Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Amany I Hassan,Eman Abd El Reheem,Shawkat K Guirguis

DOI: https://doi.org/10.1038/s41598-024-67984-w

2024-08-06

Abstract:Software-defined networks (SDNs) have been growing rapidly due to their ability to provide an efficient network management approach compared to traditional methods. However, one of the major challenges facing SDNs is the threat of Distributed Denial of Service (DDoS) attacks, which can severely impact network availability. Detecting and mitigating such attacks is challenging, given the constantly evolving range of attack techniques. In this paper, a novel hybrid approach is proposed that combines statistical methods with machine-learning capabilities to address the detection and mitigation of DDoS attacks in SDN environments. The statistical phase of the approach utilizes an entropy-based detection mechanism, while the machine-learning phase employs a clustering mechanism to analyze the impact of active users on the entropy of the system. The k-means algorithm is used for clustering. The proposed approach was experimentally evaluated using three modern datasets, namely, CIC-IDS2017, CSE-CIC-2018, and CICIDS2019. The results demonstrate the effectiveness of the system in detecting and blocking sudden and rapid attacks, highlighting the potential of the proposed approach to significantly enhance security against DDoS attacks in SDN environments.

Boren He,Futai Zou,Yue Wu

DOI: https://doi.org/10.1109/ssic.2018.8556830

2018-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threat in current internet. Software Defined Network (SDN) is novel network structure based on the idea of separation of control plane and data plane. SDN allows us to program and monitor networks, and decide how to forward a packet, so it provides a new solution to defend DDoS attack. This paper proposes a multi-SDN Based cooperation scheme to defend DDoS attack. We adopt machine learning to detect DDoS attack, and design a protocol to enable communication among controllers. This protocol can achieve two goals, one is to build and maintain an independent network among controllers of different SDN, and the other is to enable attack information exchange among controllers, so they can find attacker and mitigate DDoS attack. The experimental results show that the proposed protocol can achieve high detection accuracy, find attackers accurately and mitigate DDoS attack traffic effectively with a relatively low cost and latency.

Ahmad Hamarshe,Huthaifa I. Ashqar,Mohammad Hamarsheh

DOI: https://doi.org/10.48550/arXiv.2303.06513

IF: 5.414

2023-03-11

Machine Learning

Abstract:The concept of Software Defined Networking (SDN) represents a modern approach to networking that separates the control plane from the data plane through network abstraction, resulting in a flexible, programmable and dynamic architecture compared to traditional networks. The separation of control and data planes has led to a high degree of network resilience, but has also given rise to new security risks, including the threat of distributed denial-of-service (DDoS) attacks, which pose a new challenge in the SDN environment. In this paper, the effectiveness of using machine learning algorithms to detect distributed denial-of-service (DDoS) attacks in software-defined networking (SDN) environments is investigated. Four algorithms, including Random Forest, Decision Tree, Support Vector Machine, and XGBoost, were tested on the CICDDoS2019 dataset, with the timestamp feature dropped among others. Performance was assessed by measures of accuracy, recall, accuracy, and F1 score, with the Random Forest algorithm having the highest accuracy, at 68.9%. The results indicate that ML-based detection is a more accurate and effective method for identifying DDoS attacks in SDN, despite the computational requirements of non-parametric algorithms.

Heyu Wang,Yixuan Li

DOI: https://doi.org/10.1109/access.2024.3375395

IF: 3.9

2024-03-19

IEEE Access

Abstract:Software Defined network (SDN), as a new network architecture, is the direction of future network development. By decoupling the control plane and data plane of the network, the control and management of network resources can be improved. However, SDN centralized controllers become the target of malicious attacks, prone to the risk of single point of failure, of which DDoS attacks are the main attack behavior. Through extensive literature investigation, this paper systematically reviews the latest progress of DDoS attack detection in SDN environment. Firstly, the SDN architecture and corresponding DDoS attacks are described, and the commonly used data sets and evaluation indicators are summarized. Secondly, the data preprocessing technology is summarized, and the data dimensionality reduction technology is introduced in detail. Then, at the level of detection technology, it focuses on the advantages and disadvantages of detection algorithms based on statistical analysis, machine learning and deep learning. Finally, the challenges of current research are analyzed, and the future development direction is forecasted. In order to provide reference for future research and development, at the same time, it is of great significance to improve the safety of SDN products in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Di Wu,Jie Li,Sajal K. Das,Jinsong Wu,Yusheng Ji,Zhetao Li

