Attacks In Software-Defined Networking Research Articles

ERT-EDR: Online defense framework for TCP-targeted LDoS attacks in SDN

The Low-rate denial of service (LDoS) attack is a variant of denial of service (DoS) attack that exploits low overhead to render target services unreachable for legitimate users. Unlike legacy networks, software-defined networking (SDN) separates the behavior of controlling and forwarding, providing excellent programmability to achieve real-time defense against LDoS attacks. Leveraging the potential of SDN’s programmability, we propose a real-time anomaly defense framework tailored for SDN, named ERT-EDR. This framework is capable of detecting and mitigating TCP-targeted LDoS Attacks and comprises three modules: (1) The Information Collection Module. It periodically samples the traffic statistics for analysis. (2) The LDoS Attack Detection Module. It combines six features of traffic statistics and utilizes the Extremely Randomized Trees (ERT) algorithm to detect. (3) LDoS Attack Mitigation Module. It locates attacked ports with the Edit Distance on Real sequence (EDR) algorithm and installs flow table entries to filter attack traffic.Extensive experiments are conducted under various background traffic scenarios to validate the effectiveness and scalability of ERT-EDR. The results demonstrate that ERT-EDR can effectively detect TCP-targeted LDoS attacks with 96.4667% accuracy and 96.4977% F1score. Furthermore, it accurately identifies the attacked port and successfully mitigates attacks.

Cross-layer detection and defence mechanism against DDoS and DRDoS attacks in software-defined networks using P4 switches

This paper presents a comprehensive system for detecting and defending against distributed denial-of-service (DDoS) and distributed reflective denial-of-service (DRDoS) flood attacks in software-defined networking (SDN) environments using Programming Protocol-Independent Packet Processors (P4). The proposed system introduces a hybrid intrusion statistical threshold algorithm (HISTA) that analyzes intrusion data statistics to identify potential malicious attacks. Upon detection, the system utilises P4 programmability to implement a custom defence mechanism on the P4 switch. A novel Uruk protocol header collaborates with HISTA for enhanced cross-layer attack detection and categorisation. The HISTA-Uruk mechanism selectively discards malicious packets while ensuring uninterrupted communication for legitimate packets, effectively preventing DDoS/DRDoS attacks. Extensive experiments validate the system’s ability to efficiently detect and thwart various DDoS, DRDoS, and internal attacks, demonstrating its effectiveness in identifying threats and restoring impacted network connections across diverse attack scenarios.

TITAN: Combining a bidirectional forwarding graph and GCN to detect saturation attack targeted at SDN.

The decoupling of control and forwarding layers brings Software-Defined Networking (SDN) the network programmability and global control capability, but it also poses SDN security risks. The adversaries can use the forwarding and control decoupling character of SDN to forge legitimate traffic, launching saturation attacks targeted at SDN switches. These attacks can cause the overflow of switch flow tables, thus making the switch cannot forward benign network traffic. How to effectively detect saturation attack is a research hotspot. There are only a few graph-based saturation attack detection methods. Meanwhile, the current graph generation methods may take useless or misleading information to the attack detection, thus decreasing the attack detection accuracy. To solve the above problems, this paper proposes TITAN, a bidirecTional forwardIng graph-based saturaTion Attack detectioN method. TITAN defines flow forwarding rules and topology information, and designs flow statistical features. Based on these definitions, TITAN generates nodes of the bi-forwarding graph based on the flow statistics features and edges of the bi-forwarding graph based on the network traffic routing paths. In this way, each traffic flow in the network is transformed into a bi-directional forwarding graph. Then TITAN feeds the above bidirectional forwarding graph into a Graph Convolutional Network (GCN) to detect whether the flow is a saturation attack flow. The experimental results show that TITAN can effectively detect saturation attacks in SDNs with a detection accuracy of more than 97%.

