This document provides an introduction to network security and distributed denial of service (DDoS) attacks. It discusses how DDoS attacks work by overwhelming a target with fake traffic from multiple compromised devices. The document also introduces software-defined networking (SDN) and how its centralized control and programmability could help detect and mitigate DDoS attacks more effectively than traditional network architectures. Key benefits of SDN for security include flexible monitoring, software-based detection, increased network visibility, and granular control.

Uploaded by bharathi r


CHAPTER 1

INTRODUCTION

The Internet has emerged as one of the irreplaceable global systems, connecting devices from different parts of the world. The Internet is the interconnection of individual networks operated by government, industry, academia and private parties, from local to global scope and on small or large scale. Though each of these networks is owned by the corresponding organization, the interconnection of these networks is owned by none. The Internet Society (ISOC) is a non-profit organization providing leadership in Internet-related standards, education, access and policy, with a mission to promote the open development, evolution and use of the Internet for the benefit of all people throughout the world. On the whole, the Internet has become an indelible application of the underlying networks.

In the early days of the Internet, it was predominantly used for file sharing through the World Wide Web; now it carries a variety of services, namely e-mail, Internet telephony, Internet television, online music, digital newspapers, video streaming websites, instant messaging, Internet forums, social networking, online shopping and much more. Almost ten million new users have joined the Internet every day for the past five years [18]. With rapidly increasing services and users on the Internet, the need to ensure seamless connectivity for all users, with proper consistency, integrity and authentication for every service, occupies a central place in network design.

1.1 NETWORK SECURITY

Network security refers to any activity that preserves the consistency, integrity, usability and authentication of a given network and its data, and includes both hardware and software technologies. All access to the network is monitored and managed according to the policies and practices of network security. It targets a variety of threats and prevents them from entering or spreading on the network. An attack is any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to, or make unauthorized use of, an asset.

Attacks are of two types, passive and active. A passive attack is one in which a network intruder obtains information without causing any damage to the network. An active attack denotes a potential change in data, either at the target or on the way to the target. Comparatively, active attacks are more easily detectable than passive attacks because of the change in data, but recovery from an active attack is more expensive. In order to prevent the loss caused by active attacks, it is much wiser to abate the attack as early as possible, before it nears the target; this is otherwise termed a 'proactive mechanism'.

1.2 DISTRIBUTED DENIAL OF SERVICE ATTACK

A denial-of-service (DoS) attack is an active attack, caused directly by a single attacker, that prevents legitimate users from accessing targeted computer systems, devices or other network resources. A distributed denial of service (DDoS) attack is a subclass of DoS attack. A DDoS attack involves multiple connected online devices, collectively known as a botnet, which are used to overwhelm a target website with fake traffic [20]. In a DDoS attack, the attacker becomes the master controlling a number of systems, or bots, and launches the attack by commanding all bots at once. DDoS attacks do not attempt to breach the security perimeter of a system; they aim to make websites and servers unavailable to legitimate users. DDoS can also be used as a smokescreen for other malicious activities and to take down security appliances, breaching the target's security perimeter.

DDoS assaults often last for days, weeks and even months at a time, making them extremely destructive to any online organization. DDoS attacks can lead to loss of revenue, erode consumer trust, force businesses to spend fortunes in compensation and cause long-term reputation damage, whereas launching a DDoS attack is very simple and inexpensive with tools available online.
DDoS attacks can be classified into two general categories, application layer attacks and network layer attacks [20]. Application layer attacks overload a server by sending a large number of requests that require resource-intensive handling and processing. This category includes HTTP floods, slow attacks and DNS query flood attacks. Network layer attacks clog the pipes connecting the target network. Attack vectors in this category include UDP flood, SYN flood, NTP amplification and DNS amplification attacks.

In this work, network layer attacks are considered for study. By tracking specific attributes and their corresponding values, specific attacks can be detected easily, whereas detecting generic attacks is difficult because generic attacks generate packets with random values for all the attributes.

1.3 SOFTWARE DEFINED NETWORKING

Software-defined networking (SDN) encompasses several kinds of network technology aimed at making the network as agile and flexible as the virtualized server and storage infrastructure of the modern data center. The goal of SDN is to allow network engineers and administrators to respond quickly to changing business requirements. In a software-defined network, a network administrator can shape traffic from a centralized control console without having to touch individual switches, and can deliver services to wherever they are needed in the network, without regard to which specific devices a server or other hardware components are connected to. The key technologies for SDN implementation are functional separation, network virtualization and automation through programmability. Put simply, SDN is the physical separation of the network control plane from the forwarding plane, where one control plane controls several devices [21].

In SDN, the control plane, which makes the decisions about how packets should flow through the network, is separated from the data plane, which actually moves packets from place to place. When a packet arrives at a switch in the network, rules built into the switch's proprietary firmware tell the switch where to forward the packet. The switch sends every packet going to the same destination along the same path and treats all such packets exactly the same way. In a classic SDN scenario, by contrast, rules for packet handling are sent to the switch from a controller, an application running on a server somewhere; switches (also known as data plane devices) query the controller for guidance as needed and provide it with information about the traffic they are handling. Controllers and switches communicate through the controller's southbound interface, using OpenFlow or other protocols [22]. OpenFlow is an open standard for a communication protocol that enables the control plane to interact with the forwarding plane.

Figure 1.1 Architecture of SDN (application layer: business applications; APIs; control layer: network services; OpenFlow; infrastructure layer)

From Figure 1.1, the hierarchy of layers in SDN can be observed, which makes SDN more agile and flexible than a traditional network. SDN offers direct programmability and centralized management at reduced capital and operational expenses.

1.4 DDoS ATTACK IN SDN

Any device or network connected to the Internet and accepting data has the possibility of suffering a DDoS attack, and SDN is no exception. All components of SDN, namely the controller, switches and devices, may encounter a flooding attack, and the links between them may be congested by attackers.

Defending against a DDoS attack can be done in three ways, as follows:

 Detecting the attack at the source: finding the bots controlled by the attacker and removing the malicious program running on them.
 Detecting the attack on the way: routers or packet forwarding devices in the intermediate stage of the attack can sense excess packet flow and drop it immediately.
 Detecting the attack at the target: when the target system gets overflowing requests, it senses the attack and takes action.

Among the above mentioned methods, the first and last are very expensive, tedious and cause a lot of resource wastage just to detect the attack. Though the first method seems to be perfect, it is impossible to monitor every system connected to the Internet and maintain its loyalty status. The last method may prove successful in securing the target, but intermediate network resources are wasted until the attack packets reach the target, and they may well cause link congestion.

Detecting a DDoS attack at intermediate routers may seem to be an extra burden on them, but when this task is distributed among them it proves to be effective and less expensive than the other two methods. When it comes to an SDN environment, its characteristics, namely a flexible monitoring mechanism, a software-based detection mechanism, increased network visibility and more granular network control, are powerful and can be leveraged to the fullest for detecting and mitigating DDoS attacks. The topic of early detection, meaning detecting the attack at the forwarding device nearest to the attack source, therefore becomes important in improving the efficiency of the second method.

1.5 NEED FOR COLLABORATIVE DETECTION TECHNIQUE

It is clear that detecting a DDoS attack near its source is needed; this is a proactive approach from the viewpoint of the victim or target of the DDoS attack, that is, stopping the attack before it even spreads around the target system. In order to be proactive, the network between source and target must be wise enough to know what is being sent, between whom and at what rate. Obviously, all routing information available at each router must be known to all other routers in the network or to a centralized master router, which itself congests the links in the case of a traditional network. Fortunately, in SDN, all switches are controlled by the controller, which has access to the forwarding tables (flow entry tables) of every switch. The controller can collect the information from all switches and detect any kind of attack easily.

1.6 OVERVIEW OF THE PROJECT

DDoS defense, being the need of the hour for keeping web services available at the time of attack floods directed towards the service network, is the focus of this work. The attack defense steps against a DDoS attack (detection, trace back and mitigation) are explored. Attack trace back and mitigation are worthwhile only if attack detection is correct. Hence, an attempt is made to find the most effective mechanism to detect the attack. As SDN is becoming more popular and replacing the traditional network setup because of its direct programmability and centralized control, the DDoS defense is developed for implementation on SDN. Two different detection mechanisms are implemented in order to determine their accuracy.

1.7 OBJECTIVE OF THE PROJECT

Currently, the back propagation neural network method is used in SDN to detect DDoS attacks by training the neural network model with datasets of previous DDoS attacks. Detecting specific attacks may be successful with this model, whereas detecting generic attacks using knowledge of previous attacks is neither complete nor suitable. This project aims to implement a collaborative approach in SDN to detect DDoS attacks based on a score for each packet, which can cover all attack vectors. Finding the most accurate attack detection mechanism is the motive of the project.

1.8 ORGANISATION OF THE REPORT

Chapter 2 presents a literature survey of the bibliography related to various mechanisms of DDoS defense in the SDN architecture. In Chapter 3, DDoS defense using neural networks in SDN is explained. In Chapter 4, a collaborative mechanism to detect DDoS attacks in SDN is proposed. Chapter 5 details the implementation of the modules in the existing system as well as the proposed system. Chapter 6 discusses results and inferences to measure the efficiency of the DDoS defense mechanisms. In Chapter 7, the conclusion of the project is given and future scope is proposed.

CHAPTER 2

LITERATURE SURVEY

2.1 INTRODUCTION

A DDoS defense mechanism involves DDoS attack detection, attack trace back and attack mitigation, in that order. The attack detection mechanism is the most crucial of the three. In attack detection, the existence of an attack in the protected network is analyzed and confirmed, and an alert is sent to the corresponding authorities. In attack trace back, the source of the attack and the path of attack traversal are identified. In attack mitigation, suitable filters are chosen and placed at appropriate switches to drop attack packets as near to the attack source as possible.

The different kinds of detection and mitigation methods followed in the literature are surveyed below.

2.2 DDoS ATTACK DETECTION USING SELF ORGANISING MAPS

An artificial neural network (ANN) is a computational model based on the structure and functions of biological neural networks. Information that flows through the network affects the structure of the ANN, because a neural network changes, or learns in a sense, based on that input and output. In a computational neural network, a vector or set of inputs and outputs are interconnected with synaptic weights. A synaptic weight is changed by using a learning rule, the most basic of which is Hebb's rule, usually stated in biological terms as "Neurons that fire together, wire together". Computationally, this means that if a large signal from one of the input neurons results in a large signal from one of the output neurons, then the synaptic weight between those two neurons will increase [1].

A Self-Organizing Map (SOM) is an artificial neural network which transforms a given n-dimensional pattern of data into a 1- or 2-dimensional map or grid. This transformation follows a topological ordering, where patterns of data (synaptic or vector weights) with similar statistical features are gathered in regions close to each other in the grid. The learning process can be classified as competitive, because neurons compete against each other to be placed at the output layer of the neural network but only one wins, as shown in Figure 2.1. It is also unsupervised, because the neural network learns only from input patterns, reorganizing itself after the first training data and adjusting its weights as new data arrive.

Figure 2.1 Example of SOM map

The main steps of SOM's learning process are given below.

i. Initialization: at the beginning of the process all neuron vectors have their synaptic weights randomly generated. Such vectors must have the same dimension as the input pattern space.
ii. Sampling: a single sample x is chosen from the input pattern space and fed to the neuron grid.
iii. Competition: based on the minimum Euclidean distance criterion, the winning neuron i(x) is found as follows:

i 2.1

where l is the number of neurons in the grid.

iv. Synaptic adaptation: after finding the winning neuron, the synaptic weights of every neuron vector are adjusted:

where t represents the current instant, η(t) is the learning rate, which gradually decreases with time t, and Θj(t) is the neighborhood function, which determines the degree of learning of a neuron j according to its distance from the winning neuron.
v. Repeat steps ii to iv until no significant change happens in the topological map.
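The five steps above, carried out in code, as an added example that is not part of the report: a small SOM is trained on constructed benign flow-feature vectors and the minimum Euclidean distance to the winning neuron is then used as the anomaly score, which is the "compare with clusters" use of SOM the next paragraph describes. The feature layout, the Gaussian neighbourhood, the decay schedules and the threshold rule are assumptions.

```python
"""Added example (not from the report): a minimal Self-Organizing Map that
follows steps i-v of Section 2.2 and uses the minimum-Euclidean-distance winner
as an anomaly score for flows. Inputs are constructed flow-feature vectors."""
import math
import random

# Constructed per-flow feature vectors (assumption): (packets/s, bytes/packet,
# SYN fraction), each scaled to [0, 1]. Only benign flows are used for training.
BENIGN_FLOWS = [(0.05, 0.60, 0.05), (0.08, 0.55, 0.08), (0.06, 0.70, 0.04), (0.10, 0.50, 0.10)]
FLOOD_FLOWS = [(0.95, 0.10, 0.90), (0.90, 0.05, 0.95), (0.98, 0.12, 0.88)]


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class SOM:
    def __init__(self, rows, cols, dim, seed=0):
        # Step i, initialization: random weight vectors with the input dimension.
        rng = random.Random(seed)
        self.rows, self.cols = rows, cols
        self.weights = [[[rng.random() for _ in range(dim)] for _ in range(cols)]
                        for _ in range(rows)]

    def winner(self, x):
        # Step iii, competition: the neuron with minimum Euclidean distance wins.
        best, best_d = (0, 0), float("inf")
        for r in range(self.rows):
            for c in range(self.cols):
                d = euclidean(self.weights[r][c], x)
                if d < best_d:
                    best, best_d = (r, c), d
        return best

    def adapt(self, x, win, eta, sigma):
        # Step iv, synaptic adaptation: every neuron j moves towards x by
        # eta(t) * Theta_j(t); Theta is a Gaussian neighbourhood around the winner
        # (assumed form), measured in grid distance.
        for r in range(self.rows):
            for c in range(self.cols):
                grid_d2 = (r - win[0]) ** 2 + (c - win[1]) ** 2
                theta = math.exp(-grid_d2 / (2.0 * sigma * sigma))
                w = self.weights[r][c]
                self.weights[r][c] = [wi + eta * theta * (xi - wi) for wi, xi in zip(w, x)]

    def train(self, samples, epochs=200, eta0=0.5, sigma0=2.0, seed=1):
        # Step v: repeat ii-iv; a fixed iteration budget stands in for
        # "until no significant change" (assumption).
        rng = random.Random(seed)
        total = epochs * len(samples)
        for t in range(total):
            x = rng.choice(samples)                    # Step ii, sampling
            frac = t / total
            eta = eta0 * (1.0 - frac)                  # learning rate decays with t
            sigma = max(0.3, sigma0 * (1.0 - frac))    # neighbourhood shrinks with t
            self.adapt(x, self.winner(x), eta, sigma)


def quantization_error(som, x):
    """Distance from x to its winning neuron; large values mean x fits no learned cluster."""
    r, c = som.winner(x)
    return euclidean(som.weights[r][c], x)


def build_detector(benign, rows=3, cols=3):
    """Train on benign flows and derive a detection threshold from their errors
    (the threshold rule is an assumption, not the report's)."""
    som = SOM(rows, cols, len(benign[0]))
    som.train(benign)
    errors = [quantization_error(som, x) for x in benign]
    threshold = 2.0 * max(errors) + 0.05
    return som, threshold


def is_flood(som, threshold, x):
    return quantization_error(som, x) > threshold


if __name__ == "__main__":
    som, threshold = build_detector(BENIGN_FLOWS)
    for flow in BENIGN_FLOWS + FLOOD_FLOWS:
        print(flow, "flood" if is_flood(som, threshold, flow) else "benign")
```

The threshold is exactly the quantity the LIMITATION paragraph below says must be tuned per data sample: too low and benign flows are flagged, too high and a flood that is not far from the learned clusters passes.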

ADVANTAGE:
SOM can detect specific attacks by comparing them with clusters using minimum Euclidean distance, and training can be done with a sample of the whole input space, which reduces computational complexity and time.
LIMITATION:
Detecting generic attacks is difficult, and the threshold of the neural network must be adjusted for every data sample to minimize the error rate of the neural network model.

2.3 DISTRIBUTED SELF ORGANISING MAPS

In SDN, SOMs are distributed across the data plane along with OpenFlow
switches to detect packet flooding at switch level itself. DSOMs are integrated with
every switch individually and analyze flow entries at each switch. Yet this approach is
not collaborative. Figure 2.2 visualizes how DSOMs are integrated with OpenFlow
switches [2].
11

Figure 2.2 Distributed SOM system

ADVANTAGE
Distributing the task of attack detection reduces the burden on the controller of making decisions for each switch by analyzing its flow table. It provides the possibility of stopping the attack at the earliest possible switch.
LIMITATION
Along with the drawbacks of SOM, making switches intelligent violates a significant principle of SDN, that is, using commodity hardware at the data plane level. Ensuring that the DSOMs always function properly is essential to defend against DDoS attacks.

2.4 SDN-SUPPORTED COLLABORATIVE APPROACH

In this collaborative approach, three components, namely Monitor, Correlator and Controller, are used to perform attack detection, trace back and mitigation respectively. Monitors, distributed over a computer network, constantly observe the network traffic for anomalies. Correlators residing at Open Virtual Switches (OVS) respond to alerts from monitors on demand. SDN controllers themselves take the actions that modify network flows in attack mitigation. A monitor can employ different anomaly detection algorithms to flag a range of potential attacks. Monitors keep a behavioral profile of normal traffic and compare it with the current traffic flow.

Once an alert is received, a correlator immediately takes action based on the type of alert. Often, it is necessary for the correlator to first collect additional packets and data for pertinent information. If, after close examination of the evidence, the correlator cannot identify the attacker(s), this may simply indicate an increase in normal traffic; a reset command is then issued to the reporting monitor(s), and the normal traffic profile is updated as necessary to establish a new baseline. As an attacker can originate from a network segment different from that of the monitor, multiple correlators need to communicate with each other and access the related OVSs to reveal attackers from different network segments and generate insight into the path of the attack traffic. Finally, confirmation of the presence of an attack triggers the SDN controllers, which may order the OVS to drop the attack packets, deploy honeypots to trick the attack into yielding more evidence, or dynamically reconfigure the network and reshape the traffic [3].

ADVANTAGE

Flow entry data is used by monitors to detect packet overflow, and detecting specific attacks is very simple by comparison with the normal behavioral profile. Communication between correlators improves attack detection accuracy and prevents the attack as early as possible.

2.5 PROBABILISTIC FILTER SCHEDULING

Probabilistic Filter Scheduling (PFS), applied in traditional networks, adopts Probabilistic Packet Marking (PPM), a general technique which routers can use to reveal internal network information to end hosts. Such information is probabilistically set by the routers in the headers of regular IP packets on their way to their destinations. PFS modifies PPM by fragmenting an IP address to fit into the unused bits of the current IPv4 packet, such as the IP identification field, and adding checksum bits to achieve integrity. Consequently, a victim can identify which filter router is in charge of the undesired flow. Second, a filter router receives marked packets from upstream filter routers, so a filter router can also identify the attack path and propagate filters to upstream filter routers. Last, PFS performs a filter scheduling policy. Filter scheduling allows the filter router to retain the most effective filters depending on the attack situation, so the filter router can use its limited resources efficiently [4].

PFS consists of four phases: 1) probabilistic packet marking, 2) filter invocation, 3) filter scheduling and propagation, and 4) filter revocation. In phase one, a filter router probabilistically marks its own IP address into the packet header. In phase two, a victim collects and reconstructs the marking values to send a filter request. In phase three, the filter router receiving filter requests decides the best k filters using a filter scheduling policy and forwards the filters to upstream routers. Finally, in phase four, when the attack stops, the scores of the filters corresponding to the attack decrease and those filters are eventually evicted from the filter router.

ADVANTAGES

The modified PPM can help in quick attack trace back in an SDN environment, either along paths that connect switches or along paths between networks. Filter invocation can be done by the switch connected to the victim instead of by the victim itself.

2.6 ADAPTIVE PROBABILISTIC FILTER SCHEDULING

Adaptive Probabilistic Filter Scheduling (APFS) follows the same procedure as PFS but uses a different packet marking technique. In APFS, a filter router adaptively calculates its own marking probability based on three factors: the hop count from a sender, the filter router's resource availability and the filter router's link degree. That is, a filter router that is closer to the attackers, has more available resources, or has more connections to neighbors inserts its marking with a higher probability [5]. These three factors lead a victim to receive more markings from more effective filter routers, and thus filters are quickly distributed to effective filter routers. Each filter router manages multiple filters using a filter scheduling policy that allows it to selectively keep the most effective filters depending on the attack situation.

ADVANTAGES

Adaptive probabilistic packet marking helps in detecting the exact entry points
of attack, which in turn results in positioning filters at required switches in SDN
environment.

2.7 APPLYING STATISTICAL SEGREGATION METHOD

The possibility of attack traffic disguising itself as legitimate traffic is high in a DDoS attack, which may result in legitimate packets being dropped wrongly. The statistical segregation method samples the flow in consecutive intervals; the samples are then compared against the attack state condition and sorted with the mean as the parameter, and correlation analysis is performed to segregate attack flows from the legitimate flows. Attacks can be classified into low rate, constant rate, increasing rate and intermittent rate attacks [6].

 Low Rate Attack: packets are generated to imitate the behavior of a genuine client so as to avoid detection. The attack traffic never floods the bandwidth throughout the network, but due to the very large number of malicious devices involved in sending attack packets, the victim eventually gets overloaded and becomes unavailable.
 Constant Rate Attack: the attacker commands zombies (malicious systems under the attacker's control) to generate the same number of packets in every interval, which generates steady traffic at a rate greater than the legitimate traffic. This increased rate creates a sudden packet flood that disrupts the victim's services very quickly, and it is a cost-effective approach for the attacker.
 Increasing Rate Attack: the rate of this flood keeps on increasing gradually, starting from the lowest possible rate, which delays early detection.
 Intermittent Rate Attack: this kind of attack varies the rate quite often and breaks for constant or varying intervals so as to avoid detection.

By comparing consecutive traffic samples (that are under suspicion) with the normal traffic of the network, increasing and constant rate attacks can be detected easily. If the traffic rates of consecutive samples are increasing and greater than the normal traffic rate, it is an increasing rate attack. If the traffic rates of consecutive samples remain constant and greater than the normal traffic rate, it is a constant rate attack.

Since low rate attacks disguise themselves as normal traffic, the covariance between every two sample flows is calculated to obtain the correlation between those flows, which denotes the degree of similarity between them. Covariance is calculated from the means of the two flows, and correlation from their covariance and standard deviations. By analyzing similarity, a low rate attack and a legitimate flow can be differentiated, since the type of packets sent by legitimate users cannot be matched by that from zombies. By combining all three of the above mentioned methods, the intermittent rate attack, which occurs rarely, can be detected.
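The segregation described above, as an added example that is not part of the report: a suspect flow sampled in consecutive intervals is compared with the normal profile, first by rate (increasing, constant, intermittent) and then by the covariance-based correlation of its shape with the normal traffic (low rate). The per-interval counts, the burst factor and the two cut-offs are constructed assumptions.

```python
"""Added example (not from the report): statistical segregation of a sampled flow
into the rate classes of Section 2.7, using constructed per-interval packet counts."""
from statistics import mean, pstdev

# Constructed samples (assumption): packets counted in six consecutive intervals.
NORMAL_PROFILE = [100, 120, 90, 110, 100, 120]       # normal traffic of the network
SUSPECT_FLOWS = {
    "legit":        [95, 125, 85, 115, 105, 115],    # follows the normal pattern
    "constant":     [300, 305, 298, 302, 301, 299],  # steady, well above normal
    "increasing":   [50, 80, 120, 180, 260, 380],    # ramps up from a low rate
    "intermittent": [400, 20, 380, 30, 390, 25],     # bursts separated by breaks
    "low_rate":     [100, 90, 110, 100, 115, 95],    # normal level, unrelated shape
}


def covariance(a, b):
    """Population covariance of two equally long sample series."""
    ma, mb = mean(a), mean(b)
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / len(a)


def correlation(a, b):
    """Pearson correlation: covariance divided by the two standard deviations."""
    sa, sb = pstdev(a), pstdev(b)
    if sa == 0 or sb == 0:
        return 0.0          # a flat series carries no shape to compare
    return covariance(a, b) / (sa * sb)


def classify_flow(samples, normal_samples, burst_factor=2.0, cv_limit=0.10, corr_limit=0.5):
    """Return the rate class of `samples` relative to `normal_samples`.
    The thresholds (burst factor, coefficient of variation, correlation) are assumptions."""
    normal_rate = mean(normal_samples)
    burst = [r > burst_factor * normal_rate for r in samples]    # flooding intervals
    crossings = sum(1 for a, b in zip(burst, burst[1:]) if a != b)
    rising = all(b > a for a, b in zip(samples, samples[1:]))
    if rising and samples[-1] > burst_factor * normal_rate:
        return "increasing-rate attack"
    if all(burst):
        cv = pstdev(samples) / mean(samples)                     # spread relative to level
        return "constant-rate attack" if cv <= cv_limit else "varying-rate flood"
    if crossings >= 2:
        return "intermittent-rate attack"       # bursts alternate with breaks
    if correlation(samples, normal_samples) < corr_limit:
        return "low-rate attack"                # normal volume, but not the normal shape
    return "legitimate"


def classify_all(flows=SUSPECT_FLOWS, normal=NORMAL_PROFILE):
    return {name: classify_flow(s, normal) for name, s in flows.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:13s} -> {verdict}")
```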

ADVANTAGES

In SDN, finding the correlation among different flows helps in identifying abnormally behaving flows that seem to be normal. Hence, calculating the mean, standard deviation and correlation of traffic flow samples is effective with little computation.

2.8 COLLABORATIVE PROTECTION NETWORK


The collaborative protection network is a distributed architecture composed of multiple Intrusion Prevention Systems (IPS) forming overlay networks of protection rings around the hosts that are to be protected from DDoS attack. The IPSs form virtual protection rings around the host they protect. The virtual rings use horizontal communication when the degree of a potential attack is high. The threat is measured based on the overall traffic bandwidth directed to the target systems compared to the maximum bandwidth they support. Horizontal communication refers to the information exchange between nodes that form a ring; vertical communication means the information exchange between nodes of consecutive rings [7].

Analogous to the flow table entries in SDN, this system maintains a set of rules that match patterns of IP packets. For each set of rules, the frequency of packets matching each rule and the entropy of the rule frequencies are calculated. Entropy measures the uniformity of the distribution of rule frequencies. The relative entropy metric measures the dissimilarity between two distributions.
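The rule-frequency, entropy and relative-entropy computation of the previous paragraph, as an added example that is not part of the report: rule matches over a packet window give a distribution, whose entropy drops when a flood concentrates traffic on one rule, and whose relative entropy against the non-attack baseline measures that dissimilarity. The rule set, packet windows and detection limit are constructed assumptions.

```python
"""Added example (not from the report): rule-match frequencies, their entropy and
the relative entropy against a baseline, as Section 2.8 describes, on constructed packets."""
import math
from collections import Counter

# Constructed rule set (assumption on rule form): ordered predicates over packet
# headers; the first match wins, as in a flow table.
RULES = [
    ("tcp_syn",   lambda p: p["proto"] == "tcp" and p["flags"] == "S"),
    ("tcp_other", lambda p: p["proto"] == "tcp"),
    ("udp_dns",   lambda p: p["proto"] == "udp" and p["dport"] == 53),
    ("udp_other", lambda p: p["proto"] == "udp"),
    ("icmp",      lambda p: p["proto"] == "icmp"),
]


def make_packets(n_syn, n_tcp_other, n_dns, n_udp_other, n_icmp):
    """Build a constructed packet window with the given number of packets per rule."""
    pkts = [{"proto": "tcp", "flags": "S", "dport": 80}] * n_syn
    pkts += [{"proto": "tcp", "flags": "A", "dport": 80}] * n_tcp_other
    pkts += [{"proto": "udp", "flags": "", "dport": 53}] * n_dns
    pkts += [{"proto": "udp", "flags": "", "dport": 123}] * n_udp_other
    pkts += [{"proto": "icmp", "flags": "", "dport": 0}] * n_icmp
    return pkts


def rule_frequencies(packets):
    """Fraction of packets matching each rule (the distribution over rules)."""
    counts = Counter()
    for p in packets:
        for name, match in RULES:
            if match(p):
                counts[name] += 1
                break
    total = sum(counts.values())
    return {name: (counts[name] / total if total else 0.0) for name, _ in RULES}


def entropy(dist):
    """Shannon entropy in bits; uniform rule frequencies give the maximum."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def relative_entropy(observed, baseline, eps=1e-6):
    """KL(observed || baseline); eps keeps a rule unseen in the baseline from giving infinity."""
    return sum(p * math.log2(p / max(baseline.get(r, 0.0), eps))
               for r, p in observed.items() if p > 0)


def flood_suspected(window, baseline_packets, kl_limit=1.0):
    """Flag the window when its rule distribution diverges from the baseline
    by more than kl_limit bits (the limit is an assumption)."""
    return relative_entropy(rule_frequencies(window), rule_frequencies(baseline_packets)) > kl_limit


BASELINE = make_packets(20, 50, 20, 5, 5)     # constructed non-attack window
SYN_FLOOD = make_packets(90, 5, 5, 0, 0)      # constructed window dominated by one rule

if __name__ == "__main__":
    for name, window in (("baseline", BASELINE), ("syn flood", SYN_FLOOD)):
        dist = rule_frequencies(window)
        print(name, round(entropy(dist), 3), "bits,",
              "KL vs baseline", round(relative_entropy(dist, rule_frequencies(BASELINE)), 3))
```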

ADVANTAGES
When the topology of OpenFlow switches in SDN resembles a layered ring structure (a set of switches connected in ring form, with this ring surrounded by another ring), collecting flow entry information from a ring and the next ring may reveal which ring is affected and where to activate filters. Horizontal and vertical communication between rings of IPS denotes a collaborative approach to attack detection and mitigation.

2.9 IDENTIFYING CYBER-ATTACKS ON SDN

From a number of attack datasets collected from an attack database, attack signatures are generated by a flow creation module. To avoid false positives and false negatives in attack detection, an inference mechanism is used. The inference mechanism relies on a graph-based prediction module, in which each node of the graph represents a specific packet flow, which can be either a specific alert or a benign flow. Each node is assigned labels based on the features of its flow, and the relationships between these nodes are weighted. By augmenting the semantics of the graph with a Markov process, indirect relationships between nodes are discovered. After finding the indirect relationships, the most feasible path is selected, representing the most probable relationship. Based on edge similarity, nodes are grouped and the k nearest neighbors are found using k-Nearest Neighbor classification with the number of neighbors, the edge weights and the set of flows to be processed (nodes) as inputs. To label a flow as benign or as an attack type, the majority of its neighbors is considered: if the count of suspicious-flow neighbors is greater than that of benign-flow neighbors, the flow is said to be suspicious. If the counts of both types of neighbors are equal, the similar nodes are removed until the tie is broken [8].

ADVANTAGE
Using graph representation for flow types and k-NN for grouping flows,
similarity between flows is calculated extensively which drastically reduces chance of
occurrence of false positives and false negatives.

2.10 MOVING TARGET DEFENSE NETWORK PROTECTION

Moving Target Defense (MTD) uses counter-deception techniques that constantly change the target surface, so that attackers cannot get a foothold. MTD forces the attacker to learn the target over and over again, increasing the likelihood of discovery and making attacks costly and unfeasible. MTD can be done at three levels, network level MTD, host level MTD and application level MTD, in which IP addresses and port numbers, naming and OS configuration, and the application environment respectively are randomly changed in a periodic manner.
Most network mapping tools perform their operations using ICMP packets and TCP or UDP scans. ICMP messages are typically used to verify the connectivity or reachability of potential targets. TCP and UDP port scans are used to identify the running services of a target. Replies to scans (TCP RST, silent drop or ICMP unreachable) can also reveal which services are allowed or filtered by transit devices. Additionally, the TTL field of IP packets is used to identify the hop distance between the target and the destination. SDN-enabled devices can be used to confuse such reconnaissance. For example, traffic to a destination that is blocked according to a filtering policy can be silently dropped, and SDN utilities can generate varying responses that confuse the attacker. In the case of traffic that is permitted by the filtering policy (that is, legitimate traffic), the SDN policy does not interfere [9].

Randomization can be introduced at the IP address level, in routing or in access policy. Attacks that would be affected by IP address randomization are network based (i.e. DDoS or worm propagation). Additionally, reconnaissance capabilities are diminished in a constantly changing topology. SDN's high programmability can offload the computationally intensive randomization and management techniques from the network to software, which consequently makes randomization techniques more efficient, customizable and practical.

ADVANTAGE
Though MTD is an old technique, it does prove to be a proactive measure for confusing attackers about the target's location or identity, so that the unavailability of the protected resource is never in question, and a dynamic environment like SDN is capable enough to implement MTD at low cost.

2.11 CONFIDENCE BASED FILTERING APPROACH

In order to discriminate attack packets from legitimate ones, the concept of correlation is used, which refers to the situation in which some interior characteristics take place at the same time in the packet flows. With the basic assumption that some unique correlation patterns occur in legitimate packet flows, it is quite hard for attackers to notice and mimic these patterns when carrying out DoS or DDoS attacks, so using such patterns to judge the legitimacy of packets is feasible. Focusing on the transport and network layers, the correlation patterns in these two layers are the co-appearances of attributes in the IP header and the TCP header. These attribute pair patterns are distinctive because certain characteristics of the operating system, the network structure and even the habits of users affect the values of these attributes, and thus make some attribute pairs related. Confidence is the frequency of appearance of attribute pairs in the packet flows [10]. The more often an attribute pair appears in legitimate packet flows, the higher the confidence value of that pair. The CBF score of a packet is the weighted average of the confidence values of the attribute value pairs in it. Attribute pairs which cannot easily be copied by attackers are given a high weight. Thus, a higher score for a packet corresponds to more frequently appearing and less easily copied correlation patterns, and hence the packet is more likely to be legitimate. A legitimate packet in CBF is one whose CBF score is above the discarding threshold; conversely, packets with scores lower than the discarding threshold are regarded as attack packets.

ADVANTAGE
Discriminating packet flows based on confidence values can eliminate a huge
amount of false positives and negatives.

2.12 STATISTICS-BASED PACKET FILTERING SCHEME

This approach forms the basis of the proposed method: attack packets are eliminated based on their packet score, calculated from the attribute values. Characteristics of the packet flow to a server or a user are monitored during a non-attack period and a profile is created, called the nominal profile. From the nominal profile, attribute values are used to calculate the packet score of benign packets, and the mean of these packet scores gives the maximum score of a benign packet; a packet scoring above this threshold is obviously a suspicious one. The principle is to punish traffic whose attribute value ratio is higher than in the nominal profile. If the variance among the periodic ratios in the nominal profile is too great to be reliable, it is possible to include only those attribute values with low variance to obtain a more stable profile. Due to space constraints, storing the whole packet flow for the nominal profile may be difficult, so iceberg profiles are considered, in which only the most frequently occurring attribute values are stored along with their ratio. Iceberg profiles are obtained either by a static threshold or by an adaptive threshold. In the static threshold approach, the profile only includes those attribute values which appear more frequently than a preset threshold ratio, say x percent. In the adaptive threshold approach, the most frequently appearing attribute values that constitute a preset coverage of the traffic, e.g., 95 percent, are selected. The corresponding cutoff threshold y percent for the given coverage serves as the adaptive threshold, which is also used as the default ratio for absent items. With such iceberg-style profiles, the nominal profile can be kept to a manageable size [11].
Single attributes taken for nominal profile creation are packet size, Time-to-Live (TTL) values, protocol-type values and source IP prefixes. Single attributes from TCP headers are TCP flag patterns and server port numbers, i.e., the smaller of the source port number and the destination port number.
Attribute combinations taken for nominal profile creation are as follows:
• packet size and protocol type,
• server port number and protocol type,
• source IP prefix, TCP flags and packet size.
To maintain stability in nominal profiles, packet samples are taken at different time intervals and the attribute values with maximum frequency are considered for nominal profile creation, as given in figure 2.3.
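The static and adaptive iceberg profiles described above, as an added example (not code from the thesis or from [11]); the TTL sample is constructed, and the profile functions accept tuples as values, so the same code builds the attribute-combination profiles listed above.

```python
from collections import Counter
from typing import Dict, Hashable, Iterable, Tuple

# Constructed TTL values from a non-attack period (not taken from the thesis):
# 60 packets with TTL 64, 30 with TTL 128, 6 with TTL 255, 3 with TTL 32, 1 with TTL 100.
NOMINAL_TTL = [64] * 60 + [128] * 30 + [255] * 6 + [32] * 3 + [100] * 1


def attribute_counts(values: Iterable[Hashable]) -> Tuple[Counter, int]:
    """Single-attribute nominal profile: packet count per attribute value, plus the total.
    Values may be tuples such as (packet_size, protocol), giving the pair profiles."""
    counts = Counter(values)
    return counts, sum(counts.values())


def iceberg_static(counts: Counter, total: int, x_percent: int) -> Dict[Hashable, float]:
    """Static threshold: keep only values whose ratio exceeds x percent of all packets.
    The comparison is done in integers so no rounding error decides the cut."""
    return {v: n / total for v, n in counts.items() if n * 100 > x_percent * total}


def iceberg_adaptive(counts: Counter, total: int,
                     coverage_percent: int) -> Tuple[Dict[Hashable, float], float]:
    """Adaptive threshold: keep the most frequent values until they cover the preset
    share of traffic. Returns (profile, y): y is the ratio of the last value kept,
    which is the cutoff and the default ratio for values absent from the profile."""
    kept: Dict[Hashable, float] = {}
    covered = 0
    y = 0.0
    for v, n in counts.most_common():
        kept[v] = n / total
        covered += n
        y = n / total
        if covered * 100 >= coverage_percent * total:
            break
    return kept, y


def profile_ratio(profile: Dict[Hashable, float], default: float, value: Hashable) -> float:
    """Ratio used when scoring: the stored ratio, or the adaptive cutoff for absent items."""
    return profile.get(value, default)


def demo() -> Tuple[Dict[Hashable, float], Dict[Hashable, float], float]:
    """Build both iceberg profiles over the constructed TTL sample."""
    counts, total = attribute_counts(NOMINAL_TTL)
    static = iceberg_static(counts, total, 5)           # x = 5 percent
    adaptive, y = iceberg_adaptive(counts, total, 95)   # 95 percent coverage
    return static, adaptive, y


if __name__ == "__main__":
    static, adaptive, y = demo()
    print("static 5%:", static)
    print("adaptive 95%:", adaptive, "cutoff y =", y)
    print("ratio assumed for an unseen TTL:", profile_ratio(adaptive, y, 7))
```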

ADVANTAGE
Though nominal profiles are created in a slightly different way from this approach, it forms the basis, and the combination of attributes taken for profile creation will always persist in DDoS defense.

Table 2.1 Example of Nominal Profile

2.13 AUTONOMIC DDOS MITIGATION FRAMEWORK

In this approach, detecting and preventing DDoS attacks is handled at a higher level. Attack information is shared via the communication channel between the SDN controllers of the ISP and the customer network instead of via data plane routers, so the latency lies between controllers and not on the customer side. To solve scalable flow management (a controller cannot serve all customers when the number of new packet flows increases rapidly) and consistency of forwarding policy (modification of header information that violates the ISP forwarding policy), labels are used to identify the path from the ingress switch to the egress switch of the ISP network. Labels allow fast switching and rerouting, as core switches in the ISP network simply need to check the label and forward the packets, and using labels preserves forwarding across modification of the packet header by devices like NAT (Network Address Translation) [12].

Figure 2.3: Use Case of communication between ISP and Customer Controllers

ADVANTAGE

Reducing latency in the data plane by labeling flows for forwarding, together with communication between controllers, will take DDoS defense a step ahead of the current level of defense.

2.14 SECURE AND DEPENDABLE SDN

Figure 2.4 Secure and Dependable SDN architecture

A slightly modified version of the current SDN architecture is proposed in this system. In this architecture a switch can associate itself with multiple controllers instead of one controller, and controllers are also replicated any desired number of times.
From Figure 2.5 the modified SDN architecture can be understood. This architecture aims to defend against threat vectors like forged or faked traffic flows, attacks on vulnerabilities in switches, attacks on control plane communications, attacks on and vulnerabilities in controllers, lack of trust between the controller and management applications, and attacks on and vulnerabilities in administrative stations. With this modified architecture, the controller is replicated and diversified. The basic principle behind this mechanism is to avoid common-mode faults [13]. Under persistent adversary circumstances, proactive and reactive recovery can bring the system back to a healthy state, replacing compromised components, and keep it working virtually forever. When replacing components, it is important that the replacement be done with new and diverse versions of the components whenever possible, to strengthen the defense against attacks targeting specific vulnerabilities in a system. Another simple approach would be to keep authenticated white lists of known trusted devices at the controllers, which ensures trusted communication among devices in the SDN.

ADVANTAGE
Diversifying the controller is a novel idea, since the same kinds of vulnerabilities and bugs may not be present in different operating systems or software, which helps in defending a bit more, at least until detection. Though replicating a controller is tedious, it will prove effective in very critical applications, and the choice of replication can be given to network administrators.

2.15 DEFENSE MECHANISMS IN SDN

The SDN architecture itself can encounter DDoS attacks in five possible scenarios: congestion of the link to the controller, a blind DDoS attack on the controller, exhaustion of switch memory, congestion of the link between switches, and a flooding attack on a user under a switch. Solutions to these scenarios take different aspects, based on table entries, scheduling, architecture, statistics and machine learning [14].
Table-entry-based models propose solutions related to the limited table size of switches. Each unknown packet flow needs a new entry in switch memory. This becomes a bottleneck during a DDoS attack, which contains packets with different IP addresses. Table entry replacement policies should use multiple parameters of a flow entry instead of one parameter, and the controller must have an intermediate buffer module. Proper updating of flow entries is also necessary.
To keep the controller alive all the time, scheduling the assignment of tasks from switches is necessary, which will also support scalability. A separate queue for each switch connected to the controller can also be provided to prevent the controller from being attacked through one of its switches. In the architectural aspect, the monitoring and controlling activities of the controller can be decoupled and a controller can be managed by a master. For security and load balancing reasons, the controller should be distributed.
In statistical methods, baseline profiles collected during an attack-free period are compared with the suspected flow to discard attack packets. Network switches monitor traffic and detect congestion by monitoring bandwidth usage. When congestion occurs, the switch notifies the controller. Then, the controller requests statistics from every switch that sends packets to the congested link. It determines badly behaving flows that consume more bandwidth, and sends commands to the switches to rate-limit them.

2.16 SUMMARY

In this chapter, DDoS detection by the neural network method and various collaborative methods are discussed in detail. A neural network is trained using previous attack datasets and used to predict attack signatures in the current traffic flow, with which only specific attacks like the TCP SYN flood attack can be detected. But generic attacks generated by randomizing attribute features may go undetected if the flow type of the current traffic does not resemble the dataset taken for training. The collaborative approach allows packet flow information exchange between nodes of the network, and communication among controllers for DDoS defense is a novel idea to solve problems at the earliest. From this study, varied collaborative techniques for DDoS defense are observed, which prove more promising than other available methods, and it is seen how early detection and prevention of a DDoS attack preserves intermediate network resources along with the target system.

CHAPTER 3

EXISTING SYSTEM

3.1 INTRODUCTION

SDN is an emerging architecture that is dynamic, manageable, cost-effective and adaptable, making it ideal for the high-bandwidth, dynamic nature of business applications. The need for SDN is inevitable in future, as every possible device will stay connected through the Internet of Things. DDoS being a persistent issue, the existing system attempts to defend against DDoS using neural networks to detect DDoS attacks in SDN.

3.2 ARCHITECTURE

From figure 3.1, the coordination of SDN and the anti-DDoS mechanism can be observed. SDN has switches and controllers to manage network administration. A switch just performs packet forwarding or packet dropping based on the flow entries approved by the controller for the switch. One controller controls a number of switches based on the network capacity and layout, which can be configured by program. A controller that manages a switch decides which kinds of packets must be forwarded or dropped by the switch and makes flow entries on the switch accordingly. When a switch encounters a new flow of packets that does not match any flow entry in it, it notifies the controller about the new packet flow and waits for approval from the controller in order to forward or drop the packets of the new flow [16].
In order to reduce the bottleneck on the controller, a separate decision module is associated with it to judge the credibility of new flow entries. With the help of this module, the controller can easily inform switches about which packets to forward and which packets to drop. The reason for keeping a separate module for deciding on the legitimacy of packets is that, when there is a flooding attack or a huge rise in the flow of legitimate packets, each switch can have multiple new flow entries to be approved by the controller, which can cause congestion between the controller and the switches, and the controller has to decide on a number of flow entries in a very short duration, which is not suitable for ensuring the security of the network.

Figure 3.1 SDN architecture for DDoS defense

It is clear that SD-Anti-DDoS takes care of DDoS detection, trace back and mitigation in consecutive steps. For attack detection, a Back Propagation Neural Network (BPNN) is used, and for attack trace back, a lightweight trace back mechanism is employed that takes advantage of the results from the BPNN in the previous step by analyzing flow statistics. In the attack mitigation step, attack flows are blocked by inserting new flow entries at the ingress port of the edge switch in the network that drop attack packets, and malicious flow entries are cleaned up. Overall, the existing system is a complete package of DDoS defense in SDN that concentrates on detecting the attack as soon as possible. SD-Anti-DDoS, the existing system, uses the OpenFlow communication protocol between the controller and the forwarding plane.

3.3 COLLECTING FLOW ENTRIES

In order to detect an attack and trace back the attack path, having flow information of packets from each switch is essential. Periodically, the flow entries in each switch managed by the controller are snapshotted and stored in the controller for further analysis. The flow entry log is used for identifying any malicious traces in incoming packet flows. The template of a flow entry is shown in figure 3.2, with which the core aspects required for DDoS defense and the features of packets can be distinguished.

Figure 3.2: Architecture of a generic flow entry

Header fields contain the characteristics of the incoming packet flow. Counters refer to the number of packets that have arrived up to the time of the recorded flow entry. Actions represent whether to forward or to drop the packet flow in future.

3.4 EXTRACTING FEATURES FROM FLOW ENTRIES

Specific DDoS attacks like SYN flood and UDP flood contain a very large number of packets of a particular protocol with certain attributes set to the same values, making the target keep listening or responding to these packets, which leads to unavailability of the service for legitimate users. In such scenarios, monitoring particular attribute values in flow entries is enough to mount a defense. Selecting the appropriate attributes that constitute a particular attack type is important in detecting the attack correctly. Based on the service provided by the target system, the types of DDoS attack that remain big threats are identified and the corresponding features are extracted from flow entries as a dataset to train the neural network in the next step.

Table 3.1 Attacks and features

Attack type              | Protocol | Flag/port                                          | Packet size (in bytes)
TCP SYN flood            | TCP      | Flag=40                                            | Randomized
SQL slammer worm attack  | UDP      | Des. Port =1434                                    | 371-400
DNS amplification attack | DNS      | Des. Port =53                                      | 60
Ping of Death            | IP       | Randomized but IP fragments are set to fake values | Exceeds 65,535
NTP attack               | NTP      | Des. Port =123                                     | 90

By observing the values of specific packet attributes in the above table, extracting features from flow entries can be understood. For example, in order to identify a TCP SYN flood attack, the protocol type and flag values are extracted from flow entries and analyzed.

3.5 BACK PROPAGATION NEURAL NETWORK TRAINING

With a neural network, the attack detection mechanism can classify benign flow entries generated by normal traffic and malicious flow entries generated by DDoS attack traffic. The information of a flow entry is obtained by the controller, then the Eigen values of this flow entry are extracted and sent to the trained neural network to classify whether it is malicious. Consequently, attack detection can be broadly divided into two steps: the neural network model training stage and the real-time detection stage. Once the system starts, the neural network is trained first. The dataset is made in advance for training. At the beginning, a set of features of malicious attack traffic and benign traffic is collected. The corresponding target values of malicious attack and benign traffic are then assigned different values (that is, zero represents benign traffic and one represents a malicious attack). Subsequently, the extracted flow features and the corresponding target values are combined to form the training dataset. When the system starts, the training dataset is read from the txt file and used to train the neural network. Thus, the neural network model can be built by using the extracted feature parameters as the input parameters of the neural network and taking the target values as the output parameters.
In SD-Anti-DDoS, BPNN is used as the classification algorithm. In order to overcome detection errors caused by the variety of packets in the network, a threshold-based detection method is also introduced in the detection. The following characteristic values are used as the input parameters of the neural network: number of packets matched by each flow entry, number of bytes matched by each flow entry, survival time of each flow entry, packet rate of each flow entry and byte rate of each flow entry. These features are the Eigen values of a flow entry. They can be extracted from the flow statistics message received by the controller. Using these features, the BPNN is able to classify the network traffic. The BPNN model used in the existing system is built with the following parameters: one input layer, one hidden layer and one output layer. The number of neurons in the input layer is five, the number of neurons in the hidden layer is ten, and the number of neurons in the output layer is one.

3.6 DETECTING DDoS ATTACK BY BPNN

In the real-time detection stage, all flow entries of each switch are acquired first. After the controller receives the flow statistics message about flow entries sent by the switch, the flow stats message is parsed. The flow entries in that message are processed one by one. At first, the Eigen values of a flow entry, including the number of packets matched by the flow entry, the number of bytes matched by the flow entry, the survival time of the flow entry, the packet rate of the flow entry and the byte rate of the flow entry, are extracted. Then the extracted Eigen values are passed to the BPNN to determine whether the flow entry is benign or malicious. Meanwhile, the classification result is stored in an array to avoid repeated processing in the trace back state. If the flow entry is considered malicious, its destination IP address is parsed and appended to an array (attack_dst_store_list). After that, if the number of malicious flow entries reaches the predefined upper limit, a DDoS attack alert is generated first. Subsequently, the processing of the flow statistics message is stopped. At last, the attack destination is found by searching for the address with the maximum number of occurrences in attack_dst_store_list. However, if the flow entry is considered benign or the number of malicious flow entries is less than the predefined upper limit, the next flow entry is processed. The systematic flow of these steps can be seen in figure 3.3.

Figure 3.3 Workflow of attack detection



3.7 DDoS ATTACK TRACE BACK AND MITIGATION

Figure 3.4 Workflow of attack trace back

The usual mechanism deployed for packet trace back in SDN is mainly based on matching the header fields of the packet with the correlative flow entries, which needs a large number of comparisons of flow entries with packets in the scenario of a widespread DDoS attack. In the existing system, in order to react more quickly to an attack, an attack trace back method correlated with the attack detection method is proposed to trace the DDoS attack source switch. In the detection stage, the analysis results of flow statistics messages are stored in an array and sent to the trace back module. Based on the results analyzed by the attack detection module and the topology known by the controller, the attack trace back module continues to analyze the flow statistics message to find the attack source switch. The attack trace back method is described in detail as follows. Once the attack detection module detects the existence of a DDoS attack, the system steps into the trace back state. The trace back module is the main component of the trace back state. As the main module for determining whether a switch is in the attack path, it utilizes the same trained BPNN model used in attack detection to get the result. After the switches in the attack path are successfully found, the whole attack path, in the order that the attack traffic passes, is located using the combination of the network topology, the attack destination and the marked switches.

Figure 3.5 Architecture of blocking flow entry

As shown in figure 3.4, the number of malicious flow entries and benign flow entries of each switch is recorded. Then the total number of flow entries and the proportion of malicious flow entries are calculated. Based on the number and proportion of malicious flow entries in each switch, it is determined whether the switch is located on the attack path. If the number of malicious flow entries is over a predefined upper limit or the proportion of malicious flow entries is higher than the predefined value, the switch is marked as a malicious switch which is on the attack path. Otherwise, it is marked as a benign switch. Using the combination of the global network topology, the attack destination and the marked malicious switches, the accurate attack path, in the order that the attack traffic passes, is found.
After the attack path and the attack source switch are identified, the attack mitigation module starts. The most important task of the attack mitigation module is blocking the attack traffic. After the attack traffic is successfully blocked, huge numbers of malicious flow entries generated by the attack still exist in the switches. Those flow entries are useless and waste storage space in the switches. Therefore, after blocking the attack traffic, the malicious flow entries are deleted to release the occupied storage space. Using controller-to-switch messages to insert flow entries with the highest priority (65,535) into the flow table of the switch which is marked as the attack source switch, the attack block module tries to stop the attack traffic. Those flow entries are called blocking flow entries. From the structure of a blocking flow entry shown in figure 3.5, it can be understood that the attack destination address is assigned as the IP destination address and the ingress port of the attack traffic is assigned as the ingress port of the flow entry's header fields. Meanwhile, the Drop action is used to block the malicious attack traffic.
After the blocking flow entry has been inserted into the attack source switch, the attack traffic arriving through the ingress port is matched against the blocking flow entry and thus directly discarded. Therefore, attack mitigation is achieved. Once the block strategy is executed successfully, the attack traffic is blocked. But a huge number of flow entries still exist in the switches that are on the attack path. Therefore, the flow table modification message (OFPFC_DELETE message) is used to delete the flow entries which are marked as malicious.
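The detection, trace back and mitigation steps of sections 3.5 to 3.7 as one added example (not SD-Anti-DDoS code); the flow statistics records are constructed, the field names are assumed, and a packet-rate rule stands in for the trained BPNN, since the page gives no trained model.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class FlowStat:
    """One flow entry from a flow statistics message (field names assumed)."""
    switch: str
    in_port: int
    dst_ip: str
    packets: int
    byte_count: int
    duration_sec: float


Features = Tuple[int, int, float, float, float]


def eigen_values(f: FlowStat) -> Features:
    """The five BPNN inputs: packets matched, bytes matched, survival time,
    packet rate and byte rate of the flow entry."""
    age = f.duration_sec if f.duration_sec > 0 else 1e-9   # guard just-installed entries
    return (f.packets, f.byte_count, f.duration_sec, f.packets / age, f.byte_count / age)


def rate_rule(features: Features) -> bool:
    """Stand-in for the trained BPNN (assumption): an entry with a packet rate
    above 1000 packets per second is classified as malicious."""
    return features[3] > 1000.0


def detect(flows: List[FlowStat], classify: Callable[[Features], bool],
           upper_limit: int) -> Tuple[bool, str, Dict[int, bool]]:
    """Detection stage: classify entries one by one, cache the verdicts, and stop as soon
    as the malicious count reaches upper_limit. Returns (alert, attack_dst, cache), where
    attack_dst is the most frequent destination in attack_dst_store_list."""
    attack_dst_store_list: List[str] = []
    cache: Dict[int, bool] = {}
    for i, f in enumerate(flows):
        cache[i] = classify(eigen_values(f))
        if cache[i]:
            attack_dst_store_list.append(f.dst_ip)
            if len(attack_dst_store_list) >= upper_limit:
                return True, Counter(attack_dst_store_list).most_common(1)[0][0], cache
    return False, "", cache


def trace_back(flows: List[FlowStat], classify: Callable[[Features], bool],
               cache: Dict[int, bool], max_count: int, max_ratio: float) -> Dict[str, bool]:
    """Trace back stage: finish classifying with the same model (reusing cached verdicts),
    then mark a switch as on the attack path when its malicious entries exceed max_count
    or their proportion of all its entries exceeds max_ratio."""
    malicious, total = Counter(), Counter()
    for i, f in enumerate(flows):
        if i not in cache:
            cache[i] = classify(eigen_values(f))
        total[f.switch] += 1
        malicious[f.switch] += int(cache[i])
    return {sw: malicious[sw] > max_count or malicious[sw] / total[sw] > max_ratio
            for sw in total}


def blocking_entries(flows, cache, marked, attack_dst) -> List[dict]:
    """Mitigation: one highest-priority (65,535) entry per (marked switch, ingress port)
    carrying attack traffic, matching the attack destination, with no actions (Drop)."""
    ports = sorted({(f.switch, f.in_port) for i, f in enumerate(flows)
                    if cache[i] and marked[f.switch] and f.dst_ip == attack_dst})
    return [{"switch": sw, "priority": 65535,
             "match": {"in_port": port, "ipv4_dst": attack_dst}, "actions": []}
            for sw, port in ports]


def delete_messages(flows, cache) -> List[dict]:
    """Clean-up: an OFPFC_DELETE for every entry still marked malicious."""
    return [{"switch": f.switch, "command": "OFPFC_DELETE",
             "match": {"in_port": f.in_port, "ipv4_dst": f.dst_ip}}
            for i, f in enumerate(flows) if cache[i]]


# Constructed flow statistics (not from the thesis): s1 carries two flood entries towards
# 10.0.0.9, s2 only normal traffic, s3 one flood entry among four entries.
FLOWS = [
    FlowStat("s1", 1, "10.0.0.9", 5000, 200000, 2.0),
    FlowStat("s1", 2, "10.0.0.9", 4000, 160000, 2.0),
    FlowStat("s1", 3, "10.0.0.5", 100, 60000, 10.0),
    FlowStat("s2", 1, "10.0.0.5", 80, 50000, 10.0),
    FlowStat("s2", 2, "10.0.0.7", 120, 90000, 12.0),
    FlowStat("s3", 1, "10.0.0.9", 3000, 120000, 1.0),
    FlowStat("s3", 2, "10.0.0.5", 90, 40000, 9.0),
    FlowStat("s3", 3, "10.0.0.7", 70, 30000, 8.0),
    FlowStat("s3", 4, "10.0.0.8", 60, 20000, 7.0),
]


def run_pipeline(flows=FLOWS, upper_limit=2, max_count=2, max_ratio=0.5):
    """Run detection, trace back and mitigation; returns every intermediate result."""
    alert, attack_dst, cache = detect(flows, rate_rule, upper_limit)
    if not alert:
        return alert, attack_dst, {}, [], []
    marked = trace_back(flows, rate_rule, cache, max_count, max_ratio)
    return (alert, attack_dst, marked,
            blocking_entries(flows, cache, marked, attack_dst), delete_messages(flows, cache))
```

With these constructed flows, s3 holds a malicious entry but at one in four is not marked, which is the proportion-based gap listed under the drawbacks in section 3.8.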

3.8 DRAWBACKS OF THE EXISTING SYSTEM

Following are the drawbacks identified in the existing system.
• Training neural networks with previous attack datasets is not suitable for detecting generic attacks.
• Attack trace back uses the proportion of malicious flow entries to total flow entries to mark the attack path, which may miss switches that are under a low-rate attack.
• In attack mitigation, the switches controlled by the controller that detected the DDoS attack are inserted with blocking flow entries, whereas a nearby network with its own controller and set of switches has to perform the same defense steps again to recover itself from the attack.

3.9 SUMMARY

In this chapter, the components of the existing system and the mechanisms involved in the system are explained in detail. Managing flow entries on switches by the controller, deciding on forwarding or blocking flow entries, and the DDoS attack detection, trace back and mitigation process in SDN are described. Though the existing system can detect specific DDoS attacks efficiently using neural networks, it has the downside of overlooking generic attacks, which will bring a huge loss if left undetected.

CHAPTER 4

PROPOSED SYSTEM

4.1 INTRODUCTION

DDoS defense involves attack detection, trace back and mitigation. Though each step is critical to defend against the attack promptly and correctly, detection of the attack is the most crucial. If detection has gone wrong or is incomplete, there is no use in performing trace back and mitigation further. The existing system has the downside of not addressing the issue of identifying generic DDoS attacks. Moreover, identifying generic attacks by comparing attack signatures from previous attacks is difficult and not effective, as the current attack packets can hold attribute values randomized in a way that is very different from the attack signatures in datasets, and it gives poor results when applied in a dynamic, programmable SDN. This liability leads to the necessity of determining an attack based on recent behavior and the current traffic flow in the network, rather than using attack signatures collected from various sites. Attack signatures are useful only when the attack is specific. A collaborative approach is proposed to detect generic attacks in the dynamic SDN environment. The collaborative approach makes all nodes in a network learn by co-operation and decide about attack filters. By this approach, a proactive response to an attack can be made, rather than reacting after the attack.

4.2 NOMINAL PROFILE AND CURRENT PROFILE CREATION

In order to learn co-operatively, each node (or switch, in the case of SDN) in the network must share the packet flow information it has with the other nodes in the network. Generically, a node can be either an intermediate forwarding device or an end host. If learning needs to be efficient and quick, the format of the data being shared must be common and organized, resulting in the maintenance of profiles at each node. To identify any attack signatures in the current packet flow, analyzing it against the recent past flow information is necessary. So, profiles are split into nominal and current profiles. The nominal profile of a switch for a time period contains flow entries that were recorded during a non-attack period. The current profile contains flow entries that are recorded at the current time and are yet to be classified as benign or malicious packet flow. Creating nominal and current profiles in SDN is easy using the flow entries of each switch. Profile and flow entry mean the same information, that is, packets grouped by similar attribute values along with their count and the time of existence of the flow. There are single profiles and pair profiles. Single profiles have a single packet attribute with all its possible values and the number of packets with each attribute value. Pair profiles have a combination of two attributes and the number of packets with both attribute values occurring together [17].

Table 4.1 Pair nominal profile

TTL | Destination Port number | Number of packets or counter
48  | 25                      | 15
48  | 53                      | 25
48  | 80                      | 10
50  | 80                      | 30
…   | …                       | …

Table 4.2 Single nominal profile

Protocol name | Number of packets
TCP           | 85
DNS           | 10
UDP           | 4
NTP           | 1
…             | …

In Table 4.1, a sample pair nominal profile is shown, which has recorded packets that had a combination of TTL value and destination port number, along with their count. Similarly, in Table 4.2 and Table 4.3, single attributes of a packet are recorded along with their count. The format of the nominal and current profiles remains the same to ease comparison. Traditionally, profiles do not contain the total duration of a packet flow, but logging the time duration is simple in SDN switches.

Table 4.3 Single current profile

Protocol name | Number of packets
TCP           | 185
DNS           | 17
UDP           | 8
NTP           | 1
…             | …

For an extensive analysis, six single profiles and a pair profile are taken from each switch. As the number of pair profiles would come to fifteen if all pair combinations of six attributes were taken, only one pair profile is taken from each switch. Single profiles have attributes like IP address, port number, protocol type, packet size, TTL value and TCP flag. Each switch keeps a different pair profile, that is, attribute combinations vary randomly from switch to switch. In this way profile information is collected traditionally. In order to improve the accuracy of detection, the number of single profiles (attributes) and pair profiles (attribute combinations) can be varied accordingly, taking the space constraints of the switch into account.

4.3 PACKET SCORE AND THRESHOLD COMPUTATION

The proposed method attempts to detect attacks by assigning a score to each kind of packet flow and discriminating attack flow based on the score values. The score for each packet flow (attribute or attribute pair with specific values) is calculated from the number of packets recorded in the corresponding nominal and current profiles. In the case of flooding attacks, calculating scores for packets with respect to every attribute pair is meaningless, as an attack mostly involves only certain attributes, and even in randomized generic attacks not all attributes are randomized. So it is enough to calculate the score of packets with respect to the attributes that contribute to the attack. Of course, the attributes contributing to a flooding attack can vary and cannot be predicted beforehand. But by monitoring flow statistics, attributes or attribute pairs that show a drastic variation in packet count can be identified, and chances are high that these most deviating packet flows contribute to the flooding attack.
In each switch, six single nominal profiles and six single current profiles are recorded with six predefined packet attributes. By comparing the count variation between single nominal and current profiles (the count of packets having the same attribute value in the current profile tends to be much higher than in the nominal profile, i.e. the attack-free period), the most deviating attributes can be found. Of the six attributes arranged in descending order of packet count variation, the first two attributes are chosen as the suspicious pair. This attribute pair is suspicious only with respect to the current switch from which it is chosen. Confirming that this pair has deviated much from the nominal profile values in other switches assures that this pair contributes to the flooding attack, and this is the collaborative approach. After confirmation with other switches, if the pair remains suspicious, it is termed the score pair. With respect to the score pair attributes of each switch, each incoming packet flow is scored and judged for attack flow.
Comparing suspicious pair deviation and selecting it as score pair is done
using following steps.
1. Let S be the current switch and S’, S’’ and S’’’ represent the switches at the first, second and third hops from S. Let A, B, C, D, E, F represent the six different attributes taken for profiling.
2. Each of these switches has six single nominal profiles (SNP), six single current profiles (SCP) and a pair nominal profile (PNP). The pair current profile (PCP) is generated only after determining the ScorePair of the switch.
3. Packet count variation between the SCP and SNP of the same switch (say S) yields the suspicious pair of S as S(D,F), where D and F are the attributes, among the six, that deviate most in the current profile when compared with the nominal profile.
4. If D and F were the randomly chosen attributes for pair nominal profiling in S, S(D,F) is said to be the ScorePair of S.
5. If D and F were not chosen for pair profiling in S, then the pair profiles of S’, S’’, S’’’ are taken in order and attribute matching is checked until the ScorePair of S is found.
6. If none of the pair profiles of S’, S’’, S’’’ have D and F as their pair profile attributes, the own pair of S (the attribute pair taken for pair profiling) is considered to be the ScorePair of S.
By following the above steps, the ScorePair of every switch is found. Based on the ScorePair attributes, pair current profiles (ScorePCP) are generated at each switch. Each packet's score is calculated from the corresponding ScorePNP value. If the ScorePair is determined as A and B, then a packet p with attribute values A = a_p and B = b_p has the score S_p given by

$$S_p = \frac{\mathrm{ScorePCP}(a_p, b_p) / \mathrm{TPCP}}{\mathrm{ScorePNP}(a_p, b_p) / \mathrm{TPNP}} \qquad (4.1)$$

where
ScorePCP(a_p, b_p) is the number of packets in the current profile that have the value a_p for attribute A and b_p for attribute B,
ScorePNP(a_p, b_p) is the number of packets in the nominal profile that have the value a_p for attribute A and b_p for attribute B,
TPCP is the total number of packets in the current profile, and
TPNP is the total number of packets in the nominal profile.

The score of a packet is compared with a threshold Th. All scores are stored in a ScoreList, and the threshold Th is determined from the cumulative distribution of the scores: symbolically, CDF(Th) = φ, where φ is the ratio of traffic that should be dropped. The fraction of traffic permitted to pass is 1 - φ = Φ / ψ, where Φ is the acceptable traffic and ψ is the total current incoming traffic.

Each packet's score is compared with the threshold. If it exceeds the threshold, the packet is considered malicious and discarded; otherwise it is forwarded to the destination.

4.4 BLOCK DIAGRAM

Figure 4.1 Packet Score calculation by Collaborative approach

Figure 4.1 shows the working of the proposed system. OPNP1, OPNP2 and OPNP3 refer to the own pair nominal profiles maintained in switches S, S' and S'' respectively. This workflow describes what is done within one controller's area. When controllers are allowed to share attack information, the attack can be blocked at nodes that are immediate neighbours of the zombies. Once a packet flow is determined to be malicious, tracing back the attack path is simple, because the attack information has already been shared. Mitigation is done by inserting corresponding blocking flow entries in the switches located nearest to the attack source.

4.5 ADVANTAGES OF PROPOSED SYSTEM

The following are the advantages of implementing the proposed system:

• The proposed system employs a collaborative approach in which all switches in the network share packet flow information, resulting in early detection of the attack, close to the attack source.
• This approach greatly reduces the spread of the attack.
• Blocking flow entries at the edge or egress switches serve as the best filters for preventing the attack.

4.6 SUMMARY

In this chapter, the way in which the proposed system overcomes the drawback of not detecting generic attacks in SDN is explained, and the steps carried out in the collaborative approach are detailed. Sharing packet flow information proves very useful in solving hard problems such as flooding attacks, for which the defense effort of a single system is not enough.

CHAPTER 5

IMPLEMENTATION ENVIRONMENT

5.1 INTRODUCTION

Among the three steps of DDoS defense, the current work focuses on attack detection, which is performed by two different approaches in the existing and proposed systems. In the existing system, a neural network is used to detect attack flows; it is implemented in the R language in RStudio. In the proposed system, the collaborative approach is implemented in a virtualized SDN environment using the Mininet emulator, which supports the Python language [23]. Packet flow data is collected from the traffic data repository maintained by the MAWI Working Group of the WIDE Project [15]. The WIDE Project uploads 15-minute traffic traces on a daily basis, in packet capture format, each containing approximately 65 million to 95 million packets.

5.2 MODULES

The following are the module-wise implementations of the existing and proposed systems.

5.2.1 COLLECTING NETWORK DATA

A 15-minute data trace, containing information about more than 50 million packets and amounting to gigabytes of data, is taken and split into packet capture files of around 10 megabytes each, a size suitable for processing. The fields in the data trace file are Time, Source, Destination, Protocol, Length and Info.
• Time – time at which the packet information is recorded in a switch
• Source – source IP address of the packet
• Destination – destination IP address of the packet
• Protocol – protocol that the packet belongs to
• Length – packet size in bytes
• Info – protocol-specific information such as TTL, echo message, sequence number of the packet for acknowledgement, TCP SYN
Of the above fields, the first five are taken for preprocessing the data into flow entry format, as the Info field content is not required for training the neural network. Table 5.1 shows a sample of the network data.
Table 5.1 Sample of Network Data
Time Source Destination Protocol Length
0 203.76.245.95 103.77.143.234 TCP 1514
0.000019 203.76.245.95 103.77.143.234 TCP 1514
0.000023 203.76.235.238 149.237.40.255 ICMP 60
0.000059 203.76.235.238 187.59.20.14 ICMP 60
0.00007 123.33.206.156 203.76.235.238 ICMP 60
0.00009 203.76.235.238 212.135.42.125 ICMP 60
0.000165 203.76.235.238 108.123.45.14 ICMP 60
0.000166 203.76.235.238 171.43.189.241 ICMP 60
0.000181 203.76.235.238 108.123.45.14 ICMP 60
. . . . .
. . . . .
. . . . .

5.2.2 CREATING FLOW ENTRIES

From the five fields taken for data preprocessing, flow entries are constructed by counting the packet instances that share a source IP address, a destination IP address, a protocol and a length. The time of a flow entry is the difference between the time records of the last and the first packet instance of the flow. The byte count of a flow entry is the sum of the bytes of every packet belonging to the flow. In addition, the number of bytes received per second and the number of packets received per second are calculated from the packet count and the byte count of the flow over its time of flow entry.

Table 5.2 Flow entry creation

S.No.  Time of flow entry  Packet count  Byte count  Bytes per second  Packets per second  Attack
1 0.002002 9 13626 4495.504 0.650741 1
2 0.000023 1 60 43478.26 0.249418 1
3 0.000059 1 60 16949.15 0.097231 0
4 0.00007 1 60 14285.71 0.081952 0
5 0.00009 1 60 11111.11 0.06374 0
6 0.001073 10 15140 9319.664 1.349057 1
7 0.000441 1 60 2267.574 0.013008 0
8 0.000442 1 60 2262.443 0.012979 0
. . . . . . .
. . . . . . .
. . . . . . .

A sample of flow entries is shown in Table 5.2, in which the 'Attack' field indicates whether the flow entry contributes to an attack. A flow entry is determined to be malicious or flooding if its packet rate and byte rate are greater than the average packet rate and byte rate, respectively, of the flow entries recorded in the switch. The resulting table of flow entries is used to train a back propagation neural network in the next stage, for classifying forthcoming packet flows as flooding or benign.
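As an added example (not the project's own R script), the flow entry construction and attack labelling described above, written in Python and run on a few constructed packet rows in the page's five-field layout. The zero-duration case of a single-packet flow, which the description leaves open, is handled by leaving its rates at 0 (an assumption made here).

```python
"""Flow entry creation from packet records (added example, not the project's R script).

Input rows carry the five fields kept for preprocessing: Time, Source, Destination,
Protocol, Length. Packets sharing (Source, Destination, Protocol, Length) form one
flow entry. The sample rows below are constructed, not taken from a MAWI trace.
"""
import csv
import io
from statistics import mean

SAMPLE_CSV = """Time,Source,Destination,Protocol,Length
0,203.0.113.5,198.51.100.7,TCP,1514
0.000019,203.0.113.5,198.51.100.7,TCP,1514
0.000023,203.0.113.8,198.51.100.9,ICMP,60
0.000059,203.0.113.8,198.51.100.10,ICMP,60
0.000070,203.0.113.5,198.51.100.7,TCP,1514
0.000090,203.0.113.8,198.51.100.11,ICMP,60
0.000165,203.0.113.5,198.51.100.7,TCP,1514
0.100000,203.0.113.20,198.51.100.7,TCP,1514
0.600000,203.0.113.20,198.51.100.7,TCP,1514
"""


def build_flow_entries(csv_text):
    """Group packets into flow entries and derive the per-flow fields of Table 5.2."""
    flows = {}  # (src, dst, proto, len) -> list of packet timestamps, in file order
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Source"], row["Destination"], row["Protocol"], int(row["Length"]))
        flows.setdefault(key, []).append(float(row["Time"]))
    entries = []
    for (src, dst, proto, length), times in flows.items():
        duration = max(times) - min(times)      # last packet minus first packet
        packet_count = len(times)
        byte_count = packet_count * length      # every packet of a flow has the same length
        # Assumption: a single-packet flow has zero duration, so no rate can be
        # estimated from it; both rates are left at 0 instead of dividing by zero.
        packet_rate = packet_count / duration if duration > 0 else 0.0
        byte_rate = byte_count / duration if duration > 0 else 0.0
        entries.append({"src": src, "dst": dst, "proto": proto, "len": length,
                        "time_of_flow_entry": duration, "packet_count": packet_count,
                        "byte_count": byte_count, "packet_rate": packet_rate,
                        "byte_rate": byte_rate})
    return entries


def label_attack(entries):
    """Flag a flow (attack = 1) when both its packet rate and its byte rate exceed
    the average over all flow entries recorded at the switch."""
    avg_packet_rate = mean(e["packet_rate"] for e in entries)
    avg_byte_rate = mean(e["byte_rate"] for e in entries)
    for e in entries:
        e["attack"] = int(e["packet_rate"] > avg_packet_rate
                          and e["byte_rate"] > avg_byte_rate)
    return entries


if __name__ == "__main__":
    for entry in label_attack(build_flow_entries(SAMPLE_CSV)):
        print(entry)
```

On the sample rows, only the four-packet TCP flow from 203.0.113.5, whose 165 µs burst gives rates far above the averages, is flagged; the slow two-packet flow and the single ICMP packets are not.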

5.2.3 BPNN CLASSIFICATION

Back Propagation Neural Network (BPNN), also known as the error back propagation algorithm, consists of two processes: forward propagation of the computed information and backward propagation of the error information. A BPNN model contains three layers: an input layer, a hidden layer and an output layer, each with one or more neurons. In the input layer, each neuron is responsible for receiving input information and passing it on to each neuron of the middle layer.

Figure 5.1 Sample of BPNN trained with flow entry table

Table 5.3 Comparison of actual and predicted attack status for a set of flow
entries
Actual attack status given for test data    Predicted attack status by BPNN
0 0.00003022188527
1 1.18415214621660
0 0.01522612634656
0 -0.00284071561286
0 -0.00672242836680
0 -0.00652079488739
0 -0.00586295472040
0 -0.00568238367241
0 -0.00472990867619

The middle layer is the internal information processing layer, responsible for the computation. It can be designed as a single hidden layer or as multiple hidden layers, depending on the required sensitivity. The computed information is forwarded from the neurons of the last hidden layer to each neuron of the output layer. If the actual output matches the expected output, or the number of training iterations reaches the upper limit, the result is output. Otherwise, error back propagation is started: the weights of each layer are adjusted according to the gradient descent algorithm. This process continues until the network output error is reduced to an acceptable level or the number of training iterations reaches the predefined upper limit.
Figure 5.1 shows the set of inputs given to the neural network, with a hidden layer of ten neurons, and the output obtained as the attack status, together with the bias values for every neuron in the hidden layer and the output neuron. Table 5.3 compares the actual attack status with the attack status predicted by the BPNN.

5.2.4 PROFILE CREATION

To detect generic attacks that do not fall into a category defined by a fixed set of packet attributes, the collaborative approach compares the packet flow characteristics of the attack-free period of the network (or of a particular target) with those of the suspicious period. Nominal profiles are created by collecting single attribute and attribute pair information, along with packet counts, from the flow entries recorded in the switches during the attack-free period. Current profiles record the single attribute and attribute pair information of the packet flow in the current period. For the comparison, a score for every packet of every packet flow is computed from the nominal and current profile statistics and compared with a predetermined threshold to discriminate attack flows from benign flows.
Profile creation from flow entries is done in a deciding module attached to the SDN controller. The score list of packets and the threshold computation are done in the controller support module. This keeps the burden off the controller and leaves the switches as pure packet forwarding devices, which results in a cost-effective yet manageable dynamic system with an appropriate DDoS defense mechanism.

5.2.5 PACKET SCORE AND THRESHOLD COMPUTATION

The score of every packet is calculated as the ratio of the number of packets of its kind of packet flow in the current profile to that in the nominal profile; Sp is calculated by formula 4.1. After collecting all packet scores in a list, the threshold value is obtained by applying the cumulative distribution function to the list of values.
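The following added example (written for this page; it is not the project's own script) implements the collaborative ScorePair selection of steps 1 to 6 in Chapter 4, formula 4.1 and the CDF threshold described here, on constructed traffic: switch S, whose own pair is (src, dst), sees a spoofed ICMP flood; its suspicious pair (proto, dst) matches the pair profiled by its one-hop neighbour S', so S scores its packets against S'’s pair nominal profile. Th is taken as the score above which the top φ fraction of the ScoreList lies, so that a ratio φ of the traffic is dropped; switch names, addresses, the borrowing of a neighbour's PNP and the infinite score for a pair value absent from the nominal period are assumptions made here.

```python
"""Collaborative Packet Score filtering (added example, not the project's script).
A packet is a dict keyed by the six profiled attributes; a Switch holds its
attack-free (nominal) packets, its current packets and the attribute pair it
profiles. All traffic below is constructed, not taken from the MAWI traces."""
from collections import Counter
from dataclasses import dataclass
import math

ATTRIBUTES = ("src", "dst", "proto", "len", "src_port", "dst_port")

@dataclass
class Switch:
    name: str
    own_pair: tuple   # attribute pair chosen for this switch's pair nominal profile
    nominal: list     # packets recorded in the attack-free period
    current: list     # packets of the period under inspection

def single_profiles(packets):
    """Single profiles (SNP/SCP): for each attribute, value -> packet count."""
    return {a: Counter(p[a] for p in packets) for a in ATTRIBUTES}

def pair_profile(packets, pair):
    """Pair profile (PNP/PCP): (value_a, value_b) -> packet count."""
    a, b = pair
    return Counter((p[a], p[b]) for p in packets)

def suspicious_pair(snp, scp):
    """Step 3: an attribute's deviation is the largest count increase of any one
    of its values from nominal to current; the two most deviating form the pair."""
    dev = {a: max((scp[a][v] - snp[a].get(v, 0) for v in scp[a]), default=0)
           for a in ATTRIBUTES}
    ranked = sorted(ATTRIBUTES, key=lambda a: dev[a], reverse=True)
    return tuple(ranked[:2])

def select_score_pair(s, neighbours):
    """Steps 4-6; neighbours are S', S'', S''' in hop order. Returns the ScorePair
    and the switch whose pair nominal profile (PNP) is used for it (assumption:
    S borrows a neighbour's PNP when it has not profiled that pair itself)."""
    sp = suspicious_pair(single_profiles(s.nominal), single_profiles(s.current))
    if set(sp) == set(s.own_pair):
        return s.own_pair, s                       # step 4: own pair matches
    for n in neighbours:                           # step 5: check S', S'', S'''
        if set(n.own_pair) == set(sp):
            return n.own_pair, n
    return s.own_pair, s                           # step 6: fall back to own pair

def packet_scores(s, pair, pnp_owner):
    """Formula 4.1: Sp = (ScorePCP(ap,bp) / TPCP) / (ScorePNP(ap,bp) / TPNP)."""
    score_pnp, tpnp = pair_profile(pnp_owner.nominal, pair), len(pnp_owner.nominal)
    score_pcp, tpcp = pair_profile(s.current, pair), len(s.current)
    a, b = pair
    scores = []
    for p in s.current:
        key = (p[a], p[b])
        nominal_share = score_pnp.get(key, 0) / tpnp
        current_share = score_pcp[key] / tpcp
        # Assumption: a pair value never seen in the nominal period scores +inf
        # (the page's script simply skips such packets instead).
        scores.append(current_share / nominal_share if nominal_share else math.inf)
    return scores

def threshold(scores, phi):
    """CDF(Th) = phi with phi the ratio of traffic to drop: Th is the score above
    which the top phi fraction of the ScoreList lies, so that 1 - phi passes."""
    ordered = sorted(scores)
    n_drop = round(len(ordered) * phi)
    return ordered[max(0, len(ordered) - n_drop - 1)]

def filter_traffic(s, neighbours, phi):
    """Score every current packet of s; packets whose score exceeds Th are dropped."""
    pair, owner = select_score_pair(s, neighbours)
    scores = packet_scores(s, pair, owner)
    th = threshold(scores, phi)
    kept = [p for p, sc in zip(s.current, scores) if sc <= th]
    dropped = [p for p, sc in zip(s.current, scores) if sc > th]
    return pair, th, kept, dropped

def pkt(src, dst, proto, length, sport, dport):
    """Constructed packet record (hypothetical addresses)."""
    return dict(zip(ATTRIBUTES, (src, dst, proto, length, sport, dport)))

def benign(n):
    """Ordinary TCP/443 traffic spread over five sources and four destinations."""
    return [pkt(f"10.0.0.{i % 5}", f"10.0.1.{i % 4}", "TCP", 1514, 40000 + i, 443)
            for i in range(n)]

def icmp_flood(n):
    """Spoofed-source ICMP flood at one destination: src, len and ports all vary."""
    return [pkt(f"192.0.2.{i}", "10.0.1.1", "ICMP", (60, 64, 100)[i % 3], i, i % 3)
            for i in range(n)]

def demo(phi=0.6):
    s = Switch("S", ("src", "dst"), benign(40), benign(20) + icmp_flood(30))
    s1 = Switch("S'", ("proto", "dst"), benign(40), benign(40))   # one hop from S
    return filter_traffic(s, [s1], phi)

if __name__ == "__main__":
    pair, th, kept, dropped = demo()
    print(f"ScorePair={pair} Th={th:.3f} kept={len(kept)} dropped={len(dropped)}")
```

With φ = 0.6 the 20 benign packets score 0.4 (their share of the current period halved relative to the nominal one) and the 30 flood packets score +inf, so Th = 0.4 and exactly the flood is discarded.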

5.3 SUMMARY

Methodologies for implementing each module are discussed in this chapter. The DDoS detection part of the existing system is implemented in the R language, and its results will be compared with those of the collaborative approach implemented in a virtualized SDN created using Mininet.

CHAPTER 6

RESULTS AND INFERENCES

6.1 EVALUATION METRICS

The following evaluation metrics are used to evaluate the results obtained from the existing and proposed systems.

Table 6.1 Evaluation factors

Factors          Description
True Positive    Number of packets classified as attack that actually contribute to attack
True Negative    Number of packets classified as normal that are actually benign
False Positive   Number of packets classified as attack that are actually benign
False Negative   Number of packets classified as benign that actually contribute to attack

6.1.1 PRECISION (PN)

It refers to the percentage of the forwarded packets that were legal.

6.1.2 RECALL (RL)

It denotes the percentage of the legal packets that were forwarded to the destination.

6.1.3 TRUE NEGATIVE RATE (TNR)


TNR is the percentage of the attack packets that were dropped.

6.1.4 NEGATIVE PREDICTED VALUE (NPV)


NPV displays the percentage of the dropped packets that were actually
attack packets.

6.1.5 F-MEASURE (FM)


This metric combines precision and recall and deals with the system's success regarding legal packets. It is the harmonic mean of precision and recall.

6.1.6 F-MEASURE COMPLEMENT (FMC)


As opposed to the F-measure, it deals with the system's success on attack packets. This metric combines the true negative rate and the negative predicted value; it is the harmonic mean of these two metrics.

6.2 RESULTS

Network logs from MAWI Lab are taken as the dataset for creating sample data. Five different samples are given to the Neural Network model and to the Packet Score method simultaneously for DDoS attack detection. After preprocessing, the data inputs for Neural Networks and Packet Score take the forms shown in Table 6.2 and Table 6.3 respectively. All five samples have the same data format. For Packet Score, the Time attribute is not given, as the method focuses only on selecting the most deviating attributes and on the packet score; the TTL value and the destination port are given additionally. In Neural Networks, TTL and destination port are not considered for training and hence are not given.

Table 6.2 Sample Input for Neural Network


Time Source Destination Protocol Length

0.000002 74.185.243.81 163.26.12.46 TCP 1486

Table 6.3 Sample Input for Packet Score


Source         Destination   Protocol  Length  Source port or TTL  Destination port

74.185.243.81  163.26.12.46  TCP       1486    443                 61107

From the precision and recall values in Table 6.4, it is evident that the Packet Score method classifies attack packets more correctly than the Neural Network model. The five samples were collected at different points in time, which accounts for the different precision and recall values in Table 6.4.

Table 6.4 Comparison of Precision and Recall for Neural Network and Packet Score method

Sample dataset  Precision (Neural Network)  Precision (Packet Score)  Recall (Neural Network)  Recall (Packet Score)
Sample 1        0.056962                    0.26924                   0.45                     0.22636
Sample 2        0.025579                    0.490737                  0.4468                   0.476156
Sample 3        0.02518                     0.327428                  0.40384                  0.97365
Sample 4        0.024631                    0.28369                   0.465116                 0.289974
Sample 5        0.064209                    0.626343                  0.981818                 0.487784

Figure 6.1 Evaluated F – Measure for NN and PS

Figure 6.2 Evaluated F – Measure Complement for NN and PS

From Figure 6.1 and Figure 6.2, the FM and FMC values can be observed. By the mean of FM, Packet Score is 33.21% better than Neural Networks at not dropping legitimate packets as attack packets. By the mean of FMC, Packet Score is 3.7% better than Neural Networks in the harmonic mean of True Negative Rate and Negative Predicted Value.

6.3 INFERENCES OBSERVED

From the results analysis, Packet Score classifies packets more correctly than neural networks: false positives and false negatives are 24 percent lower in Packet Score than in Neural Networks. The main reason for the lower rate of false predictions is that the Packet Score technique monitors the current increase in packet rate on the attributes that directly contribute to any kind of DDoS attack, whereas the Neural Network method checks the current flow only against knowledge of previous attack traces. Hence, DDoS attack detection in dynamic environments is better done with flow based methods like Packet Score than with training and testing methods like Neural Networks.

6.4 SUMMARY

Various evaluation metrics are suggested to measure extensively the accuracy of the methods employed to detect DDoS attacks. Measuring the performance of detection mechanisms in this way helps in identifying exactly where these mechanisms lag. The collaborative approach suggested in the proposed system, replacing neural networks trained on datasets, improves overall detection accuracy by 3.7 percent.

CHAPTER 7

CONCLUSION AND FUTURE WORK

7.1 CONCLUSION

For detecting DDoS attacks in an SDN environment, a flow based method that calculates a packet score for each packet from its flow characteristics is implemented, instead of training a neural network model with previous attack traces. The performance of the Neural Network and Packet Score techniques is evaluated using the measures precision, recall, FM and FMC. The FM and FMC values are found to be higher for the Packet Score technique than for Neural Networks. This shows that flow based methods are more suitable for detecting DDoS attacks than the training method.

7.2 FUTURE WORK

DDoS attacks are detected using a flow based collaborative method in SDN, based on the nominal profile generated during the non-attack period. In future, the nominal profile can be monitored against predefined constraints applicable to the specific networks, such as blocking packets of a particular protocol or from particular networks or sources. Thus the chance of a DDoS attack on specific networks can be considerably reduced.

CHAPTER 8

PUBLICATIONS

[1] Sangeetha M.V., Bhavithra Janakiraman, "Applying Packet Score Technique in SDN for DDoS Attack Detection", Proceedings of the International Conference on Emerging Trends in Engineering, Science and Sustainable Technology, Erode Sengunthar Engineering College, Erode, pp. 42-46 (5th April, 2018)

APPENDIX 1

SOURCE CODE
Creating Flow entries:
myFile <- file.choose()                     # choosing dataset
datasamplepart <- read.csv(myFile, header=TRUE, sep=",")
datasamplepart                              # displaying dataset
sapply(datasamplepart, class)               # displaying column type
tempdataframe <- data.frame("src"=character(), "dest"=character(), "proto"=character(), "len1"=integer(0),
                            "time_of_flow_entry"=double(), "packet_count"=integer(0), "byte_count"=integer(0),
                            "packet_rate"=double(), "byte_rate"=double(),
                            stringsAsFactors=FALSE)
for(i_row_of_datasamplepart in 1:nrow(datasamplepart))
{
  s1 <- datasamplepart[i_row_of_datasamplepart, "Source"]
  d1 <- datasamplepart[i_row_of_datasamplepart, "Destination"]
  p1 <- datasamplepart[i_row_of_datasamplepart, "Protocol"]
  len1 <- datasamplepart[i_row_of_datasamplepart, "Length"]
  # checking for matching flows: packets with the same source, destination, protocol and length
  flow_entry_match <- which((datasamplepart$Source == s1) & (datasamplepart$Destination == d1) &
                            (datasamplepart$Protocol == p1) & (datasamplepart$Length == len1))
  no_of_packts_matching_flowentry <- length(flow_entry_match)
  total_bytecnt <- 0
  if(no_of_packts_matching_flowentry == 1)  # when there is a single packet for a flow
  {
    time_calc <- datasamplepart[i_row_of_datasamplepart, 2]      # column 2: Time
    total_bytecnt <- datasamplepart[i_row_of_datasamplepart, 6]  # column 6: Length
  } else {
    for(i_row_of_flow_entry_match in 1:no_of_packts_matching_flowentry)
    {
      total_bytecnt <- total_bytecnt + datasamplepart[flow_entry_match[i_row_of_flow_entry_match], 6]
    }
    time_one <- datasamplepart[flow_entry_match[1], 2]
    time_last <- datasamplepart[flow_entry_match[no_of_packts_matching_flowentry], 2]
    time_calc <- time_last - time_one       # time of flow entry: last packet minus first packet
  }
  # list() keeps the column types; c() would coerce every field to character
  tempdataframe[nrow(tempdataframe)+1, ] <- list(as.character(s1), as.character(d1), as.character(p1),
      as.integer(len1), as.double(time_calc), as.integer(no_of_packts_matching_flowentry),
      as.integer(total_bytecnt), as.double(no_of_packts_matching_flowentry/time_calc),
      as.double(total_bytecnt/(time_calc*1024*10214)))
}
print(tempdataframe)
tempdataframe <- unique(tempdataframe)      # one row per flow entry
print(tempdataframe)
write.csv(tempdataframe, file="flowentries/flowentryuniq.csv")
sapply(tempdataframe, class)
tempdf <- read.csv(file="R:/1phase_1/flowentries/flowentryuniq.csv", header=TRUE, sep=",")
tempdf$attack <- 0
sapply(tempdf, class)
asdf <- as.vector(colMeans(tempdf[, c(6,7,8,9,10)], na.rm=FALSE, dims=1))  # calculating the average of each flow field
for(b in 1:nrow(tempdf))
{
  time <- tempdf[b, 6]
  pktcnt <- tempdf[b, 7]
  lenn <- tempdf[b, 8]
  paktrt <- tempdf[b, 9]
  bytrt <- tempdf[b, 10]
  cat(sprintf("%f %f %f %f %f %f %f %f %f %f\n", time, asdf[1], pktcnt, asdf[2], lenn, asdf[3], paktrt, asdf[4], bytrt, asdf[5]))
  if(((pktcnt > asdf[2]) & (lenn > asdf[3])) || ((paktrt > asdf[4]) & (bytrt > asdf[5])))
  {
    tempdf[b, "attack"] <- 1                # determining attack
  } else {
    tempdf[b, "attack"] <- 0
  }
}
tempdf
tempdataframe$attack1 <- tempdf$attack
tempdataframe
write.csv(tempdataframe, file="flowentries/flowentryfor150.csv")

Training BPNN:
data <- read.csv(file.choose(), header=T)
data <- data[, c(6:11)]      # time_of_flow_entry, packet_count, byte_count, packet_rate, byte_rate, attack1
sapply(data, class)
nrow(data)
ncol(data)
# Random sampling
samplesize <- 0.70 * nrow(data)
set.seed(80)
index <- sample(seq_len(nrow(data)), size = samplesize)
# Create training and test set
datatrain <- data[index, ]
datatest <- data[-index, ]
nrow(datatrain)
nrow(datatest)
# min-max scaling of every column to [0, 1]
maxs <- apply(data, 2, max)
mins <- apply(data, 2, min)
scaled <- as.data.frame(scale(data, center = mins, scale = maxs - mins))
library(neuralnet)
# creating training and test set
trainNN <- scaled[index, ]
testNN <- scaled[-index, ]
nrow(trainNN)
nrow(testNN)
# fit neural network: five flow features as input, one hidden layer of ten neurons
set.seed(2)
NN <- neuralnet(attack1 ~ time_of_flow_entry + packet_count + byte_count + packet_rate + byte_rate, trainNN,
                hidden = 10, linear.output = T)
# plot neural network
plot(NN, cex=1.3)
NNt <- compute(NN, testNN[, 1:5])
ls(NNt)
# actual attack status of the test set beside the network's prediction
co <- cbind(testNN[, c("attack1")], NNt$net.result)
colnames(co) <- c("given op", "NN op")
print(co)

Profile creation, Score Pair Selection and Packet Score Calculation:


import math
import pandas as pd

TPNP = 0          # total number of packets in the nominal profile
TPCP = 0          # total number of packets in the current profile
scorepair = []    # the two most deviating attributes
Sp = []           # packet scores
# getting data: the first half of the rows is treated as the attack-free (nominal)
# period and the second half as the current period
csvfile = pd.read_csv('R:/1phase_2/PSinput1.csv')
numberofrows = len(csvfile.index)
print("\n\n ", numberofrows)
if numberofrows <= 1:
    raise SystemExit("not enough packets to form nominal and current profiles")
datasplit = math.ceil(numberofrows / 2)
data_nominal = csvfile.iloc[:datasplit]
data_cur = csvfile.iloc[datasplit:]
TPNP = len(data_nominal.index)
TPCP = len(data_cur.index)
print(TPNP, " ", TPCP, " \n\n\n\n")


def single_profile(data, column, label):
    # single profile of one attribute: each value with the number of packets carrying it
    counts = data[column].value_counts()
    return pd.DataFrame({label: counts.index, 'count': counts.values})


# creating single nominal profiles
SNPsrc = single_profile(data_nominal, 'Source', 'src')
SNPdst = single_profile(data_nominal, 'Destination', 'dest')
SNPprotocol = single_profile(data_nominal, 'Protocol', 'prot')
SNPsize = single_profile(data_nominal, 'Length', 'size')
SNPsrc_port = single_profile(data_nominal, 'src_port-ttl', 'src_port-ttl')
SNPdst_port = single_profile(data_nominal, 'dst_port', 'dstport')

# creating single current profiles
SCPsrc = single_profile(data_cur, 'Source', 'src')
SCPdst = single_profile(data_cur, 'Destination', 'dest')
SCPprotocol = single_profile(data_cur, 'Protocol', 'prot')
SCPsize = single_profile(data_cur, 'Length', 'size')
SCPsrc_port = single_profile(data_cur, 'src_port-ttl', 'src_port-ttl')
SCPdst_port = single_profile(data_cur, 'dst_port', 'dstport')


def finding_Max_Deviation(SNP, SCP):
    # for every value of the attribute present in the nominal profile, record by how
    # much its packet count has grown in the current profile; the growths are
    # returned in descending order, so the first row is the maximum deviation
    attrib_val = [c for c in SNP.columns if c != 'count'][0]
    print("\n ^^ ", attrib_val)
    no_of_rows_SNP = len(SNP.index)
    no_of_rows_SCP = len(SCP.index)
    print("number of rows ", no_of_rows_SNP, " >> ", no_of_rows_SCP)
    deviations = []   # kept per call so that one attribute's values do not leak into the next
    for each_row_SNP in range(no_of_rows_SNP):
        nom_profile = SNP.at[each_row_SNP, attrib_val]
        nomprofile_cnt = SNP.at[each_row_SNP, 'count']
        temp = SCP.loc[SCP[attrib_val] == nom_profile]
        if not temp.empty:
            diff = int(temp['count'].iloc[0]) - int(nomprofile_cnt)
            if diff >= 0:
                deviations.append(diff)
    res = pd.DataFrame({attrib_val: deviations}).sort_values(attrib_val, ascending=False)
    return res


def get_maxofattrib(DevMx):
    # maximum deviation of an attribute: the first row after sorting; 0 when no value grew
    if DevMx.empty:
        return 0
    return int(DevMx.iloc[0, 0])


DevMx_src_port = finding_Max_Deviation(SNPsrc_port, SCPsrc_port)
print(DevMx_src_port)
DevMx_dest_port = finding_Max_Deviation(SNPdst_port, SCPdst_port)
print(DevMx_dest_port)
DevMx_protocol = finding_Max_Deviation(SNPprotocol, SCPprotocol)
print(DevMx_protocol)
DevMx_size = finding_Max_Deviation(SNPsize, SCPsize)
print(DevMx_size)
DevMx_src = finding_Max_Deviation(SNPsrc, SCPsrc)
print(DevMx_src)
DevMx_dest = finding_Max_Deviation(SNPdst, SCPdst)
print(DevMx_dest)

sizei = get_maxofattrib(DevMx_size)
protocoli = get_maxofattrib(DevMx_protocol)
desti = get_maxofattrib(DevMx_dest)
srci = get_maxofattrib(DevMx_src)
srcporti = get_maxofattrib(DevMx_src_port)
destporti = get_maxofattrib(DevMx_dest_port)
idlcnt = [sizei, protocoli, desti, srci, srcporti, destporti]
idlattribute = ['Length', 'Protocol', 'Destination', 'Source', 'src_port-ttl', 'dst_port']
print(idlcnt)

# score pair selection: the two attributes with the largest deviation
max1 = max(idlcnt)
idindex = idlcnt.index(max1)
print(" output -", max1, "-=-", idindex, "-=-", idlcnt)
print(idlattribute[idindex], " is the max1 deviation attribute ")
scorepair.append(idlattribute[idindex])
del idlcnt[idindex]
del idlattribute[idindex]
print("new cols-=-", idlcnt, "\n", idlattribute)
max2 = max(idlcnt)
idindex2 = idlcnt.index(max2)
print(" removed ", idlcnt, " ", idlattribute, " \n", idlattribute[idindex2], " is the max2 deviation attribute ")
scorepair.append(idlattribute[idindex2])
print("\n", scorepair)

# pair nominal profile (ScorePNP) over the score pair, keyed as "valueA-valueB"
SNPatrb2 = pd.DataFrame({'atrbtwo': data_nominal[scorepair[0]].astype(str) + "-"
                         + data_nominal[scorepair[1]].astype(str)})
temp = pd.DataFrame({'atrbtwo': SNPatrb2['atrbtwo'].value_counts().index.astype(str),
                     'counti': SNPatrb2['atrbtwo'].value_counts().values.astype(str)})
print("temp================ \n", temp)
ScorePNP = pd.DataFrame(temp.atrbtwo.str.split('-', n=1).tolist(), columns=[scorepair[0], scorepair[1]])
ScorePNP['count'] = temp['counti']
# pair current profile (ScorePCP) over the same score pair
SCPatrb2 = pd.DataFrame({'atrbtwo': data_cur[scorepair[0]].astype(str) + "-"
                         + data_cur[scorepair[1]].astype(str)})
temp2 = pd.DataFrame({'atrbtwo': SCPatrb2['atrbtwo'].value_counts().index.astype(str),
                      'counti': SCPatrb2['atrbtwo'].value_counts().values.astype(str)})
print("temp2================ \n", temp2)
ScorePCP = pd.DataFrame(temp2.atrbtwo.str.split('-', n=1).tolist(), columns=[scorepair[0], scorepair[1]])
ScorePCP['count'] = temp2['counti']
print(temp)

# packet score (formula 4.1) for every pair value seen in both profiles
k = []
for er1 in range(len(temp.index)):
    scorepnp_srcdest = temp.at[er1, 'atrbtwo']
    scorepnp_cnt = temp.at[er1, 'counti']
    temppp = SCPatrb2.loc[SCPatrb2['atrbtwo'] == scorepnp_srcdest]
    if not temppp.empty:
        SNPcnt = scorepnp_cnt
        SCPcnt = len(temppp.index)
        print(" > ", scorepnp_srcdest, " ", SNPcnt, " --> ", SCPcnt)
        numerator = int(SCPcnt) / TPCP        # ScorePCP / TPCP
        denominator = int(SNPcnt) / TPNP      # ScorePNP / TPNP
        DIV1 = numerator / denominator
        k.append({'atrbtwo': scorepnp_srcdest, 'countc': SCPcnt, 'countn': SNPcnt, 'score': DIV1})
        Sp.append(DIV1)
Sp.sort()           # ordered score list, from which the threshold (CDF) is taken
print(len(Sp))
k = pd.DataFrame(k)
print(k)
k.sort_values(by='score').to_csv('scored.csv')

APPENDIX 2

SNAPSHOTS

DATASET

From MAWI lab project, daily trace of network flow data is taken in .pcap format and
converted into .csv format as shown below.

Figure A2.1 Network flow data collected from MAWI lab project

FLOW ENTRY CREATION AND TRAINING NEURAL NETWORKS

A network data sample is chosen to be converted into flow entry table.

Figure A2.2 Choosing a sample data file

After combining packets of similar type into flow entries, below table is obtained.

Figure A2.3 Flow entry table



From a set of flow entry tables, one file is chosen to train neural network.

Figure A2.4 Choosing flow entry table for training neural network

Below diagram shows a trained neural network having five input neurons, one hidden
layer with ten neurons and one output neuron.

Figure A2.5 Trained neural network



From the below list, difference in actual and predicted attack status can be observed.

Figure A2.6 Actual attack status and predicted attack status for flow entries

PROFILE CREATION

Single Nominal Profile is collected during non-attack period for Source address attribute.

Figure A2.7 Single Nominal Profile for Source IP as attribute

Single Current Profile is collected during attack period for Source address attribute.

Figure A2.8 Single Current Profile for Source IP as attribute



SCORE PAIR SELECTION

Comparing the counters of the SNP and SCP of each attribute, the two most deviating attributes are chosen as the Score Pair for recording the Current Pair Profile. The snapshot below shows the maximum deviation of each value of the Length (packet size) attribute.

Figure A2.9 Calculating Maximum deviation for Length attribute

The selection of the Score Pair attributes is shown below.

Figure A2.10 Selection of Score Pair attributes

CALCULATION OF PACKET SCORE BASED ON SCORE PAIR

The packet score calculation for the selected Score Pair is shown below.

Figure A2.11 Packet Score Calculation

Packets are discarded based on the threshold value, as shown below.

Figure A2.12 Packet Discarding based on threshold value

REFERENCES

[1] Rodrigo Braga et al (2010), "Lightweight DDoS Flooding Attack Detection Using NOX/OpenFlow", IEEE - Local Computer Networks, Vol.1, pp.416-424.

[2] Trung V. Phan et al (2017), "Distributed SOM: Novel Performance Bottleneck Handler for Large-Sized Software Defined Networks under Flooding Attacks", Elsevier: Journal of Network and Computer Applications, Vol.91, pp.14-25.

[3] Tommy Chin et al (2011), "An SDN-supported Collaborative Approach for DDoS Flooding Detection and Containment", IEEE - Military Communications Conference, Vol.1, pp.659-665.

[4] Dongwon Seo et al (2011), "PFS: Probabilistic Filter Scheduling against Distributed Denial-of-Service Attacks", IEEE - Local Computer Networks, Vol.1, pp.9-17.

[5] Dongwon Seo et al (2013), "APFS: Adaptive Probabilistic Filter Scheduling against Distributed Denial-of-Service Attacks", Elsevier: Computers & Security, Vol.39, November, pp.366-385.

[6] J. Udhayan and T. Hamsapriya (2011), "Statistical Segregation Method to Minimize the False Detections during DDoS Attacks", International Journal of Network Security, Vol.13, Issue 3, pp.152-160.

[7] Jérôme François et al (2012), "FireCol: A Collaborative Protection Network for the Detection of Flooding DDoS Attacks", IEEE/ACM Transactions on Networking, Vol.20, Issue 6, pp.1828-1841.

[8] Ahmed AlEroud and Izzat Alsmadi (2016), "Identifying Cyber-Attacks on Software Defined Networks: An Inference-Based Intrusion Detection Approach", Elsevier: Journal of Network and Computer Applications, Vol.80, February, pp.152-164.

[9] Panos Kampanakis et al (2014), "SDN-Based Solutions for Moving Target Defense Network Protection", in Proceedings of IEEE 15th International Symposium, Vol.1, pp.28-34.

[10] Qi Chen et al (2012), "CBF: A Packet Filtering Method for DDoS Attack Defense in Cloud Environment", in Proceedings of IEEE 9th International Conference on Dependable, Autonomic and Secure Computing, Vol.1, pp.427-434.

[11] Ahmad A. Kardan, Mahnaz Ebrahimi (2013), "PacketScore: Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks", IEEE Transactions on Dependable and Secure Computing, Vol.3, Issue 2, pp.141-155.

[12] Rishikesh Sahay et al (2017), "ArOMA: An SDN Based Autonomic DDoS Mitigation Framework", Elsevier - Computers & Security, Vol.70, pp.482-499.

[13] Diego Kreutz et al (2013), "Towards Secure and Dependable Software Defined Networks", in Proceedings of the ACM SIGCOMM Workshop on Hot Topics in SDN, Vol.2, Issue 16, pp.55-60.

[14] Kübra Kalkan et al (2017), "Defense Mechanisms against DDoS Attacks in SDN Environment", IEEE Communications Magazine, Vol.55, Issue 9, pp.175-179.

[15] R. Fontugne et al (2010), "MAWILab: Combining Diverse Anomaly Detectors for Automated Anomaly Labeling and Performance Benchmarking", in Proceedings of the ACM International Conference on Emerging Networking Experiments and Technologies.

[16] Yunhe Cui et al (2016), "SD-Anti-DDoS: Fast and Efficient DDoS Defense in Software-Defined Networks", Elsevier - Journal of Network and Computer Applications, Vol.68, pp.65-79.

[17] Kübra Kalkan and Fatih Alagöz (2016), "A Distributed Filtering Mechanism against DDoS Attacks: ScoreForCore", Elsevier - Computer Networks, Vol.108, pp.199-209.

[18] Simon Kemp, "The Incredible Growth of the Internet over the Past Five Years - Explained in Detail", URL: https://thenextweb.com/insider/2017/03/06/the-incredible-growth-of-the-internet-over-the-past-five-years-explained-in-detail/

[19] "What Is Network Security? - Cisco", URL: https://www.cisco.com/c/en/us/products/security/what-is-network-security.html

[20] "What does DDoS Mean? | Distributed Denial of Service Explained | Incapsula", URL: https://www.incapsula.com/ddos/denial-of-service.html

[21] “Software-Defined Networking (SDN) Definition - Open Networking Foundation”,

xxxxURL: https://www.opennetworking.org/sdn-definition/

[22] “What’s Software-Defined Networking (SDN)?-SDxCentral”,

xxxxURL:https://www.sdxcentral.com/sdn/definitions/what-the-definition-of-software-

xxxxdefined-networking-sdn/

[23] “Traffic Trace Page”, URL: http://mawi.wide.ad.jp/mawi/samplepoint-F/2017/

You might also like