Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Omer Elsier Tayfour,Muhammad Nadzir Marsono

DOI: https://doi.org/10.1007/s11227-021-03782-9

IF: 3.3

2021-04-20

The Journal of Supercomputing

Abstract:This research presents the detection and mitigation of distributed denial of service (DDoS) in software defined networks (SDN). The proposed method consists of three modules: classifier module, mitigation module, and collaborative module. An ensemble classifier called V-NKDE is capable of detecting DDoS attacks accurately. The mitigation module blocks malicious traffics and purges entries of malicious traffic from the switch flow table. The collaborative module shares DDoS detection and mitigation rules among multiple SDN controllers using Redis Simple Message Queue mechanism. The proposed classifier performance validation on InSDN2020, CICIDS2017, NSL-KDD and UNSW-NB15 datasets. Furthermore we evaluated our proposed classifier in real traffic on an SDN simulation tested. The results show that the proposed method can detect DDoS attacks with high accuracy using an ensemble classifier, which performs better than single classifiers. More importantly, the false positive rate is greatly reduced, showing detection and mitigation of DDoS attacks across multi-controller domains with low controller overhead.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Xiaofan Chen,Shunzheng Yu

DOI: https://doi.org/10.1587/transinf.2016edl8016

2016-01-01

IEICE Transactions on Information and Systems

Abstract:DDoS remains a major threat to Software Defined Networks. To keep SDN secure, effective detection techniques for DDoS are indispensable. Most of the newly proposed schemes for detecting such attacks on SDN make the SDN controller act as the IDS or the central server of a collaborative IDS. The controller consequently becomes a target of the attacks and a heavy loaded point of collecting traffic. A collaborative intrusion detection system is proposed in this paper without the need for the controller to play a central role. It is deployed as a modified artificial neural network distributed over the entire substrate of SDN. It disperses its computation power over the network that requires every participating switch to perform like a neuron. The system is robust without individual targets and has a global view on a large-scale distributed attack without aggregating traffic over the network. Emulation results demonstrate its effectiveness.

Rudong Zhao,Songjie Wei,Milin Ren

DOI: https://doi.org/10.1109/ctceec.2017.8455172

2017-01-01

Abstract:This paper proposes a Distributed Denial of Service (DDoS) attack detection and defense system based on Software Defined Networks (SDN) architecture. The system is composed of a monitoring module, a detection module and a reaction module. The monitoring module is designed to raise alerts by analyzing Packet_In messages. It detects and reports anomalies to the detection module for further evaluation, which overcomes the disadvantages of slow response and large overhead of periodic trigger detection. The reaction module can trace back attack traffic flows to quickly and accurately identify malicious hosts. The use of a SDN controller brings in a global view of the network topology in the monitoring and detection procedures for the access layer switch and reduces the processing range. This paper extends the OpenFlow protocol so that a flow entry can record and track the flow path information, which improves the efficiency and accuracy of attack traffic traceability. Simulation experiments show that the proposed scheme has a relatively faster response to DDoS attack with less processing pressure imposed on the controller.

Yongyi Cao,Jing Wu,Bo Zhu,Hao Jiang,Yuchuan Deng,Wei Luo

DOI: https://doi.org/10.1007/978-3-030-34139-8_23

2019-01-01

Abstract:Distributed Denial of Service (DDoS) has been one of the biggest threats in the field of network security and a big problem to many researchers and large enterprises for years. In SDN, traditional DDoS attack detection mechanisms are mostly based on intermediate plug-ins or SDN controllers, most of which have problems of large southbound communication overhead, detection delay or lacking network-wide monitoring information. In this paper, we propose a cross-plane cooperative DDoS defense system (CPCS) under the architecture of SDN, which filters abnormal traffic through coarse-grained detection on the data plane and fine-grained detection on the control plane. On the data plane, a preliminary screening is performed to reduce the detection range of the control plane, and the K-means clustering algorithm is used to perform fine-grained analysis of traffic on the control plane. In addition, an anti-false positive module is added ingeniously. The proposed method captures the key characteristics of DDoS attack traffic by polling the value of counters in OpenFlow switches which leverages the computational power of OpenFlow switches that currently not fully utilized. We conducted experiments on a campus network center including OpenFlow switches and RYU controllers. The results show that the framework and traffic monitoring algorithms proposed in this paper can greatly improve detection efficiency and accuracy, and reduce detection delay and southbound communication overhead.

