
CN106921666B - DDoS attack defense system and method based on cooperative theory - Google Patents


Info

Publication number: CN106921666B
Related numbers: application CN201710128028.7A (CN201710128028A); pre-grant publication CN106921666A
Authority: CN (China)
Prior art keywords: flow, module, switch, port, controller
Prior art date: not given
Legal status: Active (as listed by Google Patents, which states that the status is an assumption and not a legal conclusion)
Application number: CN201710128028.7A
Other languages: Chinese (zh)
Other versions: CN106921666A
Inventors: 黄以华, 黄阳欣
Current assignee: Sun Yat Sen University (as listed by Google Patents)
Original assignee: Sun Yat Sen University
Priority date, filing date, publication date: not given

Events
Application filed by Sun Yat Sen University
Priority to CN201710128028.7A
Publication of CN106921666A
Application granted
Publication of CN106921666B
Legal status: Active
Anticipated expiration: date not given

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a DDoS attack defense system based on cooperative (collaborative) theory, applied in particular to an SDN network. The system comprises a controller and traffic scrubbing devices (the "cleaning equipment" of the original text) attached to switches. The controller monitors the ports of every switch in the network and, when it identifies an abnormal switch port, steers that port's traffic to a scrubbing device; the scrubbing device analyses and scrubs the traffic it receives and, from the analysis result, supplies a security defense policy to the controller; the controller then configures the switch according to that policy to mitigate the attack.

Description

DDoS attack defense system and method based on cooperative theory
Technical Field
The invention relates to the field of network security, and in particular to a DDoS attack defense system and a DDoS attack defense method based on cooperative theory.
Background
With the rapid development and widespread application of computer science and technology, the transformation of cyberspace is continually changing people's way of life. As dependence on the Internet grows, and as more and more confidential information about enterprises, individuals and even states moves onto it, network security has become a central problem of technological development.
Among the many attack methods found on the Internet, distributed denial of service (DDoS) is the most common and one of the most destructive. DDoS attacks are launched mostly from botnets, whose members cooperate to deny service to one or more targets. Because a DDoS attack is simple to launch and hard to trace to its origin, no means of completely defending against it exists to date.
Software Defined Networking (SDN) is a network architecture that decouples the control plane from the data plane and thereby provides centralised control of the network. Because the whole SDN network depends on a single controller, the controller itself is an attractive DDoS target, so this architecture faces new security problems of its own. At the same time, the controller's global view and control of the network, its rapid deployment capability and its intelligent scheduling capability allow fast monitoring and effective scrubbing of abnormal traffic, which offers a good basis for defending against DDoS attacks.
The DDoS defense methods proposed so far for SDN architectures, in China and abroad, are mostly implemented on the SDN controller: intrusion detection is performed with mathematical-statistical or neural-network methods, and when an anomaly is detected the attack source is located by a traceback or packet-marking algorithm and then blocked by flow table entries issued by the controller. In these methods both intrusion detection and attack mitigation are concentrated on the controller, so the accuracy of detection depends entirely on the accuracy of the algorithm running on the controller, and the robustness of the whole defense system depends on the security of the controller. How to make full use of the controller without relying on it too heavily is therefore one of the questions that the design of a DDoS defense system must address.
Disclosure of Invention
The invention provides a DDoS attack defense system based on cooperative theory in which the monitoring and decision-making functions of the defense process are separated: the controller is responsible for monitoring, and a group of traffic scrubbing devices is responsible for decision-making. The defense system as a whole does not depend excessively on the controller, so the controller's resources can be fully used while the robustness of the whole system is improved.
To this end, the technical scheme is as follows:
A DDoS attack defense system based on cooperative theory, applied in particular to an SDN network, comprising a controller and scrubbing devices attached to switches. The controller monitors the ports of every switch in the network and steers the traffic of any switch port it finds abnormal to a scrubbing device; the scrubbing device analyses and scrubs the traffic it receives and supplies a security defense policy to the controller based on the analysis result; the controller configures the switch according to that policy to mitigate the attack.
Preferably, the controller comprises a Packet-In statistics module, a traffic statistics module, a flow table configuration module and a device management module located in the control layer, and a defense policy configuration module, an interaction management module and a logging module located in the application layer;
the Packet-In statistics module performs statistical analysis of the Packet-In messages sent to the controller and, from the result, determines the abnormal switch ports under DDoS attacks that use spoofed IP addresses and under DDoS attacks aimed at the controller itself;
the traffic statistics module monitors the port traffic of every switch in the SDN network in real time and, from the result, determines the abnormal switch ports under DDoS attacks launched by botnets;
the flow table configuration module issues flow table entries to a specified switch so that the traffic of the abnormal port is steered to a scrubbing device;
the device management module manages the scrubbing devices in the SDN network and records their state information;
the defense policy configuration module interacts with the scrubbing devices, receives a security defense policy from them and configures the switches according to that policy;
the interaction management module provides a visual interface for the administrator;
the logging module uploads the log information generated by the defense system to a database.
Preferably, a scrubbing device comprises a traffic collection module, a traffic classification module, a traffic processing module and a policy configuration module;
the traffic collection module listens on the scrubbing device's network port and buffers the traffic steered to the device;
the traffic classification module periodically classifies the buffered traffic to determine its attack type;
the traffic processing module removes the abnormal traffic from the buffered traffic according to the attack type and returns the remaining normal traffic to the network;
the policy configuration module analyses the attack type together with the statistical distribution of the abnormal traffic to derive a security defense policy, and sends it to the controller's defense policy configuration module.
Preferably, to determine the abnormal switch port under a spoofed-IP-address DDoS attack, the Packet-In statistics module first applies destination-IP-address entropy statistics to the Packet-In messages sent to the controller and, when it detects that the entropy has fallen below a preset threshold, selects as the abnormal port the port with the largest share within the switch that has the largest contribution rate;
to determine the abnormal switch ports under a DDoS attack aimed at the controller, the Packet-In statistics module monitors the update rate of the MAC-IP binding table of each switch port, and a port whose update rate exceeds the preset rate is determined to be abnormal.
Preferably, the traffic statistics module determines abnormal ports by measuring the traffic bandwidth of each switch port: a port is determined to be abnormal when its bandwidth exceeds a set threshold and does not fall back below a preset threshold within a set early-warning duration.
Preferably, the flow table configuration module steers the abnormal port's traffic by issuing flow table entries. When the scrubbing device and the abnormal port are on the same switch, the flow table configuration module directly issues a Flow_Mod message to that switch to forward the traffic to the local port; when they are on different switches, the module computes the optimal path from the abnormal port to the scrubbing device from the topology information using Dijkstra's algorithm. Once the path is known, the module adds a VLAN tag to the traffic at the abnormal port using the QinQ (stacked VLAN tag) capability supported by the OpenFlow 1.1 protocol, forwards the traffic matching that VLAN tag on the switches along the path, and finally removes the tag at the scrubbing device's port, completing the steering.
Preferably, the traffic classification module periodically extracts packets from the buffer for feature analysis, obtains a feature tuple, and feeds the feature tuple to a trained BP (back-propagation) neural network for classification, yielding the DDoS attack type.
Preferably, the policy configuration module sends the security defense policy to the controller's defense policy configuration module over an SSL channel.
The invention also provides a method applied to the system, as follows:
Step 1: the controller monitors the ports of every switch in the network in real time through the Packet-In statistics module and the traffic statistics module, and searches for and confirms the abnormal ports under DDoS attack;
Step 2: once an abnormal port is confirmed, the controller steers its traffic to a scrubbing device through the flow table configuration module and the device management module;
Step 3: the scrubbing device receives the traffic from the abnormal port through its traffic collection module;
Step 4: the scrubbing device's traffic classification module periodically takes traffic from the traffic collection module and determines the DDoS attack type by classification;
Step 5: according to the attack type, the traffic processing module in the scrubbing device removes the traffic that matches the attack type, and the remaining normal traffic flows back into the network;
Step 6: the scrubbing device's policy configuration module analyses the attack type together with the statistical distribution of the abnormal traffic, derives a security defense policy and sends it to the controller's defense policy configuration module;
Step 7: the defense policy configuration module receives the security defense policy from the scrubbing device, configures the switch according to it, removes the flow table entries in the switch that steered traffic to the scrubbing device, and uploads logs to the database;
Step 8: the scrubbing device scrubs the traffic still in its buffer according to the security defense policy until all of it has been processed, and then notifies the controller to update the device management module.
Compared with the prior art, the invention has the following beneficial effects:
1. The proposed defense system makes full use of the controller's resources while effectively reducing its load. DDoS defense is achieved through the cooperation of the controller and the group of scrubbing devices; the core idea is to separate the monitoring and decision-making functions of the defense process. The controller monitors switch ports with mathematical-statistical methods, while fine-grained inspection of the traffic and the decision on a security defense policy are carried out by the scrubbing devices. The controller can thus concentrate on monitoring without spending resources on decision-making.
2. The proposed defense system has greater security and robustness. Security comes from the cooperation of the controller and the scrubbing devices: because the scrubbing devices return normal traffic to the network, the effect of false alarms on the controller side is reduced, and the security of the whole system no longer depends excessively on the accuracy of the controller's detection algorithm. Robustness comes from the defense method itself: the controller first ensures its own normal and stable operation, and its cooperation with the scrubbing device group ensures that it does not collapse under a large-scale DDoS attack.
Drawings
Fig. 1 is a schematic diagram of the controller.
Fig. 2 is a schematic diagram of a scrubbing device.
Fig. 3 is a topology diagram of an SDN network.
Fig. 4 is a flow chart of the method.
Detailed Description
The drawings are for illustration only and are not to be construed as limiting the patent;
the invention is further explained below with reference to the figures and an example.
Example 1
The invention provides a DDoS attack defense system based on cooperative theory whose architecture consists of two main parts: the SDN controller and the group of traffic scrubbing devices (cleaning equipment).
As shown in Fig. 1, the SDN controller comprises modules located in the control layer and modules located in the application layer, the latter using the REST API provided by the controller. The control-layer modules are the Packet-In statistics module, the traffic statistics module, the flow table configuration module and the device management module. The application-layer modules are the defense policy configuration module, the interaction management module and the logging module.
In the control layer of the SDN controller, the Packet-In statistics module performs statistical analysis of the Packet-In messages sent to the controller and, from the result, determines the abnormal switch ports under DDoS attacks using spoofed IP addresses and under DDoS attacks aimed at the controller; the traffic statistics module monitors the port traffic of every switch in the SDN network in real time and, from the result, determines the abnormal switch ports under DDoS attacks launched by botnets; the flow table configuration module issues flow table entries to a designated switch, both to steer the traffic of an abnormal port to a scrubbing device and to block an attack source; the device management module manages all scrubbing devices in the network and records their state information.
In the application layer of the SDN controller, the defense policy configuration module interacts with the scrubbing devices, receives security defense policies from them and configures the switches accordingly; the interaction management module provides a visual interface for the administrator; the logging module uploads the log information generated by the defense system to the database.
As shown in Fig. 2, a single scrubbing device in the group consists mainly of a traffic collection module, a traffic classification module, a traffic processing module and a policy configuration module. The traffic collection module listens on the scrubbing device's network port and buffers the traffic steered to the device; the traffic classification module periodically classifies the buffered traffic to determine its attack type; the traffic processing module removes the abnormal traffic according to the attack type and returns the normal traffic to the network; the policy configuration module analyses the attack type together with the statistical distribution of the abnormal traffic to derive a security defense policy, and sends it to the controller's defense policy configuration module.
At the technical implementation level, the system mainly involves traffic monitoring, traffic steering and abnormal traffic classification, as follows:
1) Traffic monitoring: the SDN controller monitors switch port traffic in the local network in real time through the Packet-In statistics module and the traffic statistics module. Monitoring is aimed mainly at three kinds of DDoS attack: DDoS attacks using spoofed IP addresses, DDoS attacks against the controller, and DDoS attacks launched by botnets.
The SDN controller defends against DDoS attacks using spoofed IP addresses through the Packet-In statistics module. Since the spoofed addresses used by such attacks are mostly randomly generated, their packets usually match no flow table entry at the switch, and the switch then forwards each such packet to the controller in a Packet-In message. The Packet-In statistics module exploits this characteristic and applies destination-IP-address entropy statistics to the Packet-In messages sent to the controller. For a set of packets in a window of width W, the entropy is computed as:
(formula given as an image in the original and not reproduced here)
where N is the number of distinct destination IP addresses in the packet set and p_i is the ratio of the number of packets addressed to destination IP address i to the total number of packets.
When the Packet-In statistics module detects that the entropy has fallen below the preset threshold, it takes the destination IP address with the largest share, denoted IPmax. The abnormal traffic port is then pinned down by computing the contribution rate of each switch port; for the ports of one switch the contribution rate is computed as:
(formula given as an image in the original and not reproduced here)
where i is the switch port number and P_i is the ratio of packets arriving at port i whose destination IP address is IPmax.
When an anomaly is detected, the Packet-In statistics module selects, within the switch that has the largest contribution rate, the port with the largest share as the abnormal traffic port, and notifies the flow table configuration module to steer that port's traffic to a scrubbing device.
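The entropy test and the port localisation described above, as an added Python example (not code from the patent): the Shannon form of the entropy and the reading of the contribution rate as each switch's share of the Packet-Ins addressed to IPmax are assumptions, since the page gives both formulas only as images; the window width W, the threshold and the Packet-In samples are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Tunables. The patent leaves the window width W and the entropy threshold to the
# operator; the values below are assumptions for this example.
WINDOW_W = 20
ENTROPY_THRESHOLD = 1.0


def dst_ip_entropy(window):
    """Entropy of the destination-IP distribution over one window of Packet-In events.

    Uses the standard Shannon form H = -sum(p_i * log2(p_i)) over the N distinct
    destinations (assumed; the patent defines N and p_i this way but gives the formula
    only as an image). Each event is a (dpid, in_port, dst_ip) tuple.
    """
    counts = Counter(dst for _dpid, _port, dst in window)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def locate_abnormal_port(events, threshold=ENTROPY_THRESHOLD):
    """Return (dpid, port) of the suspected attack ingress, or None if traffic looks normal.

    Only the most recent WINDOW_W events are examined. The contribution rate is read
    (assumption; the patent's formula is not reproduced on the page) as the share of all
    Packet-Ins addressed to IPmax that each switch produced; within the top switch, the
    port that carried the largest share of those Packet-Ins is reported.
    """
    window = events[-WINDOW_W:]
    if len(window) < WINDOW_W or dst_ip_entropy(window) >= threshold:
        return None
    ip_max = Counter(dst for _, _, dst in window).most_common(1)[0][0]
    per_switch = Counter()
    per_port = defaultdict(Counter)
    for dpid, port, dst in window:
        if dst == ip_max:
            per_switch[dpid] += 1
            per_port[dpid][port] += 1
    top_switch = per_switch.most_common(1)[0][0]
    top_port = per_port[top_switch].most_common(1)[0][0]
    return top_switch, top_port


# Constructed Packet-In samples (not captures from the patent's network).
# Spoofed-source flood towards 10.0.0.9 entering mostly at S3 port 1.
ATTACK_WINDOW = (
    [("s3", 1, "10.0.0.9")] * 12
    + [("s3", 2, "10.0.0.9")] * 2
    + [("s1", 1, "10.0.0.9")] * 3
    + [("s1", 2, "10.0.0.21"), ("s2", 1, "10.0.0.22"), ("s4", 2, "10.0.0.23")]
)
# Benign window: every Packet-In is for a different destination, so entropy is maximal.
NORMAL_WINDOW = [("s%d" % (i % 4 + 1), i % 3 + 1, "10.0.1.%d" % i) for i in range(20)]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        print(name, round(dst_ip_entropy(window), 3), locate_abnormal_port(window))
```

In the attack window 17 of 20 Packet-Ins share one destination, which drives the entropy to about 0.85 bits; the benign window sits at log2(20), so the threshold has a wide margin. The function refuses to judge a window shorter than W, which matters at start-up, when a handful of Packet-Ins for the same server would otherwise look like a concentrated flood.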
The SDN controller defends against DDoS attacks aimed at the controller through the Packet-In statistics module. Such an attack aims to increase the controller's load: it generates large numbers of forged packets that match no flow table entry, so that the switches send large numbers of Packet-In messages to the controller. The destination and source IP addresses of these Packet-In messages are almost all random, so the Packet-In statistics module does not analyse the Packet-In messages directly but instead judges whether an attack is under way from the update rate of the MAC-IP binding table of each switch port. Each entry of the MAC-IP binding table contains the switch Dpid, the switch port number, the host MAC address and the host IP address, in the format {Dpid:Port:MACAddress:IPAddress}. The update rate of the binding table is expressed as:
v = v_change + v_add
where v_change is the rate at which the IP address bound on a switch port changes within a given time t, and v_add is the rate at which new MAC-IP entries are created within that time t.
When the update rate of a switch port exceeds the preset rate, the port's traffic is preferably steered to a scrubbing device; optionally the port may be shut down or its bandwidth limited.
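The MAC-IP binding table update-rate check, as an added Python example (not the patent's code): the observation interval t, the rate limit and the learnt MAC/IP pairs are constructed, and ageing events out of a sliding interval is one way among several to realise "within a given time t".

```python
from collections import defaultdict


class MacIpBindingMonitor:
    """MAC-IP binding table with a per-port update-rate detector.

    Entries follow the patent's {Dpid:Port:MACAddress:IPAddress} form. Over an observation
    interval t (seconds) the update rate of a port is v = v_change + v_add, where v_change
    counts existing MACs rebinding to a new IP and v_add counts newly learnt MAC-IP pairs,
    both per second.
    """

    def __init__(self, interval_s, rate_limit):
        self.interval = float(interval_s)
        self.rate_limit = rate_limit      # preset rate above which a port is abnormal
        self.bindings = {}                # (dpid, port, mac) -> ip
        self.events = defaultdict(list)   # (dpid, port) -> [(timestamp, "add"|"change")]

    def learn(self, ts, dpid, port, mac, ip):
        """Feed one Packet-In's source MAC/IP as seen on (dpid, port)."""
        key = (dpid, port, mac)
        prev = self.bindings.get(key)
        if prev is None:
            self.events[(dpid, port)].append((ts, "add"))
        elif prev != ip:
            self.events[(dpid, port)].append((ts, "change"))
        else:
            return                        # binding already known: not an update
        self.bindings[key] = ip

    def update_rate(self, ts, dpid, port):
        """v for the port over the last `interval` seconds; older events are aged out."""
        recent = [e for e in self.events[(dpid, port)] if ts - e[0] <= self.interval]
        self.events[(dpid, port)] = recent
        v_add = sum(1 for _, kind in recent if kind == "add") / self.interval
        v_change = sum(1 for _, kind in recent if kind == "change") / self.interval
        return v_change + v_add

    def abnormal_ports(self, ts):
        return sorted(k for k in list(self.events) if self.update_rate(ts, *k) > self.rate_limit)


def simulate():
    """Constructed scenario: three real hosts on S3 port 2, a forged-address flood on S3 port 1."""
    mon = MacIpBindingMonitor(interval_s=10, rate_limit=1.0)
    for i in range(3):                                     # legitimate hosts, learnt once
        mon.learn(i, "s3", 2, "aa:bb:cc:00:00:%02x" % i, "10.0.0.%d" % (i + 1))
    for i in range(50):                                    # 50 random MAC/IP pairs in 5 s
        mon.learn(i / 10, "s3", 1, "02:00:00:00:%02x:%02x" % (i // 256, i % 256), "10.0.9.%d" % i)
    # one host on port 2 renews its lease with a new address: a single "change" event
    mon.learn(6, "s3", 2, "aa:bb:cc:00:00:00", "10.0.0.200")
    during = mon.abnormal_ports(ts=6)
    port2_rate = mon.update_rate(6, "s3", 2)               # 3 adds + 1 change over 10 s
    after = mon.abnormal_ports(ts=60)                      # every event has aged out
    return during, after, port2_rate


if __name__ == "__main__":
    print(simulate())
```

Only port 1 of S3 is reported while the flood lasts (50 new bindings in 10 s against a limit of one per second); the legitimate port stays at 0.4/s even with an address change, and once the interval has passed without new events no port is flagged, so the check recovers on its own.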
The SDN controller defends against DDoS attacks launched by botnets through the traffic statistics module. Most members of a botnet are ordinary users' machines turned into bots under an attacker's control without their owners' knowledge or consent; together they generate a huge volume of traffic towards the target in a short time. The traffic statistics module therefore reads the flow tables of each switch through the controller and computes the traffic bandwidth of each switch port as:
(formula given as an image in the original and not reproduced here)
where Δt is the interval, set by the controller, between successive reads of a switch's flow table, and C_t is the byte count of the packets sent by a given switch port at time t.
When the controller observes that the bandwidth of some switch port has exceeded the set threshold within an interval Δt, it sets an early-warning time t_alarm to prevent false alarms; if the bandwidth has not fallen below the preset threshold when t_alarm expires, the port is judged to be an abnormal traffic port and the flow table configuration module is notified to steer its traffic to a scrubbing device.
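The bandwidth check with the early-warning delay t_alarm, as an added Python example (not the patent's code). The bandwidth formula is assumed to be the difference of successive byte counters divided by Δt; the two thresholds and the counter traces are constructed, and the short-burst trace shows the case the delay exists for: a burst that subsides before t_alarm expires is not flagged.

```python
class PortBandwidthMonitor:
    """Port bandwidth from periodic flow-table byte counters with an early-warning delay.

    Every delta_t seconds the controller reads each port's cumulative byte count C_t; the
    bandwidth is taken as (C_t - C_{t-delta_t}) / delta_t (assumed reading of the patent's
    formula, which the page gives only as an image). A port whose bandwidth exceeds
    `threshold` enters a warning state; it is declared abnormal only if it has not fallen
    back below `reset_threshold` within `t_alarm` seconds, which filters short bursts.
    """

    NORMAL, WARNING, ABNORMAL = "normal", "warning", "abnormal"

    def __init__(self, delta_t, threshold, reset_threshold, t_alarm):
        self.delta_t = float(delta_t)
        self.threshold = threshold
        self.reset_threshold = reset_threshold
        self.t_alarm = t_alarm
        self.last_bytes = {}     # (dpid, port) -> previous cumulative byte count
        self.alarm_since = {}    # (dpid, port) -> timestamp the warning started

    def sample(self, ts, dpid, port, cumulative_bytes):
        """Ingest one counter reading; returns the port's state, or None on the first sample."""
        key = (dpid, port)
        prev = self.last_bytes.get(key)
        self.last_bytes[key] = cumulative_bytes
        if prev is None:
            return None
        bandwidth = (cumulative_bytes - prev) / self.delta_t
        if bandwidth > self.threshold:
            self.alarm_since.setdefault(key, ts)      # start t_alarm once, keep it running
        elif bandwidth < self.reset_threshold:
            self.alarm_since.pop(key, None)           # traffic subsided: cancel the warning
        started = self.alarm_since.get(key)
        if started is None:
            return self.NORMAL
        return self.ABNORMAL if ts - started >= self.t_alarm else self.WARNING


def first_abnormal_time(monitor, dpid, port, counters):
    """Replay (ts, cumulative_bytes) readings; return the first ts judged abnormal, or None."""
    for ts, c in counters:
        if monitor.sample(ts, dpid, port, c) == PortBandwidthMonitor.ABNORMAL:
            return ts
    return None


# Constructed counter traces (bytes), sampled every second; not measurements from the patent.
SUSTAINED_FLOOD = [(t, 2_000_000 * t) for t in range(8)]                 # 2 MB/s for 8 s
SHORT_BURST = [(0, 0), (1, 2_000_000), (2, 4_000_000), (3, 4_200_000),
               (4, 4_400_000), (5, 4_600_000), (6, 4_800_000)]           # 2 MB/s, then 0.2 MB/s


def demo(trace):
    mon = PortBandwidthMonitor(delta_t=1, threshold=1_000_000,
                               reset_threshold=500_000, t_alarm=3)
    return first_abnormal_time(mon, "s3", 1, trace)


if __name__ == "__main__":
    print("sustained flood flagged at t =", demo(SUSTAINED_FLOOD))
    print("short burst flagged at t =", demo(SHORT_BURST))
```

The sustained trace crosses the threshold at t = 1 and is declared abnormal at t = 4, when t_alarm has run out; the short burst crosses the same threshold but drops below the reset threshold at t = 3, so its warning is cancelled and the port is never steered. Keeping a separate reset threshold gives the detector hysteresis, so a port hovering around the trigger value does not flap between states.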
2) Traffic steering: the flow table configuration module on the SDN controller steers abnormal traffic by issuing flow table entries. When the scrubbing device and the abnormal traffic port are on the same switch, the controller directly sends a Flow_Mod message to that switch to forward the traffic to the local port; when they are on different switches, the flow table configuration module computes the optimal path from the abnormal traffic port to the scrubbing device from the topology information using Dijkstra's algorithm. Once the path is known, the controller adds a VLAN tag to the traffic at the abnormal port using the QinQ capability supported by the OpenFlow 1.1 protocol, forwards the traffic matching that VLAN tag on the switches along the path, and finally removes the tag at the scrubbing device's port, completing the steering.
3) Abnormal traffic classification: the traffic classification module in the scrubbing device classifies traffic with a BP neural network. Before it can classify, the BP network model must be trained; the training samples come mainly from large volumes of traffic data (both normal and abnormal) collected in a real network. After training, the traffic classification module periodically extracts packets from the buffer for feature analysis and obtains a feature tuple, a set of representative feature values chosen according to the DDoS attack types to be detected; the feature tuple is fed to the BP network, whose output is the attack type of the traffic.
Fig. 3 shows the network topology of an embodiment of the invention: an SDN network in which C is the SDN controller; S1, S2, S3, S4 and S5 are switches supporting the OpenFlow 1.1 protocol; and Q1, Q2 and Q3 are scrubbing devices deployed in the network.
As shown in Fig. 4, in this embodiment the DDoS attack defense method based on cooperative theory proceeds in the following eight steps:
Step 1: an attacker launches a DDoS attack. The SDN controller monitors switch port traffic in the local network in real time through the Packet-In statistics module and the traffic statistics module, and searches for and confirms the source of the abnormal traffic. Depending on the attacker's target and means, the controller relies on a different monitoring mode:
1) The attacker launches a DDoS attack on target H using spoofed IP addresses. When this traffic reaches switch S3 it mostly fails to match any flow table entry there, because the spoofed addresses are largely random, so S3 sends the packets to the controller as Packet-In messages. Because the destination IP addresses of these Packet-In messages are highly concentrated, the entropy computed by the controller's Packet-In statistics module falls below the preset threshold. The controller then finds, from the destination addresses, that S3 has the largest contribution rate and that port 1 has the largest share within S3, and therefore treats port 1 of S3 as the abnormal traffic port.
2) The attacker launches a DDoS attack against controller C. The attack aims to increase the controller's load by generating large numbers of forged packets that match no flow table entry, so that many Packet-In messages reach the controller. Since the MAC-IP address pairs in these forged packets are randomly generated, the controller learns each one as a newly added host. The Packet-In statistics module therefore detects that the MAC-IP binding table update rate of port 1 of S3 exceeds the preset rate, and the controller treats port 1 of S3 as the abnormal traffic port.
3) The attacker launches a DDoS attack on target H through a botnet. Since the botnet generates a large volume of traffic towards the target in a short time, the controller's traffic statistics module detects that the traffic on port 1 of S3 has increased. To prevent false alarms the controller waits for a short period and checks again; the bandwidth has not returned to a normal level, so the controller treats port 1 of S3 as the abnormal traffic port.
Step 2: once the source of the abnormal traffic is confirmed, the flow table configuration module on the SDN controller steers the abnormal traffic by issuing flow table entries. The state of every scrubbing device in the network is held in the controller's device management module; in this embodiment the initial state table is:
DPID                          PORT   STATE
00:00:00:00:00:00:00:01 (S1)  3      NONE
00:00:00:00:00:00:00:03 (S3)  4      NONE
00:00:00:00:00:00:00:04 (S4)  4      NONE

After the controller determines that port 1 of switch S3 is an abnormal traffic port, it learns from the device management module that an idle scrubbing device, Q1, is attached to port 4 of S3. The controller therefore issues a Flow_Mod message directly to S3 to forward the port's traffic; the message is:

{"switch":"00:00:00:00:00:00:00:03","cookie":"0","in_port":"1","active":"true","actions":"output=4"}

The scrubbing device state table in the device management module is then updated as follows (the STATE entry records the switch and port whose traffic the device is now scrubbing):

DPID                          PORT   STATE
00:00:00:00:00:00:00:01 (S1)  3      NONE
00:00:00:00:00:00:00:03 (S3)  4      {"00:00:00:00:00:00:00:03":"1"}
00:00:00:00:00:00:00:04 (S4)  4      NONE
if the cleaning equipment Q1 is not in an idle state, the controller obtains an optimal path from the abnormal flow port to the cleaning equipment based on Dijkstra algorithm according to the topology information and the cleaning equipment state information table in the equipment management module. In the present embodiment, the optimal path is S3(1) - > S3(3) - > S4(1) - > S4 (4).
With the path known, the controller sends a Flow_Mod to each switch on the path and pulls the abnormal traffic to the cleaning device by VLAN tagging. The description calls this QinQ over OpenFlow 1.1; OpenFlow 1.1 is indeed the version that introduced the push_vlan and pop_vlan actions, but the rules below push a single tag, which is ordinary 802.1Q tagging and only becomes QinQ (802.1ad stacking) when the frames entering port 1 already carry a tag. The Flow_Mod messages are:
Configuration for S3 (ingress: tag the traffic arriving on port 1 and send it towards S4):
{"switch":"00:00:00:00:00:00:00:03","cookie":"0","in_port":"1","active":"true","actions":"push_vlan=123,output=3"}
Configuration for S4 (DPID 04; egress: match VLAN 123, strip the tag and deliver to the cleaning device on port 4):
{"switch":"00:00:00:00:00:00:00:04","cookie":"0","eth_vlan_vid":"123","active":"true","actions":"pop_vlan,output=4"}
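The whole of step 2 in code, as an added example that is not code from the patent: choose an idle cleaning device (one on the abnormal switch first, otherwise the nearest reachable one), compute the path with Dijkstra, and emit the flow entries, a single local forwarding rule for the same-switch case or a push_vlan / match-on-tag / pop_vlan chain for a multi-switch path, then update the device state table. The topology (only the S3 port 3 to S4 port 1 link is taken from the page), the unit link costs, VLAN 123 and the dictionary layout of a flow entry follow the page's notation but are assumptions of this example.

```python
"""Abnormal-traffic traction: pick an idle cleaning device and build the
flow entries that steer traffic from the abnormal port to it.

Added example, not code from the patent.
"""
import copy
import heapq

S1, S3, S4 = ("00:00:00:00:00:00:00:0%d" % i for i in (1, 3, 4))

# Constructed topology as ((dpid, port), (dpid, port)) links, used in both
# directions.  S3 port 3 <-> S4 port 1 is the hop on the page's optimal path;
# the S4 <-> S1 link is assumed.
LINKS = [((S3, 3), (S4, 1)), ((S4, 2), (S1, 1))]

# Cleaning-device table as in the page: dpid -> (port, state); "NONE" = idle,
# otherwise {abnormal_dpid: abnormal_port} for the traffic being cleaned.
DEVICES = {S1: (3, "NONE"), S3: (4, "NONE"), S4: (4, "NONE")}

TRACTION_VLAN = 123   # assumed VLAN ID reserved for steering traffic


def build_adjacency(links):
    adj = {}
    for (a, ap), (b, bp) in links:
        adj.setdefault(a, []).append((b, ap, bp))   # leave a on ap, arrive at b on bp
        adj.setdefault(b, []).append((a, bp, ap))
    return adj


def dijkstra(adj, src, dst):
    """Shortest path as [(dpid, out_port, next_hop_in_port), ...], or None."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, out_port, in_port in adj.get(u, []):
            nd = d + 1                          # unit cost per link (assumed)
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, (u, out_port, in_port)
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    hops, node = [], dst
    while node != src:
        u, out_port, in_port = prev[node]
        hops.append((u, out_port, in_port))
        node = u
    return hops[::-1]


def choose_device(devices, adj, abnormal_dpid):
    """Prefer an idle device on the abnormal switch, else the nearest idle one."""
    idle = [d for d, (_, state) in devices.items() if state == "NONE"]
    if abnormal_dpid in idle:
        return abnormal_dpid, []
    best = None
    for d in idle:
        hops = dijkstra(adj, abnormal_dpid, d)
        if hops is not None and (best is None or len(hops) < len(best[1])):
            best = (d, hops)
    return best


def flow_entry(dpid, in_port, actions, vlan=None):
    entry = {"switch": dpid, "cookie": "0", "in_port": str(in_port)}
    if vlan is not None:
        entry["eth_vlan_vid"] = str(vlan)
    entry.update({"active": "true", "actions": actions})
    return entry


def traction(devices, abnormal_dpid, abnormal_port, links=LINKS):
    """Return (flow entries to issue, updated device table)."""
    adj = build_adjacency(links)
    chosen = choose_device(devices, adj, abnormal_dpid)
    if chosen is None:
        raise RuntimeError("no idle cleaning device reachable from %s" % abnormal_dpid)
    dev_dpid, hops = chosen
    dev_port = devices[dev_dpid][0]
    rules = []
    if not hops:                                        # same switch: local forwarding
        rules.append(flow_entry(abnormal_dpid, abnormal_port, "output=%d" % dev_port))
    else:
        in_port = abnormal_port
        for i, (dpid, out_port, next_in) in enumerate(hops):
            if i == 0:                                  # ingress: tag and forward
                rules.append(flow_entry(dpid, in_port,
                                        "push_vlan=%d,output=%d" % (TRACTION_VLAN, out_port)))
            else:                                       # transit: forward on the tag
                rules.append(flow_entry(dpid, in_port, "output=%d" % out_port, TRACTION_VLAN))
            in_port = next_in
        rules.append(flow_entry(dev_dpid, in_port,              # egress: untag, deliver
                                "pop_vlan,output=%d" % dev_port, TRACTION_VLAN))
    updated = copy.deepcopy(devices)
    updated[dev_dpid] = (dev_port, {abnormal_dpid: str(abnormal_port)})
    return rules, updated


if __name__ == "__main__":
    print(traction(DEVICES, S3, 1)[0])                  # Q1 idle: one local rule
    busy = {**DEVICES, S3: (4, {S1: "2"})}              # Q1 busy: tagged path to S4
    print(traction(busy, S3, 1)[0])
```

The transit and egress entries here match on in_port as well as the VLAN ID, which is tighter than the page's S4 entry: it keeps unrelated frames that happen to carry VLAN 123 from being steered into the cleaning device.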
Step 3: the cleaning device Q1 receives the network traffic from port 1 of switch S3 through its traffic collection module.
Step 4: the traffic classification module of Q1 periodically takes packets from the cache, extracts features from them, and feeds the resulting feature tuple to a trained BP (back-propagation) neural network, which outputs the DDoS attack type.
Step 5: using the attack type, the traffic processing module of the cleaning device discards the traffic that matches the attack type and returns the remaining normal traffic to the network. In this embodiment Q1 injects the normal traffic back into the network through port 4 of switch S3.
Step 6: the policy configuration module of the cleaning device combines the attack type with the statistical distribution of the abnormal traffic and derives a security defense policy. The policy carries the DPID of the switch the cleaning device is attached to, the switch port number, the attack type, the defense method and the defense object, in the format {DPID:Port:Type:Way:Object}. One possible policy in this embodiment is:
{"00:00:00:00:00:00:00:03":"4":SynFlood:Drop_IP:{"172.18.216.23","172.18.216.45"}}
meaning that the cleaning device on port 4 of switch S3 has identified a SYN flood and proposes that the switch drop packets whose source IP address is 172.18.216.23 or 172.18.216.45. A source-address rule of this kind only helps when the sources are real bots, as in the botnet case of this embodiment; against a flood with spoofed source addresses the drop list would be useless, or would block innocent hosts.
The cleaning device sends the security defense policy to the defense policy configuration module in the controller's application layer over an SSL channel.
Step 7: when the controller receives the policy, the device management module tells it that Q1 is currently cleaning the traffic of port 1 of switch S3, so switch S3 is the one to configure. From the policy of step 6 the controller issues flow entries to S3 that block the attack sources; the Flow_Mod messages are:
{"switch":"00:00:00:00:00:00:00:03","cookie":"0","in_port":"1","ipv4_src":"172.18.216.23","active":"true","actions":"drop"}
{"switch":"00:00:00:00:00:00:00:03","cookie":"0","in_port":"1","ipv4_src":"172.18.216.45","active":"true","actions":"drop"}
At the same time the controller removes from the switch the flow entries that were pulling traffic to the cleaning device, and uploads the log to the database.
Step 8: because the attack type is now known, the cleaning device cleans the traffic still in its cache according to the security defense policy until everything has been processed. It then sends the controller a WORK_DONE command in the same format as the policy; in this embodiment:
{"00:00:00:00:00:00:00:03":"4":WORK_DONE:NONE:NONE}
On receiving it, the controller updates the device management module and sets the state of cleaning device Q1 back to idle.
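Steps 6 to 8 on the controller side, as an added example that is not code from the patent: it parses the page's {DPID:Port:Type:Way:Object} policy string, checks that the sender is a cleaning device registered in the device management module and is actually cleaning something, turns a Drop_IP policy into drop entries on the abnormal port that device is cleaning, and returns the device to idle on WORK_DONE. The regular expression, the validation steps, the device-table layout and the two sample messages are assumptions constructed for the example.

```python
"""Security defense policy handling on the controller (steps 6 to 8).

Added example, not code from the patent.
"""
import ipaddress
import re

# {"<dpid>":"<port>":<Type>:<Way>:<Object>} with Object = {"ip","ip",...} or NONE
POLICY_RE = re.compile(
    r'^\{"(?P<dpid>[0-9a-fA-F:]{23})":"(?P<port>\d+)":'
    r'(?P<type>\w+):(?P<way>\w+):(?P<obj>\{.*\}|NONE)\}$'
)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def parse_policy(text):
    """Return the policy as a dict; tolerates the curly quotes seen in the page."""
    text = text.strip().replace("\u201c", '"').replace("\u201d", '"')
    m = POLICY_RE.match(text)
    if not m:
        raise ValueError("malformed policy: %r" % text)
    obj = m.group("obj")
    objects = [] if obj == "NONE" else IPV4_RE.findall(obj)
    return {"dpid": m.group("dpid"), "port": int(m.group("port")),
            "type": m.group("type"), "way": m.group("way"), "objects": objects}


def apply_policy(text, devices):
    """Process one policy message from a cleaning device.

    devices: {dpid: (port, state)} with state "NONE" (idle) or
             {abnormal_dpid: abnormal_port} while cleaning.
    Returns (flow entries to issue, clear_traction flag, updated devices).
    """
    p = parse_policy(text)
    entry = devices.get(p["dpid"])
    if entry is None or entry[0] != p["port"]:
        # only devices known to the device management module may push policy
        raise PermissionError("policy from unregistered cleaning device %s:%d"
                              % (p["dpid"], p["port"]))
    dev_port, state = entry
    if state == "NONE":
        raise ValueError("cleaning device %s:%d is idle" % (p["dpid"], dev_port))
    (abn_dpid, abn_port), = state.items()
    updated = dict(devices)

    if p["type"] == "WORK_DONE":                      # step 8: device back to idle
        updated[p["dpid"]] = (dev_port, "NONE")
        return [], False, updated

    if p["way"] != "Drop_IP":
        raise ValueError("unsupported defense way %r" % p["way"])
    rules = []
    for ip in p["objects"]:
        addr = ipaddress.ip_address(ip)               # rejects e.g. 999.1.1.1
        if addr.version != 4:
            raise ValueError("ipv4_src rule needs an IPv4 address: %s" % ip)
        rules.append({"switch": abn_dpid, "cookie": "0", "in_port": abn_port,
                      "ipv4_src": str(addr), "active": "true", "actions": "drop"})
    # step 7: blocking rules go in and the traction entries come out;
    # the device keeps cleaning what is already in its cache
    return rules, True, updated


# Constructed messages in the page's format
SYN_POLICY = ('{"00:00:00:00:00:00:00:03":"4":SynFlood:Drop_IP:'
              '{"172.18.216.23","172.18.216.45"}}')
WORK_DONE = '{"00:00:00:00:00:00:00:03":"4":WORK_DONE:NONE:NONE}'
S3 = "00:00:00:00:00:00:00:03"
DEVICES = {S3: (4, {S3: "1"})}     # Q1 is cleaning port 1 of S3


def demo():
    rules, clear, devices = apply_policy(SYN_POLICY, DEVICES)
    _, _, devices = apply_policy(WORK_DONE, devices)
    return rules, clear, devices


if __name__ == "__main__":
    for rule in demo()[0]:
        print(rule)
```

The registration check matters because the policy channel is the one place where a device outside the controller can cause drop rules to be installed; the SSL channel of claim 5 protects the transport, but it is the device table that decides who is allowed to speak.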
It should be understood that the above embodiments are only examples that illustrate the invention clearly and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; all embodiments need not, and cannot, be exhausted here. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within the scope of protection of its claims.

Claims (6)

1. A DDoS attack defense system based on cooperative theory, applied to an SDN network, characterized in that: the system comprises a controller and cleaning devices attached to switches; the controller monitors the ports of every switch in the network and pulls the monitored network traffic of an abnormal switch port to a cleaning device; the cleaning device analyses and cleans the received network traffic and, based on the analysis result, provides a security defense policy to the controller; the controller configures the switch according to that policy and thereby mitigates the attack;
the controller comprises a Packet-In statistics module, a traffic statistics module, a flow table configuration module and a device management module in its control layer, and a defense policy configuration module, an interaction management module and a logging module in its application layer;
the Packet-In statistics module statistically analyses the Packet-In messages sent to the controller and, from the result, determines the abnormal switch ports under a spoofed-source-IP DDoS attack and under a DDoS attack aimed at the controller itself;
the traffic statistics module monitors the port traffic of every switch in the SDN network in real time and, from the result, determines the abnormal switch ports under a DDoS attack launched by a botnet;
the flow table configuration module issues flow entries to a specified switch so that the network traffic of the abnormal port is pulled to the cleaning device;
the device management module manages the cleaning devices in the SDN network and records their state information;
the defense policy configuration module interacts with the cleaning devices, receives a security defense policy from a cleaning device and then configures the switch according to that policy;
the interaction management module provides a visual interface for the administrator;
the logging module uploads the log information generated by the defense system to a database;
the cleaning device comprises a traffic collection module, a traffic classification module, a traffic processing module and a policy configuration module;
the traffic collection module listens on the network port of the cleaning device and caches the network traffic packets sent to it;
the traffic classification module periodically classifies the cached network traffic to obtain its attack type;
the traffic processing module removes the abnormal traffic from the network traffic according to the attack type and returns the normal traffic to the network;
the policy configuration module analyses the attack type together with the statistical distribution of the abnormal traffic, derives a security defense policy and sends it to the defense policy configuration module of the controller;
to determine the abnormal switch port under a spoofed-source-IP DDoS attack, the Packet-In statistics module first applies a destination-IP-address entropy statistic to the Packet-In messages sent to the controller; when the entropy falls below a preset threshold, it selects the switch that contributed the largest share of Packet-In messages and, on that switch, the port with the largest share, as the abnormal port;
to determine the abnormal switch port under a DDoS attack aimed at the controller, the Packet-In statistics module measures the update rate of the MAC-IP binding table of each switch port; when the update rate of a port exceeds a preset rate, that port is determined to be the abnormal port.
2. The DDoS attack defense system based on cooperative theory of claim 1, wherein the traffic statistics module determines an abnormal port by measuring the bandwidth on each switch port: when the bandwidth on a port exceeds a set threshold and does not fall back below a preset threshold within a set early-warning duration, the port is determined to be the abnormal port.
3. The DDoS attack defense system based on cooperative theory of claim 1, wherein the flow table configuration module pulls the network traffic of the abnormal port by issuing flow entries; when the cleaning device and the abnormal port are on the same switch, the flow table configuration module directly issues a Flow_Mod message to that switch to forward the port locally; when the cleaning device and the abnormal port are on different switches, the flow table configuration module computes the optimal path from the abnormal port to the cleaning device with Dijkstra's algorithm from the topology information; after the optimal path is obtained, the flow table configuration module adds a VLAN tag to the network traffic at the abnormal port using the QinQ technology supported by the OpenFlow 1.1 protocol, forwards the network traffic matching that VLAN tag on the switches along the optimal path, and finally removes the VLAN tag at the cleaning-device port, thereby completing the traffic traction.
4. The DDoS attack defense system based on cooperative theory of claim 1, wherein the traffic classification module periodically takes network traffic packets from the cache, extracts features from them into feature tuples, and classifies the feature tuples with a trained BP neural network to obtain the DDoS attack type.
5. The DDoS attack defense system based on cooperative theory of claim 1, wherein the policy configuration module sends the security defense policy to the defense policy configuration module of the controller over an SSL channel.
6. A method using the system of claim 1, comprising the following steps:
Step 1: the controller monitors the ports of every switch in the network in real time through the Packet-In statistics module and the traffic statistics module, and finds and confirms the abnormal ports under DDoS attack;
Step 2: once an abnormal port is confirmed, the controller pulls the network traffic of that port to a cleaning device through the flow table configuration module and the device management module;
Step 3: the cleaning device receives the network traffic of the abnormal port through its traffic collection module;
Step 4: the cleaning device periodically takes network traffic from the traffic collection module through its traffic classification module and obtains the DDoS attack type by classification;
Step 5: according to the attack type, the traffic processing module of the cleaning device removes the traffic that matches the attack type and returns the remaining normal traffic to the network;
Step 6: the policy configuration module of the cleaning device analyses the attack type together with the statistical distribution of the abnormal traffic, derives a security defense policy and sends it to the defense policy configuration module of the controller;
Step 7: the defense policy configuration module receives the security defense policy from the cleaning device, configures the switch according to it, at the same time removes from the switch the flow entries that pull traffic to the cleaning device, and uploads the log to the database;
Step 8: the cleaning device cleans the remaining cached network traffic according to the security defense policy until all of it has been processed, then notifies the controller to update the device management module.
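The two Packet-In based detections of claim 1, as an added example that is not code from the patent: over one window of Packet-In events, a low destination-IP entropy marks a spoofed-source flood and the blame goes to the switch that contributed most Packet-Ins and, within it, the port with the largest share; separately, a port whose MAC-IP bindings are inserted or rewritten faster than a limit marks an attack on the controller itself. The event layout, window length, thresholds and the sample events are assumptions constructed for the example.

```python
"""Packet-In statistics: destination-IP entropy and MAC-IP binding churn.

Added example, not code from the patent.
"""
import math
from collections import Counter

ENTROPY_THRESHOLD = 1.0    # assumed, in bits; a one-victim flood drives H(dst) toward 0
BINDING_RATE_LIMIT = 5.0   # assumed: MAC-IP binding table updates per second per port

S3, S4 = "00:00:00:00:00:00:00:03", "00:00:00:00:00:00:00:04"


def packet_in(dpid, in_port, src_mac, src_ip, dst_ip):
    return {"dpid": dpid, "in_port": in_port, "src_mac": src_mac,
            "src_ip": src_ip, "dst_ip": dst_ip}


def dst_ip_entropy(events):
    """Shannon entropy (bits) of the destination-IP distribution of the window."""
    counts = Counter(e["dst_ip"] for e in events)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def spoofed_flood_port(events, threshold=ENTROPY_THRESHOLD):
    """Entropy method of claim 1: returns (dpid, port) or None."""
    if not events or dst_ip_entropy(events) >= threshold:
        return None
    top_switch = Counter(e["dpid"] for e in events).most_common(1)[0][0]
    top_port = Counter(e["in_port"] for e in events
                       if e["dpid"] == top_switch).most_common(1)[0][0]
    return top_switch, top_port


def binding_churn_ports(events, window_seconds, limit=BINDING_RATE_LIMIT):
    """MAC-IP method of claim 1: ports whose binding-table update rate exceeds `limit`."""
    table = {}                  # (dpid, port, mac) -> ip currently bound to that MAC
    updates = Counter()         # (dpid, port) -> inserts + rewrites in this window
    for e in events:
        key = (e["dpid"], e["in_port"], e["src_mac"])
        if table.get(key) != e["src_ip"]:
            table[key] = e["src_ip"]
            updates[(e["dpid"], e["in_port"])] += 1
    return sorted(p for p, n in updates.items() if n / window_seconds > limit)


# Constructed 2 s window: 40 Packet-Ins of a spoofed-source flood on 10.0.0.9
# entering S3 port 1, plus four background lookups from one host behind S4.
WINDOW_SECONDS = 2.0
FLOOD = [packet_in(S3, 1, "02:00:00:00:00:%02x" % i, "198.51.100.%d" % i, "10.0.0.9")
         for i in range(40)]
BACKGROUND = [packet_in(S4, 2, "02:aa:00:00:00:01", "10.0.0.21", "10.0.0.%d" % (30 + i))
              for i in range(4)]
EVENTS = FLOOD + BACKGROUND

if __name__ == "__main__":
    print("H(dst) = %.3f bits" % dst_ip_entropy(EVENTS))
    print("entropy method:", spoofed_flood_port(EVENTS))
    print("binding churn :", binding_churn_ports(EVENTS, WINDOW_SECONDS))
```

Both methods flag the same port on this window because the flood uses random source addresses: every packet misses the flow table, arrives as a Packet-In, and installs a fresh binding, which is exactly the controller-exhaustion pattern the second method is meant to catch.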
CN201710128028.7A 2017-03-06 2017-03-06 DDoS attack defense system and method based on cooperative theory Active CN106921666B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710128028.7A CN106921666B (en) 2017-03-06 2017-03-06 DDoS attack defense system and method based on cooperative theory

Publications (2)

Publication Number Publication Date
CN106921666A CN106921666A (en) 2017-07-04
CN106921666B true CN106921666B (en) 2020-10-02

Family

ID=59462052

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant