Presenting a method for detecting and mitigating denial-of-service attacks in the Internet of Things through software-defined networks
Subject areas: Electrical and Computer Engineering
Fatemeh Motie Shirazi 1, Seyed Akbar Mostafavi 2 *
1 - Yazd University
2 - Yazd University
Keywords: software-defined networks, Internet of Things, distributed denial-of-service attack, entropy
Abstract:
The Internet of Things (IoT) is constantly subjected to numerous attacks because of technical, legal, and human problems. One of the most important of these is the denial-of-service (DoS) attack, in which normal network services become unavailable and things and users can no longer reach the server and other resources. Existing security solutions have not been able to effectively prevent service-interruption attacks on the IoT. The programmability and network management offered by software-defined networking (SDN) can be applied in the IoT architecture. If deployed properly in the data center, SDN can help mitigate or prevent the data floods originating from the IoT. This paper presents an SDN-based approach for detecting and mitigating distributed DoS (DDoS) attacks in the IoT. The proposed method is based on the entropy metric, flow initiation, and the study of flow characteristics. Using two new components on the controller, together with a time window and the computation of entropy and flow rate, the method detects an attack in the network. Evaluations show that this method identifies attacks with high accuracy and mitigates their effects.
The Internet of Things (IoT) is a network in which objects can communicate with other objects. The IoT is constantly under numerous attacks due to technical, legal, and human problems. One of the most important of these attacks is the denial-of-service (DoS) attack, in which normal network services are taken out of service and objects and users can no longer access the server and other resources. Existing security solutions have not been able to effectively prevent service-interruption attacks on IoT services. Software-defined networking (SDN) is a new network architecture based on separating the network's control plane from its data plane. The programmability and network management capability of SDN can be used in IoT services because some IoT devices send data periodically, at fixed time intervals. If properly deployed in the data center, SDN can help reduce or prevent the data flood caused by the IoT. This article presents an SDN-based method for detecting DDoS attacks in the IoT, followed by an algorithm for mitigating them. The proposed method is based on entropy, one of the most important concepts in information theory, which is calculated from the characteristics of the flow. In this method, two new components on the controller receive incoming packets; by considering a time window and calculating entropy and flow rate, a possible attack is detected in the network, and the certainty of the attack is then determined from the flow statistics received from the switches. Compared to the existing methods, the proposed method has improved 12% in terms of attack detection time and 26% in terms of false positives/negatives.
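The first detection stage described in the abstract (entropy and flow rate per time window) can be sketched as follows; this is an added illustration, not the authors' implementation. The abstract gives no window length, thresholds, or choice of flow attribute, so the use of destination IP, the 1-second window, both thresholds, and the sample events are assumptions constructed for this example.

```python
import math
from collections import Counter

WINDOW_SECONDS = 1.0      # assumed window length
ENTROPY_THRESHOLD = 0.5   # assumed: normalized entropy below this is suspicious
RATE_THRESHOLD = 20.0     # assumed: new flows per second above this is suspicious


def normalized_entropy(values):
    """Shannon entropy of the value distribution, scaled to [0, 1]."""
    counts = Counter(values)
    total = sum(counts.values())
    if len(counts) <= 1:
        return 0.0  # zero or one distinct value carries no uncertainty
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))


def detect(events, window=WINDOW_SECONDS):
    """events: (timestamp, dst_ip) records of new flows seen by the controller.
    Returns one (window_start, entropy, rate, suspected) tuple per window."""
    buckets = {}
    for ts, dst in events:
        buckets.setdefault(int(ts // window), []).append(dst)
    results = []
    for idx in sorted(buckets):
        dsts = buckets[idx]
        ent = normalized_entropy(dsts)
        rate = len(dsts) / window
        # Both conditions must hold: traffic concentrated on few targets
        # AND an abnormal rate of new flows.
        suspected = ent < ENTROPY_THRESHOLD and rate > RATE_THRESHOLD
        results.append((idx * window, round(ent, 3), rate, suspected))
    return results


def sample_events():
    """Constructed sample: normal traffic, a periodic IoT burst, then a flood."""
    hosts = [f"10.0.0.{i}" for i in range(1, 9)]
    normal = [(0.0 + i * 0.1, hosts[i % 5]) for i in range(10)]
    burst = [(1.0 + i * 0.02, hosts[i % 8]) for i in range(40)]
    flood = [(2.0 + i * 0.01, "10.0.0.1" if i % 25 else hosts[1 + i // 25])
             for i in range(100)]
    return normal + burst + flood


if __name__ == "__main__":
    for row in detect(sample_events()):
        print(row)
```

The middle window shows why the two measures are combined: a periodic reporting burst raises the flow rate but keeps entropy high, so it is not flagged.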