Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Kun Wang,Yu Fu,Xueyuan Duan,Taotao Liu

DOI: https://doi.org/10.1038/s41598-024-66907-z

2024-07-16

Abstract:Due to the large computational overhead, underutilization of features, and high bandwidth consumption in traditional SDN environments for DDoS attack detection and mitigation methods, this paper proposes a two-stage detection and mitigation method for DDoS attacks in SDN based on multi-dimensional characteristics. Firstly, an analysis of the traffic statistics from the SDN switch ports is performed, which aids in conducting a coarse-grained detection of DDoS attacks within the network. Subsequently, a Multi-Dimensional Deep Convolutional Classifier (MDDCC) is constructed using wavelet decomposition and convolutional neural networks to extract multi-dimensional characteristics from the traffic data passing through suspicious switches. Based on these extracted multi-dimensional characteristics, a simple classifier can be employed to accurately detect attack samples. Finally, by integrating graph theory with restrictive strategies, the source of attacks in SDN networks can be effectively traced and isolated. The experimental results indicate that the proposed method, which utilizes a minimal amount of statistical information, can quickly and accurately detect attacks within the SDN network. It demonstrates superior accuracy and generalization capabilities compared to traditional detection methods, especially when tested on both simulated and public datasets. Furthermore, by isolating the affected nodes, the method effectively mitigates the impact of the attacks, ensuring the normal transmission of legitimate traffic during network attacks. This approach not only enhances the detection capabilities but also provides a robust mechanism for containing the spread of cyber threats, thereby safeguarding the integrity and performance of the network.

Lu Wang,Ying Liu

DOI: https://doi.org/10.1109/itnec48623.2020.9085007

2020-01-01

Abstract:Software Defined Networking (SDN) decouples the control plane and the data plane and solves the difficulty of new services deployment. However, the threat of a single point of failure is also introduced at the same time. The attacker can launch DDoS attacks towards the controller through switches. In this paper, a DDoS attack detection method based on information entropy and deep learning is proposed. Firstly, suspicious traffic can be inspected through information entropy detection by the controller. Then, fine-grained packet-based detection is executed by the convolutional neural network (CNN) model to distinguish between normal traffic and attack traffic. Finally, the controller performs the defense strategy to intercept the attack. The experiments indicate that the accuracy of this method reaches 98.98%, which has the potential to detect DDoS attack traffic effectively in the SDN environment.

Chuanhuang Li,Yan Wu,Xiaoyong Yuan,Zhengjun Sun,Weiming Wang,Xiaolin Li,Liang Gong

DOI: https://doi.org/10.1002/dac.3497

2018-01-01

International Journal of Communication Systems

Abstract:SummaryDistributed denial of service (DDoS) is a special form of denial of service attack. In this paper, a DDoS detection model and defense system based on deep learning in Software‐Defined Network (SDN) environment are introduced. The model can learn patterns from sequences of network traffic and trace network attack activities in a historical manner. By using the defense system based on the model, the DDoS attack traffic can be effectively cleaned in Software‐Defined Network. The experimental results demonstrate the much better performance of our model compared with conventional machine learning ways. It also reduces the degree of dependence on environment, simplifies the real‐time update of detection system, and decreases the difficulty of upgrading or changing detection strategy.

Jin Ye,Xiangyang Cheng,Jian Zhu,Luting Feng,Ling Song

DOI: https://doi.org/10.1155/2018/9804061

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:The detection of DDoS attacks is an important topic in the field of network security. The occurrence of software defined network (SDN) (Zhang et al., 2018) brings up some novel methods to this topic in which some deep learning algorithm is adopted to model the attack behavior based on collecting from the SDN controller. However, the existing methods such as neural network algorithm are not practical enough to be applied. In this paper, the SDN environment by mininet and floodlight (Ning et al., 2014) simulation platform is constructed, 6-tuple characteristic values of the switch flow table is extracted, and then DDoS attack model is built by combining the SVM classification algorithms. The experiments show that average accuracy rate of our method is 95.24 % with a small amount of flow collecting. Our work is of good value for the detection of DDoS attack in SDN.

