Day 14: Reviewing DDoS Attack detection method using SVM in SDN network

Hey guys, as promised yesterday, let's review a recent work on DDoS attack detection method using Support Vector Machines (SVM) today.

This paper beautifully describes how SDN flows can be used to build a feature set to train SVM model to detect a DDoS attack. Kudos to the authors!
Jin Ye, Xiangyang Cheng, Jian Zhu, Luting Feng, and Ling Song, “A DDoS Attack Detection Method Based on SVM in Software Defined Network,” Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018. https://doi.org/10.1155/2018/9804061


Let's start by understanding the contents of a flow. The diagram below is a good flow structure representation.


Next, a six-tuple characteristic values matrix containing the following features is built.
In all the features T is the sample interval.

  • The speed of source IP (SSIP) is the number of source IP addresses per unit of time:If SSIP is large, more likely it is an attack.
  • The speed of source port (SSP) is the number of attack source ports per unit of timeIf SSP is large, more likely that it is an attack.
  • The Standard Deviation of Flow Packets (SDFP), that is, the standard deviation of the number of packets in the  period, is as follows:where  represent the average number of the packets in the  period.  is the total number of flow entries per period, in the event of an attack; in order to produce the attack effect, since entropy decreases, SDFP also decreases.
  • The Deviation of Flow Bytes (SDFB), that is, the standard deviation of the number of bits in the  period, is as follows:where , represent the average of the number of bits in the  period. In the event of an attack, in order to reduce the packet load, attacker will send a smaller bit of data packets and the standard deviation flow bits will be smaller than the normal flow.
  • The speed of flow entries (SFE), that is, the number of flow entries per unit time, is as follows:
SFE dramatically increases when an attack occurs.
  • The Ratio of Pair-Flow (RPF), that is, the ratio of interactive flow entries to total flow entries, is as follows:where  is the number of interactive flow entries. i.e The server responds back to the client. When an attack occurs, the flow entries sent to the destination host in a  period increase sharply, the destination host cannot respond to the interactive flow in time, and in general the attacker typically uses massive pseudo-source addresses when attacking, so the number of interactive flow entries per will drop in the  period.
So, the above features make up the feature-set for training SVM model. SVM works well even with lesser data, and it is indeed a good classifier.

The network topology for testing the model employed by the authors


In the experiment, the normal traffic is composed of three basic communication kinds of traffic (TCP, UDP, and ICMP) and the attack traffic consists of three separate types of attack traffic: TCP, UDP, and ICMP. So, the metrics used for measuring the performance of the model are Detection rate and False alarm rate given by the following formula.

The performance of the attack detection is displayed by the detection rate (DR) and false alarm rate (FAR); the formulas are calculated as the values:In this formula,  indicates that the attack flow is detected as an attack flow, and  means that the attack flow is detected as a normal flow.In the formula,  means that the normal flow is detected as an attack flow, and  indicates that the normal flow is detected as a normal flow.

A good detection rate and lower false alarm rate was obtained by the authors.

From my perspective, 
What could be added to this paper is the concept of making the model real time and scalable so that it can be incorporated into the real SDN network.


That's it for today folks! Tomorrow lets study some architectures to make the model real time and scalable! 


Comments

Post a Comment

Popular posts from this blog

Day 12: Master Slave SDN Controller Architecture

In the previous post, I was struggling to figure out why all controllers can install flows in all switches irrespective of the code. Well, today the mystery is getting resolved. I found this book that explains beautifully the various roles that a controller can play. The three roles are: Equal : this happens by default all the equal controllers in a network that are connected to the switch can add and delete flows from it Slave: it has a read-only limitation to the switch openflow tables Master: very similar to the switch, but only 1 master can be connected to the switch at that point of time, and no other flows can intercept the communication between switch and master. I highly recommend you go through the above link to get a better picture. Since the default role of any controller is "Equal", we couldn't really differentiate between the three controller flows yesterday. But one good news from this is that we don't really need extensive coding to assi
Read more

Day 50: Tcpreplay and tcpliveplay approach

Today we shall be exploring how to copy and redirect the OpenFlow packets to more than one controller from the load balancer. The load balancer is anyway sending the OpenFlow packets to one of the slave controllers - c1 or c2. The packets sent to these two controllers needs to be sent to master controller so the master controller can update the new flows added by c1 or c2 on the switches. This ensures synchronization between controllers. There are two implementation methods to achieve the same: Copy all packets generated from the load balancer to the controller side. Only the packets having destination IP address of c1 and c2 can be redirected to the master controller. Thus we can prevent the packets which already are reaching the master controller to be sent as duplicates Copy and redirect packets from the slave controllers - c1 and c2. We need not take care of duplicate packets reaching master controller. This will reduce the time taken to redirect packets. Since the second a
Read more

Day 10: Mininet Simulation of a basic distributed SDN controller architeture

Hi and welcome back! We have not been able to update the blog since we were busy debugging and figuring out!!! We are back to give you an in-detail explanation of how we have simulated a basic distributed SDN controller architecture. Requirement: 2 Hosts Mininet up and running Ryu controller up and running on each 1 D-link switch We have used two linux machines with Ubuntu 16.04 OS running on them.  How to install Mininet? Run the following command on a terminal to install mininet: > sudo apt-get install mininet How to install Ryu Controller? Make sure to install Ryu controller on each of the Linux machines so that they can act as a controller. Run the following commands for a successful installation of Ryu controller: > git clone git://github.com/osrg/ryu.git > cd ryu > sudo apt-get install python-dev python-pip python-setuptools   > sudo pip install . > sudo pip install webob eventlet paramiko routes Set Up the network
Read more