Abstract

Software‐defined networking (SDN) is a paradigm that emphasizes the separation of the control plane from the data plane, offering advantages such as flexibility and programmability. However, from a security perspective, SDN also introduces new vulnerabilities due to the communication required between these planes. SYN Flood attacks are typical distributed denial‐of‐service (DDoS) attacks that especially challenge network administrators, since they produce a large volume of semi‐open TCP connections to a target, compromising its availability. Most current solutions to detect and mitigate these attacks are designed to operate at the control plane, imposing additional overhead on controller functions. Moreover, traffic‐blocking mechanisms, a widely used alternative to protect network resources, have the drawback of restricting legitimate traffic. This work proposes DataPlane‐ML, an integrated solution to detect and mitigate DDoS attacks on SDN, acting directly in the data plane. DataPlane‐ML uses machine learning techniques for attack detection and a mitigation solution based on the node's reputation to avoid blocking legitimate traffic during an attack. Experimental results show that DataPlane‐ML is faster than statistical‐based solutions for attack detection while presenting better accuracy. Moreover, the DataPlane‐ML mitigation solution can preserve more than of legitimate traffic during an attack.
