Detection and Mitigation of DDoS Attack in Software Defined Networks (SDN) using Statistical Approach

Abstract

Software-Defined Network (SDN) is a network management technology that makes the network efficient in performance and dynamic in nature. SDN attempts to centralize network intelligence in one network component by decoupling the data plane from the control plane. The SDN uses the OpenFlow protocol for communication with network layer components. The centralized behaviour has some vulnerabilities in terms of security, scalability, and elasticity, which are the primary security concerns of SDN. One of these critical issues is the impact of Distributed Denial of Service (DDoS) attack on SDN. In a DDoS attack, multiple targets are attacked with Trojans and target single or multiple victims’ on the network. The attacker uses numerous spoofed IPs for targeting the network. The attacker can cause significant damage to the entire network by bringing down the controller. The DDoS attack affects the switch and controller since the attacker sends the spoofed source IPs from different locations.The effectiveness of DDoS attacks in SDN appears faster and more significantly than the traditional networks. Therefore, it is vital to ensure the early detection method to prevent the DDoS attack in the SDN network. A generic DDoS detection approach is proposed in [1]. The existing method consists of flow collection, essential feature extraction, and self-organized maps (SOM) classification. The features for DDoS are 6-tuples entries, i.e., an average of packets per flow, an average of bytes per flow, an average of duration per flow, percentage of pair-flows, growth of single flowers, and growth of different Ports. The paper assumes that each attack packet received from an additional source should be a new flow entry, but it is always implementation-dependent. Also, various topology scenarios such as near to victim or near to attacker are not discussed. Due to the wide popularity of UDP flood attacks, many solutions have been proposed in the literature to counter such attacks in SDN networks. The solutions found in the literature are implemented on the edge switch at the data plane [2, 3]. The existing literature fails to achieve the best results for detecting the flooding attack in SDN. Hence. We proposed the Shannon entropy method to measure traffic’s randomness and compare the threshold with window entropy to detect the attacker source in the SDN data plane. The Shannon entropy is used to detect the DDoS flooding attack by comparing the window’s entropy with a threshold. If the entropy is less than the threshold, there is a possibility of attack. The first step is to detect the victim host followed by an attacker’s source. Once the targeted host is identified, mitigation can be performed by the rate-limiting method. Low rate DDoS attacks are a severe threat to SDN-based data centres’ data layer. It is very much essential to identify the attack before it happens. When a packet in event increases, it becomes a bottleneck for the controller, and the resources start depleting. The usual Shannon entropy is a less efficient method to detect the false alarm in such a situation. Hence, we have employed Renyi entropy (RE) as the information distance metric to discriminate between low rate DDoS attacks and regular traffic. Also, we have compared RE with other ID metrics like KLD, Hellinger, and Sibson distance. We have observed that this metric can identify attack traffic from legitimate traffic to a greater extent with an improved false-negative rate. DDoS attacks can be against the SDN controller or the flow table storage capacity in an OpenFlow switch. The increasing internet traffic poses a challenge to distinguish between legitimate and malicious traffic. Thus, a convolutional neural network (CNN) model detects the DDoS attack traffic in SDN using the standard dataset CICDDoS2017. It can identify malicious traffic using a two-level detection method. The first one is on entropy implemented by the controller to determine which switch the suspicious traffic entered the network from. The next is fine-grained packet-based deep detection distinguished DDoS attack traffic based on a convolutional neural network. This work is compared with SVM, DNN, and DT. The results are analyzed using various evaluation metrics like accuracy F1-score, precision, and recall with acceptable training time. The CNN model increases the accuracy for detecting the DDoS traffic and enhancing the network system’s security. The proposed model shows through emulation results that CNN model is capable of early detection and mitigation of the high-rate attack traffic at the edge switches itself. In the future, we will use this same model to detect DDoS attacks in multi-controller environments.