A Collaborative Approach to Detecting DDoS Attacks in SDN

Using Entropy and Deep Learning

:Introduction.1

Software-defined networking (SDN) offers a centralized approach to network infrastructure,

separating the traffic forwarding process from the control process. This separation allows for
programmable configurations and centralized network behavior management through open
APIs. However, SDN’s centralized nature introduces risks, particularly from Distributed Denial
.of Service (DDoS) attacks, which aim to disrupt services by overwhelming network resources

Despite numerous studies using classification algorithms to combat DDoS attacks, challenges
remain in achieving effective detection rates and handling large traffic volumes. Recent
research focuses on AI-driven methods, especially machine and deep learning, though some
.unsupervised learning approaches have proven less accurate

This study proposes an entropy-based mechanism to detect suspicious switches in the SDN
control plane and a deep learning model to identify potential attacker machines by analyzing
packet data. The approach integrates entropy and deep learning modules to enhance
detection precision and provide robust defenses against unknown threats. The contributions
:include

.An entropy-based detection method for the control plane •

Machine and deep learning modules for DDoS attack identification •

.A multi-feature selection mechanism for traffic analysis •

.A comprehensive performance evaluation of the proposed methods •

The article is structured into four sections: related research, the proposed model, results,
.and conclusions

:Related Work .2

Numerous studies have been conducted on DDoS attack detection using various
methodologies, achieving high accuracy rates. For example, deep neural networks applied to
the CICIDS 2017 dataset reached 97.59% accuracy, while methods employing k-nearest
neighbors and k-means achieved 97.53%. Several approaches utilize entropy-based
techniques to identify anomalies through network feature distributions, with enhancements
like ensemble learning and hybrid models integrating machine learning for improved
precision. Some frameworks focus on the control plane, using machine learning algorithms
such as SVM, random forest, and deep learning to detect attacks. Others implement cross-
plane methods combining data and control planes for more accurate detection. Various
studies highlight the importance of feature selection and hybrid models for increased
detection rates and efficiency. Despite high accuracy rates, these methods often use
standard datasets and lack a focus on feature selection techniques. The current study aims to
address these gaps by incorporating the in SDN dataset and multi-feature selection methods
.to enhance DDoS detection
:Proposed Methodology .3

The proposed system integrates entropy-based anomaly detection with deep learning to
identify DDoS attacks in SDN environments. The process begins with entropy computation of
source IP addresses in a 50-packet window to detect anomalous behaviors. When entropy
drops below a threshold (0.5) for 10 consecutive instances, the system flags the associated
.switches for further analysis

A deep learning module captures traffic from these switches for three seconds and classifies
it using models trained on the SDN dataset. The system iteratively combines entropy and
.deep learning for proactive detection

:Key components

Entropy Module: Calculates the randomness of source IPs using the entropy formula. •
.Anomalies are flagged when entropy remains below 0.5 for 10 consecutive windows

Data Preprocessing: Involves cleaning, normalizing, and augmenting the SDN dataset for •
.training the model

Feature Selection: Employs SelectKBest, ANOVA F-value scores, and random forest •
.importance scores to select the top 10 out of 81 features

Deep Learning Module: Utilizes MLP, CNN, and LSTM models to classify traffic as normal or •
malicious. The models are trained on the SDN dataset and tested with real-time traffic in
.Mininet using the Ryu controller

This system offers a robust methodology for detecting DDoS attacks by leveraging statistical
and machine learning techniques, ensuring precise identification of malicious traffic in SDN
.environments

Results and Discussion .4

The evaluation of the proposed system was conducted using the Mininet emulator in an SDN
environment with a leaf-spine topology, consisting of three OpenFlow switches and 20 hosts,
managed by the Ryu controller. Normal and abnormal traffic, including spoofed IP addresses,
.was generated using the hping3 tool

Machine Learning Results .4.1

Machine learning algorithms were used to detect attacks on suspicious switches identified
through entropy-based anomaly detection. The SDN dataset, processed and reduced to the
.top 10 features, was employed for training

.Logistic Regression (LR): Achieved an accuracy of 94.6% •

.Decision Tree Classifier: Reached an accuracy of 96.8% •

.Random Forest (RF) Classifier: Outperformed others with an accuracy of 98.2% •

Deep Learning Results .4.2

Deep learning models—LSTM, CNN, and MLP—were evaluated for their ability to capture
.complex patterns and handle high-dimensional data in network traffic

LSTM Model: Achieved the highest accuracy of 99.83%, showcasing superior capability in •
capturing temporal relationships in the data. Its memory mechanism is effective in retaining
.long-term dependencies, essential for detecting anomalies in network traffic

CNN and MLP Models: Also demonstrated strong performance but were outperformed by •
.LSTM

Deep learning, particularly the LSTM model, outperformed traditional machine learning
models in DDoS attack detection, achieving higher accuracy. Consequently, the LSTM model
is employed for real-time detection in the proposed system, enhancing the overall detection
.process and reducing lead time for identifying DDoS attacks in SDN environments

Conclusions .5

Software-Defined Networking (SDN) offers a centrally controlled and programmable

architecture that provides flexibility in network management. However, security concerns
remain a significant challenge in SDN environments. This research addresses the issue by
.proposing a two-module approach for detecting DDoS attacks in SDN networks

Entropy Module: Deployed in the control plane, this module identifies suspicious switches •
and hosts by monitoring entropy levels. A drop in entropy indicates potential anomalies,
.leading to the identification of suspicious network behavior

Deep Learning Module: This module further analyzes the test data from suspicious •
switches using deep learning algorithms such as MLP, CNN, and LSTM. It performs feature
.extraction and classifies the traffic to detect DDoS attacks

The system achieved an impressive average accuracy of 99.83% in detecting various types of
DDoS flooding attacks, including UDP, TCP-SYN, and ICMP. The evaluation demonstrated that
deep learning techniques provide superior performance in terms of accuracy and model loss,
.validating the effectiveness of the proposed approach

Future Work: The next step involves implementing the proposed mechanism within a real-
time SDN testbed based on the OpenStack cloud, to further validate its efficacy in practical,
.large-scale network environments