DOI: https://doi.org/10.1109/icc.2018.8422448

2018-01-01

Abstract:Software-Defined networking (SDN), as a new paradigm, fixes the shortage that traditional network does not support the dynamic, scalable computing and storage needs of more computing environments. SDN, however, also faces security problems such as vulnerable to DDoS attacks. DDoS attacks are well-known and powerful attacks. DDoS detection and DDoS traffic separation for SDN environments are still an open research issue. DDoS attacks in SDN environments will not only bring damage to target server, but also takes exact impact on SDN system. In this paper, we identify a new type DDoS attack, specifically aiming SDN environment, which is harder to be detected. We propose a novel real-time DDoS detection scheme for SDN environment, by using Principal Component Analysis (PCA) scheme to analyze the network status on traffic packets data. We separate the network into different parts, to reduce the total calculation burden. We compare our scheme with sample entropy, showed our scheme achieves better detecting ability for DDoS attacks.

Kun Wang,Yu Fu,Xueyuan Duan,Taotao Liu

DOI: https://doi.org/10.1038/s41598-024-66907-z

2024-07-16

Abstract:Due to the large computational overhead, underutilization of features, and high bandwidth consumption in traditional SDN environments for DDoS attack detection and mitigation methods, this paper proposes a two-stage detection and mitigation method for DDoS attacks in SDN based on multi-dimensional characteristics. Firstly, an analysis of the traffic statistics from the SDN switch ports is performed, which aids in conducting a coarse-grained detection of DDoS attacks within the network. Subsequently, a Multi-Dimensional Deep Convolutional Classifier (MDDCC) is constructed using wavelet decomposition and convolutional neural networks to extract multi-dimensional characteristics from the traffic data passing through suspicious switches. Based on these extracted multi-dimensional characteristics, a simple classifier can be employed to accurately detect attack samples. Finally, by integrating graph theory with restrictive strategies, the source of attacks in SDN networks can be effectively traced and isolated. The experimental results indicate that the proposed method, which utilizes a minimal amount of statistical information, can quickly and accurately detect attacks within the SDN network. It demonstrates superior accuracy and generalization capabilities compared to traditional detection methods, especially when tested on both simulated and public datasets. Furthermore, by isolating the affected nodes, the method effectively mitigates the impact of the attacks, ensuring the normal transmission of legitimate traffic during network attacks. This approach not only enhances the detection capabilities but also provides a robust mechanism for containing the spread of cyber threats, thereby safeguarding the integrity and performance of the network.

Hong Zhong,Chao Yu,Jie Cui,Xiuwen Sun,Chengjie Gu,Lu Liu

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys53884.2021.00059

2021-01-01

Abstract:Since software-defined networking (SDN) has the ad-vantages of central control programmability and global view, it is suitable for industrial network. However, large-scale security risks such as distributed denial of service (DDoS) attacks endanger the security and reliability of services in the SDN-based system. Therefore, a comprehensive and efficient solution to this issue is crucial. This paper proposes a scheme for mitigating DDoS attack traffic deployed on an SDN application plane. The framework periodically obtains the traffic statistics of the switch ports and flow tables. After obtaining the traffic characteristics, a machine learning model is used for training. The trained model can identify benign and malicious traffic. After the attack is found, the rules are sent to the switch to control the flow and resist DDoS attacks. We use the CICDDoS2019 dataset to perform experiments. The experimental results show that compared to other schemes, the proposed scheme achieves more accurate classification.

Zhenpeng Liu,Yihang Wang,Fan Feng,Yifan Liu,Zelin Li,Yawei Shan

DOI: https://doi.org/10.3390/s23136176

IF: 3.9

2023-07-06

Sensors

Abstract:Distributed denial-of-service (DDoS) attacks pose a significant cybersecurity threat to software-defined networks (SDNs). This paper proposes a feature-engineering- and machine-learning-based approach to detect DDoS attacks in SDNs. First, the CSE-CIC-IDS2018 dataset was cleaned and normalized, and the optimal feature subset was found using an improved binary grey wolf optimization algorithm. Next, the optimal feature subset was trained and tested in Random Forest (RF), Support Vector Machine (SVM), K-Nearest Neighbor (k-NN), Decision Tree, and XGBoost machine learning algorithms, from which the best classifier was selected for DDoS attack detection and deployed in the SDN controller. The results show that RF performs best when compared across several performance metrics (e.g., accuracy, precision, recall, F1 and AUC values). We also explore the comparison between different models and algorithms. The results show that our proposed method performed the best and can effectively detect and identify DDoS attacks in SDNs, providing a new idea and solution for the security of SDNs.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

