2024 IEEE International Conference on Blockchain and Distributed Systems Security (ICBDS)
Pune, India. Oct 17 - 19, 2024
Implementation of QOS in SDN and Distributed
Networks for mitigation of DDOS based attacks using
2024 IEEE International Conference on Blockchain and Distributed Systems Security (ICBDS) | 979-8-3503-5434-8/24/$31.00 ©2024 IEEE | DOI: 10.1109/ICBDS61829.2024.10837482
Machine Learning
Subhash Kumar*1
School of Computer Engineering and Technology,
MIT World Peace University,
Pune, India
[email protected]
Abstract: Distributed Denial Service of Service (DDoS) is very
sophisticated attack which brute-force packet jamming to a
network to render it useless, if done with large number of nodes.
It can be easily countered by a number of techniques such as load
balancing, rate limiting and many newer intelligent systems
techniques but attackers are continuously developing new
techniques to circumvent traditional defense mechanisms. The
Sophistication of the attack is determined by current defenses in
place and duration of attack. The use of DDoS attack is done on
distributed Network traffic by an attacker which might send more
traffic than a network card can handle or overwhelm an
application with more requests than it can process which might led
to not able to add legitimate user to the application With coming
of Web 3.0 the DDoS attack grown exponentially , So we are
proposing a Machine Learning based traffic filtering system by
which we can determine the legitimate user entering to our
application resources with encrypted HTTPS traffic. Pirated and
duplicate IP events filtering will lead to clean resources inside
Web3.0 and gaming environment which will improve the efficiency,
latency and performance of game and similar resources. We will
use QoS parameters in SDN parameters to define the network
governance and tuning mechanism so that application traffic is
correctly routed and prioritized. One of the major reasons to
propose this research is because right now the major rDDoS
attacks shifted from L3/L4 Network Layer to L7 Application layer
causing major increase in attack size ratio.
Keywords: DDoS, Software Defined Network (SDN), Distributed
Networks, Cyberattack, Quality of Service (QoS), IoT, Attack
Detection, Botnet, rDDoS, SMTP.
I. INTRODUCTION
The growth of big data, cloud computing, and other
emerging technologies is causing network traffic to increase
continuously. The demands of network scalability, management,
and flexibility are difficult for the traditional network
architecture, which is based on IP. The report lists several
protocols, such as TCP, ICMP, UDP, SYN, and HTTP, that can
be used to carry out DDoS assaults. DDoS attacks rely on
worldwide botnets that employ well-known attack tools, which
are often shared and reused among different groups across
various botnets. [1]
HTTP attacks, in particular, can be detected by scrutinizing
web server logs for abnormal or malicious requests and patterns.
These logs record crucial details such as request time, client IP
979-8-3503-5434-8/24/$31.00 ©2024 IEEE
Authorized licensed use limited to: VNR Vignana Jyothi Inst of Eng & Tech. Downloaded on February 20,2025 at 17:34:41 UTC from IEEE Xplore. Restrictions apply.
Dr. Kishor Kolhe*2
School of Computer Engineering and Technology,
MIT World Peace University,
Pune, India
[email protected]
address, requested resource, and server response, providing
insights into server performance and potential security threats.
Anomaly detection on HTTP is pivotal for cybersecurity,
aiming to identify irregular patterns that deviate from expected
behavior, indicative of attacks or performance issues. Machine
learning is increasingly leveraged in this realm due to its
capacity to discern new patterns. The research delves into using
machine learning techniques for anomaly detection in system
performance analysis. The study comprises of four sections:
1. Related works on anomaly detection for DDoS attacks
using machine learning.
2. Detailed explanation of the proposed method.
3. Performance results of various machine learning
algorithms.
4. Conclusion summarizing the research findings.
The core principle of the software-defined networking
(SDN) an innovative network architecture, lies in decoupling the
control and data planes, centralizing the network's state logically
and the abstraction of the controller from the underlying network
infrastructure. [2]
The emergence of SDN significantly enhances the network's
dynamism, controllability, extensibility, and manageability.
However, with the growing adoption of SDN applications,
security challenges have emerged as a critical area of research,
with distributed denial-of-service (DDoS) attacks standing out
as a major concern.
The study emphasizes how difficult it is to identify the
source of DDoS attacks because they might come from a variety
of sources. By examining network traffic patterns, Intrusion
Detection Systems (IDS) are essential in spotting and stopping
these types of assaults. They help identify the type of attacks and
