An Ensemble-based Machine Learning Framework for Advanced Distributed Denial of Service Attack Detection in Software Defined Networks

A novel dual optimized IDS to detect DDoS attack in SDN using hyper tuned RFE and deep grid network

Due to the growing dependence of digital services on the Internet, Distributed Denial of Service (DDoS) attacks are a common threat that can cause significant disruptions to online operations and financial losses. Machine learning (ML) offers a promising way for early DDoS attack detection due to its ability to analyze large datasets and identify patterns. However, adding too many features to the ML might reduce its effectiveness in identifying the attacks provided by central network paradigms such as the Software-Defined Network (SDN). In this research, we investigate the effectiveness of the ML methods such as (Random Forest (RF), Naive Base (NB), and K-Nearest Neighbor’s (KNN)) combining SDN to enhance the classification of DDoS attacks. We leverage three diverse datasets: DDoS attack SDN, CICDDoS2019, and SDN-DDOS-TCP-SYN dataset. By leveraging cross-feature selection and feature ranking techniques, such as information gain, gain ratio, and Gini importance, we could identify the most relevant network features for DDoS attacks. We reduced the feature up to 5 effective features without compromising the classification accuracy. The experimental results show that the proposed models achieved an accuracy of 100% for both Random Forest (RF) and K-Nearest Neighbor (KNN), and 99.8% for Naive Bayes (NB). Due to their high accuracy and lower complexity, KNN and NB outperform ML algorithms in this study

Software Defined Networking (SDN) offers several advantages such as manageability, scaling, and improved performance. However, SDN involves specific security problems, especially if its controller is defenseless against Distributed Denial of Service (DDoS) attacks. The process and communication capacity of the controller is overloaded when DDoS attacks occur against the SDN controller. Consequently, as a result of the unnecessary flow produced by the controller for the attack packets, the capacity of the switch flow table becomes full, leading the network performance to decline to a critical threshold. In this study, DDoS attacks in SDN were detected using machine learning-based models. First, specific features were obtained from SDN for the dataset in normal conditions and under DDoS attack traffic. Then, a new dataset was created using feature selection methods on the existing dataset. Feature selection methods were preferred to simplify the models, facilitate their interpretation, and provide a shorter training time. Both datasets, created with and without feature selection methods, were trained and tested with Support Vector Machine (SVM), Naive Bayes (NB), Artificial Neural Network (ANN), and K-Nearest Neighbors (KNN) classification models. The test results showed that the use of the wrapper feature selection with a KNN classifier achieved the highest accuracy rate (98.3%) in DDoS attack detection. The results suggest that machine learning and feature selection algorithms can achieve better results in the detection of DDoS attacks in SDN with promising reductions in processing loads and times.

Software defined networking (SDN) is a new network architecture that allows for centralized network control. The separation of the data plane from the control plane, which establishes a programmable network environment, is the key breakthrough underpinning SDN. The controller facilitates the deployment of services that specify control policies and delivers these rules to the data plane using a common protocol such as OpenFlow at the control plane. Despite the many advantages of this design, SDN security remains a worry because the aforementioned chapter expands the network's attack surface. In fact, denial of service (DoS) assaults pose a significant threat to SDN settings in a variety of ways, owing to flaws in the data and control layers. This work shows how distributed denial of service (DDoS) attack detection is based on the entropy variation of the destination IP address. The study takes advantage of the OpenFlow protocol's (OFP) flexibility and an OpenFlow controller (POX) to apply the proposed method. An entropy computation to determine the distributed features of DDoS traffic is developed and it is capable of detecting a user datagram protocol (UDP) flood attack after 0.445 seconds this type of attack occurred.

To analyze and evaluate the security of the latest network architectures like Software Defined Network (SDN) architectures is a significant step in protecting these against various security threats. The security of SDN assumes greater significance as this dynamic network paradigm, in addition to its great future potential, experiences various design complexities and common Open-flow shortcomings, such as the issues related to a centralized controller. There is no doubt that SDN has been perceived as a standout among the most common ideal models for the networks because of its property of isolation of control and information planes. However, various malicious activities have managed to affect the network performance. Distributed Denial of Service (DDoS) attack has been one of the most crucial issues as far as the dependability on the Internet is concerned. This attack makes the service of any host or hub connected to the network difficult due to a wide variety of its approaches by hampering the normal functioning of the network. The inherent simplicity of SDN makes it easily vulnerable to DDoS attacks. This paper presents the techniques to detect the presence of flooding DDoS attacks in SDN. Three types of techniques have been shown to be implemented for mitigation of these attacks in SDN. Besides, a comparison of the performance of traditional networks and SDN under this type of DDoS attack has been illustrated in terms of throughput and Round-Trip-Time. It has been shown through experimentation that performance of SDN’s degrades drastically as compared to that of traditional networks under DDoS attacks.

