DDoS attack detection under SDN context

Software Defined Networking (SDN) has recently emerged as a new network management platform. Its centralized control architecture presents many new opportunities. Among network management tasks, measurement is one of the most important and challenging. Researchers have proposed many solutions to better utilize SDN for network measurement. In particular, detecting Distributed Denial-of-Service (DDoS) attacks quickly and precisely is a very challenging problem. In this paper, we propose methods to detect DDoS attacks by leveraging SDN's flow monitoring capability. Our methods utilize the measurement resources available across the whole SDN network to adaptively balance the coverage and granularity of attack detection. Through simulations, we demonstrate that our methods can quickly locate potential DDoS victims and attackers using a constrained number of flow monitoring rules.