provide advice on how to mitigate it, assisting organizations in
meeting their legal responsibilities and protecting confidential
information for data security.
Given the importance of promptly detecting and preventing
DDoS attacks, there is a pressing need to design robust IDS
capable of real-time detection and prevention. The study aims to
evaluate different intrusion detection and mitigation strategies to
combat DDoS attacks effectively. It also aims to provide insights
for creating more resilient and efficient IDS systems. Machine
1
Learning is actively used these days in this Anamoly detection
in network traffic and security in general to address the
challenges.
II. LITERATURE REVIEW
Anamoly Detection in Software Defined Networks and
Distributed Networks has been very interesting choice of
research among modern researchers. Nowadays, a lot of
researchers are interested in studying anomaly detection in
distributed networks and software-defined networks (SDNs). To
detect and categorize such anomalies, a variety of machine
learning algorithms have been used, such as Sequential Minimal
Optimization (SMO), Logistic Regression (LR), Random Forest
(RF), Decision Tree (DT), k-Nearest Neighbors (k-NN), Naive
Bayes (NB), Gradient Boosting (GB), Artificial Neural
Networks (ANN), Recurrent Neural Networks (RNN-IDS),
XGBoost (XGB), AdaBoost (AB), and Multi-Layer Perceptron
(MLP). Finding patterns in network data and separating typical
behavior from possible anomalies or malicious activity is the
main goal of these algorithms. In turn, this improves detection
capabilities and offers suggestions for responses for the
suggested framework meant to lessen the risks of DDoS attacks.
Previous research suggests Attacks based on HTTP and
HTTPS are used to categorized by various Machine learning
presented a comparison of Deep learning algorithms Neural
Networks [4]The experimental results show that k-NN has 99.40%
accuracy on KDD dataset with learning rate 0.1 on training
dataset but on testing dataset it is 83.38%., Also Neural Network
works better than ML algorithms according to them.
Deep learning has become popular in intrusion detection,
outperforming traditional methods. Techniques like deep neural
networks and self-taught learning have shown promising results
in detecting anomalies in software-defined networks. However,
current studies focus on deep learning's feature reduction ability,
using it for pre-training and relying on supervised models for
classification. Limited research has been done on deep learning's
performance in multiclass classification scenarios.[12] We
currently possess substantial data processing and computational
skills thanks to the continuous developments in Web 3.0 and the
21st century's emphasis on Big Data. This is when conventional
machine learning approaches are outperformed by deep learning
techniques. We are examining the publicly accessible CIDDS-
001 Week 1 dataset in this context, which is displayed in Fig. 1
and is being used by numerous cybersecurity researchers to
create ML and AI-driven methods.
Another research paper demonstrates comparison of
different machine learning algorithms for use case of IDS
(Intrusion Detection System). [3] This was a study that
examined Synchronize (SYN) flood attacks on the system, a
type of DDoS attack, compared various ML methods for binary
and multi-class categorization [3]. According to their study's
findings, the algorithm's accuracy is the greatest at 93.27%,
followed by ANN and NB algorithms, which have respective
accuracy rates of 94.85 and 95.52% [3].
Another study which was on Botnet detection for DDoS [7]
was using Machine learning techniques. The best result in their
precision score reaching 92.09% by SVM ML model. In this
study some machine learning comparative analysis is done for
classification results.
Fig. 2. Network traffic distribution on columns
Some previous research on SDN for DDoS is that the authors
propose a novel approach to efficiently manage resources in
Mobile Edge Computing (MEC) [10] servers while
incorporating cyber deception techniques. To protect MEC
infrastructure and entice prospective attackers, they incorporate
deception tactics, decision-making technologies, Software-
Defined Networking (SDN), Network Function Virtualization
(NFV), Service Function Chaining (SFC), and Network Slicing
(NS). To identify and reroute assaults, the approach uses cyber
deception data, such as request collection rates and fluctuations
in request counts. Also carefully considered are Quality of
Service (QoS) characteristics as latency, compute, storage, and
bandwidth resources. To improve the QoS for end devices, the
author suggested a novel MEC architecture that combines SFC,
NS, SDN, NFC, and a few additional decision-making
technologies. [10]
III. PROPOSED METHOD
The proposed method in Fig 3. is like a feedback loop will
follow of every machine learning classifier as whenever any
attack or malicious data is identified by machine learning model,
it will give continuous feedback to the model and then detection
and prevention will happen at respective stage.

