为目标的 DDoS 攻击的综合检测和缓解机制

Behaylu Tadele Alemu, Alemu Jorgi Muhammed, Habtamu Molla Belachew, Mulatu Yirga Beyene
{"title":"保护 SD-IoV 系统免受以控制器为目标的 DDoS 攻击的综合检测和缓解机制","authors":"Behaylu Tadele Alemu, Alemu Jorgi Muhammed, Habtamu Molla Belachew, Mulatu Yirga Beyene","doi":"10.1007/s10586-024-04660-8","DOIUrl":null,"url":null,"abstract":"<p>Software-defined networking (SDN) has emerged as a transformative technology that separates the control plane from the data plane, providing advantages such as flexibility, centralized control, and programmability. This innovation proves particularly beneficial for Internet of Vehicles (IoV) networks, which amalgamate the Internet of Things (IoT) and Vehicular Ad Hoc Network (VANET) to implement Intelligent Transportation Systems (ITS). IoV provides a safe and secured vehicular environment by supporting V2V, V2I, V2S, and V2P. By employing an SDN controller, IoV networks can leverage centralized control and enhanced manageability, leading to the emergence of Software-Defined Internet of Vehicles (SD-IoV) as a promising solution for future communications. However, the SD-IoV networks introduces a potential vulnerability in the form of a single point of failure, particularly susceptible to Distributed Denial of Service (DDoS) attacks. This is because of the centralized nature of SDN and the dynamic nature of IoV. In this context, the SDN controller becomes a prime target for attackers who flood it with massive packet-in messages. To address this security concern, we propose an efficient and lightweight attack detection and mitigation scheme within the SDN controller. The scheme includes a detection module that utilizes entropy and flow rate to identify patterns indicative of attack traffic behavior. Additionally, a mitigation module is designed to minimize the effect of attack traffic on the normal operation, this is performed through analysis of payload lengths.The mitigation flow rule is set for specific traffic type if its payload is less than the threshold value to decrease the false positive rate. An adaptive threshold computation for all parameter values enhances the scheme’s effectiveness. We conducted simulations using SUMO, Mininet-WiFi, and Scapy. We evaluated the system performance by using Mininet-wifi SDN simulation tool and Ryu controller for control plane. The system detects DDoS attack traffic within a single window by checking both entropy and flow rate simultaneously. The simulation results demonstrate the efficacy of our proposed scheme in terms of detection time, accuracy, mitigation efficiency, controller load, and link bandwidth consumption, showcasing its superiority compared to existing works in the field.</p>","PeriodicalId":501576,"journal":{"name":"Cluster Computing","volume":"53 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-07-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A comprehensive detection and mitigation mechanism to protect SD-IoV systems against controller-targeted DDoS attacks\",\"authors\":\"Behaylu Tadele Alemu, Alemu Jorgi Muhammed, Habtamu Molla Belachew, Mulatu Yirga Beyene\",\"doi\":\"10.1007/s10586-024-04660-8\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<p>Software-defined networking (SDN) has emerged as a transformative technology that separates the control plane from the data plane, providing advantages such as flexibility, centralized control, and programmability. This innovation proves particularly beneficial for Internet of Vehicles (IoV) networks, which amalgamate the Internet of Things (IoT) and Vehicular Ad Hoc Network (VANET) to implement Intelligent Transportation Systems (ITS). IoV provides a safe and secured vehicular environment by supporting V2V, V2I, V2S, and V2P. By employing an SDN controller, IoV networks can leverage centralized control and enhanced manageability, leading to the emergence of Software-Defined Internet of Vehicles (SD-IoV) as a promising solution for future communications. However, the SD-IoV networks introduces a potential vulnerability in the form of a single point of failure, particularly susceptible to Distributed Denial of Service (DDoS) attacks. This is because of the centralized nature of SDN and the dynamic nature of IoV. In this context, the SDN controller becomes a prime target for attackers who flood it with massive packet-in messages. To address this security concern, we propose an efficient and lightweight attack detection and mitigation scheme within the SDN controller. The scheme includes a detection module that utilizes entropy and flow rate to identify patterns indicative of attack traffic behavior. Additionally, a mitigation module is designed to minimize the effect of attack traffic on the normal operation, this is performed through analysis of payload lengths.The mitigation flow rule is set for specific traffic type if its payload is less than the threshold value to decrease the false positive rate. An adaptive threshold computation for all parameter values enhances the scheme’s effectiveness. We conducted simulations using SUMO, Mininet-WiFi, and Scapy. We evaluated the system performance by using Mininet-wifi SDN simulation tool and Ryu controller for control plane. The system detects DDoS attack traffic within a single window by checking both entropy and flow rate simultaneously. The simulation results demonstrate the efficacy of our proposed scheme in terms of detection time, accuracy, mitigation efficiency, controller load, and link bandwidth consumption, showcasing its superiority compared to existing works in the field.</p>\",\"PeriodicalId\":501576,\"journal\":{\"name\":\"Cluster Computing\",\"volume\":\"53 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-07-19\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Cluster Computing\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1007/s10586-024-04660-8\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Cluster Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1007/s10586-024-04660-8","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

