Defending saturation attacks on SDN controller: A confusable instance analysis-based algorithm

Abstract

Software-Defined Networking (SDN) is an emerging network architecture that offers flexible network management. Although the decoupling of the control plane and data plane provides network programmability for SDN, it also makes SDN become vulnerable to several attacks. The saturation attack is one of these attacks. It is a concealed attack that has a highly negative impact by overwhelming the SDN controller. Once the SDN controller is crashed, the network cannot work. Currently, the cusp catastrophe theory has already been used for detecting saturation attack against SDN controller. When using the cusp catastrophe theory to detect saturation attack in SDN, most instances will be identified as unstable instances. The additional detection of unstable instances is achieved using the distance between current state and previous state, leading to the low detection accuracy. To overcome that issues, in this work, we propose LICENSE, a saturation attack detection mechanism designed based on confusable instance analysis. More specifically, a Condition Transferring Mechanism (CTM) method is designed to first classify the input instances into two kinds, the unconfusable instance that clearly belongs to attack or benign instance and the confusable instance which is not easy to distinguish. Then a Network State Base Cusp model is proposed to further distinguish the confusable instance to stable instance and unstable instance. At last, a method recorded as Unstable Instance Detection (UID) is proposed for identifying unstable instances. The evaluation results demonstrate that LICENSE can reduce the number of unstable instances and improve the detection accuracy of unstable instances, thus achieving a higher overall detection performance. In conclusion, LICENSE can effectively detect saturation attack in SDN.