Defense mechanism of SDN application layer against DDoS attack based on API call management
Due to the lack of strict access control, identity authentication and abnormal call detection, attackers may easily develop malicious applications, which leads to abuse of the northbound interface API (application programming interface). There are mainly two patterns of DDoS (distr...
Main Authors: | Yang WANG, Guangming TANG, Shuo WANG, Jiang CHU |
---|---|
Format: | Article |
Language: | English |
Published: | POSTS&TELECOM PRESS Co., LTD, 2022-04-01 |
Series: | 网络与信息安全学报 |
Subjects: | DDoS; network security; SDN; northbound interface |
Online Access: | http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2022017 |
_version_ | 1841529836859817984 |
---|---|
author | Yang WANG Guangming TANG Shuo WANG Jiang CHU |
collection | DOAJ |
description | Due to the lack of strict access control, identity authentication and abnormal call detection, attackers may easily develop malicious applications, which leads to abuse of the northbound interface API (application programming interface). There are mainly two patterns of DDoS (distributed denial-of-service) attacks against the application layer: 1) a malicious App bypasses the security review of the northbound interface and makes a large number of calls to some API in a short time, thus causing the controller to crash and paralyzing the whole network; 2) attackers take a legitimate SDN (software defined network) application as the target and make a large number of short-time calls to the specific API needed by the application, which makes the legitimate App unable to call the API normally. Compared with the first pattern, the second one is more subtle. Therefore, it’s necessary to distinguish whether the App is malicious or not, effectively clean the App running on the attacked controller, and redistribute the controller to the legitimate App. Based on the in-depth analysis of the development trend of the current northbound interface, the possible DDoS attack patterns were simulated and practiced. Then a DDoS defense mechanism for the SDN application layer was proposed. This mechanism added an App management layer between the SDN application layer and the control layer. Through reputation management, initial review, mapping allocation, anomaly detection and identification migration of the App, the malicious App attack on SDN can be predicted and resisted. The proposal focused on pre-examination of malicious Apps before attacks occur, so as to avoid attacks. If the attack has already happened, the operation of cleaning and separating the legitimate App from the malicious App is triggered. Theoretical and experimental results show that the proposed mechanism can effectively avoid DDoS attacks in the SDN application layer, and the algorithm runs efficiently. |
format | Article |
id | doaj-art-e411f40fa46d460393906ed541289076 |
institution | Kabale University |
issn | 2096-109X |
language | English |
publishDate | 2022-04-01 |
publisher | POSTS&TELECOM PRESS Co., LTD |
record_format | Article |
series | 网络与信息安全学报 |
title | Defense mechanism of SDN application layer against DDoS attack based on API call management |
topic | DDoS network security SDN northbound interface |
url | http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2022017 |