A HMM-R Approach to Detect L-DDoS Attack Adaptively on SDN Controller

A data center network is vulnerable to suffer from concealed low-rate distributed denial of service (L-DDoS) attacks because its data flow has the characteristics of data flow delay, diversity, and synchronization. Several studies have proposed addressing the detection of L-DDoS attacks, most of them are only detect L-DDoS attacks at a fixed rate. These methods cause low true positive and high false positive in detecting multi-rate L-DDoS attacks. Software defined network (SDN) is a new network architecture that can centrally control the network. We use an SDN controller to collect and analyze data packets entering the data center network and calculate the Renyi entropies base on IP of data packets, and then combine them with the hidden Markov model to get a probability model HMM-R to detect L-DDoS attacks at different rates. Compared with the four common attack detection algorithms (KNN, SVM, SOM, BP), HMM-R is superior to them in terms of the true positive rate, the false positive rate, and the adaptivity.

[1]  Wanlei Zhou,et al.  Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics , 2011, IEEE Transactions on Information Forensics and Security.

[2]  Zhiyang Li,et al.  Detecting DDoS attacks against data center with correlation analysis , 2015, Comput. Commun..

[3]  Wen Ku,et al.  Survey on Research and Progress of Low-Rate Denial of Service Attacks , 2014 .

[4]  Marc St-Hilaire,et al.  Early detection of DDoS attacks against SDN controllers , 2015, 2015 International Conference on Computing, Networking and Communications (ICNC).

[5]  Qingxiang Gong,et al.  Detection of DDoS Attacks Against Wireless SDN Controllers Based on the Fuzzy Synthetic Evaluation Decision-making Model , 2016, Ad Hoc Sens. Wirel. Networks.

[6]  A. Kalwar,et al.  Low-Rate and High-Rate Distributed DoS Attack Detection Using Partial Rank Correlation , 2015, 2015 Fifth International Conference on Communication Systems and Network Technologies.

[7]  Rodrigo Braga,et al.  Lightweight DDoS flooding attack detection using NOX/OpenFlow , 2010, IEEE Local Computer Network Conference.

[8]  Wang Hong,et al.  Characteristics Research on Modern Data Center Network , 2014 .

[9]  R. Anitha,et al.  Evaluating Machine Learning Algorithms for Detecting DDoS Attacks , 2011 .

[10]  Hamid Farhadi,et al.  Software-Defined Networking: A survey , 2015, Comput. Networks.

[11]  B. M. Patil,et al.  Low-rate DDOS Attack Detection using Optimal Objective Entropy Method , 2013 .

[12]  Jian Zhu,et al.  SD-Anti-DDoS: Fast and efficient DDoS defense in software-defined networks , 2016, J. Netw. Comput. Appl..

[13]  Jugal K. Kalita,et al.  An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection , 2015, Pattern Recognit. Lett..

[14]  Jugal K. Kalita,et al.  A novel measure for low-rate and high-rate DDoS attack detection using multivariate data analysis , 2016, COMSNETS.

[15]  Nick McKeown,et al.  A network in a laptop: rapid prototyping for software-defined networks , 2010, Hotnets-IX.

[16]  Weifeng Chen,et al.  Flow level detection and filtering of low-rate DDoS , 2012, Comput. Networks.

[17]  Virgil D. Gligor,et al.  The Crossfire Attack , 2013, 2013 IEEE Symposium on Security and Privacy.

[18]  Jugal K. Kalita,et al.  Information metrics for low-rate DDoS attack detection: A comparative evaluation , 2014, 2014 Seventh International Conference on Contemporary Computing (IC3).

[19]  Jugal K. Kalita,et al.  Rank Correlation for Low-Rate DDoS Attack Detection: An Empirical Evaluation , 2016, Int. J. Netw. Secur..

[20]  A. Gowrishankar,et al.  Detection of Low and High rate DDoS Attack using Metrics with SVM in FireCol Distributed Network , 2015 .

[21]  D. Goyal,et al.  A Rank Correlation Based Detection against Distributed Reflection DoS Attacks , 2014 .

[22]  George Karabatis,et al.  Discrete wavelet transform-based time series analysis and mining , 2011, CSUR.

[23]  Terrence L. Fine Foundations of Probability , 2004 .

[24]  Ali Selamat,et al.  An Evaluation on KNN-SVM Algorithm for Detection and Prediction of DDoS Attack , 2016, IEA/AIE.

[25]  Basil S. Maglaris,et al.  Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments , 2014, Comput. Networks.

[26]  Toshinori Sueyoshi,et al.  Early DoS/DDoS Detection Method using Short-term Statistics , 2010, 2010 International Conference on Complex, Intelligent and Software Intensive Systems.

[27]  Zhang Chao,et al.  State-of-the-Art Survey on Software-Defined Networking(SDN) , 2015 .