DDoS Attack Identification and Defense Using SDN Based On Machine Learning Method
Abstract—SDN (Software Defined Network) has attracted great interest as a new paradigm in networking. Thus, the security of SDN is important. Distributed Denial of Service (DDoS) attacks have been a plague of the Internet, and they are now a threat in some scenarios where SDN is applied, such as the campus network. In order to alleviate DDoS attacks in the campus network, we propose an SDN framework to identify and defend against DDoS attacks based on machine learning. This framework consists of 3 parts: the traffic collection module, the DDoS attack identification module and the flow table delivery module. The traffic collection module extracts traffic characteristics to prepare for traffic identification. Utilizing the flexible and multi-dimensional features of the SDN architecture in deploying a DDoS attack detection system, the controller extracts the network traffic characteristics from statistical flow table information and uses the support vector machine (SVM) method to identify the attack traffic. Then the flow table delivery module dynamically adjusts the forwarding policy to resist DDoS attacks according to the traffic identification result. The experiment is conducted using the KDD99 dataset. The experiment results show the effectiveness of the DDoS attack identification method.

Keywords—Software Defined Network (SDN), Distributed Denial of Service (DDoS), Machine Learning (ML), Support Vector Machines (SVM), security

I. INTRODUCTION

Security has been regarded as the dominant barrier to the development of Internet services. Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are the main methods of destroying the availability of Internet services. DDoS attacks refer to the use of client/server technology to combine multiple computers into an attack platform that launches a DoS attack on one or more targets. Thus the power of the DoS attack is multiplied; such attacks mainly make use of IDC hosts and forge their source IPs. DDoS attacks have been common in recent years. These attack incidents have incurred heavy downtime and business losses, to name but a few consequences. There are some noted attack examples. In 2015, Lizard Squad attacked the cloud-based game services of Microsoft and Sony, leading to a decline of QoS on Christmas day. The cloud service provider Rackspace was targeted by a massive DDoS attack on its services. Amazon EC2 cloud servers were attacked by a massive DDoS attack[1]. Thus, strengthening DDoS attack detection and defense is an urgent task.

The security of the campus network receives much attention from the government[2]. Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) flooding attacks are the main methods of destroying the availability of the campus network. In traditional networks, hardware and software applications for DDoS attack detection and defense are expensive and difficult to deploy[3]. Software Defined Network (SDN) has attracted great interest as a new paradigm in networking. In SDN, the control plane and the data plane are decoupled. Network intelligence and network state are logically centralized. The underlying network infrastructure is abstracted from the applications. SDN can improve network manageability, scalability, controllability and dynamism[4]. Thus, SDN can dynamically modify forwarding rules to defend against DDoS traffic and improve network security.

To mitigate DDoS attacks and reduce these restrictions, traffic classification needs to be performed to identify attack traffic. Network traffic classification based on machine learning technology has become a hot topic and has achieved encouraging results in intrusion detection[5]. In this paper, we propose an SDN framework to identify and defend against DDoS attacks based on machine learning for the campus network. This framework consists of 3 parts: the traffic collection module, the DDoS attack identification module and the flow table delivery module. The traffic collection module extracts traffic characteristics to prepare for traffic identification. The Support Vector Machine (SVM) is applied to identify the DDoS traffic. The Ryu controller[6] is employed to build the flow table decision delivery module.

The main work of this paper is as follows:
• Combining the characteristics of the SDN network, we propose network features that are easy to extract in the SDN environment.
• Abstracting the DDoS attack detection problem as an attack traffic classification problem and using SVM to establish a classification detection model.
• Designing and implementing the attack detection and prevention framework using Ryu controllers.

The rest of the paper is organized as follows. In Section II, we describe the scenario assumptions and propose the DDoS attack identification and defense framework. In Section III, the process of establishing a DDoS attack detection model is presented, including feature selection and model training. Section IV shows the results of experiments using the KDD99 dataset. Section V introduces some of the current research on
[Framework diagram (caption not on this page); labels recovered from the figure: Attacker, Normal PC, Internet, Flow switch, Flow table, IP sniffer, head fields, Entropy, Statistical results, Ryu controller, identification model, Input, Attacker package, server package]
When a packet arrives at the switch and no rule in the flow table matches it, the switch sends a packet-in message to the controller. After the controller receives the packet-in message, it determines the forwarding rule through its internal decision logic and returns the flow table entry to the switch together with a packet-out message. After the switch updates its flow table, subsequent packets are processed according to the matching rules. The traffic statistics can be obtained from the packet-in messages and the flow table. The process by which the switch handles packets is shown in detail in Figure 4.

[Figure 4 diagram; labels recovered from the figure: Package in, OpenVSwitch (Flow table 1, Flow table 2, Table update), Missed packages & package out, Controller, Flow_mod, Forward package out or drop package]

Figure 4. The process of switch processing packets

Combining the characteristics of the OpenFlow flow table, we extract 8 features based on the features of the original data set.

Table 1 The description of features which we extract
Label                   Description
...r_rate (label cut off)   ... the current connection with the same target host.
dst_host_rerror_rate    Among the first 100 connections to the same target host as the current connection, the percentage that are REJ error connections.
(only the last two rows of Table 1 are recovered on this page)

B. Support Vector Machine based DDoS traffic Identification Model

The real-time requirement of DDoS attack detection is relatively high. Support Vector Machine (SVM) is a supervised learning method with associated learning algorithms that analyze data for classification and regression analysis. In this study, the main goal is to classify each packet as an attack packet or a normal one. Therefore, we select SVM to establish the DDoS attack recognition model. SVM has higher robustness than other machine learning algorithms. The traffic classifier construction process is shown in Figure 5.

[Figure 5 diagram (caption not on this page); labels recovered from the figure: KDD99 data set, split, (1) Train dataset and Test dataset, (2) Train dataset: Parameter adjustment (C), (3) Test dataset: Accuracy evaluation]
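As an added example (not code from the paper or from the Ryu project), the following pure-Python model walks through the loop of Figure 4: a flow-table miss raises a packet-in, the controller decides and returns a flow_mod together with the packet-out, and later packets of the same flow match the installed entry, with the classifier output mapped to drop (-1) or forward (+1) as the paper's decision rule prescribes. It assumes a sliding window of 100 connections per target host for the Table 1 feature dst_host_rerror_rate, constructed connection records carrying a KDD99-style flag, and a hypothetical threshold classifier standing in for the trained SVM.

```python
from collections import defaultdict, deque
WINDOW = 100  # connections to the same target host used for dst_host_rerror_rate (Table 1)

class Controller:
    """Control plane: derives dst_host_rerror_rate per target host, asks classifier for -1/+1."""
    def __init__(self, classify):
        self.classify = classify
        self.history = defaultdict(lambda: deque(maxlen=WINDOW))  # dst -> 1 if REJ else 0

    def dst_host_rerror_rate(self, dst):
        recent = self.history[dst]
        return sum(recent) / len(recent) if recent else 0.0

    def packet_in(self, conn):
        """Handle a packet-in for {src, dst, flag}; return the flow_mod sent with the packet-out."""
        self.history[conn["dst"]].append(1 if conn["flag"] == "REJ" else 0)
        label = self.classify([self.dst_host_rerror_rate(conn["dst"])])
        action = "drop" if label == -1 else "forward"  # predefined rule: -1 means attack
        return {"match": (conn["src"], conn["dst"]), "action": action}

class Switch:
    """Data plane: exact-match flow table keyed on (src, dst); a miss raises a packet-in."""
    def __init__(self, controller):
        self.controller = controller
        self.flow_table = {}
        self.packet_ins = 0

    def process(self, conn):
        match = (conn["src"], conn["dst"])
        rule = self.flow_table.get(match)
        if rule is None:  # no matching entry: send packet-in to the controller
            self.packet_ins += 1
            rule = self.controller.packet_in(conn)
            self.flow_table[match] = rule  # flow_mod installs the returned entry
        return rule["action"]  # later packets of this flow match without a packet-in

def threshold_classifier(features, limit=0.5):
    """Hypothetical stand-in for the trained SVM decision function (-1 attack, +1 normal)."""
    return -1 if features[0] > limit else 1

def run_scenario():
    """Constructed traffic: one normal client, then 40 spoofed sources rejected (REJ) by one host."""
    sw = Switch(Controller(threshold_classifier))
    out = {"normal": sw.process({"src": "10.0.0.2", "dst": "10.0.0.1", "flag": "SF"})}
    flood = [{"src": f"198.51.100.{i}", "dst": "10.0.0.1", "flag": "REJ"} for i in range(1, 41)]
    out["flood_dropped"] = [sw.process(c) for c in flood].count("drop")
    out["repeat"] = sw.process(flood[-1])  # entry already installed: matched, no packet-in
    out["packet_ins"] = sw.packet_ins
    return out
```

Once a flow is classified as attack traffic its drop entry stays in the flow table, so the switch discards later packets of that flow without consulting the controller again.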
regularization parameter, which must be greater than zero. We let C be 1. ∗ = ( ∗ , ∗ , … , ∗ ) is the Lagrange multiplier vector, the optimal solution of the problem above.

ℎ 1
min , − (1)
2
s. t =0 (2)
0≤ ≤ , = 1,2, …
∗ = ( ∗ , ∗ , … , ∗ ) (3)

2) Step 2: Select a positive component from (0 ≤ ) to calculate ∗, which is the parameter of the objective function:
∗
= − ∗
∙ (4)

3) Step 3: Construct the decision function.
∗ ∗
f(x) = ( ∙ )+ (5)

Finally, we get the decision function. The decision function is used to decide how to forward packets. If the output of the function is -1, it is a DDoS attack packet; otherwise, it is a normal packet.

IV. EXPERIMENT

A. Training and Test Dataset

To demonstrate the effectiveness of the SVM-based DDoS identification method, we select the KDD99 dataset as the training and test dataset[10]. It is widely used in academic research, such as IDS and machine learning studies[11].

The KDD99 dataset includes five major categories, which are Normal, DoS, Probe, R2L and U2R. It uses 41 features to describe a connection. The statistical analysis of the dataset is shown in Table 2.

Table 2 KDD99 Data Set
Type     Number
Normal   12056
DoS      46024
Probe    839
R2L      3277
U2R      9
TOTAL    62205

We focus on HTTP flood attacks in this paper. Thus, the records labelled DoS and Normal are selected, and the TCP network connections are used as the dataset.

After feature selection, we divided the dataset into a training dataset and a test dataset. Table 3 describes the datasets in detail.

Table 3 Experiment data division
Dataset    Type of attribute   Total instances               Percent
All        Normal & attacks    (768670+1074241) 1842911     100%
Training   Normal & attacks    (576842+805342) 1382184      75%
Testing    Normal & attacks    (191828+268900) 460728       25%

B. Experiment result

All experiments are run on a personal computer equipped with a quad-core Intel Core i5-8200U 1.8GHz processor and 8 GB of memory. The SVM classifier is based on the scikit-learn[12] implementation and adapted for our work.

Accuracy is used to evaluate the effectiveness of the DDoS attack classifier:

$\mathrm{accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$ (6)

where TP indicates the true positives, TN the true negatives, FP the false positives and FN the false negatives. The experiment results are shown in Table 4, which demonstrates the effectiveness of our model. The accuracy is 0.998. It can be seen that our model has a high recognition rate for DDoS attacks.

Table 4. The identification results
Type   Number
TP     191598
FP     553
FN     230
TN     268347

V. RELATED WORK

A. DDoS Defense Based on Machine Learning

Machine learning based DDoS attack detection has received much attention. The most frequently used algorithms include Naive Bayes, Decision Tree, K-Nearest Neighbor (KNN) and Support Vector Machine.

IAO Fu et al. propose an improved KNN algorithm to classify the attack traffic[13]. However, this method is suited to offline detection.

He Z et al. propose a DDoS attack detection algorithm based on machine learning to prevent attacks on the source side in the cloud[14]. They evaluate nine machine learning algorithms and carefully compare their performance. They found that machine learning methods had a good effect in identifying DDoS attacks. They only did experiments about the
effectiveness of the detection algorithm without proposing a way to defend against DDoS attacks.

Ahmed ME et al. propose a method for mitigating DNS query-based DDoS attacks based on DPMM (Dirichlet Process Mixture Model)[15]. Although the method has a good effect on mitigating DNS query-based DDoS attacks, the misjudgment rate is high.

Chuanhuang Li and Yan Wu et al. propose a DDoS attack detection and defense method based on deep learning, and they apply it to OpenFlow-based SDN[16]. The result shows that deep learning is a good method for detecting DDoS attacks.

B. Research on DDoS Defense in SDN-based Networks

Alshamrani A et al. propose a defense system for defeating DDoS attacks in SDN-based networks[17]. Unlike most of the existing ML-based approaches, the system uses an extensive range of prediction features to cover more types of DDoS attacks and to ensure better DDoS detection accuracy. However, the extracted features are based on a subset of valid features, and the ease of obtaining the features in the SDN environment is not actually considered.

Hong, Kiwon et al. propose an SDN-assisted DDoS attack defense method that can detect and mitigate Slow HTTP DDoS attacks (SHDA), relying on SHDA detection in the SDN controller[18]. They use a proprietary controller, so the portability is poor.

Yang Xu and Yong Liu studied how to utilize SDN to detect DDoS attacks by capturing the flow volume feature as well as the flow rate asymmetry feature[19]. But their methods only consider one factor.

We propose a framework to identify and defend against DDoS attacks based on SDN and machine learning for the campus network. This framework can be deployed online to identify and defend against DDoS attacks. Our framework enables online real-time detection of DDoS attacks and the corresponding defense strategies. This framework design does not depend on other hardware and has good portability.

VI. CONCLUSION & FUTURE WORK

In this paper, we design an SDN framework to identify and defend against DDoS attacks. This framework consists of 3 parts: the traffic collection module, the attack identification module and the flow table delivery module. The traffic collection module extracts traffic characteristics to prepare for traffic identification. Currently, we have applied SVM to DDoS traffic identification. The experiment results on the KDD99 dataset show the effectiveness.

This classification model is deployed on the simulated SDN environment for the campus network as a DDoS detection module. All traffic is identified by this model. If attack traffic is identified, the controller discards the packets according to the predefined rule. If the packet is not attack traffic, the forwarding policy is executed normally.

In the future, we will refine how the ratio of convection to single flows is used to judge whether growth in network traffic is a DDoS attack. And we will improve the flow table delivery module and deploy the model to the SDN environment for the campus network.

REFERENCES
[1] Somani, Gaurav, et al. “DDoS Attacks in Cloud Computing.” Computer Communications, vol. 107, 2017, pp. 30–48.
[2] Key Points of Education Informationization in 2017. [Online]. Available: http://www.edu.cn/edu/zheng_ce_gs_gui/zheng_ce_wen_jian/zong_he/201702/t20170221_1491075.shtml
[3] Fayaz S K, Tobioka Y, Sekar V, et al. Bohatei: flexible and elastic DDoS defense[C]// USENIX Conference on Security Symposium. USENIX Association, 2015: 817-832.
[4] Yan Q, Yu F R, Gong Q, et al. Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges[J]. IEEE Communications Surveys & Tutorials, 2016, 18(1): 602-622.
[5] Perera P, Tian Y C, Fidge C, et al. A Comparison of Supervised Machine Learning Algorithms for Classification of Communications Network Traffic[C]// International Conference on Neural Information Processing. Springer, Cham, 2017: 445-454.
[6] Ryu controller. [Online]. Available: http://osrg.github.io/ryu/resources.html
[7] Ddosflowgen. [Online]. Available: https://github.com/GaloisInc/ddosflowgen
[8] Damn Vulnerable Web App (DVWA). [Online]. Available: http://www.dvwa.co.uk/
[9] Mininet. [Online]. Available: http://mininet.org/
[10] KDD Cup 1999 Data. [Online]. Available: http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
[11] Özgür, Atilla, and Hamit Erdem. “A Review of KDD99 Dataset Usage in Intrusion Detection and Machine Learning between 2010 and 2015.” PeerJ, vol. 4, 2016.
[12] Scikit-learn. [Online]. Available: http://scikit-learn.org/stable
[13] IAO Fu, MA Junqing, HUANG Xunsong, WANG Ruchuan. DDoS attack detection based on KNN in software defined networks. Journal of Nanjing University of Posts and Telecommunications, j.cnki.1673-5439.2015.01.013
[14] He Z, Zhang T, Lee R B. Machine Learning Based DDoS Attack Detection from Source Side in Cloud[C]// IEEE International Conference on Cyber Security and Cloud Computing. IEEE, 2017: 114-120.
[15] Ahmed ME, Kim H, Park M. Mitigating DNS query-based DDoS attacks with machine learning on software-defined networking[C]// MILCOM 2017 - 2017 IEEE Military Communications Conference. IEEE, 2017: 11-16.
[16] Li, Chuanhuang, et al. “Detection and Defense of DDoS Attack-Based on Deep Learning in OpenFlow-Based SDN.” International Journal of Communication Systems, vol. 31, no. 5, 2018.
[17] Alshamrani A, Chowdhary A, Pisharody S, et al. A Defense System for Defeating DDoS Attacks in SDN based Networks[C]// ACM International Symposium on Mobility Management and Wireless Access. ACM, 2017: 83-92.
[18] Hong, Kiwon, et al. “SDN-Assisted Slow HTTP DDoS Attack Defense Method.” IEEE Communications Letters, 2017, pp. 1–1.
[19] Xu Y, Liu Y. DDoS attack detection under SDN context[C]// INFOCOM 2016 - IEEE International Conference on Computer Communications. IEEE, 2016: 1-9.