Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Hongcheng Huang,Peixin Ye,Min Hu,Jun Wu

DOI: https://doi.org/10.1016/j.dcan.2022.04.008

IF: 6.348

2022-04-01

Digital Communications and Networks

Abstract:Nowadays, a large number of intelligent devices involved in the Industrial Internet of Things (IIoT) environment are posing unprecedented cybersecurity challenges. Due to the limited budget for security protection, the IIoT devices are vulnerable and easily compromised to launch Distributed Denial-of-Service (DDoS) attacks, resulting in disastrous results. Unfortunately, considering the particularity of the IIoT environment, most of the defense solutions in traditional networks cannot be directly applied to IIoT with acceptable security performance. Therefore, in this work, we propose a multi-point collaborative defense mechanism against DDoS attacks for IIoT. Specifically, for the single point DDoS defense, we design an edge-centric mechanism termed EdgeDefense for the detection, identification, classification, and mitigation of DDoS attacks and the generation of defense information. For the practical multi-point scenario, we propose a collaborative defense model against DDoS attacks to securely share the defense information across the network through the blockchain. Besides, a fast defense information sharing mechanism is designed to reduce the delay of defense information sharing and provide a responsive cybersecurity guarantee. The simulation results indicate that the identification and classification performance of the two machine learning models designed for EdgeDefense are better than those of the state-of-the-art baseline models, and therefore EdgeDefense can defend against DDoS attacks effectively. The results also verify that the proposed fast sharing mechanism can reduce the propagation delay of the defense information blocks effectively, thereby improving the responsiveness of the multi-point collaborative DDoS defense.

telecommunications

Feiyang Hong,Zhejing Bao,Miao You

DOI: https://doi.org/10.1109/CCDC52312.2021.9601681

2021-01-01

Abstract:Recent studies show that the cyber-attacks such as false data injection attack (FDIA) are capable of severely threatening power system security, in such a way that the undetected errors are introduced into the states estimations by evading the conventional bad data detection (BDD) methods. This paper proposes a tri-level optimization model against the FDIA by formulating the attack actions and identifying the optimal defense strategies constrained by the limited resources. In the lower level, an economic dispatching is implemented to seek the operational strategy aiming at minimizing the operating costs under the given attack. The middle level formulates the behaviors of the attacker to discover the most destructive attack strategy intended by the attacker based on the defense strategy determined by the upper level. The upper level represents the actions of the planner and determines the optimal defense allocation on the measuring meters. The min-max-min tri-level model can be solved by the column-and-constraint generation (C&CG) algorithm. Simulations are implemented to identify the components which should be protected under the limited defense resources and severe attacks.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Haiyang Huang,Tianhui Meng,Jianxiong Guo,Xuekai Wei,Weijia Jia

DOI: https://doi.org/10.1145/3641106

2024-02-23

ACM Transactions on Sensor Networks

Abstract:Application-layer distributed denial-of-service (DDoS) attacks incapacitate systems by using up their resources, causing service interruptions, financial losses, and more. Consequently, advanced deep-learning techniques are used to detect and mitigate these attacks in cloud infrastructures. However, in mobile edge computing (MEC), it becomes economically impractical to equip each node with defensive resources, as these resources may largely remain unused in edge devices. Furthermore, current methods are mainly concentrated on improving the accuracy of DDoS attack detection and saving CPU resources, neglecting the effective allocation of computational power for benign tasks under DDoS attacks. To address these issues, this paper introduces SecEG, a secure and efficient strategy against DDoS attacks for MEC that integrates container-based task isolation with lightweight online anomaly detection on edge nodes. More specifically, a new model is proposed to analyze resource contention dynamics between DDoS attacks and benign tasks. Subsequently, by employing periodic packet sampling and real-time attack intensity predicting, an autoencoder-based method is proposed to detect DDoS attacks. We leverage an efficient scheduling method to optimize the edge resource allocation and the service quality for benign users during DDoS attacks. When executed in the real-world edge environment, our experimental findings validate the efficacy of the proposed SecEG strategy. Compared to conventional methods, the service rate of benign requests increases by 23% under intense DDoS attacks, and the CPU resource is saved up to 35%.

