Efficient Detection of Link-Flooding Attacks with Deep Learning

2021 ◽  
Vol 13 (22) ◽  
pp. 12514
Author(s):  
Chih-Hsiang Hsieh ◽  
Wei-Kuan Wang ◽  
Cheng-Xun Wang ◽  
Shi-Chun Tsai ◽  
Yi-Bing Lin

The DDoS attack is one of the most notorious attacks, and the severe impact of the 2018 DDoS attack on GitHub raises the importance of designing effective defense methods for detecting this type of attack. Unlike the traditional network architecture, which takes too long to cope with DDoS attacks, we focus on link-flooding attacks, which do not attack the target directly. An effective defense mechanism is crucial, since as long as a link-flooding attack goes undetected it causes problems across the Internet. With the flexibility of software-defined networking, we design a novel framework and implement our ideas with a deep learning approach to improve on the performance of previous work. Through rerouting techniques and monitoring of network traffic, our system can detect a malicious attack by the adversary. A CNN architecture is used to help find an appropriate rerouting path that shortens the reaction time for detecting DDoS attacks. Therefore, the proposed method can efficiently distinguish benign traffic from malicious traffic and prevent attackers from carrying out link-flooding attacks through bots.

Technologies ◽  
2021 ◽  
Vol 9 (1) ◽  
pp. 14
Author(s):  
James Dzisi Gadze ◽  
Akua Acheampomaa Bamfo-Asante ◽  
Justice Owusu Agyemang ◽  
Henry Nunoo-Mensah ◽  
Kwasi Adu-Boahen Opare

Software-Defined Networking (SDN) is a new paradigm that revolutionizes the idea of a software-driven network through the separation of the control and data planes. It addresses the problems of the traditional network architecture. Nevertheless, this brilliant architecture is exposed to several security threats, e.g., the distributed denial of service (DDoS) attack, which is hard to contain in such software-based networks. The concept of a centralized controller in SDN makes it a single point of attack as well as a single point of failure. In this paper, deep learning-based models, long short-term memory (LSTM) and convolutional neural network (CNN), are investigated. It illustrates their feasibility and efficiency for detecting and mitigating DDoS attacks. The paper focuses on TCP, UDP, and ICMP flood attacks that target the controller. The performance of the models was evaluated based on accuracy, recall, and true negative rate. We compared the performance of the deep learning models with classical machine learning models. We further provide details on the time taken to detect and mitigate the attack. Our results show that the RNN LSTM is a viable deep learning algorithm that can be applied to the detection and mitigation of DDoS in the SDN controller. Our proposed model produced an accuracy of 89.63%, which outperformed linear-based models such as SVM (86.85%) and Naive Bayes (82.61%). Although KNN, which is a linear-based model, outperformed our proposed model (achieving an accuracy of 99.4%), our proposed model provides a good trade-off between precision and recall, which makes it suitable for DDoS classification. In addition, it was realized that the split ratio of the training and testing datasets can give different results for the performance of a deep learning algorithm used in a specific work. The model achieved its best performance when a 70/30 split was used, in comparison to 80/20 and 60/40 split ratios.


2018 ◽  
Vol 7 (2.6) ◽  
pp. 46 ◽  
Author(s):  
Sanjeetha R ◽  
Shikhar Srivastava ◽  
Rishab Pokharna ◽  
Syed Shafiq ◽  
Dr Anita Kanavalli

Software Defined Network (SDN) is a new network architecture which separates the data plane from the control plane. The SDN controller implements the control plane and the switches implement the data plane. Many papers discuss DDoS attacks on primary servers present in an SDN and how they can be mitigated with the help of the controller. In our paper we show how a DDoS attack can be instigated on the SDN controller by manipulating the flow table entries of switches, such that they send continuous requests to the controller and exhaust its resources. This is a new, but possible, way in which a DDoS attack can be performed on the controller. We show the vulnerability of SDN to this kind of attack. We further propose a solution for mitigating it, by running a DDoS detection module which uses the variation of flow entry request traffic from all switches in the network to identify compromised switches and blocks them completely.
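To make the detection idea concrete, here is an added example (not the authors' module) that replays constructed per-switch packet-in counts and blocks a switch whose flow-request rate diverges from its peers. The median/MAD threshold, the two-window confirmation, the switch ids and the counts are assumptions of this example, not values from the paper.

```python
"""Flag switches that flood the SDN controller with flow-entry requests.

Added example, not the paper's code. Each switch's packet-in (flow-request)
count per time window is compared with the rest of the network: a switch whose
count is far above the median of its peers for several consecutive windows is
treated as compromised and blocked. The robust median/MAD threshold, the
strike count and the sample counts are this example's own assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: packet-in messages per 1 s window, keyed by switch id.
# s3 behaves normally for four windows; then its flow table is tampered with so
# that every packet misses and is sent to the controller.
SAMPLE_WINDOWS = [
    {"s1": 12, "s2": 9,  "s3": 11,   "s4": 10},
    {"s1": 14, "s2": 8,  "s3": 13,   "s4": 12},
    {"s1": 11, "s2": 10, "s3": 12,   "s4": 9},
    {"s1": 13, "s2": 9,  "s3": 10,   "s4": 11},
    {"s1": 12, "s2": 11, "s3": 940,  "s4": 10},
    {"s1": 15, "s2": 9,  "s3": 1210, "s4": 12},
]


def robust_threshold(counts, k=6.0, floor=20):
    """median + k * MAD of this window's counts, never below `floor` packet-ins."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1.0
    return max(floor, med + k * mad)


class PacketInMonitor:
    def __init__(self, k=6.0, confirm=2):
        self.k = k
        self.confirm = confirm            # consecutive anomalous windows before blocking
        self.strikes = defaultdict(int)
        self.blocked = set()

    def observe(self, window):
        """Feed one window of per-switch counts; return the switches flagged in it."""
        active = {sw: c for sw, c in window.items() if sw not in self.blocked}
        if len(active) < 2:               # nothing to compare against
            return set()
        thr = robust_threshold(list(active.values()), self.k)
        flagged = set()
        for sw, c in active.items():
            if c > thr:
                flagged.add(sw)
                self.strikes[sw] += 1
                if self.strikes[sw] >= self.confirm:
                    self.blocked.add(sw)  # controller installs a drop rule / disables the port
            else:
                self.strikes[sw] = 0      # the anomaly must be sustained; a lone burst is forgiven
        return flagged


def run(windows):
    """Replay a sequence of windows and return the switches that ended up blocked."""
    mon = PacketInMonitor()
    for w in windows:
        mon.observe(w)
    return mon.blocked


if __name__ == "__main__":
    print("blocked switches:", run(SAMPLE_WINDOWS))
```

Comparing each switch against the median of its peers rather than against a fixed rate keeps the rule valid when the whole network gets busier; requiring two consecutive anomalous windows is what prevents a benign burst of new flows on one switch from disconnecting it.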


2021 ◽  
Vol 2021 ◽  
pp. 1-17
Author(s):  
Bashar Ahmad Khalaf ◽  
Salama A. Mostafa ◽  
Aida Mustapha ◽  
Mazin Abed Mohammed ◽  
Moamin A. Mahmoud ◽  
...  

Currently, online organizational resources and assets are potential targets of several types of attack, the most common being flooding attacks. We consider the Distributed Denial of Service (DDoS) as the most dangerous type of flooding attack that could target those resources. The DDoS attack consumes available network resources such as bandwidth, processing power, and memory, thereby limiting or withholding accessibility to users. The Flash Crowd (FC) is quite similar to the DDoS attack, whereby many legitimate users concurrently access a particular service, the number of which results in the denial of service. Researchers have proposed many different models to eliminate the risk of DDoS attacks, but only a few efforts have been made to differentiate it from FC flooding, as FC flooding also causes denial of service and usually misleads the detection of DDoS attacks. In this paper, an adaptive agent-based model, known as the Adaptive Protection of Flooding Attacks (APFA) model, is proposed to protect the Network Application Layer (NAL) against DDoS flooding attacks and FC flooding traffic. The APFA model, with the aid of an adaptive analyst agent, distinguishes between DDoS and FC abnormal traffic. It then separates the DDoS botnet from Demons and Zombies to apply a suitable attack handling methodology. There are three parameters on which the agent relies, normal traffic intensity, traffic attack behavior, and IP address history log, to decide on the operation of two traffic filters. We test and evaluate the APFA model via a simulation system using CIDDS as a standard dataset. The model successfully adapts to the simulated attack scenarios' changes and determines 303,024 request conditions for the tested 135,583 IP addresses. It achieves an accuracy of 0.9964, a precision of 0.9962, and a sensitivity of 0.9996, and outperforms three tested similar models. In addition, the APFA model contributes to identifying and handling the actual trigger of a DDoS attack and differentiates it from FC flooding, which is rarely implemented in one model.
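An added example (not the APFA model's code) that separates a flash crowd from a botnet flood on constructed request logs using the three signals the abstract names: normal traffic intensity, per-source request behaviour and an IP address history log. The concrete rules, thresholds, addresses and rates are assumptions of this example and go beyond what the abstract specifies.

```python
"""Tell a flash crowd from a DDoS flood using the three signals the APFA
abstract names: normal traffic intensity, per-source request behaviour and an
IP address history log.

Added example, not the paper's code or agent logic. The rules below (share of
previously seen sources, regularity of each source's request cadence) are this
example's own simplification. All addresses, rates and logs are constructed.
"""
import random
from collections import defaultdict
from statistics import mean, pstdev

# IP address history log: sources seen during normal operation (constructed).
KNOWN_IPS = {f"10.0.{i // 250}.{i % 250 + 1}" for i in range(600)}
BASELINE_RPS = 40.0          # normal traffic intensity in requests/second (constructed)
WINDOW_SECONDS = 5


def make_flash_crowd(rng, rps=400, seconds=WINDOW_SECONDS):
    """Legitimate surge: mostly known sources, human-irregular timing, varied URIs."""
    known = sorted(KNOWN_IPS)
    events = []
    for _ in range(rps * seconds):
        if rng.random() < 0.8:
            src = rng.choice(known)
        else:
            src = f"203.0.113.{rng.randrange(1, 255)}"   # a newcomer
        events.append((rng.uniform(0, seconds), src,
                       rng.choice(["/", "/news", "/live", "/api/score"])))
    return sorted(events)


def make_ddos(rng, rps=400, seconds=WINDOW_SECONDS, bots=100):
    """Botnet flood: unseen sources, each bot fires on a fixed timer at one URI."""
    per_bot = rps * seconds // bots
    events = []
    for b in range(1, bots + 1):
        start = rng.uniform(0, 0.05)
        events.extend((start + k * seconds / per_bot, f"198.51.100.{b}", "/")
                      for k in range(per_bot))
    return sorted(events)


def sample_windows(seed=7):
    """Deterministic constructed flash-crowd and DDoS windows."""
    rng = random.Random(seed)
    return make_flash_crowd(rng), make_ddos(rng)


def features(events, known_ips, seconds):
    """(requests/s, share of sources in the history log, mean cadence CV per source)"""
    rps = len(events) / seconds
    sources = {src for _, src, _ in events}
    known_share = sum(1 for s in sources if s in known_ips) / len(sources)
    times = defaultdict(list)
    for t, src, _ in events:
        times[src].append(t)
    cvs = []
    for ts in times.values():
        if len(ts) >= 3:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if mean(gaps) > 0:
                cvs.append(pstdev(gaps) / mean(gaps))   # 0 = perfectly regular timer
    return rps, known_share, (mean(cvs) if cvs else 1.0)


def classify(events, known_ips=KNOWN_IPS, baseline_rps=BASELINE_RPS,
             seconds=WINDOW_SECONDS):
    rps, known_share, cadence_cv = features(events, known_ips, seconds)
    if rps < 3 * baseline_rps:
        return "normal"
    # Abnormal intensity: many returning users with irregular cadence is a crowd,
    # mostly new sources on a fixed cadence is a botnet.
    if known_share >= 0.5 and cadence_cv >= 0.3:
        return "flash_crowd"
    return "ddos"


def attack_sources(events, known_ips=KNOWN_IPS):
    """Filter input for the DDoS case: unseen sources with a machine-regular cadence."""
    times = defaultdict(list)
    for t, src, _ in events:
        times[src].append(t)
    out = set()
    for src, ts in times.items():
        if src in known_ips or len(ts) < 3:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.1:
            out.add(src)
    return out


if __name__ == "__main__":
    fc, dd = sample_windows()
    print(classify(fc), classify(dd), len(attack_sources(dd)))
```

The intensity test alone cannot separate the two cases, since both windows run at ten times the baseline; it is the history log (returning users versus never-seen addresses) and the cadence regularity that decide which filter to apply. A flash crowd would be rate-limited and served, whereas the sources returned by attack_sources would be dropped.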


Author(s):  
Deepa Nehra ◽  
Kanwalvir Singh Dhindsa ◽  
Bharat Bhushan

Background & Objective: A DDoS attack poses a huge threat to the communication and security of mobile nodes in MANETs. The number of approaches proposed to defend against DDoS attacks in MANETs is much smaller than for wire-based networks. The aim of this paper is to test the effectiveness of the proposed cluster-based DDoS attack defense mechanism with various reactive routing protocols. Method: The scheme proposed here is a clustering-based DDoS defense mechanism, in which the cluster heads monitor the incoming traffic to identify the presence of suspicious behaviour. After successful identification of suspicious behaviour, the flow responsible for it is identified and it is confirmed whether or not it is related to a DDoS attack. Once a DDoS attack is confirmed, all packets related to it are discarded. Results & Discussion: OMNeT++ along with the INET framework is used to evaluate the effectiveness of the proposed defense scheme with different routing protocols. In attack situations, DYMO exhibited higher throughput and was able to deliver approximately 95% of legitimate packets. DYMO, in comparison to AODV and DSR, managed to keep end-to-end delay at its best levels (i.e. 0.40 to 0.70 seconds). In terms of packet delivery ratio, AODV and DYMO both perform better than DSR and are able to maintain PDR at the highest levels (i.e. 0.90 to 0.94). Conclusion: The attack detection mechanism proposed here performs various tasks such as monitoring, characterization, and identification of attack traffic in the incoming flow with the help of neighbouring cluster heads. A flow identified as an attack is discarded and attack-related information is shared with neighbouring cluster heads to achieve distributed defense. The performance of the proposed defense system is assessed with different reactive routing protocols, and it is found that the DYMO protocol performs better than AODV and DSR.


2016 ◽  
Vol 2016 ◽  
pp. 1-13 ◽  
Author(s):  
Katarzyna Mazur ◽  
Bogdan Ksiezopolski ◽  
Radoslaw Nielek

The growing popularity of wireless sensor networks increases the risk of security attacks. One of the most common and dangerous types of attack that takes place these days in any electronic society is the distributed denial of service attack. Due to the resource-constrained nature of mobile sensors, DDoS attacks have become a major threat to their stability. In this paper, we establish a model of a structural health monitoring network disturbed by one of the most common types of DDoS attack, the flooding attack. Through a set of simulations, we explore the scope of the flood-based DDoS attack problem, assessing the performance and the lifetime of the network under attack conditions. To conduct our research, we utilized the Quality of Protection Modeling Language. With the proposed approach, it was possible to examine numerous network configurations, parameters, attack options, and scenarios. The results of the carefully performed multilevel analysis allowed us to identify a new kind of DDoS attack, the delayed distributed denial of service, referred to by the authors as the DDDoS attack. The multilevel approach to DDoS attack analysis confirmed that, when examining endangered environments, it is important to take many characteristics into account at once, so as not to overlook any important aspect.


Author(s):  
Thapanarath Khempetch ◽  
Pongpisit Wuttidittachotti

Nowadays, IoT devices are widely used both in daily life and in corporate and industrial environments. The use of these devices has increased dramatically, and by 2030 it is estimated that their number will rise to 125 billion devices, causing an enormous flow of information. It is likely that this will also increase the distributed denial-of-service (DDoS) attack surface. As IoT devices have limited resources, it is impossible to add additional security structures to them. Therefore, the risk of DDoS attacks by malicious people who can take control of IoT devices remains extremely high. In this paper, we use the CICDDoS2019 dataset, a dataset that has fixed the bugs of earlier ones and introduces a new taxonomy for DDoS attacks, including a new flow-based classification. We propose DDoS attack detection using the deep neural network (DNN) and long short-term memory (LSTM) algorithms. Our results show that they can detect more than 99.90% of all three types of DDoS attacks. The results indicate that deep learning is another option for detecting attacks that may cause disruptions in the future.


2021 ◽  
Vol 2021 ◽  
pp. 1-22
Author(s):  
Tianfang Yu ◽  
Lanlan Rui ◽  
Xuesong Qiu

In traditional networks, DDoS attacks are often launched at the network layer or the transport layer. Researchers have explored this problem in depth and put forward plenty of solutions. However, these solutions are only suitable for scenarios such as a single link or the victim-side network and cannot analyse traffic distribution from the angle of the global network. Also, the TCP/IP network architecture lacks the ability to quickly conduct resource deployment and traffic scheduling. When DDoS attacks occur, victims usually cannot respond in time. With the advantages of centralized control and a global topological view, Software-Defined Networking (SDN) provides a new way to overcome the above issues. In this paper, we adopt a combination of diverse technologies to design SDNDefender, an SDN-based DDoS detection and defense mechanism composed of two core components aimed at countering the most popular DDoS attacks, including the IP spoofing attack and the TCP SYN flood attack. We carry out quantitative simulation experiments to evaluate SDNDefender on many metrics. The experimental results show that, in contrast to other DDoS defense algorithms, SDNDefender not only efficiently validates spoofed packets and withstands well-known attacks but also defends against unknown attacks according to the target's available resources. Besides, SDNDefender can significantly reduce TCP half-open connections and improve detection accuracy, alleviating attack effects that exhaust the server's resources and network bandwidth.


2021 ◽  
Vol 1 (1) ◽  
pp. 281-290
Author(s):  
Rifki Indra Perwira ◽  
Hari Prapcoyo

SDN is a new technology in the networking concept where there is a separation between the data plane and the control plane, the brain that regulates data forwarding, so that the latter becomes a target for DDoS attacks. Detection of DDoS attacks is an important topic in the field of network security, because of the difficulty of detecting the difference between normal traffic and anomalous attacks. Based on data from helpnetsecurity.com, in 2020 there were 4.83 million attempted DoS/DDoS attacks on various services; this shows that network security is very important. Various methods have been used to detect DDoS attacks, such as using a threshold on passing network traffic, where the average traffic size is compared with 3 times the standard deviation; the weakness of this method is that if there is a spike in traffic it will be detected as an attack even though the traffic is normal, which increases false positives. To maintain security on the SDN network, a system is needed that can detect DDoS attacks anomalously by taking advantage of the habits that appear on the system and assuming that if there are deviations from those habits, a DDoS attack is declared; the SVM method is used to categorize the traffic data obtained from the controller to detect whether or not it is a DDoS attack. Based on the tests conducted with 500 training data, the accuracy is 99.2%. The conclusion of this paper is that the RBF SVM kernel can be very good at detecting anomalous DDoS attacks.
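The threshold baseline the abstract criticises, as an added example (not the paper's code): a rolling mean + 3 sigma rule over a constructed packet-count series. It reproduces the false positive on a legitimate spike and also shows a second weakness the abstract does not mention, that feeding flooded windows back into the baseline silences the alarm. The series, the window length and the multiplier are assumptions of this example.

```python
"""Rolling mean + 3 sigma traffic threshold, the baseline method the abstract
criticises, run on a constructed packet-count series.

Added example, not the paper's code. It shows the false positive the abstract
describes (a one-window legitimate spike trips the rule) and a second weakness
the abstract does not mention: once a flood starts, including the flooded
windows in the baseline inflates the deviation and silences the alarm, unless
the baseline is frozen while windows are flagged. The series and the window
length are constructed.
"""
from statistics import mean, pstdev

# Packets per 1 s window seen by the controller (constructed).
TRAFFIC = [
    100, 104, 98, 101, 99, 103, 97, 102, 100, 101,   # 0-9:   normal
    420,                                             # 10:    legitimate one-off spike
    99, 102, 100, 98, 103, 101, 99, 100, 102,        # 11-19: normal
    600, 620, 700, 720, 710, 730,                    # 20-25: sustained flood
]


def three_sigma_flags(series, window=8, k=3.0, freeze_baseline=False):
    """Indices whose count exceeds mean + k*sigma of the previous `window` baseline values.

    freeze_baseline=False: every window, flagged or not, enters the baseline (naive).
    freeze_baseline=True:  flagged windows are kept out of the baseline.
    """
    flags, baseline = [], list(series[:window])
    for i in range(window, len(series)):
        hist = baseline[-window:]
        mu, sigma = mean(hist), max(pstdev(hist), 1.0)   # floor avoids a zero-variance threshold
        suspect = series[i] > mu + k * sigma
        if suspect:
            flags.append(i)
        if not (suspect and freeze_baseline):
            baseline.append(series[i])
    return flags


if __name__ == "__main__":
    print("naive :", three_sigma_flags(TRAFFIC))                        # [10, 20]
    print("frozen:", three_sigma_flags(TRAFFIC, freeze_baseline=True))  # [10, 20, 21, 22, 23, 24, 25]
```

Window 10 is flagged in both modes: that is the false positive the abstract describes, and no choice of k fixes it, because a single window carries no information about whether the extra traffic is legitimate. Freezing the baseline only repairs the second defect, where the naive rule raises one alarm at window 20 and then goes quiet while the flood continues.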


2019 ◽  
Author(s):  
Kairo Tavares ◽  
Tiago Coelho Ferreto

Distributed Denial of Service (DDoS) attacks continue to be a major issue in today's Internet. Over the last few years, we have observed a dramatic escalation in the number, scale, and diversity of these attacks. Among the various types, the spoofed TCP SYN flood is one of the most common forms of volumetric DDoS attack. Several works have explored the flexible management control provided by the new network paradigm called Software-Defined Networking (SDN) to produce a flexible and powerful defense system. Among them, data plane based solutions combined with the recent flexibility of programmable switches aim to leverage hardware speed and defend against spoofed flooding attacks. Usually, they implement anti-spoofing mechanisms that rely on performing client authentication on the data plane using techniques such as TCP Proxy, TCP Reset, and Safe Reset. However, these mechanisms have several limitations. First, due to the interaction required to authenticate the client, they penalize all clients' connection time even without an ongoing attack. Second, they use a limited version of TCP cookies to detect a valid client ACK or RST, and finally, they are vulnerable to a buffer saturation attack due to the limited data plane resources that store the whitelist of authenticated users. In this work, we propose the use of sketch-based solutions to improve the data plane Safe Reset anti-spoofing defense mechanism. We implemented our solution in P4, a high-level language for programmable data planes, and evaluate it against a data plane Safe Reset technique in an emulated environment using Mininet.
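An added example (not the thesis's P4 code) modelling, in Python, reset-based client authentication with an HMAC cookie and a fixed-size Bloom-filter whitelist, which is the sketch idea the abstract proposes. The exchange, the per-source whitelist key, the secret and the packets are assumptions of this example; the exact Safe Reset variant the thesis improves is not reproduced.

```python
"""Reset-based client authentication with an HMAC cookie and a Bloom-filter
(sketch) whitelist, modelled in Python.

Added example, not the thesis's P4 code; the exact Safe Reset variant it
improves is not reproduced here. Model (assumption): an unknown source's SYN
is answered by the switch with a SYN-ACK whose acknowledgement number is a
cookie instead of seq+1; a real TCP stack answers that unacceptable ACK with a
RST carrying the cookie as its sequence number (RFC 793), which proves the
source address is not spoofed. Authenticated sources go into a fixed-size
Bloom filter, so the whitelist cannot be saturated by many fake clients. The
secret, epoch length and packets are constructed.
"""
import hashlib
import hmac
import time

SECRET = b"constructed-per-switch-secret"   # rotated by the controller (assumption)


def cookie(src, sport, dst, dport, epoch, secret=SECRET):
    """32-bit cookie: 4-bit epoch tag + 28 bits of HMAC over the 4-tuple and epoch."""
    msg = f"{src}:{sport}>{dst}:{dport}|{epoch}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((epoch & 0xF) << 28) | (int.from_bytes(mac[:4], "big") & 0x0FFFFFFF)


class BloomWhitelist:
    """Fixed-memory whitelist: no false negatives, a bounded false-positive rate."""

    def __init__(self, bits=1 << 16, hashes=4):
        self.bits, self.hashes = bits, hashes
        self.bitmap = bytearray(bits // 8)

    def _positions(self, key):
        for i in range(self.hashes):
            h = hashlib.sha256(f"{i}|{key}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.bits

    def add(self, key):
        for p in self._positions(key):
            self.bitmap[p >> 3] |= 1 << (p & 7)

    def __contains__(self, key):
        return all(self.bitmap[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


class SafeResetGuard:
    """Data-plane logic for one protected server, applied to each inbound packet."""

    def __init__(self, epoch_fn=lambda: int(time.time()) // 60):
        self.epoch_fn = epoch_fn
        self.whitelist = BloomWhitelist()
        self.forwarded = []   # packets passed through to the server
        self.replies = []     # packets the switch generated itself

    def process(self, pkt):
        src = pkt["src"]      # whitelist keyed on source address (assumption)
        if src in self.whitelist:
            self.forwarded.append(pkt)
            return "forward"
        epoch = self.epoch_fn()
        if pkt["flags"] == "SYN":
            # Challenge: SYN-ACK whose ack number is the cookie, not pkt seq + 1.
            # No per-flow state is created; a spoofed source never sees this reply.
            self.replies.append({
                "src": pkt["dst"], "sport": pkt["dport"], "dst": src, "dport": pkt["sport"],
                "flags": "SYN-ACK", "seq": 0,
                "ack": cookie(src, pkt["sport"], pkt["dst"], pkt["dport"], epoch),
            })
            return "challenge"
        if pkt["flags"] == "RST":
            # A genuine stack resets with seq == the bogus ack it received.
            for e in (epoch, epoch - 1):   # tolerate a key/epoch boundary
                if pkt["seq"] == cookie(src, pkt["sport"], pkt["dst"], pkt["dport"], e):
                    self.whitelist.add(src)
                    return "authenticated"   # the client's SYN retransmit will be forwarded
        return "drop"


def demo():
    """Legitimate client completes the challenge; a spoofing attacker never does."""
    guard = SafeResetGuard(epoch_fn=lambda: 1000)
    legit = {"src": "192.0.2.10", "sport": 40000, "dst": "10.0.0.5", "dport": 80}
    spoof = {"src": "198.51.100.7", "sport": 1234, "dst": "10.0.0.5", "dport": 80}
    out = [guard.process({**legit, "flags": "SYN", "seq": 7, "ack": 0})]
    challenge = guard.replies[-1]
    out.append(guard.process({**legit, "flags": "RST", "seq": challenge["ack"], "ack": 0}))
    out.append(guard.process({**legit, "flags": "SYN", "seq": 7, "ack": 0}))   # retransmit
    out.append(guard.process({**spoof, "flags": "SYN", "seq": 1, "ack": 0}))
    out.append(guard.process({**spoof, "flags": "RST", "seq": 1, "ack": 0}))   # guessed cookie
    return out, len(guard.forwarded)


if __name__ == "__main__":
    print(demo())
```

The model makes the abstract's three limitations visible: every new client pays one challenge round trip plus a SYN retransmit timeout before its first connection goes through; the cookie is only as strong as the bits the ack field can carry; and the whitelist, as a Bloom filter, costs constant memory regardless of how many addresses an attacker authenticates, at the price of a small false-positive rate that lets an occasional unverified source through.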