M. Revathi,V. V. Ramalingam,B. Amutha

DOI: https://doi.org/10.1007/s11277-021-09071-1

IF: 2.017

2021-09-15

Wireless Personal Communications

Abstract:Recently, SDN has arisen as a new network platform that offers unparalleled programming that enables network operators to dynamically customize and control their networks. The attackers aim to paralyse the logical plane, the brain of the network that offers several advantages, by using the SDN controller. However, the control plane is the desirable target of security attacks on the opponents because of its characteristics. One of the most common threats is the DDOS attacks to drain network capacity by sending them heavy traffic, causing network congestion. SDN is a common area of investigation for SDN defenceand DDoS threat identification and prevention in the SDN context has been introduced to many researchers since the proposed SDN attacks. Nevertheless, security risks must be adequately secured. In this paper we suggest a discrete scalable memory based support vector machine algorithm for DDoS threat and SDN mitigation architecture for attack detection. By starting the process of attack detection the input data can gets pre-processed by using Spark standardization technique in which the missing values are replaced and the unwanted data are removed. Then the feature extractions are done using semantic multilinear component analysis algorithm. The classifier is responsible for predicting target and for this a novel discrete scalable memory based support vector machine (DSM-SVM) algorithm is used which provides high accuracy of attack prediction. Followed by attack detection the mitigation process was done, here the mitigation server can identify the threat by intelligently dropping malicious bot traffic and absorbing the rest of the traffic. Here the suggested mechanism achieves attack traffic mitigation and benign traffic dropping. We have evaluated the whole process on KDD dataset. The proposed network model was trained and then used in an SDN threat detection and mitigation environment as part of the assessment process. The entire experiment is run on a VMware-based Ubuntu virtual machine. Weka will utilize our suggested classifier model for training and evaluation, while Mininet uses a RYU controller to establish an SD Network. The findings demonstrate that the mechanism presented exceeds the other algorithms examined, by expressing 99.7% accuracy especially concerning training and testing time over KDD dataset.

telecommunications

Omer Elsier Tayfour,Muhammad Nadzir Marsono

DOI: https://doi.org/10.1007/s11227-021-03782-9

IF: 3.3

2021-04-20

The Journal of Supercomputing

Abstract:This research presents the detection and mitigation of distributed denial of service (DDoS) in software defined networks (SDN). The proposed method consists of three modules: classifier module, mitigation module, and collaborative module. An ensemble classifier called V-NKDE is capable of detecting DDoS attacks accurately. The mitigation module blocks malicious traffics and purges entries of malicious traffic from the switch flow table. The collaborative module shares DDoS detection and mitigation rules among multiple SDN controllers using Redis Simple Message Queue mechanism. The proposed classifier performance validation on InSDN2020, CICIDS2017, NSL-KDD and UNSW-NB15 datasets. Furthermore we evaluated our proposed classifier in real traffic on an SDN simulation tested. The results show that the proposed method can detect DDoS attacks with high accuracy using an ensemble classifier, which performs better than single classifiers. More importantly, the false positive rate is greatly reduced, showing detection and mitigation of DDoS attacks across multi-controller domains with low controller overhead.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Yonghong Wang,Xiaofeng Wang,Mazeyanti Mohd Ariffin,Masoumeh Abolfathi,Abdulmajeed Alqhatani,Laila Almutairi