摘要

软件定义网络(SDN)是一种变革性技术,它将控制平面与数据平面分开,具有灵活性、集中控制和可编程性等优势。事实证明,这种创新对车联网(IoV)网络尤其有益,它将物联网(IoT)和车载 Ad Hoc 网络(VANET)融合在一起,以实现智能交通系统(ITS)。IoV 支持 V2V、V2I、V2S 和 V2P,可提供安全可靠的车辆环境。通过采用 SDN 控制器,IoV 网络可以利用集中控制和增强的可管理性,从而使软件定义的车联网(SD-IoV)成为未来通信的一种有前途的解决方案。然而,SD-IoV 网络存在单点故障的潜在漏洞,特别容易受到分布式拒绝服务 (DDoS) 攻击。这是因为 SDN 的集中性和 IoV 的动态性。在这种情况下,SDN 控制器就成了攻击者的主要目标,他们会向控制器发送大量的数据包信息。为了解决这一安全问题,我们在 SDN 控制器中提出了一种高效、轻量级的攻击检测和缓解方案。该方案包括一个检测模块,利用熵和流速来识别表明攻击流量行为的模式。此外,还设计了一个缓解模块,通过分析有效载荷长度将攻击流量对正常运行的影响降至最低。如果有效载荷小于阈值,则为特定流量类型设置缓解流量规则,以降低误报率。对所有参数值进行自适应阈值计算可提高方案的有效性。我们使用 SUMO、Mininet-WiFi 和 Scapy 进行了模拟。我们使用 Mininet-wifi SDN 仿真工具和用于控制平面的 Ryu 控制器评估了系统性能。系统通过同时检查熵和流量,在一个窗口内检测到 DDoS 攻击流量。仿真结果表明,我们提出的方案在检测时间、准确性、缓解效率、控制器负载和链路带宽消耗等方面都很有效,与该领域的现有作品相比更具优势。
本文章由计算机程序翻译,如有差异,请以英文原文为准。

A comprehensive detection and mitigation mechanism to protect SD-IoV systems against controller-targeted DDoS attacks

A comprehensive detection and mitigation mechanism to protect SD-IoV systems against controller-targeted DDoS attacks

Software-defined networking (SDN) has emerged as a transformative technology that separates the control plane from the data plane, providing advantages such as flexibility, centralized control, and programmability. This innovation proves particularly beneficial for Internet of Vehicles (IoV) networks, which amalgamate the Internet of Things (IoT) and Vehicular Ad Hoc Network (VANET) to implement Intelligent Transportation Systems (ITS). IoV provides a safe and secured vehicular environment by supporting V2V, V2I, V2S, and V2P. By employing an SDN controller, IoV networks can leverage centralized control and enhanced manageability, leading to the emergence of Software-Defined Internet of Vehicles (SD-IoV) as a promising solution for future communications. However, the SD-IoV networks introduces a potential vulnerability in the form of a single point of failure, particularly susceptible to Distributed Denial of Service (DDoS) attacks. This is because of the centralized nature of SDN and the dynamic nature of IoV. In this context, the SDN controller becomes a prime target for attackers who flood it with massive packet-in messages. To address this security concern, we propose an efficient and lightweight attack detection and mitigation scheme within the SDN controller. The scheme includes a detection module that utilizes entropy and flow rate to identify patterns indicative of attack traffic behavior. Additionally, a mitigation module is designed to minimize the effect of attack traffic on the normal operation, this is performed through analysis of payload lengths.The mitigation flow rule is set for specific traffic type if its payload is less than the threshold value to decrease the false positive rate. An adaptive threshold computation for all parameter values enhances the scheme’s effectiveness. We conducted simulations using SUMO, Mininet-WiFi, and Scapy. We evaluated the system performance by using Mininet-wifi SDN simulation tool and Ryu controller for control plane. The system detects DDoS attack traffic within a single window by checking both entropy and flow rate simultaneously. The simulation results demonstrate the efficacy of our proposed scheme in terms of detection time, accuracy, mitigation efficiency, controller load, and link bandwidth consumption, showcasing its superiority compared to existing works in the field.

求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信