Distributed denial of service (DDoS) attacks in cloud computing environments are growing due to the essential characteristics of cloud computing. With recent advances in software-defined networking (SDN), SDN-based cloud brings us new chances to defeat DDoS attacks in cloud computing environments. Nevertheless, there is a contradictory relationship between SDN and DDoS attacks. On one hand, the capabilities of SDN, including software-based traffic analysis, centralized control, global view of the network, dynamic updating of forwarding rules, make it easier to detect and react to DDoS attacks. On the other hand, the security of SDN itself remains to be addressed, and potential DDoS vulnerabilities exist across SDN platforms. In this paper, we discuss the new trends and characteristics of DDoS attacks in cloud computing, and provide a comprehensive survey of defense mechanisms against DDoS attacks using SDN. In addition, we review the studies about launching DDoS attacks on SDN, as well as the methods against DDoS attacks in SDN. To the best of our knowledge, the contradictory relationship between SDN and DDoS attacks has not been well addressed in previous works. This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.

Distributed Denial of Service (DDoS) attacks represent major risks for the current cloud computing architecture. The rate of DDoS attacks in cloud is growing because of the essential characteristics of cloud computing. In this paper, we propose to use Software Defined Network (SDN) architecture and Fast Entropy approach in order to secure cloud computing environment from DDoS attacks in real time. Thus, we exploited the centralized control and programmable characteristics of SDN architecture to supervise cloud traffics. The provided architecture collects and analyzes flow tables from switches. It also detects DDoS attacks by the controller using Fast Entropy algorithms. Through the performed experimental tests, we evaluated the performance of our solution in defending Cloud computing infrastructure against Distributed Denial of Service attacks.

Distributed Denial of Service (DDoS) attacks represent a major concern in modern Software Defined Networking (SDN), as SDN controllers are sensitive points of failures in the whole SDN architecture. Recently, research on DDoS attacks detection in SDN has focused on investigation of how to leverage data plane programmability, enabled by P4 language, to detect attacks directly in network switches, with marginal involvement of SDN controllers. In order to effectively address cybersecurity management in SDN architectures, we investigate the potential of Artificial Intelligence and Machine Learning (ML) algorithms to perform automated DDoS Attacks Detection (DAD), specifically focusing on Transmission Control Protocol SYN flood attacks. We compare two different DAD architectures, called Standalone and Correlated DAD, where traffic features collection and attack detection are performed locally at network switches or in a single entity (e.g., in SDN controller), respectively. We combine the capability of ML and P4-enabled data planes to implement real-time DAD. Illustrative numerical results show that, for all tested ML algorithms, accuracy, precision, recall and F1-score are above 98% in most cases, and classification time is in the order of few hundreds of upmu text {s} in the worst case. Considering real-time DAD implementation, significant latency reduction is obtained when features are extracted at the data plane by using P4 language.Graphic

Introduction: This research article intends to depict the usage of machine learning (ML) techniques in software defined network (SDN) to address the Distributed Denial of Service (DDoS) attack. Due to expansion in the complex network operations and configurations, SDN has come out as a propitious network model which uses software-based controllers or application programming interfaces (APIs) to manage activity in an organization and connect with the basic equipment framework. Unlike traditional systems which use dedicated hardware (such as switches) to control assemble activities, SDN can create and control a virtual organization or traditional equipment, through computer programmes. With SDN, the online intelligence is concentrated in a software component called SDN Pick, giving organization’s admin the ability to effectively manage, protect, and optimize assets as well as programmatically shape the entire organizational activity design. This research comprehensively portrays the usage of ML Algorithms to detect and prevent the DDoS attack. Based on the analysis, to determine the research gaps and opportunities to implement an efficient solution for security in SDN, we summarize the bland system of SDN, identify security problems, find out the optimal solution and provide insights on the long run improvement in this field along with detailed comparison. Objectives: The objective of this paper is to depict the usage of machine learning (ML) techniques in software defined network (SDN) to address the Distributed Denial of Service (DDoS) attack. Algorithms: To evaluate the performance and functionality of the proposed SDN, we have carried out independent experiments using Random Forest (RF) Algorithm, Decision Tree (DT) Algorithm, Naïve Bayes (NB) Algorithm, K- Nearest Neighbors (KNN) Algorithm and Linear Regression. Results: The first scenario performs better at detecting DDoS attack, while other scenarios are more effective at identifying low-frequency attacks. In best scenario using prevention method , over 64.13% of normal data is detected. Additionally, the proposed solution improves the detection and prevention rate of DDoS by 9.67%. Conclusions The subject of SDN had exclusively gotten colossal consideration from industry and the scholarly community. The anticipated commitments of our work are to reply the investigate questions. We carried out an in-depth examination of security applications conveyed in SDN utilizing m innovation and found out that most ponders included in our paper proposed SDN security and Ddos attack mitigation.