Fig. 1. CIDDS-001 dataset analysis

2
Authorized licensed use limited to: VNR Vignana Jyothi Inst of Eng & Tech. Downloaded on February 20,2025 at 17:34:41 UTC from IEEE Xplore. Restrictions apply.

Fig. 3. Proposed ML based DDoS security Framework
The dataset is firstly examined to determine any duplicate
records and then for the balanced and imbalanced class so that
the overfitting and underfitting can be minimized and we can
determine the other techniques oversampling and under
sampling methods using SMOTE algorithms to address those
challenges. [5]
The minority instances are oversampled and rendered
equivalent to the majority class using the SMOTE algorithm.
There are the same number of records in both categories.
More precisely, the number of members of the minority class
has surpassed that of the majority class. View the accuracy and
recall outcomes following the application of the SMOTE
algorithm (oversampling). A balanced number of classes in the
dataset can be achieved by employing oversampling and
undersampling approaches to it for datasets that use feature
selection and random sampling. [12]
Each algorithm possesses unique strengths and the potential
to enhance detection accuracy and robustness in server log
analysis.
Fig. 4. Smote algorithm for class imbalance
The dataset captures the total number of majority class
samples (N-) and minority class samples (N+) respectively. A
threshold value(dth), is set to define the maximum degree of
class imbalance. [11]
The total number of synthetic samples to generate, G, is
calculated as G = (N- - N+) * β, where β = N+ / N-. For each
minority sample xi, the k-nearest neighbors are found using
3
Authorized licensed use limited to: VNR Vignana Jyothi Inst of Eng & Tech. Downloaded on February 20,2025 at 17:34:41 UTC from IEEE Xplore. Restrictions apply.
Euclidean distance, and a ratio ri is calculated as Δi/k, then
normalized to rx < = ri / ∑ ri.
The total number of synthetic samples to generate for each
xi is gi = rx * G. [11]
The synthetic samples are then iteratively created for each xi
up to gi in the same way as the SMOTE algorithm.
This Dataset is of a server log and it classifies sessions as
suspicious or not and we have to predict the right class. We are
trying to see what factors and feature knowledge are responsible
for malicious activities. Staring with preprocessing steps
followed by EDA which includes data cleaning and label
encoding, finding null values, finding correlation patterns in the
dataset.
Fig. 5. Data Preprocessing
The data preprocessing and cleaning is done rigorously and
firstly the data is trained on decision tree classifier to find the
feature importance and then on the basis the model got built that
we can have our customized model which gives better
confidence in finding DDoS attack patterns. [7]
Data Preprocessing led to conversion of some of attributes.
The Bytes variable is an object data type and the model would
not recognize it as a number. Therefore, we need to convert the
M attribute. We can clearly see the class imbalance problem as
per our dataset hence SMOTE has been used. Fig 4 suggests the
normal, suspicious and unknown class for the dataset.
Fig. 6. Data class information
We applied SMOTE algorithm on the dataset after train and
test split of dataset. The data then got balanced for all the classes,
in this way we can know there will be no issue of class
imbalance.
The Accuracy Paradox, Let's say that you are tackling a fraud
detection issue related to health insurance. In cases like these,
we typically find that out of 100 insurance claims, 99 are
legitimate and 1 is not. Therefore, a binary classifier model does lead to good results. Correlation Heatmap shows how each
not need to be complicated in order to attain a high accuracy of variable is correlated with class variable which we will try to
99% and forecast all outcomes as 0, which denotes non- predict. [8]
fraudulent. Clearly, the accuracy metric is biased and not
desirable in such situations where the class distribution is
skewed.
Resampling is a commonly used technique to address
unbalanced datasets of large size, while oversampling creates
fake data to balance the data, undersampling decreases the
majority class and may result in the loss of crucial data. There
are basically two types of approaches for this: i) undersampling
and ii) oversampling. In general, oversampling methods are
preferred over undersampling ones. The rationale is that when Fig. 8. Data correlation to find hidden patterns
we undersample, we frequently exclude data points that might
contain significant information. I am primarily discussing A list of several flag variables that are required in the
SMOTE and its related unique data augmentation oversampling networking field may be found in the Flags field. A "." is used
techniques in this paper. [13] whenever a specific flag is not set. In order to assist the model,
learn more quickly and build stronger relationships, we must
SMOTE is an oversampling technique that creates synthetic divide each column into individual variables for the flags.
samples for the minority class. This approach helps to solve the
overfitting problem caused by random oversampling. By Dropping some unnecessary columns and columns having a
focusing on the feature space, it uses interpolation between single value like flows and tos. In Fig 8. we have taken limited
positively aligned examples to generate new instances. features to make the model for detection of DDoS attack or
Intrusion. [7]