computer science, information systems,telecommunications

Heyu Wang,Yixuan Li

DOI: https://doi.org/10.1109/access.2024.3375395

IF: 3.9

2024-03-19

IEEE Access

Abstract:Software Defined network (SDN), as a new network architecture, is the direction of future network development. By decoupling the control plane and data plane of the network, the control and management of network resources can be improved. However, SDN centralized controllers become the target of malicious attacks, prone to the risk of single point of failure, of which DDoS attacks are the main attack behavior. Through extensive literature investigation, this paper systematically reviews the latest progress of DDoS attack detection in SDN environment. Firstly, the SDN architecture and corresponding DDoS attacks are described, and the commonly used data sets and evaluation indicators are summarized. Secondly, the data preprocessing technology is summarized, and the data dimensionality reduction technology is introduced in detail. Then, at the level of detection technology, it focuses on the advantages and disadvantages of detection algorithms based on statistical analysis, machine learning and deep learning. Finally, the challenges of current research are analyzed, and the future development direction is forecasted. In order to provide reference for future research and development, at the same time, it is of great significance to improve the safety of SDN products in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jaime Tamayo,Lorena Isabel Barona López,Ángel Leonardo Valdivieso Caraguay

2024-01-18

Abstract:Recent years witnessed a surge in network traffic due to the emergence of new online services, causing periodic saturation and complexity problems. Additionally, the growing number of IoT devices further compounds the problem. Software Defined Network (SDN) is a new architecture which offers innovative advantages that help to reduce saturation problems. Despite its benefits, SDNs not only can be affected by traditional attacks but also introduce new security challenges. In this context, Distributed Denial of Service (DDoS) is one of the most important attacks that can damage an SDN network's normal operation. Furthermore, if these attacks are executed using botnets, they can use thousands of compromised devices to disrupt critical online services. This paper proposes a framework for detecting DDoS attacks generated by a group of botnets in an SDN network. The framework is implemented using open-source tools such as Mininet and OpenDaylight and tested in a centralized network topology using BYOB and SNORT. The results demonstrate real-time attack identification by implementing an intrusion detection mechanism in the victim client. Our proposed solution offers quick and effective detection of DDoS attacks in SDN networks. The framework can successfully differentiate the type of attack with high accuracy in a short time

Networking and Internet Architecture

Jie Cui,Mingjun Wang,Yonglong Luo,Hong Zhong

DOI: https://doi.org/10.1016/j.future.2019.02.037

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Software-defined networking (SDN) provides a promising architecture for future networks, and can provide advantages as central control programmability and global view. However, it faces numerous security challenges. Distributed denial of service (DDoS) is a security threat to SDN. Most existing schemes only perform DDoS attack detection and do not address how to defend and recover after detecting DDoS. In this paper, a DDoS attack detection and defense mechanism based on cognitive-inspired computing with dual address entropy is proposed. The flow table characteristics of the switch are extracted, and a DDoS attack model is built by incorporating the support vector machine classification algorithm. This mechanism can realize real-time detection and defense at the preliminary stage of the DDoS attack and can restore normal communication in time. The experiment shows that our mechanism not only detects attacks quickly but also has a high detection rate and low false positive rate. More importantly, it can take appropriate defense and recovery measures in the time after the attack has been identified.

Quamar Niyaz,Weiqing Sun,Ahmad Y Javaid

DOI: https://doi.org/10.4108/eai.28-12-2017.153515

2016-11-23

Abstract:Distributed Denial of Service (DDoS) is one of the most prevalent attacks that an organizational network infrastructure comes across nowadays. We propose a deep learning based multi-vector DDoS detection system in a software-defined network (SDN) environment. SDN provides flexibility to program network devices for different objectives and eliminates the need for third-party vendor-specific hardware. We implement our system as a network application on top of an SDN controller. We use deep learning for feature reduction of a large set of features derived from network traffic headers. We evaluate our system based on different performance metrics by applying it on traffic traces collected from different scenarios. We observe high accuracy with a low false-positive for attack detection in our proposed system.