SYNTROPY: TCP SYN DDoS attack detection for Software Defined Network based on Rényi entropy

The rapidly evolving landscape of network security, particularly in Software Defined Networks (SDNs), presents a critical need for efficient and adaptive DDoS attack detection methods, especially in the face of TCP SYN DDoS attacks. These attacks pose significant threats to network resources and service availability. Current state-of-the-art solutions, predominantly based on Shannon entropy, have inherent limitations, that give equal weightage to all frequency probability. This inherent assumption often leads to inadequate detection in complex and dynamic network environments, where attack patterns are increasingly sophisticated and variable. In this paper, we present a novel framework called SYNTROPY that is designed to detect TCP SYN DDoS attacks in SDN environments. The proposed SYNTROPY framework leverages Rényi entropy to effectively generalize the measurement of uncertainty in the network traffic. Unlike Shannon entropy, Rényi entropy offers the flexibility to adjust sensitivity to varying network conditions and attack patterns, thereby enhancing detection accuracy. It filters benign, flash, and suspicious traffic and employs a min–max threshold to identify attack patterns accurately. Our framework is implemented using the Ryu Controller, thus enabling seamless integration with SDN systems. The experiment is conducted to evaluate the SYNTROPY performance using the CAIDA UCSD DDoS 2007 Attack Dataset. The comparative analysis demonstrates that SYNTROPY performs better across various metrics than state-of-the-art solutions. It includes a 40% reduction in average CPU load, 59% enhancement in average detection time, 13% increase in true positives rate, 34% decrease in false negatives rate, 10% recall improvement, and 8% higher F1-Score. These promising results showcase the potential of SYNTROPY as a robust and effective solution for addressing TCP SYN DDoS attacks in SDNs.

Improved K-means-based solution for detecting DDoS attacks in SDN

Software Defined Networking (SDN) is a change to the traditional network, which can better face the complex network scenarios and meet the future network development needs. However, SDN faces many network security problems in the process of development, among which distributed denial-of-service (DDoS) attacks on SDN cause the most serious problem of communication paralysis. For the problem of unstable detection accuracy based on K-means algorithm detection scheme, a detection scheme based on density selection and mutual information improvement K-means algorithm (MIK-means) is proposed, which can well improve the stability and accuracy of the detection effect. Through a large number of experimental results show that the detection scheme maintains an average accuracy of more than 96% under different attack types and rates, while the detection scheme also maintains 5 6 s from response to completion of mitigation, which well reduces the computational overhead.

Countering ARP spoofing attacks in software-defined networks using a game-theoretic approach

The Address Resolution Protocol (ARP) spoofing is a form of attack typically used by attackers to cause a denial of service or man-in-the-middle attacks. This attack comes from ARP weaknesses and aims to compromise victims' ARP caches by sending ARP packets containing fake IP-MAC pairs. To overcome ARP spoofing attacks, several approaches leverage the advantages of software-defined networking (SDN) to detect malicious users in the network. To achieve their goal, the SDN controller consecutively checks the characteristics of each ARP packet to ensure its correctness. However, this verification method can lead to latency and congestion at the controller level or render the system unusable for large-scale networks. To address this drawback, we propose a game-theoretic approach to provide an optimal verification method that considers the intelligent attackers' decision-making process during an ARP cache poisoning attempt. This approach is a zero-sum game between the attacker who wants to poison the victims' ARP caches and the defender who must avoid this poisoning. The game model results in mixed-strategy Nash equilibria that identify optimal verification methods to prevent control plane latency and congestion during attacker detection. The results show that an intelligent attacker will refrain from poisoning ARP caches with a high-impact strategy because the defender frequently checks such a strategy. In addition, the attacker's penalty value can deter both rational and irrational attackers from poisoning ARP caches. Simulations in the Mininet simulator have shown that the proposed approach can significantly mitigate control plane latency and congestion during the attacker's characteristic checking.