As 5G technology becomes more widespread, the significant improvement in network speed and connection density has introduced more challenges to network security. In particular, distributed denial of service (DDoS) attacks have become more frequent and complex in software-defined network (SDN) environments. The complexity and diversity of 5G networks result in a great deal of unnecessary features, which may introduce noise into the detection process of an intrusion detection system (IDS) and reduce the generalization ability of the model. This paper aims to improve the performance of the IDS in 5G networks, especially in terms of detection speed and accuracy. It proposes an innovative feature selection (FS) method to filter out the most representative and distinguishing features from network traffic data to improve the robustness and detection efficiency of the IDS. To confirm the suggested method's efficacy, this paper uses four common machine learning (ML) models to evaluate the InSDN, CICIDS2017, and CICIDS2018 datasets and conducts real-time DDoS attack detection on the simulation platform. According to experimental results, the suggested FS technique may match 5G network requirements for high speed and high reliability of the IDS while also drastically cutting down on detection time and preserving or improving DDoS detection accuracy.

Distributed Denial of Service (DDoS) attacks became a true threat to network infrastructure. DDoS attacks are capable of inflicting major disruption to the information communication technology infrastructure. DDoS attacks aim to paralyze networks by overloading servers, network links, and network devices with illegitimate traffic. Therefore, it is important to detect and mitigate DDoS attacks to reduce the impact of DDoS attacks. In traditional networks, the hardware and software to detect and mitigate DDoS attacks are expensive and difficult to deploy. Software-Defined Network (SDN) is a new paradigm in network architecture by separating the control plane and data plane, thereby increasing scalability, flexibility, control, and network management. Therefore, SDN can dynamically change DDoS traffic forwarding rules and improve network security. In this study, a DDoS attack detection and mitigation system was built on the SDN architecture using the random forest machine-learning algorithm. The random forest algorithm will classify normal and attack packets based on flow entries. If packets are classified as a DDoS attack, it will be mitigated by adding flow rules to the switch. Based on tests that have been done, the detection system can detect DDoS attacks with an average accuracy of 98.38% and an average detection time of 36 ms. Then the mitigation system can mitigate DDoS attacks with an average mitigation time of 1179 ms and can reduce the average number of attack packets that enter the victim host by 15672 packets and can reduce the average number of CPU usage on the controller by 44,9%.

Distributed Denial of Service (DDoS) attack is one of the significant threats to network security currently. The emerging network architecture Software-Defined Networking (SDN) with its centralized control and programmability makes it susceptible to malicious attacks, leading to network paralysis. In response to this issue, this paper proposes a hybrid machine learning model based on Support Vector Machine (SVM) and Gradient Boosting Decision Tree (GBDT) to detect attack traffic. The combination of GBDT and SVM enables dual-stage classification detection. Initially, GBDT conducts preliminary classification on large-scale data and filters misclassified samples. Subsequently, these filtered samples are inputted into the SVM classifier. Leveraging SVM’s robust generalization performance between training and testing data and its advantage in detecting anomalous traffic, further classification of data is achieved to accomplish attack detection. The integration of GBDT-SVM helps reduce misclassification of data samples by SVM that are close to the decision boundary during detection. Experimental results demonstrate that compared to other methods, the GBDT-SVM model achieves higher detection efficiency, with an average detection rate of up to 98.1%, lower false positive rates, thus enhancing detection accuracy and efficiency.

