Defending DDoS attacks in software defined networking based on improved Shiryaev–Roberts detection algorithm

Because availability is a central concern of network security, the DDoS defense mechanisms of Software Defined Networking (SDN) need to be studied before real-world deployment. In this paper, we first measured the impact of DDoS attacks on SDN using a test bed. The results showed that resource utilization changed sharply when DDoS attacks started. Based on this observation, we put forward a lightweight DDoS defense mechanism implemented in the SDN controller. In this mechanism, a score-based Shiryaev-Roberts change-point detection algorithm is first used to detect the starting time points of DDoS attacks. The attacking flows are then filtered and rerouted to the middlebox network, where the DDoS attack-flow filtering algorithm is deployed. A prototype of the mechanism was built and evaluated in the test bed. The results show that the score-based Shiryaev-Roberts detection mechanism can detect the attack quickly, and that the controller and the switches can be protected from DDoS efficiently.
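The detection step described above can be illustrated with the generic score-based Shiryaev-Roberts recursion run over controller utilization samples. This is an added example, not the paper's code and not its improved variant: the linear score, the shift size `delta`, the alarm threshold and the sample values are all assumptions made for the illustration.

```python
import math
import statistics

# Constructed controller CPU utilization samples (percent), one per polling interval.
BASELINE = [18, 21, 19, 22, 20, 19, 21, 20, 18, 22]
ATTACK_START = 20                      # index where the constructed ramp begins
SAMPLES = BASELINE + BASELINE + [22, 23, 24, 26, 30, 35]

def softplus(x):
    """log(1 + exp(x)) without overflow; softplus(-inf) == 0."""
    return max(x, 0.0) + math.log1p(math.exp(-abs(x)))

def sr_detect(samples, train=10, delta=2.0, threshold=1000.0):
    """Return the index of the first alarm, or None if no alarm is raised.

    Score-based Shiryaev-Roberts statistic:
        R_n = (1 + R_{n-1}) * exp(S_n),  R_0 = 0,  alarm when R_n >= threshold.
    It is tracked in the log domain so large scores cannot overflow.
    """
    # Estimate the attack-free baseline from the first `train` samples.
    mu = statistics.fmean(samples[:train])
    sigma = statistics.pstdev(samples[:train]) or 1.0
    log_r = -math.inf                  # log(R_0) with R_0 = 0
    log_a = math.log(threshold)
    for n in range(train, len(samples)):
        z = (samples[n] - mu) / sigma
        # Assumed score: negative near the baseline, positive once the
        # sample sits more than delta/2 standard deviations above it.
        score = delta * (z - delta / 2.0)
        log_r = softplus(log_r) + score
        if log_r >= log_a:
            return n
    return None

if __name__ == "__main__":
    alarm = sr_detect(SAMPLES)
    print("alarm index:", alarm, "delay:", alarm - ATTACK_START)
```

Raising `threshold` lowers the false-alarm rate at the cost of a longer detection delay, which is the trade-off a controller-side detector has to tune.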