A Study on Ddos Attacks in Software Defined Networks and Deep Learning IDS

A Study on Ddos Attacks in Software Defined Networks and Deep Learning IDS

Моделирование алгоритма аутентификации трафика на стороне контроллера в программно-конфигурируемой сети

To ensure efficient and optimal transmission of heterogeneous user traffic in a network, it is necessary to take into account such conditions as frame delay, speed, frequency range, and queue overflow in the Ethernet switch. In software-defined networks (SDN), these conditions can be controlled, which distinguishes SDN from a conventional computer network. SDN is a new paradigm in the field of network telecommunications. Petri nets in SDN modeling can be used to create formal models, which can be checked for correctness and efficiency before being implemented in a real network. Petri nets are also helpful in representing the architecture of SDN in the form of a graph, which improves the understanding and visualization of the SDN work. In this paper, we present a solution to the problem of SDN vulnerability using CPN Tools. We develop an algorithm for traffic authentication on the controller side in SDN to ensure the security of traffic transmission and eliminate man-in-the-middle attacks in SDN. The research aim consists in simulating the proposed algorithm and its verification based on the apparatus of Petri nets. All the components of the model on Petri nets are described. A comparative analysis of algorithms for encryption speed is carried out, and the maximum speed of traffic encryption by the proposed algorithm is revealed.

Research on Detection and Mitigation Methods of Adaptive Flow Table Overflow Attacks in Software-Defined Networks

Research on Detection and Mitigation Methods of Adaptive Flow Table Overflow Attacks in Software-Defined Networks

A Detailed Review on The Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks in Software Defined Networks (SDNs) and Defense Strategies

The development of Software Defined Networking (SDN) has altered the landscape of computer networking in recent years. Its scalable architecture has become a blueprint for the design of several advanced future networks. To achieve improve and efficient monitoring, control and management capabilities of the network, software defined networks differentiate or decouple the control logic from the data forwarding plane. As a result of this, logical control is solely centralized in the controller. Due to the centralized nature, SDNs are exposed to several vulnerabilities such as Spoofing, Flooding, and primarily Denial of Service (DoS) and Distributed Denial of Service (DDoS) among other attacks. In effect, the performance of SDN degrades based on these attacks. This paper presents a comprehensive review of several DoS and DDoS defense/mitigation strategies and classifies them into distinct classes with regards to the methodologies employed. Furthermore, based on the discussions raised, suggestions have been made to enhance current mitigation strategies accordingly.

Mitigating Timing Side-Channel Attacks in Software-Defined Networks: Detection and Response

Software-defined networking (SDN) is an innovative technology that has the potential to enhance the scalability, flexibility, and security of telecommunications networks. The emergence and development of SDNs have introduced new opportunities and challenges in the telecommunications industry. One of the major challenges encountered by SDNs is the timing side-channel attacks. These attacks exploit timing information to expose sensitive data, including flow tables, routes, controller types, and ports, which pose a significant threat to communication networks. Existing techniques for mitigating timing side-channel attacks primarily focus on limiting them via network architectural changes. This significantly increases the overhead of SDNs and makes it difficult to identify the origin of the attack. To secure resilient integration of SDN in telecommunications networks, it is necessary to conduct comprehensive research that not only identifies the attack activity, but also formulates an adequate response. In this paper, we propose a detection and response solution for timing side-channel attacks in SDN. We used a machine learning-based approach to detect the probing activity and identify the source. To address the identified timing side-channel attack queries, we propose a response mechanism. This entails devising a feedback-oriented response to counter the identified source, such as blocking or diverting it, while minimising any adverse effects on legitimate network traffic. This methodology is characterised by an automated data-driven approach that enables prompt and effective responses. The architecture of this security solution ensures that it has a minimal impact on network traffic and resource usage as it is designed to be used in conjunction with SDN. The overall design findings show that our detection approach is 94% precise in identifying timing side-channel attacks in SDN when compared with traditional mitigation strategies. Additionally, the response mechanism employed by this approach yielded highly customised and precise responses, resulting in an impressive accuracy score of 97.6%.