computer science, information systems,telecommunications

Yiying Zhang,Yiyang Liu,Xiaoyan Guo,Zhu Liu,Xiankun Zhang,Kun Liang

DOI: https://doi.org/10.3390/en15217882

IF: 3.2

2022-10-25

Energies

Abstract:With the rapid development of smart grids, the number of various types of power IoT terminal devices has grown by leaps and bounds. An attack on either of the difficult-to-protect end devices or any node in a large and complex network can put the grid at risk. The traffic generated by Distributed Denial of Service (DDoS) attacks is characterised by short bursts of time, making it difficult to apply existing centralised detection methods that rely on manual setting of attack characteristics to changing attack scenarios. In this paper, a DDoS attack detection model based on Bidirectional Long Short-Term Memory (BiLSTM) is proposed by constructing an edge detection framework, which achieves bi-directional contextual information extraction of the network environment using the BiLSTM network and automatically learns the temporal characteristics of the attack traffic in the original data traffic. This paper takes the DDoS attack in the power Internet of Things as the research object. Simulation results show that the model outperforms traditional advanced models such as Recurrent Neural Network (RNN) and Long Short Term Memory (LSTM) in terms of accuracy, false detection rate, and time delay. It plays an auxiliary role in the security protection of the power Internet of Things and effectively improves the reliability of the power grid.

energy & fuels

Minh T. Hoang,Nhan V. Nguyen,Thu A. Pham,Tra T. Nguyen,Tuan M. Dang,Hoang N. Nguyen

DOI: https://doi.org/10.15837/ijccc.2024.5.6767

IF: 2.635

2024-09-02

International Journal of Computers Communications & Control

Abstract:Edge computing is essential for 6G mobile networks for improving reliability, reducing data rates and latency, and enhancing mobile connectivity. Edge computing is also meant to meet the increasing demands of the Internet of Things (IoT)/ Internet of Everything (IoE). In these approaches, IIoT systems necessitate precision, reliability, and scalability, while vulnerabilities in IIoT systems may lead to financial losses and safety hazards. To tackle this, Edge AI/ML-based IDSs provide adaptability and robustness for IIoT security challenges. These solutions improve security levels, threat detection rates, and response times. However, main issues such as limited resources and the accuracy of attack detection rate are challenged nowadays. In this paper, we present contributions in proposing an intrusion detection system (IDS) for edge devices deploying a lightweight deep neural network to detect IIoT attacks. We present performance analysis of the typical dimensionality reduction methods and balancing data features of the Edge-IIoT dataset to get higher performance metrics than other state-of-the-art studies.

computer science, information systems,automation & control systems

Masoumeh Zareapoor,Pourya Shamsolmoali,M. Afshar Alam

DOI: https://doi.org/10.1504/ijcse.2018.10012837

2018-01-01

International Journal of Computational Science and Engineering

Abstract:Distributed denial of service (DDoS) attacks have become a serious attack on internet security and cloud computing. This kind of attacks is the most complex form of denial of service (DoS) attacks. This type of attack can simply duplicate its source address, such as spoofing attack, which disguises the real location of the attack. Therefore, DDoS attack is the most significant challenge for network security. In this paper, we present a model to detect and mitigate DDoS attacks in cloud computing. The proposed model requires very small storage and has the ability of fast detection. The experimental results show that the system is able to mitigate most of the attacks. Detection accuracy and processing time were the metrics used to evaluate the performance of proposed model. From the results, it is evident that the system achieved high detection accuracy (97%) with some minor false alarms.

