Attacks In Software-Defined Networking Research Articles

Machine Learning-Based Approach for Detecting DDoS Attacks in Software Defined Networks

Machine Learning-Based Approach for Detecting DDoS Attacks in Software Defined Networks

A Collaborative Approach to Detecting DDoS Attacks in SDN Using Entropy and Deep Learning

Software-defined networking (SDN) is an approach to network management allowing to enhance the performance of the network and making it more flexible. The centralized architecture of SDN makes it vulnerable to cyberattacks, especially distributed denial of service (DDoS) attacks. Existing research investigates the detection of DDoS attacks separately on the control plane and data plane. However, there is a need for efficient and accurate detection of these attacks using features obtained from both control and data planes. Therefore, we present a mechanism for identifying DDoS attacks using entropy, multiple feature selection mechanisms, and deep learning. Initially, we use entropy on the control plane to detect anomalous activity and identify suspicious switches. Next, we capture traffic on the suspicious switches to detect DDoS attacks. To detect these attacks, we utilize multi-layer perceptron (MLP) deep learning models, convolutional neural network (CNN), and the long short-term memory (LSTM) approach. An InSDN dataset is used to train the model and test data are generated using Mininet emulation and the Ryu controller. The results reveal that LSTM outperforms MLP and CNN, achieving an accuracy of 99.83%.

COMPARISON OF MACHINE LEARNING TECHNIQUES FOR CLASSIFICATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS BASED ON FEATURE ENGINEERING IN SDN-BASED NETWORKS

Distributed Denial-of-Service (DDoS) attacks present a noteworthy cybersecurity hazard to software-defined networks (SDNs). This investigation presents an approach that depends on feature engineering and machine learning to discern DDoS attacks in SDNs. Initially, the dataset acquired from Kaggle goes through cleansing and normalization procedures, and the optimal subset of features is determined by employing the Correlation-based Feature Selection (CFS) algorithm. Subsequently, the optimal subset of features is trained and evaluated utilizing diverse Machine Learning algorithms, specifically Random Forest (RF), Decision Tree, Adaptive Boosting (AdaBoost), K-Nearest Neighbor (k-NN), Gradient Boosting, Extreme Gradient Boosting (XGBoost), Light Gradient Boosting Machine (LightGBM), and Categorical Boosting (CatBoost). The outcomes demonstrate that XGBoost outperforms the other algorithms in various performance metrics (e.g., accuracy, precision, recall, F1, and AUC values). Furthermore, a comparative analysis was carried out among various models and algorithms, revealing that the technique proposed by the researchers yielded the most favourable outcomes and effectively detected and identified DDoS attacks in SDN. Consequently, this investigation provides a novel perspective and resolution for SDN security.

Detection and mitigation of DDoS attacks in SDN based intrusion detection system

Software defined networks (SDN) have completely revolutionized the management and operation of networks. This novel technology entails a distinctive approach to management. Amidst the advancements, a notable security concern arises in the form of distributed denial of service (DDoS) attacks. To counteract this attack, the deployment of intrusion detection systems (IDS) assumes paramount importance. IDS plays a critical role in monitoring network traffic, promptly detecting irregularities that may signify a potential denial of service (DoS) assault. This study delves into a comprehensive exploration of a DDoS attack on an SDN network using the OpenDaylight controller and the Mininet emulator. Furthermore, the assessment extends to evaluating the DDoS attack's repercussions and the effectiveness of IDS in mitigating such risks. Various performance metrics, including throughput according to delay time, are monitored to gauge network performance under duress. The difference in throughput curves when comparing scenarios with and without IDS highlights the significant impact of intrusion detection. When the IDS was absent, there was a noticeable increase in oscillations, indicating greater network susceptibility. On the other hand, the presence of an IDS created a more regulated environment, reducing variances and promoting a more stable network.

