Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Heyu Wang,Yixuan Li

DOI: https://doi.org/10.1109/access.2024.3375395

IF: 3.9

2024-03-19

IEEE Access

Abstract:Software Defined network (SDN), as a new network architecture, is the direction of future network development. By decoupling the control plane and data plane of the network, the control and management of network resources can be improved. However, SDN centralized controllers become the target of malicious attacks, prone to the risk of single point of failure, of which DDoS attacks are the main attack behavior. Through extensive literature investigation, this paper systematically reviews the latest progress of DDoS attack detection in SDN environment. Firstly, the SDN architecture and corresponding DDoS attacks are described, and the commonly used data sets and evaluation indicators are summarized. Secondly, the data preprocessing technology is summarized, and the data dimensionality reduction technology is introduced in detail. Then, at the level of detection technology, it focuses on the advantages and disadvantages of detection algorithms based on statistical analysis, machine learning and deep learning. Finally, the challenges of current research are analyzed, and the future development direction is forecasted. In order to provide reference for future research and development, at the same time, it is of great significance to improve the safety of SDN products in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Meng Wang,Yiqin Lu,Jiancheng Qin

DOI: https://doi.org/10.1109/access.2021.3139511

IF: 3.9

2022-01-01

IEEE Access

Abstract:In the traditional distributed control network, due to the difficulty in detection and the ambiguous defense responsibility, it is not efficient and effective to detect Distributed Denial of Service (DDoS) attacks in the network where they are launched, which is so-called source-based defense mechanism. Moreover, with the development of cloud computing, Internet of Things (IoT), and mobile Internet, the number of terminals and the communication bandwidth in a single autonomous domain have increased significantly, providing much more easy conditions for organizing large-scale botnets to launch a threatening DDoS attack. Therefore, there is an urgent need for source-based defense against DDoS attacks. The emerging Software-Defined Networking (SDN) provides some new ideas and advantages to solve this problem, such as centralized control and network programmability. In this paper, we proposed a defense method based on sFlow and improved Self-Organizing Map (SOM) model in SDN. This method consists of an sFlow-based macro-detection, which could cover the entire network to perceive DDoS attacks, a SOM-based micro-detection, which is used to recognize the attack traffic, and a response strategy based on the global view given by the controller. The experimental results under open data and simulated attack scenarios have proved the effectiveness of the proposed method, and it also has better overall detection performance than k-means and k-medoids.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kun Wang,Yu Fu,Xueyuan Duan,Taotao Liu

DOI: https://doi.org/10.1038/s41598-024-66907-z

2024-07-16

Abstract:Due to the large computational overhead, underutilization of features, and high bandwidth consumption in traditional SDN environments for DDoS attack detection and mitigation methods, this paper proposes a two-stage detection and mitigation method for DDoS attacks in SDN based on multi-dimensional characteristics. Firstly, an analysis of the traffic statistics from the SDN switch ports is performed, which aids in conducting a coarse-grained detection of DDoS attacks within the network. Subsequently, a Multi-Dimensional Deep Convolutional Classifier (MDDCC) is constructed using wavelet decomposition and convolutional neural networks to extract multi-dimensional characteristics from the traffic data passing through suspicious switches. Based on these extracted multi-dimensional characteristics, a simple classifier can be employed to accurately detect attack samples. Finally, by integrating graph theory with restrictive strategies, the source of attacks in SDN networks can be effectively traced and isolated. The experimental results indicate that the proposed method, which utilizes a minimal amount of statistical information, can quickly and accurately detect attacks within the SDN network. It demonstrates superior accuracy and generalization capabilities compared to traditional detection methods, especially when tested on both simulated and public datasets. Furthermore, by isolating the affected nodes, the method effectively mitigates the impact of the attacks, ensuring the normal transmission of legitimate traffic during network attacks. This approach not only enhances the detection capabilities but also provides a robust mechanism for containing the spread of cyber threats, thereby safeguarding the integrity and performance of the network.

