A. Data Flow in SDN

In SDN, the underlying switches only posses the forwarding logic. When a packet arrives at an OF switch, it checks its flow table and if the flow matches, it forwards the packet to the destination. If no match is found in the flow table, it sends the packet_in to the controller for taking appropriate decision. Thus by following the above procedure, SDN separates the processing plane and forwarding plane. If a huge volume of spoofed packets is sent together, each time there is a miss-match in the flow table and in turn, large packet_in events are sent to the controller. The limited memory space of the controller causes a delay for the processing the requests. This processing delay creates a chance for the attackers to modify the flow entries, dropping the legitimate traffic, makes overflow the flowtable, etc. This can be expressed as a DDoS attack on the SDN controller.

B. DDoS Attack in SDN

In DDoS attack, rate of arriving incoming packet to the network is high, the collection of legitimate and spoofed packet will collectively bind the network resources hence make the resource exhaust. If this process continues server will be unreachable for the new incoming legitimate packet and the packet will be dropped by making the network unreliable. DDoS attacks can broadly be categorized into three types, such as volumetric attack, protocol-exploitation attack, and application layer attack. The UDP flood and TCP flooding attacks come under volumetric attacks, whereas HTTP flood and DNS flooding categorized as application-layer attacks [44].

In SDN, the control plane is responsible for centralized network intelligence. In single controller architecture, there is a high possibility of single point of failure (SPF). If the attacker gets access to the controller, it can cause massive destruction to the network infrastructure [36]. The controller applications like load balancing, firewall, routing are operated on top of the control plane. For instance, if firewall application get accessed, then a different Access Control List (ACL) can be formed [43]. Though TLS/SSL connection between the controller and OF switch creates a secure connection; in case the loss of TLS connection, it needs a backup controller for the switch. In such a scenario, OF switch can use flow tables as per its choices. A malicious flow rule can be implanted into the flow table which may create DDoS attack onto the controller. Besides this, the flow format of SDN has some important properties. The SDN controller uses the southbound protocol such as OpenFlow to take action against the flow entries. There may be more than one rule for the same flow. The various fields of flow include priority, counter, timeout, action field, etc. Each field is designated for a specific task.

For example, the counter field keeps the information about the received bytes per flow, the timeout field indicates the time needed for a flow to expire since it was placed in the flow table. The instruction field specifies the action needed for a flow entry. The Figure 1 represents the discussed scenario.

FIGURE 1.

Attack to both forwarding and control layer.

Show All

A. Support Vector Machine (SVM)

The basic principle of SVM, is to find an optimal hyperplane that produces a better generalization of the dataset [21]. It develops a model that predicts whether a new sample falls into one of the categories or not. Let’s given a training data set $S=\{\left ({x_{1},y_{1} }\right),\ldots,(x_{n},y_{n})\}$ where $x_{i}\in R^{n}$ and y {+1,−1}.

The $x_{i}$ represents the transferred input vector and $y_{i}$ is the target value. SVM is a binary classifier in which the class labels contain only two values +1 or −1. From the inputs, SVM draws an optimal hyper-plane $H$ that separates the data into different classes and the hyper-plane $H$ can be defined as:

View Source\begin{equation*} x_{i}\in R^{n}:\left ({\vec {w},\vec {x} }\right)+b=0,\mathrm { }\quad \vec {w}\in R^{n},~b\in R\tag{1}\end{equation*}

$$\begin{equation*} f\left ({\vec {x} }\right)=sign\left ({\vec {w},\vec {x} }\right)+b\tag{2}\end{equation*}$$ View Source\begin{equation*} f\left ({\vec {x} }\right)=sign\left ({\vec {w},\vec {x} }\right)+b\tag{2}\end{equation*}