ERT-EDR: Online defense framework for TCP-targeted LDoS attacks in SDN

The Low-rate denial of service (LDoS) attack is a variant of denial of service (DoS) attack that exploits low overhead to render target services unreachable for legitimate users. Unlike legacy networks, software-defined networking (SDN) separates the behavior of controlling and forwarding, providing excellent programmability to achieve real-time defense against LDoS attacks. Leveraging the potential of SDN’s programmability, we propose a real-time anomaly defense framework tailored for SDN, named ERT-EDR. This framework is capable of detecting and mitigating TCP-targeted LDoS Attacks and comprises three modules: (1) The Information Collection Module. It periodically samples the traffic statistics for analysis. (2) The LDoS Attack Detection Module. It combines six features of traffic statistics and utilizes the Extremely Randomized Trees (ERT) algorithm to detect. (3) LDoS Attack Mitigation Module. It locates attacked ports with the Edit Distance on Real sequence (EDR) algorithm and installs flow table entries to filter attack traffic.Extensive experiments are conducted under various background traffic scenarios to validate the effectiveness and scalability of ERT-EDR. The results demonstrate that ERT-EDR can effectively detect TCP-targeted LDoS attacks with 96.4667% accuracy and 96.4977% F1score. Furthermore, it accurately identifies the attacked port and successfully mitigates attacks.

Cross-layer detection and defence mechanism against DDoS and DRDoS attacks in software-defined networks using P4 switches

This paper presents a comprehensive system for detecting and defending against distributed denial-of-service (DDoS) and distributed reflective denial-of-service (DRDoS) flood attacks in software-defined networking (SDN) environments using Programming Protocol-Independent Packet Processors (P4). The proposed system introduces a hybrid intrusion statistical threshold algorithm (HISTA) that analyzes intrusion data statistics to identify potential malicious attacks. Upon detection, the system utilises P4 programmability to implement a custom defence mechanism on the P4 switch. A novel Uruk protocol header collaborates with HISTA for enhanced cross-layer attack detection and categorisation. The HISTA-Uruk mechanism selectively discards malicious packets while ensuring uninterrupted communication for legitimate packets, effectively preventing DDoS/DRDoS attacks. Extensive experiments validate the system’s ability to efficiently detect and thwart various DDoS, DRDoS, and internal attacks, demonstrating its effectiveness in identifying threats and restoring impacted network connections across diverse attack scenarios.

TITAN: Combining a bidirectional forwarding graph and GCN to detect saturation attack targeted at SDN.

The decoupling of control and forwarding layers brings Software-Defined Networking (SDN) the network programmability and global control capability, but it also poses SDN security risks. The adversaries can use the forwarding and control decoupling character of SDN to forge legitimate traffic, launching saturation attacks targeted at SDN switches. These attacks can cause the overflow of switch flow tables, thus making the switch cannot forward benign network traffic. How to effectively detect saturation attack is a research hotspot. There are only a few graph-based saturation attack detection methods. Meanwhile, the current graph generation methods may take useless or misleading information to the attack detection, thus decreasing the attack detection accuracy. To solve the above problems, this paper proposes TITAN, a bidirecTional forwardIng graph-based saturaTion Attack detectioN method. TITAN defines flow forwarding rules and topology information, and designs flow statistical features. Based on these definitions, TITAN generates nodes of the bi-forwarding graph based on the flow statistics features and edges of the bi-forwarding graph based on the network traffic routing paths. In this way, each traffic flow in the network is transformed into a bi-directional forwarding graph. Then TITAN feeds the above bidirectional forwarding graph into a Graph Convolutional Network (GCN) to detect whether the flow is a saturation attack flow. The experimental results show that TITAN can effectively detect saturation attacks in SDNs with a detection accuracy of more than 97%.

Leveraging datasets for effective mitigation of DDoS attacks in software-defined networking: significance and challenges

