DDoS Attacks in SDN x IoT Botnet x Honeypot

12th鐵人賽

阿瑜

團隊300萬 Tesla

2020-09-30 19:36:22

1562 瀏覽

分享至

Survey IoT Botnet

tags: `paper`

1 Analysis of DDoS Attacks in SDN Environments

偵測: 專門針對SDN環境的新型的DDoS攻擊
- 與傳統的DDoS攻擊不同,封包的目的地是隨機選擇的,不是針對一台固定的目標,是針對sdn網路系統
方法: Principal Component Analysis
比較對象: sample entropy
- measure of disorder

觀念: 降維 Dimensionality Reduction
目標: 找出一組最能代表手中主成分(Principle Components)，並以此為基底重新得到數據的成分表徵。新的成分表徵能為數據降維、去關聯並幫助理解數據本質

sflow-rt	miniedit

Reproduce Entropy
{%youtube uLx4WXeZb34 %}

Reproduce PCA
{%youtube Dnq0xlEO3_Q %}

sflow-rt 流量監控

Explanation : PCA

機器學習
- 用PCA達到降維避免維度詛咒
  - 預測能力隨維度(變數)增加而上升,但是樣本數沒有繼續上升的情況下,預測能力到一定程度,預測能力隨維度增加而減少
- 基本假設:
  - 希望資料可以在特徵空間找到一個投影軸(向量)投影後可以得到這組資料的最大變異量

Ref : https://github.com/aswanthpp/Analysis-of-DDoS-Attacks-in-SDN-Environments/blob/master/reports/Final%20Report.pdf
Comparison

sample entropy : entropy < threshold , is stored in a dictionary and if an entry comes more than 5 times , it is assumed as a DDoS attack. '5' depends on the topology,hence a topo smaller in size show ddos attack for normal traffic also.
PCA : taking characteristics of each packet to update the pronciple component axis. Each packet dst value is compared with current principle component axis. During an attack,the PCA is gradually shifted towards the dst value.
Hence,there will be successive decrease in deltaY values,means ddos attack

2 Towards the development of realistic botnet dataset in the Internet of Things for network forensic analytics: Bot-IoT dataset

botnet dataset
downloaded from HERE

Experiment

丟真實流量進mininet
IoT_Dataset_HTTP_DDoS_00001_20180604190104.pcap

from scapy.all import *

myreader = PcapReader('IoT_Dataset_HTTP_DDoS__00001_20180604190104.pcap')

for p in myreader:
    p[IP].dst = '10.0.0.64'
    sendp(p)

Result