Wei Guo,Jin Xu,Yukui Pei,Liuguo Yin,Chunxiao Jiang,Ning Ge

DOI: https://doi.org/10.1109/jiot.2022.3176121

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Satellite Internet (SI) dramatically expanded the ground-based Internet, and it is also the future direction of 6G. However, due to limited computing power and bandwidth resources, Distributed Denial-of-Service (DDoS) attacks can cause more severe damage to SI, and even paralysis of the entire network. Current DDoS defense mechanisms are built on abundant computing power and bandwidth resources, making applying in the SI scenario challenging. Aiming at protecting SI from DDoS attacks, a blockchain-based distributed collaborative entrance defense (DCED) framework is proposed, in which network traffic characteristics can be recorded and aggregated at the entrances of SI. The proposed framework consists of a distributed detection digesting procedure, a digest virtual aggregation procedure, and an entrance control strategy. The former procedure detects and extracts multidimensional characteristics of DDoS attacks and pushes them onto the blockchain. The latter procedure collects block data and aggregates attack features using the MapReduce algorithm and then compares them with baseline and gives an alert. The strategy completes the filtering and interception of traffic. Experiments use the IXIA platform to generate malicious traffic, and results show that the framework can accurately identify attack traffic within 1500 ms, reaching an area of 0.99 under the receiver operating characteristic curve. The proposed framework is more effective than other similar DDoS methods, protecting the precious SI bandwidth resources.

Wengui Hu,Qingsong Cao,Mehdi Darbandi,Nima Jafari Navimipour

DOI: https://doi.org/10.1007/s10586-024-04385-8

2024-04-28

Cluster Computing

Abstract:The number of cloud-, edge-, and Internet of Things (IoT)-based applications that produce sensitive and personal data has rapidly increased in recent years. The IoT is a new model that integrates physical objects and the Internet and has become one of the principal technological evolutions of computing. Cloud computing is a paradigm for centralized computing that gathers resources in one place and makes them available to consumers via the Internet. Despite the vast array of resources that cloud computing offers, real-time mobile applications might not find it acceptable because it is typically located far from users. However, in applications where low latency and high dependability are required, edge computing—which disperses resources to the network edge—is becoming more and more popular. Though it has less processing power than traditional cloud computing, edge computing offers resources in a decentralized way that can react to customers' needs more quickly. There has been a sharp increase in attackers stealing data from these applications since the data is so sensitive. Thus, a powerful Intrusion Detection System (IDS) that can identify intruders is required. IDS are essential for the cybersecurity of the IoT, cloud, and edge architectures. Investigators have mostly embraced the use of deep learning algorithms as a means of protecting the IoT environment. However, these techniques have some issues with computational complexity, long processing times, and poor precision. Feature selection approaches can be utilized to overcome these problems. Optimization methods, including bio-inspired algorithms, are applied as feature selection approaches to enhance the classification accuracy of IDS systems. Based on the cited sources, it appears that no study has looked into these difficulties in depth. This research thoroughly analyzes the current literature on intrusion detection and using nature-inspired algorithms to safeguard IoT and cloud/edge settings. This article examines pertinent analyses and surveys on the aforementioned subjects, dangers, and outlooks. It also examines many frequently used algorithms in the development of IDSs used in IoT security. The findings demonstrate their efficiency in addressing IoT and cloud/edge ecosystem security issues. Moreover, it has been shown that the methods put out in the literature might improve IDS security and dependability in terms of precision and execution speed.