$$\begin{equation*} y_{i}\left \{{\left ({\vec {w},\vec {x} }\right)+b }\right \}\ge 1,\quad s.t.i=1,\ldots,n\tag{3}\end{equation*}$$ View Source\begin{equation*} y_{i}\left \{{\left ({\vec {w},\vec {x} }\right)+b }\right \}\ge 1,\quad s.t.i=1,\ldots,n\tag{3}\end{equation*}

$$\begin{align*}&minimization\frac {1}{2}(w^{T},w) \\&\text {s.t}~y_{i}(w.x+b)\ge 1\tag{4}\end{align*}$$ View Source\begin{align*}&minimization\frac {1}{2}(w^{T},w) \\&\text {s.t}~y_{i}(w.x+b)\ge 1\tag{4}\end{align*}

$$\begin{align*}&minimization\frac {1}{2}\left ({w^{T},w }\right)+C\sum \nolimits _{i=1}^{n} \xi _{i} \\&\text {s.t}.~y_{i}\left ({w.x+b }\right)+\xi _{i}\ge 1;\quad \mathrm { }\xi _{i}\ge 0\tag{5}\end{align*}$$ View Source\begin{align*}&minimization\frac {1}{2}\left ({w^{T},w }\right)+C\sum \nolimits _{i=1}^{n} \xi _{i} \\&\text {s.t}.~y_{i}\left ({w.x+b }\right)+\xi _{i}\ge 1;\quad \mathrm { }\xi _{i}\ge 0\tag{5}\end{align*}

B. KPCA+SVM Classification Model

To get better performance, parameter selection has major significance. Using Radial Basis Function (RBF) in the training process of a model produces a large number of hyper plane which takes a long period of time for training the model. To solve, such problem this model combines SVM with Kernel Principal Component Analysis (KPCA) to reduce the dimensions of features and at the same time reduces the training time. In the proposed model, KPCA maps the high dimensional input features into a new lower dimensional eigen space. Further, it extracts the principal features from the training data-set for classifying the attack. For dimensional reduction and feature selection Principal Component Analysis (PCA) is a widely used technique. The selection of a subset of features from a large feature set is based on the highest co-relation with the principal component. It can have the ability to extract the linear structure information but fails to extract non-linear information. But, K-PCA transfer input data into higher dimensional space in which PCA is carried out.

Let, ${\it \{a}_{1}{\it,a}_{2}, \ldots {\it,a}_{n}{\it \}}$ be the set of $n$ training samples. The $j^{th}$ transferred feature $y_{j}$ value can be obtained by using Equation 6. By using this, the Kernel-PCA, transformed the feature vector to a new sample vector.

View Source\begin{equation*} y_{j}=\frac {1}{\lambda _{j}}\gamma _{j}^{T}\left [{ k(a_{1},a_{n\mathrm { }}^{\prime }),\ldots,{(a}_{n},a_{n}^{\prime }) }\right]^{T}\tag{6}\end{equation*}

C. Kernel Function Used in SVM

It is not possible to find a linear decision boundary for some classification problems. If data points projected into a higher dimension space from the original space, a hyper-plane in the projected dimension helps to classify the data points. To deal with such problem, a kernel function is used to transfer the data set to a higher dimensional space. In general, the Computational cost increases, if the dimension of the data increases. The dot product of two vectors of the same dimensional produces a single number. Hence, the kernel function can utilize this property in a different space without even visiting the space. The standard method of calculating the dot product requires $o(n^{2})$ time, whereas kernel requires with $o(n)$ time.