Flow Table Overflow Attacks in Software Defined Networks: A Survey

<p>While Software-Defined Networks (SDNs) have separated control and data planes and completely decouple the flow control from the data forwarding to enable network flexibility, programmability, and innovation, they also raise serious security concerns in each plane and the interfaces between the two planes. This paper, instead of studying the security issues in the SDN control plane as many literatures have done in current research, focuses on the security issues in the SDN data plane, aiming at the state of the art mechanims to identify, detect, and mitigate them. Specifically, this paper reviews the typical models, detections, and mitigations of SDN flow table overflow attacks. After reviewing the various vulnerabilities in SDNs, this paper categorizes the flow table overflow attacks into saturation, low-rate table exhaustion, and slow saturation attacks, and summarizes the attack models, detections, and mitigations of each category. It reviews the typical attacks that can overflow the flow tables and provides the main challenges and open issues for the future research.</p> <p> </p>

Detection of Distributed Denial of Service Attacks in Software Defined Networks by Using Machine Learning

Within the sphere of Software-Defined Networking (SDN) — an innovative architectural paradigm that segregates the control plane from the data plane — a paramount concern is the defense against Distributed Denial of Service (DDoS) assaults. These attacks pose a significant threat to the integrity and operational sustainability of SDN infrastructures, potentially leading to extensive system disruptions and financial losses.To address this challenge, our study introduces an innovative approach utilizing machine learning strategies to enhance the detection of DDoS threats. We employed a trio of classification algorithms: Random Forest (RF), Support Vector Machine (SVM), and K-Nearest Neighbors (KNN), applied to a publicly available SDN dataset specific to DDoS attacks. Our methodology integrates a blend of feature selection techniques, including Recursive Feature Elimination (RFE), Principal Component Analysis (PCA), and t-Distributed Stochastic Neighbor Embedding (t-SNE), with the aim of refining the accuracy of our classifications.In a comparative analysis with existing models, our innovative application of KNN in conjunction with RFE demonstrated exceptional performance, achieving an accuracy of 99.97%, a precision of 99.98%, a recall of 99.96%, and an F1-score of 99.97%. This breakthrough indicates a significant advancement in the field of SDN security.

A deep learning technique to detect distributed denial of service attacks in software-defined networks

Software-Defined Network (SDN) is an established networking paradigm that separates the control plane from the data plane. It has central network control, and programmability facilities, therefore SDN can improve network flexibility, management, performance, and scalability. The programmability and control centralization of SDN have improved network functions but also exposed it to security challenges such as Distributed Denial of Service (DDoS) attacks that target both control and data planes. This paper proposes an effective detection technique against DDoS attack in SDN control plane and data plane. For the control plane, the technique detects DDoS attacks through a Deep Learning (DL) model using new features extracted from traffic statistics. A DL method (AE-BGRU) for DDoS detection uses Autoencoder (AE) with Bidirectional Gated Recurrent Unit (BGRU). The proposed features for the control plane include unknown IP destination address, packets inter-arrival time, Transport layer protocol (TLP) header, and Type of service (ToS) header. For the data plane, the technique tracks the switch's average arrival bit rate with an unknown destination address in the data plane. Then, the technique detects DDoS attacks through a DL-based model which also uses AE with BGRU. The proposed features in the data plane include the switch's stored capacity, the average rate of packets with unknown destination addresses, the IP Options header, and the average number of flows. The dataset is generated from feature extraction and computations from normal and attack packets and used with the classifier. Also, additional Machine Learning (ML) methods are used to enhance the detection process. If the model detects an attack, the technique mitigates DDoS effects by updating the user's trust value and blocking suspicious senders based on the trust value. The experimental results proved that compared to related techniques, the suggested method had a higher accuracy and lower false alarm rate.

Machine learning assisted snort and zeek in detecting DDoS attacks in software-defined networking

Machine learning assisted snort and zeek in detecting DDoS attacks in software-defined networking

GaTeBaSep: game theory-based security protocol against ARP spoofing attacks in software-defined networks

GaTeBaSep: game theory-based security protocol against ARP spoofing attacks in software-defined networks

USAGE : Uncertain flow graph and spatio-temporal graph convolutional network-based saturation attack detection method

