A Flexible SDN-Based Architecture for Identifying and Mitigating Low-Rate DDoS Attacks Using Machine Learning

Jesus Arturo Perez-Diaz,Dakai Zhu,Ismael Amezcua Valdovinos,Kim-Kwang Raymond Choo

doi:10.1109/access.2020.3019330

Jesus Arturo Perez-Diaz, Dakai Zhu + Show 2 more

Open Access

https://doi.org/10.1109/access.2020.3019330

Copy DOI

Abstract

While there have been extensive studies of denial of service (DoS) attacks and DDoS attack mitigation, such attacks remain challenging to mitigate. For example, Low-Rate DDoS (LR-DDoS) attacks are known to be difficult to detect, particularly in a software-defined network (SDN). Hence, in this paper we present a flexible modular architecture that allows the identification and mitigation of LR-DDoS attacks in SDN settings. Specifically, we train the intrusion detection system (IDS) in our architecture using six machine learning (ML) models (i.e., J48, Random Tree, REP Tree, Random Forest, Multi-Layer Perceptron (MLP), and Support Vector Machines (SVM)) and evaluate their performance using the Canadian Institute of Cybersecurity (CIC) DoS dataset. The findings from the evaluation demonstrate that our approach achieves a detection rate of 95%, despite the difficulty in detecting LR-DoS attacks. We also remark that in our deployment, we use the open network operating system (ONOS) controller running on Mininet virtual machine in order for our simulated environment to be as close to real-world production networks as possible. In our testing topology, the intrusion prevention detection system mitigates all attacks previously detected by the IDS system. This demonstrates the utility of our architecture in identifying and mitigating LR-DDoS attacks.

Highlights

Low-rate denial of service (LR-distributed DoS (DDoS)) attacks is one of the more challenging denial of service (DoS) attack types to detect, and these attacks are designed to exhaust computing resources on servers
We present a flexible security software-defined network (SDN)-based architecture aimed at Low-Rate DDoS (LR-DDoS) attack detection and mitigation through the use of multiple machine learning and deep learning techniques
We evaluate the performance of six machine and deep learning techniques for LR-DDoS attacks (i.e., J48, Random Trees, REP Tree, Random Forest, Multi-Layer Perceptron (MLP), and Support Vector Machines (SVM)) in LR-DDoS attack detection and mitigation

Summary

Introduction

Low-rate denial of service (LR-DDoS) attacks is one of the more challenging denial of service (DoS) attack types to detect, and these attacks are designed to exhaust computing resources on servers. Unlike high-rate distributed DoS (DDoS) attacks, an LR-DDoS attack does not flood the network with high traffic loads. Instead, it carefully triggers specific protocol mechanisms such as TCP’s timeout retransmission [1], [2], congestion control [3] mechanisms, and. DDoS attack detection approaches can be broadly categorized into signature-based and anomaly-based approaches [5], [6]. The former uses the identified patterns or strings from protocol header fields as signatures to match incoming traffic and determine if the flow is malicious (or not).

Methods

Results

Conclusion