SDN Network DDOS Detection Using ML


Volume 9, Issue 5, May – 2024 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165 https://doi.org/10.38124/ijisrt/IJISRT24MAY1031

1. A. Bindu (Assistant Professor), Dept. of Computer Science Engineering, GVPCEW (JNTUK), Visakhapatnam, India
2. Ambati Venkata Sai Harika, Dept. of Computer Science Engineering, GVPCEW (JNTUK), Visakhapatnam, India
3. Dandamudi Swetha, Dept. of Computer Science Engineering, GVPCEW (JNTUK), Visakhapatnam, India
4. Malli Sahithi, Dept. of Computer Science Engineering, GVPCEW (JNTUK), Visakhapatnam, India

Abstract:- This paper describes a technique that uses the Ryu Controller and Mininet to identify and mitigate Distributed Denial of Service (DDoS) threats in Software Defined Networks (SDN). Using Mininet, the suggested method entails building a virtual network topology with connected switches and hosts. The Ryu Controller gathers traffic data while Mininet simulates several DDoS attack types, such as ICMP flood, LAND attack, TCP SYN flood, and UDP attacks. The Ryu Controller collects both benign and DDoS traffic into a dataset that is used to build a machine learning (ML) model that can detect DDoS attacks in real time.

Keywords:- Software-Defined Networking, DDoS, Ryu Controller, Mininet Simulation, Machine Learning, ICMP Flooding, Land Attack Simulation, TCP SYN Flooding, UDP Flooding, Network Security Enhancement, Anomaly Detection, Traffic Classification, Real-time Monitoring, Network Topology Emulation.

I. INTRODUCTION

Distributed Denial of Service (DDoS) attacks are a serious threat to network performance and availability in conventional networking systems. These attacks usually entail sending a large amount of malicious traffic over network resources, blocking access to services for authorized users. SDN, or software-defined networking, has become a prominent paradigm for improving network security. SDN enables dynamic reconfiguration of network devices and centralized management by severing the control plane from the data plane.

There are many benefits to using SDN for DDoS detection and mitigation, such as improved visibility, scalability, and flexibility in response to changing threats. In this work, we present an approach that uses widely-used tools like Ryu Controller and Mininet to identify and mitigate DDoS attacks by utilizing the capabilities of SDN along with an Intrusion Detection System using Machine Learning.

II. METHODOLOGY

We built a virtual network environment utilizing Mininet, a well-known network emulator, and Ryu Controller for network administration in order to assess the efficacy of our suggested method. The network structure allowed for the simulation of several attack scenarios because it consisted of switches and hosts connected by virtual links. ICMP flood, TCP SYN flood, UDP flood, and LAND attack were created by mimicking actual threat scenarios with the aid of tools such as hping. The Ryu Controller collected and processed traffic data, including malicious and benign flows, and then put the information into a structured dataset for additional study.

• Ryu Controller
Ryu Controller is an open-source, Python-based programmable controller, which is used to define the rules and logic for the switches to follow in the methodology.

• Mininet
Mininet is a network simulator that creates a virtual network topology with a controller, switches and hosts. In this work, topologies with a single Open vSwitch and 10 and 25 hosts are created for multiple tests.

• Hping3
Hping3 is a packet generator which generates TCP/IP traffic in the network; it is mostly used to test network security. Normal and attack traffic scripts are written to generate traffic automatically using this tool.

• IDS
Intrusion detection systems (IDS) provide proactive defense against hostile activity by analyzing system behavior and network traffic patterns to identify anomalies. ML-based intrusion detection systems are able to adapt and detect previously undiscovered threats with increased accuracy and efficiency because they are constantly learning from changing threat environments.

IJISRT24MAY1031 www.ijisrt.com 811



A. Abbreviations and Acronyms
SDN: Software Defined Network; ML: Machine Learning; IDS: Intrusion Detection System; DDoS: Distributed Denial of Service; ICMP: Internet Control Message Protocol; UDP: User Datagram Protocol; LAND: Local Area Network Denial; TCP-SYN: Transmission Control Protocol - SYNchronize.

B. Simulation Platform Setup
This section covers the steps and procedure to install all the packages and software required to implement the project. The platform setup is done on the Ubuntu 20.04.1 LTS operating system. The project demonstration and simulation used the following tools:

• OpenFlow Protocol for SDN
• Ryu Controller
• Mininet
• Hping3

• OpenFlow protocol
The OpenFlow protocol for SDN, or Open vSwitch, has to be installed, as it is the standard protocol for software defined network - Switch (2009). Open a terminal and type in the following command:

    sudo apt-get install openvswitch-switch

Give yes (Y) wherever it is asked. To check the version and confirm the installation, type in:

    ovs-vsctl --version

To view the stages of detection and mitigation.

• Ryu Controller
Ryu Controller must be installed. Since Ryu is a Python-based controller, installing it requires installing PIP for Python in order to install Python packages. Enter the following commands into the terminal to install PIP and the Ryu controller.

• Mininet
Mininet is a network simulator that creates a virtual network topology for software defined networks.

    sudo apt-get install mininet
    mn --version

• Hping3
Hping3 is a network packet generator and traffic generator for the TCP/IP protocol, mostly used for network testing. Iperf is a network traffic performance tool used to generate traffic and monitor it.

    sudo apt-get install iperf
    sudo apt-get install hping3

Fig 1 Architecture of the Project


C. Traffic Data Collection


For the learning algorithms (Random Forest, KNN, Naive Bayes, and linear regression) to analyse and forecast attack traffic, traffic data must be gathered and saved in a CSV file. The objective is to demonstrate that if a hacker executes a DDoS attack on a system, traffic will be gathered and screened by an intrusion detection system before being collected or halted, depending on whether the traffic is authentic.
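
An added example (not code from the paper) of the collection step described above: it turns successive polls of cumulative per-flow counters, as a controller receives them in flow-statistics replies, into per-interval rate features and writes them as CSV. The counter names follow the OpenFlow flow-stats fields; the feature set, the `flow_id` key and the sample values are assumptions constructed for illustration.

```python
import csv
import io

FIELDS = ["flow_id", "ip_proto", "pkt_rate", "byte_rate", "avg_pkt_size", "label"]

def flow_features(prev, curr, label):
    """Turn two consecutive polls of one flow into a dataset row, or None.

    Flow counters are cumulative since the flow entry was installed, so the
    rate for an interval is the counter delta divided by the duration delta.
    """
    if prev is not None and curr["duration_sec"] < prev["duration_sec"]:
        prev = None  # entry was re-installed: counters restarted from zero
    base = prev or {"packet_count": 0, "byte_count": 0, "duration_sec": 0}
    dt = curr["duration_sec"] - base["duration_sec"]
    dpkts = curr["packet_count"] - base["packet_count"]
    dbytes = curr["byte_count"] - base["byte_count"]
    if dt <= 0 or dpkts < 0 or dbytes < 0:
        return None  # duplicate poll or inconsistent counters: no usable rate
    return {
        "flow_id": curr["flow_id"],
        "ip_proto": curr["ip_proto"],
        "pkt_rate": round(dpkts / dt, 2),
        "byte_rate": round(dbytes / dt, 2),
        "avg_pkt_size": round(dbytes / dpkts, 2) if dpkts else 0.0,
        "label": label,
    }

def build_dataset(samples, label):
    """samples: polls in time order; label: 0 = benign run, 1 = attack run."""
    last, rows = {}, []
    for s in samples:
        row = flow_features(last.get(s["flow_id"]), s, label)
        last[s["flow_id"]] = s
        if row:
            rows.append(row)
    return rows

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

def sample(pkts, nbytes, dur):
    # Constructed poll of one ICMP flow (ip_proto 1); values are not from the paper.
    return {"flow_id": "10.0.0.1>10.0.0.5", "ip_proto": 1,
            "packet_count": pkts, "byte_count": nbytes, "duration_sec": dur}

# Normal rate, flood onset, re-installed entry, then a duplicate poll.
SAMPLES = [sample(1000, 98000, 10), sample(51000, 4998000, 20),
           sample(20000, 1960000, 5), sample(20000, 1960000, 5)]
ROWS = build_dataset(SAMPLES, label=1)
```

Training on raw cumulative counters instead of these deltas would make a long-lived benign flow look like a flood, which is why the reset and duplicate-poll cases are handled explicitly.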

Fig 2 Use Case Diagram


D. Experimental Design

• Network Topology:
Design a simulated network topology using Mininet comprising switches, hosts, and the Ryu Controller. The topology should replicate a real-world network environment with interconnected devices.

• Attack Scenarios:
Define a set of DDoS attack scenarios to be simulated during the experiment, including ICMP flood, TCP SYN flood, UDP flood, and others. Specify the characteristics and intensity of each attack, such as packet rate, duration, and target IP addresses.

• Traffic Generation:
Utilize traffic generation tools, such as hping, to simulate both benign and malicious traffic flows within the network. Generate traffic patterns representative of normal network behavior as well as DDoS attack patterns for evaluation.

• Ryu Controller Configuration:
Configure the Ryu Controller to monitor network traffic, analyze packet headers, and identify anomalous patterns indicative of DDoS attacks. Implement detection algorithms and mitigation strategies within the Ryu application to respond to detected threats.

Fig 3 Traffic Generation


III. INTRUSION DETECTION SYSTEM

In addition to the SDN-based detection and mitigation mechanisms implemented using the Ryu Controller, the experimental design includes the integration of an Intrusion Detection System (IDS) to augment threat detection capabilities. The IDS serves as an additional layer of defense, complementing the SDN-based approach by providing advanced threat detection and anomaly analysis capabilities. Incorporating IDS into the experimental setup enriches the research methodology by providing a comprehensive evaluation of hybrid security approaches that combine both traditional and SDN-based security measures.

Fig 4 Flow Diagram

IV. DATASET

An essential tool for assessing the efficacy of the SDN-based DDoS detection and mitigation strategy is the data set created throughout the experiment. It includes a wide variety of network traffic patterns, such as malicious traffic produced during DDoS attack simulations and benign traffic under typical operational conditions. The data collection makes it possible to thoroughly analyse and validate mitigation plans, performance measures, and detection algorithms.

A. Machine Learning Model Training and Evaluation:

• Algorithm Selection:

• Random Forest:
Utilize the Random Forest algorithm for its ability to handle high-dimensional data, handle non-linear relationships, and mitigate overfitting. Random Forest builds multiple decision trees and combines their predictions to improve accuracy and robustness.

• Decision Trees:
Employ Decision Trees for their interpretability and simplicity in modeling complex decision boundaries. Decision Trees partition the feature space based on attribute values to classify instances, making them suitable for DDoS detection tasks.

• K-Nearest Neighbors (KNN):
Apply the KNN algorithm for its simplicity and effectiveness in classification tasks. KNN classifies instances based on the majority class of their nearest neighbors in feature space, making it suitable for identifying patterns in unlabeled data.

• Linear Regression:
Although primarily used for regression tasks, Linear Regression can be adapted for binary classification by thresholding predicted probabilities. While simpler compared to other algorithms, Linear Regression provides insights into the linear relationships between features and target variables.
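
An added example (not the paper's model code) of the KNN step described above, written in plain Python instead of a library: KNN votes among labelled training rows, and because it is distance-based the features must be scaled or the large-valued one decides every vote. The two features (`byte_rate`, `avg_pkt_size`) and every row are constructed assumptions.

```python
import math
from collections import Counter

def fit_scaler(rows):
    """Per-feature (min, max), learned from the training rows only."""
    return [(min(col), max(col)) for col in zip(*rows)]

def scale(row, scaler):
    # A constant feature (max == min) carries no information; map it to 0.
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v, (lo, hi) in zip(row, scaler)]

def knn_predict(train_x, train_y, query, k=3):
    """Majority label among the k nearest training rows (Euclidean distance)."""
    nearest = sorted(zip(train_x, train_y), key=lambda p: math.dist(p[0], query))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

def evaluate(train, test, k=3, scaled=True):
    """Return (accuracy, recall on the DDoS class) for rows of (features, label)."""
    xs, ys = [list(f) for f, _ in train], [y for _, y in train]
    qs, truth = [list(f) for f, _ in test], [y for _, y in test]
    if scaled:
        scaler = fit_scaler(xs)
        xs = [scale(x, scaler) for x in xs]
        qs = [scale(q, scaler) for q in qs]
    preds = [knn_predict(xs, ys, q, k) for q in qs]
    correct = sum(p == t for p, t in zip(preds, truth))
    on_attacks = [p for p, t in zip(preds, truth) if t == 1]
    return correct / len(truth), sum(on_attacks) / len(on_attacks)

# Constructed rows: ((byte_rate, avg_pkt_size), label), 0 = benign, 1 = DDoS.
TRAIN = [
    ((350000, 1400), 0),  # bulk transfers: high byte rate, large packets
    ((345000, 1380), 0),
    ((338000, 1420), 0),
    ((1200, 80), 0),      # low-rate lookups
    ((900, 120), 0),
    ((300000, 60), 1),    # floods: high byte rate, minimum-size packets
    ((295000, 64), 1),
    ((310000, 60), 1),
    ((420000, 60), 1),
    ((410000, 64), 1),
]
TEST = [((342000, 60), 1), ((330000, 1400), 0), ((1500, 90), 0), ((305000, 62), 1)]
```

Without scaling, the flood whose byte rate resembles a bulk transfer is voted benign; with min-max scaling the packet-size feature separates it.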


B. Frontend Setup using Flask Framework:

• Purpose:
The frontend setup using the Flask framework facilitates user interaction and real-time DDoS detection by providing a user-friendly interface to input instances and receive predictions from trained machine learning models.

• Implementation:

• Flask Application Structure:
Develop a Flask web application with a modular structure consisting of routes, templates, static files, and backend logic. Organize application components to ensure scalability, maintainability, and extensibility.

• Input Interface:
Design an input interface where users can input features representing network traffic instances for DDoS detection. Provide form fields or input boxes for entering relevant features such as packet rates, packet sizes, and protocol types.

• Prediction Integration:
Integrate the trained machine learning models into the Flask application to enable real-time prediction of DDoS attacks. Utilize Flask's routing mechanisms to handle incoming requests, preprocess input data, and invoke model predictions.

• Output Display:
Display the prediction results on the frontend interface to inform users whether the input instance is classified as a DDoS attack or benign traffic. Provide clear and intuitive visualizations or messages to convey the prediction outcome effectively.

The integration of machine learning algorithms and the setup of a frontend using the Flask framework enhance the experimental design by enabling real-time DDoS detection and user interaction. By leveraging trained models and intuitive interfaces, the experiment aims to demonstrate the feasibility and practicality of deploying SDN-based DDoS detection solutions in operational environments.

Fig 5 DDOS and Normal Instances in the Dataset

Fig 6 Types of Attack Performed in the Generated Dataset

V. CONCLUSION

In conclusion, our project underscores the potential of SDN and machine learning in fortifying network defenses against DDoS attacks. By combining the agility of SDN with the intelligence of machine learning, we present a proactive and adaptive approach to DDoS detection and mitigation. The integration of real-time detection capabilities with user-friendly interfaces paves the way for effective collaboration between network administrators and automated security systems, fostering a resilient and secure network infrastructure. Furthermore, our project emphasizes the importance of collaborative defense mechanisms and community engagement in combating cyber threats. By sharing insights, best practices, and threat intelligence within the cybersecurity community, we can collectively enhance our defenses and adapt to emerging threats more effectively.

Open-source tools such as the Ryu Controller and machine learning libraries foster collaboration and knowledge sharing, enabling researchers and practitioners to collaborate on innovative solutions for network security. It is imperative to consider the ethical implications and responsible deployment of advanced security technologies in real-world settings. While SDN and machine learning offer powerful capabilities for DDoS detection and mitigation, their deployment must be guided by ethical principles, privacy concerns, and regulatory compliance. Ensuring transparency, accountability, and fairness in algorithmic decision-making processes is essential to maintain trust and integrity in network security operations.
