ADAPTIVE ENTROPY-BASED DETECTION AND MITIGATION OF DDOS ATTACKS IN SOFTWARE DEFINED NETWORKS

Software Defined Networking (SDN) has emerged as a new networking paradigm based on decoupling the data plane from the control plane, which provides several benefits, including flexible, manageable, and centrally controlled networks. From a security point of view, SDNs suffer from several vulnerabilities associated with the nature of the communication between the control plane and the data plane. In this context, software defined networks are vulnerable to distributed denial of service (DDoS) attacks. In particular, the centralization of the SDN controller makes it an attractive target for these attacks, because overloading the controller with a huge packet volume would bring the whole network down or degrade its performance. Moreover, DDoS attacks may aim to flood a network segment with a huge traffic volume, targeting single or multiple end systems. In this paper, we propose an entropy-based mechanism for DDoS attack detection and mitigation in SDN networks. The proposed mechanism is based on the entropy values of the source and destination IP addresses of flows observed by the SDN controller, which are compared to preset entropy threshold values that change adaptively based on network dynamics. The proposed mechanism has been evaluated through extensive simulation experiments.
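
A minimal sketch of the detection idea described in the abstract, added here as an illustration and not the paper's implementation: it computes the normalised Shannon entropy of source and destination addresses per window and compares each value to a band that tracks the learned baseline. The adaptation rule (EWMA mean plus or minus k standard deviations), the two-sided check, the window size, all parameter values and the sample traffic are assumptions; the abstract does not specify them.

```python
import math
from collections import Counter

def normalized_entropy(addresses):
    """Shannon entropy of the address distribution, scaled to [0, 1] by log2(window size)."""
    n = len(addresses)
    if n < 2:
        return 0.0
    counts = Counter(addresses)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)

class AdaptiveBand:
    """Assumed adaptation rule: EWMA mean +/- k * EWMA standard deviation."""
    def __init__(self, alpha=0.2, k=3.0, warmup=3, min_std=0.02):
        self.alpha, self.k, self.warmup, self.min_std = alpha, k, warmup, min_std
        self.mean, self.var, self.seen = 0.0, 0.0, 0

    def is_anomalous(self, h):
        if self.seen < self.warmup:          # still learning the baseline
            return False
        band = self.k * max(math.sqrt(self.var), self.min_std)
        return abs(h - self.mean) > band

    def update(self, h):
        if self.seen == 0:
            self.mean = h
        else:
            delta = h - self.mean
            self.mean += self.alpha * delta
            self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        self.seen += 1

def detect(windows):
    """Return indices of windows whose source or destination entropy leaves its band."""
    src_band, dst_band, alerts = AdaptiveBand(), AdaptiveBand(), []
    for i, packets in enumerate(windows):
        h_src = normalized_entropy([s for s, _ in packets])
        h_dst = normalized_entropy([d for _, d in packets])
        if src_band.is_anomalous(h_src) or dst_band.is_anomalous(h_dst):
            alerts.append(i)                 # do not learn from suspected attack traffic
        else:
            src_band.update(h_src)
            dst_band.update(h_dst)
    return alerts

def window(n_src, n_dst, size=60):           # constructed benign (src, dst) pairs
    return [(f"10.0.1.{i % n_src}", f"10.0.2.{i % n_dst}") for i in range(size)]

# Constructed flood window: 55 distinct sources to one host, plus 5 benign packets.
ATTACK = [(f"198.51.100.{i}", "10.0.2.7") for i in range(55)] + window(5, 5, size=5)
WINDOWS = [window(10, 10)] * 2 + [window(10, 12)] * 3 + [ATTACK, window(10, 12)]
```

On the constructed data, `detect(WINDOWS)` flags only the flood window: the benign growth from 10 to 12 destinations moves the baseline instead of raising an alert, and the window after the flood is judged against a baseline the flood did not contaminate.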