Boren He,Futai Zou,Yue Wu

DOI: https://doi.org/10.1109/ssic.2018.8556830

2018-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threat in current internet. Software Defined Network (SDN) is novel network structure based on the idea of separation of control plane and data plane. SDN allows us to program and monitor networks, and decide how to forward a packet, so it provides a new solution to defend DDoS attack. This paper proposes a multi-SDN Based cooperation scheme to defend DDoS attack. We adopt machine learning to detect DDoS attack, and design a protocol to enable communication among controllers. This protocol can achieve two goals, one is to build and maintain an independent network among controllers of different SDN, and the other is to enable attack information exchange among controllers, so they can find attacker and mitigate DDoS attack. The experimental results show that the proposed protocol can achieve high detection accuracy, find attackers accurately and mitigate DDoS attack traffic effectively with a relatively low cost and latency.

Yandong Liu,Mianxiong Dong,Kaoru Ota,Jianhua Li,Jun Wu

DOI: https://doi.org/10.1109/CAMAD.2018.8514971

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) flooding attack has remained as one of the most destructive attacks for more than two decades. Although great efforts have been made to design the defense mechanism, it is still difficult to mitigate these attacks in real time smartly and effectively for the reason that attack traffic may mix with benign traffic. Software-Defined Networks (SDN) decouples control and data plane in the network. Its centralized control paradigm and global view of the network bring some new chances to enhance the defense ability against network attacks. In this paper, we propose a deep reinforcement learning based framework, which can smartly learn the optimal mitigation policies under different attack scenarios and mitigate the DDoS flooding attack in real time. This framework is an effective system to defend against a wide range of DDoS flooding attacks such as TCP SYN, UDP, and ICMP flooding. It can intelligently learn the patterns of attack traffic and throttle the attack traffic, while the traffic of benign users is forwarded normally. We compare our proposed framework with a baseline along with a popular state-of-the-art router throttling method. The experimental results show that our approach can outperform both of them in five attacking scenarios with different attack dynamics significantly.

Meng Wang,Yiqin Lu,Jiancheng Qin

DOI: https://doi.org/10.1109/access.2021.3139511

IF: 3.9

2022-01-01

IEEE Access

Abstract:In the traditional distributed control network, due to the difficulty in detection and the ambiguous defense responsibility, it is not efficient and effective to detect Distributed Denial of Service (DDoS) attacks in the network where they are launched, which is so-called source-based defense mechanism. Moreover, with the development of cloud computing, Internet of Things (IoT), and mobile Internet, the number of terminals and the communication bandwidth in a single autonomous domain have increased significantly, providing much more easy conditions for organizing large-scale botnets to launch a threatening DDoS attack. Therefore, there is an urgent need for source-based defense against DDoS attacks. The emerging Software-Defined Networking (SDN) provides some new ideas and advantages to solve this problem, such as centralized control and network programmability. In this paper, we proposed a defense method based on sFlow and improved Self-Organizing Map (SOM) model in SDN. This method consists of an sFlow-based macro-detection, which could cover the entire network to perceive DDoS attacks, a SOM-based micro-detection, which is used to recognize the attack traffic, and a response strategy based on the global view given by the controller. The experimental results under open data and simulated attack scenarios have proved the effectiveness of the proposed method, and it also has better overall detection performance than k-means and k-medoids.

computer science, information systems,telecommunications,engineering, electrical & electronic

Pengfei Zhai,Yanbo Song,Xiaoming Zhu,Lihui Cao,Jiaming Zhang,Chungang Yang

DOI: https://doi.org/10.1109/iccc49849.2020.9238872

2020-01-01

Abstract:Software Defined Network (SDN) is a new type of network architecture solution, and its innovation lies in decoupling traditional network system into a control plane, a data plane, and an application plane. It logically implements centralized control and management of the network,and SDN is considered to represent the development trend of the network in the future. However, SDN still faces many security challenges. Currently, the number of insecure devices is huge. Distributed Denial of Service (DDoS) attacks are one of the major network security threats.This paper focuses on the detection and mitigation of DDoS attacks in SDN. Firstly, we explore a solution to detect DDoS using Renyi entropy, and we use exponentially weighted moving average algorithm to set a dynamic threshold to adapt to changes of the network. Second, to mitigate this threat,we analyze the historical behavior of each source IP address and score it to determine the malicious source IP address,and use OpenFlow protocol to block attack source.The experimental results show that the scheme studied in this paper can effectively detect and mitigate DDoS attacks.