Software-Defined Networking (SDN) has emerged as a transformative paradigm for network management, offering centralized control and programmability. However, with the proliferation of Distributed Denial of Service (DDoS) attacks that pose significant threats to network infrastructures, effective mitigation strategies are needed. The subject matter of this study is to explore the importance of datasets in the mitigation of DDoS attacks in SDN environments. The paper discusses the significance of datasets for training machine learning models, evaluating detection mechanisms, and enhancing the resilience of SDN-based defense systems. Goal of the paper is to assist researchers in effectively selecting and usage of datasets for DDoS mitigation in SDN, thereby maximizing benefits and overcoming challenges involved in dataset selection. This paper outlines the challenges associated with dataset collection, labeling, and management, along with potential solutions to address these challenges. Effective detection and mitigation of DDoS attacks in SDN require robust datasets that capture the diverse and evolving nature of attack scenarios. Characterization of tasks for each section is as follows: Importance of datasets in DDoS attack mitigation in SDN, challenges in dataset utilization in DDoS mitigation in SDN, Guidelines for dataset selection, comparison of datasets used and their results and different dataset usage according to the need. Methodology involves collecting results in tabular form based on prior research to analyze the characteristics of existing datasets, techniques for dataset augmentation and enhancement, and evaluating the effectiveness of different datasets in detecting and mitigating DDoS attacks through comprehensive experimentation. Results of our findings indicate that effective detection and mitigation of DDoS attacks in SDN require robust datasets that capture the diverse and evolving nature of attack scenarios. Our findings provide valuable insights into the importance of datasets in enhancing the resilience of SDN infrastructures against DDoS attacks. In conclusion, our findings provide valuable insights into the importance of datasets in enhancing the resilience of SDN infrastructures against DDoS attacks and highlight the need for further research in this critical area. Thorough guidelines for dataset selection and impacts of different datasets used in recent studies, provide research challenges and future directions in this area.

SYNTROPY: TCP SYN DDoS attack detection for Software Defined Network based on Rényi entropy

The rapidly evolving landscape of network security, particularly in Software Defined Networks (SDNs), presents a critical need for efficient and adaptive DDoS attack detection methods, especially in the face of TCP SYN DDoS attacks. These attacks pose significant threats to network resources and service availability. Current state-of-the-art solutions, predominantly based on Shannon entropy, have inherent limitations, that give equal weightage to all frequency probability. This inherent assumption often leads to inadequate detection in complex and dynamic network environments, where attack patterns are increasingly sophisticated and variable. In this paper, we present a novel framework called SYNTROPY that is designed to detect TCP SYN DDoS attacks in SDN environments. The proposed SYNTROPY framework leverages Rényi entropy to effectively generalize the measurement of uncertainty in the network traffic. Unlike Shannon entropy, Rényi entropy offers the flexibility to adjust sensitivity to varying network conditions and attack patterns, thereby enhancing detection accuracy. It filters benign, flash, and suspicious traffic and employs a min–max threshold to identify attack patterns accurately. Our framework is implemented using the Ryu Controller, thus enabling seamless integration with SDN systems. The experiment is conducted to evaluate the SYNTROPY performance using the CAIDA UCSD DDoS 2007 Attack Dataset. The comparative analysis demonstrates that SYNTROPY performs better across various metrics than state-of-the-art solutions. It includes a 40% reduction in average CPU load, 59% enhancement in average detection time, 13% increase in true positives rate, 34% decrease in false negatives rate, 10% recall improvement, and 8% higher F1-Score. These promising results showcase the potential of SYNTROPY as a robust and effective solution for addressing TCP SYN DDoS attacks in SDNs.

Improved K-means-based solution for detecting DDoS attacks in SDN

Software Defined Networking (SDN) is a change to the traditional network, which can better face the complex network scenarios and meet the future network development needs. However, SDN faces many network security problems in the process of development, among which distributed denial-of-service (DDoS) attacks on SDN cause the most serious problem of communication paralysis. For the problem of unstable detection accuracy based on K-means algorithm detection scheme, a detection scheme based on density selection and mutual information improvement K-means algorithm (MIK-means) is proposed, which can well improve the stability and accuracy of the detection effect. Through a large number of experimental results show that the detection scheme maintains an average accuracy of more than 96% under different attack types and rates, while the detection scheme also maintains 5 6 s from response to completion of mitigation, which well reduces the computational overhead.

Countering ARP spoofing attacks in software-defined networks using a game-theoretic approach

The Address Resolution Protocol (ARP) spoofing is a form of attack typically used by attackers to cause a denial of service or man-in-the-middle attacks. This attack comes from ARP weaknesses and aims to compromise victims' ARP caches by sending ARP packets containing fake IP-MAC pairs. To overcome ARP spoofing attacks, several approaches leverage the advantages of software-defined networking (SDN) to detect malicious users in the network. To achieve their goal, the SDN controller consecutively checks the characteristics of each ARP packet to ensure its correctness. However, this verification method can lead to latency and congestion at the controller level or render the system unusable for large-scale networks. To address this drawback, we propose a game-theoretic approach to provide an optimal verification method that considers the intelligent attackers' decision-making process during an ARP cache poisoning attempt. This approach is a zero-sum game between the attacker who wants to poison the victims' ARP caches and the defender who must avoid this poisoning. The game model results in mixed-strategy Nash equilibria that identify optimal verification methods to prevent control plane latency and congestion during attacker detection. The results show that an intelligent attacker will refrain from poisoning ARP caches with a high-impact strategy because the defender frequently checks such a strategy. In addition, the attacker's penalty value can deter both rational and irrational attackers from poisoning ARP caches. Simulations in the Mininet simulator have shown that the proposed approach can significantly mitigate control plane latency and congestion during the attacker's characteristic checking.

