Related work
This section surveys prior research from two perspectives: DDoS attacks against the OpenFlow
switch and DDoS attacks against the controller. Before doing so, it gives an overview of the SDN
architecture, of DDoS attacks in general, and of the strategies used to predict them.
SDN Architecture
SDN consists of three layers: the application layer, the control layer (control plane) and the
data plane, also called the infrastructure layer. The application layer sits at the top and
comprises the application logic together with several northbound interfaces (NBIs). The control
layer occupies the centre of the network and comprises the NBIs, the control-to-data-plane
interfaces (CDPIs) and the control logic. The data plane sits at the bottom of the structure and
comprises several CDPIs and the forwarding engines (Blial et al., 2016). Through the NBIs, the
application layer communicates its network requirements to the controller, while the control
layer passes the observed network behaviour, events and statistics up to the applications,
giving them an abstract view of the whole network. The CDPIs, or southbound interface, let the
network devices in the infrastructure layer communicate with the control layer: the data layer
reports its statistics, events and notifications upward, and in turn the control layer pushes
its requirements down to the network devices in the data layer, which forward traffic according
to the rules set by the control plane (Li, Chen and Fu, 2019). Management and administration
elements are responsible for assigning static tasks to each plane (data, application and
control). Service-level agreements and contracts (SLAs) are defined in the topmost element, the
application layer. Finally, the design includes multiple coordinators, spread across the control
and data planes, which set up the isolation and sharing configuration between the two layers.
OpenFlow Switch
The OpenFlow switch is an instance of a data-layer device. It exposes an open protocol, the
OpenFlow protocol, which lets researchers program the flow table built into networking devices.
Users can insert their own procedures and security models, and can even deploy their own
addressing scheme in place of the current IP protocol. They can also isolate their experimental
flows from the network's production flows, so that new ideas can be deployed and tested without
interference. The switch has three main parts: the flow table, the secure channel and the
OpenFlow protocol. A switch holds several flow tables, and each table holds several flow
entries. Every entry has three fields. The first is the packet header, which identifies the flow
(Priya and Radhika, 2019); it holds information such as the Ethernet source address, Ethernet
destination address, Ethernet type, IP source address, IP destination address and the TCP source
and destination port numbers. The second field lists the actions that tell the switch how to
handle packets of that flow. The third field holds statistics about the flow, such as the number
of packets, the number of bytes and the time elapsed since the last packet matched the flow. The
secure channel is the part of the switch that carries instructions and packets between the
switch and the controller in a protected setting. The last part is the OpenFlow protocol itself,
which provides a standard, open path for communication between the controller and the switch.
The switch can take one of three actions on a flow. The first is to forward the flow to a
particular port so that its packets reach the intended destination; this applies when the table
already holds a rule saying how to handle the flow. The second is to encapsulate the first packet
of each flow and forward it to the controller over the secure channel; this happens when the flow
table holds no entry, and therefore no stored action, for processing the flow. Forwarding only
the first packet of each flow to the controller keeps the processing overhead at the controller,
which is the bottleneck of the system, low; in the alternative arrangement, every packet of every
flow is forwarded to the controller for processing (Bholebawa and Dalal, 2018). Once the
controller has processed the flow, its response is sent back and stored in the corresponding flow
entry. The third action is to drop the flow, which is used to prevent attacks such as DDoS or to
discard forged traffic sent by end users. These rules and actions are installed in the data layer
by the controller. The controller can install them proactively, or it can install them reactively
in response to reports or notifications from the switches when an incoming packet matches no
existing rule.
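The following Python model, added here as an illustration and not taken from any of the cited papers, shows the flow-table structure and the three switch actions described above: each entry carries a header match, an action and a statistics field, and a packet that matches no entry is encapsulated to the controller. The header field names, the constructed packets and the addresses are assumptions for the example.

```python
"""Minimal model of an OpenFlow switch flow table and its three actions (added
example; not code from any cited study).  Each FlowEntry has the three fields
the text describes: a header match, an action, and per-entry statistics."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FlowEntry:
    match: Dict[str, object]           # header fields to compare; omitted fields are wildcards
    action: Tuple[str, Optional[int]]  # ("forward", port) | ("controller", None) | ("drop", None)
    priority: int = 0
    packet_count: int = 0              # statistics field: packets matched
    byte_count: int = 0                # statistics field: bytes matched
    last_match: float = 0.0            # statistics field: time of last match

    def matches(self, header: Dict[str, object]) -> bool:
        return all(header.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)   # highest priority wins

    def lookup(self, header: Dict[str, object]) -> Optional[FlowEntry]:
        for entry in self.entries:
            if entry.matches(header):
                return entry
        return None


class Switch:
    """Applies the matching entry's action; on a table miss, raises PACKET_IN."""

    def __init__(self) -> None:
        self.table = FlowTable()
        self.packet_in: List[Dict[str, object]] = []  # headers encapsulated to the controller
        self.out: Dict[int, int] = {}                  # output port -> packets forwarded
        self.dropped = 0

    def process(self, header: Dict[str, object], size: int, now: float) -> str:
        entry = self.table.lookup(header)
        if entry is None:
            self.packet_in.append(header)              # table miss: send to controller
            return "controller"
        entry.packet_count += 1
        entry.byte_count += size
        entry.last_match = now
        kind, port = entry.action
        if kind == "forward":
            self.out[port] = self.out.get(port, 0) + 1
        elif kind == "controller":
            self.packet_in.append(header)
        else:                                          # "drop"
            self.dropped += 1
        return kind


def demo() -> Tuple[List[str], Switch]:
    """Constructed scenario: one forwarding rule, one higher-priority drop rule,
    and three packets of which the last matches nothing (hypothetical addresses)."""
    sw = Switch()
    sw.table.add(FlowEntry({"ip_dst": "10.0.1.10", "tcp_dst": 80}, ("forward", 2), priority=10))
    sw.table.add(FlowEntry({"ip_src": "203.0.113.7"}, ("drop", None), priority=20))
    packets = [
        ({"eth_type": 0x0800, "ip_src": "10.0.0.1", "ip_dst": "10.0.1.10", "tcp_dst": 80}, 500),
        ({"eth_type": 0x0800, "ip_src": "203.0.113.7", "ip_dst": "10.0.1.10", "tcp_dst": 80}, 60),
        ({"eth_type": 0x0800, "ip_src": "10.0.0.2", "ip_dst": "10.0.1.20", "tcp_dst": 22}, 120),
    ]
    results = [sw.process(h, n, now=float(i)) for i, (h, n) in enumerate(packets)]
    return results, sw


if __name__ == "__main__":
    print(demo()[0])   # ['forward', 'drop', 'controller']
```

The priority sort is what lets the drop rule override the broader forwarding rule, which is how a controller-installed drop action blocks a misbehaving source without touching the rule that serves legitimate clients.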
Overview of DDoS Attack
This kind of attack prevents legitimate users from accessing a service, and it is therefore
called a denial-of-service (DoS) attack. In a typical case the attacker sends service requests to
the enterprise, for example to register with the company or to obtain connections to instances of
its legitimate services. These requests overwhelm the company's server, which is then unable to
deliver the service to other legitimate users. In another form of the attack, several machines
are used to carry out a DoS attack. A company's network links many essential machines, so if an
attacker gains access to one or more of them, that access can be abused to launch a DoS attack
against other systems in the same network subnet (Alieyan et al., 2016). When the attack is
extensive, the attacker takes over a large number of machines and uses all of them to carry out
the DoS. This form of DoS attack is called a distributed denial-of-service (DDoS) attack.
Fig 1: DDoS attack classification
Beyond this general picture, DDoS attacks are classified into two categories: bandwidth depletion
and resource depletion. A bandwidth depletion attack tries to overwhelm the network with large
volumes of network packets and is subdivided into amplification attacks and flooding attacks.
Amplification attacks take advantage of the IP broadcast feature found on most routers, while
flooding attacks exhaust the network's resources by sending excessive numbers of UDP or ICMP
packets (Cetinkaya, Ishii and Hayakawa, 2019). In an amplification attack the sending system uses
a broadcast IP address rather than a specific address as the destination, as in the Fraggle and
Smurf attacks. In a resource depletion attack, by contrast, the attacker exhausts the resources
of the targeted system itself. This can be done by attacking network protocols, as in Neptune, or
by crafting malformed packets and sending them over the network to the targeted machine.
DDoS attack detection
Strategies for detecting DDoS attacks fall into two categories: detection based on traffic
characteristics and detection based on traffic anomalies. The first gathers a number of attack
attributes and builds a database of DDoS attack attributes; whether the network is under DDoS
attack is then determined by comparing the statistics of the current network packets with the
contents of that database. Model reasoning, expert systems, feature matching and state
transitions are further techniques. These techniques are generally applied to build traffic
models, which analyse abnormal flow variations to decide whether the traffic is anomalous or
whether the server is under attack. The collection, filtering and processing of data for anomaly
detection are approached by various methods (Xu and Liu, 2016); machine learning and
statistical analysis are the two main ones. In machine-learning detection, an algorithm is
trained to update its filtering criteria continuously from the events on the network rather than
relying on a fixed filter.
One example of such a system is the neural network, which consists of many nodes processing data
in parallel. When the nodes, or neurons, are trained on a large amount of data, their collective
knowledge forms a pattern for processing similar information. A neural network has three main
kinds of layer: the input layer, the output layer and the hidden layers in the middle, which
process the input information. As more information is processed, the nodes learn more and the
pattern becomes more explicit. Since the algorithm drives the decision-making of such networks,
some widely used algorithms for network intrusion and anomaly detection are the multilayer
perceptron (MLP), K-means clustering (K-M), the Gaussian classifier (GAU) and the Markov model.
DDoS Attacks against the Controller
In the SDN structure the control function is assigned to the controller rather than to the
switch, and the controller is regarded as the brain of the network. With its help, high-level
rules can easily be applied across the network. The controller can add new rules to the
forwarding devices and modify the existing ones, and it carries out such changes by communicating
with the forwarding devices over a secure channel using the OpenFlow protocol. The integrity and
continuity of the information traffic are guaranteed by this channel; if the secure channel
fails, the link between the forwarding device and the controller is disrupted as well. DDoS
attacks against SDN are therefore usually aimed at this architecture. An attacker targeting an
SDN network is presented with three key targets, illustrated in the figure below: saturating the
resources of the controller, occupying the channel bandwidth between the switch and the
controller, and filling the switch tables with redundant flows (Mousavi and St-Hilaire, 2018).
In a DDoS attack on the controller, the attacker directs a huge number of packets at the switch
through user machines, making it hard for the controller to distinguish the traffic forwarded by
legitimate users from the traffic sent by attackers.
Fig 2: primary targets of DDoS attacks on SDN
The OpenFlow switch works by looking for a match in the flow table using the packet header
fields, such as the source IP address, source port, destination port and destination IP address.
If no matching entry is found, the packet is encapsulated and sent to the controller with a flow
request in a PACKET_IN message of the OpenFlow protocol. The controller then replies with an
OFPT_FLOW_MOD message containing the intended processing for the packet and the timeout of the
flow entry assigned to it in the table (Kuerban et al., 2016). As the number of packets sent to
the controller rises, the controller's resources (memory, bandwidth and CPU) are consumed,
preventing it from processing new flow requests for genuine new packets in the network and
causing the SDN architecture to collapse. Alshamrani et al. (2017) established that the existing
techniques for preventing such attacks are ineffective. Their study also assessed the impact of
misbehaviour and of novel flow attacks on SDN: it collected traffic information from the
forwarding devices in the data layer periodically and then used a machine-learning classification
algorithm to respond to the abrupt changes in traffic that occurred in the SDN structure during
the attack. The PACKET_IN messages exchanged between the forwarding device and the controller at
the time of the attack were used as the basis, and algorithms such as Support Vector Machine
(SVM), Naïve Bayes (NB) and J48 were used for classification. Latah and Toker (2018) detected
attacks by examining the packet arrival rate during the attack period: when the number of packets
arriving at the controller exceeded a set threshold, a review unit based on SVM was triggered to
predict DDoS flooding attacks.
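To make the two-stage scheme concrete (the arrival-rate gate of Latah and Toker above, feeding a classifier of the kind the anomaly-detection section describes), the following Python example is added here; it is an illustration, not code from either study. The PACKET_IN event format, the one-second window, the rate threshold and the stand-in decision rule used in place of a trained SVM are all assumptions, and the event stream is constructed for the example.

```python
"""Added example (not from any cited paper): a two-stage DDoS detector over
PACKET_IN events.  Stage one counts arrivals per one-second window and triggers
only above a rate threshold; stage two extracts statistical features from the
triggering window and applies a stand-in rule where a trained SVM would sit."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Event = Tuple[float, str, str, int]   # (time, src_ip, dst_ip, dst_port) taken from a PACKET_IN

RATE_THRESHOLD = 50     # PACKET_IN per window that triggers stage two (assumed value)
NEW_SRC_RATIO = 0.8     # stand-in decision boundary for the classifier (assumed value)


def windows(events: List[Event], width: float = 1.0) -> Dict[int, List[Event]]:
    """Group events into fixed-width time windows keyed by window index."""
    buckets: Dict[int, List[Event]] = defaultdict(list)
    for ev in events:
        buckets[int(ev[0] // width)].append(ev)
    return buckets


def features(window: List[Event]) -> Dict[str, float]:
    """Statistics of one window: arrival count, share of distinct sources,
    and the share of packets aimed at the single most popular target."""
    srcs = Counter(ev[1] for ev in window)
    dsts = Counter((ev[2], ev[3]) for ev in window)
    n = len(window)
    return {
        "rate": n,
        "unique_src_ratio": len(srcs) / n,
        "top_dst_share": dsts.most_common(1)[0][1] / n,
    }


def classify(f: Dict[str, float]) -> bool:
    """Stand-in for the trained classifier: flood windows are dominated by
    sources that each appear once and all aim at one target."""
    return f["unique_src_ratio"] >= NEW_SRC_RATIO and f["top_dst_share"] >= 0.5


def detect(events: List[Event]) -> List[Tuple[int, Dict[str, float]]]:
    """Return (window index, features) for every window flagged as an attack."""
    alerts = []
    for idx, win in sorted(windows(events).items()):
        if len(win) < RATE_THRESHOLD:          # stage one: rate gate
            continue
        f = features(win)                      # stage two: feature extraction
        if classify(f):
            alerts.append((idx, f))
    return alerts


def constructed_events() -> List[Event]:
    """Constructed PACKET_IN stream: a quiet window, a flood window from 200
    distinct spoofed sources, and a busy but benign window from 5 clients.
    Addresses are documentation ranges, not real hosts."""
    ev: List[Event] = []
    for i in range(20):                        # window 0: 4 clients, low rate
        ev.append((i * 0.05, f"10.0.0.{i % 4 + 1}", "10.0.1.10", 80))
    for i in range(200):                       # window 2: one packet per source
        ev.append((2.0 + i * 0.005, f"203.0.113.{i + 1}", "10.0.1.10", 80))
    for i in range(100):                       # window 4: high rate, few sources
        ev.append((4.0 + i * 0.008, f"10.0.0.{i % 5 + 1}", "10.0.1.10", 443))
    return ev


if __name__ == "__main__":
    for idx, f in detect(constructed_events()):
        print(f"attack suspected in window {idx}: {f}")
```

The busy benign window shows why the rate gate alone is not a detector: it exceeds the threshold but is not flagged, because its traffic comes from a handful of repeat sources. In a deployment the `classify` rule would be replaced by the model trained on labelled windows, with `features` extended to whatever tuple the model was trained on.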
Li et al. (2018) proposed a bidirectional recurrent neural network (RNN) approach covering all
layers of the SDN architecture to predict and block DDoS attacks. Although the proposed
technique, designed for real-time prediction and blocking of attacks, achieves an exceptional
level of precision, it may be ineffective in large networks in which more than one controller is
used. Overall, the assessed method can interrupt the coordinated operation of the controllers and
reduce the performance of the network.
DDoS Attacks against the OpenFlow Switch
The switch and its flow table are regarded as primary targets because they hold the forwarding,
administrative and access-control data. According to Li, Meng and Kwok (2016), attackers first
aim to disrupt the network's functionality through unauthenticated virtual or physical access to
the system. Because the OpenFlow switch has limited memory, it cannot store rules for every flow.
Packets arriving from unknown addresses require new rules to be added to the switch, so the
attacker sends a huge number of packets from unknown addresses within a short period. The
controller writes the rules required for these packets and sends them to the relevant flow table,
whose limited memory fills up in a short time, leaving no space to store rules for new flows and
thereby blocking the forwarding of legitimate traffic. Besides the flow table, the flow cache
memory is also a target of DDoS attacks.
When a packet arrives at an input port, a switch equipped with a responsive cache memory sends
the packet to the flow cache. The switch then searches the table for a matching flow; if a match
is found, the packet is sent from memory to the corresponding output port (Padmaja and
Vetriselvi, 2016). If no match is found, the packet is sent to the control channel in a PACKET_IN
message, and the controller responds with an OFPT_FLOW_MOD message whose idle_timeout and
hard_timeout define the rules for the packet and how long those rules remain in place. When the
switch receives the rules from the controller, the packet is processed and the rules generated by
the controller are stored in the forwarding table cache so that subsequent packets can be
handled. This mechanism leaves the OpenFlow switch exposed to DDoS attacks: the huge number of
packets sent to the SDN switch by malicious nodes is forwarded to the cache while the switch
waits for the controller response carrying the flow rules, and the packets from the malicious
nodes saturate the switch buffer, so that packets from legitimate users begin to be dropped
(Bholebawa and Dalal, 2016).
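The table-exhaustion mechanism described in the two paragraphs above (a reactive controller answering PACKET_IN with FLOW_MOD rules carrying idle_timeout and hard_timeout, and a table of fixed size) is simulated in the following Python example, added here and not drawn from any of the cited works. The table capacity, the timeout values, the flow key and the constructed traffic are assumptions chosen to make the effect visible: once unknown-source packets have filled the table, a legitimate new flow cannot be installed until idle entries expire.

```python
"""Added example (not from any cited paper): reactive rule installation into a
flow table of limited capacity, with OpenFlow-style idle_timeout/hard_timeout,
showing how a burst of unknown-source packets blocks a later legitimate flow."""
from typing import Dict, Tuple

FlowKey = Tuple[str, str, int]   # (ip_src, ip_dst, dst_port); assumed match fields


class SwitchTable:
    """Flow table with a fixed number of slots and per-entry timeouts."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.entries: Dict[FlowKey, dict] = {}

    def expire(self, now: float) -> int:
        """Remove entries whose idle_timeout or hard_timeout has elapsed."""
        dead = [k for k, e in self.entries.items()
                if now - e["last_hit"] >= e["idle"] or now - e["installed"] >= e["hard"]]
        for k in dead:
            del self.entries[k]
        return len(dead)

    def install(self, key: FlowKey, idle: float, hard: float, now: float) -> bool:
        if len(self.entries) >= self.capacity:
            return False                     # table full: the FLOW_MOD cannot be honoured
        self.entries[key] = {"installed": now, "last_hit": now, "idle": idle, "hard": hard}
        return True


class Controller:
    """Reactive controller: answers every PACKET_IN with a FLOW_MOD carrying timeouts."""

    def __init__(self, idle_timeout: float = 10.0, hard_timeout: float = 60.0) -> None:
        self.idle_timeout = idle_timeout     # assumed values
        self.hard_timeout = hard_timeout
        self.packet_in_count = 0

    def packet_in(self, key: FlowKey, now: float) -> Tuple[float, float]:
        self.packet_in_count += 1
        return self.idle_timeout, self.hard_timeout


class Switch:
    def __init__(self, capacity: int, controller: Controller) -> None:
        self.table = SwitchTable(capacity)
        self.controller = controller
        self.install_failed = 0

    def packet(self, key: FlowKey, now: float) -> str:
        """Returns 'forward' on a table hit, 'installed' after a successful
        FLOW_MOD, or 'dropped' when the table had no room for the new rule."""
        self.table.expire(now)
        entry = self.table.entries.get(key)
        if entry is not None:
            entry["last_hit"] = now
            return "forward"
        idle, hard = self.controller.packet_in(key, now)
        if self.table.install(key, idle, hard, now):
            return "installed"
        self.install_failed += 1
        return "dropped"


def simulate() -> Dict[str, object]:
    """Constructed scenario: one legitimate flow, a burst of 150 packets from
    distinct (documentation-range) sources into a 100-slot table, then a second
    legitimate flow both during the burst and after the idle timeout."""
    ctl = Controller()
    sw = Switch(capacity=100, controller=ctl)
    server = "10.0.1.10"
    before = sw.packet(("10.0.0.5", server, 443), 0.0)
    for i in range(150):
        sw.packet((f"203.0.113.{i + 1}", server, 80), 1.0 + i * 0.01)
    during = sw.packet(("10.0.0.6", server, 443), 3.0)
    after = sw.packet(("10.0.0.6", server, 443), 15.0)
    return {"before": before, "during": during, "after": after,
            "packet_in": ctl.packet_in_count, "install_failed": sw.install_failed,
            "table_size_after": len(sw.table.entries)}


if __name__ == "__main__":
    print(simulate())
```

Two defensive points follow directly from the model: a shorter idle_timeout frees slots sooner but raises the PACKET_IN load on the controller, and a per-source cap on reactive installs (applied in `Controller.packet_in`) would keep the burst from consuming every slot in the first place.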
Ye et al. (2018) collected network traffic information generated by the forwarding devices in
the data layer through the controller. The study extracted six-tuple characteristic values
related to DDoS attacks from the switch flow table and classified them with SVM. A high
prediction accuracy was achieved; however, the test accuracy for Internet Control Message
Protocol (ICMP) attack flows was found to be very low. Myint Oo et al. (2019) showed that
numerous security requirements arise because the controller directly manages several OpenFlow
switches in the data layer, and that the required protection is difficult to achieve with current
software and equipment that have not implemented the SDN structure. In short, a DDoS attack on
the OpenFlow switches in the data layer poses a substantial threat to the continuity of the SDN
network. Their work applied SVM with the C and G parameters optimized by a cross-validation
genetic algorithm (CV-GA) to predict attacks. Nanda et al. (2016) proposed applying
machine-learning algorithms trained on past network attack data to classify potential malicious
connections and targets promptly, in order to reduce or eliminate security threats. The study used
the C4.5, Decision Table (DT), Naïve Bayes and Bayesian Network algorithms and established that
predicting malicious users in the data layer with machine-learning algorithms is feasible.
Establishing the users' credentials would allow the SDN controller to generate quickly and
efficiently the new rules used to avert an attack, which is significant for the efficiency and
continuity of the network.
Jankowski and Amanowicz (2016) applied the machine-learning algorithms Learning Vector
Quantization (LVQ1) and Self-Organizing Maps (SOM), their improved versions Multi-pass
Self-Organizing Maps (M-SOM) and Hierarchical Learning Vector Quantization (H-LVQ1), and others
to predict and assess malicious events in the data layer. The study obtained the most promising
results with the H-LVQ1 algorithm, as opposed to SOM, LVQ1, M-SOM and the other algorithms
considered. Meti, Narayan and Baligar (2017) used a two-stage approach: in the first phase, the
K-Nearest Neighbours (KNN) and Naïve Bayes machine-learning algorithms, pre-trained to
distinguish between legitimate and attack traffic, were applied; the attacker was then detected
through a three-way service, and the detected attacker was blocked by generating an access
control list (ACL). Mowla, Doh and Chae (2018) proposed cognitive switch-based DDoS sensing and
mitigation in SDN-driven content delivery networks. The study used logistic regression and SVM
algorithms to classify traffic, and the classification introduced protective rules to the switch
to avert new types of flooding attacks and to predict and protect against every potential DDoS
attack. The research surveyed here focuses on DDoS attacks within the SDN structure and provides
machine-learning models supported by feature selection techniques to predict attacks. The goal
of developing a DDoS attack prediction system therefore rests on the high effectiveness of
machine learning for the SDN structure. Predicting attacks on the controller and on the switches
in the data layer, and identifying legitimate traffic at the time of an attack, is essential for
network continuity: if the system detects attack traffic at the controller, the controller can
promptly generate new rules for the switch tables in the data layer to avert the attack, which
offers a substantial advantage in attack prevention. Overall, the research proposes applying
feature selection techniques together with machine-learning models to predict DDoS attacks,
since this strategy would contribute substantially to prompt prediction of DDoS attacks in SDN
networks.
References
Alieyan, K., Kadhum, M.M., Anbar, M., Rehman, S.U. and Alajmi, N.K., 2016, October. An
overview of DDoS attacks based on DNS. In 2016 International Conference on
Information and Communication Technology Convergence (ICTC) (pp. 276-280).
IEEE.
Alshamrani, A., Chowdhary, A., Pisharody, S., Lu, D. and Huang, D., 2017, November. A
defence system for defeating DDoS attacks in SDN based networks. In Proceedings of
the 15th ACM International Symposium on Mobility Management and Wireless
Access (pp. 83-92).
Bholebawa, I.Z. and Dalal, U.D., 2016. Design and performance analysis of OpenFlow-enabled
network topologies using Mininet. International Journal of Computer and
Communication Engineering, 5(6), p.419.
Blial, O., Ben Mamoun, M. and Benaini, R., 2016. An overview of SDN architectures with
multiple controllers. Journal of Computer Networks and Communications, 2016.
Cetinkaya, A., Ishii, H. and Hayakawa, T., 2019. An overview on denial-of-service attacks in
control systems: Attack models and security analyses. Entropy, 21(2), p.210.
Jankowski, D. and Amanowicz, M., 2016. On the efficiency of selected machine learning
algorithms for intrusion detection in software-defined networks. International Journal
of Electronics and Telecommunications, 62(3), pp.247-252.
Kuerban, M., Tian, Y., Yang, Q., Jia, Y., Huebert, B. and Poss, D., 2016, August. FlowSec:
DOS attack mitigation strategy on SDN controller. In 2016 IEEE International
Conference on Networking, Architecture and Storage (NAS) (pp. 1-2). IEEE.
Latah, M. and Toker, L., 2018. A novel intelligent approach for detecting DoS flooding
attacks in software-defined networks. International Journal of Advances in Intelligent
Informatics.
Li, C., Wu, Y., Yuan, X., Sun, Z., Wang, W., Li, X. and Gong, L., 2018. Detection and
defence of DDoS attack based on deep learning in OpenFlow-based
SDN. International Journal of Communication Systems, 31(5), p.e3497.
Li, T., Chen, J. and Fu, H., 2019, April. Application scenarios based on SDN: an overview.
In Journal of Physics: Conference Series (Vol. 1187, No. 5, p. 052067). IOP
Publishing.
Li, W., Meng, W. and Kwok, L.F., 2016. A survey on OpenFlow-based Software Defined
Networks: Security challenges and countermeasures. Journal of Network and
Computer Applications, 68, pp.126-139.
Meti, N., Narayan, D.G. and Baligar, V.P., 2017, September. Detection of distributed denial
of service attacks using machine learning algorithms in software-defined networks. In
2017 International Conference on Advances in Computing, Communications and
Informatics (ICACCI) (pp. 1366-1371). IEEE.
Mousavi, S.M. and St-Hilaire, M., 2018. Early detection of DDoS attacks against
software-defined network controllers. Journal of Network and Systems Management, 26(3),
pp.573-591.
Mowla, N.I., Doh, I. and Chae, K., 2018. CSDSM: Cognitive switch-based DDoS sensing
and mitigation in SDN-driven CDNi word. Computer Science and Information
Systems, 15(1), pp.163-185.
Myint Oo, M., Kamolphiwong, S., Kamolphiwong, T. and Vasupongayya, S., 2019.
Advanced support vector machine-(ASVM-) based detection for distributed denial of
service (DDoS) attack on software-defined networking (SDN). Journal of Computer
Networks and Communications, 2019.
Nanda, S., Zafari, F., DeCusatis, C., Wedaa, E. and Yang, B., 2016, November. Predicting
network attack patterns in SDN using a machine learning approach. In 2016 IEEE
Conference on Network Function Virtualization and Software Defined Networks
(NFV-SDN) (pp. 167-172). IEEE.
Padmaja, S. and Vetriselvi, V., 2016, February. Mitigation of switch-DoS in a
software-defined network. In 2016 International Conference on Information Communication
and Embedded Systems (ICES) (pp. 1-5). IEEE.
Priya, A.V. and Radhika, N., 2019. Performance comparison of SDN OpenFlow
controllers. International Journal of Computer-Aided Engineering and
Technology, 11(4-5), pp.467-479.
Xu, Y. and Liu, Y., 2016, April. DDoS attack detection under SDN context. In IEEE
INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer
Communications (pp. 1-9). IEEE.
Ye, J., Cheng, X., Zhu, J., Feng, L. and Song, L., 2018. A DDoS attack detection method
based on SVM in a software-defined network. Security and Communication
Networks, 2018.
…