Behaylu Tadele Alemu,Alemu Jorgi Muhammed,Habtamu Molla Belachew,Mulatu Yirga Beyene

DOI: https://doi.org/10.1007/s10586-024-04660-8

2024-07-20

Cluster Computing

Abstract:Software-defined networking (SDN) has emerged as a transformative technology that separates the control plane from the data plane, providing advantages such as flexibility, centralized control, and programmability. This innovation proves particularly beneficial for Internet of Vehicles (IoV) networks, which amalgamate the Internet of Things (IoT) and Vehicular Ad Hoc Network (VANET) to implement Intelligent Transportation Systems (ITS). IoV provides a safe and secured vehicular environment by supporting V2V, V2I, V2S, and V2P. By employing an SDN controller, IoV networks can leverage centralized control and enhanced manageability, leading to the emergence of Software-Defined Internet of Vehicles (SD-IoV) as a promising solution for future communications. However, the SD-IoV networks introduces a potential vulnerability in the form of a single point of failure, particularly susceptible to Distributed Denial of Service (DDoS) attacks. This is because of the centralized nature of SDN and the dynamic nature of IoV. In this context, the SDN controller becomes a prime target for attackers who flood it with massive packet-in messages. To address this security concern, we propose an efficient and lightweight attack detection and mitigation scheme within the SDN controller. The scheme includes a detection module that utilizes entropy and flow rate to identify patterns indicative of attack traffic behavior. Additionally, a mitigation module is designed to minimize the effect of attack traffic on the normal operation, this is performed through analysis of payload lengths.The mitigation flow rule is set for specific traffic type if its payload is less than the threshold value to decrease the false positive rate. An adaptive threshold computation for all parameter values enhances the scheme's effectiveness. We conducted simulations using SUMO, Mininet-WiFi, and Scapy. We evaluated the system performance by using Mininet-wifi SDN simulation tool and Ryu controller for control plane. The system detects DDoS attack traffic within a single window by checking both entropy and flow rate simultaneously. The simulation results demonstrate the efficacy of our proposed scheme in terms of detection time, accuracy, mitigation efficiency, controller load, and link bandwidth consumption, showcasing its superiority compared to existing works in the field.

computer science, information systems, theory & methods

Dan Tang,Siyuan Wang,Siqi Zhang,Zheng Qin,Wei Liang,Sheng Xiao

DOI: https://doi.org/10.1109/tccn.2023.3306358

IF: 6.359

2023-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:Slow-rate denial-of-service (SDoS) attacks are a type of denial-of-service (DoS) attacks with a low attack rate. They have a flash-crowd nature and can be well concealed in legitimate traffic, so it is difficult to identify them by anti-DoS mechanisms. Existing solutions have drawbacks such as difficult deployment, poor real-time performance, and poor scalability. We propose a scheme for real-time monitoring and mitigation of SDoS attacks on the basis of a software-defined network (SDN) and new traffic metrics. The new traffic metrics are the coefficient of fluctuation (CoF) and pulse period coefficient (PPC), which can help us identify SDoS attacks in the network and locate the attackers quickly and accurately. Based on the two metrics, the scheme uses a Gaussian mixture model (GMM) to predict and cluster network traffic and obtain attacker IPs. The mitigation module installs flow rules to discard attacking flows. With blacklisting and weighted IPs, the mitigation module reduces the probability of dropping legitimate flows in case of false positives. Experiments show that our scheme is inexpensive to deploy and can identify attacks and locate attackers quickly and accurately. The mitigation strategy can mitigate SDoS attacks within 4 to 6 seconds with high probability.

Dingwen Hu,Peilin Hong,Yixin Chen

DOI: https://doi.org/10.1109/glocom.2017.8254023

2017-01-01

Abstract:Distributed Denial-of-Service (DDoS) flooding attack is one of the most serious threats to network security. Software-Defined Networking (SDN) has recently emerged as a new network management platform, and its centralized control architecture brings many new opportunities for defending against network attacks. In this paper, we propose FADM, an efficient and lightweight framework to detect and mitigate DDoS attacks in SDN. Firstly, the network traffic information is collected through the SDN controller and sFlow agents. Then an entropy-based method is used to measure network features, and the SVM classifier is applied to identify network anomalies. By adopting these methods together, the timeliness and accuracy of attack detection are effectively improved. To keep the major network functionality working, we propose an efficient attack mitigation mechanism based on the white-list and traffic migration. By introducing the mitigation agent to the network, attack traffic can be timely blocked while benign traffic can be forwarded as usual, which prevents the controller resources from being exhausted and ensures that legitimate users can access the network normally. The experimental results show that multiple DDoS attacks can be accurately detected and effectively mitigated by FADM, which enables the network to recover in a short time.