A Study on Ddos Attacks in Software Defined Networks and Deep Learning IDS

A Study on Ddos Attacks in Software Defined Networks and Deep Learning IDS

Моделирование алгоритма аутентификации трафика на стороне контроллера в программно-конфигурируемой сети

To ensure efficient and optimal transmission of heterogeneous user traffic in a network, it is necessary to take into account such conditions as frame delay, speed, frequency range, and queue overflow in the Ethernet switch. In software-defined networks (SDN), these conditions can be controlled, which distinguishes SDN from a conventional computer network. SDN is a new paradigm in the field of network telecommunications. Petri nets in SDN modeling can be used to create formal models, which can be checked for correctness and efficiency before being implemented in a real network. Petri nets are also helpful in representing the architecture of SDN in the form of a graph, which improves the understanding and visualization of the SDN work. In this paper, we present a solution to the problem of SDN vulnerability using CPN Tools. We develop an algorithm for traffic authentication on the controller side in SDN to ensure the security of traffic transmission and eliminate man-in-the-middle attacks in SDN. The research aim consists in simulating the proposed algorithm and its verification based on the apparatus of Petri nets. All the components of the model on Petri nets are described. A comparative analysis of algorithms for encryption speed is carried out, and the maximum speed of traffic encryption by the proposed algorithm is revealed.

Research on Detection and Mitigation Methods of Adaptive Flow Table Overflow Attacks in Software-Defined Networks

Research on Detection and Mitigation Methods of Adaptive Flow Table Overflow Attacks in Software-Defined Networks

A Detailed Review on The Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks in Software Defined Networks (SDNs) and Defense Strategies

The development of Software Defined Networking (SDN) has altered the landscape of computer networking in recent years. Its scalable architecture has become a blueprint for the design of several advanced future networks. To achieve improve and efficient monitoring, control and management capabilities of the network, software defined networks differentiate or decouple the control logic from the data forwarding plane. As a result of this, logical control is solely centralized in the controller. Due to the centralized nature, SDNs are exposed to several vulnerabilities such as Spoofing, Flooding, and primarily Denial of Service (DoS) and Distributed Denial of Service (DDoS) among other attacks. In effect, the performance of SDN degrades based on these attacks. This paper presents a comprehensive review of several DoS and DDoS defense/mitigation strategies and classifies them into distinct classes with regards to the methodologies employed. Furthermore, based on the discussions raised, suggestions have been made to enhance current mitigation strategies accordingly.

Mitigating Timing Side-Channel Attacks in Software-Defined Networks: Detection and Response

Software-defined networking (SDN) is an innovative technology that has the potential to enhance the scalability, flexibility, and security of telecommunications networks. The emergence and development of SDNs have introduced new opportunities and challenges in the telecommunications industry. One of the major challenges encountered by SDNs is the timing side-channel attacks. These attacks exploit timing information to expose sensitive data, including flow tables, routes, controller types, and ports, which pose a significant threat to communication networks. Existing techniques for mitigating timing side-channel attacks primarily focus on limiting them via network architectural changes. This significantly increases the overhead of SDNs and makes it difficult to identify the origin of the attack. To secure resilient integration of SDN in telecommunications networks, it is necessary to conduct comprehensive research that not only identifies the attack activity, but also formulates an adequate response. In this paper, we propose a detection and response solution for timing side-channel attacks in SDN. We used a machine learning-based approach to detect the probing activity and identify the source. To address the identified timing side-channel attack queries, we propose a response mechanism. This entails devising a feedback-oriented response to counter the identified source, such as blocking or diverting it, while minimising any adverse effects on legitimate network traffic. This methodology is characterised by an automated data-driven approach that enables prompt and effective responses. The architecture of this security solution ensures that it has a minimal impact on network traffic and resource usage as it is designed to be used in conjunction with SDN. The overall design findings show that our detection approach is 94% precise in identifying timing side-channel attacks in SDN when compared with traditional mitigation strategies. Additionally, the response mechanism employed by this approach yielded highly customised and precise responses, resulting in an impressive accuracy score of 97.6%.

