
A Novel Feature-Based DDoS Detection and Mitigation Scheme in SDN Controller Using Queueing Theory

Wireless Personal Communications

Abstract

Software-defined networking (SDN) has attracted great interest as an emerging paradigm that aims to centralize the configuration of network devices by decoupling the control layer from the data layer. One considerable challenge in SDN is protecting against multiple attacks generated by distributed denial of service (DDoS) bots that attempt to make SDN controllers unavailable. The goal of this research is to propose a novel scheme to detect and mitigate DDoS attacks on SDN controllers using traffic monitoring. In addition, the advantages of a queueing-theory-based model are exploited to evaluate the arrival flows, and, leveraging robust features and entropy, a distance-based classification is designed to accurately distinguish malicious packets from legitimate packets. The experimental results vividly demonstrate that our proposed detection scheme effectively yields high accuracy as well as highly efficient controller utilization.

Corresponding author

Correspondence to Ahmad Salahi.

Cite this article

Tahmasebi, ., Salahi, A. & Pourmina, M.A. A Novel Feature-Based DDoS Detection and Mitigation Scheme in SDN Controller Using Queueing Theory. Wireless Pers Commun 117, 1985–2006 (2021). https://doi.org/10.1007/s11277-020-07954-3

  • DOI: https://doi.org/10.1007/s11277-020-07954-3