In SVM there are some well-known kernel functions are used such as RBF, polynomial, sigmoid, etc. Since, RBF kernel function requires fewer parameters set, in most of the classification problem, SVM performs well in this kernel function. However, in a networking scenario, network flows contain several attributes, which may vary from protocol to protocol. Therefore, when the differences between the attribute sets are very large, RBF kernel may create a sizable number of support vectors (SV). A large number of SVs may increases the training period of the model. To lower the training period and to improve the overall performance, an improved kernel function called N-RBF is developed. Further, to normalize the attribute values, the NRBF can be expressed as:

View Source\begin{equation*} K\left ({x_{i},x_{j} }\right)=exp\left ({\frac {-\left |{ \frac {x_{i}-mv}{ms}-\frac {x_{j}-mv}{ms} }\right |^{2}}{\sigma ^{2}} }\right)\tag{7}\end{equation*}

$$\begin{align*} mv_{j}=&\frac {1}{n}\sum \nolimits _{i=1}^{n} P_{ij} \tag{8}\\ ms_{j}=&\sqrt {\frac {1}{n-1}\sum \nolimits _{i=1}^{n} \left ({P_{ij}-mv_{j} }\right)^{2}}\tag{9}\end{align*}$$ View Source\begin{align*} mv_{j}=&\frac {1}{n}\sum \nolimits _{i=1}^{n} P_{ij} \tag{8}\\ ms_{j}=&\sqrt {\frac {1}{n-1}\sum \nolimits _{i=1}^{n} \left ({P_{ij}-mv_{j} }\right)^{2}}\tag{9}\end{align*}

Further, the selection of $C$ and $\sigma$ plays an important role in the performance of SVM model. There are several disciplined approaches that have been utilized to get the optimal parameters. Technique like GA, simulated annealing (SA), and Particle Swarm Optimization like meta-heuristic algorithms can be employed for finding the optimal parameters.

D. Optimizing Parameters With Standard GA

Genetic algorithms (GA) is a search technique based on the ideas of natural selection and genetics. This technique is primarily used to generate high-quality solutions for optimization and search problems. The algorithm simulates on the basis of ”survival of the fittest” type scenario, where each generation of the algorithm attempts to improve upon the previous generation. It operates on the finite population of chromosomes and each chromosome is a possible solution. The best possible solution using GA can be obtained by setting various generic operators such as crossover, mutation, stopping criteria, etc. The process of selection, evaluation, re-combinations form one generation in the execution of the genetic algorithm. Our objective function (Mean Absolute Error (MAE)) is a minimization problem which has given in Equation 10 and it searches the best possible combination of $C$ and $\sigma$ .

View Source\begin{equation*} MAE=\frac {1}{T}\sum \nolimits _{i=1}^{T} {\vert \frac {AL_{i}-PR_{i}}{AL_{i}}\vert }\tag{10}\end{equation*}

The selection process of optimized SVM parameters using GA has been illustrated in Algorithm 1. In the algorithm, roulette wheel method has used for selecting new population.

A. Propsed Detection Framework

Our DDoS attack detection framework monitors the OpenFlow (OF) switches during predetermined time intervals $\Delta \text{T}$ . During such intervals, the controller sends flow_stat_request to each switch present in the network. In turn, the controller receives the flow statistics and then the statistics is fed to the statistics monitor module to extract the features discussed in the above section. After feature selection, the proposed ML classifier, classifies the traffic whether it is normal or malicious traffic.

Figure 2 describe an overall proposed detection framework. The Algorithm 2 summarizes the proposed approach.

FIGURE 2.

The proposed DDoS detection framework for SDN.

Show All

Detail description about each module is given below.

Statistics Monitor: The module sends Flow_start_request message to the OF switches and in turn, it receives the flow statistics information.

Feature extractor: Feature extractor module is meant for extracting the features that are essential for attack detection. For feature extraction, the proposed work utilizes KPCA technique. After feature selection, all extracted feature is inputed to the ML classifier.

ML Classifier: This module is responsible for classifying the traffic as per the training model. In this approach, SVM is considered as the ML classifier. Any learning method can be used as per the requirement. We have used KPCA+SVM+GA model for DDoS attack detection because this model takes least training/testing time with much better accuracy than single SVM.