computer science, information systems, theory & methods

Hao Zhang,Jie Yao,Zhuping Wang,Sheng Gao,Huaicheng Yan

DOI: https://doi.org/10.1109/jsyst.2024.3381304

IF: 4.802

2024-01-01

IEEE Systems Journal

Abstract:This article studies the optimal distributed denial-of-service attack strategy for cyber–physical systems with multiple attackers and multiple defenders. An advanced attack strategy is proposed to cause the great damage to system in a multiattacker–defender form. First, a novel model of signal-to-interference-to-noise ratio for the multiattacker and multidefender is built. Taking the energy constraints into consideration, the objective of defenders is to minimize the system performance, while the attackers tend to deteriorate it by emitting interference energy. Thus, the optimal channel selection and optimal energy allocation strategies are proposed to answer which channel both of them should choose and how much power both of them should allocate to each channel in a finite time horizon. Second, a two-player zero-sum matrix game is formulated to solve the optimal problem by linear programming and obtain the Nash equilibrium. When the channel parameters are time-varying, a dynamic optimal channel selection problem is considered and a multistage game algorithm is proposed to find the Nash equilibrium. In addition, the designed optimal strategies of both players are demonstrated and analyzed. Finally, a numerical simulation is provided to illustrate the effectiveness of the proposed approach.

Kun Wang,Yu Fu,Xueyuan Duan,Taotao Liu

DOI: https://doi.org/10.1038/s41598-024-66907-z

2024-07-16

Abstract:Due to the large computational overhead, underutilization of features, and high bandwidth consumption in traditional SDN environments for DDoS attack detection and mitigation methods, this paper proposes a two-stage detection and mitigation method for DDoS attacks in SDN based on multi-dimensional characteristics. Firstly, an analysis of the traffic statistics from the SDN switch ports is performed, which aids in conducting a coarse-grained detection of DDoS attacks within the network. Subsequently, a Multi-Dimensional Deep Convolutional Classifier (MDDCC) is constructed using wavelet decomposition and convolutional neural networks to extract multi-dimensional characteristics from the traffic data passing through suspicious switches. Based on these extracted multi-dimensional characteristics, a simple classifier can be employed to accurately detect attack samples. Finally, by integrating graph theory with restrictive strategies, the source of attacks in SDN networks can be effectively traced and isolated. The experimental results indicate that the proposed method, which utilizes a minimal amount of statistical information, can quickly and accurately detect attacks within the SDN network. It demonstrates superior accuracy and generalization capabilities compared to traditional detection methods, especially when tested on both simulated and public datasets. Furthermore, by isolating the affected nodes, the method effectively mitigates the impact of the attacks, ensuring the normal transmission of legitimate traffic during network attacks. This approach not only enhances the detection capabilities but also provides a robust mechanism for containing the spread of cyber threats, thereby safeguarding the integrity and performance of the network.

Lili Chen,Zhen Wang,Jintao Wu,Yunchuan Guo,Fenghua Li,Zifu Li

DOI: https://doi.org/10.1002/cpe.6944

2022-04-20

Concurrency and Computation: Practice and Experience

Abstract:As mobile communications, the Internet, databases, distributed computing, and other technologies continue to develop, the Internet of Things (IoT) has emerged as prevalent technique. However, attacks on security and sensitive data in IoT occur frequently, and these attacks often evade intrusion detection systems strategically by mutating their traffic. To prevent security threats and sensitive data leakage, we propose a game approach based on adversarial deep learning to optimize a dynamic security threshold strategy. We introduce a mobile edge computing framework and utilize a game model to describe the adversarial interaction between the two participants. To solve the complexity of the game problem to gain dynamically randomized adversarial attacks, we present a column generation (CG) framework, which uses a feedforward neural network to quantify data flowing through IoT devices. Considering the limited resources of IoT devices, we calculate an optimal response to cyberattacks via a particle swarm optimization algorithm, aiming to reduce the false alarm rate. The adversarial dynamic threshold (ADT)‐based column generation (CG‐ADT) algorithm generates the set of detection threshold and the probability. Finally, we present the results of experiments conducted to demonstrate the effectiveness and robustness of the proposed dynamic threshold scheme for sensitive data security protection in IoT and its suitability for implementation in production systems.