DOI: https://doi.org/10.1016/j.compeleceng.2023.108655

2023-05-01

Abstract:The Software-Defined Network (SDN) provides a more flexible and effectively managed network design for next-generation networking. Network managers can easily manage and regulate the entire network using its programmable central controller architecture. This central controller serves as the focal point for numerous attack vectors due to its centralized structure. However, Distributed Denial of Service (DDoS) attacks against the SDN is the most prominent. The goal of this project is to use a machine learning method to categorize SDN traffic as either attack or normal traffic. Next, the Feature Selection method, such as the Filter-based Fisher score method, Wrapper-based method, and analysis of variables (ANOVA) f-test, is used for finely-granulated detection. Then, a rule-based detection method using the Renyi joint entropy algorithm is employed to detect DDoS attacks on SDN controllers. We manage a public "DDoS attack SDN Dataset" with 23 attributes overall. The dataset includes normal and attack traffic for the Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), and Transmission Control Protocol (TCP). Except for attributes that specify the target and source machines, the dataset, which contains more than 100,000 recordings, has statistical features such as byte count, duration sec, packet rate, and packet per flow. In the classification process, many classifiers such as Artificial Neural Network (ANN), XGBoost (XGB), Support Vector Machine (SVM), and k-Nearest Neighbor (k-NN) were used. The test results demonstrated the efficacy and efficiency of the suggested strategy using the analysis of variables (ANOVA), which performed better than competing methods across a range of evaluation parameters.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Daoqi Han,Honghui Li,Xueliang Fu,Shuncheng Zhou

DOI: https://doi.org/10.3390/s24134344

2024-07-04

Abstract:As 5G technology becomes more widespread, the significant improvement in network speed and connection density has introduced more challenges to network security. In particular, distributed denial of service (DDoS) attacks have become more frequent and complex in software-defined network (SDN) environments. The complexity and diversity of 5G networks result in a great deal of unnecessary features, which may introduce noise into the detection process of an intrusion detection system (IDS) and reduce the generalization ability of the model. This paper aims to improve the performance of the IDS in 5G networks, especially in terms of detection speed and accuracy. It proposes an innovative feature selection (FS) method to filter out the most representative and distinguishing features from network traffic data to improve the robustness and detection efficiency of the IDS. To confirm the suggested method's efficacy, this paper uses four common machine learning (ML) models to evaluate the InSDN, CICIDS2017, and CICIDS2018 datasets and conducts real-time DDoS attack detection on the simulation platform. According to experimental results, the suggested FS technique may match 5G network requirements for high speed and high reliability of the IDS while also drastically cutting down on detection time and preserving or improving DDoS detection accuracy.

Amran Mansoor,Mohammed Anbar,Abdullah Ahmed Bahashwan,Basim Ahmad Alabsi,Shaza Dawood Ahmed Rihan

DOI: https://doi.org/10.3390/systems11060296

2023-06-09

Systems

Abstract:The rapid growth of cloud computing has led to the development of the Software-Defined Network (SDN), which is a network strategy that offers dynamic management and improved performance. However, security threats are a growing concern, particularly with the SDN controller becoming an attractive target for malicious actors and potential Distributed Denial of Service (DDoS) attacks. Many researchers have proposed different approaches to detecting DDoS attacks. However, those approaches suffer from high false positives, leading to low accuracy, and the main reason behind this is the use of non-qualified features and non-realistic datasets. Therefore, the deep learning (DL) algorithmic technique can be utilized to detect DDoS attacks on SDN controllers. Moreover, the proposed approach involves three stages, (1) data preprocessing, (2) cross-feature selection, which aims to identify important features for DDoS detection, and (3) detection using the Recurrent Neural Networks (RNNs) model. A benchmark dataset is employed to evaluate the proposed approach via standard evaluation metrics, including false positive rate and detection accuracy. The findings indicate that the recommended approach effectively detects DDoS attacks with average detection accuracy, average precision, average FPR, and average F1-measure of 94.186 %, 92.146%, 8.114%, and 94.276%, respectively.

Tewelde Gebremedhin Gebremeskel,Ketema Adere Gemeda,T. Gopi Krishna,Perumalla Janaki Ramulu

DOI: https://doi.org/10.1155/2023/9965945

2023-06-24

Wireless Communications and Mobile Computing

Abstract:A software-defined network (SDN) brings a lot of advantages to the world of networking through flexibility and centralized management; however, this centralized control makes it susceptible to different types of attacks. Distributed denial of service (DDoS) is one of the most dangerous attacks that are frequently launched against the controller to put it out of service. This work takes the special ability of SDN to propose a solution that is an implementation run at the multicontroller to detect a DDoS attack at the early stage. This method not only detects the attacks but also identifies the attacking paths and starts a mitigation process to provide protection for the network devices. This method is based on the entropy variation of the destination host targeted with its IP address and can detect the attack within the first 250 packets of malicious traffic attacking a particular host. Then, fine-grained packet-based detection is performed using a deep-learning model to classify the attack into different types of attack categories. Lastly, the controller sends the updated traffic information to neighbor controllers. The chi-squared ( x 2 ) test feature selection algorithm was also employed to reveal the most relevant features that scored the highest in the provided data set. The experiment result demonstrated that the proposed Long Short-Term Memory (LSTM) model achieved an accuracy of up to 99.42% using the data set CICDDoS2019, which has the potential to detect and classify the DDoS attack traffic effectively in the multicontroller SDN environment. In this regard, it has an enhanced accuracy level to 0.42% compared with the RNN-AE model with data set CICDDoS2019, while it has improved up to 0.44% in comparison with the CNN model with the different data set ICICDDoS2017.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yang Xu,Yong Liu

