Manish Snehi,Abhinav Bhandari,Jyoti Verma

DOI: https://doi.org/10.1016/j.cose.2024.103702

IF: 5.105

2024-01-12

Computers & Security

Abstract:Introduction The convergence of the Internet of Anything (IoX), software-defined communication layer, and sophisticated cloud platform has steered the dawn of the fourth industrial revolution era (Industry 4.0). The technological leap forward has given shelter to the umbrella of cyber-physical systems such as Smart Grids, Agriculture, and Healthcare. The exponential growth of vulnerable spots (the Internet of Things) in multi-layer cyber-physical systems is involuntarily contributing to malignant IoT-generated denial-of-service attacks. The IoT devices manifest a high degree of diversity in traffic patterns, and a single dataset is insufficient to cover fiducial attack scenarios. In addition, the research community is pressing to overcome other roadblocks, such as an optimal architecture for solution efficacy, performance issues, and the need for comprehensive validation of the proposed solutions. Methods The paper offers a five-stage defense framework for building a mitigation against IoT-based DDoS attacks. The article brings forth an amalgamated dataset concocted from InSDN, BoT-IoT, and UNSW-Sydney datasets and a simulated dataset for IoT-DDoS to the research community. The paper employs a multi-stage Stack-Ensembled framework at the heart of the solution pillared on physical devices' behavioral attributes, resulting in a universal defense approach. The experiment leverages fog computing with distributed computational nodes to reduce response latency. Furthermore, the paper implements attack-detection-as-a-service on top of the Docker framework for a cost-effective, reusable, and portable framework. The novel design of the framework presents a light mitigation scheme to the SDN controller, ensuring a negligible impact on the controller's performance. Results and Discussion The hand-crafted feature selection process reduced the features by 80%, demonstrating a high accuracy of 99.99% with benchmark datasets, 98.84% accuracy in the simulation environment, and collateral damage of 1.52%. The experiment observes encouraging values for vital performance parameters that researchers often miss to discuss. Furthermore, the paper thoroughly analyzes IoT-DDoS mitigation framework performance parameters.

computer science, information systems

Muhammad Aslam,Dengpan Ye,Aqil Tariq,Muhammad Asad,Muhammad Hanif,David Ndzi,Samia Allaoua Chelloug,Mohamed Abd Elaziz,Mohammed A A Al-Qaness,Syeda Fizzah Jilani

DOI: https://doi.org/10.3390/s22072697

2022-03-31

Abstract:The development of smart network infrastructure of the Internet of Things (IoT) faces the immense threat of sophisticated Distributed Denial-of-Services (DDoS) security attacks. The existing network security solutions of enterprise networks are significantly expensive and unscalable for IoT. The integration of recently developed Software Defined Networking (SDN) reduces a significant amount of computational overhead for IoT network devices and enables additional security measurements. At the prelude stage of SDN-enabled IoT network infrastructure, the sampling based security approach currently results in low accuracy and low DDoS attack detection. In this paper, we propose an Adaptive Machine Learning based SDN-enabled Distributed Denial-of-Services attacks Detection and Mitigation (AMLSDM) framework. The proposed AMLSDM framework develops an SDN-enabled security mechanism for IoT devices with the support of an adaptive machine learning classification model to achieve the successful detection and mitigation of DDoS attacks. The proposed framework utilizes machine learning algorithms in an adaptive multilayered feed-forwarding scheme to successfully detect the DDoS attacks by examining the static features of the inspected network traffic. In the proposed adaptive multilayered feed-forwarding framework, the first layer utilizes Support Vector Machine (SVM), Naive Bayes (NB), Random Forest (RF), k-Nearest Neighbor (kNN), and Logistic Regression (LR) classifiers to build a model for detecting DDoS attacks from the training and testing environment-specific datasets. The output of the first layer passes to an Ensemble Voting (EV) algorithm, which accumulates the performance of the first layer classifiers. In the third layer, the adaptive frameworks measures the real-time live network traffic to detect the DDoS attacks in the network traffic. The proposed framework utilizes a remote SDN controller to mitigate the detected DDoS attacks over Open Flow (OF) switches and reconfigures the network resources for legitimate network hosts. The experimental results show the better performance of the proposed framework as compared to existing state-of-the art solutions in terms of higher accuracy of DDoS detection and low false alarm rate.

