DDoS Attack Detection Based on SDN/OpenFlow Entry Features

Posted on: 2019-08-17
Degree: Master
Type: Thesis
Country: China
Candidate: C Xu
Full Text: PDF
GTID: 2428330596960903
Subject: Computer technology
Abstract/Summary:
With the rapid development of the Internet, billions of devices are now connected to networks. In the future, IoT (Internet of Things) and IPv6 will become more and more popular, and network size will grow explosively. Meanwhile, DDoS attacks are becoming more and more serious. In legacy networks, DDoS detection relies on dedicated hardware devices. Because these devices lack a global view of the network, the efficiency and accuracy of DDoS detection are not very good. As a novel network architecture, SDN decouples the control plane from the data plane. SDN offers a new approach to solving problems in legacy networks and has attracted considerable attention from academia and industry. In the future, SDN stands a chance of being widely deployed.

This thesis proposes a novel set of flow entry features that can indicate whether an OpenFlow switch is under attack in multiple DDoS attack scenarios. It also proposes a detection method based on deep learning. In addition, a cooperative detection method is presented that combines information from multiple switches. The main contributions are as follows:

(1) By analyzing existing DDoS attack methods, switch features under DDoS attack were examined from the view of packets and of flows. How these features influence OpenFlow flow entries was also discussed. The thesis then proposed a set of features and the corresponding algorithms to obtain them. These features can indicate whether an OpenFlow switch is under attack in multiple DDoS attack scenarios. A significant advantage of these features is that they remain effective even when OpenFlow switches contain permanent flow entries and SDN controllers produce flow entries with IP subnet masks.

(2) By converting the DDoS detection problem into a supervised binary classification problem in machine learning, a single-switch detection algorithm based on deep learning was proposed. The algorithm takes these features as input and predicts the likelihood that a DDoS attack is happening on a specific switch. Furthermore, the thesis discussed in detail the selection of the activation function and cost function, as well as how to apply regularization and deal with overfitting. According to the experiments, a high detection rate, a low false alarm rate and low time consumption are the main merits of this algorithm.

(3) By utilizing the global view of SDN networks, a set of features indicating the correlation among multiple switches was extracted. A cooperative DDoS detection method was then designed, which fully combines these features with the detection results of individual switches. As a result, the single-switch detection method proposed above is improved and the detection results are more accurate.

Finally, an SDN testbed was set up, the Floodlight controller was rebuilt and new northbound APIs were added. The machine learning algorithms were implemented with development frameworks including Theano and Keras. Extensive experimental results indicate that, compared to existing feature schemes and detection methods, the proposed OpenFlow features and DDoS detection methods perform much better in terms of detection accuracy and efficiency.
Keywords/Search Tags: DDoS, SDN, OpenFlow feature, deep learning