Mitigation Module: For DDoS mitigation, a separate module is designed inside the controller. After DDoS detection, immediately mitigation module sets a flow rule which drops all the packets coming from the underlying switch. This rule prevents the flows to a particular $IP_{destination}$ address with a specific $IP_{protocol}$ . The rest of the flows communicate in the network ordinarily.

Since the considered data-set comprises five different types of traffic, hence multi-SVM classifier is applicable for DDoS detection. There are two popular techniques that are used for SVM multiclass classification such as: “One-against-all” and “Binary tree”.

B. Proposed SVM Model for DDOS Detection in SDN

The “Binary tree” technique requires only (n-1) two-class classifiers for a case of n class problem. Whereas, ‘One-against-all’ approach requires n number of two-class SVM classifiers. In this approach, each class is trained with all the samples. Due to less number of classes required for the training process, ’Binary Tree’ classifier has been considered for constructing the model. Based on the characteristics of the traffic, four SVM classifiers are developed to identify the five different classes. The basic principle of proposed SDN based DDoS detection framework which is the combination of SVM along with KPCA and GA is shown in Figure 3. For the proposed model, all SVMs use N-RBF as the kernel function. Moreover, the two important parameters of SVM i.e. C and $\sigma$ , are optimized with the GA technique which has been discussed earlier. Then, with the help of these optimal parameters the SVM model is trained. The proposed detection model comprises of two stages. In the first stage, KPCA is employed for achieving the principal component and SVM is used as the classifier. The second stage utilizes the feature subset for the training and testing of SVM. The N-RBF kernel is adopted by KPCA as well as SVM classifier. The parameter selection of SVM-GA technique has been illustrated in Figure 4.

FIGURE 3.

Proposed SVM model for DDoS detection.

Show All

FIGURE 4.

Process of optimizing SVM parameters using Genetic Algorithm.

Show All

A. Dataset Selection

For training and testing purpose, a modern DDoS dataset has considered [24]. This dataset consists of 27 features and 21,60,668 records.

The distribution of the records in the dataset has given in TABLE 2. In order to verify the effectiveness of the proposed model, another dataset called NSL-KDD is used. It contains 41 features, and randomly 1,08,400 records have considered for the simulation [35]. It is the more refined version of KDD’99 dataset. NSL-KDD contains different attacks such as Probe, DoS, R2L, U2R etc. In both the dataset, the redundant records are not present; hence, ML classifiers will not be biased towards more common instances. The selected records in each group from NSL-KDD is inversely proportional to the percentage of instances in the initial KDD data set. As a result, different ML algorithms can perform efficiently and evaluate accurately [47]. The proposed algorithm evaluated over two dataset separately. For experimenting, we named the previous data set as “Data set-I” and NSL-KDD is named as “Data set-II”. The feature set involved in the Dataset-I and Dataset-II has listed in TABLE 3 and TABLE 4, respectively.

TABLE 2 Traffic Distribution

TABLE 3 Feature Set (Dataset-I)

TABLE 4 Feature Set (Dataset-II)

B. Simulation Environment

In order to do simulation for SDN network, it is important to select a controller. We have chosen POX controller for the experiment [27]. It is considered as a fast, and a customized controller. Mininet is a standard network emulator tool that can be used for SDN [15]. It can make a prototype of the network on a laptop or PC. The network topology of any size can be tested on it and the developed code can be used for real network. Hence, Mininet 2.0.0 emulator is considered for this experiment.

The above-described classification algorithms were conducted on the machine having core i5 processor, 8 GB RAM, 64-bit operating system and clock speed of 2.30 GHz. Mininet 2.0.0 has installed on the Virtual Box that supports OpenFlow version 1.3. Using Mininet a topology has created which contains 15 switches and 64 hosts. In the experiment, a single host tries to attack the other hosts whose IP is 10.0.0.1 with IP spoofing.

