
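Graduate student: 蔡婷憶 (Ting-Yi Tsai)
Thesis title: Defending Link Flooding Attacks with Stacking-based Deep Neural Networks
Advisor: 賴源正 (Yuan-Cheng Lai)
Oral defense committee: 查士朝 (Shi-Cho Cha), 陳彥宏 (Yen-Hung Chen)
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2020
Graduation academic year: 108
Language: English
Number of pages: 47
Chinese keywords: Link Flooding Attack, Convolutional Neural Network, Long Short-Term Memory, Artificial Intelligence Model
Foreign-language keywords: Link Flooding Attack, Convolutional Neural Network, Long Short-Term Memory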

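Link flooding attacks (LFA) are a new type of DDoS (Distributed Denial-of-Service) attack. LFA uses a large number of bots to send low-rate traffic to decoy servers in an attempt to attack the target links that connect the target area to the outside, leaving all servers in the target area unable to connect externally. Traditional LFA defense mechanisms monitor network traffic and detect anomalous traffic based on traffic volume and its variation; however, these mechanisms depend on the rich experience of algorithm designers and cannot reflect LFA's changing attack characteristics in time. This thesis proposes an architecture called SCL (Stacking-based CNN and LSTM) to defend against LFA. SCL is based on a stacked convolutional neural network and long short-term memory architecture; it can automatically learn to detect attacks from traffic patterns without any manual intervention, and it eliminates LFA according to the ratio of attacked target links. SCL uses a convolutional neural network because it can reduce the dimensionality of the input so that training completes in a short time; SCL uses long short-term memory because it has a notion of time series and is therefore well suited to detecting LFA, whose attack patterns are time series. SCL eliminates LFA according to the ratio of attacked target links because the number of attacked target links is related to the severity of the attack. Simulation results show that SCL's accuracy in detecting whether the system is under attack is 94.38%; its accuracy in successfully blocking LFA is 92.95%; SCL's accuracy in successfully blocking attacks is 60.81% higher than that of LFAD, a traditional SDN-based traffic-detection method for defending against LFA; and SCL maintains an accuracy of 88.17% or above in successfully blocking LFA across different scenarios.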


The Link Flooding Attack (LFA) is a new type of DDoS (Distributed Denial-of-Service) attack. An LFA arranges a large number of bots to send low-speed traffic to servers in an attempt to flood the backbone links that connect a target area to the Internet, preventing all servers in the target area from accessing the Internet. Traditional LFA defense mechanisms monitor network traffic and capture network anomalies based on changes in the traffic. However, these works rely on the experience of algorithm designers and cannot reflect the changing attack characteristics of LFA in a timely manner. In this paper, we propose an architecture called SCL (Stacking-based CNN and LSTM) to defend against LFA. SCL is based on a stacked Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) architecture, which can learn to detect attacks from flow patterns without any manual intervention and mitigate the attack according to the ratio of attacked target links. SCL uses a CNN because it can reduce the dimensions of the input so that training takes a short time. SCL uses LSTM because it has the concept of time series, so it is well suited to detecting LFA, whose attack patterns are time series. SCL mitigates LFA based on the ratio of attacked target links because the number of attacked target links is related to the seriousness of the attack. The simulation results show that the accuracy of SCL in detecting LFA is 94.38%; the accuracy of successfully blocking LFA is 92.95%; the accuracy of SCL in successfully blocking the attack is 60.81% higher than that of the traditional SDN-based traffic-detection method for defending against LFA; and SCL maintains an accuracy of over 88.17% in successfully blocking LFA in different situations.

Abstract (Chinese)
Abstract
Contents
Lists of Figures
Lists of Tables
Chapter 1 Introduction
Chapter 2 Related work
  2.1 LFA attack and countermeasures
  2.2 Deep learning
    2.2.1 CNN
    2.2.2 LSTM
Chapter 3 Problem statement
Chapter 4 Stacking-based CNN and LSTM (SCL)
  4.1 SCL overall architecture
  4.2 System Detector module
  4.3 LFA Mitigator module
Chapter 5 Evaluation
  5.1 Scenario and parameter setting
    5.1.1 Scenarios setting
    5.1.2 SCL parameter setting
    5.1.3 Performance evaluation metric
  5.2 Architecture investigation
    5.2.1 The effects of the number of Convolution layers
    5.2.2 The effects of the number of Pooling layers
    5.2.3 The effects of different orders of Pooling in CNN
    5.2.4 The effects of different activation functions in CNN
    5.2.5 Performance of SCL
  5.3 Parameter investigation
    5.3.1 The effects of time series
    5.3.2 The effects of the number of target links
    5.3.3 The effects of the number of input nodes
    5.3.4 The effects of the number of bots
Chapter 6 Conclusion
References


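Full-text release date: 2025/08/21 (campus network)
Full-text release date: full text not authorized for public release (off-campus network)
Full-text release date: full text not authorized for public release (National Central Library: Taiwan theses and dissertations system)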