Lightweight DDoS flooding attack detection using NOX/OpenFlow

Distributed denial-of-service (DDoS) attacks have become one of the main Internet security problems over the last decade, threatening public web servers in particular. Although the DDoS mechanism is widely understood, detecting it is very hard because normal traffic closely resembles the useless packets that compromised hosts send to their victims. This work presents a lightweight method for DDoS attack detection based on traffic flow features, in which this information is extracted with very low overhead compared to traditional approaches. This is possible thanks to the NOX platform, which provides a programmatic interface that facilitates the handling of switch information. Other major contributions include the high detection rate and very low false-alarm rate obtained by flow analysis using Self-Organizing Maps.