Saima Siraj Qureshi,Jingsha He,Sirajuddin Qureshi,Nafei Zhu,Zulfiqar Ali Zardari,Tariq Mahmood,Ahsan Wajahat

DOI: https://doi.org/10.3233/jifs-220932

2023-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:The intelligence-embedded devices also called the Internet of Things, have heterogeneous characteristics and generate enormous data. To oblige the expansion of smart devices in the age of data, software-defined networking (SDN) has emerged as a promising cost-effective, scalable, versatile solution for IoT services. However, the proliferation and pervasiveness of IoT devices also bring some serious security concerns of cyber threats and attacks. This work presents a real-time intrusion detection and mitigation solution for SDN-enabled IoT infrastructure to provide autonomous security in high-traffic IoT networks in the 5G and beyond future. The suggested approach used an ensemble of Convolution Long short-term memory + Bidirectional Long short-term memory (ConvLSTM2D+BLSTM) at the SDN network layer to automate flow feature extraction and classification. For evolving distributed denial of service (DDoS) attacks, the testing is conducted on the CICIDS2017 dataset. The experimental results showed that the proposed security approach could detect and mitigate threats in real-time with high accuracy of 99.69% rate, 99.93% precision, and 99.65% F1-score by performing 10-fold cross-validation.

Wajid Rafique,Xin He,Zifan Liu,Yuhu Sun,Wanchun Dou

DOI: https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.00080

2019-01-01

Abstract:Managing the Internet of Things (IoT) infrastructure has become a critical challenge due to an enormous increase in the connected devices and the lack of available security solutions. Software-Defined Networking (SDN) has been extensively involved in network infrastructure management. Moreover, numerous recent studies demonstrate the use of SDN for managing IoT networks. In SDN, policy consistency and security of the data plane is maintained through Waypoint Enforcement (WPE) which ensures that the traffic traverses policy nodes/switches to implement high-level network requirements. Previous studies on SDN primarily secure SDN infrastructure against traditional Distributed Denial of Service (DDoS) attacks. However, we investigate Crossfire Attack (CFA), which is a novel DDoS attack capable of interrupting communication of data plane switches using low-rate legitimate traffic. CFA has the potential to isolate policy switch from the rest of the data plane devices which introduces many security anomalies and routing inconsistencies. We first demonstrate how CFA is lethal on policy switch attacks and then present the design and implementation of a novel CFA countermeasure called CFADefense, which employs link selection, attack detection, and malicious flows interception modules. CFADefense has been developed as an application at the application layer of the open-source Floodlight controller. Our evaluation demonstrates that CFADefense accurately detects and efficiently mitigates CFA and poses minimal overhead on the controller in dealing with this attack.

Dingwen Hu,Peilin Hong,Yixin Chen

DOI: https://doi.org/10.1109/glocom.2017.8254023

2017-01-01

Abstract:Distributed Denial-of-Service (DDoS) flooding attack is one of the most serious threats to network security. Software-Defined Networking (SDN) has recently emerged as a new network management platform, and its centralized control architecture brings many new opportunities for defending against network attacks. In this paper, we propose FADM, an efficient and lightweight framework to detect and mitigate DDoS attacks in SDN. Firstly, the network traffic information is collected through the SDN controller and sFlow agents. Then an entropy-based method is used to measure network features, and the SVM classifier is applied to identify network anomalies. By adopting these methods together, the timeliness and accuracy of attack detection are effectively improved. To keep the major network functionality working, we propose an efficient attack mitigation mechanism based on the white-list and traffic migration. By introducing the mitigation agent to the network, attack traffic can be timely blocked while benign traffic can be forwarded as usual, which prevents the controller resources from being exhausted and ensures that legitimate users can access the network normally. The experimental results show that multiple DDoS attacks can be accurately detected and effectively mitigated by FADM, which enables the network to recover in a short time.

