Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Daojing He,Sammy Chan,Xiejun Ni,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2017.2694702

IF: 10.6

2017-01-01

IEEE Internet of Things Journal

Abstract:Traffic anomaly detection has been a principal direction in the network security field, which aims to identify attacks based on significant deviations from the established normal usage profiles. Recently, a new networking paradigm, software defined networking (SDN), has emerged to facilitate effective network control and management. In this paper, we present the advantages of leveraging SDN to detect traffic anomaly, and review recent progresses in this direction. Despite their effectiveness for traditional traffic, SDN-based traffic anomaly detection methods have to face the challenge of continuously increasing network traffic. To this end, we propose two refined algorithms to be used in an anomaly detection framework which can handle voluminous data, and report some experimental results to demonstrate their performance.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Wei Xiong,Hanping Hu,Naixue Xiong,Laurence T. Yang,Wen-Chih Peng,Xiaofei Wang,Yanzhen Qu

DOI: https://doi.org/10.1016/j.ins.2013.04.009

IF: 8.1

2013-01-01

Information Sciences

Abstract:Cloud computing represents a new paradigm where computing resources are offered as services in the world via communication Internet. As many new types of attacks are arising at a high frequency, the cloud computing services are exposed to an increasing amount of security threats. To reduce security risks, two approaches of the network traffic anomaly detection in cloud communications have been presented, which analyze dynamic characteristics of the network traffic based on the synergetic neural networks and the catastrophe theory. In the former approach, a synergetic dynamic equation with a group of the order parameters is used to describe the complex behaviors of the network traffic system in cloud communications. When this equation is evolved, only the order parameter determined by the primary factors can converge to 1. Then, the anomaly can be detected. In the latter approach, a catastrophe potential function is introduced to describe the catastrophe dynamic process of the network traffic in cloud communications. When anomalies occur, the state of the network traffic will deviate from the normal one. To assess the deviation, an index named as catastrophe distance is defined. The network traffic anomaly can be detected by the value of this index. We evaluate the performance of these two approaches using the standard Defense Advanced Research Projects Agency data sets. Experimental results show that our approaches can effectively detect the network traffic anomaly and achieve the high detection probability and the low false alarms rate.

Huishan Bian,Liehuang Zhu,Meng Shen,Mingzhong Wang,Chang Xu,Qiongyu Zhang

DOI: https://doi.org/10.1007/978-3-319-31550-8_1

2015-01-01

Abstract:Software Defined Network SDN separates control plane from data plane and provides programmability which adds rich function for anomaly detection. In this case, every organization can manage their own network and detect anomalous traffic data using SDN architecture. Moreover, detection of malicious traffic, such as DDoS attack, would be dealt with much higher accuracy if these organizations shared their data. Unfortunately, they are unwilling to do so due to privacy consideration. To address this contradiction, we propose an efficient and privacy-preserving collaborative anomaly detection scheme. We extend prior work on SDN-based anomaly detection method to guarantee accuracy and privacy at the same time. The implementation of our design on simulated data shows that it performs well for network-wide anomaly detection with little overhead.

Yang Qin,Junjie Wei,Weihong Yang

DOI: https://doi.org/10.23919/apnoms.2019.8892873

2019-01-01

Abstract:Software Defined Networking (SDN) has attracted more and more attention due to its prominent features that are different from the traditional network. SDN is programmable through which controller can modify the rules in the switch. However, security was not considered in its initial design, and many manufacturers no longer support Transport Layer Security (TLS) due to the cost. Although many machine learning based approaches have been implemented in SDN, they all need features that experts extract from original data. However, the manual extraction increases the level of human interaction and decreases detection accurate. This paper presents a malicious network traffic classification method based on Convolutional Neural Network (CNN) and Recurrent Neural Network (RNN) to address these concerns. Our proposed method is implemented in Graphic Process Unit (GPU) enabled TensorFlow. We evaluated our proposal on three datasets. The results demonstrate that our proposal achieves improvements in term of detection accuracy and stability over existing approaches and strong potential for user in SDN security.

Zhaohui Ma,Jialiang Huang

DOI: https://doi.org/10.1007/978-981-15-2767-8_33

2020-01-01

Abstract:The seperation of control layer from data layer through SDN (software defined network) enables network administrators to plan the network programmatically without changing network devices, realizing flexible configuration of network devices and fast forwarding of data flows. However, due to its construction, SDN is vulnerable to be attacked by Distributed Denial of Service (DDoS) attack. So it is important to detect DDoS attack in SDN network. This paper presents a DDoS detection scheme based on the machine learning method of SVM (support vector machine) support vector machine in SDN environment. By extracting the flow table information features in SDN network, the data is detected and the data model of DDoS traffic can be trained, and the purpose of DDoS abnormal traffic identification is finally realized.