C. Performance Metrics

Once the model is trained, the next step is to identify the type of attack and attacked hosts in the testing phase. An ML model is accurate if it correctly predicts the attack type during the attack. The performance of the model was evaluated based on the confusion matrix. The test outcome can be termed as positive or negative, for which the following terms have used. Further, the performance of the detection model is measured using the following metrics given in Equation 11, Equation 12, and Equation 13.

View Source\begin{align*} Accuracy=&\frac {TP+FN}{TP+FN+FP+TN} \tag{11}\\ Recall=&\frac {TP}{TP+FN} \tag{12}\\ Precision\left ({in\% }\right)=&\frac {TP}{TP+FP}\tag{13}\end{align*}

• True Positives (TP) Rate: Attack traffic classified as attack traffic.

• False Negative (FE) Rate: Attack traffic classified as legitimate traffic

• False Positive (FP) Rate: Legitimate traffic classified as attack traffic.

• True Negative (TN) Rate: Legitimate traffic classified as legitimate traffic.

D. Parameter Settings

Experiment in ML, is usually split into training and testing part. Then the model has to fit into the train data, in order to predict the test data. The following experiments have been carried out to verify the effectiveness of the proposed SVM model on SDN environment. After 50 times simulations, the optimal parameters have been determined for SVM, which are tabulated in Table 5.

TABLE 5 Optimal Parameters for Various SVM Model

E. Result Discussion

2) Comparison with Other Classifier

The experiments were conducted to verify the effective-ness of the novel KPCA-GA+SVM model. During the experiment, the model runs for 50 times with various combinations of training and testing set such as 70:30, 80:20, and 90:10. Each set contains both normal and attack class, and randomly records have chooses in phase. We evaluated the proposed model by comparing with PCA+GA+SVM, single SVM, KNN and RF method in terms of accuracy, precession, and recall. The accuracy percentage and total time taken by various classifiers are given in Table 6. The table comprises the result of different SVM variant, KNN, and Random Forest classifier.

TABLE 6 Detection Accuracy (in %) and Total Time Taken by Different SVM Variants, KNN, and Random Forest

From the result set, it can be observed that, dimensional reduction approach can enhance the overall performance and running time of the model in both the data sets. Moreover, the accuracy of the N-KPCA+GA model is 98.907% which is better than the rest of the model. The reason is obvious, employing kernel function to PCA, more number of principal components can be deduced than general PCA, which eventually shows better performance. It can be noted that compared to KPCA+GA+SVM, proposed SVM model is more effective in terms of accuracy and false rate. Single-SVM takes more training time, due to its trial-judging concept. Whereas, the training time of others is in the acceptable range. In terms of testing time KNN takes less time compared to other classifiers. From this analysis it is inferred that more the training/testing data, classifiers takes more time.

3) Comparision With Attack Class

For class wise comparison, the confusion matrix of N-KPCA+GA+SVM has been demonstrated in Table 5. Here, the objective is to observe the classification of normal traffic and other attack traffic. The accuracy measure of training/test data has already shown in Table 7. The confusion matrix contains the result of 10%, 20%, and 30% test data of Data set-I. The dataset contains five different types of traffic such as: Normal, smurf, UDP-flood, Si-DDoS, and HTTP-Flood. From the confusion matrix it is inferred that, using PCA and K-PCA, enhance the accuracy level of SVM than the single SVM which does not follow any feature extraction mechanism.

TABLE 7 Confusion Matrix of Test Data Using NKPCA+GA+SVM

In another experiment, we measured the precession and recall value of the proposed model with the considered state of art algorithms. As far as the precision and recall value is concerned, all the models achieved higher precision and recall value for both “normal” and “UDP-flood” class.

From Figure 5a and Figure 5b, it is also noted that classifying the “smurf class” is the most challenging task for all models. However, from the previous work [24], the proposed model improves the “smurf class” detection result. In “smurf class” a large volume of ICMP echo messages are being forwarded, which is difficult to classify as benign or attack traffic.

FIGURE 5.

Precision and Recall result of different SVM model.

Show All