Abstract
In software-defined networking (SDN), the flow table management mechanism allows flow entries to occupy a switch's flow table for a long time, and such long-term occupation is a prerequisite for APT attacks. In existing research the detection of these APT attacks is mostly carried out by the controller, which imposes a high computational overhead on it. To address this problem, this paper proposes a two-phase detection method for APT attacks on flow table management (TMAF). First, suspicious flow entries are pre-detected in the SDN switch from the periodicity of the packets that match them. Second, five-dimensional features of each suspicious flow entry are selected according to the load and frequency characteristics of its packets and then fed to a back-propagation (BP) neural network on the controller for further analysis. Experiments show that TMAF reduces the controller's load and improves detection efficiency and accuracy compared to existing work, and thereby reduces the potential risk of APT attacks to a certain extent.
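The two-phase split described above can be sketched in Python. This is an added, illustrative example and not the authors' TMAF code: it assumes the attacker keeps an entry resident by sending one packet shortly before the entry's idle timeout would expire, tests periodicity with the coefficient of variation of packet inter-arrival gaps plus the requirement that the mean gap sit just under idle_timeout, and defines five load/frequency features of its own. The thresholds (cv_max, near_timeout, min_packets), the FlowEntry structure, the feature definitions and the sample packet timings are all assumptions made here; the paper's actual feature set and BP classifier are not reproduced.

```python
"""Illustrative switch-side pre-detection of flow entries kept alive by periodic
low-rate traffic, plus feature extraction for a controller-side classifier.
Added example; not the TMAF implementation from the paper."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass
class FlowEntry:
    """Per-entry counters a switch-side agent could keep (assumed structure)."""
    match: str              # human-readable match, e.g. "10.0.0.2->10.0.0.9/tcp/443"
    idle_timeout: float     # seconds, as installed by the controller
    arrivals: List[float]   # timestamps (s) of packets that hit this entry
    payload_bytes: List[int]  # payload size of each of those packets


def interarrival(ts: List[float]) -> List[float]:
    return [b - a for a, b in zip(ts, ts[1:])]


def periodicity_score(ts: List[float]) -> Optional[float]:
    """Coefficient of variation of the inter-arrival gaps: 0.0 for a perfect
    metronome, None when there are too few gaps to judge."""
    gaps = interarrival(ts)
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def is_suspicious(flow: FlowEntry, cv_max: float = 0.1,
                  near_timeout: float = 0.5, min_packets: int = 4) -> bool:
    """Phase one (switch side). Flag an entry whose packets arrive at a nearly
    constant interval that sits just under idle_timeout: the pattern that keeps
    the entry resident without carrying real traffic. A regular heartbeat far
    below the timeout is deliberately not flagged. Thresholds are assumptions."""
    if len(flow.arrivals) < min_packets:
        return False
    cv = periodicity_score(flow.arrivals)
    if cv is None or cv > cv_max:
        return False
    avg_gap = mean(interarrival(flow.arrivals))
    return flow.idle_timeout * near_timeout <= avg_gap < flow.idle_timeout


def features(flow: FlowEntry) -> Dict[str, float]:
    """Phase-two input: five load/frequency features of a suspicious entry for a
    controller-side classifier. These five are illustrative, not the paper's."""
    gaps = interarrival(flow.arrivals)
    duration = flow.arrivals[-1] - flow.arrivals[0]
    mean_gap = mean(gaps)
    mean_payload = mean(flow.payload_bytes)
    return {
        "packet_rate": len(flow.arrivals) / duration if duration > 0 else 0.0,
        "gap_to_timeout": mean_gap / flow.idle_timeout,
        "gap_cv": pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0,
        "mean_payload": mean_payload,
        "payload_cv": pstdev(flow.payload_bytes) / mean_payload if mean_payload > 0 else 0.0,
    }


# Constructed sample traffic (not captured data); idle_timeout is 10 s for all.
KEEPALIVE_ATTACK = FlowEntry("10.0.0.2->10.0.0.9/tcp/443", 10.0,
                             [0.0, 9.5, 19.0, 28.5, 38.0], [4, 4, 4, 4, 4])
BENIGN_BURSTY = FlowEntry("10.0.0.3->10.0.0.9/tcp/80", 10.0,
                          [0.0, 0.1, 0.3, 0.35, 2.0, 2.1, 5.5],
                          [512, 1460, 1460, 300, 1460, 900, 64])
BENIGN_HEARTBEAT = FlowEntry("10.0.0.4->10.0.0.9/udp/5000", 10.0,
                             [0.0, 1.0, 2.0, 3.0, 4.0, 5.0], [32] * 6)


def pre_detect(flows: List[FlowEntry]) -> Dict[str, Dict[str, float]]:
    """Run phase one over all entries and return the feature vectors that would
    be forwarded to the controller for the suspicious entries only."""
    return {f.match: features(f) for f in flows if is_suspicious(f)}


if __name__ == "__main__":
    for match, vec in pre_detect([KEEPALIVE_ATTACK, BENIGN_BURSTY, BENIGN_HEARTBEAT]).items():
        print(match, vec)
```

Running the module reports only the keep-alive entry and its feature vector. The heartbeat flow is there to show why the switch-side test is on the gap relative to idle_timeout and not on regularity alone: a legitimate periodic application would otherwise be sent to the controller on every cycle, which defeats the purpose of filtering in the switch in the first place.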
Data availability
Not applicable.
Funding
Natural Science Foundation of Hebei Province (F2021201049).
Contributions
Xinfeng He and Shuchao Sun wrote the main manuscript text. Shuchao Sun performed the experiments and prepared the figures and tables. All authors reviewed the manuscript.
Ethics declarations
Conflict of interest
All the authors declare that they have no conflict of interest.
Ethical approval
Not applicable.
About this article
Cite this article
He, X., Sun, S. A two-phase detection method against APT attack on flow table management in SDN. J Supercomput 79, 15415–15434 (2023). https://doi.org/10.1007/s11227-023-05281-5