Flow Table Overflow Attacks in Software Defined Networks: A Survey

<p>While Software-Defined Networks (SDNs) have separated control and data planes and completely decouple the flow control from the data forwarding to enable network flexibility, programmability, and innovation, they also raise serious security concerns in each plane and the interfaces between the two planes. This paper, instead of studying the security issues in the SDN control plane as many literatures have done in current research, focuses on the security issues in the SDN data plane, aiming at the state of the art mechanims to identify, detect, and mitigate them. Specifically, this paper reviews the typical models, detections, and mitigations of SDN flow table overflow attacks. After reviewing the various vulnerabilities in SDNs, this paper categorizes the flow table overflow attacks into saturation, low-rate table exhaustion, and slow saturation attacks, and summarizes the attack models, detections, and mitigations of each category. It reviews the typical attacks that can overflow the flow tables and provides the main challenges and open issues for the future research.</p> <p> </p>

Detection of Distributed Denial of Service Attacks in Software Defined Networks by Using Machine Learning

Within the sphere of Software-Defined Networking (SDN) — an innovative architectural paradigm that segregates the control plane from the data plane — a paramount concern is the defense against Distributed Denial of Service (DDoS) assaults. These attacks pose a significant threat to the integrity and operational sustainability of SDN infrastructures, potentially leading to extensive system disruptions and financial losses.To address this challenge, our study introduces an innovative approach utilizing machine learning strategies to enhance the detection of DDoS threats. We employed a trio of classification algorithms: Random Forest (RF), Support Vector Machine (SVM), and K-Nearest Neighbors (KNN), applied to a publicly available SDN dataset specific to DDoS attacks. Our methodology integrates a blend of feature selection techniques, including Recursive Feature Elimination (RFE), Principal Component Analysis (PCA), and t-Distributed Stochastic Neighbor Embedding (t-SNE), with the aim of refining the accuracy of our classifications.In a comparative analysis with existing models, our innovative application of KNN in conjunction with RFE demonstrated exceptional performance, achieving an accuracy of 99.97%, a precision of 99.98%, a recall of 99.96%, and an F1-score of 99.97%. This breakthrough indicates a significant advancement in the field of SDN security.

A deep learning technique to detect distributed denial of service attacks in software-defined networks

Software-Defined Network (SDN) is an established networking paradigm that separates the control plane from the data plane. It has central network control, and programmability facilities, therefore SDN can improve network flexibility, management, performance, and scalability. The programmability and control centralization of SDN have improved network functions but also exposed it to security challenges such as Distributed Denial of Service (DDoS) attacks that target both control and data planes. This paper proposes an effective detection technique against DDoS attack in SDN control plane and data plane. For the control plane, the technique detects DDoS attacks through a Deep Learning (DL) model using new features extracted from traffic statistics. A DL method (AE-BGRU) for DDoS detection uses Autoencoder (AE) with Bidirectional Gated Recurrent Unit (BGRU). The proposed features for the control plane include unknown IP destination address, packets inter-arrival time, Transport layer protocol (TLP) header, and Type of service (ToS) header. For the data plane, the technique tracks the switch's average arrival bit rate with an unknown destination address in the data plane. Then, the technique detects DDoS attacks through a DL-based model which also uses AE with BGRU. The proposed features in the data plane include the switch's stored capacity, the average rate of packets with unknown destination addresses, the IP Options header, and the average number of flows. The dataset is generated from feature extraction and computations from normal and attack packets and used with the classifier. Also, additional Machine Learning (ML) methods are used to enhance the detection process. If the model detects an attack, the technique mitigates DDoS effects by updating the user's trust value and blocking suspicious senders based on the trust value. The experimental results proved that compared to related techniques, the suggested method had a higher accuracy and lower false alarm rate.

Machine learning assisted snort and zeek in detecting DDoS attacks in software-defined networking

Machine learning assisted snort and zeek in detecting DDoS attacks in software-defined networking