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Jin Wang,Liping Wang

DOI: https://doi.org/10.3390/s22218287

IF: 3.9

2022-10-29

Sensors

Abstract:With the development of Software Defined Networking (SDN), its security is becoming increasingly important. Since SDN has the characteristics of centralized management and programmable, attackers can easily take advantage of the security vulnerabilities of SDN to carry out distributed denial of service (DDoS) attacks, which will cause the memory of controllers and switches to be occupied, network bandwidth and server resources to be exhausted, affecting the use of normal users. To solve this problem, this paper designs and implements an online attack detection and mitigation SDN defense system. The SDN defense system consists of two modules: anomaly detection module and mitigation module. The anomaly detection model uses a lightweight hybrid deep learning method—Convolutional Neural Network and Extreme Learning Machine (CNN-ELM) for anomaly detection of traffic. The mitigation model uses IP traceback to locate the attacker and effectively filters out abnormal traffic by sending flow rule commands from the controller. Finally, we evaluate the SDN defense system. The experimental results show that the SDN defense system can accurately identify and effectively mitigate DDoS attack flows in real-time.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Quamar Niyaz,Weiqing Sun,Ahmad Y Javaid

DOI: https://doi.org/10.4108/eai.28-12-2017.153515

2016-11-23

Abstract:Distributed Denial of Service (DDoS) is one of the most prevalent attacks that an organizational network infrastructure comes across nowadays. We propose a deep learning based multi-vector DDoS detection system in a software-defined network (SDN) environment. SDN provides flexibility to program network devices for different objectives and eliminates the need for third-party vendor-specific hardware. We implement our system as a network application on top of an SDN controller. We use deep learning for feature reduction of a large set of features derived from network traffic headers. We evaluate our system based on different performance metrics by applying it on traffic traces collected from different scenarios. We observe high accuracy with a low false-positive for attack detection in our proposed system.

Networking and Internet Architecture

Yuhua Xu,Yunfeng Yu,Hanshu Hong,Zhixin Sun

DOI: https://doi.org/10.1155/2021/5594468

IF: 1.968

2021-04-10

Security and Communication Networks

Abstract:Software-defined networking (SDN) emerges as an innovative network paradigm, which separates the control plane from the data plane to improve the network programmability and flexibility. It is widely applied in the Internet of Things (IoT). However, SDN is vulnerable to DDoS attacks, which can cause network disasters. In order to protect SDN security, a DDoS detection method using cloud-edge collaboration based on Entropy-Measuring Self-organizing Maps and KD-tree (EMSOM-KD) is designed for SDN. Entropy measurement is utilized to select the ideal SOM map and classify SOM neurons considering the limitation of dead and suspicious neurons. EMSOM can detect most flows directly and filter out a few doubtable flows. Then these flows are fine-grained, identified by KD-tree. Due to the limited and precious resources of the controller, parameter computation is performed in the cloud. The edge controller implements DDoS detection by EMSOM-KD. The experiments are conducted to evaluate the performance of the proposed method. The results show that EMSOM-KD has better detection accuracy; moreover, it improves the KD-tree detection efficiency.

computer science, information systems,telecommunications

Jin Ye,Xiangyang Cheng,Jian Zhu,Luting Feng,Ling Song

DOI: https://doi.org/10.1155/2018/9804061

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:The detection of DDoS attacks is an important topic in the field of network security. The occurrence of software defined network (SDN) (Zhang et al., 2018) brings up some novel methods to this topic in which some deep learning algorithm is adopted to model the attack behavior based on collecting from the SDN controller. However, the existing methods such as neural network algorithm are not practical enough to be applied. In this paper, the SDN environment by mininet and floodlight (Ning et al., 2014) simulation platform is constructed, 6-tuple characteristic values of the switch flow table is extracted, and then DDoS attack model is built by combining the SVM classification algorithms. The experiments show that average accuracy rate of our method is 95.24 % with a small amount of flow collecting. Our work is of good value for the detection of DDoS attack in SDN.

computer science, information systems,telecommunications

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary

Yen-Hung Chen,Yuan-Cheng Lai,Kai-Zhong Zhou

DOI: https://doi.org/10.3390/mi12091019

2021-08-26

Abstract:The Deterministic Network (DetNet) is becoming a major feature for 5G and 6G networks to cope with the issue that conventional IT infrastructure cannot efficiently handle latency-sensitive data. The DetNet applies flow virtualization to satisfy time-critical flow requirements, but inevitably, DetNet flows and conventional flows interact/interfere with each other when sharing the same physical resources. This subsequently raises the hybrid DDoS security issue that high malicious traffic not only attacks the DetNet centralized controller itself but also attacks the links that DetNet flows pass through. Previous research focused on either the DDoS type of the centralized controller side or the link side. As DDoS attack techniques are evolving, Hybrid DDoS attacks can attack multiple targets (controllers or links) simultaneously, which are difficultly detected by previous DDoS detection methodologies. This study, therefore, proposes a Flow Differentiation Detector (FDD), a novel approach to detect Hybrid DDoS attacks. The FDD first applies a fuzzy-based mechanism, Target Link Selection, to determine the most valuable links for the DDoS link/server attacker and then statistically evaluates the traffic pattern flowing through these links. Furthermore, the contribution of this study is to deploy the FDD in the SDN controller OpenDayLight to implement a Hybrid DDoS attack detection system. The experimental results show that the FDD has superior detection accuracy (above 90%) than traditional methods under the situation of different ratios of Hybrid DDoS attacks and different types and scales of topology.