With the continuous evolution of digital technologies, the frequency and sophistication of cyber-attacks, particularly Distributed Denial of Service (DDoS) attacks, have significantly escalated, posing critical threats to global network infrastructures. The challenge lies in differentiating between legitimate network traffic and malicious DDoS traffic as it moves from attackers to targets. Network traffic classification plays a essential role in identifying such anomalies and is vital for safeguarding cyberspace. However, traditional detection techniques are no longer sufficient to manage the increasing complexity and diversity of modern network environments. In response, machine learning (ML) and deep learning (DL) methods have emerged as leading approaches in DDoS detection. Research Objective: This research aims to develop and evaluate a hybrid CNN-LSTM framework for detecting DDoS attacks using the CICDDoS2019 dataset. The specific objectives are: CNN Model Development: Design a CNN model to extract high-level features from the pre-processed data, transforming it into informative feature maps. Parallel Execution: Implement parallel execution of feature maps through both the dense layer and LSTM to enhance the model’s efficiency and performance. Real-time Detection Capability: Assess the model’s ability to detect DDoS attacks in real-time, focusing on its scalability and robustness in handling large volumes of network traffic. Methods: The novelty of this work lies in its hybrid parallel deep learning architecture, which effectively addresses the limitations of traditional methods while enhancing the detection of increasingly sophisticated DDoS attacks. The machine learning methods have emerged as leading approaches in DDoS detection. This paper provides a comprehensive comparison of ML and DL algorithms, evaluated on the CICDoS2019 dataset, to identify the most effective model for detecting DDoS attacks. Additionally, a hybrid deep learning model combining Convolutional Neural Networks (CNN) and Long Short-Term Memory (LSTM) is proposed. Results: This model leverages ML and DL ability to automatically extract and select significant features, achieving a remarkable detection accuracy of 99.84%. This high accuracy underscores the model's potential in real-time DDoS detection. Conclusion: The findings emphasize the critical role of ML and DL in securing modern network environments and highlight its significance in advancing cyber security defenses. The detection of Distributed Denial of Service (DDoS) attacks using machine learning models, specifically the hybrid CNN-LSTM architecture, demonstrates exceptional performance in both binary and multi-class classification tasks.

Keywords: SDN Switches, Distributed Denial-of-Service (DDoS), Support Vector Machine (SVM), Genetic Algorithm (GA) Abstract. Compared with traditional network, Software Defined network (SDN) technology contains data plane, control plane and application plane. The control plane centralized controls multiple switches instead of only one switch. Therefore, SDN has more security requirements. The existing network security equipment already can no longer adapt to the environment of SDN. Distributed Denial-of-Service Attacks (DDoS) is one of the most major threats. DDoS detection is necessary for SDN switches. Support vector machine (SVM) classification technology is widely used in various fields. In this article, we will detect DDoS attacks using SVM optimized parameter c and g with cross validation-genetic algorithm (CV-GA). The experiments show that CV-GA-SVM classification performs better than others. Intr oduction In recent years, Software defined network (SDN) as a new research highlight appears in the development of computer network (1). SDN was originated from the Clean Slate project at Stanford University in the United States. With further researches, SDN which gradually obtained the wide recognition of academia and industry, has become the mainstream direction of the Internet's development in the future. The network control plane is separated from the underlying network in SDN technologies. Instead of the traditional closed control plane, the open plane controls the entire network by the centralized controller, and allows a programmable network. SDN has good openness and flexibility to bring the huge change of network. According to the SDN's architecture which defined by Open Networking Foundation (ONF) (2), SDN is divided into the infrastructure layer, the control layer, the application layer, the north interface and the south interface which connect the layers of data exchange. Dist ributed Denial-of-Service (DDoS) is a destruction of the effectiveness of network service. It leads that a suffered host or network can't receive and deal with the request from outside world. So the host or network cannot provide normal service for a legitimate user. Thus the attack forms a denial of ser vice. Compared with the traditional network, SDN has more flexibility and controllability so that the SDN is more vulnerable to DDoS attacks (3). Therefore, the detection of DDoS attacks is one im portant research direction of SDN security. In this paper, compared with other existing methods, we first prove the superiority of SVM based on traffic flow for DDoS detection in SDN switches. Secondly, this paper proposes a parameter optimization for SVM classification based on traffic flow to improve the quality of detection. We come up with CV-GA (cross validation - genetic algorithm) with adjusting factor to optimize parameter. At last, we compare results with un-optimized SVM.

Software Defined Networking (SDN) is a promising solution for addressing challenges of future networks. Despite its advantages such as flexibility, simplification and low costs, it has several drawbacks that are largely induced by the centralized control paradigm. Security is one of the most significant challenges related to centralization. In that regard, Distributed Denial of Service (DDoS) attacks pose crucial security questions in software-defined networks. In SDN architecture, switches send all packets to the controller if they do not have any applicable rules in their flow tables. Basically, controller is the key place that can take initiative in decisions. However, this characteristic results in large communication overhead and delay until a DDoS attack is detected and an appropriate action is activated against attack packets. Therefore, in this work we propose a hybrid mechanism, namely SDNScore, where switches are not simply data forwarders. Instead, they can collect statistics and decide if DDoS attack is in action. Then they coordinate with the controller and act on attack packets in cooperation. SDNScore is a statistical and packet-based defense mechanism against DDoS attacks in SDN environment. Since it has a statistical scoring method, it can detect not only known but also unknown attacks entailing packets that are alike in terms of TCP and IP layer properties. In addition, it does not drop all packets in a flow which includes both attack and legal packets, but rather filters out attack packets using packet-based analysis.