
Journal of Survey in Fisheries Sciences 10(4S) 964-971 2023

Detection of TCP, UDP and ICMP DDOS attacks in SDN Using Machine Learning approach

R. Anusuya
Professor, Department of CSE, Modern Institute of technology and research Centre, Alwar, Rajasthan. E-mail: [email protected]

M. Ramkumar Prabhu
Professor, Department of ECE, PERI Institute of Technology, Chennai. E-mail: [email protected]

Ch. Prathima
Assistant Professor, School of Computing, Mohan Babu University, Tirupati. E-mail: [email protected]

J. R. Arun Kumar
Professor, Department of CSE, Modern Institute of technology and research Centre, Alwar, Rajasthan. E-mail: [email protected]

Abstract: Software Defined Networking (SDN) is a network architecture in which the network is controlled centrally through programmed software applications. SDN enables the behaviour of the network to be programmed centrally by software with the help of open application interfaces. The parameters of network connections can be changed dynamically. In a conventional network it is impossible to change the settings dynamically, because the connections are fixed. In SDN, the control plane is controlled by software and sits at the centre, linking the application layer and the infrastructure layer. SDN has proved its efficiency in countering attacks by providing network surveillance and online configuration of the network. A DDoS attack is a malicious attack in which the attacker floods the target server from various sources. This project uses an SDN intrusion dataset for training. It focuses on implementing a compatible way of detecting DDoS attacks in SDN by employing multiple Machine Learning (ML) approaches.
Keywords: DDoS attack, Machine Learning, Software-Defined Networking.

I. INTRODUCTION
Software Defined Networking (SDN) is a widely used networking paradigm that is dynamic, low-cost and extensible, which makes it well suited to a variety of devices and network projects. In this architecture the network control and forwarding functions are separated, so that network control becomes directly programmable and the underlying infrastructure is abstracted for applications and network services. It is critical to construct a network-based Intrusion Detection System (IDS) that detects DDoS attacks using information from SDN traffic flows. In SDN, the control plane (CP) is separated from the network devices. This makes the technology different from traditional network design in its operation: because the traditional network is a fixed link, it cannot be adjusted dynamically.

Fig 1: Architecture of SDN.

In SDN, we can modify the specifications of network connections on the fly. The data plane transports network traffic on the basis of the controller's decisions. The control plane determines traffic flow by enumerating routing tables. The application plane controls other applications such as load balancers, firewalls and Quality of Service (QoS) apps. Creating an Intrusion Detection System (IDS) that is network-based and utilizes modern networking technologies like SDN is of utmost importance. This system should be able to find DDoS attacks by analysing data from the network traffic flows that are managed by SDN. DDoS attacks are dangerous attacks launched from various OSI layers, and they continue to cause countless issues in today's network infrastructures. They are usually high-volume and expensive attacks. Artificial intelligence approaches such as machine learning can, however, identify them. Control programs in a logically centralized controller manage numerous routers across the network. DDoS attacks have grown in frequency and severity over time, as well as in sophistication. The modularity aspect allows us to adapt and improve any component of the architecture separately, such as the flow collector and detection.

Using artificial intelligence methodologies, this study provides a scalable and extensible SDN-based architecture for detecting DDoS attacks. The modularity aspect allows us to improve each component separately, namely the pre-processing, flow collector, detection and flow management modules. This approach allows experimenting with alternative ML detection techniques to counter different DDoS attacks. This research also looked into the most common and harmful transport-layer DDoS attacks, UDP Flood and SYN Flood. Because a large quantity of traffic passes through the controller in the SDN control layer, a good security system is required to analyse and identify suspicious traffic. Furthermore, the approaches KNN, RF, DT and SVM were successful for various sorts of attacks.

II. RELATED WORKS

1. Author: Mario Lemes Proença, Jr. (proenca@uel.br)
   Title: Long short-term memory and fuzzy logic for anomaly detection and mitigation in software-defined network environment
   Proposed system: The system proposed in this paper aims to characterise network traffic, detect DDoS attacks, and mitigate port scans in an SDN environment.
   Limitations: This work was subjected to only a few high-volume attacks. Up-to-date datasets are not used.

2. Author: N. N. Tuan
   Title: A DDoS attack mitigation scheme in ISP networks using machine learning based on SDN
   Proposed system: This work proposed a DDoS attack mitigation strategy for TCP-SYN and ICMP flood attacks in SDN-based ISP networks using an ML approach, namely K-Nearest-Neighbor and XGBoost.
   Limitations: The datasets used in this paper are not up to date, and only a few types of DDoS attacks are explored.

3. Author: T. V. Phan
   Title: Q-MIND: Defeating stealthy DoS attacks in SDN with a machine-learning based defense framework
   Proposed system: This research published Q-MIND, an ML defence application, to find and mitigate DoS attacks in SDN.
   Limitations: This work explored only a few classification methods and only detects whether an attack is a DDoS attack or not. It does not explore the types of DDoS attacks.

4. Author: M. Idhammad
   Title: Semi-supervised machine learning approach for DDoS detection
   Proposed system: The authors presented an online ordered semi-supervised ML process for finding DDoS attacks using network entropy estimation, co-clustering, data gain ratio and the Extra-Trees algorithm.
   Limitations: This study did not use up-to-date datasets, and only a small number of methods are explored.

5. Author: X. Liang
   Title: A long short-term memory enabled framework for DDoS detection
   Proposed system: In this paper, a guided DDoS detection scheme based on LSTM is published.
   Limitations: This work explored only slow-rate DDoS attacks and only a single classifier.

6. Author: Amit Praseed
   Title: DDoS attacks at the application layer: Challenges and research perspectives for safeguarding web applications
   Proposed system: DDoS attacks on the application or framework layer have begun. They make legitimate application-layer requests, which makes them difficult for existing defence mechanisms to detect.
   Limitations: This paper presents a detailed explanation and classification of application-layer DDoS attacks to help researchers better understand them.

7. Author: M. Elsayed
   Title: DDoSNet: A deep-learning model for detecting network attacks
   Proposed system: In this paper the authors published DDoSNet, an intrusion detection system against DDoS attacks in the SDN framework.
   Limitations: This work does not focus on testing the proposed model's performance on other datasets.


III. PROPOSED SYSTEM
This section discusses the proposed work for detecting DDoS attacks in SDN using ML approaches. The presented work makes use of the machine learning techniques SVM, Decision Tree, k Nearest Neighbours and Random Forest. The advantage of using these ML algorithms is their low complexity.

This work focuses on the following DDoS attacks:
1) TCP-SYN FLOOD ATTACK: A type of DDoS attack in which the intruder rapidly initiates connections to a web server without finalizing them. The server must use resources to wait for the half-open connections, which might cause the system to become unresponsive to routine traffic.
2) UDP FLOOD ATTACK: A type of DDoS attack in which the intruder attacks the ports of a host with IP packets containing User Datagram Protocol packets.
3) ICMP FLOOD ATTACK: The usual way this DDoS attack occurs is that the attacker floods the target device with ICMP echo requests, causing it to be overwhelmed.

A. MACHINE LEARNING:
The methodology employed in this study uses ML techniques to identify DDoS attacks in SDN. The dataset used for both training and testing the algorithms is SDN DDOS. Prior to the analysis, the necessary pre-processing steps were carried out on the dataset: data cleaning, variable standardization and feature selection. The pre-processed data was then split into training and testing sets to train and test the ML algorithms.

Fig 2: Illustration of machine learning process.

In the data cleaning process, all null values in the dataset were identified and removed. In the variable standardization process, all features with a standard deviation equal to 0 were removed from the dataset. In the feature selection process, the necessary features were extracted from the dataset. The algorithms were then trained using the pre-processed data and evaluated based on performance metrics.

B. MODELLING MACHINE LEARNING ALGORITHMS:
The ML algorithms used in this study to identify DDoS attacks are Random Forest, SVM, DT and KNN.
SVM: SVM is a supervised ML algorithm that is used for both classification and regression problems. Its key idea is to classify input points by finding a hyperplane in N-dimensional space.
KNN: This algorithm is used for both classification and regression problems. It assumes that similar objects fall into the same category.
RANDOM FOREST: It is used for classification and prediction problems. It constructs decision trees from heterogeneous data and classifies and predicts using the average of their votes.
DECISION TREE: It is a tool for solving classification and prediction problems. Each internal node represents a test on an attribute, each branch represents a test outcome, and each leaf node stores a class label.

Fig 3: Block diagram for modelling ML algorithms.

Training and testing sets were created from the pre-processed dataset. The training set was used to train the machine learning algorithms, producing a model. The model was then tested with the testing set. From the results of testing, the accuracies of the machine learning algorithms were generated.
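The pre-processing and modelling steps described above (null removal, dropping features with zero standard deviation, train/test split, training and testing), as an added example that is not the authors' code. The flow records, feature names and the z-score scaling step are assumptions, and KNN is written out by hand so the block needs only the Python standard library.

```python
import math
import random
import statistics

def make_flows(n=200, seed=7):
    """Constructed flow records: [pkt_count, byte_count, duration_s, reserved, label]."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        if i % 2:  # label 1: flood-like flow, many packets in a short time
            rows.append([rng.gauss(900, 80), rng.gauss(54000, 6000), rng.gauss(2, 0.5), 0.0, 1])
        else:      # label 0: normal flow
            rows.append([rng.gauss(60, 20), rng.gauss(48000, 9000), rng.gauss(30, 8), 0.0, 0])
    rows[3][1] = None   # two missing values for the cleaning step to find
    rows[10][0] = None
    return rows

def clean(rows):
    """Data cleaning: drop every record that contains a null value."""
    return [r for r in rows if None not in r]

def drop_constant(rows):
    """Remove features whose standard deviation is 0; return rows and kept column indexes."""
    keep = [j for j in range(len(rows[0]) - 1)
            if statistics.pstdev([r[j] for r in rows]) > 0]
    return [[r[j] for j in keep] + [r[-1]] for r in rows], keep

def split(rows, test_frac=0.3, seed=1):
    """Shuffle and split into training and testing sets."""
    rows = rows[:]
    random.Random(seed).shuffle(rows)
    cut = int(len(rows) * (1 - test_frac))
    return rows[:cut], rows[cut:]

def fit_scaler(train):
    """Assumption (not in the paper): z-score parameters, fitted on the training set only."""
    cols = zip(*[r[:-1] for r in train])
    return [(statistics.mean(c), statistics.pstdev(c)) for c in cols]

def scale(rows, scaler):
    """Apply the training-set mean and deviation to every feature; keep the label."""
    return [[(v - m) / s for v, (m, s) in zip(r[:-1], scaler)] + [r[-1]] for r in rows]

def knn_predict(train, x, k=5):
    """Majority vote among the k nearest training flows (Euclidean distance)."""
    nearest = sorted(train, key=lambda r: math.dist(r[:-1], x))[:k]
    return int(2 * sum(r[-1] for r in nearest) > k)

def run():
    rows, kept = drop_constant(clean(make_flows()))
    train, test = split(rows)
    scaler = fit_scaler(train)
    train, test = scale(train, scaler), scale(test, scaler)
    hits = sum(knn_predict(train, r[:-1]) == r[-1] for r in test)
    return len(rows), kept, len(train), len(test), hits / len(test)

if __name__ == "__main__":
    print(run())
```

Fitting the scaler on the training set only keeps information from the testing set out of the model, so the measured accuracy is not inflated.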

C. EXPERIMENTAL ANALYSIS:
The efficiency of the ML algorithms used in the suggested system was assessed in an SDN test environment based on Mininet and the Ryu controller.

Fig 4: Architecture of SDN Testbed.

A simple SDN network consisting of 18 hosts, 6 switches and a controller was emulated using Mininet and the Ryu controller. Mininet is a standard tool used to emulate SDN networks, and the Ryu controller is a Python-based programmable controller used in research on SDN networks. Although all of these applications were installed in various virtual machines, the proposed work uses only one physical computer to emulate the MNE and the Ryu controller. The proposed architecture works as follows. The Flow Collector is an application program that runs in the controller. It collects network traffic flows and delivers them to a trained ML model, which detects whether a flow represents an attack or normal traffic and presents the result to the controller.

Fig 5: Emulated SDN network topology (H: host, C: controller, S: switch).

A simple web server (SimpleHTTPServer) runs on any of the hosts, and the DDoS attacks are performed against that web server. The attacks are generated with the standard tool hping3, which can be used to perform TCP-SYN, UDP and ICMP attacks. During the DDoS attacks, the web server is hosted on one host, the attack is generated from another host, and one more host is used to observe the reachability of the web server while the attack is in progress. Each trained ML algorithm is evaluated in the SDN testbed in the same manner.

IV. RESULT ANALYSIS
The performance of the machine learning algorithms in the proposed work is analysed using recall, accuracy and F1-score. Accuracy describes the success of the ML algorithm. The recall metric is employed to differentiate between true positives and false negatives as well as to identify true negatives. In addition, the F1-score is a calculation of the weighted mean between precision and recall.

A. Accuracies of Machine Learning Models:

Machine learning model    Accuracy of detection (%)
Decision Tree             99.95
Random Forest             99.99
KNN                       97.99
SVM                       66.07

Table 1: Accuracy of ML models.

B. Recall Comparison of Machine Learning Models:
All the ML models in the proposed work achieved the same recall value, which is 99.99.

Fig 6: Recall comparison ML Models

F1-score comparison of Machine Learning Models:
All the ML models in the proposed work achieved the same F1-score, which is 99.99.

Fig 7: F1-score comparison of Machine learning models

V. CONCLUSION AND FUTURE WORK
DDoS attacks have become very sophisticated in recent times, as well as much larger. In this work we present a flexible solution using ML techniques for detecting DDoS attacks in SDN. Large volumes of data are pre-processed and used to train ML algorithms, namely KNN, SVM, DT and RF. The trained algorithms were evaluated in a simulated SDN network. Of these algorithms, Random Forest and Decision Tree showed the best results. In future, the work will focus on increasing the scalability of the network and on the mitigation of attacks in the SDN network. Thus, the suggested system can be useful for identifying DDoS attacks in SDN.

REFERENCES
[1]. N. M. Yungaicela-Naula, C. Vargas-Rosales, and J. A. Perez-Diaz, "SDN-based architecture for transport and application layer DDoS attack detection by using machine and deep learning." (Base Paper)
[2]. M. P. Novaes, L. F. Carvalho, J. Lloret, and M. L. Proenca, "Long short-term memory and fuzzy logic for anomaly detection and mitigation in software-defined network environment," IEEE Access, vol. 8, pp. 83765–83781, 2020.
[3]. M. Idhammad, K. Afdel, and M. Belouch, "Semi-supervised machine learning approach for DDoS detection," Appl. Intell., vol. 48, no. 10, pp. 3193–3208, 2018.
[4]. N. N. Tuan, P. H. Hung, N. D. Nghia, N. V. Tho, T. V. Phan, and N. H. Thanh, "A DDoS attack mitigation scheme in ISP networks using machine learning based on SDN," Electronics, vol. 9, no. 3, p. 413, Feb. 2020.
[5]. T. V. Phan, T. M. R. Gias, S. T. Islam, T. T. Huong, N. H. Thanh, and T. Bauschert, "Q-MIND: Defeating stealthy DoS attacks in SDN with a machine-learning based defense framework," in Proc. IEEE Global Commun. Conf. (GLOBECOM), Dec. 2019, pp. 1–6.
[6]. X. Liang and T. Znati, "A long short-term memory enabled framework for DDoS detection," in Proc. IEEE Global Commun. Conf. (GLOBECOM), Dec. 2019, pp. 1–6.
[7]. M. M. Salim, S. Rathore, and J. H. Park, "Distributed denial of service attacks and its defenses in IoT: A survey," J. Supercomput., vol. 76, pp. 5320–5363, Jul. 2019.
[8]. K. Srinivasan, A. Mubarakali, A. S. Alqahtani, and A. D. Kumar, "A survey on the impact of DDoS attacks in cloud computing: Prevention, detection and mitigation techniques," in Intelligent Communication Technologies and Virtual Mobile Networks. Cham, Switzerland: Springer, 2019, pp. 252–270.
[9]. D. Gurusamy, M. Deva Priya, B. Yibgeta, and A. Bekalu, "DDoS risk in 5G enabled IoT and solutions," Int. J. Eng. Adv. Technol., vol. 8, no. 5, pp. 1574–1578, 2019.
[10]. Kaspersky. (2021). Kaspersky Q4 2020 DDoS Attacks Report. [Online]. Available: https://securelist.com/ddos-attacks-in-q4-2020/100650/
[11]. A. Praseed and P. S. Thilagam, "DDoS attacks at the application layer: Challenges and research perspectives for safeguarding web applications," IEEE Commun. Surveys Tuts., vol. 21, no. 1, pp. 661–685, 1st Quart., 2019.
[12]. J. C. Correa Chica, J. C. Imbachi, and J. F. Botero Vega, "Security in SDN: A comprehensive survey," J. Netw. Comput. Appl., vol. 159, Jun. 2020, Art. no. 102595.
[13]. N. Sultana, N. Chilamkurti, W. Peng, and R. Alhadad, "Survey on SDN based network intrusion detection system using machine learning approaches," Peer-Peer Netw. Appl., vol. 12, no. 2, pp. 493–501, Jan. 2019.
[14]. Anusuya Ramasamy, M. Sundar Rajan, and J. R. Arunkumar, "Segmentation of Spatial and Geometric Information from Floorplans using CNN Model," Turkish Journal of Computer and Mathematics Education, vol. 12, no. 9, pp. 1909–1920, 2021.
[15]. R. Swami, M. Dave, and V. Ranga, "Software-defined networking-based DDoS defense mechanisms," ACM Comput. Surv., vol. 52, no. 2, p. 28, 2019.
[16]. C. Birkinshaw, E. Rouka, and V. G. Vassilakis, "Implementing an intrusion detection and prevention system using software-defined networking: Defending against port-scanning and denial-of-service attacks," J. Netw. Comput. Appl., vol. 136, pp. 71–85, Jun. 2019.
[17]. P. Wang, L. T. Yang, X. Nie, Z. Ren, J. Li, and L. Kuang, "Data-driven software defined network attack detection: State-of-the-art and perspectives," Inf. Sci., vol. 513, pp. 65–83, Mar. 2020.
[18]. M. Idhammad, K. Afdel, and M. Belouch, "Semi-supervised machine learning approach for DDoS detection," Appl. Intell., vol. 48, no. 10, pp. 3193–3208, 2018.
[19]. Rajan, M.S., Arunkumar, J.R., Anusuya, R., Mesfin, A. (2021). Earliest-Arrival Route: A Global Optimized Communication for Networked Control Systems. vol 384. Springer, Cham. https://doi.org/10.1007/978-3-030-80621-7_10.
[20]. Arunkumar, J. R., Anusuya, R., Rajan, M. S., & Prabhu, M. R. (2020). Underwater wireless information transfer with compressive sensing for energy efficiency. Wireless Personal Communications, 113(2), 715–725.
[21]. Priyadarshini and R. K. Barik, "A deep learning based intelligent framework to mitigate DDoS attack in fog environment," J. King Saud Univ.-Comput. Inf. Sci., pp. 1–7, Apr. 2019.
[22]. V. Punitha, C. Mala, and N. Rajagopalan, "A novel deep learning model for detection of denial of service attacks in HTTP traffic over internet," Int. J. Ad Hoc Ubiquitous Comput., vol. 33, no. 4, pp. 240–256, 2020.
[23]. P. Nirmala, T. Manimegalai, J. R. Arunkumar, S. Vimala, G. Vinoth Rajkumar, Raja Raju, "A Mechanism for Detecting the Intruder in the Network through a Stacking Dilated CNN Model," Wireless Communications and Mobile Computing, vol. 2022, Article ID 1955009, 13 pages, 2022. https://doi.org/10.1155/2022/1955009.
[24]. M. S. Elsayed, N.-A. Le-Khac, S. Dev, and A. D. Jurcut, "DDoSNet: A deep-learning model for detecting network attacks," in Proc. IEEE 21st Int. Symp. 'A World Wireless, Mobile Multimedia Netw.' (WoWMoM), Aug. 2020, pp. 391–396.
[25]. Prathima, C., Muppalaneni, N.B., Kharade, K.G. (2022). Deduplication of IoT Data in Cloud Storage. In: Satyanarayana, C., Gao, XZ., Ting, CY., Muppalaneni, N.B. (eds) Machine Learning and Internet of Things for Societal Issues. Advanced Technologies and Societal Change. Springer, Singapore. https://doi.org/10.1007/978-981-16-5090-1_13
[26]. Muppalaneni, N.B., Prathima, C. (2021). A Secure Smart Shopping Cart Using RFID Tag in IoT. In: Shakya, S., Balas, V.E., Haoxiang, W., Baig, Z. (eds) Proceedings of International Conference on Sustainable Expert Systems. Lecture Notes in Networks and Systems, vol 176. Springer, Singapore. https://doi.org/10.1007/978-981-33-4355-9_52
[27]. Dr. Sivakumar C. (2023), "Design of Acceptance Sampling based Network Intrusion Detection system using Deep Learning Techniques," Journal of Survey in Fisheries Sciences, 10(1S), 3817–3821.
[28]. C. Silpa, Dr. I. Suneetha, Dr. G. Reddy Hemantha, Ram Prakash Reddy Arava, Y. Bhumika, "Medication Alarm: A Proficient IoT-Enabled Medication Alarm for Age Old People to the Betterment of their Medication Practice," Journal of Pharmaceutical Negative Results, vol. 13, no. 4, pp. 1041–1046, Nov. 2022.
[29]. Goluguri, N.V.R., Suganya Devi, K., Prathima, C.H., "Infectious diseases of Rice plants classified using a deep learning-powered Least Squares Support Vector Machine Model," Indian Journal of Computer Science and Engineering, 2022, 13(5), pp. 1640–1659.
[30]. Chilukuri, JRA Kumar, R Anusuya, MR Prabhu, "Auto Encoders and Decoders Techniques of Convolutional Neural Network Approach for Image Denoising In Deep Learning," Journal of Pharmaceutical Negative Results, 13(4), 1036–1040, 2022.