针对云环境中2类典型的分布式拒绝服务(DDoS)攻击问题,提出一种基于软件定义网络架构的DDoS攻击检测与防御方案——SDCC.SDCC综合使用链路带宽和数据流这2种检测方式,利用基于置信度过滤(CBF)的方法计算数据分组CBF分数,将分数低于阈值的数据分组判断为攻击分组,添加其属性信息至攻击流特征库,并通过控制器下发流表将其拦截.仿真实验表明,SDCC能有效检测并防御不同类型DDoS攻击,具有较高检测效率,降低了控制器计算开销,并保持较低误判率.%For addressing the problem of two typical types of distributed denial of service (DDoS) attacks in cloud envi-ronment, a DDoS attack detection and prevention scheme called SDCC based on software defined network (SDN) archi-tecture was proposed. SDCC used a combination of bandwidth detection and data flow detection, utilized confi-dence-based filtering (CBF) method to calculate the CBF score of packets, judged the packet of CBF score below the threshold as an attacking packet, added its attribute information to the attack flow feature library, and sent the flow table to intercept it through SDN controller. Simulation results show that SDCC can detect and prevent different types of DDoS attacks effectively, and it has high detection efficiency, reduces the controller's computation overhead, and achieves a low false positive rate.
展开▼
