A deep learning technique to detect distributed denial of service attacks in software-defined networks

Abstract

Software-Defined Network (SDN) is an established networking paradigm that separates the control plane from the data plane. It has central network control, and programmability facilities, therefore SDN can improve network flexibility, management, performance, and scalability. The programmability and control centralization of SDN have improved network functions but also exposed it to security challenges such as Distributed Denial of Service (DDoS) attacks that target both control and data planes. This paper proposes an effective detection technique against DDoS attack in SDN control plane and data plane. For the control plane, the technique detects DDoS attacks through a Deep Learning (DL) model using new features extracted from traffic statistics. A DL method (AE-BGRU) for DDoS detection uses Autoencoder (AE) with Bidirectional Gated Recurrent Unit (BGRU). The proposed features for the control plane include unknown IP destination address, packets inter-arrival time, Transport layer protocol (TLP) header, and Type of service (ToS) header. For the data plane, the technique tracks the switch's average arrival bit rate with an unknown destination address in the data plane. Then, the technique detects DDoS attacks through a DL-based model which also uses AE with BGRU. The proposed features in the data plane include the switch's stored capacity, the average rate of packets with unknown destination addresses, the IP Options header, and the average number of flows. The dataset is generated from feature extraction and computations from normal and attack packets and used with the classifier. Also, additional Machine Learning (ML) methods are used to enhance the detection process. If the model detects an attack, the technique mitigates DDoS effects by updating the user's trust value and blocking suspicious senders based on the trust value. The experimental results proved that compared to related techniques, the suggested method had a higher accuracy and lower false alarm rate.