Sehrish Batool,Farrukh Zeeshan Khan,Syed Qaiser Ali Shah,Muneer Ahmed,Roobaea Alroobaea,Abdullah M. Baqasah,Ihsan Ali,Muhammad Ahsan Raza

DOI: https://doi.org/10.1155/2022/2593672

IF: 1.968

2022-01-25

Security and Communication Networks

Abstract:Distributed Denial of Service (DDoS) attack is known to be one of the most lethal attacks in traditional network architecture. In this attack, the attacker uses botnets to overwhelm network resources. Botnets can be randomly compromised computers or IoT devices that are used to generate excessive traffic towards the victim, and as a result, legitimate users cannot access the services. In this research, software-defined networking (SDN) has been suggested as a solution to fight DDoS attacks. SDN uses the idea of centralized control and segregation of the data plane from the control plane. SDN is more flexible, and policy implementation on the centralized controller is easy. SDN is now being widely used in modern network paradigms because it has enhanced security. In this work, an entropy-based statistical approach has been suggested to detect and mitigate TCP SYN flood DDoS attacks. The proposed algorithm uses a three-phased detection scheme to minimize the false-positive rate. Entropy, standard deviation, and weighted moving average have been used for intrusion detection. Multiple experiments were performed, and the results show that the suggested approach is more reliable and lightweight and has a minimal false-positive rate.

computer science, information systems,telecommunications

Ancy Sherin Jose,Latha R Nair,Varghese Paul

DOI: https://doi.org/10.47059/revistageintec.v11i4.2411

2021-07-29

Revista Gestão Inovação e Tecnologias

Abstract:Distributed Denial of Service Attack (DDoS) has emerged as a major threat to cyber space. A DDoS attack aims at exhausting the resources of the victim causing financial and reputational damages to it. The availability of free software make launching of DDoS attacks easy. The difficulty in differentiating a DDoS traffic from a legitimate traffic burst such as a flash crowd makes DDoS difficult to be identified. A wide range of techniques have been used in conventional networks to detect and mitigate DDoS attacks. Though the advent of Software Defined Networking (SDN) makes a network easy to be managed even SDN is vulnerable to DDoS attacks. In this case, the controller of the SDN gets overloaded with the incoming packets from the switches. In fact, a solution based on security analytics can be put in place to ward off this threat as a proactive security measure using the flow level statistics available from the SDN. Compared to the packet analysis used in traditional networks which is resource expensive the flow level statistics is relatively inexpensive. This paper focuses on the design and implementation of an attack detection system for detecting the flooding DDoS attacks TCP SYN flooding attacks, HTTP request flooding attacks, UDP flooding attacks and ICMP flooding attacks over SDN network traffic. The system uses various classification algorithms to classify a traffic into normal or attack. The feature sets for classification were arrived at using a feature selection module with ANOVA (Analysis of Variance) F-Test statistical method. Performance evaluation of each of the classifiers was carried out for the three feature sets obtained from the feature selection module using various performance measures and the results have been tabulated. The feature set which gives the best performance in detecting malicious traffic has been identified.

