KS-SDN-DDoS: A Kafka streams-based real-time DDoS attack classification approach for SDN environment

Abstract

Software-Defined Networking (SDN) is a modern networking architecture that segregates control logic from data plane and supports a loosely coupled architecture. It provides flexibility in this advanced networking paradigm for any changes. Further, it controls the complete network in a centralized using controller(s). However, it comes with several security issues: Exhausting bandwidth and flow tables, Distributed Denial of Service (DDoS) attacks, etc. DDoS is a powerful attack for Internet-based applications and services, traditional and SDN paradigms. In the case of the SDN environment, attackers frequently target the central controller(s). This paper proposes a Kafka Streams-based real-time DDoS attacks classification approach for the SDN environment, named KS-SDN-DDoS. The KS-SDN-DDoS has been designed using highly scalable H2O ML techniques on the two-node Apache Hadoop Cluster (AHC). It consists of two modules: (i) Network Traffic Capture (NTCapture) and (ii) Attack Detection and Traffic Classification (ADTClassification). The NTCapture is deployed on the two nodes Apache Kafka Streams Cluster (AKSC-1). It captures incoming network traffic, extracts and formulates attributes, and publishes significant network traffic attributes on the Kafka topic. The ADTClassification is deployed on the two nodes Apache Kafka Streams Cluster (AKSC-2). It consumes network flows from the Kafka topic, classifies it based on the ten attributes, and publishes it to the decision Kafka topic. Further, it saves attributes with outcome to the Hadoop Distributed File System (HDFS). The KS-SDN-DDoS approach is designed and validated using the recent “DDoS Attack SDN dataset”. The result shows that the proposed system gives better classification accuracy (100%).