Journal of Software ISSN 1000-9825, CODEN RUXUEW    E-mail: jos@iscas.ac.cn
2025,36(8):3831−3857 [doi: 10.13328/j.cnki.jos.007249] [CSTR: 32375.14.jos.007249]    http://www.jos.org.cn
© Copyright Institute of Software, Chinese Academy of Sciences.    Tel: +86-10-62562563



Detecting and Defending Mechanism Against DDoS Attacks in Programmable Data Plane*

WU Wen-Hao 1, ZHANG Lei-Lei 1, PAN Heng 1, LI En-Han 1, ZHOU Jian-Er 2, LI Zhen-Yu 1

1 (Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China)
2 (Southern University of Science and Technology, Shenzhen 518055, China)
Corresponding author: PAN Heng, E-mail: panheng@ict.ac.cn

Abstract: Traditional distributed denial-of-service (DDoS) attack detection and defense mechanisms require mirroring and collecting network traffic and analyzing attack features remotely in a centralized manner, which directly incurs extra performance overhead and cannot meet the real-time security protection needs of high-performance networks. With the development of new network devices such as programmable switches, the capabilities of the programmable data plane have been enhanced, providing a basis for implementing high-performance DDoS attack detection directly in the data plane. However, existing DDoS attack detection methods based on the programmable data plane have low accuracy and, constrained by programming restrictions, are difficult to deploy directly in programmable switches (such as Intel Tofino). To address these problems, this paper proposes a programmable-switch-based DDoS attack detection and defense mechanism. First, an attack detection mechanism based on the difference between the entropy of source addresses and that of destination addresses determines whether a DDoS attack is occurring. When a DDoS attack occurs, an attack traffic filtering mechanism based on the difference between source address counts and destination address counts provides real-time defense against the DDoS attack. Experimental results show that the mechanism can effectively detect and defend against multiple kinds of DDoS attacks. Compared with existing work, its accuracy in observation-window-level attack detection improves by 17.75% on average, and its accuracy in packet-level attack traffic filtering improves by 3.7% on average.
Key words: distributed denial-of-service attack; programmable data plane; anomaly detection; P4; network security
CLC number: TP309
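The following Python sketch is an added illustration of the two ideas named in the abstract, window-level detection from the difference between source-address and destination-address entropy, and packet-level filtering from the difference between destination-address and source-address counts. It is not the authors' P4 implementation; the threshold values, the exact filtering rule (drop a packet whose destination-address count exceeds its source-address count by more than a threshold) and the two sample windows are assumptions constructed here, since this page does not give the paper's definitions.

```python
"""Entropy-difference DDoS detection and count-difference filtering over one
observation window of packets. Added illustration: thresholds and the exact
filtering rule are assumptions, not the paper's definitions."""
from collections import Counter
from math import log2
from typing import Dict, List, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP)

# Assumed thresholds (the paper tunes its own; this page does not give them).
ENTROPY_DIFF_THRESHOLD = 2.0  # bits of H(src) - H(dst) that flag a window
COUNT_DIFF_THRESHOLD = 10     # count(dst) - count(src) that marks a packet as attack


def shannon_entropy(counts: Counter) -> float:
    """Shannon entropy (bits) of the address distribution in `counts`."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values())


def window_stats(window: List[Packet]) -> Tuple[Counter, Counter]:
    """Per-window source and destination address counters."""
    src = Counter(s for s, _ in window)
    dst = Counter(d for _, d in window)
    return src, dst


def detect_window(window: List[Packet]) -> Tuple[bool, float]:
    """Window-level detection: many spoofed sources converging on few
    destinations raise H(src) and lower H(dst), so the difference grows."""
    src, dst = window_stats(window)
    diff = shannon_entropy(src) - shannon_entropy(dst)
    return diff > ENTROPY_DIFF_THRESHOLD, diff


def filter_window(window: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Packet-level filtering for a window already flagged as under attack.
    Assumed rule: a packet is attack traffic when its destination is seen far
    more often than its source (a rare source hitting a hot destination)."""
    src, dst = window_stats(window)
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in window:
        s, d = pkt
        if dst[d] - src[s] > COUNT_DIFF_THRESHOLD:
            dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, dropped


def process_window(window: List[Packet]) -> Dict[str, object]:
    """Detection first; filtering only runs when the window is flagged."""
    attacked, diff = detect_window(window)
    if not attacked:
        return {"attack": False, "entropy_diff": diff,
                "forwarded": len(window), "dropped": 0}
    fwd, drop = filter_window(window)
    return {"attack": True, "entropy_diff": diff,
            "forwarded": len(fwd), "dropped": len(drop)}


# Constructed sample windows (not captured traffic).
# Benign: six clients, three packets each, spread over three servers.
BENIGN_WINDOW: List[Packet] = [
    (f"10.0.0.{i}", f"192.0.2.{i % 3}") for i in range(1, 7) for _ in range(3)
]
# Attack: the benign traffic plus forty one-packet sources aimed at one victim.
ATTACK_WINDOW: List[Packet] = BENIGN_WINDOW + [
    (f"203.0.113.{i}", "192.0.2.10") for i in range(1, 41)
]

if __name__ == "__main__":
    for name, win in (("benign", BENIGN_WINDOW), ("attack", ATTACK_WINDOW)):
        print(name, process_window(win))
```

On the constructed windows the benign window has an entropy difference of exactly one bit (six equiprobable sources against three equiprobable destinations) and passes untouched, while the attack window is flagged and the filter forwards all 18 benign packets and drops the 40 flood packets. The thresholds are illustrative: a legitimately popular destination also raises the entropy difference, so in practice both values must be tuned against the traffic actually observed.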

Chinese citation format: Wu Wen-Hao, Zhang Lei-Lei, Pan Heng, Li En-Han, Zhou Jian-Er, Li Zhen-Yu. Detecting and Defending Mechanism Against DDoS Attacks in Programmable Data Plane. Journal of Software, 2025, 36(8): 3831–3857. http://www.jos.org.cn/1000-9825/7249.htm
English citation format: Wu WH, Zhang LL, Pan H, Li EH, Zhou JE, Li ZY. Detecting and Defending Mechanism Against DDoS Attacks in Programmable Data Plane. Ruan Jian Xue Bao/Journal of Software, 2025, 36(8): 3831–3857 (in Chinese). http://www.jos.org.cn/1000-9825/7249.htm

Detecting and Defending Mechanism Against DDoS Attacks in Programmable Data Plane

WU Wen-Hao 1, ZHANG Lei-Lei 1, PAN Heng 1, LI En-Han 1, ZHOU Jian-Er 2, LI Zhen-Yu 1

1 (Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China)
2 (Southern University of Science and Technology, Shenzhen 518055, China)
Abstract: Traditional detection and defense mechanisms for distributed denial-of-service (DDoS) attacks require traffic mirroring, collection, and centralized remote analysis, which introduces extra performance overhead and fails to achieve real-time protection in high-performance networks. With the development of network devices such as programmable switches, the programmable data plane has emerged as a solid foundation for achieving high-performance DDoS attack detection. However, existing detection methods based on the programmable data plane cannot guarantee accuracy and are difficult to deploy directly in programmable switches (such as Intel Tofino) due to programming constraints. To this end, this paper proposes a programmable switch-based mechanism for detecting and defending against DDoS attacks. First, the mechanism uses the difference between the entropy of source and destination addresses to determine whether DDoS attacks occur. When DDoS attacks occur, a traffic filtration mechanism based on the difference in counts between source and destination address will defend against DDoS attacks in real time. Experimental results indicate that the proposed mechanism effectively identifies and defends against DDoS attacks. Compared with the benchmark method, the accuracy of this mechanism in window-


* Funding: National Natural Science Foundation of China (62002344, U20A20180, 62072437)
Received 2022-07-12; Revised 2023-05-10, 2023-11-18, 2024-03-18, 2024-06-03; Accepted 2024-07-14; jos online publication date: 2024-12-31
CNKI online first publication date: 2025-01-02