XGBoost Classifier for DDOS Attack Detection in Software Defined Network Using sFlow Protocol

Abstract

From a security perspective, Software Defined Network (SDN) separates security concerns into Control Plane and Data Plane. The Control Plane is responsible for managing the entire network centrally. Centralized SDN generates high vulnerability against the Distributed Denial of Service (DDOS). When the Software Defined Network overwhelms by DDOS, both Control Plane and Data Plane will lack resources. It can cause the SDN to fail to work if not detected early. Using the ability of sFlow Protocol to capture the flow traffic in real time, the data could be used to detect DDOS attacks. This sFlow sampling approach can reduce the workload of the network by lower down the processing in switches. This paper uses Extreme Gradient Boosting (XGBoost), Support Vector Machine (SVM), and Random Forest as detection methods. We use ONOS as SDN Controller and build the topology in GNS3. Prometheus retrieves data from the sFlow Collector as a time series database. The classifier then uses the data from Prometheus for DDOS detection. For the dataset, we use four different datasets. Datasets 1 and 2 consist of 6109 data, each divided into two classes and three classes. Datasets 3 and 4 consist of 400488 data divided into 2 and 3 classes, respectively. The evaluation results have proved the effectiveness of the proposed method. XGBoost has the highest accuracy of another algorithm. The best accuracy is 99.84% using Dataset 4 as the training set.