Naziya Aslam,Shashank Srivastava,M. M. Gore

DOI: https://doi.org/10.1002/ett.4534

IF: 3.6

2022-05-24

Transactions on Emerging Telecommunications Technologies

Abstract:The programmable behavior of Software‐Defined Networking (SDN) enables it to change behavior on the fly, provides instructions for the task's automatic performance, dynamic scaling, and service integration. These advantages have made SDN necessary in networks. Unfortunately, SDN suffers from the threat of DDoS attacks. We have developed an approach to detect and mitigate these threats in SDN by creating an ONOS Flood Defender application (OFD app). This app effectively detects DDoS attacks using machine learning techniques and mitigates them by tracebacking the attack traffic to its origin. The proposed framework of the OFD app is implemented in a Mininet emulator and ONOS SDN controller. The application performs effectively in terms of time, accuracy, and overhead of the system and efficiently mitigates the attacks, preventing a tremendous amount of damage to legitimate users. Software‐Defined Networking (SDN) has made its place in the networks as new technology. SDN's programmable behavior enables it to change behavior on the fly, provides instructions for the task's automatic performance, dynamic scaling, and service integration. These advantages have made SDN necessary in networks. However, SDN suffers from the threat of DDoS attack. We have developed an approach to mitigate these threats by creating an ONOS Flood Defender Application (OFD App). This app effectively detects DDoS attack using supervised and ensemble machine learning techniques and mitigates them by tracebacking the attack traffic to its origin. Our results show that ensemble machine learning techniques perform better than single machine learning algorithm to detect DDoS attack. Random Forest classifier (RFC), an ensemble technique, performs best with the highest accuracy of 99.3% in detecting DDoS attack, followed by XGBoost classifier with an accuracy of 99%. The proposed framework of the OFD app is implemented in a Mininet emulator and ONOS SDN controller. The application performs effectively in terms of time, accuracy, and overhead of the system. Our app efficiently mitigates the attacks, thereby preventing a tremendous amount of damage to legitimate users.

telecommunications

A. Pavlidis,Marinos Dimolianis,B. Maglaris

DOI: https://doi.org/10.1109/ICIN51074.2021.9385540

2021-03-01

Abstract:Distributed Denial of Service (DDoS) attacks are widely used by malicious actors to disrupt network infrastructures/services. A common attack is TCP SYN Flood that attempts to exhaust memory and processing resources. Typical mitigation mechanisms, i.e. SYN cookies require significant processing resources and generate large rates of backscatter traffic to block them. In this paper, we propose a detection and mitigation schema that focuses on generating and optimizing signature-based rules. To that end, network traffic is monitored and appropriate packet-level data are processed to form signatures i.e. unique combinations of packet field values. These are fed to machine learning models that classify them to malicious/benign. Malicious signatures corresponding to specific destinations identify potential victims. TCP traffic to victims is redirected to high-performance programmable XDPenabled firewalls that filter off ending traffic according to signatures classified as malicious. To enhance mitigation performance malicious signatures are subjected to a reduction process, formulated as a multi-objective optimization problem. Minimization objectives are (i) the number of malicious signatures and (ii) collateral damage on benign traffic. We evaluate our approach in terms of detection accuracy and packet filtering performance employing traces from production environments and high rate generated attack traffic. We showcase that our approach achieves high detection accuracy, significantly reduces the number of filtering rules and outperforms the SYN cookies mechanism in high-speed traffic scenarios.

Computer Science,Engineering

Ahmad Almadhor,Ali Altalbe,Imen Bouazzi,Abdullah Al Hejaili,Natalia Kryvinska

DOI: https://doi.org/10.1038/s41598-024-76016-6

IF: 4.6

2024-10-18

Scientific Reports

Abstract:Due to the rising use of the Internet of Things (IoT), the connectivity of networks increases the risk of Distributed Denial of Service (DDoS) attacks. Decentralized systems commonly used in centralized security systems fail to adequately prevent potential cyber threats in IoT because of the issues of privacy and scaling. The method proposed in this study seeks to remedy these facts by employing Explainable Artificial Intelligence (XAI) together with Federated Deep Neural Networks (FDNNs) to detect and prevent DDoS attacks. Our approach is thus to use federated learning models that are to be trained on distributed and dissimilar sources of data without compromising on the privacy aspect. FDNNs were trained over three rounds with information from three client gadgets incorporating pre-processed datasets of various types of DDoS attacks. Additionally, for feature selection, we integrated XGBoost with SHapley Additive exPlanations (SHAP) to improve model interpretability. The proposed solution can be considered to be quite robust, privacy-preserving, and highly scalable for the detection of DDoS attacks on the IoT network. The results shown on the server side indicate that this approach accurately detects 99.78% of DDoS attacks with a precision rate as high as 99.80%, recall rate (detection rate) going up to 99.74% and F1 score reaching 99.76%. They emphasize that FL-based IDSs are strong enough to cope with cybersecurity challenges in IoT, thus offering hope for securing modern network infrastructures against ever-growing cyber threats.

