SDN Architecture
SDN mainly consists of three components: the application layer, the data plane (also known as the infrastructure layer), and the control plane. The application plane is located at the top and contains the application logic and the northbound interfaces (NBIs). The control plane sits in the middle and contains NBIs, control-data-plane interfaces (CDPIs), and the control logic. The data plane is located at the bottom of the design and contains CDPIs and the forwarding engines. The NBIs allow the application plane to communicate with the control plane: applications send their network requirements down to the controller, while the control plane sends the desired network behavior, events, and statistics up, offering applications an abstract view of the entire network. The CDPIs, or southbound interfaces, allow the network components in the infrastructure plane to communicate with the control plane. The data layer sends its statistics, events, notifications, and reports up to the control layer; in turn, the control layer sends its network requirements down to the network components in the data layer, and the data plane obeys the rules stipulated by the control plane. The management and administration element is responsible for static tasks across all planes, that is, the data plane, the control plane, and the application plane. Service-level agreements and contracts (SLAs) are configured within the last element, the application plane. Lastly, the design has multiple coordinators, spread across the control and data planes, which are responsible for setting up isolation and sharing configuration between the control and data planes.
OpenFlow Switch
The OpenFlow switch is an example of a data-plane element. It supports an open protocol, the OpenFlow protocol, which lets researchers program the flow tables in networking devices. Administrators can insert their own protocols and security paradigms, and can even add their own addressing strategy in place of the current IP model. They can also keep their research flows separate from the production flows, so that they can adopt and test new concepts without interfering with other traffic. The switch consists of three main parts: the flow table, the OpenFlow protocol, and the secure channel. A switch contains several flow tables, and every flow table contains several flow entries. Every entry in the table has three fields. The first field is the packet header, which identifies each flow; it holds information such as the Ethernet source address, the Ethernet type, the Ethernet destination address, the IP source address, the IP destination address, and the TCP port numbers (source and destination). The second field is the action, which tells the switch how to handle the packets of the matched flow. The third field holds statistics about the flow, such as the number of packets, the number of bytes, and the time since the last packet matched the flow. The secure channel is the part of the switch that carries instructions and packets back and forth between the switch and the controller in a secure environment. The final part is the OpenFlow protocol itself, which provides an open and standard way for the controller to communicate with the switch.
There are primarily three kinds of actions that the switch can execute. The first action forwards a flow to a particular port so that its packets reach their destination; this applies when the flow table already holds a rule for handling the received flow. The second action encapsulates only the first packet of each flow and forwards it to the controller over the secure channel; this happens only when the flow table holds no action for that flow. The first packet of each flow is encapsulated and forwarded, rather than every packet, mainly to reduce the overhead and the bottleneck at the controller; otherwise every packet of every flow would be sent to the controller for processing. After the controller processes the flow, its response is sent back and saved in the corresponding flow entry. The third action drops the flow; it is used to prevent attacks such as DDoS attacks, or to reduce fake broadcast traffic from end users. These rules and actions are installed in the data layer by the controller. The controller can install them proactively, that is, on its own accord, or reactively, in response to reports or notifications from switches when incoming packets match none of the existing rules.
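The flow-entry model and the three actions described above, as an added example (not code from the original text or from any OpenFlow implementation); all class and field names are hypothetical, and the headers are constructed sample values:

```python
"""Model of an OpenFlow switch flow table with the three actions described
above (forward to a port, send a table-miss to the controller, drop) and
reactive rule installation. Added example with hypothetical names."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class FlowEntry:
    match: dict        # header field -> required value; a missing field is a wildcard
    action: tuple      # ("forward", port) or ("drop",)
    packets: int = 0   # statistics field: packet count
    bytes: int = 0     # statistics field: byte count
    last_match: int = -1   # logical time of the last matching packet

    def matches(self, hdr: dict) -> bool:
        return all(hdr.get(k) == v for k, v in self.match.items())

class Switch:
    def __init__(self, controller):
        self.table: list = []          # flow entries, searched in order
        self.controller = controller
        self.packet_ins = 0            # how many packets were sent to the controller
        self.clock = 0

    def install(self, entry: FlowEntry) -> None:
        self.table.append(entry)       # used both proactively and reactively

    def lookup(self, hdr: dict) -> Optional[FlowEntry]:
        return next((e for e in self.table if e.matches(hdr)), None)

    def process(self, hdr: dict, size: int) -> str:
        self.clock += 1
        entry = self.lookup(hdr)
        if entry is None:
            # Table miss: only this first packet of the flow goes to the controller
            self.packet_ins += 1
            self.controller.packet_in(self, hdr)
            entry = self.lookup(hdr)
            if entry is None:
                return "drop"          # controller installed nothing for this flow
        entry.packets += 1
        entry.bytes += size
        entry.last_match = self.clock
        if entry.action[0] == "forward":
            return f"forward:{entry.action[1]}"
        return "drop"

class Controller:
    """Reactive controller: forwards by destination MAC, drops blocked sources."""
    def __init__(self, mac_to_port: dict, blocked_ips: set):
        self.mac_to_port = mac_to_port
        self.blocked_ips = blocked_ips

    def packet_in(self, switch: Switch, hdr: dict) -> None:
        if hdr["ip_src"] in self.blocked_ips:
            switch.install(FlowEntry({"ip_src": hdr["ip_src"]}, ("drop",)))
        elif hdr["eth_dst"] in self.mac_to_port:
            match = {k: hdr[k] for k in ("ip_src", "ip_dst", "tcp_dst")}
            switch.install(FlowEntry(match, ("forward", self.mac_to_port[hdr["eth_dst"]])))

def demo():
    """Constructed sample traffic: one legitimate flow and one from a blocked host."""
    sw = Switch(Controller({"aa:bb:cc:00:00:02": 2}, {"10.0.0.66"}))
    good = dict(eth_src="aa:bb:cc:00:00:01", eth_dst="aa:bb:cc:00:00:02", eth_type=0x0800,
                ip_src="10.0.0.1", ip_dst="10.0.0.2", tcp_src=40000, tcp_dst=80)
    bad = dict(good, eth_src="aa:bb:cc:00:00:66", ip_src="10.0.0.66")
    results = [sw.process(good, 100), sw.process(good, 100),
               sw.process(bad, 60), sw.process(bad, 60)]
    return results, sw.packet_ins, sw.table[0].packets, sw.table[0].bytes
```

Only the first packet of each flow reaches the controller; the second packet of each flow is handled by the installed entry, whose statistics fields count the matched packets and bytes.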
Overview of DDoS Attack
This form of attack leaves legitimate users unable to access services; hence it is classed as a DoS (Denial of Service) attack. In a typical case, the attacker sends service requests to an enterprise, for example to register with the company or to obtain connections to instances of the enterprise's legitimate services. The requests overwhelm the firm's server, which then cannot deliver the required services to other legitimate users. Another plausible attack instance is one in which several machines are used to carry out a DoS attack. The firm's network links numerous essential machines; hence, if an attacker gains access to one or more of the machines owned by the company, the attacker can abuse this to carry out a DoS attack against the other systems on the same network subnet. When the attack is extended in this way, with the attacker taking over numerous machines and using all of them to mount the DoS, it is described as a Distributed Denial of Service attack, DDoS.
DDoS attack types
• Resource depletion
• Bandwidth depletion
• Flooding attack
• Amplification attack
DoS attacks fall into two classes: bandwidth depletion and resource depletion. Bandwidth depletion is an attack that attempts to overwhelm the network with network packets. Bandwidth depletion attacks are classified into flooding and amplification attacks:
• Flooding attacks seek to overwhelm the network's resources by sending an excessive quantity of ICMP or UDP packets.
• Amplification attacks attempt to take advantage of the IP broadcast feature found on the majority of routers. This feature allows a sending system to specify a broadcast IP address, instead of a specific address, as the destination address. Smurf and Fraggle attacks are examples of such attacks [4].
In resource depletion attacks, the attacker exhausts the target system's resources. This attack may be conducted by attacking a network protocol (for example, Neptune or mail bomb) or by generating malformed packets (for example, Ping of Death, Apache2, Teardrop, Back, Land, etc.) and sending them over the network to the victim machine. A concise description of several of these attacks [5] is provided in Table I.
1) DDoS attack detection: The primary approaches for detecting DDoS attacks are classified as detection based on traffic features and detection based on traffic anomalies. The first approach collects numerous attack characteristics and builds a database of DDoS attack signatures; whether a network is under DDoS attack is determined by comparing the statistics of the current network packets against the contents of the database. Expert systems, model reasoning, feature matching, and state transition are the primary implementation methods. The second approach generally builds a traffic model and analyses abnormal flow variations to assess whether the traffic is abnormal and whether the server has been attacked. Fig. 2 depicts a flowchart for identifying DDoS attacks in different stages.
B. Software Defined Network
Deep packet analysis is possible via the complete network view available in the revolutionary SDN architecture [6]. It allows quick response and changes to traffic policies and procedures. SDN allows controllers with a global view of the network to act flexibly and in a timely manner, with quick, schedule-aware deployment and intelligent, service-aware scheduling.
While assuring network services and lowering implementation cost, the software defined network improves user experience and enables broader network rollout. Fig. 3 shows the software defined network architecture. It is clear that the architecture is divided into the application, controller, and data planes, which enables us to identify and mitigate attacks in SDN. Lin and Wang [7] offered a DDoS attack detection and defence technique based on SDN. Still, the system required three OpenFlow management tools to accomplish anomaly detection using the Flow standard, making implementation and operation
Yang et al. [8] described a strategy for combining flow statistics with IP entropy information. Using single-flow and IP entropy characteristic information together yields a more effective and precise detection result. While information entropy is adaptable and appropriate, it must be combined with other techniques to determine the threshold and the multi-element weight distribution.
The author of [9] suggested that, to detect DDoS attacks, the approach must analyse the features of each ICMP/TCP/UDP protocol using a trained ANN algorithm, which is difficult and ineffective. In [10], the author presented a strategy for identifying and preventing DDoS attacks in a large network; however, it is not suitable for simple implementation. [11] offers a DDoS attack detection system based on a logical database of source and destination IP addresses. When a DDoS attack occurs, it investigates the unusual properties of the source and destination IP addresses. It successfully verifies the DDoS attack using the non-parametric cumulative sum algorithm CUSUM, but the approach needs its threshold to be changed and set manually. Data entropy and the use of data-mining methods, among which the SOM methodology is most prominent, have been found to be the most important factors in DDoS detection in SDN networks. The SOM algorithm requires the number of neurons to be determined in advance because of the high false-positive rate of information entropy.
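The IP-entropy and CUSUM ideas from [8] and [11] above, worked through as an added example on constructed traffic (not code from those papers or from the original text); the window size, drift and threshold are illustrative assumptions, and the entropy is taken over destination IPs, which concentrate on the victim during a flood:

```python
"""Anomaly-based DDoS detection from controller-observed packet headers:
normalized Shannon entropy of destination IPs per window, then a one-sided
CUSUM on the entropy drop. Added example; parameters are assumptions."""
import math
from collections import Counter

def dst_ip_entropy(window):
    """Shannon entropy of destination IPs, normalized to [0, 1] by log2(window size)."""
    n = len(window)
    if n <= 1:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(window).values())
    return h / math.log2(n)

def learn_baseline(training_windows):
    """Mean entropy over attack-free windows: the threshold-setting step the text mentions."""
    return sum(dst_ip_entropy(w) for w in training_windows) / len(training_windows)

def cusum_detect(windows, baseline, drift=0.05, threshold=0.5):
    """One-sided CUSUM: accumulate how far entropy falls below the baseline.
    Returns (per-window entropies, index of the first alarmed window or None)."""
    s, alarm, entropies = 0.0, None, []
    for i, w in enumerate(windows):
        h = dst_ip_entropy(w)
        entropies.append(h)
        s = max(0.0, s + (baseline - h) - drift)   # drift tolerates small fluctuations
        if alarm is None and s > threshold:
            alarm = i
    return entropies, alarm

# Constructed sample traffic: 200 destination IPs per window.
def normal_window(seed):
    # Clients spread their requests evenly over 20 servers.
    return [f"10.0.1.{(i + seed) % 20}" for i in range(200)]

def attack_window():
    # 180 packets concentrate on one victim; 20 are background traffic.
    return ["10.0.1.5"] * 180 + [f"10.0.1.{i}" for i in range(20)]

def demo():
    """Returns the detector output for a stream with an attack and for a quiet stream."""
    baseline = learn_baseline([normal_window(s) for s in range(5)])
    quiet = [normal_window(s) for s in range(5, 10)]
    stream = quiet + [attack_window() for _ in range(3)]
    return cusum_detect(stream, baseline), cusum_detect(quiet, baseline)
```

The first attack window alone does not cross the threshold; the alarm fires on the second one, which is the trade-off the drift and threshold parameters control and why the text says the threshold must be set with care.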
1) Mininet and OpenFlow: Mininet is a virtual network emulator that simulates virtual network devices such as hosts, switches, controllers, and links. Mininet switches support OpenFlow for highly flexible custom routing and Software-Defined Networking, and its hosts run conventional Linux network software. Mininet makes it easier to conduct research, development, learning, prototyping, testing, and debugging on a laptop or other PC.
2.1. DDoS Attacks against the Controller
In the SDN architecture, control functions are taken from the switch and given to the controller, which is the brain of the network. Parent-level rules are easily applied to the network with the help of the controller. The controller can add new rules to the transmission devices and change the existing rules. It carries out these changes by communicating with the transmission devices over a secure channel using the OpenFlow protocol. The continuity and integrity of data traffic are ensured through this channel; if the secure channel breaks, the connection between the controller and the transmission devices breaks. The SDN architecture is therefore a target for DDoS attacks. While attacking an SDN network, the attacker has three main targets, as shown in Figure 1: to consume the resources of the controller, to occupy the bandwidth of the channel between the controller and the switch, and to fill the flow tables in the switch with unnecessary flows. In DDoS attacks against the controller, the attacker sends a large number of packets to the OpenFlow switch via zombie hosts. It is difficult for the controller to differentiate between traffic sent by the attacker and legitimate traffic.
The OpenFlow switch looks for a match in its flow entries by checking the packet header (source port, destination port, source IP address, destination IP address, etc.). If there is no match, the packet is forwarded to the controller by encapsulating the packet header in a flow request, the OpenFlow protocol (OFPT) PACKET_IN message. The controller then responds with an OFPT_FLOW_MOD message, which carries the action to be applied to the packet and the timeout of the flow entry assigned to the packet [8]. As the number of packets forwarded to the controller increases, the resources of the controller (bandwidth, memory, and CPU) are consumed, new flow entries for the new legitimate packets arriving at the network cannot be processed, and the SDN architecture collapses. Alshamrani et al. [9] claim that the existing mechanisms to prevent DDoS attacks are not effective. Accordingly, they investigated the effect of misbehavior and new-flow attacks on SDN. They periodically gathered traffic data from the transmission devices on the data plane and then applied machine learning classification algorithms to respond to the sudden traffic changes that occurred in the SDN architecture at the moment of attack. The Packet_In messages flowing between the controller and the transmission devices at the moment of attack were used as the basis. Support Vector Machine (SVM), J48, and Naive Bayes (NB) algorithms were employed for classification. Latah and Toker [10] detected DDoS attacks by measuring the rate of arriving packets at the moment of attack. When the packets arriving at the controller exceeded a pre-determined threshold, an inspection unit based on SVM was activated to detect DDoS flooding attacks.
Li et al. [11] proposed a bidirectional Recurrent Neural Network (RNN) model covering each layer of the SDN network structure in order to detect and block DDoS attacks. Although the proposed model was developed for real-time detection and blocking of DDoS attacks and has a high accuracy rate, it may not be equally successful in large networks where more than one controller is used: the model may disrupt the synchronized work of the controllers and degrade the performance of the network.
2.2. DDoS Attacks against the OpenFlow Switch
The OpenFlow switch and its flow table are seen as the main targets, as they hold administrative, transmission, and access control information [12]. The attacker first aims to break the functionality of the network by way of physical or virtual unauthorized access to the network. It is impossible for the OpenFlow switch to store rules covering every flow, as it has a limited storage capacity. When packets come from an unknown address, new rules need to be added to the switch. If the attacker sends a large number of packets from unknown addresses in a short time, the controller writes rules for these packets and sends them to the flow table. The flow table, with its limited storage space, becomes full in a short time, leaving no space for new rules, and transmission of legitimate traffic stops. Apart from the flow table, the flow cache memory is also a target for DDoS attacks (Figure 1). Upon receiving a packet from an input port, a switch with a reactive cache memory mechanism forwards the packet to the flow cache memory [13]. For newly arriving packets, a match is searched for among the flows in the flow table. If a match is found, the packet is forwarded from the cache memory to the output port; otherwise, it is forwarded to the controller by means of the control channel in a Packet_In message. The controller responds with an OFPT_FLOW_MOD message that assigns hard_timeout and idle_timeout values, defining the rules for the packet and how long the rules will stay. When the switch receives the rule from the controller, the packet is processed and the rule written by the controller is placed in the transmission table cache memory so that subsequent packets of the flow are processed directly. This mechanism makes the switch defenseless against DDoS attacks: a large number of packets forwarded to the switch by malicious nodes are taken into cache memory while the response from the controller, which carries the flow rules, is awaited [14]. Packets coming from malicious nodes fill the switch buffer, and then packets coming from legitimate users start to be dropped [15].
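The flow-table exhaustion described above, simulated as an added example (not code from the original text or from any switch implementation) to show how the hard_timeout and idle_timeout values chosen by the controller, together with a table-occupancy alert, change the outcome; capacity, rates, duration and addresses are constructed assumptions:

```python
"""Simulation of flow-table exhaustion by a table-miss flood from spoofed
addresses, with idle_timeout/hard_timeout expiry and an occupancy alert.
Added example with constructed parameters."""

class FlowTable:
    """Fixed-capacity table; each rule records its install time and last hit."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.rules = {}                     # match key -> [installed, last_hit, idle, hard]

    def expire(self, now):
        # Remove rules whose idle_timeout or hard_timeout has elapsed.
        self.rules = {k: r for k, r in self.rules.items()
                      if now - r[1] < r[2] and now - r[0] < r[3]}

    def install(self, key, now, idle_timeout, hard_timeout):
        """Install a rule written by the controller; fails when the table is full."""
        if key in self.rules:
            return True
        if len(self.rules) >= self.capacity:
            return False
        self.rules[key] = [now, now, idle_timeout, hard_timeout]
        return True

    def occupancy(self):
        return len(self.rules) / self.capacity

def simulate(capacity=100, idle_timeout=60, hard_timeout=60, attack_rate=10,
             attack_start=5, duration=30, alert_level=0.8):
    """One tick per second. Each second one new legitimate flow needs a rule; from
    attack_start on, attack_rate spoofed flows per second also trigger rule installs."""
    table = FlowTable(capacity)
    rejected_legit, peak, first_alert = 0, 0.0, None
    for now in range(duration):
        table.expire(now)
        legit_key = ("10.0.0.1", "10.0.0.2", 1000 + now)      # constructed 3-tuple key
        if not table.install(legit_key, now, idle_timeout, hard_timeout):
            rejected_legit += 1                               # legitimate traffic stops
        if now >= attack_start:
            for k in range(attack_rate):
                spoofed = (f"198.51.100.{k}", "10.0.0.2", now * attack_rate + k)
                table.install(spoofed, now, idle_timeout, hard_timeout)
        occ = table.occupancy()
        peak = max(peak, occ)
        if first_alert is None and occ > alert_level:
            first_alert = now                 # occupancy monitor raises an alert
    return {"rejected_legit": rejected_legit, "peak_occupancy": peak,
            "first_alert": first_alert}

def compare():
    """Long timeouts let the flood pin the table; a short idle_timeout reclaims entries."""
    return simulate(idle_timeout=60, hard_timeout=60), simulate(idle_timeout=2, hard_timeout=60)
```

With long timeouts the occupancy alert fires several seconds before the first legitimate rule is rejected, which is the window a controller has to react; with a short idle_timeout the same flood never fills the table in this model.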
Ye et al. [16] gathered data on network traffic from the transmission devices on the data plane by means of the controller. Six-tuple characteristic values related to DDoS attacks were extracted from the switch flow table to detect DDoS attacks by means of SVM, and a high detection accuracy rate was reported. However, the test accuracy rate for Internet Control Message Protocol (ICMP) attack flows was reported as relatively low. Xue et al. [17] indicated that many security requirements arise because the SDN controller manages multiple switches in the data plane. They stated that security could not be achieved with existing equipment and software that has not yet adapted to the SDN architecture. In particular, DDoS attacks on switches in the data plane pose a great danger to the continuity of the SDN architecture of the network. An SVM whose C and G parameters were optimized by a cross-validation genetic algorithm (CV-GA) was used to detect the DDoS attacks. Nanda et al. [18] proposed the use of machine learning algorithms, trained on historical network attack data, to identify potential malicious connections and potential targets and thereby minimize security threats. They used the C4.5, Bayesian Network (BayesNet), Decision Table (DT), and Naive Bayes algorithms, and stated that detecting malicious users in the data plane by means of machine learning predictions was possible. Identifying such users enables the SDN controller to quickly and effectively write new rules to prevent the attack, which is important for the efficiency and continuity of the network.
Jankowski and Amanowicz [19] employed the machine learning algorithms Self-Organizing Maps (SOM) and Learning Vector Quantization (LVQ1), and their enhanced versions (Multi-pass Self-Organizing Maps (M-SOM), Multi-pass Learning Vector Quantization (M-LVQ1), and Hierarchical Learning Vector Quantization (H-LVQ1)), to detect and monitor malicious activities on the data plane. Promising results were achieved with the H-LVQ1 algorithm compared to SOM, M-SOM, LVQ1, and M-LVQ1. Banerjee and Chakraborty [20] conducted a two-stage study. In the first stage, Naive Bayes and K-Nearest Neighbors (KNN) machine learning algorithms were trained to differentiate between attack and normal traffic. Then the attacker was detected using a three-way handshake service, and the detected attacker was blocked by creating an Access Control List (ACL). Mowla et al. [21] proposed Cognitive Switch-based DDoS Sensing and Mitigation in SDN-driven Content Delivery Networks. SVM and Logistic Regression algorithms were used for traffic classification, and this classification initiated the deployment of security rules to the OpenFlow switches, to prevent new forms of flooding attacks and to detect and defend against all possible DDoS attacks.
This study focuses on DDoS attacks in the SDN architecture and offers machine learning models supported with feature selection methods to detect attacks. The aim, therefore, is to develop DDoS attack detection systems based on high-fertility-rate machine learning for the SDN architecture. Detecting DDoS attacks on the SDN controller and on the switches located in the data plane is very important for the continuity of the network and for recognizing legitimate traffic at the time of the attack. If attack traffic is detected on the controller, it is easier for the controller to write new rules to the flow tables of the switches in the data plane to prevent the attack, which is a great advantage for preventing the attack. We propose the use of feature selection methods with machine learning models to detect DDoS attacks. We believe that our approach will make a significant contribution to the effective detection of DDoS attacks in SDN.
Machine Learning Approaches for Attack Detection