Yuhua Xu,Yunfeng Yu,Hanshu Hong,Zhixin Sun

DOI: https://doi.org/10.1155/2021/5594468

IF: 1.968

2021-04-10

Security and Communication Networks

Abstract:Software-defined networking (SDN) emerges as an innovative network paradigm, which separates the control plane from the data plane to improve the network programmability and flexibility. It is widely applied in the Internet of Things (IoT). However, SDN is vulnerable to DDoS attacks, which can cause network disasters. In order to protect SDN security, a DDoS detection method using cloud-edge collaboration based on Entropy-Measuring Self-organizing Maps and KD-tree (EMSOM-KD) is designed for SDN. Entropy measurement is utilized to select the ideal SOM map and classify SOM neurons considering the limitation of dead and suspicious neurons. EMSOM can detect most flows directly and filter out a few doubtable flows. Then these flows are fine-grained, identified by KD-tree. Due to the limited and precious resources of the controller, parameter computation is performed in the cloud. The edge controller implements DDoS detection by EMSOM-KD. The experiments are conducted to evaluate the performance of the proposed method. The results show that EMSOM-KD has better detection accuracy; moreover, it improves the KD-tree detection efficiency.

computer science, information systems,telecommunications

Haiou Huang,Bangyi Sun,Liang Hu

DOI: https://doi.org/10.1016/j.cose.2024.103789

IF: 5.105

2024-02-01

Computers & Security

Abstract:Edge computing mitigates the high latency and other issues associated with cloud computing, but it also introduces new risks. One such issue is DDoS attacks on edge servers, which arise when edge tasks are offloaded. There is a dearth of research on countermeasures for these kinds of DDoS attacks. Consequently, we present EDM_TOS, a task offloading strategy. This technique makes sure that tasks are transferred to dependable edge nodes based on the edge nodes' risk assessment mechanism, thereby reducing edge DDoS attacks. On the other hand, EDM_TOS works better than current approaches in five domains of evaluating awareness and capacity limitations for resolving edge DDoS attacks and issues with edge computing offloading. The edge computing task offloading algorithm, weighted cluster analysis algorithm, and risk assessment algorithm, respectively, are used to implement the risk assessment module, cluster analysis module, and task offloading module of the EDM_TOS mechanism. The three modules were evaluated experimentally. The findings demonstrate that the task offloading module's transactions per second (TPS) and the risk assessment module's malicious detection rate (MDR) respectively outperform to those of other policies. The cluster analysis module's clustering effect is superior to that of the conventional K-means algorithm. EDM_TOS performs better than current methods for thwarting edge DDoS attacks, according to performance assessments on five datasets. EDM_TOS can successfully fend off edge DDoS attacks, as demonstrated by practice.

computer science, information systems

Jiabin Li,Ming Liu,Zhi Xue,Xiaochen Fan,Xiangjian He

DOI: https://doi.org/10.1109/access.2020.2974293

IF: 3.9

2020-01-01

IEEE Access

Abstract:Distributed Denial of Service (DDoS) attacks are increasingly harmful to the cyberspace nowadays. The attackers can now easily launch a bigger and more challenging DDoS attack both towards and with Internet-of-Things (IoT) devices, due to the fast popularization of them. Because of the characteristic of fast overwhelming, it is important to make fast as well as accurate response to DDoS attacks, and the real-time performance can be even more important to prevent and legitimate the attacks. Among the methods proposed by researchers, the entropy-based detection method provides a sensitive and reliable performance. However, the balance between computational complexity and recognition accuracy remains a challenge. In this paper, we propose a detection method that consists of 3 main parts in different aspects: a sliding time window to fasten the entropy calculation, a single-directional filter to realize early detection during the DDoS progress but not after the crash, and a quintile deviation check algorithm to optimize the detection result. These will eventually lead to a real-time and high-efficient performance to recognize IoT DDoS attacks as soon as possible.