multidisciplinary sciences

Jorge Maestre Vidal,Ana Lucila Sandoval Orozco,Luis Javier García Villalba

DOI: https://doi.org/10.1016/j.swevo.2017.07.002

2024-02-12

Abstract:Denial of service attacks pose a threat in constant growth. This is mainly due to their tendency to gain in sophistication, ease of implementation, obfuscation and the recent improvements in occultation of fingerprints. On the other hand, progress towards self-organizing networks, and the different techniques involved in their development, such as software-defined networking, network-function virtualization, artificial intelligence or cloud computing, facilitates the design of new defensive strategies, more complete, consistent and able to adapt the defensive deployment to the current status of the network. In order to contribute to their development, in this paper, the use of artificial immune systems to mitigate denial of service attacks is proposed. The approach is based on building networks of distributed sensors suited to the requirements of the monitored environment. These components are capable of identifying threats and reacting according to the behavior of the biological defense mechanisms in human beings. It is accomplished by emulating the different immune reactions, the establishment of quarantine areas and the construction of immune memory. For their assessment, experiments with public domain datasets (KDD'99, CAIDA'07 and CAIDA'08) and simulations on various network configurations based on traffic samples gathered by the University Complutense of Madrid and flooding attacks generated by the tool DDoSIM were performed.

Cryptography and Security

Peyman Khordadpour,Saeed Ahmadi

DOI: https://doi.org/10.48550/arXiv.2305.16389

2023-05-26

Abstract:In recent times, I've encountered a principle known as cloud computing, a model that simplifies user access to data and computing power on a demand basis. The main objective of cloud computing is to accommodate users' growing needs by decreasing dependence on human resources, minimizing expenses, and enhancing the speed of data access. Nevertheless, preserving security and privacy in cloud computing systems pose notable challenges. This issue arises because these systems have a distributed structure, which is susceptible to unsanctioned access - a fundamental problem. In the context of cloud computing, the provision of services on demand makes them targets for common assaults like Denial of Service (DoS) attacks, which include Economic Denial of Sustainability (EDoS) and Distributed Denial of Service (DDoS). These onslaughts can be classified into three categories: bandwidth consumption attacks, specific application attacks, and connection layer attacks. Most of the studies conducted in this arena have concentrated on a singular type of attack, with the concurrent detection of multiple DoS attacks often overlooked. This article proposes a suitable method to identify four types of assaults: HTTP, Database, TCP SYN, and DNS Flood. The aim is to present a universal algorithm that performs effectively in detecting all four attacks instead of using separate algorithms for each one. In this technique, seventeen server parameters like memory usage, CPU usage, and input/output counts are extracted and monitored for changes, identifying the failure point using the CUSUM algorithm to calculate the likelihood of each attack. Subsequently, a fuzzy neural network is employed to determine the occurrence of an attack. When compared to the Snort software, the proposed method's results show a significant improvement in the average detection rate, jumping from 57% to 95%.

Cryptography and Security

Jianhua Li,Lingjuan Lyu,Ximeng Liu,Xuyun Zhang,Xixiang Lyu

DOI: https://doi.org/10.1109/TII.2021.3088938

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Due to resource constraints and working surroundings, many IIoT nodes are easily hacked and turn into zombies from which to launch attacks. It is challenging to detect such networked zombies rooted behind the Internet for any individual defender. In this article, we combine federated learning (FL) and fog/edge computing to combat malicious codes. Our protocol trains a global optimized model based on distributed datasets of collaborators while removing the data and communication constraints. The FL-based detection protocol maximizes the values of distributed data samples, resulting in an accurate model timely. On top of the protocol, we place mitigation intelligence in a distributed and collaborative manner. Our approach improves accuracy, eliminates mitigation time, and enlarges attackers' expense within a defense alliance. Comprehensive evaluations confirm that the cost incurred is 2.7 times larger, the mitigation response time is 72% lower, and the accuracy is 47% higher on average. Besides, the protocol evaluation shows the detection accuracy is approximately 98% in the FL, which is almost the same as centralized training.