Networking and Internet Architecture

Zhenpeng Liu,Yihang Wang,Fan Feng,Yifan Liu,Zelin Li,Yawei Shan

DOI: https://doi.org/10.3390/s23136176

IF: 3.9

2023-07-06

Sensors

Abstract:Distributed denial-of-service (DDoS) attacks pose a significant cybersecurity threat to software-defined networks (SDNs). This paper proposes a feature-engineering- and machine-learning-based approach to detect DDoS attacks in SDNs. First, the CSE-CIC-IDS2018 dataset was cleaned and normalized, and the optimal feature subset was found using an improved binary grey wolf optimization algorithm. Next, the optimal feature subset was trained and tested in Random Forest (RF), Support Vector Machine (SVM), K-Nearest Neighbor (k-NN), Decision Tree, and XGBoost machine learning algorithms, from which the best classifier was selected for DDoS attack detection and deployed in the SDN controller. The results show that RF performs best when compared across several performance metrics (e.g., accuracy, precision, recall, F1 and AUC values). We also explore the comparison between different models and algorithms. The results show that our proposed method performed the best and can effectively detect and identify DDoS attacks in SDNs, providing a new idea and solution for the security of SDNs.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ying Liu,Ting Zhi,Ming Shen,Lu Wang,Yikun Li,Ming Wan

DOI: https://doi.org/10.1016/j.future.2021.11.009

IF: 7.307

2022-01-01

Future Generation Computer Systems

Abstract:Software Defined Networking (SDN) decouples the control plane and the data plane and solves the difficulty of new services deployment. However, the threat of a single point of failure is also introduced at the same time. Attackers usually launch distributed denial of service (DDoS) attacks towards the controller through switches. However, it is difficult for the traditional DDoS detection methods to balance the relationship between accuracy and efficiency. Statistical analysis-based methods have low accuracy, while machine learning-based methods have low efficiency and high training cost. In this paper, a two-level DDoS attack detection method based on information entropy and deep learning is proposed. First, the information entropy detection mechanism detects suspicious components and ports in coarse granularity. Then, a fine-grained packet-based detection mechanism is executed by the convolutional neural network (CNN) model to distinguish normal traffic from suspicious traffic. Finally, the controller performs the defense strategy to intercept the attack. The experiment results indicate that the detection accuracy of the proposed method reaches 98.98%, which shows the potential of detecting DDoS attack traffic effectively in the SDN environment.

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Xiaofan Chen,Shunzheng Yu

2016-01-01

Abstract:We study two types of attacks particularly targeting SDN, i.e. controller-targeting DDoS and switch-targeting LDDoS (low-rate DDoS). Attackers of DDoS generate special packets to overload the bandwidth and computation resource of SDN controller. Attackers of LDDoS generate special packets periodically to overload the flow table of SDN switch. A new collaborative intrusion detection system is proposed in this paper to detect such attacks. It consists of cascaded two-level artificial neural networks which are distributed over the entire substrate of SDN. Each neural network disperses its computation power over the network that requires every participating switch to perform like a neuron. The first level neural networks discover the anomaly with a global view, while the second level one classifies the attacks based on their time pattern. Therefore, the system is robust without individual centralized targets and has a global view on the distributed attack without aggregating traffic over the network. Simulation results demonstrate its effectiveness.

