Elsevier

Future Generation Computer Systems

Volume 89, December 2018, Pages 685-697

An early detection of low rate DDoS attack to SDN based data center networks using information distance metrics

https://doi.org/10.1016/j.future.2018.07.017

Highlights

  • Investigated different control plane security issues of SDN.

  • Highlighted the importance of the GE metric and implemented it on incoming packets.

  • Compared the results with the Shannon metric for performance.

  • Also compared our results with other information distance metrics.

Abstract

The primary innovations behind Software Defined Networks (SDN) are the decoupling of the control plane from the data plane and the centralization of network management in a specialized application running on the controller. In spite of many advantages, the security of SDN based data centers is still a matter of concern among the research community. Although SDN is a valuable tool for defeating attackers, SDN itself becomes a victim of Distributed Denial-of-Service (DDoS) attacks because of the potential vulnerabilities that exist across the various SDN layers. The logically centralized controller is always an attractive target for a DDoS attack. Hence, it is important to have a fast as well as accurate detection model that detects control layer attack traffic at an early stage. We employ information distance (ID) as a metric to detect the attack traffic at the controller. The ID metric can quantify the deviations of network traffic with different probability distributions. In this paper, taking advantage of the flow based nature of SDN, we propose a Generalized Entropy (GE) based metric to detect low rate DDoS attacks against the control layer. The experimental results show that our detection mechanism improves detection accuracy compared to Shannon entropy and other statistical information distance metrics.

Introduction

Safeguarding network security has been a rat race between attackers and defenders for many years. Advances in technology open up new attack tools for launching various attacks; consequently, defenders require sophisticated and up-to-date defense mechanisms to counter them. In contrast to other attacks, a DDoS attack can cause a massive interruption in any kind of network infrastructure. With the recent advancement of virtualization-based cloud computing, the SDN paradigm is being adopted as a security solution by modern data centers [[1], [2], [3]]. In SDN, all control decisions are made by a separate entity called the controller [4]. This decoupled framework brings many benefits to network management and provides an easy way to improve overall network efficiency [5]. As the control plane is separate from the data plane, it is believed that a flexible and scalable network can be designed to meet the requirements of ever-changing business needs. On the one hand, the programmability and logically centralized architecture help the controller detect attacks easily; on the other hand, the control layer of the SDN paradigm itself is likely to be targeted by DDoS attackers [6].

All forwarding decisions are taken by the controller and realized through the flow tables of OpenFlow switches. For every new packet arriving at a switch, the flow table is searched. On a successful match, the flow action is carried out; otherwise, the packet is sent to the controller for further instructions. Fig. 1 shows the header fields that are used during matching. During a DDoS attack, spoofing the source IP address is a common practice. In an SDN based data center, each spoofed address causes a flow table mismatch. Therefore, for each unmatched flow, a packet_in is sent to the controller [7]. If the arrival rate of packet_in messages is very high, as in a DDoS attack, the controller's resources will soon start to deplete. A high rate of IP-spoofed traffic may overwhelm the controller, and as a result it disconnects from the data plane. In a centralized SDN controller architecture, this single point of failure will bring down the entire network [8]. Hence, it is necessary to distinguish DDoS traffic from benign traffic (see Fig. 2).

In anomaly detection, a threshold is usually fixed, and any abnormal deviation in some statistical features of the incoming traffic helps to identify attack traffic [9]. Therefore, the choice of statistical technique is vital for DDoS detection. Information theory based metrics can identify the variations in traffic behavior of such events more accurately. In this work, we extend the idea of [10] and explore the Generalized Entropy (GE) and Generalized Information Divergence (GID) metrics to detect low rate DDoS attacks. The main contributions of the paper are:

  • Investigate different control plane security issues of SDN.

  • Highlight the importance of the GE metric and apply it to the packets arriving at the controller in order to identify low rate attack traffic.

  • Compare the result with the Shannon metric. In addition, we compare our result with other information distance metrics.

  • Simulate the above scenario on the Mininet emulator with the POX controller.

The rest of the paper is organized as follows. Section 2 describes the motivation behind this work and related work. Section 3 discusses the information metrics used in the work. Section 4 explains the detection procedure. Section 5 describes the experimental setup. Section 6 discusses the performance of the algorithms and the results. Finally, Section 7 ends with concluding remarks.


Motivation and related work

Over the last decades, significant research has been carried out on the security of traditional networks [[11], [12], [13]]. Specifically, a number of approaches have been suggested to identify and mitigate DDoS attack traffic in traditional networks [[14], [15], [16], [17], [18]]. In view of future traffic demand, the traditional network was computationally expensive and required innovation for a variety of security issues. In this regard, OpenFlow enabled SDN

General entropy and information distance

Entropy, also termed the Shannon–Wiener index, is an essential concept in information theory [53]. It was introduced to measure the uncertainty of an event associated with a given probability distribution X. A higher value of entropy is expected when the probability distribution of the event is more random in nature. On the other hand, the lowest value of entropy is expected when the amount of uncertainty in the event is relatively small. To quantify the randomness of the event, Rényi introduced

Proposed attack detection scheme

Usually, a DDoS attack model can be described by a three-tuple ⟨Attacker, Victim, Type⟩. In an SDN environment, it can be identified as: Attacker = {host, switch, botnet}, Victim = {controller, switch, host, controller–switch link}, Type = {UDP flood, TCP SYN flood, HTTP flood}. Any attack falls into a permutation of this tuple set [58]. A target of an attack may affect multiple types of victim. For instance, in our case, ⟨host, controller, UDP flood⟩ implies that the attacker is a host, the target is the controller, and
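As an added example (not the paper's own code), the following Python computes the Shannon entropy, the Generalized Entropy and the Generalized Information Divergence over a window of packet_in source addresses and flags the window when its divergence from a learned baseline crosses a fixed threshold, the kind of threshold rule Sections 3 and 4 describe. It assumes the standard Rényi definitions of order α for GE and GID (the snippets above do not reproduce the paper's formulas); the traffic windows, the baseline and the threshold value are constructed for illustration.

```python
import math
from collections import Counter

def generalized_entropy(probs, alpha):
    """Rényi (generalized) entropy of order alpha, in bits.
    alpha == 1 is the Shannon limit; alpha > 1 weights the dominant
    probabilities more, which is what makes GE react to a flood."""
    if alpha == 1.0:
        return -sum(p * math.log2(p) for p in probs if p > 0)
    return math.log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)

def generalized_divergence(p, q, alpha, floor=1e-6):
    """Rényi divergence of order alpha (alpha > 0, alpha != 1) between the
    window distribution p and the baseline q (dicts keyed by source IP).
    Addresses absent from the baseline get a small probability floor so a
    never-seen (spoofed) source keeps the divergence finite."""
    keys = set(p) | set(q)
    total = sum(p.get(k, 0.0) ** alpha * max(q.get(k, 0.0), floor) ** (1.0 - alpha)
                for k in keys)
    return math.log2(total) / (alpha - 1.0)

def distribution(src_ips):
    """Empirical probability of each source IP within one packet_in window."""
    n = len(src_ips)
    return {ip: c / n for ip, c in Counter(src_ips).items()}

# Constructed windows of packet_in source addresses (20 table misses each).
# Normal: a few hosts behind the switches repeatedly causing table misses.
NORMAL_WINDOW = ["10.0.0.1"] * 6 + ["10.0.0.2"] * 5 + ["10.0.0.3"] * 4 + ["10.0.0.4"] * 5
# Low rate attack: the same miss rate, but 8 misses carry spoofed,
# never-repeating source addresses, each forcing a fresh packet_in.
ATTACK_WINDOW = NORMAL_WINDOW[:12] + ["198.51.100.%d" % i for i in range(8)]

BASELINE = distribution(NORMAL_WINDOW)  # learned from an attack-free period

def score_window(window, alpha=2.0):
    """Shannon entropy, GE and GID (against BASELINE) for one window."""
    p = distribution(window)
    probs = list(p.values())
    return {"shannon": generalized_entropy(probs, 1.0),
            "ge": generalized_entropy(probs, alpha),
            "gid": generalized_divergence(p, BASELINE, alpha)}

def is_attack(window, threshold, alpha=2.0):
    """Fixed-threshold anomaly rule on the divergence from the baseline."""
    return score_window(window, alpha)["gid"] > threshold

if __name__ == "__main__":
    for name, win in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        print(name, {k: round(v, 3) for k, v in score_window(win).items()},
              "attack" if is_attack(win, threshold=1.0) else "benign")
```

The divergence of the baseline window against itself is zero, while the spoofed window's divergence is driven by the addresses the baseline has never seen; in practice the threshold is tuned on attack-free windows so that normal fluctuation stays below it.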

Experimental setup

We run our experiment on a PC with an Intel Core i7-4770 processor, 3.4 GHz clock speed and 4 GB RAM. The operating system is Linux Ubuntu 14.04 LTS with Mininet V 2.2.26, which supports OF version 1.3. To illustrate the functionality of the proposed approach, we use the scenario illustrated in Fig. 4. The network consists of three controller domains, and each domain consists of one POX controller, 64 hosts and 8 OpenFlow switches. We connect 8 hosts to each OF switch to

Performance evaluation

In order to validate the information distance metric and carry out the simulation, we make the following assumptions.

  • The normal traffic follows a Gaussian distribution and the attack traffic follows a Poisson distribution.

  • The attack flows come from OpenFlow devices and merge at the controller.

  • During the attack, the attack traffic generating tool generates UDP packets and spoofs the source IP address of each packet.

  • During an attack, the whole network system is stable.

Conclusion

A low rate DDoS attack is a serious threat to the control layer of an SDN based data center. It is very important to identify the attack well before it happens. One of the ways the control layer can be attacked is by increasing the number of packet_in control events. When packet_in events increase, they become a bottleneck for the controller, and its resources start depleting. In such a situation, the usual Shannon entropy is a less efficient detection method and is prone to false alarms. Hence, we have

Kshira Sagar Sahoo is a Ph.D. scholar in Computer Science and Engineering at National Institute of Technology, Rourkela, India. He received his M.Tech degree in Information and Communication Technology from IIT, Kharagpur, India in 2014. His research interests include Software Defined Network, network virtualization, Big Data Analytics. He is a student member of IEEE computer society.

References (58)

  • Osanaiye, O. et al., Distributed denial of service (DDoS) resilience in cloud: review and conceptual cloud DDoS mitigation framework, J. Netw. Comput. Appl. (2016)
  • Lin, C. et al., Security and privacy for the internet of drones: Challenges and solutions, IEEE Commun. Mag. (2018)
  • D'Orazio, C.J. et al., Circumventing iOS security mechanisms for APT forensic investigations: A security taxonomy for cloud apps, Future Gener. Comput. Syst. (2018)
  • Do, Q. et al., Cyber-physical systems information gathering: A smart home case study, Comput. Netw. (2018)
  • Behal, S. et al., Detection of DDoS attacks and flash events using novel information theory metrics, Comput. Netw. (2017)
  • Hu, F. et al., A survey on software-defined network and OpenFlow: From concept to implementation, IEEE Commun. Surv. Tutor. (2014)
  • Dargahi, T. et al., A survey on the security of stateful SDN data planes, IEEE Commun. Surv. Tutor. (2017)
  • Sahoo, K.S. et al., On the placement of controllers in software-defined-WAN using meta-heuristic approach, J. Syst. Softw. (2018)
  • Akhunzada, A. et al., Securing software defined networks: taxonomy, requirements, and open issues, IEEE Commun. Mag. (2015)
  • S. Denazis, E. Haleplidis, J.H. Salim, O. Koufopavlou, D. Meyer, K. Pentikousis, Software-Defined Networking (SDN):...
  • Wang, R. et al., An entropy-based distributed DDoS detection mechanism in software-defined networking
  • Puthal, D. et al., Secure and sustainable load balancing of edge data centers in fog computing, IEEE Commun. Mag. (2018)
  • Xiang, Y. et al., Low-rate DDoS attacks detection and traceback by using new information metrics, IEEE Trans. Inf. Forensics Secur. (2011)
  • Zhou, L. et al., Low-rate DDoS attack detection using expectation of packet size, Secur. Commun. Netw. (2017)
  • Kompella, R.R. et al., On scalable attack detection in the network
  • Swain, B.R. et al., Mitigating DDoS attack and saving computational time using a probabilistic approach and HCF method
  • Wang, H. et al., Defense against spoofed IP traffic using hop-count filtering, IEEE/ACM Trans. Netw. (ToN) (2007)
  • Alanazi, S. et al., On resilience of wireless mesh routing protocol against DoS attacks in IoT-based ambient assisted living applications
  • Shin, S. et al., Avant-guard: Scalable and vigilant switch flow management in software-defined networks


    Deepak Puthal received the Ph.D. degree in computer from University of Technology Sydney (UTS), Australia. He is currently a Lecturer (Assistant Professor) with the Faculty of Engineering and IT, University of Technology Sydney, Australia. He has authored in several international conferences and journals, including IEEE and ACM transactions. His research interests include cyber security, Internet of Things, distributed computing, and big data analytics. He is an Associate Editor of the IEEE Consumer Electronics Magazine and the KSII Transactions on Internet and Information Systems.

    Mayank Tiwary is working as a core developer in SAP Cloud Platform at SAP Labs Bangalore, India. He has received his graduation degree from Biju Patnaik University of Technology, Odisha, India. He has numbers of publications in the domain of distributed and cloud computing.

    Joel J.P.C. Rodrigues is a professor and senior researcher at the National Institute of Telecommunications (Inatel), Brazil and senior researcher at the Instituto de Telecomunicações, Portugal. He has been professor at the University of Beira Interior (UBI), Portugal and visiting professor at the University of Fortaleza (UNIFOR), Brazil. He received the Academic Title of Aggregated Professor in informatics engineering from UBI, the Habilitation in computer science and engineering from the University of Haute Alsace, France, a Ph.D. degree in informatics engineering and an M.Sc. degree from the UBI, and a five-year B.Sc. degree (licentiate) in informatics engineering from the University of Coimbra, Portugal. His main research interests include e-health, sensor networks and IoT, vehicular communications, and mobile and ubiquitous computing. Prof. Joel is the leader of NetGNA Research Group (http://netgna.it.ubi.pt), the President of the scientific council at ParkUrbis (Covilhã Science and Technology Park), the Past-Chair of the IEEE ComSoc Technical Committee on eHealth, the Past-chair of the IEEE ComSoc Technical Committee on Communications Software, Steering Committee member of the IEEE Life Sciences Technical Community and Publications co-Chair, and Member Representative of the IEEE Communications Society on the IEEE Biometrics Council. He is the editor-in-chief of the International Journal on E-Health and Medical Communications, the editor-in-chief of the Recent Advances on Communications and Networking Technology, the editor-in-chief of the Journal of Multimedia Information Systems, and editorial board member of several high-reputed journals. He has been general chair and TPC Chair of many international conferences, including IEEE ICC, GLOBECOM, and HEALTHCOM. He is a member of many international TPCs and participated in several international conferences organization. He has authored or coauthored over 500 papers in refereed international journals and conferences, 3 books, and 2 patents. He has been awarded several Outstanding Leadership and Outstanding Service Awards by the IEEE Communications Society and several best paper awards. Prof. Rodrigues is a licensed professional engineer (as senior member), member of the Internet Society, an IARIA fellow, and a senior member of ACM and IEEE.

    Bibhudatta Sahoo obtained his M.Tech. and Ph.D. degrees in Computer Science & Engineering from NIT, Rourkela. He has 24 years of teaching experience at undergraduate and graduate level in the field of Computer Science & Engineering. He is presently Assistant Professor in the Department of Computer Science & Engineering, NIT Rourkela, India. His technical interests include Data Structures & Algorithm Design, Parallel & Distributed Systems, Networks, Computational Machines, Algorithms for VLSI Design, performance evaluation methods and modeling techniques for distributed computing systems, networking algorithms, and web engineering. He is a member of IEEE & ACM.

    Ratnakar Dash received his Ph.D. degree from National Institute of Technology, Rourkela, India, in 2013. He is presently working as Assistant Professor in the Department of Computer Science and Engineering at National Institute of Technology, Rourkela, India. His area of interests includes signal processing, image processing, intrusion detection system and steganography. He has published more than 10 papers in journals of international repute.