Dragi Kimovski,Humaira Ijaz,Nishant Surabh,Radu Prodan

DOI: https://doi.org/10.48550/arXiv.1803.03444

2018-03-09

Distributed, Parallel, and Cluster Computing

Abstract:During the last decade, Cloud computing has efficiently exploited the economy of scale by providing low cost computational and storage resources over the Internet, eventually leading to consolidation of computing resources into large data centers. However, the nascent of the highly decentralized Internet of Things (IoT) technologies that cannot effectively utilize the centralized Cloud infrastructures pushes computing towards resource dispersion. Fog computing extends the Cloud paradigm by enabling dispersion of the computational and storage resources at the edge of the network in a close proximity to where the data is generated. In its essence, Fog computing facilitates the operation of the limited compute, storage and networking resources physically located close to the edge devices. However, the shared complexity of the Fog and the influence of the recent IoT trends moving towards deploying and interconnecting extremely large sets of pervasive devices and sensors, requires exploration of adaptive Fog architectural approaches capable of adapting and scaling in response to the unpredictable load patterns of the distributed IoT applications. In this paper we introduce a promising new nature-inspired Fog architecture, named SmartFog, capable of providing low decision making latency and adaptive resource management. By utilizing novel algorithms and techniques from the fields of multi-criteria decision making, graph theory and machine learning we model the Fog as a distributed intelligent processing system, therefore emulating the function of the human brain.

DOI: https://doi.org/10.1186/s13677-023-00420-y

2023-03-23

Journal of Cloud Computing

Abstract:Nowadays, with the proliferation of internet of things-connected devices, the scope of cyber-attacks on the internet of things has grown exponentially. So, it makes it a necessity to develop an efficient and accurate intrusion detection system that should be fast, dynamic, and scalable in an internet of things environment. On the other hand, Fog computing is a decentralized platform that extends Cloud computing to deal with the inherent issues of the Cloud computing. As well, maintaining a high level of security is critical in order to ensure secure and reliable communication between Fog nodes and internet of things devices. To address this issue, we present an intrusion detection method based on artificial neural networks and genetic algorithms to efficiently detect various types of network intrusions on local Fog nodes. Through this approach, we applied genetic algorithms to optimize the interconnecting weights of the network and the biases associated with each neuron. Therefore, it can quickly and effectively establish a back-propagation neural network model. Moreover, the distributed architecture of fog computing enables the distribution of the intrusion detection system over local Fog nodes with a centralized Cloud, which achieves faster attack detection than the Cloud intrusion detection mechanism. A set of experiments were conducted on the Raspberry Pi4 as a Fog node, based on the UNSW-NB15 and ToN_IoT data sets for binary-class classification, which showed that the optimized weights and biases achieved better performance than those who used the neural network without optimization. The optimized model showed interoperability, flexibility, and scalability. Furthermore, achieving a higher intrusion detection rate through decreasing the neural network error rate and increasing the true positive rate is also possible. According to the experiments, the suggested approach produces better outcomes in terms of detection accuracy and processing time. In this case, the proposed approach achieved an 16.35% and 37.07% reduction in execution time for both data sets, respectively, compared to other state-of-the-art methods, which enhanced the acceleration of the convergence process and saved processing power.

Qaisar Shafi,Saad Qaisar,Abdul Basit

DOI: https://doi.org/10.1007/978-3-030-24305-0_45

2019-01-01

Abstract:Adaptation of intelligent devices with smart connectivity has tremendously increased the Internet of Things (IoT) traffic. For the security of IoTs massive applications, anomaly detection in these large number of devices is resource intensive task. This anomaly detection neither can be done in a cloud where analytical applications run nor in IoT device due to its limited computation capability. The Software Defined Networking (SDN) promises better management of network due to centralized control. In this paper, we proposed a software-defined machine learning (ML) based anomaly detection framework that provides network control in two scenarios, first is cloud infrastructure, and other is collocated fog(network edge) infrastructure. We compare our work in terms of delay in cloud against a collocated fog (processing) node; furthermore, we have also evaluated both scenarios with respect to packet error rate and throughput. Moreover, we discuss that these factors are critical in attack detection and mitigation. In the end, we conclude that in machine learning based anomaly detection, fog nodes provide better computational (attack detection) results in comparison with a cloud infrastructure.