Meng Yue,Qingxin Yan,Zichao Lu,Zhijun Wu

DOI: https://doi.org/10.1109/tnsm.2024.3363490

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Software-Defined Networking (SDN) actualizes the separation of control and forwarding, innovates network functionality with a logically centralized controller, and facilitates network-wide collaboration. Contemporary SDN infrastructure exposes potential bottlenecks which are prone to engaging low-rate denial of service (LDoS) attacks. Currently, a great deal of detection methods are deployed in the controller, and the controller needs to poll the switch frequently, which brings heavy load to the controller and the southbound link. According to the analysis of existing researches, we focused on the how to decrease the frequent polling of the controller and improve the detection rate. In this paper, we adopted the idea of cross-plane collaboration and proposed a two-phase detection framework, which carried out the lightweight detection method in the data plane and the in-depth detection based on Bayesian voting mechanism in the control plane. Once LDoS attacks are detected, the controller recalculates routes for the bottleneck nodes using the optimized Dijkstra algorithm to complete mitigation. Theoretical analyses and extensive experiments are conducted to validate the performance of our proposed method. Test results show that our method outperforms other traditional methods in terms of the detection rate of 99.1%, the detection delay of 1.3s and the communication overhead of 1068 Byte/s, the average CPU utilization of controller remains at approximately 3.5%. The proposed method takes a step forward to enhance the security of SDN.

computer science, information systems

Yang Xu,Yong Liu

DOI: https://doi.org/10.1109/infocom.2016.7524500

2016-01-01

Abstract:Software Defined Networking (SDN) has recently emerged as a new network management platform. The centralized control architecture presents many new opportunities. Among the network management tasks, measurement is one of the most important and challenging one. Researchers have proposed many solutions to better utilize SDN for network measurement. Among them, how to detect Distributed Denial-of-Services (DDoS) quickly and precisely is a very challenging problem. In this paper, we propose methods to detect DDoS attacks leveraging on SDN's flow monitoring capability. Our methods utilize measurement resources available in the whole SDN network to adaptively balance the coverage and granularity of attack detection. Through simulations we demonstrate that our methods can quickly locate potential DDoS victims and attackers by using a constrained number of flow monitoring rules.

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary

Marcos Aurélio Ribeiro,Mauro Sergio Pereira Fonseca,Juliana de Santi

DOI: https://doi.org/10.1016/j.cose.2023.103462

2023-09-06

Abstract:The Distributed Denial of Service (DDoS) coordinates synchronized attacks on systems on the Internet using a set of infected hosts (bots). Bots are programmed to attack a determined target by firing a lot of synchronized requests, causing slowness or unavailability of the service. This type of attack has recently grown in magnitude, diversity, and economic cost. Thus, this paper presents a DDoS detection and mitigation architecture based on Software Defined Networking (SDN). It considers the Moving Target Defense (MTD) approach, redirecting malicious floods to expendable low-capacity servers to protect the main server while discouraging the attacker. The redirecting decision is based on a sensor, that employs Machine Learning (ML) algorithms for flow classification. When malicious flows are detected, the sensor notifies the SDN controller to include them in the malicious hosts lists and to realize the redirection. The validation and evaluation of the proposed architecture are conducted by simulation. Results considering different classification models (probabilistic, linear model, neural networks, and trees) and attack types indicate that the proposed architecture is efficient in detecting and mitigating DDoS attacks in approximately 3 seconds.

computer science, information systems

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Kuan-yin Chen,Anudeep Reddy Junuthula,Ishant Kumar Siddhrau,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/cns.2016.7860467

2016-01-01

Abstract:While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained flow level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards more comprehensive defense against DDoS attacks on SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.

Peng Zhang,Huanzhao Wang,Chengchen Hu,Chuang Lin

DOI: https://doi.org/10.1109/mnet.2016.1600109nm

IF: 10.294

2016-01-01

IEEE Network

Abstract:Software defined networking greatly simplifies network management by decoupling control functions from the network data plane. However, such a decoupling also opens SDN to various denial of service attacks: an adversary can easily exhaust network resources by flooding short-lived spoofed flows. Toward this issue, we present a comprehensive study of DoS attacks in SDN, and propose multi-layer fair queueing (MLFQ), a simple but effective DoS mitigation method. MLFQ enforces fair sharing of an SDN controller's resources with multiple layers of queues, which can dynamically expand and aggregate according to controller load. Both testbed-based and emulation-based experiments demonstrate the effectiveness of MLFQ in mitigating DoS attacks targeted at SDN controllers.