Fig. 9. Feature Importance

IV. EXPERIMENTAL RESULTS

Fig. 7. After using SMOTE for solving class imbalance
After analyzing the all five models in both Machine Learning
and Neural Network we found that Decision Tree work really
DDoS attacks are becoming a more serious danger to any well to determine the rate of Intrusion in DDoS attack and
organization that depends on connectivity. There are a number classifies very well and also did not generalized.
of ways to defend against DDoS attacks, but the out-of-path
technique to identify and stop the attacks is the most economical.
The components of such a solution include traffic rerouting for
a mitigation in third-party solutions from vendors like Radware,
F5, or A10, among others, and Flowmon DDoS Defender for
out-of-path DDoS attack detection based on flow data. [6] Thus
far, we have discussed the physical surroundings and hardware
equipment. But moving into SDN/NFV virtual environments is
the trend, and these environments typically don't come with
built-in DDoS detection and mitigation tools.
Let’s now find data hidden patterns with correlation among
all the attributes. All the green ones are highly correlated so that Fig. 10. Decision Tree classification report
Duration and Dark First Seen attribute are highly correlated. We
can see that majority of the data is suspicious sessions so our
model will learn better on classify suspicious class which will

4
Authorized licensed use limited to: VNR Vignana Jyothi Inst of Eng & Tech. Downloaded on February 20,2025 at 17:34:41 UTC from IEEE Xplore. Restrictions apply.