Dan Tang,Yudong Yan,Siqi Zhang,Jingwen Chen,Zheng Qin

DOI: https://doi.org/10.1109/jsac.2021.3126053

IF: 16.4

2022-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Software-Defined Networking (SDN) is an emerging network architecture. The decoupled data and control plane provides programmability for efficient network management. However, the centralized control mode of SDN also exposes unique vulnerabilities. Low-rate Denial of Service (LDoS) has a lower attack rate than ordinary DDoS attacks with the characteristics of periodicity and concealment, which is among one of the severe threats to SDN. In this paper, we propose a lightweight, real-time framework Performance and Features (P&F) to detect and mitigate LDoS attacks with SDN. We implement LDoS attacks in SDN, extract traffic features with OpenFlow, and classify the features into two categories. By analyzing the performance (P) of normal traffic under attack state, P&F determines whether LDoS attacks take effect based on machine learning. Meanwhile, P&F tries to locate attack sources and victims according to flow features (F) of LDoS attacks based on time-frequency analysis. According to detection and locating results, P&F sets corresponding mitigation schemes. Experimental results show that P&F has a high detection rate and low false positive rate for detecting LDoS attacks. P&F can deploy on controllers to achieve real-time attack detection and mitigation with low system cost, which can defend against LDoS attacks effectively.

telecommunications,engineering, electrical & electronic

Yinghao Su,Dapeng Xiong,Kechang Qian,Yu Wang

DOI: https://doi.org/10.3390/electronics13040807

IF: 2.9

2024-02-20

Electronics

Abstract:The widespread adoption of software-defined networking (SDN) technology has brought revolutionary changes to network control and management. Compared to traditional networks, SDN enhances security by separating the control plane from the data plane and replacing the traditional network architecture with a more flexible one. However, due to its inherent architectural flaws, SDN still faces new security threats. This paper expounds on the architecture and security of SDN, analyzes the vulnerabilities of SDN architecture, and introduces common distributed denial of service (DDoS) attacks within the SDN architecture. This article also provides a review of the relevant literature on DDoS attack detection and mitigation in the current SDN environment based on the technologies used, including statistical analysis, machine learning, policy-based, and moving target defense techniques. The advantages and disadvantages of these technologies, in terms of deployment difficulty, accuracy, and other factors, are analyzed. Finally, this study summarizes the SDN experimental environment and DDoS attack traffic generators and datasets of the reviewed literature and the limitations of current defense methods and suggests potential future research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ancy Sherin Jose,Latha R Nair,Varghese Paul

DOI: https://doi.org/10.47059/revistageintec.v11i4.2411

2021-07-29

Revista Gestão Inovação e Tecnologias

Abstract:Distributed Denial of Service Attack (DDoS) has emerged as a major threat to cyber space. A DDoS attack aims at exhausting the resources of the victim causing financial and reputational damages to it. The availability of free software make launching of DDoS attacks easy. The difficulty in differentiating a DDoS traffic from a legitimate traffic burst such as a flash crowd makes DDoS difficult to be identified. A wide range of techniques have been used in conventional networks to detect and mitigate DDoS attacks. Though the advent of Software Defined Networking (SDN) makes a network easy to be managed even SDN is vulnerable to DDoS attacks. In this case, the controller of the SDN gets overloaded with the incoming packets from the switches. In fact, a solution based on security analytics can be put in place to ward off this threat as a proactive security measure using the flow level statistics available from the SDN. Compared to the packet analysis used in traditional networks which is resource expensive the flow level statistics is relatively inexpensive. This paper focuses on the design and implementation of an attack detection system for detecting the flooding DDoS attacks TCP SYN flooding attacks, HTTP request flooding attacks, UDP flooding attacks and ICMP flooding attacks over SDN network traffic. The system uses various classification algorithms to classify a traffic into normal or attack. The feature sets for classification were arrived at using a feature selection module with ANOVA (Analysis of Variance) F-Test statistical method. Performance evaluation of each of the classifiers was carried out for the three feature sets obtained from the feature selection module using various performance measures and the results have been tabulated. The feature set which gives the best performance in detecting malicious traffic has been identified.