Peyman Khordadpour,Saeed Ahmadi

DOI: https://doi.org/10.48550/arXiv.2305.16389

2023-05-26

Abstract:In recent times, I've encountered a principle known as cloud computing, a model that simplifies user access to data and computing power on a demand basis. The main objective of cloud computing is to accommodate users' growing needs by decreasing dependence on human resources, minimizing expenses, and enhancing the speed of data access. Nevertheless, preserving security and privacy in cloud computing systems pose notable challenges. This issue arises because these systems have a distributed structure, which is susceptible to unsanctioned access - a fundamental problem. In the context of cloud computing, the provision of services on demand makes them targets for common assaults like Denial of Service (DoS) attacks, which include Economic Denial of Sustainability (EDoS) and Distributed Denial of Service (DDoS). These onslaughts can be classified into three categories: bandwidth consumption attacks, specific application attacks, and connection layer attacks. Most of the studies conducted in this arena have concentrated on a singular type of attack, with the concurrent detection of multiple DoS attacks often overlooked. This article proposes a suitable method to identify four types of assaults: HTTP, Database, TCP SYN, and DNS Flood. The aim is to present a universal algorithm that performs effectively in detecting all four attacks instead of using separate algorithms for each one. In this technique, seventeen server parameters like memory usage, CPU usage, and input/output counts are extracted and monitored for changes, identifying the failure point using the CUSUM algorithm to calculate the likelihood of each attack. Subsequently, a fuzzy neural network is employed to determine the occurrence of an attack. When compared to the Snort software, the proposed method's results show a significant improvement in the average detection rate, jumping from 57% to 95%.

Cryptography and Security

Zhenpeng Liu,Yihang Wang,Fan Feng,Yifan Liu,Zelin Li,Yawei Shan

DOI: https://doi.org/10.3390/s23136176

IF: 3.9

2023-07-06

Sensors

Abstract:Distributed denial-of-service (DDoS) attacks pose a significant cybersecurity threat to software-defined networks (SDNs). This paper proposes a feature-engineering- and machine-learning-based approach to detect DDoS attacks in SDNs. First, the CSE-CIC-IDS2018 dataset was cleaned and normalized, and the optimal feature subset was found using an improved binary grey wolf optimization algorithm. Next, the optimal feature subset was trained and tested in Random Forest (RF), Support Vector Machine (SVM), K-Nearest Neighbor (k-NN), Decision Tree, and XGBoost machine learning algorithms, from which the best classifier was selected for DDoS attack detection and deployed in the SDN controller. The results show that RF performs best when compared across several performance metrics (e.g., accuracy, precision, recall, F1 and AUC values). We also explore the comparison between different models and algorithms. The results show that our proposed method performed the best and can effectively detect and identify DDoS attacks in SDNs, providing a new idea and solution for the security of SDNs.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Hongliang Zhou,Yifeng Zheng,Xiaohua Jia,Jiangang Shu

DOI: https://doi.org/10.1016/j.comnet.2023.109642

IF: 5.493

2023-02-22

Computer Networks

Abstract:Edge computing (EC) has greatly facilitated the deployment of networked services with fast responses and low bandwidth, by deploying computing and storage at the network edge which is closer to the data sources. However, it is challenging to have the EC servers gain security protections like those in centralized data centers, making them more vulnerable to security attacks, especially distributed denial-of-service (DDoS) attacks. Existing detection approaches relying on the feedback from EC servers under the attacks can incur high bandwidth costs and service performance degradation. In this paper, we propose a new framework CoWatch for collaborative prediction and detection of DDoS Attacks in EC scenarios. Based on the distributed software-defined networking (SDN) architecture, CoWatch can collaboratively predict the DDoS attacks towards the EC servers and detect the attack flows in time. To efficiently filter the suspicious flows in distributed SDN, we devise an optimal threshold model by balancing the trade-off between collaboration efficiency and prediction effectiveness. We also explore and build on the LSTM model to design an algorithm for collaborative prediction and detection of DDoS Attacks. Experiment results on a number of datasets demonstrate the promising performance of CoWatch in effectiveness and efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture