2.1 Introduction

          This chapter describes SDN and DDoS attacks and how DDoS
attacks harms SDN-based environments, also describe available DDoS detecting
models in SDN-based environment. Machine Learning description also in this
chapter with its methodology and its available methods that can detect DDoS
attacks in SDN-based environment.

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

2.2 Software Defined
Network (SDN)

          SDN in network architecture dedicated in 2011 by Open
network Foundation (ONF) 2provides
management, by centralized the control plane of the network devices into
application called network controller3. It has three
main layers as in figure 2.1. Infrastructure Layer (data plan) is
consists of Forwarding Elements (FEs) such as physical, virtual switches and
other network devices. The second layer is control layer (control plan)
that consists of software-based controllers provides control and manage of the
network via open APIs. The last layer is the application layer that
contains end-user application that consumes the SDN communication and network
services. The communication between those layers is done by APIs are Northbound
APIs that communicate between application layer and control layer. Another APIs
is Southbound APIs that communicate between the control layer and
infrastructure layer7. Also there are
Eastbound and Westbound APIs that communicate between the control
plane controllers.  The widely used
protocol in these APIs in OpenFlow that based on the switches that contain a
table called flow table. This table contains packets header data 8.

          SDN has good features in security area like Separation of
the control plane from the data plane and centralized controller and view of
the network those make it easily to establish attacks, also the Programmability
of the network by external applications and software-based traffic analysis
help protection SDN and improving the capability of the network devices 7.

2.1 SDN Architecture7

2.3 Denial of Service
(DoS) attacks

          Denial of Service (DoS) Attack is action that makes a
machine or network resource unavailable for its users. This attack can be done
by many ways such as sending many requests to the target machine / network
resource which makes it busy with these requests, thus affect the availability
of it. Distributed Denial of Service (DDoS) means multiple DoS attacks in same
time from different sources to one destination. DDoS attacks have two
categories depends on the target protocol, the first category is
Network/transport DDoS attacks that used TCP, UDP, ICMP and DNS protocol
packets and acts the connectivity by Consuming the network bandwidth. The
second category is Application-level DDoS that used application protocols like
XML, HTTP, SOAP protocols to acts the service by exhausting the server
resources like CPU, memory I/O bandwidth7,
9. DDoS attack
has four components: the real attacker, compromised hosts called as handlers, the
agent hosts who generate a large number of packets towards the target host and
the target host8.

          Recently statistics show that DDoS attacks growth that
makes it a serious problem and needs more actions to protect computer
environment from it, table 2.1 describe DDoS attacks in the recently five years
that cause big loss.





of US-based security vendor

June 2016

Botnet http requests – 50,000 request per second  

of Greece Web site

May 2016

the website service for more than 6 hours

internet banking

January 2016

HSBC internet banking in UK 

government websites

the website, central statistics office, court service, health service
executive, and the house of the Oireachtas


December 2015

the website, main iPlayer catch-up service, and iPlayer radio app

government websites

October 2015

Thai government Web sites, ministry of information, communications and
technology (ICT) by a suspected distributed denial-of-service (DDoS) attack.


June 2015

the flight plan system for 5 hours, about 1400 passengers impacted

Government Web sites

June 2015

Canadian government’s computer servers that caused federal emails and several
department websites to shutdown


March 2015

by thousands of illegitimate requests causing intermittent outages

of CloudFlare

February 2014

one of CloudFlar clients with 400Gbps traffic.
attackers leveraged a flaw in the network time protocol (NTP) to launch the
DDoS attack


March 2013

has been hit by DDoS attack of 300Gbps

2.1 recently DDoS attacks10

2.4 DDoS attacks in
SDN-based Environment

          SDN-based environment as any network system can be attacked
by DDoS. SDN-based environment has one obstacle that also can be an advantage;
its bottleneck that comes from centralized control can be used to attack
SDN-based environment because every packet must pass throw SDN to filter it,
but also it can be used to detect DDoS attacks. There are some ways for
attacking SDN-based environments such as attacking the SDN layers, breaking
down the traffic between the SDN layers, attacking the controller resources,
the SDN controller itself, switches memory or attacking the applications 7,

there is some attacks ways in SDN-based environment, there are some detection
mechanisms for some attacks can be classified depends on the DDoS attack target
as infrastructure attacks detection mechanisms (e.g. managing flow table in SDN
switches, using machine learning to detect DDoS packets in SDN switches),
control layer detection mechanisms (e.g. Using hash-based mechanism with round
robin method, SVM classifier) and application layer detection mechanisms (e.g.
using FortNOX mechanism and using OpenFlow application).

