A Cooperative Detection of DDoS Attacks Based on CNN-BiLSTM in SDN

Abstract

In view of the problem that detecting DDoS attack traffic in traditional SDN depends on the controller continuously collecting traffic and running the detection model, resulting in excessive controller overhead, low detection efficiency, increased traffic forwarding delay, and easy to cause "single point of failure", a cooperative detection method of DDoS attack in SDN based on information entropy and deep learning is proposed, which divides part of the detection task into the data plane for detection based on information entropy and uses the improved CNN-BiLSTM model to detect DDoS attack traffic on control plane. The experimental results show that, compared with the SVC-RF method in recent years, the accuracy of the proposed CNN-BiLSTM model is increased by 0.74%, the detection rate is increased by 1.42%, and the false alarm rate is reduced by 1.5%. Compared with the BiLSTM model, the accuracy is increased by 0.75%, the detection rate is increased by 0.64%, and the false alarm rate is reduced by 1.14%. Compared with the RF method, the accuracy is increased by 2.34%, the detection rate is increased by 3.88%, and the false alarm rate is reduced by 4%. Compared with the traditional single point detection method which only depends on the controller, the proposed switch-controller cooperative detection method reduces the CPU occupancy of the controller by about 12% and the detection time by about 13 seconds.