Abstract

The rapidly evolving landscape of network security, particularly in Software Defined Networks (SDNs), presents a critical need for efficient and adaptive DDoS attack detection methods, especially in the face of TCP SYN DDoS attacks. These attacks pose significant threats to network resources and service availability. Current state-of-the-art solutions, predominantly based on Shannon entropy, have an inherent limitation: they give equal weight to all frequency probabilities. This assumption often leads to inadequate detection in complex and dynamic network environments, where attack patterns are increasingly sophisticated and variable. In this paper, we present a novel framework called SYNTROPY that is designed to detect TCP SYN DDoS attacks in SDN environments. The proposed SYNTROPY framework leverages Rényi entropy to generalize the measurement of uncertainty in network traffic. Unlike Shannon entropy, Rényi entropy offers the flexibility to adjust sensitivity to varying network conditions and attack patterns, thereby enhancing detection accuracy. The framework filters benign, flash, and suspicious traffic and employs a min–max threshold to identify attack patterns accurately. It is implemented using the Ryu Controller, enabling seamless integration with SDN systems. An experiment evaluates SYNTROPY's performance using the CAIDA UCSD DDoS 2007 Attack Dataset. The comparative analysis demonstrates that SYNTROPY performs better than state-of-the-art solutions across various metrics: a 40% reduction in average CPU load, a 59% enhancement in average detection time, a 13% increase in true positive rate, a 34% decrease in false negative rate, a 10% recall improvement, and an 8% higher F1-Score. These promising results showcase the potential of SYNTROPY as a robust and effective solution for addressing TCP SYN DDoS attacks in SDNs.
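
The sensitivity adjustment described above can be seen in a short added example, which is not code from the paper or from the SYNTROPY implementation. It computes Rényi entropy of order alpha over per-destination SYN counts and checks it against a band; the destination-IP feature, the band learned as the minimum and maximum over attack-free windows, and all sample counts are assumptions constructed for illustration.

```python
import math

def renyi_entropy(counts, alpha):
    """Renyi entropy in bits of a {key: count} table; alpha == 1 is the Shannon limit."""
    total = sum(counts.values())
    if total == 0:
        return 0.0  # empty window: no uncertainty to measure
    probs = [c / total for c in counts.values() if c > 0]
    if math.isclose(alpha, 1.0):
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)

def learn_band(baseline_windows, alpha):
    """Min and max entropy over attack-free windows (assumed thresholding scheme)."""
    values = [renyi_entropy(w, alpha) for w in baseline_windows]
    return min(values), max(values)

def classify(window, baseline_windows, alpha):
    """Return 'suspicious' when the window's entropy leaves the learned band."""
    low, high = learn_band(baseline_windows, alpha)
    h = renyi_entropy(window, alpha)
    return "in-band" if low <= h <= high else "suspicious"

# Constructed data: SYN counts per destination IP in one time window.
BASELINE = [
    {f"10.0.0.{i}": 50 for i in range(1, 9)},  # 8 servers, even load
    {f"10.0.0.{i}": 80 for i in range(1, 6)},  # quiet period, 5 servers
]
# Constructed window: one destination draws 30% of SYNs, seven others 10% each.
SKEWED = {"10.0.0.1": 300, **{f"10.0.0.{i}": 100 for i in range(2, 9)}}

if __name__ == "__main__":
    for alpha in (0.5, 1.0, 2.0, 5.0):
        low, high = learn_band(BASELINE, alpha)
        h = renyi_entropy(SKEWED, alpha)
        print(f"alpha={alpha}: band=[{low:.3f}, {high:.3f}] "
              f"window={h:.3f} -> {classify(SKEWED, BASELINE, alpha)}")
```

On this constructed data the skewed window stays inside the band at alpha = 1 (Shannon) and falls below it at alpha = 5, because higher orders weight the dominant destination more heavily.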
