Abstract
The security threats to software-defined networks (SDNs) have become a significant problem, generally because of the open framework of SDNs. Among all the threats, distributed denial-of-service (DDoS) attacks can have a devastating impact on the network. We propose a method to discover DDoS attack behaviors in SDNs using a feature-pattern graph model. The feature-pattern graph model presented employs network patterns as nodes and similarity as weighted links; it can demonstrate not only the traffic header information but also the relationships among all the network patterns. The similarity between nodes is modeled by metric learning and the Mahalanobis distance. The proposed method can discover DDoS attacks using a graph-based neighborhood classification method; it is capable of automatically finding unknown attacks and is scalable by inserting new nodes to the graph model via local or global updates. Experiments on two datasets prove the feasibility of the proposed method for attack behavior discovery and graph update tasks, and demonstrate that the graph-based method to discover DDoS attack behaviors substantially outperforms the methods compared herein.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Albin E, Rowe NC, 2012. A realistic experimental comparison of the Suricata and Snort intrusion-detection systems. Proc 26th Int Conf on Advanced Information Networking and Applications Workshops, p.122–127. https://doi.org/10.1109/WAINA.2012.29
AlEroud A, Alsmadi I, 2017. Identifying cyber-attacks on software defined networks: an inference-based intrusion detection approach. J Netw Comput Appl, 80:152–164. https://doi.org/10.1016/j.jnca.2016.12.024
Antikainen M, Aura T, Särelä M, 2014. Spook in your network: attacking an SDN with a compromised OpenFlow switch. Proc 19th Nordic Conf on Secure IT Systems, p.229–244. https://doi.org/10.1007/978-3-319-11599-3_14
Aziz MZA, Okamura K, 2017. Leveraging SDN for detection and mitigation SMTP flood attack through deep learning analysis techniques. Int J Comput Sci Netw Secur, 17(10):166–172.
Bawany NZ, Shamsi JA, Salah K, 2017. DDoS attack detection and mitigation using SDN: methods, practices, and solutions. Arab J Sci Eng, 42(2):425–441. https://doi.org/10.1007/s13369-017-2414-5
Braga R, Mota E, Passito A, 2010. Lightweight DDoS flooding attack detection using NOX/OpenFlow. Proc IEEE Local Computer Network Conf, p.408–415. https://doi.org/10.1109/LCN.2010.5735752
Chung CJ, Khatkar P, Xing TY, et al., 2013. NICE: network intrusion detection and countermeasure selection in virtual network systems. IEEE Trans Depend Sec Comput, 10(4):198–211. https://doi.org/10.1109/TDSC.2013.8
de Oliveira RLS, Schweitzer CM, Shinoda AA, et al., 2014. Using Mininet for emulation and prototyping software-defined networks. Proc IEEE Colombian Conf on Communications and Computing, p.1–6. https://doi.org/10.1109/ColComCon.2014.6860404
Fan ZJ, Xiao Y, Nayak A, et al., 2019. An improved network security situation assessment approach in software defined networks. Peer-to-Peer Netw Appl, 12(2):295–309. https://doi.org/10.1007/s12083-017-0604-2
Fiadino P, D’Alconzo A, Schiavone M, et al., 2015. Challenging entropy-based anomaly detection and diagnosis in cellular networks. ACM SIGCOMM Comput Commun Rev, 45(4):87–88. https://doi.org/10.1145/2829988.2790011
Giotis K, Argyropoulos C, Androulidakis G, et al., 2014. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Comput Netw, 62:122–136. https://doi.org/10.1016/j.bjp.2013.10.014
Goldberger J, Roweis S, Hinton G, et al., 2004. Neighbourhood components analysis. Proc 17th Int Conf on Neural Information Processing Systems, p.513–520.
