Detection of high rate DDoS attack from flash events using information metrics in software defined networks

The OpenFlow-based Software Defined Network (SDN) is a new network architecture that has gained much popularity in recent years. Although the centralized control of SDN provides enormous benefits, many security challenges remain in the control plane. As Distributed Denial of Service (DDoS) attacks are one of the main security threats to the Internet, the goal of this paper is to detect the attack at the control layer by using the flow table information of the OpenFlow switches. The controller is a separate entity in SDN; if it is made unreachable by a DDoS attack, the entire architecture becomes defunct. In the current high-speed network scenario, discriminating high-rate DDoS traffic from flash events (FE) is a relatively more challenging task, because the characteristics of high-rate DDoS traffic are nearly similar to those of legitimate FE traffic. Hence, in this work we use information-theory-based metrics such as General Entropy (GE) and Generalized Information Distance (GID) for detection. We evaluate the effectiveness of these metrics against Shannon entropy and Kullback-Leibler divergence. The extensive simulation results show that the considered metrics outperform the other metrics with reduced false positives.
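As an added illustration (not code from the paper), the sketch below computes the two metrics over flow-table snapshots as a controller-side detector might. It assumes GE is the Rényi entropy of order α and GID is the symmetric Rényi divergence, since the abstract does not give the formulas; the snapshots, IP addresses, `eps` smoothing and α = 2 are constructed for the example.

```python
import math
from collections import Counter

def distribution(flow_entries, support, eps=1e-9):
    """Share of packets per source IP over a shared support (eps avoids zeros)."""
    counts = Counter()
    for src_ip, packets in flow_entries:
        counts[src_ip] += packets
    total = sum(counts.values()) + eps * len(support)
    return [(counts[ip] + eps) / total for ip in support]

def generalized_entropy(p, alpha):
    """Renyi entropy of order alpha in bits; alpha == 1 is Shannon entropy."""
    if alpha == 1:
        return -sum(x * math.log2(x) for x in p if x > 0)
    return math.log2(sum(x ** alpha for x in p)) / (1 - alpha)

def divergence(p, q, alpha):
    """Renyi divergence of order alpha; alpha == 1 is Kullback-Leibler."""
    if alpha == 1:
        return sum(x * math.log2(x / y) for x, y in zip(p, q))
    s = sum(x ** alpha * y ** (1 - alpha) for x, y in zip(p, q))
    return math.log2(s) / (alpha - 1)

def generalized_information_distance(p, q, alpha):
    """Symmetric distance: D_alpha(P||Q) + D_alpha(Q||P)."""
    return divergence(p, q, alpha) + divergence(q, p, alpha)

# Constructed flow-table snapshots: (source IP, packet count) per flow entry.
BASELINE = [(f"10.0.0.{i}", 10) for i in range(1, 9)]
FLASH = [(f"10.0.0.{i}", 10) for i in range(1, 17)]  # more clients, similar rate
ATTACK = BASELINE + [("10.0.9.1", 400), ("10.0.9.2", 400)]  # two heavy sources

def score(window, baseline=BASELINE, alpha=2):
    """Return (GE of the window, GID between the window and the baseline)."""
    # Both distributions must share one support; sources unseen in one window
    # get mass eps, so the size of eps sets how strongly new sources are scored.
    support = sorted({ip for ip, _ in window} | {ip for ip, _ in baseline})
    p, q = distribution(window, support), distribution(baseline, support)
    return generalized_entropy(p, alpha), generalized_information_distance(p, q, alpha)

if __name__ == "__main__":
    for name, window in (("baseline", BASELINE), ("flash", FLASH), ("attack", ATTACK)):
        ge, gid = score(window)
        print(f"{name:8s} GE={ge:.3f} bits  GID={gid:.3f} bits")
```

Any alerting threshold on these values would have to be calibrated on real controller traffic; the constructed windows only show how the metrics respond to a change in the source distribution.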