Ancy Sherin Jose,Latha R Nair,Varghese Paul

DOI: https://doi.org/10.47059/revistageintec.v11i4.2411

2021-07-29

Revista Gestão Inovação e Tecnologias

Abstract:Distributed Denial of Service Attack (DDoS) has emerged as a major threat to cyber space. A DDoS attack aims at exhausting the resources of the victim causing financial and reputational damages to it. The availability of free software make launching of DDoS attacks easy. The difficulty in differentiating a DDoS traffic from a legitimate traffic burst such as a flash crowd makes DDoS difficult to be identified. A wide range of techniques have been used in conventional networks to detect and mitigate DDoS attacks. Though the advent of Software Defined Networking (SDN) makes a network easy to be managed even SDN is vulnerable to DDoS attacks. In this case, the controller of the SDN gets overloaded with the incoming packets from the switches. In fact, a solution based on security analytics can be put in place to ward off this threat as a proactive security measure using the flow level statistics available from the SDN. Compared to the packet analysis used in traditional networks which is resource expensive the flow level statistics is relatively inexpensive. This paper focuses on the design and implementation of an attack detection system for detecting the flooding DDoS attacks TCP SYN flooding attacks, HTTP request flooding attacks, UDP flooding attacks and ICMP flooding attacks over SDN network traffic. The system uses various classification algorithms to classify a traffic into normal or attack. The feature sets for classification were arrived at using a feature selection module with ANOVA (Analysis of Variance) F-Test statistical method. Performance evaluation of each of the classifiers was carried out for the three feature sets obtained from the feature selection module using various performance measures and the results have been tabulated. The feature set which gives the best performance in detecting malicious traffic has been identified.

Jin Wang,Liping Wang

DOI: https://doi.org/10.3390/s22218287

IF: 3.9

2022-10-29

Sensors

Abstract:With the development of Software Defined Networking (SDN), its security is becoming increasingly important. Since SDN has the characteristics of centralized management and programmable, attackers can easily take advantage of the security vulnerabilities of SDN to carry out distributed denial of service (DDoS) attacks, which will cause the memory of controllers and switches to be occupied, network bandwidth and server resources to be exhausted, affecting the use of normal users. To solve this problem, this paper designs and implements an online attack detection and mitigation SDN defense system. The SDN defense system consists of two modules: anomaly detection module and mitigation module. The anomaly detection model uses a lightweight hybrid deep learning method—Convolutional Neural Network and Extreme Learning Machine (CNN-ELM) for anomaly detection of traffic. The mitigation model uses IP traceback to locate the attacker and effectively filters out abnormal traffic by sending flow rule commands from the controller. Finally, we evaluate the SDN defense system. The experimental results show that the SDN defense system can accurately identify and effectively mitigate DDoS attack flows in real-time.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Trung V. Phan,Minho Park

DOI: https://doi.org/10.1109/access.2019.2896783

IF: 3.9

2019-01-01

IEEE Access

Abstract:Software-defined networking (SDN) is the key outcome of extensive research efforts over the past few decades toward transforming the Internet infrastructure to be more programmable, configurable, and manageable. However, critical cyber-threats in the SDN-based cloud environment are rising rapidly, in which distributed denial-of-service (DDoS) attack is one of the most damaging cyber attacks. In this paper, we propose an efficient solution to tackle DDoS attacks in the SDN-based cloud environment. We first introduce a new hybrid machine learning model based on support vector machine and self-organizing map algorithms to improve the traffic classification. Then, we propose an enhanced history-based IP filtering scheme ( $eHIPF$ ) to improve the attack detection rate and speed. Finally, we introduce a novel mechanism that combines both the hybrid machine learning model and the $eHIPF$ scheme to make a DDoS attack defender for the SDN-based cloud environment. The testbed is implemented in an SDN-based cloud with service function chaining. Through practical experiments, the proposed DDoS attack defender is proven to outperform existing mechanisms for DDoS attack classification and detection. The comprehensive experiments conducted with various DDoS attack levels prove that the proposed mechanism is an effective, innovative approach to defend DDoS attacks in the SDN-based cloud.