DOI: https://doi.org/10.1109/infocom.2016.7524500

2016-01-01

Abstract:Software Defined Networking (SDN) has recently emerged as a new network management platform. The centralized control architecture presents many new opportunities. Among the network management tasks, measurement is one of the most important and challenging one. Researchers have proposed many solutions to better utilize SDN for network measurement. Among them, how to detect Distributed Denial-of-Services (DDoS) quickly and precisely is a very challenging problem. In this paper, we propose methods to detect DDoS attacks leveraging on SDN's flow monitoring capability. Our methods utilize measurement resources available in the whole SDN network to adaptively balance the coverage and granularity of attack detection. Through simulations we demonstrate that our methods can quickly locate potential DDoS victims and attackers by using a constrained number of flow monitoring rules.

Zhang Long,Wang Jinsong

DOI: https://doi.org/10.1016/j.cose.2022.102604

2022-04-01

Abstract:Software-defined networking (SDN) is a new network architecture that offers considerable management convenience and efficiency relative to conventional networks. However, the centralized control employed in SDN incurs a high risk of single point failure that is susceptible to distributed denial of service (DDoS) attacks. The present work addresses this issue by proposing a hybrid approach for detecting DDoS attacks using an initial detection module based on information entropy to quickly identify anomalous traffic and a second detection module based on machine learning with a stacked sparse autoencoder (SSAE)–support vector machine (SVM) architecture to confirm the suspected anomalous traffic. If DDoS traffic is detected, a defense module is implemented to restore normal network communication in a timely manner via an issued flow table. The effectiveness and efficiency of the proposed approach for DDoS detection is experimentally evaluated using both real-time and benchmark datasets in comparison with state-of-the-art methods. The results demonstrate that the proposed approach provides superior detection performance and identifies greater than 98% of existing DDoS traffic with greatly reduced training time and computational burden.

computer science, information systems

Quamar Niyaz,Weiqing Sun,Ahmad Y Javaid

DOI: https://doi.org/10.4108/eai.28-12-2017.153515

2016-11-23

Abstract:Distributed Denial of Service (DDoS) is one of the most prevalent attacks that an organizational network infrastructure comes across nowadays. We propose a deep learning based multi-vector DDoS detection system in a software-defined network (SDN) environment. SDN provides flexibility to program network devices for different objectives and eliminates the need for third-party vendor-specific hardware. We implement our system as a network application on top of an SDN controller. We use deep learning for feature reduction of a large set of features derived from network traffic headers. We evaluate our system based on different performance metrics by applying it on traffic traces collected from different scenarios. We observe high accuracy with a low false-positive for attack detection in our proposed system.

Networking and Internet Architecture

Hongfei Xiao,Tao Xiang,Shiqi Tang

DOI: https://doi.org/10.1002/tee.24026

IF: 0.923

2024-03-02

IEEJ Transactions on Electrical and Electronic Engineering

Abstract:The architecture of software‐defined network (SDN)enhances the openness of the network by separating the control and forwarding functions, but the centralized SDN control form is susceptible to distributed denial of service (DDoS) attacks. In this paper, entropy value and back‐propagation neural network (BPNN) were applied to the DDoS attack detection of SDN, and then the two detection algorithms were simulated in MATLAB software and compared with the K‐means algorithm. The results showed that in the face of four DDoS attacks, SYN Flood, ACK Flood, UDP Flood and ICMP Flood, the BPNN‐based DDoS detection had higher accuracy and less detection time; the switch that adopted the BPNN‐based DDoS detection algorithm adjusted the traffic ratio back to normal level faster when facing DDoS attacks, reducing the impact on other switches and maintaining the traffic stability of the network. © 2024 Institute of Electrical Engineers of Japan. Published by Wiley Periodicals LLC.

engineering, electrical & electronic