An early detection of low rate DDoS attack to SDN based data center networks using information distance metrics
Introduction
Safeguarding network security has been a rat race between attackers and victims for many years. Advances in technology open up new attack tools for launching various attacks; consequently, defenders require sophisticated and up-to-date defense mechanisms to counter them. In contrast to other attacks, a DDoS attack can cause massive interruption in any kind of network infrastructure. With the recent advancement of virtualization-based cloud computing, the SDN paradigm is being adopted as a security solution by modern data centers [[1], [2], [3]]. In SDN, all control decisions are made by a separate entity called the controller [4]. This decoupled framework brings many benefits to network management and provides an easy way to improve overall network efficiency [5]. As the control plane is separated from the data plane, it is believed that a flexible and scalable network can be designed to meet the requirements of ever-changing business needs. On one hand, programmability and the logically centralized architecture help the controller to detect attacks easily; on the other hand, the control layer of the SDN paradigm is itself likely to be targeted by DDoS attackers [6].
All forwarding decisions are taken by the controller and realized through the flow tables of OpenFlow switches. For every new packet arriving at a switch, its flow table is searched. On a successful match, the flow's action is carried out; otherwise, the packet is sent to the controller for further instructions. Fig. 1 shows the header fields used during matching. During a DDoS attack, spoofing the source IP address is a common practice. In an SDN based data center, a spoofed address misses the flow table every time, so for each unmatched flow a packet_in is sent to the controller [7]. If the packet_in arrival rate is very high, as in a DDoS attack, the controller's resources soon start to deplete. A high rate of IP-spoofed traffic may overwhelm the controller and, as a result, disconnect it from the data plane. In a centralized SDN controller architecture, this single point of failure brings down the entire network [8]. Hence, it is necessary to distinguish DDoS traffic from benign traffic (see Fig. 2).
In anomaly detection the threshold is usually fixed, and any abnormal deviation of some statistical features of the incoming traffic can help to identify attack traffic [9]. The choice of statistical technique is therefore vital for DDoS detection. Information theory based metrics can identify the variations in traffic behavior during such events more accurately. In this work, we extend the idea of [10] and explore the Generalized Entropy (GE) and Generalized Information Divergence (GID) metrics to detect low rate DDoS attacks. The main contributions of the paper are:
Investigate different control plane security issues of SDN.
Highlight the importance of the GE metric and apply it to the incoming packets arriving at the controller to identify low rate attack traffic.
Compare the result with the Shannon metric, and additionally with other information distance metrics.
We simulate the above scenario on Mininet emulator with POX controller.
The rest of the paper is organized as follows. Section 2 describes the motivation behind this work and related work. Section 3 discusses the information metrics used in the work. The detection procedure is explained in Section 4. The experimental setup is described in Section 5. The performance of the algorithms and the results are discussed in Section 6. Finally, Section 7 ends with concluding remarks.
Section snippets
Motivation and related work
In the last decades, significant research has been carried out on the security of traditional networks [[11], [12], [13]]. Specifically, a number of approaches have been suggested to identify and mitigate DDoS attack traffic in traditional networks [[14], [15], [16], [17], [18]]. In view of future traffic demand, the traditional network was computationally expensive and required innovation for a variety of security issues. In this regard, OpenFlow enabled SDN
General entropy and information distance
Entropy, also termed the Shannon–Wiener index, is an essential concept in information theory [53]. It was introduced to measure the uncertainty of an event associated with a given probability distribution. A higher value of entropy is expected when the probability distribution of the event is more random in nature. On the other hand, the lowest value of entropy is expected when the amount of uncertainty in the event is relatively small. To quantify the randomness of the event, Rényi introduced
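The GE and GID metrics that the paper applies to the source addresses of packet_in events (see the Introduction and the entropy definition above), as an added Python example that is not the paper's own code: it computes Rényi entropy of order α (Shannon entropy at α = 1) and Rényi divergence over a constructed window of packet_in source IPs and flags a window whose metrics depart from a benign baseline. The α value, both thresholds and the EPS floor for addresses unseen in the baseline are assumptions made for the example.

```python
# Added example (not code from the paper): generalized entropy (GE) and
# generalized information divergence (GID) over packet_in source addresses.
from collections import Counter
from math import log2

EPS = 1e-6  # assumption: probability floor for IPs absent from the baseline


def distribution(src_ips):
    """Empirical probability of each source IP within one packet_in window."""
    counts = Counter(src_ips)
    total = sum(counts.values())
    return {ip: c / total for ip, c in counts.items()}


def generalized_entropy(p, alpha):
    """Rényi entropy of order alpha in bits; alpha == 1 gives Shannon entropy."""
    probs = [x for x in p.values() if x > 0]
    if alpha == 1:
        return -sum(x * log2(x) for x in probs)
    return log2(sum(x ** alpha for x in probs)) / (1 - alpha)


def generalized_divergence(p, q, alpha):
    """Rényi divergence of order alpha of window p from baseline q, in bits.
    Sources never seen in the baseline are given EPS so the value stays finite."""
    keys = [k for k in p if p[k] > 0]
    if alpha == 1:
        return sum(p[k] * log2(p[k] / q.get(k, EPS)) for k in keys)
    terms = sum(p[k] ** alpha * q.get(k, EPS) ** (1 - alpha) for k in keys)
    return log2(terms) / (alpha - 1)


def is_anomalous(window, baseline, alpha=10, ge_threshold=0.3, gid_threshold=1.0):
    """Flag a window whose GE drifts from the baseline or whose GID is large.
    alpha and both thresholds are assumptions, not values from the paper."""
    p, q = distribution(window), distribution(baseline)
    ge_gap = abs(generalized_entropy(p, alpha) - generalized_entropy(q, alpha))
    gid = generalized_divergence(p, q, alpha)
    return ge_gap > ge_threshold or gid > gid_threshold


# Constructed sample windows: 8 benign hosts behind one OF switch, 5 packet_in each.
NORMAL = [f"10.0.0.{h}" for h in range(1, 9)] * 5
# Constructed low rate attack window: the same benign traffic plus 10 packet_in
# events carrying distinct spoofed source addresses.
ATTACK = NORMAL + [f"198.51.100.{s}" for s in range(1, 11)]
```

Because the benign window is uniform over 8 hosts, its GE is 3 bits for every α, so the spoofed addresses show up as a drift in GE and as a non-zero GID against the benign baseline.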
Proposed attack detection scheme
Usually, a DDoS attack model can comprise a three-tuple, i.e. ⟨Attacker, Victim, Type⟩. In an SDN environment, it can be identified as: Any attack can fall into a permutation of this tuple set [58]. A target of an attack may affect multiple types of victim. For instance, in our case, host, controller, UDP flood implies that the attacker is a host, the target is the controller, and
Experimental setup
We ran our experiments on a PC with an Intel Core i7-4770 processor (3.4 GHz clock speed) and 4 GB RAM. The operating system is Linux Ubuntu 14.04 LTS with Mininet V 2.2.26, which supports OpenFlow version 1.3. To illustrate the functionality of the proposed approach, we use the scenario illustrated in Fig. 4. The network consists of three controller domains, each consisting of one POX controller, 64 hosts and 8 OpenFlow switches. We connect 8 hosts to each OF switch to
Performance evaluation
In order to validate the information distance metrics and carry out the simulation, we make the following assumptions.
The normal traffic follows a Gaussian distribution and the attack traffic follows a Poisson distribution.
The attack flows come from OpenFlow devices and merge at the controller.
During the attack, the attack traffic generating tool generates UDP packets and spoofs the source IP address of each packet.
During an attack, the whole network system is stable.
Conclusion
Low rate DDoS attacks are a serious threat to the control layer of SDN based data centers. It is very important to identify the attack well before it happens. One of the ways the controller layer can be attacked is by increasing the number of packet_in control events. When packet_in events increase, the controller becomes a bottleneck and its resources start depleting. In such a situation, the usual Shannon entropy is a less efficient method for detecting the false alarm. Hence, we have
Kshira Sagar Sahoo is a Ph.D. scholar in Computer Science and Engineering at National Institute of Technology, Rourkela, India. He received his M.Tech degree in Information and Communication Technology from IIT, Kharagpur, India in 2014. His research interests include Software Defined Network, network virtualization, Big Data Analytics. He is a student member of IEEE computer society.
References (58)
- et al., Security of software defined networks: A survey, Comput. Secur. (2015)
- et al., Software-defined networking: A survey, Comput. Netw. (2015)
- et al., Collaborative detection and filtering of shrew DDoS attacks using spectral analysis, J. Parallel Distrib. Comput. (2006)
- et al., DDoS defense system for web services in a cloud environment, Future Gener. Comput. Syst. (2014)
- et al., DDoS attacks in cloud computing: collateral damage to non-targets, Comput. Netw. (2016)
- et al., Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments, Comput. Netw. (2014)
- et al., DDoS attack detection using fast entropy approach on flow-based network traffic, Procedia Comput. Sci. (2015)
- et al., Web application protection techniques: A taxonomy, J. Netw. Comput. Appl. (2016)
- et al., Context-oriented web application protection model, Appl. Math. Comput. (2016)
- et al., User profiling in intrusion detection: A review, J. Netw. Comput. Appl. (2016)
- Distributed denial of service (DDoS) resilience in cloud: review and conceptual cloud DDoS mitigation framework, J. Netw. Comput. Appl.
- Security and privacy for the internet of drones: Challenges and solutions, IEEE Commun. Mag.
- Circumventing iOS security mechanisms for APT forensic investigations: A security taxonomy for cloud apps, Future Gener. Comput. Syst.
- Cyber-physical systems information gathering: A smart home case study, Comput. Netw.
- Detection of DDoS attacks and flash events using novel information theory metrics, Comput. Netw.
- A survey on software-defined network and OpenFlow: From concept to implementation, IEEE Commun. Surv. Tutor.
- A survey on the security of stateful SDN data planes, IEEE Commun. Surv. Tutor.
- On the placement of controllers in software-defined-WAN using meta-heuristic approach, J. Syst. Softw.
- Securing software defined networks: taxonomy, requirements, and open issues, IEEE Commun. Mag.
- An entropy-based distributed DDoS detection mechanism in software-defined networking
- Secure and sustainable load balancing of edge data centers in fog computing, IEEE Commun. Mag.
- Low-rate DDoS attacks detection and traceback by using new information metrics, IEEE Trans. Inf. Forensics Secur.
- Low-rate DDoS attack detection using expectation of packet size, Secur. Commun. Netw.
- On scalable attack detection in the network
- Mitigating DDoS attack and saving computational time using a probabilistic approach and HCF method
- Defense against spoofed IP traffic using hop-count filtering, IEEE/ACM Trans. Netw. (ToN)
- On resilience of wireless mesh routing protocol against DoS attacks in IoT-based ambient assisted living applications
- Avant-guard: Scalable and vigilant switch flow management in software-defined networks
Cited by (148)
- DDOS attack detection in SDN: Method of attacks, detection techniques, challenges and research gaps, 2024, Computers and Security
- LRDADF: An AI enabled framework for detecting low-rate DDoS attacks in cloud computing environments, 2023, Measurement: Sensors
- A comprehensive survey on low-rate and high-rate DDoS defense approaches in SDN: taxonomy, research challenges, and opportunities, 2024, Multimedia Tools and Applications
- A Comprehensive Analysis of Machine Learning- and Deep Learning-Based Solutions for DDoS Attack Detection in SDN, 2024, Arabian Journal for Science and Engineering
- Dynamic threshold generalized entropies-based DDoS detection against software-defined network controller, 2024, Journal of Theoretical and Applied Information Technology
Deepak Puthal received the Ph.D. degree in computer from University of Technology Sydney (UTS), Australia. He is currently a Lecturer (Assistant Professor) with the Faculty of Engineering and IT, University of Technology Sydney, Australia. He has authored in several international conferences and journals, including IEEE and ACM transactions. His research interests include cyber security, Internet of Things, distributed computing, and big data analytics. He is an Associate Editor of the IEEE Consumer Electronics Magazine and the KSII Transactions on Internet and Information Systems.
Mayank Tiwary is working as a core developer in SAP Cloud Platform at SAP Labs Bangalore, India. He has received his graduation degree from Biju Patnaik University of Technology, Odisha, India. He has numbers of publications in the domain of distributed and cloud computing.
Joel J.P.C. Rodrigues is a professor and senior researcher at the National Institute of Telecommunications (Inatel), Brazil and senior researcher at the Instituto de Telecomunicações, Portugal. He has been a professor at the University of Beira Interior (UBI), Portugal and visiting professor at the University of Fortaleza (UNIFOR), Brazil. He received the Academic Title of Aggregated Professor in informatics engineering from UBI, the Habilitation in computer science and engineering from the University of Haute Alsace, France, a Ph.D. degree in informatics engineering and an M.Sc. degree from the UBI, and a five-year B.Sc. degree (licentiate) in informatics engineering from the University of Coimbra, Portugal. His main research interests include e-health, sensor networks and IoT, vehicular communications, and mobile and ubiquitous computing. Prof. Joel is the leader of the NetGNA Research Group (http://netgna.it.ubi.pt), the President of the scientific council at ParkUrbis—Covilhã Science and Technology Park, the Past-Chair of the IEEE ComSoc Technical Committee on eHealth, the Past-Chair of the IEEE ComSoc Technical Committee on Communications Software, Steering Committee member of the IEEE Life Sciences Technical Community and Publications co-Chair, and Member Representative of the IEEE Communications Society on the IEEE Biometrics Council. He is the editor-in-chief of the International Journal on E-Health and Medical Communications, the editor-in-chief of the Recent Advances on Communications and Networking Technology, the editor-in-chief of the Journal of Multimedia Information Systems, and editorial board member of several highly reputed journals. He has been general chair and TPC Chair of many international conferences, including IEEE ICC, GLOBECOM, and HEALTHCOM. He is a member of many international TPCs and has participated in the organization of several international conferences.
He has authored or coauthored over 500 papers in refereed international journals and conferences, 3 books, and 2 patents. He has been awarded several Outstanding Leadership and Outstanding Service Awards by the IEEE Communications Society and several best paper awards. Prof. Rodrigues is a licensed professional engineer (as senior member), a member of the Internet Society, an IARIA fellow, and a senior member of ACM and IEEE.
Bibhudatta Sahoo obtained his M.Tech. and Ph.D. degrees in Computer Science & Engineering from NIT, Rourkela. He has 24 years of teaching experience at the undergraduate and graduate level in the field of Computer Science & Engineering. He is presently Assistant Professor in the Department of Computer Science & Engineering, NIT Rourkela, India. His technical interests include Data Structures & Algorithm Design, Parallel & Distributed Systems, Networks, Computational Machines, Algorithms for VLSI Design, Performance evaluation methods and modeling techniques, Distributed computing systems, Networking algorithms, and Web engineering. He is a member of IEEE & ACM.
Ratnakar Dash received his Ph.D. degree from the National Institute of Technology, Rourkela, India, in 2013. He is presently working as Assistant Professor in the Department of Computer Science and Engineering at the National Institute of Technology, Rourkela, India. His areas of interest include signal processing, image processing, intrusion detection systems and steganography. He has published more than 10 papers in journals of international repute.