computer science, information systems,telecommunications,engineering, electrical & electronic

Bing Wang,Yao Zheng,Wenjing Lou,Y. Thomas Hou

DOI: https://doi.org/10.1016/j.comnet.2015.02.026

IF: 5.493

2015-04-01

Computer Networks

Abstract:Cloud computing has become the real trend of enterprise IT service model that offers cost-effective and scalable processing. Meanwhile, Software-Defined Networking (SDN) is gaining popularity in enterprise networks for flexibility in network management service and reduced operational cost. There seems a trend for the two technologies to go hand-in-hand in providing an enterprise’s IT services. However, the new challenges brought by the marriage of cloud computing and SDN, particularly the implications on enterprise network security, have not been well understood. This paper sets to address this important problem.We start by examining the security impact, in particular, the impact on DDoS attack defense mechanisms, in an enterprise network where both technologies are adopted. We find that SDN technology can actually help enterprises to defend against DDoS attacks if the defense architecture is designed properly. To that end, we propose a DDoS attack mitigation architecture that integrates a highly programmable network monitoring to enable attack detection and a flexible control structure to allow fast and specific attack reaction. To cope with the new architecture, we propose a graphic model based attack detection system that can deal with the dataset shift problem. The simulation results show that our architecture can effectively and efficiently address the security challenges brought by the new network paradigm and our attack detection system can effectively report various attacks using real-world network traffic.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

CHEN Xingshu,HUA Qiang,WANG Yitong,GE Long,ZHU Yi

DOI: https://doi.org/10.11959/j.issn.1000-436x.2019120

2019-01-01

Abstract:Aiming at the problems of low-rate DDoS attack detection accuracy in cloud SDN network and the lack of unified framework for data plane and control plane low-rate DDoS attack detection and defense,a unified framework for low-rate DDoS attack detection was proposed.First of all,the validity of the data plane DDoS attacks in low rate was analyzed,on the basis of combining with low-rate of DDoS attacks in the aspect of communications,frequency characteristics,extract the mean value,maximum value,deviation degree and average deviation,survival time of ten dimensions characteristics of five aspects,to achieve the low-rate of DDoS attack detection based on bayesian networks,issued by the controller after the relevant strategies to block the attack flow.Finally,in OpenStack cloud environment,the detection rate of low-rate DDoS attack reaches 99.3% and the CPU occupation rate is 9.04%.It can effectively detect and defend low-rate DDoS attacks.

Xinshuo Bai,Jun Bai,Xu Yang,Hongri Liu,Bailing Wang,Yang Liu

DOI: https://doi.org/10.1109/ICAIT51223.2020.9315471

2020-01-01

Abstract:Software-Defined Network (SDN), an innovating technique, endows flexibility and programmability to the network in contrast to the conventional one. Its idea of decoupling control and data plane brings convenience to manage networks like load balancing, traffic engineering, virtual firewall etc. Nevertheless, the separated plane structure results in novel threats, composed by the common in conventional network and the specialized in SDN. In this paper, we propose a deep learning approach to detect anomaly in SDN with OpenFlow by analyzing multiple metrics extracted from OpenFlow switch metadata. Evaluated by four trained deep learning models to classify the multivariate time series, we obtained an average accuracy of 83.8%.

Kun Wang,Yu Fua,Xueyuan Duan,Taotao Liu,Jianqiao Xu

2023-11-20

Abstract:Software defined network (SDN) provides technical support for network construction in smart cities, However, the openness of SDN is also prone to more network attacks. Traditional abnormal traffic detection methods have complex algorithms and find it difficult to detect abnormalities in the network promptly, which cannot meet the demand for abnormal detection in the SDN environment. Therefore, we propose an abnormal traffic detection system based on deep learning hybrid model. The system adopts a hierarchical detection technique, which first achieves rough detection of abnormal traffic based on port information. Then it uses wavelet transform and deep learning techniques for fine detection of all traffic data flowing through suspicious switches. The experimental results show that the proposed detection method based on port information can quickly complete the approximate localization of the source of abnormal traffic. the accuracy, precision, and recall of the fine detection are significantly improved compared with the traditional method of abnormal traffic detection in SDN.