Klöti R, Kotronis V, Smith P, 2013. OpenFlow: a security analysis. Proc 21st IEEE Int Conf on Network Protocols, p.1–6. https://doi.org/10.1109/ICNP.2013.6733671
Kobayashi TH, Batista AB, Brito AM, et al., 2007. Using a packet manipulation tool for security analysis of industrial network protocols. Proc IEEE Conf on Emerging Technologies and Factory Automation, p.744–747. https://doi.org/10.1109/EFTA.2007.4416847
Kreutz D, Ramos FM, Veríssimo PE, et al., 2015. Software-defined networking: a comprehensive survey. Proc IEEE, 103(1):14–76. https://doi.org/10.1109/JPROC.2014.2371999
Nguyen HV, Bai L, 2010. Cosine similarity metric learning for face verification. Proc 10th Asian Conf on Computer Vision, p.709–720. https://doi.org/10.1007/978-3-642-19309-5_55
Niyaz Q, Sun WQ, Javaid AY, 2017. A deep learning based DDoS detection system in software-defined networking (SDN). EAI Endorsed Trans Secur Safety, 4(12):e2. https://doi.org/10.4108/eai.28-12-2017.153515
Roesch M, 1999. Snort: lightweight intrusion detection for networks. Proc 13th USENIX Conf on System Administration, p.229–238.
Scott-Hayward S, O’Callaghan G, Sezer S, 2013. SDN security: a survey. IEEE SDN for Future Networks and Services, p.1–7. https://doi.org/10.1109/SDN4FNS.2013.6702553
Shalimov A, Zuikov D, Zimarina D, et al., 2013. Advanced study of SDN/OpenFlow controllers. Proc 9th Central & Eastern European Software Engineering Conf in Russia, Article 1. https://doi.org/10.1145/2556610.2556621
Shen C, Kim J, Wang L, 2010. Scalable large-margin ma-halanobis distance metric learning. IEEE Trans Neur Netw, 21(9):1524–1530. https://doi.org/10.1109/TNN.2010.2052630
Shiravi A, Shiravi H, Tavallaee M, et al., 2012. Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput Secur, 31(3):357–374. https://doi.org/10.1016/j.cose.2011.12.012
van Erven T, Harremos P, 2014. Rényi divergence and Kullback-Leibler divergence. IEEE Trans Inform Theory, 60(7):3797–3820. https://doi.org/10.1109/TIT.2014.2320500
Wang B, Zheng Y, Lou WJ, et al., 2015. DDoS attack protection in the era of cloud computing and software-defined networking. Comput Netw, 81:308–319. https://doi.org/10.1016/j.comnet.2015.02.026
Wang R, Jia ZP, Ju L, 2015. An entropy-based distributed DDoS detection mechanism in software-defined networking. Proc IEEE Trustcom/BigDataSE/ISPA, p.310–317. https://doi.org/10.1109/Trustcom.2015.389
Wu QS, Ferebee D, Lin YY, et al., 2009. An integrated cyber security monitoring system using correlation-based techniques. Proc IEEE Int Conf on System of Systems Engineering, p.1–6.
Xu Y, Liu Y, 2016. DDoS attack detection under SDN context. Proc 35th Annual IEEE Int Conf on Computer Communications, p.1–9. https://doi.org/10.1109/INFOCOM.2016.7524500
Yan Q, Yu FR, Gong QX, et al., 2016. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: a survey, some research issues, and challenges. IEEE Commun Surv Tutor, 18(1):602–622. https://doi.org/10.1109/COMST.2015.2487361
Yu S, Guo S, Stojmenovic I, 2012. Can we beat legitimate cyber behavior mimicking attacks from botnets? Proc IEEE INFOCOM, p.2851–2855. https://doi.org/10.1109/INFCOM.2012.6195714
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Ya XIAO, Zhi-jie FAN, Amiya NAYAK, and Cheng-xiang TAN declare that they have no conflict of interest.
Additional information
Project supported by the National Key R&D Program of China (Nos. 2017YFB0802300 and 2017YFC0803700)
Rights and permissions
About this article
Cite this article
Xiao, Y., Fan, Zj., Nayak, A. et al. Discovery method for distributed denial-of-service attack behavior in SDNs using a feature-pattern graph model. Frontiers Inf Technol Electronic Eng 20, 1195–1208 (2019). https://doi.org/10.1631/FITEE.1800436
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1631/FITEE.1800436
Key words
- Software-defined network
- Distributed denial-of-service (DDoS)
- Behavior discovery
- Distance metric learning
- Feature-pattern graph