Deyun Gao,Zehui Liu,Ying Liu,Chuan Heng Foh,Ting Zhi,Han-Chieh Chao

DOI: https://doi.org/10.1007/s00500-018-3407-3

IF: 3.732

2018-01-01

Soft Computing

Abstract:Software-defined networking (SDN) is the key outcome of extensive research efforts over the past few decades toward transforming the Internet to a more programmable, configurable, and manageable infrastructure. At the same time, SDN will surely become a new target of cyber attackers. In this paper, we point out one of the critical vulnerabilities in SDNs, the capacity of controller, which is most likely to be attacked. Due to the logical centralized management, the breakdown of a controller may disrupt a whole SDN network, which can be easily occurred by Packet-In messages flooding attack (a network-level DDoS attack). To provide a robust environment in SDN, we propose an effective detection method, which has low overhead and high accuracy. We first classify the potential switches that are compromised using Bayesian Network, which is a supervised learning algorithm. Then, we deploy the anomaly detection on the vulnerable switches to detect the Packet-In messages flooding attack based on fuzzy c-means. Extensive simulations and testbed-based experiments show that the proposed solution can defeat the Packet-In messages flooding attack with low overhead and high accuracy.

JIA Min,SHU Yuejie,GUO Qing,GAO Zihe,XIE Suofei

DOI: https://doi.org/10.12142/ztecom.202004004

2020-01-01

Abstract:With the development of satellite communications,the number of satellite nodes is constantly increasing,which undoubtedly increases the difficulty of maintaining network security.Combining software defined network（SDN） with traditional space-based networks provides a new class of ideas for solving this problem.However,because of the highly centralized network management of the SDN controller,once the SDN controller is destroyed by network attacks,the network it manages will be paralyzed due to loss of control.One of the main security threats to SDN controllers is Distributed Denial of Service（DDoS） attacks,so how to detect DDoS attacks scientifically has become a hot topic among SDN security management.This paper proposes a DDoS attack detection method for space-based networks based on SDN architecture.This attack detection method combines the optimized Long Short-Term Memory（LSTM） deep learning model and Support Vector Machine（SVM）,which can not only make classification judgments on the time series,but also achieve the purpose of detecting and judging through the flow characteristics of a period of time.In addition,it can reduce the detection time as well as the system burden.

Rudong Zhao,Songjie Wei,Milin Ren

DOI: https://doi.org/10.1109/ctceec.2017.8455172

2017-01-01

Abstract:This paper proposes a Distributed Denial of Service (DDoS) attack detection and defense system based on Software Defined Networks (SDN) architecture. The system is composed of a monitoring module, a detection module and a reaction module. The monitoring module is designed to raise alerts by analyzing Packet_In messages. It detects and reports anomalies to the detection module for further evaluation, which overcomes the disadvantages of slow response and large overhead of periodic trigger detection. The reaction module can trace back attack traffic flows to quickly and accurately identify malicious hosts. The use of a SDN controller brings in a global view of the network topology in the monitoring and detection procedures for the access layer switch and reduces the processing range. This paper extends the OpenFlow protocol so that a flow entry can record and track the flow path information, which improves the efficiency and accuracy of attack traffic traceability. Simulation experiments show that the proposed scheme has a relatively faster response to DDoS attack with less processing pressure imposed on the controller.

Haosu Cheng,Jianwei Liu,Tongge Xu,Bohan Ren,Jian Mao,Wei Zhang

DOI: https://doi.org/10.1504/ijsnet.2020.109720

2020-01-01

International Journal of Sensor Networks

Abstract:The software-defined network (SDN) enabled internet of things (IoT) architecture is deployed in many industrial systems. The ability of SDN to intelligently route traffic and use underutilised network resources, enables IoT networks to cope with data onslaught smoothly. SDN also eliminates bottlenecks and helps to process IoT data efficiently without placing a larger strain on the network. The SDN-based IoT network is vulnerable to DDoS attack in a sophisticated usage environment. The SDN-based IoT network behaviours are different from traditional networks, which makes the detection of low-traffic DDoS attacks more difficult. In this paper, we propose a learning-based detection approach that deploys learning algorithms and utilizes stateful and stateless features from Openflow packages to identify attack traffics in SDN control and data planes. Our prototype approach and experiment results show that our system identified the low-rate DDoS attack traffic accurately with relatively low system performance overheads.