Networking and Internet Architecture

Di Wu,Jie Li,Sajal K. Das,Jinsong Wu,Yusheng Ji,Zhetao Li

DOI: https://doi.org/10.1109/icc.2018.8422448

2018-01-01

Abstract:Software-Defined networking (SDN), as a new paradigm, fixes the shortage that traditional network does not support the dynamic, scalable computing and storage needs of more computing environments. SDN, however, also faces security problems such as vulnerable to DDoS attacks. DDoS attacks are well-known and powerful attacks. DDoS detection and DDoS traffic separation for SDN environments are still an open research issue. DDoS attacks in SDN environments will not only bring damage to target server, but also takes exact impact on SDN system. In this paper, we identify a new type DDoS attack, specifically aiming SDN environment, which is harder to be detected. We propose a novel real-time DDoS detection scheme for SDN environment, by using Principal Component Analysis (PCA) scheme to analyze the network status on traffic packets data. We separate the network into different parts, to reduce the total calculation burden. We compare our scheme with sample entropy, showed our scheme achieves better detecting ability for DDoS attacks.

Hsiu-Min Chuang,Fanpyn Liu,Chung-Hsien Tsai

DOI: https://doi.org/10.3390/sym14061178

2022-06-08

Symmetry

Abstract:Recent developments have made software-defined networking (SDN) a popular technology for solving the inherent problems of conventional distributed networks. The key benefit of SDN is the decoupling between the control plane and the data plane, which makes the network more flexible and easier to manage. SDN is a new generation network architecture; however, its configuration settings are centralized, making it vulnerable to hackers. Our study investigated the feasibility of applying artificial intelligence technology to detect abnormal attacks in an SDN environment based on the current unit network architecture; therefore, the concept of symmetry includes the sustainability of SDN applications and robust performance of machine learning (ML) models in the case of various malicious attacks. In this study, we focus on the early detection of abnormal attacks in an SDN environment. On detection of malicious traffic in SDN topology, the AI module in the topology is applied to detect and act against the attack source through machine learning algorithms, making the network architecture more flexible. Under multiple abnormal attacks, we propose a hierarchical multi-class (HMC) architecture to effectively address the imbalanced dataset problem and improve the performance of minority classes. The experimental results show that the decision tree, random forest, bagging, AdaBoost, and deep learning models exhibit the best performance for distributed denial-of-service (DDoS) attacks. In addition, for the imbalanced dataset problem of multiclass classification, our proposed HMC architecture performs better than previous single classifiers. We also simulated the SDN topology and scenario verification. In summary, we concatenated the AI module to enhance the security and effectiveness of SDN networks in a practical manner.

Zhang Long,Wang Jinsong

DOI: https://doi.org/10.1016/j.cose.2022.102604

2022-04-01

Abstract:Software-defined networking (SDN) is a new network architecture that offers considerable management convenience and efficiency relative to conventional networks. However, the centralized control employed in SDN incurs a high risk of single point failure that is susceptible to distributed denial of service (DDoS) attacks. The present work addresses this issue by proposing a hybrid approach for detecting DDoS attacks using an initial detection module based on information entropy to quickly identify anomalous traffic and a second detection module based on machine learning with a stacked sparse autoencoder (SSAE)–support vector machine (SVM) architecture to confirm the suspected anomalous traffic. If DDoS traffic is detected, a defense module is implemented to restore normal network communication in a timely manner via an issued flow table. The effectiveness and efficiency of the proposed approach for DDoS detection is experimentally evaluated using both real-time and benchmark datasets in comparison with state-of-the-art methods. The results demonstrate that the proposed approach provides superior detection performance and identifies greater than 98% of existing DDoS traffic with greatly reduced training time and computational burden.

computer science, information systems

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Haosu Cheng,Jianwei Liu,Tongge Xu,Bohan Ren,Jian Mao,Wei Zhang

DOI: https://doi.org/10.1504/ijsnet.2020.109720

2020-01-01

International Journal of Sensor Networks

Abstract:The software-defined network (SDN) enabled internet of things (IoT) architecture is deployed in many industrial systems. The ability of SDN to intelligently route traffic and use underutilised network resources, enables IoT networks to cope with data onslaught smoothly. SDN also eliminates bottlenecks and helps to process IoT data efficiently without placing a larger strain on the network. The SDN-based IoT network is vulnerable to DDoS attack in a sophisticated usage environment. The SDN-based IoT network behaviours are different from traditional networks, which makes the detection of low-traffic DDoS attacks more difficult. In this paper, we propose a learning-based detection approach that deploys learning algorithms and utilizes stateful and stateless features from Openflow packages to identify attack traffics in SDN control and data planes. Our prototype approach and experiment results show that our system identified the low-rate DDoS attack traffic accurately with relatively low system performance overheads.