Fig. 11. Confusion Matrix of the model built for checking TP, FP, TN and FN.
Below is the Formula of Information Gain and Entropy that
is used to determine the loss and accuracy in Decision Tree
models. [9]
x Information Gain: A statistical characteristic
x evaluates the degree to which a certain attribute
distinguishes the training samples based on their
intended classification.
x Entropy: measures purity of collection of data
x Entropy is calculated as -p+ log₂ p+ - p- log₂ p-
x Gain(S, A) = Entropy(S) - Σ [(|Sv| / |S|) *
Entropy(Sv)], where Sv represents subsets of S based
on the attribute A.
x Entropy = 0 indicates that all training data points
belong to the same class.
x Entropy = 1 means the training dataset has an equal
number of positive and negative samples.
x 0 < Entropy < 1 implies that the training dataset has an
unequal number of positive and negative samples.
Fig. 12.
Comparison of Model Accuracy
V. CONCLUSION AND FUTURE WORK
There are several advantages of utilizing machine learning
methods for anomaly detection in server logs. It assists in
5
Authorized licensed use limited to: VNR Vignana Jyothi Inst of Eng & Tech. Downloaded on February 20,2025 at 17:34:41 UTC from IEEE Xplore. Restrictions apply.
spotting odd behaviors or trends that could point to security
lapses, like attempted illegal access or possible cyberattacks.
This experiment employs five algorithms to detect anomalies in
server logs LR, k-NN, SVM, DT, RF, and ANN—to identify
anomalies in server logs. To get a balanced number of classes in
the dataset, oversampling and undersampling techniques are
appropriate. The studies' results show that the RF algorithm
performs best on datasets that employ random sampling and
feature selection. The F1-score, recall, accuracy, and precision
measures all remain at 97.348%.
On the other hand, depending too much on artificial methods
such as oversampling and undersampling may induce biases or
distort the original distribution of data.
This transition from device-based application delivery and
security to network-wide services is driven by attack detection
and mitigation. Organizations can get more effective, adaptable,
and scalable security management by utilizing SDN as an
enabling architecture. By improving network visibility and
control, this strategy enables the entire infrastructure to react
dynamically to new threats.
It is now evident from this research that the distributed
denial-of-service (DDoS) attack we are facing is well-planned
and beyond the capabilities of the security tools we now have.
Even though DDoS attacks are becoming more common, our
company lacks the necessary skills to handle anything this big.
With a sharp increase in malicious web and DNS queries, DDoS
attacks are moving more and more to the application layer,
namely targeting HTTP/S. As more services shift to web
applications, the threat of web DDoS attacks is increasing due
to the deployment of sophisticated botnets and new attack tools.
REFERENCES
[1] B. Paharia and K. Bhushan, ‘‘A comprehensive review of distributed
denial of service (DDoS) attacks in fog computing environment,’’ in
Handbook of Computer Networks and Cyber Security: Principles and
Paradigms, 2020, pp. 493–524.
[2] Q. Liao, H. Li, S. Kang, and C. Liu, ‘‘Application layer DDoS attack
detection using cluster with label based on sparse vector decomposition
and rhythm matching,’’ Secur. Commun. Netw., vol. 8, no. 17, pp. 3111–
3120, Nov. 2015.
[3] L. Lv, W. Wang, Z. Zhang, and X. Liu, ‘‘A novel intrusion detection
system based on an optimal hybrid kernel extreme learning machine,’’
Knowl.- Based Syst., vol. 195, May 2020, Art. no. 105648.
[4] C. Yin, Y. Zhu, J. Fei, and X. He, ‘‘A deep learning approach for intrusion
detection using recurrent neural networks,’’ IEEE Access, vol. 5, pp.
21954–21961, 2017.
[5] S. Behal and K. Kumar, ‘‘Trends in validation of DDoS research,’’ Proc.
Comput. Sci., vol. 85, pp. 7–15, Jan. 2016.
[6] A. E. Cil, K. Yildiz, and A. Buldu, ‘‘Detection of DDoS attacks with feed
forward based deep neural network model,’’ Expert Syst. Appl., vol. 169,
May 2021, Art. no. 114520.
[7] M. Motylinski, Á. MacDermott, F. Iqbal, and B. Shah, ‘‘A GPU-based
machine learning approach for detection of botnet attacks,’’ Comput.
Secur., vol. 123, Dec. 2022, Art. no. 102918.
[8] A. B. d. Neira, A. M. d. Araujo, and M. Nogueira, “An intelligent system
for DDoS attack prediction based on early warning signals,” IEEE Trans.
Netw. Service Manag., vol. 20, no. 2, pp. 1254–1266, Jun. 2023.
[9] D. M. Sharif, H. Beitollahi, and M. Fazeli, “Detection of application-layer
DDoS attacks produced by various freely accessible toolkits using
machine learning,” IEEE Access, vol. 11, pp. 51810–51819, 2023.
[10] N. Agrawal and S. Tapaswi, “Defense mechanisms against DDoS attacks
in a cloud computing environment: State-of-the-art and research
 challenges,” IEEE Commun. Surv. & Tuts., vol. 21, no. 4, pp. 3769–3795,
Fourth Quarter 2019.
[11] K. Wang, D. Du, S. Maharjan, and Y. Sun, “Strategic honeypot game
model for distributed denial of service attacks in the smart grid,” IEEE
Trans. Smart Grid, vol. 8, no. 5, pp. 2474–2482, Sep. 2017.
[12] S. K. Khattab, C. Sangpachatanaruk, D. Mosse, R. Melhem, and T. Znati,
“Roaming honeypots for mitigation service-level denial-of-service
attacks,” in Proc. 24th Int. Conf. Distrib. Comput. Syst., 2004, pp. 328–
337.
[13] Li Z , Jin H , Zou D , et al. Exploring New Opportunities to Defeat Low-
Rate DDoS Attack in Container-Based Cloud Environment[J]. IEEE
Transactions on Parallel and Distributed Systems, 2019, PP(99):1-1.

6
Authorized licensed use limited to: VNR Vignana Jyothi Inst of Eng & Tech. Downloaded on February 20,2025 at 17:34:41 UTC from IEEE Xplore. Restrictions apply.