POAGuard: A Defense Mechanism Against Preemptive Table Overflow Attack in Software-Defined Networks

In Software-Defined Networks (SDN), the limited flow table capacity of switches makes them susceptible to flow table overflow attacks, which can lead to performance degradation or network corruption. Prior research has mainly focused on rate-based overflow attacks (ROA), whose attack effects vary with the overflow rate. This study introduces a novel attack called the preemptive overflow attack (POA), which exploits the flow entry eviction mechanism to preempt the flow entries of normal applications, resulting in amplified performance degradation. Notably, when the widely deployed Least Frequently Used (LFU) eviction algorithm is in use, POA achieves a significant impact while consuming fewer flow entries than existing ROA methods. Furthermore, the detection of POA remains challenging owing to the lack of distinctive flow features. To mitigate POA, we propose POAGuard as a defense mechanism. POAGuard incorporates a table segmentation method for table management, a score-based eviction algorithm that evicts suspicious flow entries, and a concept drift-based detection method that identifies and defends against POA. Extensive experiments are conducted to verify the effectiveness of POAGuard, and the results demonstrate that POAGuard can effectively defend against POA.


I. INTRODUCTION
Software-Defined Networks (SDN) simplify network management by decoupling the control plane from the data plane. However, this decoupling introduces new security threats. To achieve high-performance packet processing, hardware OpenFlow switches commonly utilize ternary content addressable memory (TCAM) to store flow entries. Nonetheless, owing to cost and capacity constraints, most commercial switches can only store a limited number of flow entries, ranging from a few hundred to tens of thousands [1], which makes them vulnerable to flow table overflow attacks. In this section, we provide the background of flow table overflow attacks and flow entry eviction mechanisms. Next, we introduce the motivation and contributions of this study.
The associate editor coordinating the review of this manuscript and approving it for publication was Alessio Giorgetti.

A. BACKGROUND
1) FLOW TABLE OVERFLOW ATTACKS
Fig. 1 illustrates the workflow of packet processing in an SDN network. For flows that do not match any entry in the flow table, their packets first trigger a PacketIn message and are delivered to the SDN controller (Steps 1 and 2). Afterward, the controller sends FlowMod messages to the OpenFlow switches to install flow entries for them (Step 3). Meanwhile, the SDN controller forwards the unmatched packets through PacketOut messages (Steps 3 and 4). Once flow entries are installed, packets of matched flows are directly forwarded according to the flow entries (Steps 5 and 6). It can be inferred that if packets trigger the installation of flow entries, then the trip time T_step1−4 ≫ T_step5−6. Otherwise, the variation in the trip time should be small. Based on this, attackers can craft packets to probe installation rules and send well-crafted packets to overflow the flow table. When overflow occurs, the controller can evict the flow entries of normal applications, resulting in session interruption and performance degradation, which severely impact network availability.

2) FLOW ENTRY EVICTION MECHANISM
Owing to the limited capacity of the flow table, SDN networks typically rely on a flow entry eviction mechanism to evict entries to make room for new requests. As shown in Fig. 2, the eviction module is initiated when the number of flow entries exceeds a certain threshold (Step 1). It is worth noting that the threshold can be less than or equal to the flow table capacity. Therefore, flow entries can be evicted before overflow occurs. The eviction module then sorts the flow entries based on a certain eviction algorithm (Step 2). Similar to cache replacement algorithms, commonly used eviction algorithms include RANDOM, first in first out (FIFO), least recently used (LRU), and least frequently used (LFU) [2], [3]. Finally, a batch of flow entries with lower rankings is evicted (Step 3). Under normal circumstances without attacks, previous studies [2], [13] have demonstrated that the LFU eviction algorithm achieves higher flow table utilization by preferentially evicting lower-rate flows. Therefore, in this study, we focus on the LFU eviction mechanism.

B. MOTIVATION AND CONTRIBUTIONS
Prior research has mainly focused on two types of overflow attacks: the high-rate overflow attack (HROA), which intermittently overloads the SDN controller, and the low-rate overflow attack (LROA), which quietly consumes flow entries. However, little attention has been paid to exploiting the flow entry eviction mechanism. Motivated by [2] and [3], this paper introduces a preemptive overflow attack (POA) method that targets the flow entry eviction mechanism. Specifically, POA flows preempt the flow entries of normal applications by continuously transmitting well-crafted packets at a specific high rate, which exceeds the rate of normal application flows. As a result, the attack can lead to amplified performance degradation in normal applications. Notably, although HROA and LROA can also trigger flow entry eviction when overflow occurs, they are less effective in preempting the flow entries of normal applications, as demonstrated in Section III. Based on the previous description of table overflow attack principles, we further present the specific attack modes of these attacks, as shown in Fig. 3. Additionally, we summarize the differences among them in Table 1.
The arbitrary overflow rate and highly active flows pose challenges for identifying POA, as they resemble the overflow caused by a surge in the number of normal flows in non-attack situations. Meanwhile, existing defense methods against ROA are not applicable to POA, as detailed in Section II. Therefore, the detection and mitigation of POA remain challenging. To address this challenge, we propose a defense mechanism called POAGuard, which aims to defend against POA. The main contributions of this study are as follows:
1) We introduce a novel overflow attack called the preemptive overflow attack, which targets the flow entry eviction mechanism. Using established models, we analyze the optimal attack mode when the widely used LFU eviction algorithm is deployed.
2) We propose a mitigation mechanism that functions before POA is identified. This mechanism isolates POA flows in a specific segment using the table segmentation method and evicts suspicious flow entries using the defined score-based eviction algorithm. We propose a detection method to identify and defend against POA by monitoring the continuous drift of flow feature models.
3) Extensive experiments are conducted to verify the feasibility and effectiveness of the proposed method. The results demonstrate that the proposed method can effectively detect and defend against POA.
The remainder of this paper is organized as follows: Section II provides an overview of related work. Section III describes the threat model. Section IV presents the designed system and demonstrates the principles of POAGuard. In Section V, we describe the experiments conducted to evaluate the effectiveness of POAGuard. Finally, Section VI concludes the study and discusses future work.

II. RELATED WORKS
To date, the majority of research on flow table overflow has not considered POA [2]. Research in this area can be divided into two categories based on whether overflow attacks are considered. When no attack is involved, these studies aim to optimize the utilization of flow tables through table management to alleviate the problem of insufficient flow entries. When attacks are involved, the table management methods mentioned above can also be utilized to mitigate overflow attacks. In addition, feature-based detection methods have been introduced to detect such attacks. Table management methods include flow aggregation, timeout setting, flow entry eviction, and resource integration. Feature-based detection methods include statistical feature-based and machine learning-based methods. Next, we describe these methods in detail.

A. TABLE MANAGEMENT METHODS
The flow aggregation method aims to reduce the occupancy of flow entries by aggregating or compressing them based on matching fields such as destination IP addresses. Leng et al. [4] proposed the FTRS method, which utilizes a tri-tree to represent matching attributes and integrates them through bit merging. Chao et al. [5] developed an aggregation algorithm that deploys abundant flow entries to achieve a high compression rate. Phan et al. [6] proposed an adaptive destination address-based aggregation algorithm, in which an SVM model was constructed to identify the state of switches and set flow entries with varying granularity. Priyanka et al. [7] utilized a hierarchical clustering method to compress similar flow entries and achieved better results than FTRS. Although flow aggregation methods can alleviate insufficient flow entries, they may change the access control policy rules and introduce new security issues [8].
VOLUME 11, 2023 123661 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
The timeout setting method aims to eliminate idle flows as early as possible to avoid flow table overflow. Zhu et al. [9] proposed an intelligent timeout setting method that tunes the timeout value using historical timeout information and the currently available capacity. This method can reduce the peak number of occupied flow entries. Xu et al. [10] calculated the optimized idle-timeout value through an established ON/OFF model, which considers both the flow table utilization and the load of the control channel. Other timeout setting methods based on a heuristic model [11], a queuing model [12], reinforcement learning [13] and machine learning [14] have also been proposed. However, owing to their inability to perceive the presence of attacks, timeout setting methods cannot mitigate overflow attacks.
When there is a lack of available flow entries, flow entry eviction methods replace the appropriate entries to serve new flows. Shirali-Shahreza et al. [15] proposed an expedited eviction method for TCP flows, where flows with FIN or RST flags, which indicate the end of TCP sessions, can be eliminated early to improve flow table utilization. Kim et al. [16] presented a short-flow-first eviction method, in which a short flow can be identified if the packet interval exceeds the maximum waiting time. Yang et al. [17] analyzed the traffic characteristics of data centers and concluded that the traffic model can remain stable for several hours. With this insight, the activeness of flows can be learned and predicted, and flows with lower activeness can be evicted to improve the utilization of the flow table. Note that this observation inspired us to design the POA detection method. Feng et al. [18] proposed a multi-staged eviction method that classifies flows into temporal flows and persistent flows, and preferentially evicts the temporal ones. However, the temporal-flow-first eviction mechanism is not applicable to POA flows, which are persistent rather than temporal.
The aforementioned methods do not consider attack scenarios. To mitigate table overflow attacks, Yuan et al. [19] established a queuing model to describe the attack scenario and designed a Peer Support mechanism to migrate the load of the attacked switches to their adjacent switches. They also proposed leveraging a queuing model to measure the resistance of an SDN to DDoS attacks [57]. Sooden et al. [20] extended the Peer Support mechanism and presented a dynamic timeout setting method. Xu et al. [21] proposed a defense model that uses the concept of degree to locate vulnerable switches and deploys a token bucket to limit the strength of overflow attacks. Kong et al. [55] designed TableGuard, which uses the proactive flow rule number as the detection metric and applies a statistical approach to help filter malicious flows. However, because these methods mitigate or locate overflow attacks based on flow entry consumption rather than attack flow features, they may fail to defend against distributed attacks that exhibit subtle patterns and evade detection by consuming flow entries within the normal range.

B. FEATURE-BASED DETECTION METHODS
Statistical feature-based methods rely on thresholds to identify attacks based on their effects. Zhang et al. [22] designed FT-Guard, which assigns an importance factor to each flow according to regularly collected features such as transmission rate and packet count. In FT-Guard, the flows with lower importance factors are preferentially removed. Wang et al. [23] designed BWManager, which first calculates the trust value of each switch according to the statistical features of the ROA flows therein. Then, it schedules requests based on the trust value through a multi-level queue to limit malicious requests. Wang et al. [24] proposed a proactive defense framework that includes attack prediction and defense. Similarly, Xie et al. [25] developed SAIA (Small flow Analysis and Inport flow Analysis) by designing a table overflow prediction and flow entry eviction algorithm. Huang et al. [26] designed DaMask, which utilizes tailored time series to predict overflow attacks and identifies attack flows based on the entropy of the IP addresses and switch ports. Xu et al. [27] developed SDNGuardian, which detects attacks based on the entropy of statistical features and then constrains suspicious switch ports. Li et al. [28] observed that the traffic of HROA shows higher similarity than that of normal flows and proposed a detection method, SA-Detector, based on self-similarity. Similar methods are listed in [29], [30], and [31]. However, the assumptions made by these methods regarding overflow rate [24], [26], [28], flow duration [25], packet size [22], [23], and other features may be applicable to ROA, but not to POA. This is because POA flows can exhibit activity similar to normal flows and can carry packets of arbitrary sizes.
Machine learning-based detection methods can learn from flow features to identify malicious flows. For ROA, Wang et al. [32] summarized six critical features, including packet number, byte number, and flow duration, which are utilized to detect attacks using a Self-Organizing Map algorithm. Liu et al. [33] combined entropy with a backpropagation (BP) neural network to detect and locate attacks, in which entropy was calculated to detect attacks and the BP neural network model was constructed to locate them. Building on this, Meng et al. [34] improved the flow features for identifying attacks and used a BP neural network to classify traffic. Considering LDoS scenarios, Wu et al. [35] introduced several new features and utilized a Factorization Machine algorithm to identify the attack traffic. Tang et al. designed FTMaster [53] and LtRFT [54], which detect LDoS attacks based on the XGBoost algorithm. Referring to [36], these supervised methods perform excellently on known attack traffic. However, identifying unknown attack traffic is difficult. In this regard, Khamaiseh et al. [36] designed vSwitchGuard, using supervised methods to identify known attack traffic and semi-supervised methods to detect unknown traffic. For flow table overflow attacks, machine learning-based detection methods are considered promising [37], [38]. However, the literature [39] indicates that these methods can be bypassed by crafting attack samples. Thus, excessive assumptions about the flow features may affect the robustness of machine learning-based methods. Furthermore, the assumed features such as attack packet interval and packet size only apply to LROA. In conclusion, the existing defense methods are not applicable to POA.

III. ATTACK MODEL
In this section, we demonstrate the workflow of POA and investigate its effectiveness. We then establish models to analyze the optimal attack mode under the LFU eviction algorithm. Table 2 lists the variables and notations used in this study. Since several related works [2], [40], [41] have demonstrated how to probe installation rules, timeout setting mechanisms and flow entry eviction mechanisms, as well as the capacity of the flow table, we do not detail these methods, as they fall outside the scope of our research. Instead, we assume that the necessary information can be obtained.
the POA flows to preempt the entries of slower-rate normal flows.

A. PREEMPTIVE OVERFLOW ATTACK
To investigate the effectiveness of POA, we conduct an experiment in which we deploy the idle-timeout (3s in this experiment) and the LFU eviction algorithm. Owing to the poor performance of the Scapy tool [49] used for sending attack flows, we limit the flow table capacity to 200 to ensure that POA flows can preempt flow entries while overflowing the flow table. We then compare the effects of different overflow attacks, including POA, HROA, and LROA. For POA, we generate 200 flows to occupy the flow table in the initial state and then continuously send them at varying packet intervals, such as 1s, 0.1s and 0.01s. For HROA, we generate varying amounts of attack flows in each interval, such as 400, 800, and 1200. For LROA, we generate 200 flows to overflow the flow table and then keep the flow entries active but slow, at a 1s packet interval. Subsequently, we utilize the D-ITG tool [50] to initiate 50 TCP sessions, each of which transmits 1MB of data. Finally, we record the transmission delay under the varying attacks; the results are shown in Fig. 5.
As shown in Fig. 5(a), when the number of available installation rules is limited to 200, POA with a 0.1s packet interval results in a higher level of performance degradation than ROA. From Fig. 5(b), it can be inferred that a higher attack flow rate (smaller packet interval) results in better flow entry preemption. However, when the attack flow rate is slow, such as a 1s packet interval, its contribution to performance degradation is limited, similar to that of LROA. By comparing Fig. 5(b) and Fig. 5(c), it can be observed that HROA requires 1200 installation rules to achieve a level of performance degradation similar to POA with a 0.01s packet interval. The experimental results indicate that, compared to HROA and LROA, POA degrades performance more effectively while consuming fewer flow entries (installation rules) under the LFU eviction algorithm.

B. OPTIMAL ATTACK MODE UNDER THE LFU EVICTION ALGORITHM
To maximize the impact of an attack while minimizing its cost, attackers typically adopt an optimal mode of operation. For quantitative analysis, we modeled the LFU eviction mechanism, which is activated when the number of current flow entries exceeds a predefined threshold, denoted by C_e. The LFU eviction mechanism operates based on the trigger frequency, which is determined by the flow (transmission) rate. Specifically, higher transmission rates correspond to higher trigger frequencies. Therefore, during flow eviction, the flow entries with higher transmission rates are retained, whereas those with lower transmission rates are evicted. Based on this, we assume that a threshold exists, as shown in (1), where the scaling factor 0 < α ≤ 1. This causes the flow entries with a higher transmission rate to be retained and those with a lower transmission rate to be evicted, as shown in (2). The equivalent probability function is defined in (3), which represents the survival probability of a flow entry during eviction. In (3), the scaling factor β > 1.
To evaluate the effect of POA, we define the occupancy efficiency and service efficiency for each flow entry. The occupancy efficiency, which represents the survival probability, is denoted by g_k, as shown in (4). The service efficiency, which represents the number of packets transmitted per unit time, is denoted by h_k, as shown in (5).
The occupancy efficiency and service efficiency of flow entries of normal applications can be defined as (6) and (7), respectively. To reduce (6) and (7), attackers can achieve the goal by increasing e_j^M and λ_j^M, as observed in previous studies [2], [3]. According to the definition of λ, knowing the transmission rate λ_i Consequently, the survival probability of the flow entries of normal applications In other words, if the transmission rates of attack flows are higher than those of normal flows, the flow entries of normal applications will always be evicted first when overflow occurs.
To evaluate the attack cost, we define it in terms of the resources required to create malicious applications, which are negatively correlated with L_M. For simplicity, we assume a linear negative correlation between the cost and L_M, as given by v_M = −c_0 L_M. In practice, the optimal attack mode is independent of the definition of v_M, as demonstrated below. The effectiveness of the attack is evaluated in terms of the occupancy and service efficiency (g_M and h_M) of malicious flow entries. Therefore, considering the limitations of table capacity and transmission rate, we define the objective function as (8). Notably, since our focus lies on determining the value of L_M that maximizes all three terms in (8), we take their sum as the optimization objective.
i=1 and e_i^N L_N i=1 are known, the other implicit variables in (8) cannot be determined. Meanwhile, the objective function in (8) is non-convex, making it impossible to obtain an analytical solution. To simplify the problem, we let β → +∞, causing the probabilistic function in (3) to become the indicator function in (2). This simplification allows us to analyze the solution based on the relationship between the threshold λ and the maximum average transmission rate of attack flows λ_M, as defined in (9).
1) When λ > λ_M, the greedy algorithm indicates that the malicious applications occupy at most ⌊C_h * C_x / λ⌋ at rate λ, as flow entries with a rate less than λ will be evicted. Meanwhile, we can derive max
2) When λ ≤ λ_M, the malicious applications can occupy i=1 e_i^N and max h_M = C_h * C_x, as well as the solution when which are irrelevant to the definition of v_M. Based on our analysis, we conclude that the optimal attack mode involves minimizing the number of types of malicious applications and sending attack packets at the same high rate. Attackers may attempt to deviate from this optimal attack mode by sending attack packets at different rates. However, this actually reduces the effectiveness of the attack, because higher-rate attack flows preempt the entries of lower-rate attack flows. To verify this view, we conducted an experiment with the same setting as described in Section III. As shown in Fig. 6, attack flows with the same higher rate achieve a higher level of performance degradation than those with different rates.

IV. SYSTEM DESIGN
As shown in Fig. 7, the system contains three core modules: a table segmentation module, a score-based flow entry eviction module and a concept drift-based detection module. The table segmentation module manages the flow table and isolates persistent flows that may result from POA. The flow entry eviction module aims to evict suspicious flow entries when overflow occurs. The detection module is responsible for identifying attacks and blocking malicious switch ports. Next, we provide a detailed explanation of how each module works.

A. TABLE SEGMENTATION
In application scenarios such as data centers, temporal flows are the predominant type of network traffic. To prevent POA flows from occupying the flow table and impacting temporal flows, we propose managing the flow table through segmentation. Our approach involves isolating persistent flows in a specific segment and serving temporal flows with other segments. However, since the physical flow table is spatially flat, we implement a virtual flow table for flow table management, as illustrated in Fig. 8.
For ease of description, we use the abbreviations PTS/PPS/PCS and VTS/VPS/VCS to represent the temporal segment, persistent segment and critical segment of the physical and virtual flow tables, respectively. The PTS is used to accommodate temporal flows, which are assigned hard-timeout values. The PPS is used to accommodate persistent flows, which are assigned idle-timeout values. The PCS is used to accommodate critical flows, such as the sessions between OpenFlow switches and their controller, which can only be removed manually. The virtual flow table only records virtual entries containing simplified matching rules, active state, processing timestamp, and so on. The table segmentation mechanism serves two primary functions. First, by segmenting the flow table, we can ensure that attack flows scheduled in the PPS do not interfere with the management of other segments. Second, the recorded information in the virtual table can be leveraged for flow entry eviction and attack detection, thereby avoiding interaction with the physical flow
Install a new entry in PTS with hard-timeout value t_hard 14: end if
As the SDN controller cannot discriminate whether a flow is persistent, we apply a migration mechanism to address this. Algorithm 1 outlines the flow rule installation process when a flow triggers a TableMiss event. The SDN controller first checks whether a corresponding record exists in the virtual table. If not, a new flow entry assigned an initial hard-timeout value is added to the PTS (Lines 11-13). If the flow has triggered fewer than δ_out times, the timeout value remains unchanged (Lines 6-7). Otherwise, the flow is migrated from the PTS to the PPS and reassigned an idle-timeout value (Lines 3-5). We assume that temporal flows can be completed before the migration occurs. In other words, temporal flows should last no longer than a specified duration, which is determined as δ_out times the hard-timeout value in seconds. In addition, the timeout values of flow entries can be dynamically adjusted as needed [9], [10], [11], [12], [13], which does not conflict with the segmentation mechanism.
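The following Python sketch is an added illustration of the migration logic of Algorithm 1 as described above; it is not the paper's code. The values of δ_out, t_hard and t_idle, the simplified match tuple, and the Decision record returned to the caller are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed parameters (assumptions, not values from the paper).
DELTA_OUT = 3   # TableMiss triggers after which a flow counts as persistent
T_HARD = 3.0    # initial hard-timeout (s) for entries in the temporal segment (PTS)
T_IDLE = 10.0   # idle-timeout (s) for entries in the persistent segment (PPS)

Match = Tuple[str, str, int]  # simplified matching rule: (src, dst, dst_port)


@dataclass
class VirtualEntry:
    """Record kept in the virtual flow table (VTS/VPS) for one flow."""
    match: Match
    segment: str        # "PTS" or "PPS"
    triggers: int       # number of TableMiss events this flow has caused
    active: bool        # whether a physical entry currently exists
    last_seen: float    # processing timestamp of the last TableMiss


@dataclass
class Decision:
    """What the controller would install for this TableMiss (constructed)."""
    segment: str
    timeout_kind: str   # "hard" or "idle"
    timeout: float
    migrated: bool = False


class SegmentedFlowTable:
    def __init__(self, delta_out: int = DELTA_OUT,
                 t_hard: float = T_HARD, t_idle: float = T_IDLE) -> None:
        self.delta_out = delta_out
        self.t_hard = t_hard
        self.t_idle = t_idle
        self.virtual: Dict[Match, VirtualEntry] = {}

    def on_table_miss(self, match: Match, now: float) -> Decision:
        """Algorithm 1: decide the segment and timeout for a TableMiss."""
        rec: Optional[VirtualEntry] = self.virtual.get(match)
        if rec is None:
            # Lines 11-13: unseen flow -> PTS with the initial hard-timeout.
            self.virtual[match] = VirtualEntry(match, "PTS", 1, True, now)
            return Decision("PTS", "hard", self.t_hard)
        rec.triggers += 1
        rec.last_seen = now
        rec.active = True
        if rec.triggers < self.delta_out:
            # Lines 6-7: fewer than delta_out triggers -> timeout unchanged.
            return Decision("PTS", "hard", self.t_hard)
        # Lines 3-5: migrate from PTS to PPS and assign an idle-timeout.
        migrated = rec.segment == "PTS"
        rec.segment = "PPS"
        return Decision("PPS", "idle", self.t_idle, migrated)

    def on_flow_removed(self, match: Match, now: float) -> None:
        """FlowRemoved from the switch: mark the virtual entry inactive."""
        rec = self.virtual.get(match)
        if rec is not None:
            rec.active = False
            rec.last_seen = now

    def count(self, segment: str) -> int:
        """Active virtual entries in a segment (F_vps when segment == "PPS")."""
        return sum(1 for r in self.virtual.values()
                   if r.segment == segment and r.active)

    def max_temporal_duration(self) -> float:
        """Longest lifetime a temporal flow may have before it is migrated."""
        return self.delta_out * self.t_hard


if __name__ == "__main__":
    table = SegmentedFlowTable()
    flow = ("10.0.0.1", "10.0.0.2", 443)  # constructed sample flow
    for t in (0.0, 3.5, 7.0):
        print(t, table.on_table_miss(flow, t))
        table.on_flow_removed(flow, t + table.t_hard)
```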
It is important to note that the segmentation mechanism can introduce another problem. When persistent flows accumulate in the PPS, they can frequently trigger flow entry eviction and generate massive numbers of OpenFlow messages, potentially overloading the SDN controller. To address this issue, we propose evicting the flows in the PPS with a probability, as shown in (10), where F_vps and F_pps represent the number of entries in the VPS and the PPS, respectively. The formula implies that the larger the number of persistent flows in the PPS, the smaller the eviction probability, which prevents the SDN controller from being overloaded.

B. SCORE-BASED FLOW ENTRY EVICTION
As discussed in Section III, the objective of flow eviction is to reduce the occupancy efficiency and service efficiency of malicious flows according to the definitions of g_M and h_M. By observing (6) and (7), we can attain this objective by designing an appropriate function Pr(f ∈ F). However, prior to designing the function, it is essential to analyze potential features of POA flows under the optimal attack mode.

1) ANALYSIS OF POA FLOW FEATURES UNDER THE OPTIMAL MODE
Since POA flow features are difficult to identify, we can only analyze them under the optimal attack mode. As discussed in Section III, the optimal attack mode involves sending attack packets at the same high rate. In other words, attack flow features, such as the expectation and variance of packet intervals, should exhibit high similarity. Interestingly, it has been observed in [42] and [43] that DDoS attack flows exhibit higher similarity than normal flows because of prebuilt attack programs. Therefore, we analyze the effect of POA on the similarity of the flow features. According to [44], the similarity of features can be represented using kernel functions, as shown in (11), where similar data points form a cluster in a higher-dimensional feature space. The kernel function for a pair of inputs can be computed as the inner product of their feature vectors. The mapping function maps the input data to the feature vectors. We define the sum of similarities between all flows as (12), and the similarity contribution rate as (13). Subsequently, we conduct a formula analysis of the effects of POA in terms of the similarity contribution rate.
K(X_p, X_q) = ⟨X_p, X_q⟩ (11)
In the case of an unknown feature space and kernel function, we assume the existence of a threshold K, such that K(X_p, X_q) ≥ K if the applications are of the same type (either normal or malicious), and K(X_p, X_q) < K if their types are different. To indicate whether the flows X_p and X_q originate from applications of the same type, we define an indicator function as shown in (14). This function can be used to calculate each part of K*, as shown in (15). Since the variables for normal applications, such as L_N and e_i^N L_N i=1, are known, we can obtain the sum over p, q ∈ A_N of K(X_p, X_q). Furthermore, we have is fixed, the value of K* depends on the value of ), it can be inferred that a smaller value of L_M results in a greater value of K* and a smaller similarity contribution rate of normal flows, as calculated by (16). Therefore, under the optimal attack mode (L_M = 1), the similarity contribution rate of attack flows is high, while that of normal flows is low. This conclusion can guide the design of appropriate flow eviction algorithms that prioritize attack flows.

2) DESIGN OF SCORE-BASED EVICTION ALGORITHM
Based on the previous analysis, we consider both the transmission rate λ_f and the similarity contribution rate Cr_f when designing the score function, as defined in (17), with a value ranging from 0 to 1. In particular, we set the hyperparameter σ = 10 to make ln λ_f / σ < 1, and set γ = F_vps to scale the similarity contribution rate Cr_f based on the number of flow entries. The score function determines the eviction priority of flows, where those with lower scores are evicted first. Equation (17) reveals that flows with higher transmission rates achieve higher scores under the same similarity contribution rate, whereas those with lower similarity contribution rates achieve higher scores under the same transmission rate. To accomplish this, we employ the product of a sigmoid function and a negative tanh function. The definition of the tanh function makes the score function more responsive to the similarity contribution rate than to the transmission rate. Consequently, this approach tends to evict flows of applications that use more flow entries, thereby promoting eviction fairness even under normal circumstances without attacks.

S f ∈F
To calculate the score function, a specific kernel function and flow features must be determined. In line with previous research [44], we utilize the Gaussian kernel function, as shown in (18), which has demonstrated superior performance. In terms of flow features, previous research [45] has presented various features to identify applications in different scenarios. In the context of DDoS attacks, the ten most significant features were identified. To balance efficiency and accuracy, we select the best three features: the expectation and variance of the packet interval, and the variance of the packet size.
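The Python block below is an added example, not the paper's implementation, serving both the similarity analysis of Section IV.B.1 and the score-based eviction of Section IV.B.2: it extracts the three selected features from constructed packet traces, computes a Gaussian-kernel similarity contribution rate, and ranks flows for eviction. The kernel bandwidth, the min-max normalisation of features, the reading of (13) as row-sum divided by the all-pairs sum, and the concrete score form sigmoid(ln λ_f / σ) · (1 − tanh(γ · Cr_f)) are assumptions; only σ = 10 and γ = F_vps follow the text.

```python
import math
from typing import Dict, List, Tuple

SIGMA = 10.0        # from the paper: keeps ln(lambda_f)/sigma < 1 for realistic rates
KERNEL_BW = 0.5     # assumed Gaussian kernel bandwidth on min-max scaled features

Features = Tuple[float, float, float]
Trace = Tuple[List[float], List[float]]   # (packet intervals in s, packet sizes in bytes)


def flow_features(intervals: List[float], sizes: List[float]) -> Features:
    """The three features selected in the text: mean and (population) variance
    of the packet interval, and variance of the packet size."""
    def mean(v: List[float]) -> float:
        return sum(v) / len(v)

    def var(v: List[float]) -> float:
        m = mean(v)
        return sum((x - m) ** 2 for x in v) / len(v)

    return (mean(intervals), var(intervals), var(sizes))


def packet_rate(intervals: List[float]) -> float:
    """Average transmission rate lambda_f in packets per second."""
    return len(intervals) / sum(intervals)


def minmax(vectors: List[Features]) -> List[Features]:
    """Scale each feature to [0, 1] so that byte-scale variances do not
    dominate the kernel distance (assumed preprocessing step)."""
    dims = len(vectors[0])
    lo = [min(v[d] for v in vectors) for d in range(dims)]
    hi = [max(v[d] for v in vectors) for d in range(dims)]
    return [tuple((v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
                  for d in range(dims)) for v in vectors]


def gaussian_kernel(xp: Features, xq: Features, bw: float = KERNEL_BW) -> float:
    """Gaussian kernel K(X_p, X_q) = exp(-||X_p - X_q||^2 / (2 bw^2))."""
    d2 = sum((a - b) ** 2 for a, b in zip(xp, xq))
    return math.exp(-d2 / (2.0 * bw * bw))


def similarity_contribution(features: Dict[str, Features]) -> Dict[str, float]:
    """Cr_f = sum_q K(X_f, X_q) / K*, where K* sums over all ordered pairs
    (including p == q). The Cr_f values therefore sum to 1."""
    ids = list(features)
    scaled = dict(zip(ids, minmax([features[i] for i in ids])))
    row = {p: sum(gaussian_kernel(scaled[p], scaled[q]) for q in ids) for p in ids}
    k_star = sum(row.values())
    return {p: row[p] / k_star for p in ids}


def score(rate: float, cr: float, f_vps: int, sigma: float = SIGMA) -> float:
    """Assumed form of score (17): a sigmoid of the log rate times a
    decreasing tanh term in the similarity contribution rate; gamma = F_vps.
    Higher rate -> higher score; higher Cr_f -> lower score (evicted first)."""
    gamma = f_vps
    rate_term = 1.0 / (1.0 + math.exp(-math.log(rate) / sigma))
    return rate_term * (1.0 - math.tanh(gamma * cr))


def eviction_order(flows: Dict[str, Trace]) -> List[Tuple[str, float]]:
    """Rank persistent-segment flows by score, lowest (evict first) at index 0."""
    feats = {f: flow_features(*flows[f]) for f in flows}
    cr = similarity_contribution(feats)
    scores = {f: score(packet_rate(flows[f][0]), cr[f], len(flows)) for f in flows}
    return sorted(scores.items(), key=lambda kv: kv[1])


# Constructed traces: three flows with identical constant-rate behaviour
# (the high-similarity case analysed in the text) and two diverse flows.
SAMPLE_FLOWS: Dict[str, Trace] = {
    "sim1": ([0.01] * 4, [64] * 5),
    "sim2": ([0.01] * 4, [64] * 5),
    "sim3": ([0.01] * 4, [64] * 5),
    "app1": ([0.5, 1.0, 1.5, 2.0], [100, 1400, 600, 900]),
    "app2": ([0.2, 0.4, 0.3, 0.6], [1400, 1400, 200, 1000]),
}

if __name__ == "__main__":
    for flow_id, s in eviction_order(SAMPLE_FLOWS):
        print(f"{flow_id}: score={s:.4f}")
```

Although the three similar flows have the highest packet rate, their large similarity contribution rate pushes them to the front of the eviction order, which is the behaviour the text attributes to the tanh term.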

C. CONCEPT DRIFT-BASED POA DETECTION AND DEFENSE
Unlike ROA flows, POA flows do not exhibit specific characteristics, which makes them difficult to identify. It should be emphasized that the similarity of flow features used for flow entry eviction is not suitable for detection, since highly similar flows do not necessarily indicate attacks. Furthermore, attackers may deviate from the optimal attack mode. Therefore, generating convincing datasets and training effective supervised models to identify POA flows is impractical. To overcome this challenge, we make an essential assumption based on [43], namely that the flow features of POA flows differ from those of normal flows.

1) PRINCIPLE OF POA DETECTION METHOD
Yang et al. [17] observed that the characteristics of data center traffic remain relatively stable over short periods of several hours. Therefore, the model (also known as the concept) established to describe the flow features is stable, as shown in Fig. 9. This model is also applicable to persistent flows. Based on this, we describe the principle of the proposed detection method. Before POA occurs, the model describing the features of persistent flows remains stable. Since the features of attack flows and normal flows are distinguishable, the model changes as massive numbers of attack flows become involved, as shown in Fig. 10. Although new flows with unique features may also appear in normal cases, they typically do not cause overflow. Therefore, the proposed method detects POA by identifying continuous concept drift. Note that we need to assume the absence of any attack before performing attack detection. This assumption is reasonable and practical, particularly because defining convincing POA flow features is difficult. The formal description of concept drift is as follows. Let Y_t = {0, 1}, where 1 and 0 represent the categories in which a feature vector belongs to a normal or an unknown application, respectively. The function p_t(X_t, Y_t) is defined as the feature representation model at time t. Since the model takes every feature vector as one of a known application at the initial time t_0, for all x_p ∈ X_{t_0} we have y_p = 1 and p_{t_0}(x_p, 1) ≡ 1. This means that all flow features belong to normal applications in the initial state. If concept drift occurs at time t_1 (t_1 > t_0), then p_{t_1}(X_{t_1}, 1) ≠ p_{t_0}(X_{t_0}, 1). In this event, there exists x_q ∈ X_{t_1} such that p_{t_1}(x_q, 1) = 1 whereas y_q = 0. In other words, the initial model can no longer accurately represent the existing flow features. Referring to [45], we select the four most representative features to construct the feature vector, namely the expectation and variance of the packet interval and of the packet size.

2) DESIGN OF THE POA DETECTION AND DEFENSE METHOD
In the absence of labels, unsupervised methods can be used to detect concept drift. The literature [46], [47] presents an efficient detection algorithm, D3 (Discriminative Drift Detector), for this purpose. One advantage of this method is that it can observe whether two sets differ continuously without estimating their distributions. The principle of D3 is as follows. First, it samples the latest (1 + θ)W data items for evaluation, where W is the size of the sliding window and also the amount of old data, and θW is the amount of new data. Next, it labels the old data with 1 and the new data with 0. Subsequently, it shuffles them and classifies them using a binary model, such as the logistic regression used in [46]. Finally, the AUC (Area Under the ROC Curve) coefficient is used to judge whether concept drift has occurred.

Algorithm 2 (fragment recovered from the extracted text; the line numbers are those that survived):
    if the system in initial state then
        datasets ← collect flow features from virtual tables.
4:      Mark the datasets as known datasets with label 1.
    end if
6:  for ds in datasets do
        ds_1, ds_0 ← get known data with label 1 and new data with label 0
8:      S is vector of s, where s = 1 for ds_1 and s = 0 for ds_0
        Train C([ds_1, ds_0], S) // binary classification
However, the original D3 algorithm cannot be applied directly to the identification of POA. When it completes a concept drift detection, it uses the new data directly to update the detection model. The new data may contain attack flow features, which would contaminate the detection model [48].
To address this, we propose an online detection method called DROPOA (DRift-based Online POA detection), depicted in Algorithm 2, which adapts D3 to our situation. In Lines 2-4, the system is in the initial state, and we collect the flow features in each switch to construct the datasets. We then execute the detection algorithm, as shown in Lines 6-15. If the number of persistent flows obtained from the VPS exceeds the threshold δ_lim, a POA warning is generated, as shown in Line 16. If the number of concept drift occurrences exceeds the threshold δ_mon, a POA warning is generated, as shown in Line 20.
After identifying an ongoing attack, the defense module locates the malicious switch ports from which the attack flows originate and then dispatches flow rules to block them. In practice, it is recommended to block the ports that carry the majority of suspicious flows, for example 90% of the total, to accelerate processing.
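The D3 check and the two DROPOA changes described above (a reference window that is never overwritten by new data, and a warning only after repeated drift), as an added example that is not part of the paper or its GitHub code. It assumes a pure-Python logistic regression as the discriminator, a 70/30 held-out split for the AUC, the thresholds τ = 0.7 and δ_mon = 0.7 over the last 10 checks from Section V-C, constructed flow features for normal and attack flows, and a simple count-and-rank rule for the 90% port-blocking heuristic of the defense module; `DropoaMonitor`, `drift_auc` and `ports_to_block` are names chosen here.

```python
"""DROPOA-style drift check (added illustration, not the paper's code): a D3
discriminator between a fixed attack-free reference window (label 1) and the
newest flow features (label 0). Assumptions: pure-Python logistic regression,
a 70/30 held-out split for the AUC, and constructed synthetic flow features."""
import math
import random

N_FEAT = 4  # E[interval], Var[interval], E[size], Var[size] (Section IV-C.1)

def _sigmoid(z):
    z = max(-30.0, min(30.0, z))  # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))

def _zscore_params(rows):
    params = []
    for j in range(N_FEAT):
        m = sum(r[j] for r in rows) / len(rows)
        s = math.sqrt(sum((r[j] - m) ** 2 for r in rows) / len(rows)) or 1.0
        params.append((m, s))
    return params

def _scale(row, params):
    return [(v - m) / s for v, (m, s) in zip(row, params)]

def train_logreg(X, y, lr=0.1, epochs=150):
    """Batch gradient descent on the logistic loss; returns (weights, bias)."""
    w, b = [0.0] * N_FEAT, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * N_FEAT, 0.0
        for x, t in zip(X, y):
            err = _sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - t
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(X) for wi, g in zip(w, gw)]
        b -= lr * gb / len(X)
    return w, b

def auc(scores, labels):
    """Area under the ROC curve via the rank (Mann-Whitney) statistic."""
    pos = [s for s, l in zip(scores, labels) if l == 1]
    neg = [s for s, l in zip(scores, labels) if l == 0]
    if not pos or not neg:
        return 0.5
    wins = sum(1.0 if p > q else 0.5 if p == q else 0.0 for p in pos for q in neg)
    return wins / (len(pos) * len(neg))

def drift_auc(old, new, rng, train_frac=0.7):
    """D3 core: label old=1 and new=0, shuffle, train a discriminator, score held-out data."""
    data = [(x, 1) for x in old] + [(x, 0) for x in new]
    rng.shuffle(data)
    k = int(len(data) * train_frac)
    train, test = data[:k], data[k:]
    params = _zscore_params([x for x, _ in train])
    w, b = train_logreg([_scale(x, params) for x, _ in train], [t for _, t in train])
    scores = [b + sum(wi * xi for wi, xi in zip(w, _scale(x, params))) for x, _ in test]
    return auc(scores, [t for _, t in test])

class DropoaMonitor:
    """Unlike D3, the reference window is never replaced by new data (which may carry
    attack features); drift means AUC >= tau, and a warning needs drift in at least
    delta_mon of the last `history` checks (0.7 and 10 give 7 of 10, as in Section V-C)."""
    def __init__(self, reference, tau=0.7, delta_mon=0.7, history=10, seed=0):
        self.reference = list(reference)
        self.tau, self.delta_mon, self.history = tau, delta_mon, history
        self.rng = random.Random(seed)
        self.recent = []

    def check(self, new_batch):
        a = drift_auc(self.reference, new_batch, self.rng)
        self.recent = (self.recent + [a >= self.tau])[-self.history:]
        warning = sum(self.recent) >= self.delta_mon * self.history
        return a, a >= self.tau, warning

def ports_to_block(suspicious_ports, coverage=0.9):
    """Ingress ports that together carry `coverage` of the suspicious flows, largest first."""
    counts = {}
    for p in suspicious_ports:
        counts[p] = counts.get(p, 0) + 1
    chosen, covered = [], 0
    for port, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if covered >= coverage * len(suspicious_ports):
            break
        chosen.append(port)
        covered += n
    return chosen

def normal_flow(rng):   # constructed: stable data-centre-like flow features
    return [rng.uniform(0.8, 1.2), rng.uniform(0.01, 0.05), rng.uniform(400, 800), rng.uniform(1e3, 5e3)]

def attack_flow(rng):   # constructed: POA flow with a random 0-1 s interval and fixed packet size
    return [rng.uniform(0.3, 0.7), rng.uniform(0.05, 0.12), rng.uniform(1000, 1100), rng.uniform(0, 10)]

def demo(seed=1):
    """Returns (AUC without drift, AUC with drift, warning after 10 drifting checks)."""
    rng = random.Random(seed)
    mon = DropoaMonitor([normal_flow(rng) for _ in range(300)], seed=seed)
    quiet_auc = mon.check([normal_flow(rng) for _ in range(150)])[0]
    runs = [mon.check([attack_flow(rng) for _ in range(150)]) for _ in range(10)]
    return quiet_auc, runs[0][0], runs[-1][2]

if __name__ == "__main__":
    q, d, warn = demo()
    print(f"no-drift AUC={q:.2f}, drift AUC={d:.2f}, POA warning={warn}")
    print("ports to block:", ports_to_block([1, 1, 1, 2, 2, 3, 1, 2, 1, 1]))
```

The held-out split matters: scoring the discriminator on the data it was trained on would inflate the AUC even when the two windows come from the same distribution, which is exactly the false-drift case the threshold τ has to reject.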

V. EXPERIMENT AND ANALYSIS
In this section, we describe the experiments conducted to verify the effectiveness of POAGuard. We use Mininet and the Ryu controller to simulate an SDN network with the topology of [25], as shown in Fig. 11. The environment is deployed on a virtual machine (Ubuntu 20.04, 4-core CPU, 4 GB RAM) within a physical machine (Intel Core i7-11800H CPU, 32 GB RAM). The code is available on GitHub Repository.

A. EVALUATION OF TABLE SEGMENTATION MECHANISM
In this experiment, we set the capacity of the flow table to 1000 and set the timeout value according to Algorithm 1. In addition, we deploy the RANDOM eviction algorithm. Since it does not preferentially evict normal or attack flow entries, we can focus on verifying the effectiveness of the table segmentation mechanism in mitigating POA flows. Specifically, we use the Scapy tool to launch 1000 POA flows to occupy the flow table, and then use the D-ITG tool to schedule 50 TCP sessions, each of which transmits 1 MB of data. Subsequently, we compare the transmission delay before and after deploying the table segmentation mechanism. The results are shown in Fig. 12.

FIGURE 12. The transmission delay before and after the deployment of table segmentation mechanism.
As shown in Fig. 12, the transmission delay is significant before the table segmentation mechanism is deployed. This is attributed to session interruptions caused by the eviction of their flow entries. By isolating POA flows in the PPS and accommodating temporal flows in the PTS, the mechanism effectively mitigates the impact of the attack and reduces the transmission delay to less than 5 s. It is worth noting that insufficient PPS capacity, for example a PTS:PPS ratio of 9:1, can undermine the effectiveness of attack mitigation. Therefore, to balance the capacity of the PTS against effectiveness, we choose a ratio of 8:2 for the table segmentation.
In addition, to demonstrate the importance of the eviction probability defined in (10), we record the control channel load before and after deploying the eviction probability. The parameter ϵ used in (10) is set to 100, since we do not observe any performance improvement of table segmentation when ϵ > 100. As shown in Fig. 13, the POA flows migrate from the PTS to the PPS in approximately 60 s. In this event, the load increases significantly. In contrast, when the eviction probability is deployed, the load remains at a much lower level. Therefore, it is essential to deploy the eviction probability in the table segmentation mechanism.

B. EVALUATION OF FLOW ENTRY EVICTION ALGORITHM
In this experiment, we set the capacity of the flow table to 1000 and the segmentation ratio to 8:2, resulting in a PPS capacity of 200. To induce PPS overflow, we combine 100 background flows and 110 POA flows, leading to the eviction of 10 entries each time. We compare the proposed eviction algorithm with FIFO, LFU, SIFT [38], SAIA [25] and TableGuard [55] in terms of the eviction of attack flows. To investigate the impact of the attack traffic, we set the packet interval to 1 s, 0.1 s, 0.01 s, and a 1:1 mixture of both. To investigate the impact of the background traffic, we construct two datasets that each occupy 100 flow entries. The first comprises 50 TCP sessions conducted by D-ITG. The second comprises 100 unidirectional flows extracted from the well-known dataset UNI1 [52] and replayed by TCPReplay [51].
The results of the experiments using D-ITG to generate background flows are presented in Fig. 14. It can be observed that: 1) The FIFO eviction algorithm operates on the duration of flow entries, which is independent of the attack flow rate (packet interval). Since the ratio of attack flows to normal flows is nearly 1:1, the eviction rate of attack flows is approximately 50%. 2) SIFT is essentially a random eviction algorithm, which is also unaffected by the attack flow rate, and exhibits effectiveness similar to FIFO. 3) SAIA is essentially an LRU eviction algorithm and demonstrates the same effectiveness as LFU; hence, their lines in the figure overlap. Regardless of the specific attack flow rate, whenever it exceeds the flow rate of normal flows, normal flows are exclusively evicted, resulting in a 0% eviction rate of attack flows. Conversely, when the attack flow rate is below that of normal flows, attack flows are exclusively evicted, leading to a 100% eviction rate. This observation highlights the vulnerability of the LRU and LFU eviction algorithms to POA. 4) TableGuard randomly evicts the flow entries from suspicious switch ports, making it similar but superior to the RANDOM eviction algorithm. 5) POAGuard evicts flow entries based on flow feature similarity and flow rate, with the primary emphasis on feature similarity. As the attack flows exhibit similar features under the optimal mode, POAGuard preferentially evicts attack flows and achieves the best performance among these algorithms in most cases. In summary, the characteristics of these algorithms lead to a similar eviction rate of attack flows across different attack rates.
The results of the experiments using TCPReplay to replay background flows are shown in Fig. 15. The UNI1 dataset consists primarily of low-rate flows (less than 1 pkt/s). In this context, the SAIA and LFU eviction algorithms preferentially evict normal flow entries, which makes them vulnerable to POA. Therefore, the latest eviction algorithms that function similarly to SAIA, such as FTMaster [54] and LtRFT [55], are excluded from the comparison. Furthermore, a comparison of Fig. 14 and Fig. 15 reveals that the background flows replayed by TCPReplay exhibit lower similarity than those generated by D-ITG. Consequently, the eviction rate of attack flow entries in Fig. 15 is higher.
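The score-based eviction of Section IV-B, run beside FIFO, LFU and RANDOM on a constructed PPS of 100 background flows plus 110 POA flows with 10 evictions, as in the comparison above. This is an added example, not the paper's code or its GitHub implementation. Equation (17), equation (18) and the definition of Cr_f are not reproduced on this page, so the example assumes S_f = sigmoid(ln λ_f / σ) · (1 − tanh(Cr_f / γ)) with σ = 10 and γ = F_vps (the number of entries in the segment), takes Cr_f as the sum of Gaussian-kernel similarities between f and every other entry over the three features named in Section IV-B (z-scored over the table; the kernel width 0.5 is an assumption), simulates LFU by counting packets as rate × age, and uses synthetic background and attack flows.

```python
"""Score-based eviction beside FIFO, LFU and RANDOM on a constructed PPS.
Added illustration, not POAGuard's code: the form of the score function, the
definition of the similarity contribution rate Cr_f and the kernel bandwidth
are assumptions; all flows are synthetic."""
import math
import random
from dataclasses import dataclass

SIGMA = 10.0      # hyper-parameter sigma from the paper (ln(lambda_f)/sigma < 1)
BANDWIDTH = 0.5   # assumed Gaussian kernel width, in standardized feature units

@dataclass
class Flow:
    fid: int
    attack: bool
    rate: float        # lambda_f, packets per second
    installed: float   # install time in seconds
    feat: tuple        # (E[interval], Var[interval], Var[size]) as in Section IV-B

def gaussian_kernel(x, y):
    d2 = sum((a - b) ** 2 for a, b in zip(x, y))
    return math.exp(-d2 / (2 * BANDWIDTH ** 2))

def standardize(flows):
    """z-score each feature over the table so the kernel sees comparable scales."""
    cols = list(zip(*(f.feat for f in flows)))
    stats = []
    for c in cols:
        m = sum(c) / len(c)
        s = math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
        stats.append((m, s))
    return {f.fid: tuple((v - m) / s for v, (m, s) in zip(f.feat, stats)) for f in flows}

def similarity_contribution(flows):
    """Assumed Cr_f: sum of kernel similarities between f and every other entry."""
    z = standardize(flows)
    return {f.fid: sum(gaussian_kernel(z[f.fid], z[g.fid]) for g in flows if g is not f)
            for f in flows}

def score(rate, cr, gamma):
    """Assumed form of (17): sigmoid(ln(rate)/sigma) * (1 - tanh(Cr/gamma)), in (0, 1).
    Higher rate raises the score; higher similarity contribution lowers it faster."""
    s = 1.0 / (1.0 + math.exp(-math.log(rate) / SIGMA))
    return s * (1.0 - math.tanh(cr / gamma))

def choose_victims(flows, policy, n_evict, now, rng):
    """Return the n_evict entries the given policy evicts from a full segment."""
    if policy == "fifo":
        ranked = sorted(flows, key=lambda f: f.installed)
    elif policy == "lfu":   # simulated packet count = rate * age of the entry
        ranked = sorted(flows, key=lambda f: f.rate * (now - f.installed))
    elif policy == "random":
        ranked = rng.sample(flows, len(flows))
    elif policy == "score":
        cr = similarity_contribution(flows)
        gamma = len(flows)   # gamma = F_vps, the number of entries in the segment
        ranked = sorted(flows, key=lambda f: score(f.rate, cr[f.fid], gamma))
    else:
        raise ValueError(policy)
    return ranked[:n_evict]

def build_table(rng, n_background=100, n_attack=110):
    flows = []
    for i in range(n_background):   # constructed slow, heterogeneous background flows
        mean_iv = rng.uniform(1.0, 5.0)
        flows.append(Flow(i, False, 1.0 / mean_iv, rng.uniform(0, 60),
                          (mean_iv, rng.uniform(0.5, 5.0), rng.uniform(5e3, 5e4))))
    for i in range(n_attack):        # constructed POA flows in the optimal mode:
        flows.append(Flow(n_background + i, True, 10.0, rng.uniform(0, 60),   # 0.1 s interval,
                          (0.1 + rng.uniform(-0.005, 0.005), 1e-3, 0.0)))     # fixed size
    return flows

def attack_eviction_rate(policy, seed=7, capacity=200, now=120.0):
    """Share of evicted entries that belong to attack flows (1.0 is best for the defender)."""
    rng = random.Random(seed)
    flows = build_table(rng)
    victims = choose_victims(flows, policy, len(flows) - capacity, now, rng)
    return sum(v.attack for v in victims) / len(victims)

if __name__ == "__main__":
    for p in ("fifo", "lfu", "random", "score"):
        print(f"{p:6s} evicts {attack_eviction_rate(p):.0%} attack entries")
```

With these inputs LFU never evicts an attack entry, because every attack flow has accumulated more packets than any background flow, while the score-based policy evicts only attack entries, since the near-identical feature vectors of the attack cluster give each of them a large Cr_f.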

C. EVALUATION OF ATTACK DETECTION METHOD
In this experiment, we set the capacity of the flow table to 1000 and the segmentation ratio to 8:2, resulting in a PPS capacity of 200. To verify the effectiveness of the detection method, we extract 100 unidirectional flows from the UNI1 trace to serve as background flows [35], and then introduce 100 test flows to trigger attack detection. The test flows contain a proportion of attack flows. The procedure is as follows.
First, to select the appropriate attack parameters, we generate 100 attack flows with varying flow rates (packet intervals) and packet sizes to trigger attack detection. The worse the detection method performs, the more effective the attack parameters are, as indicated by the detection method outlined in Algorithm 2. Therefore, we select the parameters that result in a smaller AUC value. As shown in Fig. 16, we use different prefixes to indicate whether the packet size is fixed or random, and a suffix to represent the packet interval. For example, "fix_1s" represents a fixed packet size with a 1 s packet interval. Since a smaller AUC value indicates a worse-performing detection method, we set a random packet interval in the range of 0-1 s, while either a fixed or a random packet size is appropriate.
Next, to determine the appropriate thresholds for POA detection, we mix varying proportions of normal and attack flows to construct 100 test flows to trigger attack detection. It should be noted that the normal flows contained in the test flows are extracted from other parts of the UNI1 trace. After migrating the 100 background flows into the PPS, we inject the 100 test flows to activate the detection model. The results are presented in Table 3 and Table 4. The label "fix_9:1" means that the size of attack packets is fixed and the ratio of attack flows to normal flows is 9:1. According to Algorithm 2, AUC = 0.7 can be taken as the threshold for identifying concept drift. Specifically, AUC < 0.7 means no concept drift, and vice versa. At this threshold, when concept drift occurs 7 times out of 10 tests, we consider that the attack can be identified. We set the thresholds because we expect the attack to be identified when the proportion of attack flows reaches 50% of the test flows. Therefore, the parameters used in Algorithm 2 can be determined as follows: δ_mon = 0.7 and τ = 0.7.
Finally, using the determined parameters, we repeat each group of experiments 20 times to evaluate the effectiveness of the proposed detection method. Fig. 17 and Fig. 18 show that the detection rate increases with the proportion of attack flows. However, when the attack flows account for a small proportion, the attack becomes difficult to identify, and the detection result becomes sensitive to the attack parameters, such as the packet size. When the proportion of attack flows increases to a certain extent, such as 70% in this experiment, the detection result is no longer affected by the attack parameters, since the attack can be identified with a probability close to 1. These results indicate that the proposed detection method is effective only if the features of attack flows and normal flows are distinguishable and the number of attack flows reaches a certain amount.
To confirm this conclusion, with slightly different parameters (δ_mon = 0.8, τ = 0.7), we deploy other basic classification methods (for the online test) in Algorithm 2, including Logistic Regression, Naive Bayes, KNN, and SVM. As can be observed, the results in Fig. 19 and Fig. 20 exhibit a trend similar to Fig. 17 and Fig. 18, which confirms the conclusion. It is important to note that: 1) Owing to the novelty of the attack method proposed in this study and the absence of related work available for comparison in terms of POA detection, we do not conduct comparative experiments on the detection rate against other methods. 2) The proposed detection method is based on analyzing flow features rather than the overall topology or scale of the network. This means that the detection method can be applied to various network environments, regardless of their size or complexity.

D. EVALUATION OF ATTACK DEFENSE METHOD
In this experiment, we keep the capacity of the flow table and the PPS unchanged. To evaluate the effectiveness of    and 400, respectively. In Fig. 21(g)-(i), the number of attack ports is 3, and 4, respectively, with each port transmitting the same number of attack flows. As the curves in Fig. 21 exhibit similar patterns, we take Fig. 21(e) as an example to analyze the reasons for the changes in the curves.
The changes in the curve of Fig. 21(e) can be divided into three stages. Before the defense module is deployed, these stages are Timeout, Migration, and Eviction. After the defense module is deployed, the stages are Timeout, Migration, and Block. In the Timeout stage, periodic fluctuations occur owing to multiple hard timeouts of attack flows. After that, these flows are migrated from the PTS to the PPS and trigger the defense module to calculate the score and conduct attack detection. This process requires a large amount of computation, resulting in a sharp increase in the curve. Before the defense module is deployed, the curve enters the Eviction stage after the Migration stage. As the SDN controller starts to evict flow entries, the load on the control channel decreases and remains constant as the system gradually stabilizes. After the defense module is deployed, the curve enters the Block stage after the Migration stage. Since the defense module can locate the malicious switch ports and block them, the load on the control channel remains negligible. Therefore, the defense method is effective in this context, even though the attack flows originate from multiple switch ports.
In addition, it should be noted that: 1) In Fig. 21(a)-(c), we set both the number of background flows and the number of attack flows to 100, which should ideally result in the occupation of 200 flow entries. In practice, the overflow still occurs owing to additional background flows generated internally by D-ITG. 2) Compared with Fig. 21(e) and Fig. 21(f), the attacks conducted in Fig. 21(d) result in a higher load on the control channel. This is because the attack module implemented with the Scapy tool can actually achieve a higher attack flow rate with the attack parameters presented in Fig. 21(d).

E. EVALUATION OF PERFORMANCE OVERHEAD
To evaluate the performance overhead of POAGuard, we deploy it on a linear network topology that scales proportionally with the number of switches. First, we generate 200 persistent flows to initiate flow processing (e.g., similarity calculation and attack detection). Next, we implement performance monitors to record CPU and memory utilization. The results in Fig. 22 show that CPU and memory utilization increase almost linearly with the number of switches. When the number of switches reaches 70, CPU utilization approaches saturation. Similarly, the results in Fig. 23 show that CPU and memory utilization increase almost linearly with the capacity of the flow table. It is important to note that the linear topology used for stress testing is impractical for real-world deployment, and the switches would not necessarily be managed by a single SDN controller. Despite the experiment being conducted on a single virtual machine, the findings indicate that the performance overhead of POAGuard is acceptable.

VI. CONCLUSION AND DISCUSSION
To date, considerable research has been conducted on rate-based overflow attacks (ROA). However, studies on preemptive overflow attacks (POA) are scarce. This study aims to address this gap in the literature. First, we demonstrate how POA works and the differences between ROA and POA. Next, we establish models to analyze the optimal attack mode under the LFU eviction algorithm. We then propose a defense mechanism, POAGuard, which consists of three modules. The table segmentation module manages the flow table using a segmentation mechanism that protects temporal flows by isolating persistent flows in a dedicated segment. The eviction module evicts suspicious flows according to the defined score function. The detection module detects whether an attack is occurring by monitoring the continuous concept drift of the flow feature models, and blocks the malicious switch ports that trigger the attack. Finally, we conduct experiments to evaluate the performance of each POAGuard module. The results demonstrate that POAGuard can effectively detect and defend against POA.
The following points are worth discussing: 1) The difficulty of POA detection lies in the lack of distinctive flow features. For such attacks, we believe that combining the characteristics of the application scenario with unsupervised learning methods is a feasible approach to detection. 2) Although this paper focuses on POA attacks targeting the LFU flow entry eviction algorithm, POA attacks remain effective when other flow entry eviction algorithms are deployed. Under the experimental setting described in Section V-A, the attack effects are shown in Fig. 24. Additionally, based on the system architecture of POAGuard depicted in Fig. 7, it is evident that the effectiveness of attack detection and defense is independent of the deployed flow entry eviction algorithm. 3) In the context of multi-level flow tables, the flow table management method proposed in this paper requires specific adaptation. If the multi-level flow tables are implemented with a coarse-to-fine installation approach, we can employ multi-level dictionaries to manage virtual flow table entries, thereby improving indexing efficiency.
It should be noted that POAGuard may not be universally applicable to all scenarios. For instance, in the concept drift-based detection method, we consider application scenarios with relatively stable flow feature models, such as those found in data centers [17] or storage centers [56]. However, in complex application scenarios in which the flow feature model changes rapidly, the detection method may fail. Additionally, this study focuses exclusively on the optimal attack mode in the context of the widely adopted LFU eviction algorithm. Although LFU demonstrates superior flow table utilization, it is crucial to acknowledge that various alternative eviction algorithms are employed in practice. Consequently, our future research will center on investigating the optimal attack modes applicable to these alternative eviction algorithms and on designing a robust and adaptable framework that can be applied to a broader range of scenarios.

FIGURE 2. The workflow of the flow entry eviction mechanism.

FIGURE 3. Schematic diagram of the attack modes of ROA and POA.

Fig. 4 illustrates the workflow of POA. The POA flows are constructed in Steps 1-3 to overflow the flow table, which operates similarly to ROA flows. When overflow occurs, the flow entry eviction mechanism is triggered. In Step 4, the POA flows remain highly active to exploit the flow entry eviction mechanism. Under the LFU eviction algorithm, the entries of slower-rate flows are preferentially evicted, causing

FIGURE 5. Transmission delay of 1 MB of data under varying overflow attacks.
N L N i=1 and the occupied flow entries of normal applications e i N L N i=1 , λ increases with λ j M .

FIGURE 6. Transmission delay of 1 MB of data under POA with varying packet intervals.

FIGURE 9. The involvement of new entries without concept drift.

FIGURE 10. The involvement of new entries with concept drift.

FIGURE 13. The control channel load before and after the deployment of the eviction probability.

FIGURE 14. The eviction rate of attack flows under different attack rates, with background flows generated by D-ITG.

FIGURE 15. The eviction rate of attack flows under different attack rates, with background flows replayed from the trace.

FIGURE 16. The obtained AUC values under varying attack parameters.

FIGURE 17. The detection rate with varying proportions of attack flows under fixed packet size.

FIGURE 18. The detection rate with varying proportions of attack flows under random packet size.

FIGURE 19. The detection rate of other methods under fixed packet size.

FIGURE 20. The detection rate of other methods under random packet size.

FIGURE 21. The effectiveness of the defense module under varying attack scenarios.

FIGURE 22. CPU and memory utilization under varying numbers of switches.

FIGURE 23. CPU and memory utilization under varying flow table

TABLE 1. Comparison of the ROA and POA.

FIGURE 1. The workflow of packet processing in SDN networks.

TABLE 2. Notation and description.

Algorithm 1 Flow Rule Installation Process (fragment recovered from the extracted text)
1: record ← Looking up flow record from VTS or VPS
2: if record in VTS then
3:   if the flow has been timeout for δ_out times then
4:     Migrate the entry to PPS with idle-timeout value t_idle
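The recovered lines of Algorithm 1 and the table segmentation behaviour evaluated in Section V-A (temporal flows in the PTS, persistent flows migrated to the PPS after repeated timeouts), as an added example that is not the paper's code. It assumes a PTS entry with a hard timeout `t_hard` whose expiries are counted in the virtual temporal store (VTS), migration to the PPS with idle timeout `t_idle` once a flow has timed out `delta_out` times, and the 8:2 split from the experiments; the eviction probability of equation (10) and the score-based PPS eviction are not reproduced on this page, so a random victim stands in for both, and `SegmentedTable` and `simulate` are names chosen here.

```python
"""Table segmentation workflow after Algorithm 1 (added illustration, not POAGuard's code).
Assumptions: PTS entries carry a hard timeout, each expiry is counted in the VTS,
and after delta_out expiries the flow is re-installed in the PPS with an idle timeout.
The overflow rule in both segments is a random placeholder, because the eviction
probability of equation (10) is not reproduced on this page."""
import random

class SegmentedTable:
    def __init__(self, capacity=1000, ratio=(8, 2), delta_out=3,
                 t_hard=10.0, t_idle=30.0, seed=0):
        self.pts_cap = capacity * ratio[0] // sum(ratio)   # temporal segment (PTS)
        self.pps_cap = capacity - self.pts_cap             # persistent segment (PPS)
        self.delta_out, self.t_hard, self.t_idle = delta_out, t_hard, t_idle
        self.vts = {}      # virtual temporal store: flow -> hard-timeouts seen so far
        self.vps = set()   # virtual persistent store: flows recognised as persistent
        self.pts = {}      # flow -> expiry time of its hard-timeout entry
        self.pps = {}      # flow -> last packet time of its idle-timeout entry
        self.rng = random.Random(seed)
        self.evicted = []

    def _place(self, segment, cap, flow, value):
        """Insert into a segment; on overflow a random entry is the placeholder victim."""
        if flow not in segment and len(segment) >= cap:
            victim = self.rng.choice(sorted(segment))
            del segment[victim]
            self.evicted.append(victim)
        segment[flow] = value

    def install(self, flow, now):
        """Lines 1-4 of Algorithm 1: look up the flow record and pick the segment."""
        if flow in self.vps or self.vts.get(flow, 0) >= self.delta_out:
            self.vps.add(flow)            # timed out delta_out times: treat as persistent
            self.vts.pop(flow, None)
            self._place(self.pps, self.pps_cap, flow, now)
            return "PPS"
        self._place(self.pts, self.pts_cap, flow, now + self.t_hard)
        return "PTS"

    def tick(self, now):
        """Expire PTS hard timeouts (counted in the VTS) and PPS idle timeouts."""
        for flow, expiry in list(self.pts.items()):
            if now >= expiry:
                del self.pts[flow]
                self.vts[flow] = self.vts.get(flow, 0) + 1
        for flow, last in list(self.pps.items()):
            if now - last >= self.t_idle:
                del self.pps[flow]

    def packet(self, flow, now):
        """A packet arrives: refresh a PPS entry, hit a PTS entry, or (re)install the flow."""
        self.tick(now)
        if flow in self.pps:
            self.pps[flow] = now
            return "PPS"
        if flow in self.pts:
            return "PTS"
        return self.install(flow, now)

def simulate(n_attack=150, seconds=60, session_start=40):
    """Constructed scenario: n_attack always-active flows plus one short normal session."""
    table = SegmentedTable(capacity=1000, delta_out=3, t_hard=10.0)
    attack = [f"poa-{i}" for i in range(n_attack)]        # constructed flow ids
    for now in range(seconds):
        for f in attack:
            table.packet(f, float(now))                     # one packet per second each
        if now >= session_start:
            table.packet("tcp-session", float(now))         # constructed normal flow
    return {
        "attack_in_pps": sum(f in table.pps for f in attack),
        "attack_in_pts": sum(f in table.pts for f in attack),
        "session_segment": "PPS" if "tcp-session" in table.pps
                           else "PTS" if "tcp-session" in table.pts else None,
        "evictions": len(table.evicted),
    }

if __name__ == "__main__":
    print(simulate())
```

After three hard timeouts (at 10 s, 20 s and 30 s) every always-active flow has been re-installed in the PPS, so the PTS is free when the short session starts at 40 s; the session is never evicted because the persistent flows no longer compete with it for PTS entries.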

TABLE 3. AUC values under fixed packet size.

TABLE 4. AUC values under random packet size.