A two-phase detection method against APT attack on flow table management in SDN

The Journal of Supercomputing

Abstract

Long-term occupation of the flow table can occur under the flow table management mechanism of software-defined networking (SDN), and such occupation is a prerequisite for APT attacks. In existing research, the task of detecting these APT attacks is mainly undertaken by the controller, which results in high computation overhead. To address this problem, this paper proposes a two-phase detection method for APT attacks on flow table management (TMAF). First, suspicious flow entries are pre-detected in the SDN switch according to the periodicity of their packets. Second, five-dimensional features of the suspicious flow entries are selected according to the load and frequency characteristics of their packets and then fed to a BP (back-propagation) neural network on the controller for further analysis. Experiments show that TMAF reduces the controller's load and improves detection efficiency and accuracy compared to existing works. Additionally, the potential risk of APT attacks can be reduced to a certain extent.
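The abstract describes the two phases but not their concrete rules. The following is an added example, not code from the paper, showing one way a switch-side phase-1 pre-filter and a phase-2 feature vector could be built. Everything specific in it is an assumption: the `FlowRecord` structure (per-flow packet timestamps and payload sizes recorded next to the entry's `idle_timeout`), the use of the coefficient of variation of inter-arrival times as the periodicity measure, the "refresh band" that flags packets arriving just under the idle timeout, the threshold values, and the particular five features; the paper's own feature set is not stated on this page.

```python
"""Phase-1 pre-filter for periodically refreshed flow entries, plus a phase-2
feature vector for a controller-side classifier.

Added example, not the paper's code.  Assumptions (also stated in the lead-in):
a switch-side monitor records per-flow packet arrival timestamps and payload
sizes; the entry's idle_timeout is known; periodicity is measured by the
coefficient of variation (CV) of inter-arrival times; "refresh just before
expiry" is the mean inter-arrival as a fraction of idle_timeout.  Thresholds
and the five features are illustrative choices for this example.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass
class FlowRecord:
    match: str                       # constructed label, e.g. "10.0.0.2->10.0.0.9:80"
    idle_timeout: float              # seconds, from the installed flow entry
    arrivals: List[float] = field(default_factory=list)   # packet timestamps (s)
    sizes: List[int] = field(default_factory=list)        # payload sizes (bytes)

    def inter_arrivals(self) -> List[float]:
        return [b - a for a, b in zip(self.arrivals, self.arrivals[1:])]


def periodicity_score(rec: FlowRecord) -> float:
    """CV of inter-arrival times: 0 means perfectly periodic, large means bursty."""
    gaps = rec.inter_arrivals()
    if len(gaps) < 2:
        return float("inf")
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def is_suspicious(rec: FlowRecord, min_packets: int = 6, max_cv: float = 0.15,
                  refresh_band: Tuple[float, float] = (0.6, 1.0)) -> bool:
    """Assumed phase-1 rule: enough packets, nearly periodic, and a period that
    sits just under idle_timeout, so each packet resets the timer and keeps the
    entry resident.  A fast periodic flow (VoIP-like) is periodic but not in the
    refresh band, so it is not flagged; a bursty web flow fails the CV test."""
    if len(rec.arrivals) < min_packets:
        return False
    ratio = mean(rec.inter_arrivals()) / rec.idle_timeout
    lo, hi = refresh_band
    return periodicity_score(rec) <= max_cv and lo <= ratio < hi


def features(rec: FlowRecord) -> Tuple[float, float, float, float, float]:
    """Five load/frequency features handed to the controller-side classifier.
    These five are an assumption for the example, not the paper's feature set."""
    duration = rec.arrivals[-1] - rec.arrivals[0]
    return (
        float(len(rec.arrivals)),                              # packet count
        mean(rec.sizes),                                       # mean payload size
        pstdev(rec.sizes),                                     # payload size spread
        len(rec.arrivals) / duration if duration > 0 else 0.0,  # packets per second
        periodicity_score(rec),                                # inter-arrival regularity
    )


def prefilter(records: List[FlowRecord]) -> Dict[str, Tuple[float, ...]]:
    """Switch-side step: only flagged entries are described to the controller."""
    return {r.match: features(r) for r in records if is_suspicious(r)}


def sample_records() -> List[FlowRecord]:
    """Constructed sample flows (not captured data)."""
    keepalive = FlowRecord("10.0.0.2->10.0.0.9:80", idle_timeout=10.0,
                           arrivals=[0.0, 8.9, 17.9, 26.8, 35.8, 44.7, 53.7, 62.6],
                           sizes=[40] * 8)                      # one tiny packet every ~9 s
    web = FlowRecord("10.0.0.3->10.0.0.9:443", idle_timeout=10.0,
                     arrivals=[0.0, 0.05, 0.12, 0.13, 0.9, 1.4, 1.45, 3.0],
                     sizes=[120, 1400, 1400, 300, 1400, 800, 60, 60])  # bursty
    voip = FlowRecord("10.0.0.4->10.0.0.5:5004", idle_timeout=10.0,
                      arrivals=[i * 0.02 for i in range(8)],
                      sizes=[172] * 8)                          # periodic but fast
    short = FlowRecord("10.0.0.6->10.0.0.9:22", idle_timeout=10.0,
                       arrivals=[0.0, 9.0, 18.0], sizes=[64] * 3)  # too few packets
    return [keepalive, web, voip, short]


if __name__ == "__main__":
    for match, vec in prefilter(sample_records()).items():
        print(match, [round(v, 3) for v in vec])
```

Only the keep-alive flow survives the pre-filter, so the controller receives one five-element vector instead of per-packet state for every entry, which is the load reduction the abstract attributes to doing phase 1 in the switch.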



Data availability

Not applicable.


Funding

Natural Science Foundation of Hebei Province (F2021201049).

Author information

Contributions

Mr. He and Mr. Sun wrote the main manuscript text. Mr. Sun did experiments and prepared figures and tables. All authors reviewed the manuscript.

Corresponding author

Correspondence to Shuchao Sun.

Ethics declarations

Conflict of interest

All the authors declare that they have no conflict of interest.

Ethical approval

Not applicable.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.


Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

He, X., Sun, S. A two-phase detection method against APT attack on flow table management in SDN. J Supercomput 79, 15415–15434 (2023). https://doi.org/10.1007/s11227-023-05281-5