Sarwan Ali,Maria Khalid Alvi,Safi Faizullah,Muhammad Asad Khan,Abdullah Alshanqiti,Imdadullah Khan

DOI: https://doi.org/10.48550/arXiv.1912.12221

2020-02-03

Abstract:Software Defined Networking (SDN) is a network paradigm shift that facilitates comprehensive network programmability to cope with emerging new technologies such as cloud computing and big data. SDN facilitates simplified and centralized network management enabling it to operate in dynamic scenarios. Further, SDN uses the OpenFlow protocol for communication between the controller and its switches. The OpenFlow creates vulnerabilities for network attacks especially Distributed Denial of Service (DDoS). DDoS attacks are launched from the compromised hosts connected to the SDN switches. In this paper, we introduce a time- and space-efficient solution for the identification of these compromised hosts. Our solution consumes less computational resources and space and does not require any special equipment.

Cryptography and Security

Marcos Aurélio Ribeiro,Mauro Sergio Pereira Fonseca,Juliana de Santi

DOI: https://doi.org/10.1016/j.cose.2023.103462

2023-09-06

Abstract:The Distributed Denial of Service (DDoS) coordinates synchronized attacks on systems on the Internet using a set of infected hosts (bots). Bots are programmed to attack a determined target by firing a lot of synchronized requests, causing slowness or unavailability of the service. This type of attack has recently grown in magnitude, diversity, and economic cost. Thus, this paper presents a DDoS detection and mitigation architecture based on Software Defined Networking (SDN). It considers the Moving Target Defense (MTD) approach, redirecting malicious floods to expendable low-capacity servers to protect the main server while discouraging the attacker. The redirecting decision is based on a sensor, that employs Machine Learning (ML) algorithms for flow classification. When malicious flows are detected, the sensor notifies the SDN controller to include them in the malicious hosts lists and to realize the redirection. The validation and evaluation of the proposed architecture are conducted by simulation. Results considering different classification models (probabilistic, linear model, neural networks, and trees) and attack types indicate that the proposed architecture is efficient in detecting and mitigating DDoS attacks in approximately 3 seconds.

computer science, information systems

Abbas Jasem Altamemi,Aladdin Abdulhassan,Nawfal Turki Obeis

DOI: https://doi.org/10.11591/eei.v11i5.4155

2022-10-01

Bulletin of Electrical Engineering and Informatics

Abstract:The term software defined networking (SDN) is a network model that contributes to redefining the network characteristics by making the components of this network programmable, monitoring the network faster and larger, operating with the networks from a central location, as well as the possibility of detecting fraudulent traffic and detecting special malfunctions in a simple and effective way. In addition, it is the land of many security threats that lead to the complete suspension of this network. To mitigate this attack this paper based on the use of machine learning techniques contribute to the rapid detection of these attacks and methods were evaluated detecting DDoS attacks and choosing the optimum accuracy for classifying these types within the SDN, the results showed that the proposed system provides the better results of accuracy to detect the DDos attack in SDN network as 99.90% accuracy of Decision Tree (DT) algorithm.

Ramin Fadaei Fouladi,Orhan Ermiş,Emin Anarim

DOI: https://doi.org/10.1016/j.jisa.2020.102587

IF: 4.96

2020-10-01

Journal of Information Security and Applications

Abstract:Software defined networking (SDN) has emerged as the integral part of cloud services since it provides flexible management capabilities to monitor and to analyze the network traffic with the help of programmable entities. Although, such functionalities play a significant role in terms of protecting the availability of cloud services against the security threats, SDN still has some vulnerabilities such as the distributed denial of service (DDoS) attacks. The DDoS attackers use spurious packets similar to normal ones and endanger the service continuity of SDN. Although conventional packet-based intrusion detection systems have broad databases to detect DDoS attacks, they are impotent of detection when the attack traffic is sheltered by the normal network traffic. The idea is therefore, to come up with a new countermeasure by observing and distinguishing the instant changes in network. In this work, we propose a DDoS attack detection and defense scheme using time-series analysis for SDN. The proposed scheme employs a model based on the upcoming traffic feature forecasting and the chaos theory together with the exponential filter and the dynamic threshold method to detect instant changes in the network. The experimental result shows that our algorithm has high detection rate and low false alarm.

computer science, information systems