Yunhe Cui,Qing Qian,Chun Guo,Guowei Shen,Youliang Tian,Huanlai Xing,Lianshan Yan

DOI: https://doi.org/10.1016/j.jnca.2021.103156

IF: 7.574

2021-01-01

Journal of Network and Computer Applications

Abstract:Software-Defined Networking (SDN) is widely considered as one of the next generation network architecture. However, SDN faces with a series of issues which restraint its development and application, where the security is one of the serious issues. The Distributed Denial of Service (DDoS) is such a devastating security problem. In this work, a comprehensive review of the DDoS detection mechanisms utilized in SDN is presented. DDoS attacks in SDN are classified into two types and five subtypes based on the features of DDoS and SDN. For each kind of DDoS, how the attackers can exploit the vulnerabilities of SDN to launch DDoS attacks is discussed. Subsequently, the DDoS detection mechanisms used in SDN are reviewed and categorized into five types and forty-six subtypes. These kinds of DDoS detection mechanisms are compared and analyzed, where we draw a conclusion that the machine learning-based DDoS detection mechanisms and threshold-based DDoS detection mechanisms are the two most popular technologies utilized to detect DDoS attacks in SDN. More importantly, for each kind of DDoS detection mechanism, the generational process, advantages, and disadvantages are discussed. Additionally, the open problems and future directions of DDoS detection in SDN are discussed. By presenting these review, discussion and analysis, we hope it can facilitate the understanding of DDoS detection in SDN.

Tewelde Gebremedhin Gebremeskel,Ketema Adere Gemeda,T. Gopi Krishna,Perumalla Janaki Ramulu

DOI: https://doi.org/10.1155/2023/9965945

2023-06-24

Wireless Communications and Mobile Computing

Abstract:A software-defined network (SDN) brings a lot of advantages to the world of networking through flexibility and centralized management; however, this centralized control makes it susceptible to different types of attacks. Distributed denial of service (DDoS) is one of the most dangerous attacks that are frequently launched against the controller to put it out of service. This work takes the special ability of SDN to propose a solution that is an implementation run at the multicontroller to detect a DDoS attack at the early stage. This method not only detects the attacks but also identifies the attacking paths and starts a mitigation process to provide protection for the network devices. This method is based on the entropy variation of the destination host targeted with its IP address and can detect the attack within the first 250 packets of malicious traffic attacking a particular host. Then, fine-grained packet-based detection is performed using a deep-learning model to classify the attack into different types of attack categories. Lastly, the controller sends the updated traffic information to neighbor controllers. The chi-squared ( x 2 ) test feature selection algorithm was also employed to reveal the most relevant features that scored the highest in the provided data set. The experiment result demonstrated that the proposed Long Short-Term Memory (LSTM) model achieved an accuracy of up to 99.42% using the data set CICDDoS2019, which has the potential to detect and classify the DDoS attack traffic effectively in the multicontroller SDN environment. In this regard, it has an enhanced accuracy level to 0.42% compared with the RNN-AE model with data set CICDDoS2019, while it has improved up to 0.44% in comparison with the CNN model with the different data set ICICDDoS2017.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ping Dong,Xiaojiang Du,Hongke Zhang,Tong Xu

DOI: https://doi.org/10.1109/ICC.2016.7510992

2016-01-01

Abstract:A Distributed Denial of Service (DDoS) attack against controllers is one of the key security threats of Software-Defined Networking (SDN). The breakdown of a controller may disrupt a whole SDN network. Nowadays, a novel DDoS means is that the attackers may generate vast new low-traffic flows to trigger malicious flooding requests to overload the controllers. It is difficult to prevent this attack, as the attackers may connect to any interface of any switch in an SDN network. In this paper, we propose an effective detection method, which is designed to detect the DDoS attack and to further locate the compromised interfaces the malicious attackers have connected. We first classify the flow events associated with an interface, then make a decision using Sequential Probability Ratio Test (SPRT), which has bounded false negative and false positive error rates. In addition, we evaluate the performance of the proposed method using DARPA Intrusion Detection Data Sets. We also discuss and compare our method to three other detection methods, which are based on the percentage, count, and entropy of the flows, respectively, and demonstrate the superiority of our method in terms of promptness, versatility and accuracy.