DDoS Attack Identification and Defense Using SDN Based On Machine Learning Method

This document proposes an SDN framework to identify and defend against DDoS attacks using machine learning. The framework has 3 parts: 1) a traffic collection module that extracts traffic characteristics, 2) a DDoS attack identification module that uses SVM to classify traffic as attack or normal, and 3) a flow table delivery module that adjusts forwarding rules to mitigate identified attacks. The framework aims to improve security in campus networks by leveraging the flexibility of SDN to dynamically respond to DDoS threats.

Uploaded by

aiot8f
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
82 views5 pages

DDoS Attack Identification and Defense Using SDN Based On Machine Learning Method

This document proposes an SDN framework to identify and defend against DDoS attacks using machine learning. The framework has 3 parts: 1) a traffic collection module that extracts traffic characteristics, 2) a DDoS attack identification module that uses SVM to classify traffic as attack or normal, and 3) a flow table delivery module that adjusts forwarding rules to mitigate identified attacks. The framework aims to improve security in campus networks by leveraging the flexibility of SDN to dynamically respond to DDoS threats.

Uploaded by

aiot8f
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

2018 15th International Symposium on Pervasive Systems, Algorithms and Networks

DDoS Attack Identification and Defense using SDN based on Machine Learning Method

YANG Lingfeng
School of Computer Science and Software Engineering
East China Normal University
Shanghai, China
[email protected]

ZHAO Hui
Shanghai Key Laboratory of Trustworthy Computing
School of Computer Science and Software Engineering
East China Normal University
Shanghai, China
[email protected]

Abstract—SDN (Software Defined Network) has attracted great interest as a new paradigm in networking. Thus, the security of SDN is important. The Distributed Denial of Service (DDoS) attack has been the plague of the Internet. Now it is a threat in some scenarios where SDN is applied, such as the campus network. In order to alleviate DDoS attacks in the campus network, we propose an SDN framework to identify and defend against DDoS attacks based on machine learning. This framework consists of 3 parts: the traffic collection module, the DDoS attack identification module and the flow table delivery module. The traffic collection module extracts traffic characteristics to prepare for traffic identification. Utilizing the flexible and multi-dimensional features of the SDN network architecture in deploying a DDoS attack detection system, the controller extracts the network traffic characteristics from statistical flow table information and uses the support vector machine (SVM) method to identify the attack traffic. Then the flow table delivery module dynamically adjusts the forwarding policy to resist DDoS attacks according to the traffic identification result. The experiment is conducted using the KDD99 dataset. The experiment results show the effectiveness of the DDoS attack identification method.

Keywords—Software Defined Network (SDN), Distributed Denial of Service (DDoS), Machine Learning (ML), Support Vector Machines (SVM), security

I. INTRODUCTION

Security has been regarded as the dominant barrier to the development of Internet services. Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are the main methods used to destroy the availability of Internet services. DDoS attacks refer to the use of client/server technology to combine multiple computers into an attack platform that launches a DoS attack on one or more targets. Thus the power of DoS attacks is multiplied, mainly by using IDC hosts and forged source IP addresses. DDoS attacks have been common in recent years. These attack incidents have incurred heavy downtime and business losses, to name but a few consequences. There are some noted attack examples. In 2015, Lizard Squad attacked the cloud-based game services of Microsoft and Sony, leading to a decline of QoS on Christmas day. The cloud service provider Rackspace was targeted by a massive DDoS attack on its services. Amazon EC2 cloud servers were attacked by a massive DDoS attack[1]. Thus, strengthening DDoS attack detection and defense is an urgent task.

The security of the campus network receives much attention from the government[2]. Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) flooding attacks are the main methods used to destroy the availability of the campus network. In traditional networks, hardware and software applications for DDoS attack detection and defense are expensive and difficult to deploy[3]. Software Defined Network (SDN) has attracted great interest as a new paradigm in networking. In SDN, the control plane and the data plane are decoupled. Network intelligence and network state are logically centralized. The underlying network infrastructure is abstracted from the applications. SDN can improve network manageability, scalability, controllability and dynamism[4]. Thus, SDN can dynamically modify forwarding rules to defend against DDoS traffic and improve network security.

To mitigate DDoS attacks and reduce the restrictions, traffic classification needs to be performed to identify attack traffic. Machine learning based network traffic classification has become a hot topic and has achieved encouraging results in intrusion detection[5]. In this paper, we propose an SDN framework to identify and defend against DDoS attacks based on machine learning for the campus network. This framework consists of 3 parts: the traffic collection module, the DDoS attack identification module and the flow table delivery module. The traffic collection module extracts traffic characteristics to prepare for traffic identification. The Support Vector Machine (SVM) is applied to identify the DDoS traffic. The Ryu controller[6] is employed to build the flow table delivery module.

The main work of this paper is as follows:

• Combining the characteristics of the SDN network, we propose network features that are easy to extract in the SDN environment.
• We abstract the DDoS attack detection problem as an attack traffic classification problem and use SVM to establish a classification detection model.
• We design and implement the attack detection and prevention framework using Ryu controllers.

The rest of the paper is organized as follows. In Section II, we describe the scenario assumptions and propose the DDoS attack identification and defense framework. In Section III, the process of establishing a DDoS attack detection model is presented, including feature selection and model training. Section IV shows the results of experiments using the KDD99 dataset. Section V introduces some of the current research on

2375-527X/18/$31.00 ©2018 IEEE


DOI 10.1109/I-SPAN.2018.00036
DDoS attack defense and compares it with our work. Finally, we conclude the research in Section VI.

II. DDOS ATTACK IDENTIFICATION AND DEFENSE FRAMEWORK

A. Scenario Assumptions

Figure 1 shows a simplified illustration of the system architecture in the hypothetical scenario. The system is composed of a web server, an SDN controller with the DDoS attack identification module running on it, and two OpenFlow switches. In addition, there are some normal visitors and some attackers. In order to better describe the DDoS attack identification and defense framework, we make the following assumptions about the above system architecture.

• All attackers come from external networks.
• DDoS attacks are HTTP flood attacks against web servers.
• The web server is used to simulate the website of a university.

[Figure 1. The system architecture in the hypothetical scenario. Components shown: Normal PC, Attacker, Internet, two OpenFlow switches, the web server, and the SDN controller running the DDoS attack identification module.]

B. The detection process

The detection process is divided into two steps. Firstly, the IP entropy is computed to determine whether a DDoS attack has been generated. If the IP entropy detection result indicates a DDoS attack, the system sets the flag to 1. After that, when the flag is 1, the traffic collection module performs feature extraction based on the flow table entries and the message packets. Then DDoS attack detection is applied to perform DDoS recognition. When a DDoS attack is identified, the controller sends out a flow table entry to filter this packet. The detection process is shown in Figure 2.

[Figure 2. Specific detection process. Flow: Package → Calculating IP Entropy → Is it abnormal? (no: Flag = 0; yes: Flag = 1) → Feature extraction from statistics flow table information → SVM Classifier → Is DDoS Attack? (yes: Send flow table to filter)]

C. The DDoS attack identification and defense framework

According to the above DDoS attack detection process, we propose the DDoS attack identification and defense framework shown in Figure 3. The framework consists of 3 parts: the traffic collection module, the DDoS attack identification module and the flow table delivery module. The sniffer is used to collect statistical information from the packet-in messages and flow tables, and then converts the statistical information into a feature vector which the classifier can handle. Assuming that the originators of the attack are all in the external network, the sniffer only needs to check the flow table of switch1, which is connected to the external networks, and the packet-in messages initiated by this switch. The attack identification model passes the recognition result to the flow table delivery module. The flow table delivery module conducts the control strategy: the traffic is forwarded as usual unless it is dropped because it carries DDoS attack packets.

[Figure 3. DDoS attack recognition and defense framework. Blocks: Input package → IP sniffer (Entropy, head fields, Statistical results) → Ryu controller with the Attack identification model → Flow table → switches; Normal PC, Attacker and internet connect through the switches to the server.]

D. Tools used

We use Ryu[6] to build our controller. The reason for choosing it is that Ryu is an open source controller based on Python, which facilitates system integration and has high portability and extensibility. We use the SVM model to establish the DDoS attack detection module; the specific process is described in Section III. DDoS attack traffic is generated using the open source tool Ddosflowgen[7]. The web server is simulated with the Damn Vulnerable Web App (DVWA)[8]. DVWA is a PHP/MySQL web application that is deliberately vulnerable. Its web environment is similar to the school website. In the experimental phase, we use Mininet[9] to simulate an SDN network and build an experimental topology.
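The traffic collection module of Sections II.B and III.A (the IP entropy flag, then the eight Table 1 features for the current connection), as an added example that is not the paper's code. It assumes packet-in events have already been summarised as connection records; using destination-IP entropy with a 1.0-bit threshold is an assumption, since the paper does not state which IP field or threshold it uses.

```python
# Added example, not the paper's code: the traffic collection module of
# sections II.B and III.A in plain Python. Packet-in events are assumed to be
# pre-summarised as connection records; the choice of destination-IP entropy
# and the threshold of 1.0 bit are assumptions, not values from the paper.
from collections import Counter
from dataclasses import dataclass
import math


@dataclass
class Conn:
    t: float      # arrival time in seconds
    src: str      # source IP
    dst: str      # destination IP (target host)
    dport: int    # destination port, used as the "service"
    sport: int    # source port
    flag: str     # "SF" completed, "S0" SYN error, "REJ" rejected


def ip_entropy(conns, field="dst"):
    """Shannon entropy (bits) of one IP header field over a window."""
    counts = Counter(getattr(c, field) for c in conns)
    n = len(conns)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def entropy_flag(conns, threshold=1.0):
    """II.B step 1: flag = 1 when traffic concentrates on few target hosts."""
    return 1 if ip_entropy(conns, "dst") < threshold else 0


def extract_features(history, cur):
    """The 8 features of Table 1 for `cur`, given the earlier connections."""
    # time-based features: connections in the past two seconds
    recent = [c for c in history if cur.t - 2.0 <= c.t <= cur.t]
    same_host = [c for c in recent if c.dst == cur.dst]
    count = len(same_host)
    srv_count = sum(1 for c in recent if c.dport == cur.dport)
    same_srv = sum(1 for c in same_host if c.dport == cur.dport)
    same_srv_rate = same_srv / count if count else 0.0
    # host-based features: the 100 most recent connections to the same host
    last100 = [c for c in history if c.dst == cur.dst][-100:]
    same_srv100 = [c for c in last100 if c.dport == cur.dport]

    def rate(sub, pred):
        return sum(1 for c in sub if pred(c)) / len(sub) if sub else 0.0

    return [count, srv_count, same_srv_rate, len(last100), len(same_srv100),
            rate(same_srv100, lambda c: c.sport == cur.sport),  # same src port
            rate(last100, lambda c: c.flag == "S0"),            # serror rate
            rate(last100, lambda c: c.flag == "REJ")]           # rerror rate


def collect(conns):
    """II.B: features are extracted only once the entropy flag is set."""
    flag = entropy_flag(conns)
    feats = extract_features(conns[:-1], conns[-1]) if flag else None
    return flag, feats


def constructed_window():
    """Constructed packet-in window: three normal visits, then an HTTP flood
    of 20 half-open requests from distinct sources to the web server."""
    conns = [Conn(0.0, "10.1.0.5", "10.0.0.1", 80, 40001, "SF"),
             Conn(0.5, "10.1.0.6", "10.0.0.2", 22, 40002, "SF"),
             Conn(1.0, "10.1.0.7", "10.0.0.3", 80, 40003, "SF")]
    for i in range(20):
        conns.append(Conn(1.5 + i * 0.05, f"203.0.113.{i + 1}",
                          "10.0.0.1", 80, 50000, "S0"))
    return conns


if __name__ == "__main__":
    print(collect(constructed_window()))  # flag 1, features for the last conn
```

With the constructed flood, the flag is set and the feature vector for the last connection is [19, 20, 1.0, 20, 20, 0.95, 0.95, 0.0]; the three normal visits alone leave the flag at 0 and no features are extracted.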

III. THE DDOS TRAFFIC IDENTIFICATION MODEL

A. Feature Extraction

When a packet arrives at the switch, if there is no matching rule in the flow table, the switch sends a packet-in message to the controller. After the controller receives the packet-in message, it designs the forwarding rule through its internal decision and returns a flow table entry to the switch with a packet-out message. After the switch updates the flow table, subsequent packets are processed according to the matching rules. The traffic statistics information can be obtained from the packet-in messages and the flow table. The process by which the switch processes packets is shown in detail in Figure 4.

[Figure 4. The process of switch processing packets. Labels: Package in → OpenVSwitch (Table update, Flow table 1, Flow table 2) ↔ Controller (Flow_mod, Missed packages & package out) → Forward package out or drop package.]

Combining the characteristics of the OpenFlow flow table, we extract 8 features based on the original dataset features. Table 1 depicts the features. All data packet features are collected and extracted by the sniffer.

Table 1. The description of the features which we extract

count: In the past two seconds, the number of connections to the same target host as the current connection.
srv_count: In the past two seconds, the number of connections to the same service as the current connection.
same_srv_rate: In the past two seconds, the percentage of connections that have the same service as the current connection.
dst_host_count: In the first 100 connections, the number of connections to the same target host as the current connection.
dst_host_srv_count: In the first 100 connections, the number of connections to the same target service as the current connection.
dst_host_same_src_port_rate: In the first 100 connections, the percentage of connections that have the same target host, the same service and the same source port as the current connection.
dst_host_serror_rate: In the first 100 connections, the percentage of SYN error connections to the same target host as the current connection.
dst_host_rerror_rate: In the first 100 connections, the percentage of REJ error connections to the same target host as the current connection.

B. Support Vector Machine based DDoS traffic identification model

The real-time requirement of DDoS attack detection is relatively high. The Support Vector Machine (SVM) is a supervised learning method with associated learning algorithms that analyze data used for classification and regression analysis. In this study, the main goal is to classify each packet as an attacker packet or a normal one. Therefore, we select SVM to establish the DDoS attack recognition model. SVM has higher robustness than other machine learning algorithms. The traffic classifier construction process is shown in Figure 5.

[Figure 5. The traffic classifier construction process. Steps: KDD99 data set → split into Train dataset and Test dataset (1); Train dataset → SVM with Parameter adjustment (C) (2); Test dataset → SVM → Accuracy evaluation (3); Final dataset → SVM → Final model (4).]

Firstly, the raw dataset is separated into a training dataset and a test dataset. Then the training dataset is used to build the DDoS attack recognition model, and the best parameters are determined through repeated tests.

The traffic data is collected from the flow table entries. The traffic dataset X has N traffic records, X = {x1, x2, x3, ..., xn}, and xi denotes a TCP connection that is made up of 8 features. These features denote the host-based network traffic features and the time-based network traffic features. We use -1 to represent an "attacker packet" for a packet from the attacker pool, and we use 1 to represent a "normal packet" for a packet from a normal PC.

1) Step 1: We use SVM to solve the following optimization problem. The linear kernel function K(x,y) and the appropriate parameter C are selected to build the SVM model. The linear kernel function K(x,y) = ( , ) + is used to map the input space to a high-dimensional feature space. C is the

regularization parameter, which must be greater than zero. We set C to 1. ∗ = (∗, ∗, …, ∗) is the Lagrange multiplier vector; it is the optimal solution of the problem below.

  min ½ , − (1)
  s.t. = 0 (2)
  0 ≤ ≤ , = 1, 2, …
  ∗ = (∗, ∗, …, ∗) (3)

2) Step 2: Select a positive component from ∗ (0 ≤ ) to calculate ∗, which is the parameter of the function:

  = − ∗ ∙ (4)

3) Step 3: Construct the decision function.

  f(x) = ( ∗ ∙ ) + ∗ (5)

Finally, we get the decision function. The decision function is used to decide how to forward packets. If the output of the function is -1, it is a DDoS attack packet; otherwise, it is a normal packet.

IV. EXPERIMENT

A. Training and Test Dataset

To demonstrate the effectiveness of the SVM-based DDoS identification method, we select the KDD99 dataset as the training and test dataset[10]. It is widely used in academic research, such as IDS and machine learning studies[11]. The KDD99 dataset includes five major categories, which are Normal, DoS, Probe, R2L and U2R. It uses 41 features to describe a connection. The statistical analysis of the dataset is shown in Table 2.

Table 2. KDD99 Data Set

Type     Number
Normal   12056
DoS      46024
Probe    839
R2L      3277
U2R      9
TOTAL    62205

We focus on HTTP flood attacks in this paper. Thus, the data with the DoS and Normal labels are selected, and the TCP network connections are used as the dataset. Then we divide the dataset into a training dataset and a test dataset after feature selection. Table 3 describes the datasets in detail.

Table 3. Experiment data division

Dataset    Type of attribute   Total instances                  Percent
All        Normal & attacks    (768670 + 1074241) = 1842911     100%
Training   Normal & attacks    (576842 + 805342) = 1382184      75%
Testing    Normal & attacks    (191828 + 268900) = 460728       25%

B. Experiment result

All experiments are run on a personal computer equipped with a quad-core Intel Core i5-8200U 1.8GHz processor and 8G of memory. The basic code of the SVM classifier is adopted from scikit-learn[12] and revised to finish our work.

Accuracy is used to evaluate the effectiveness of the DDoS attack classifier:

  accuracy = (TP + TN) / (TP + TN + FP + FN) (6)

where TP indicates true positives, TN indicates true negatives, FP indicates false positives and FN indicates false negatives. The experiment results are shown in Table 4, which demonstrates the effectiveness of our model. The accuracy is 0.998. It can be seen that our model for identifying DDoS attacks has a high recognition rate.

Table 4. The identification results

Type   Number
TP     191598
FP     553
FN     230
TN     268347

V. RELATED WORK

A. DDoS Defense Based on Machine Learning

Machine learning based DDoS attack detection has received much attention. The most frequently used algorithms include Naive Bayes, Decision Tree, K-Nearest Neighbor (KNN) and Support Vector Machine.

IAO Fu et al. propose an improved KNN algorithm to classify attack traffic[13]. However, this method is only suitable for offline detection.

He Z et al. propose a DDoS attack detection algorithm based on machine learning to prevent attacks on the source side in the cloud[14]. They evaluate nine machine learning algorithms and carefully compare their performance. They found that machine learning methods had a good effect in identifying DDoS attacks. They only did experiments on the

effectiveness of the detection algorithm without proposing a way to defend against DDoS attacks.

Ahmed ME et al. propose a method for mitigating DNS query-based DDoS attacks based on the DPMM (Dirichlet Process Mixture Model)[15]. Although the method has a good effect on mitigating DNS query-based DDoS attacks, the miscarriage rate is high.

Chuanhuang Li and Yan Wu et al. propose a DDoS attack detection and defense method based on deep learning, and they apply it to OpenFlow-based SDN[16]. The result shows that deep learning is a good method to detect DDoS attacks.

B. Research on DDoS defense in SDN based networks

Alshamrani A et al. propose a defense system for defeating DDoS attacks in SDN based networks[17]. Unlike most of the existing ML-based approaches, the system uses an extensive range of prediction features to cover more types of DDoS attacks as well as to ensure better DDoS detection accuracy. However, the extracted features are based on a subset of valid features, and the easy accessibility of the features in the SDN environment is not actually considered.

Hong, Kiwon et al. propose an SDN-assisted DDoS attack defense method that can detect and mitigate Slow HTTP DDoS attacks (SHDA), which relies on an SHDA in the SDN controller[18]. They use a proprietary controller, so the portability is poor.

Yang Xu and Yong Liu studied how to utilize SDN to detect DDoS attacks by capturing the flow volume feature as well as the flow rate asymmetry feature[19]. But their methods only consider one factor.

We propose a framework to identify and defend against DDoS attacks based on SDN and machine learning for the campus network. This framework can be deployed online to identify DDoS attacks and defend against them. Our framework enables online real-time detection of DDoS attacks and corresponding defense strategies. This framework design does not depend on other hardware and has good portability.

VI. CONCLUSION & FUTURE WORK

In this paper, we design an SDN framework to identify and defend against DDoS attacks. This framework consists of the traffic collection module, the attack identification module and the flow table delivery module. The traffic collection module extracts traffic characteristics to prepare for traffic identification. Currently, we have applied SVM to DDoS traffic identification. The experiment results on the KDD99 dataset show its effectiveness.

The classification model is deployed on the simulated SDN environment for the campus network as a DDoS detection module. All traffic is identified by this model. If attack traffic is identified, the controller discards packets according to the predefined rule. If the packet is not an attack, the forwarding policy is executed normally.

In the future, we will optimize the use of the ratio of convection and single flow to judge whether the growth of network traffic is a DDoS attack, and we will improve the flow table delivery module and deploy the model to the SDN environment for the campus network.

REFERENCES

[1] Somani, Gaurav, et al. "DDoS Attacks in Cloud Computing." Computer Communications, vol. 107, 2017, pp. 30–48.
[2] Key Points of Education Informationization in 2017. [Online]. Available: http://www.edu.cn/edu/zheng_ce_gs_gui/zheng_ce_wen_jian/zong_he/201702/t20170221_1491075.shtml
[3] Fayaz S K, Tobioka Y, Sekar V, et al. Bohatei: flexible and elastic DDoS defense[C]// USENIX Conference on Security Symposium. USENIX Association, 2015: 817-832.
[4] Yan Q, Yu F R, Gong Q, et al. Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges[J]. IEEE Communications Surveys & Tutorials, 2016, 18(1): 602-622.
[5] Perera P, Tian Y C, Fidge C, et al. A Comparison of Supervised Machine Learning Algorithms for Classification of Communications Network Traffic[C]// International Conference on Neural Information Processing. Springer, Cham, 2017: 445-454.
[6] Ryu controller. [Online]. Available: http://osrg.github.io/ryu/resources.html
[7] Ddosflowgen. [Online]. Available: https://github.com/GaloisInc/ddosflowgen
[8] Damn Vulnerable Web App (DVWA). [Online]. Available: http://www.dvwa.co.uk/
[9] Mininet. [Online]. Available: http://mininet.org/
[10] KDD Cup 1999 Data. [Online]. Available: http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
[11] Özgür, Atilla, and Hamit Erdem. "A Review of KDD99 Dataset Usage in Intrusion Detection and Machine Learning between 2010 and 2015." PeerJ, vol. 4, 2016.
[12] Scikit-learn. [Online]. Available: http://scikit-learn.org/stable
[13] IAO Fu, MA Junqing, HUANG Xunsong, WANG ̩uchuan. DDoS attack detection based on KNN in software defined networks. Journal of Nanjing University of Posts and Telecommunications, j.cnki.1673-5439.2015.01.013
[14] He Z, Zhang T, Lee R B. Machine Learning Based DDoS Attack Detection from Source Side in Cloud[C]// IEEE International Conference on Cyber Security and Cloud Computing. IEEE, 2017: 114-120.
[15] Ahmed ME, Kim H, Park M. Mitigating DNS query-based DDoS attacks with machine learning on software-defined networking[C]// MILCOM 2017 - 2017 IEEE Military Communications Conference. IEEE, 2017: 11-16.
[16] Li, Chuanhuang, et al. "Detection and Defense of DDoS Attack-Based on Deep Learning in OpenFlow-Based SDN." International Journal of Communication Systems, vol. 31, no. 5, 2018.
[17] Alshamrani A, Chowdhary A, Pisharody S, et al. A Defense System for Defeating DDoS Attacks in SDN based Networks[C]// ACM International Symposium on Mobility Management and Wireless Access. ACM, 2017: 83-92.
[18] Hong, Kiwon, et al. "SDN-Assisted Slow HTTP DDoS Attack Defense Method." IEEE Communications Letters, 2017, pp. 1–1.
[19] Xu Y, Liu Y. DDoS attack detection under SDN context[C]// INFOCOM 2016 - The IEEE International Conference on Computer Communications. IEEE, 2016: 1-9.
