Abstract

Denial of Service (DoS) attacks are a serious threat to Software Defined Network (SDN). Although many research efforts have been devoted to identifying new features for DoS attack detection, the existing approaches are not able to detect the various types of DoS attack. In SDN, DoS attacks against the data plane are mainly organized in two ways: 1) a DoS attack with multiple flow entries (M-DoS), which exhausts the Ternary Content-Addressable Memory (TCAM) resource of the switch; 2) a DoS attack with a single well-designed entry (S-DoS), which overwhelms the target link and further impacts the controller. To detect both attacks, we propose a new approach that extracts six features from the flow table and uses a back propagation (BP) neural network to construct the classifier. Test-bed experiments indicate that the proposed approach achieves a detection accuracy of 98.9% and can effectively distinguish M-DoS flows from S-DoS flows without being affected by a Flash crowd scene.

Highlights

  • Software Defined Network (SDN), as a new type of network management architecture, provides the network with flexible control, a simple network architecture, and great programmability by decoupling the control plane from the data plane of the traditional network

  • Many efforts have been devoted to these two attacks, but we found two shortcomings in existing studies: 1) a high false positive rate in the Flash crowd scenario; 2) no approach can detect both M-DoS and S-DoS

  • We analyze real network data from the CAIDA datasets [33], [35]. We found that although both Flash crowd and M-DoS install many flow rules, the number of packets matched by their flow entries differs: under M-DoS attack the number of packets per entry usually stays between 1 and 2 and is no more than 3, while in the Flash crowd scene it usually stays between 5 and 20


Summary

INTRODUCTION

Software Defined Network (SDN), as a new type of network management architecture, provides the network with flexible control, a simple network architecture, and great programmability by decoupling the control plane from the data plane of the traditional network. DoS attacks against the data plane, the control plane or SDN applications commonly have different principles and features, which call for specialized detection methods. The flow table of an SDN switch stores a large amount of flow information, from which useful features can be extracted for DoS detection. We extract six features from SDN flow tables and use a BP neural network classifier to design the detection model, which can accurately identify M-DoS flows, S-DoS flows and normal flows. An S-DoS attack produces a large number of packets, and the number of bytes matching the flow entry increases significantly, resulting in a large increase in the GRMMB value. We design PFSP to distinguish Flash crowd from M-DoS attacks; it is defined in terms of FlowSum, where n_packet denotes the number of matched packets for each flow entry. Duration pour into the switch, the value of PFSD will stay fairly high, but it will still be low in the Flash crowd scene
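As an added example (not code from the paper), the following Python extracts the flow-table quantities described above from constructed switch flow statistics: FlowSum, PFSP read here as the mean number of matched packets per entry (the page elides the exact formula, so that reading is an assumption), and a relative growth of matched bytes standing in for GRMMB. It then labels samples using the packet-per-entry ranges quoted in the highlights, which is only a threshold illustration and not the paper's BP neural network classifier.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowEntry:
    """One flow-table entry as reported by switch flow statistics."""
    match: str        # flow match, e.g. "10.0.0.1->10.0.1.1:80"
    n_packet: int     # matched packets (n_packet in the paper's notation)
    n_bytes: int      # matched bytes

def flow_sum(table):
    """FlowSum: number of entries currently installed in the flow table."""
    return len(table)

def pfsp(table):
    """Mean matched packets per flow entry. This is an assumed reading of the
    paper's PFSP (sum of n_packet over FlowSum); the page elides the formula."""
    return sum(e.n_packet for e in table) / flow_sum(table) if table else 0.0

def matched_bytes_growth(prev, curr):
    """Relative growth of matched bytes between two samples of one table.
    Assumed stand-in for the paper's GRMMB; entries are paired by match."""
    prev_bytes = {e.match: e.n_bytes for e in prev}
    grown = sum(max(e.n_bytes - prev_bytes.get(e.match, 0), 0) for e in curr)
    return grown / max(sum(prev_bytes.values()), 1)

def triage(prev, curr):
    """Rule-of-thumb label from the packet-per-entry ranges quoted on the page
    (M-DoS: 1-2, at most 3; Flash crowd: 5-20). The paper classifies six
    features with a BP neural network; this threshold check only illustrates
    the feature extraction and is not that classifier."""
    many_new_rules = flow_sum(curr) >= 2 * flow_sum(prev)   # assumed threshold
    p = pfsp(curr)
    if many_new_rules and p <= 3:
        return "M-DoS"
    if many_new_rules and 5 <= p <= 20:
        return "Flash crowd"
    if matched_bytes_growth(prev, curr) > 10:               # assumed threshold
        return "S-DoS"
    return "normal"

# Constructed samples (not from the paper's test-bed).
BASELINE = [FlowEntry(f"10.0.0.{i}->10.0.1.1:80", 12, 9000) for i in range(1, 9)]
MDOS = BASELINE + [FlowEntry(f"198.51.100.{i}->10.0.1.1:{1000 + i}", 1, 60)
                   for i in range(1, 201)]
FLASH = BASELINE + [FlowEntry(f"10.0.2.{i}->10.0.1.1:80", 10, 8000) for i in range(1, 201)]
SDOS = BASELINE[:-1] + [FlowEntry(BASELINE[-1].match, 500_000, 500_000_000)]

if __name__ == "__main__":
    for name, sample in (("baseline", BASELINE), ("M-DoS", MDOS),
                         ("Flash crowd", FLASH), ("S-DoS", SDOS)):
        print(f"{name:12s} FlowSum={flow_sum(sample):4d} "
              f"PFSP={pfsp(sample):9.2f} -> {triage(BASELINE, sample)}")
```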

CLASSIFICATION BY FEATURES
EXPERIMENTS AND RESULTS ANALYSIS
CONCLUSION