With the development of Software-Defined Networking (SDN), its security problems have attached interests from academia. The saturation attack targeted at the SDN switch is one of the most destructive problems in SDN. The saturation attack can destroy SDN networks by depleting the computation and storage resources of SDN switches. Currently, graph neural networks have already been used for detecting saturation attacks in SDN. When constructing the graph based on K-Nearest Neighbors (KNN) algorithm, the number of edges in the graph is fixed. That may fail on accurately representing the relationship among different nodes. In addition, when using the Graph Convolutional Network (GCN) to detect saturation attack against SDN, only a partial graph structure and node features will be learned, causing the flow graph nodes information cannot be fully utilized. To overcome these issues, in this work, we propose USAGE, an uncertain flow graph and spatio-temporal graph neural network-based saturation attack detection method. More specifically, USAGE designs the CRAM algorithm and EGG model. The CRAM algorithm is proposed to generate an uncertain flow graph for each network traffic flow, which can represent the uncertain relationship among different nodes. EGG is a spatio-temporal graph convolutional network model, which is proposed to detect saturation attacks. The evaluation results demonstrate that USAGE can generate a better graph than KNN and achieve high detection performance. Meanwhile, USAGE outperforms other methods in terms of TPR, TNR, accuracy, precision, recall, F-score, confusion matrix, ROC curves, and PR curves.

Comparative Study of AI-Enabled DDoS Detection Technologies in SDN

Software-defined networking (SDN) is becoming the standard for the management of networks due to its scalability and flexibility to program the network. SDN provides many advantages but it also involves some specific security problems; for example, the controller can be taken down using cyber attacks, which can result in the whole network shutting down, creating a single point of failure. In this paper, DDoS attacks in SDN are detected using AI-enabled machine and deep learning models with some specific features for a dataset under normal DDoS traffic. In our approach, the initial dataset is collected from 84 features on Kaggle and then the 20 top features are selected using a permutation importance algorithm. The dataset is learned and tested with five AI-enabled models. Our experimental results show that the use of a machine learning-based random forest model achieves the highest accuracy rate of 99.97% in DDoS attack detection in SDN. Our contributions through this study are, firstly, that we found the top 20 features that contributed to DDoS attacks. Secondly, we reduce the time and cost of comparing various learning models and their performance in determining a learning model suitable for DDoS detection. Finally, various experimental methods to evaluate the performance of the learning model are presented so that related researchers can utilize them.

Feature-based real-time distributed denial of service detection in SDN using machine learning and Spark

Recently, software defined networking (SDN) has been deployed extensively in diverse practical domains, providing a new direction in network management by separating the control plane from the data plane. Nevertheless, SDN is vulnerable to distributed denial of service (DDoS) attacks resulting from its centralized controller. Several studies have been suggested to address the DDoS attacks in SDN utilizing machine learning approaches. However, these approaches are resource-intensive and cause performance degradation since they cannot perform effectively in large-scale SDN networks that generate vast traffic statistics. To handle all these challenges, we build a DDoS attack detection model in SDN using Spark as a big data tool to overcome the limitations of conventional data processing methods. Four machine learning algorithms are employed. The decision tree (DT) is elected to be used for real-time deployment based on the performance results, which indicates that it has the best accuracy of 0.936. The model performance is compared with state-of-the-art and shows an overall better performance.

Feature-based real-time distributed denial of service detection in SDN using machine learning and Spark

Recently, software defined networking (SDN) has been deployed extensively in diverse practical domains, providing a new direction in network management by separating the control plane from the data plane. Nevertheless, SDN is vulnerable to distributed denial of service (DDoS) attacks resulting from its centralized controller. Several studies have been suggested to address the DDoS attacks in SDN utilizing machine learning approaches. However, these approaches are resource-intensive and cause performance degradation since they cannot perform effectively in large-scale SDN networks that generate vast traffic statistics. To handle all these challenges, we build a DDoS attack detection model in SDN using Spark as a big data tool to overcome the limitations of conventional data processing methods. Four machine learning algorithms are employed. The decision tree (DT) is elected to be used for real-time deployment based on the performance results, which indicates that it has the best accuracy of 0.936. The model performance is compared with state-of-the-art and shows an overall better performance.