Hao Wu,Aiqin Hou,Weike Nie,Chase Wu

DOI: https://doi.org/10.1109/icnc57223.2023.10074226

2023-01-01

Abstract:As a new network paradigm, software-defined networking (SDN) technology has been increasingly adopted. Unfortunately, SDN-enabled networks are more prone to threats from DDoS attacks than traditional networks due to the nature of centralized management. We propose an integrated defense framework to detect and mitigate various types of DDoS attacks in SDN-enabled networks. The proposed framework deploys two technical modules in the control plane of SDN for defending against high-rate and low-rate DDoS attacks, respectively. The former module consists of three components, which watch out for suspicious traffic, detect attacks using ensemble learning, and intercept malicious packets, respectively. The latter module is designed specifically to defend against the Slow Ternary Content Addressable Memory (TCAM) exhaustion attack (Slow-TCAM) using a new Alleviative Threat for TCAM (ATFT) algorithm. The proposed framework is implemented and tested in simulated networks using Mininet and further evaluated on the CICDDoS2019 dataset. Experimental results illustrate the superior performance of the proposed framework in defending against different types of DDoS attacks in comparison with other state-of-the-art algorithms.

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Tianfang Yu,Lanlan Rui,Xuesong Qiu

DOI: https://doi.org/10.1155/2021/5097267

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:In traditional networks, DDoS attacks are often launched in the network layer or the transport layer. Researchers had explored this problem in depth and put forward plenty of solutions. However, these solutions are only suitable for scenarios such as a single link or victim side network and could not analyse traffic distribution from the angle of the global network. Also, the TCP/IP network architecture lacks abilities to quickly conduct resource deployment and traffic scheduling. When DDoS attacks occur, victims usually could not respond in time. With the superiorities of centralized control mode and global topological view, Software-Defined Networking (SDN) provides a new way to get over the above issues. In this paper, we adopt a combination of diverse technologies to design SDNDefender, a SDN-based DDoS detection and defense mechanism, which is composed of two core components aiming to counter the most popular DDoS attacks including IP spoofing attack and TCP SYN flood attack. We carry out quantitative simulation experiments for evaluating SDNDefender from many metrics. The experimental results show that in contrast to other DDoS defense algorithms, SDNDefender not only efficiently validates spoofed packets and withstands well-known attacks but also defends unknown attacks according to the target’s available resources. Besides, SDNDefender could significantly reduce TCP half-open connections and improve detection accuracy, alleviating attack influences that exhaust the server’s resources and network bandwidth.

Jing Zheng,Qi Li,Guofei Gu,Jiahao Cao,David K. Y. Yau,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2018.2805600

IF: 7.231

2018-07-01

IEEE Transactions on Information Forensics and Security

Abstract:Distributed denial-of-service (DDoS) defense is still a difficult problem though it has been extensively studied. The existing approaches are not capable of detecting various types of DDoS attacks. In particular, new emerging sophisticated DDoS attacks (e.g., Crossfire) constructed by low-rate and short-lived benign traffic are even more challenging to capture. Moreover, it is difficult to enforce realtime defense to throttle these detected attacks since the attack traffic can be concealed in benign traffic. Software defined networking (SDN) opens a new door to address these issues. In this paper, we propose Reinforcing Anti-DDoS Actions in Realtime (RADAR) to detect and throttle DDoS attacks via adaptive correlation analysis built upon unmodified commercial off-the-shelf SDN switches. It is a practical system to defend against a wide range of flooding-based DDoS attacks, e.g., link flooding (including Crossfire), SYN flooding, and UDP-based amplification attacks, while requiring neither modifications in SDN switches/protocols nor extra appliances. It accurately detects attacks by identifying attack features in suspicious flows, and locates attackers (or victims) to throttle the attack traffic by adaptive correlation analysis. We implement RADAR prototype using open source Floodlight controller, and evaluate its performance under various DDoS attacks by real hardware testbed based experiments. We observe that our scheme can successfully detect and effectively defend against various DDoS attacks with acceptable overhead.

computer science, theory & methods,engineering, electrical & electronic