DDoS Detection in SDN Switches using Support Vector Machine Classifier

Abstract

Keywords: SDN Switches, Distributed Denial-of-Service (DDoS), Support Vector Machine (SVM), Genetic Algorithm (GA) Abstract. Compared with traditional network, Software Defined network (SDN) technology contains data plane, control plane and application plane. The control plane centralized controls multiple switches instead of only one switch. Therefore, SDN has more security requirements. The existing network security equipment already can no longer adapt to the environment of SDN. Distributed Denial-of-Service Attacks (DDoS) is one of the most major threats. DDoS detection is necessary for SDN switches. Support vector machine (SVM) classification technology is widely used in various fields. In this article, we will detect DDoS attacks using SVM optimized parameter c and g with cross validation-genetic algorithm (CV-GA). The experiments show that CV-GA-SVM classification performs better than others. Intr oduction In recent years, Software defined network (SDN) as a new research highlight appears in the development of computer network (1). SDN was originated from the Clean Slate project at Stanford University in the United States. With further researches, SDN which gradually obtained the wide recognition of academia and industry, has become the mainstream direction of the Internet's development in the future. The network control plane is separated from the underlying network in SDN technologies. Instead of the traditional closed control plane, the open plane controls the entire network by the centralized controller, and allows a programmable network. SDN has good openness and flexibility to bring the huge change of network. According to the SDN's architecture which defined by Open Networking Foundation (ONF) (2), SDN is divided into the infrastructure layer, the control layer, the application layer, the north interface and the south interface which connect the layers of data exchange. Dist ributed Denial-of-Service (DDoS) is a destruction of the effectiveness of network service. It leads that a suffered host or network can't receive and deal with the request from outside world. So the host or network cannot provide normal service for a legitimate user. Thus the attack forms a denial of ser vice. Compared with the traditional network, SDN has more flexibility and controllability so that the SDN is more vulnerable to DDoS attacks (3). Therefore, the detection of DDoS attacks is one im portant research direction of SDN security. In this paper, compared with other existing methods, we first prove the superiority of SVM based on traffic flow for DDoS detection in SDN switches. Secondly, this paper proposes a parameter optimization for SVM classification based on traffic flow to improve the quality of detection. We come up with CV-GA (cross validation - genetic algorithm) with adjusting factor to optimize parameter. At last, we compare results with un-optimized SVM.