
A Deep Learning Based DDoS Detection System in Software-Defined Networking (SDN) (1611.07400v1)

Published 22 Nov 2016 in cs.NI

Abstract: Distributed Denial of Service (DDoS) is one of the most prevalent attacks that an organizational network infrastructure comes across nowadays. We propose a deep learning based multi-vector DDoS detection system in a software-defined network (SDN) environment. SDN provides flexibility to program network devices for different objectives and eliminates the need for third-party vendor-specific hardware. We implement our system as a network application on top of an SDN controller. We use deep learning for feature reduction of a large set of features derived from network traffic headers. We evaluate our system based on different performance metrics by applying it on traffic traces collected from different scenarios. We observe high accuracy with a low false-positive for attack detection in our proposed system.

Citations (273)

Summary

  • The paper introduces a novel deep learning model that leverages stacked autoencoders for detecting multi-vector DDoS attacks in the SDN control and data planes.
  • It integrates modules for traffic collection, feature extraction, and classification to accurately distinguish between normal and eight types of DDoS traffic.
  • The system achieves 95.65% accuracy in multi-class tests and 99.82% in binary classification, demonstrating its significant efficacy in network defense.

Overview of "A Deep Learning Based DDoS Detection System in Software-Defined Networking (SDN)"

The paper presents a comprehensive study of a deep learning-based Distributed Denial of Service (DDoS) detection system within a Software-Defined Networking (SDN) environment. The authors propose a model that uses a Stacked Autoencoder (SAE) for feature reduction and classification, addressing both data plane and control plane DDoS attacks that commonly threaten SDN infrastructures. The work is distinctive in implementing the detection system entirely on the SDN controller and in evaluating it on both real and simulated network traffic.

Research Context and Motivation

DDoS attacks disrupt operations by overwhelming network resources, and the paper cites trends indicating that their incidence is expected to increase. The attacks have also grown more complex, often using multi-vector strategies that combine TCP, UDP, and ICMP flooding. A critical concern is attacks that target SDN’s control plane, which centralizes network analytics and policy enforcement and therefore poses a higher risk than in traditional networking setups.

Software-Defined Networking, with its global network view and programmable capabilities, coupled with Deep Learning’s effective handling of high-dimensional data, provides a fertile ground for developing adaptive security solutions. This research aims to harness these capabilities to deliver an adept DDoS detection system capable of high accuracy and low false positives.

Methodology

The proposed detection system consists of three primary modules:

  1. Traffic Collector and Flow Installer (TCFI): Captures all incoming packets to the SDN controller, logs network traffic data, and intelligently manages flow rules to mitigate unnecessary rule installations in the data plane.
  2. Feature Extractor (FE): Computes a comprehensive set of 68 features from incoming network flows over a specified interval. These features address diverse traffic characteristics, such as entropy, packet size, and protocol-specific metrics.
  3. Traffic Classifier (TC): Utilizes a SAE-based model to process the reduced feature set, classifying traffic into eight distinct classes, including normal flow and seven DDoS attack types.
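
As an illustration of the Feature Extractor step, the following added example (not code from the paper or its authors) computes a few per-interval features of the kinds named above: entropy, packet size, and protocol mix. The record layout, the feature names, the 1-second interval, and the constructed sample trace are assumptions; the paper's full set of 68 features is not listed on this page.

```python
import math
from collections import Counter, defaultdict

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum(-(c / total) * math.log2(c / total) for c in counts.values())

def extract_features(packets, interval=1.0):
    """Group header records into fixed time windows and compute features.

    Each packet is (timestamp, src_ip, dst_ip, dst_port, proto, length),
    a hypothetical layout. Returns {window_index: feature_dict}.
    """
    windows = defaultdict(list)
    for pkt in packets:
        windows[int(pkt[0] // interval)].append(pkt)
    features = {}
    for idx, pkts in sorted(windows.items()):
        n = len(pkts)
        protos = Counter(p[4] for p in pkts)
        features[idx] = {
            "pkt_count": n,
            "src_ip_entropy": entropy(p[1] for p in pkts),
            "dst_ip_entropy": entropy(p[2] for p in pkts),
            "dst_port_entropy": entropy(p[3] for p in pkts),
            "mean_pkt_len": sum(p[5] for p in pkts) / n,
            "frac_tcp": protos["tcp"] / n,
            "frac_udp": protos["udp"] / n,
            "frac_icmp": protos["icmp"] / n,
        }
    return features

def sample_trace():
    """Constructed trace: window 0 is ordinary traffic, window 1 is a UDP flood."""
    normal = [
        (0.1, "10.0.0.1", "10.0.1.5", 443, "tcp", 600),
        (0.2, "10.0.0.1", "10.0.1.5", 443, "tcp", 1400),
        (0.5, "10.0.0.2", "10.0.1.6", 53, "udp", 80),
        (0.8, "10.0.0.2", "10.0.1.7", 80, "tcp", 520),
    ]
    flood = [(1.0 + i * 0.01, f"198.51.100.{i}", "10.0.1.5", 53, "udp", 64)
             for i in range(64)]
    return normal + flood

if __name__ == "__main__":
    for idx, feats in extract_features(sample_trace()).items():
        print(idx, {k: round(v, 3) for k, v in feats.items()})
```

In the flood window the source-address entropy rises while the destination-address and port entropies collapse to zero, which is the kind of shift a downstream classifier can learn from.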

Results and Evaluation

The system exhibits exceptional identification capabilities for DDoS attacks with an accuracy of 95.65% across eight classes. When simplified to a binary classification problem distinguishing between normal and attack traffic, the model attains an even more impressive accuracy of 99.82%. Such results underscore the efficacy of the SAE in handling complex multi-class classification scenarios, significantly outperforming traditional machine learning approaches employed in similar contexts.

Implications and Future Directions

Practically, this system can be deployed to enhance organizational network defenses within SDN environments, contributing to the reduction of downtime caused by DDoS attacks. The methodological integration of SAE extends the potential for deep learning applications across a broader spectrum of network security tasks, further encouraging research that leverages raw network data directly in neural networks for feature extraction.

The paper suggests future work in reducing processing overheads through hybrid data approaches, deploying FE and TCFI on separate hosts, or leveraging distributed processing techniques. These optimizations might extend the system's scalability and applicability to larger networks.

In conclusion, the development of a deep learning-based DDoS detection system provides a promising avenue for SDN security. Expanding the scope of this research to encompass a wider array of network attacks will bolster its practicality and augment the robustness of SDN deployments worldwide.