2.2 DDoS detection Countermeasures12

detection mechanisms can be classified depending on detection method as in
figure 2.2. Also they can be classified depending on the target such as Infrastructure
Layer Detection models, Control Layer Detection models and Application layer Detection
models. Also detection mechanisms can be classified depending on detection
technique such as Entropy, Machine Learning, Traffic Pattern Analysis, and
Connection Rate10

2.5 Machine Learning

          Machine leaning is set of Mechanisms that helps machine to
set it decision based on a set of training data. This technique applied to
detect and mitigate DDoS attacks in SDN-based environment by using collection
of data examples or instances13. Some of its
Mechanisms that used in DDoS detecting in SDN-based environment are described

2.5.1 Artificial Neural
Networks (ANN)

          ANN is a set of interconnected processing elements aimed to
transfer a set of input to a set of desired output based on biological nervous
system processes. These processing elements depend on Multilayer Perceptions
(MLP) figure2.2 that is widely adopted neural network. ANN is Capable to
generalize from
limited noisy and incomplete data also it does not need expert knowledge and it
can find unknown or novel intrusions but it’s not suitable for real-time
detection because its training process is slow also over-fitting may happen
during training process13.

2.5.2 Support Vector
Machine (SVM)

          SVM is one of the most common methods for classification
the machine learning tasks, it can learn the pattern by a few training samples
by marked ever sample into one of two categories and set the decision depends
on comparing between every category data and the incoming data. SVN has high
decision and training rate but its needs more time for training and didn’t give
any additional information about detected attacks8,

2.5.3 Genetic Algorithm

          GA is a meta-heuristic search approach
algorithm proposed by Holland in 1972, is starts with an initial set of
solutions and optimize them throw genetic operations such as climbing method
until reaching the acceptable solution. GA cannot assure constant optimization
response times also it’s suffered from over-fitting in training process but it
has Ability to derive best classification rules and
selecting optimal parameters 13-15.

Figure 2.2 MLP 13

 2.5.4 Fuzzy Logic

logic is an approximation technique that based on fuzzy set theory witch works
on reasoning. Fuzzy logic concept is to run an object into different classes
simultaneously that is very useful in some cases. Fuzzy logic is effective in
ports and probes scanning 13.

2.5.5 Bayesian Networks

network is an encoded directed graph based on probabilistic relationships among
distinctions of interest in an uncertain-reasoning problem16.

2.5.6 Decision Tree

          DT is one of the most widely modeling
techniques that used in data mining, machine learning and statistics, its use inductive
inference to get the decision solution. It’s a tree of testing nodes that every
node test specific action depends on the previous node result and with the
testing result the process will continue until the leaf node that contains the
final result13.


          This section describes the recently DDoS detection models
and some rules for detecting DDoS attacks on SDN-based environment that grouped
as infrastructure layer that care about detection mechanisms in SDN resource
such as network devices and the traffic between the network devices and other
devices. The second group is control layer that talk about the detection model
in SDN controller and the traffic these controllers. Another group is
application layer that talk about detection DDoS attacks that act the SDN
applications layer. The last group is SDN detection group that care about DDoS
detection models those runs in all SDN environment. These groups also act with
the APIs detection such as northbound API DDoS attack detection in application
layer and control layer, southbound API DDoS attack detection in control layer
and infrastructure layer and eastbound and southbound APIs DDoS attack
detection in control layer.

2.6.1 Detection models
in Infrastructure Layer

          H. T. N. Tri et all 17 describe the
DDoS resource attacks and talk about the important of managing the flow table
limitation to protect SDN from this attacks, also the controller application
should be ready for the case of the fully of the flow table, also replace the
required flow entries with the old entries can help when the flow table become
full , also adding an intermediate model to store the flow entries may be
required for protection. This has a huge important as part of detection
mechanisms for DDoS attacks that harm infrastructure layer because any
detection method needs time for detecting the attack and mitigation the attack,
if there is no enough space in flow table the environment may be destroyed
before the detection and mitigation tools complete its job 17.

          R. Wang et all 18 proposed an entropy-based
lightweight DDoS attack detection model that runs in the OF edge switches.
The experimental results show that this model can detect DDoS attacks at early
monitoring intervals with a low false positive rate 18.

          B. Wang, et al.3 proposed new
detection model called DaMask that runs in network switches. It has two
models DaMask-D for DDoS attacks detection, the other one is DaMask-M for DDoS
attacks reaction, this model detect DDoS attacks by analysis packet by specific
steps in DaMask-D starting with switches flow tables and ends with acceptance
or rejection by sending an alert to DaMask-M to stop the rejected packet. This
model has a single problem that it cannot detect all DDoS attacks especially
signature base attacks3.

2.6.2 Detection models
in Control Layer

Kokila, et all 8 used SVM
classifier for detection DDoS attacks in controller that is a learning
algorithm that recognizes the data and use the pattern for rating. SVM analysis
packets by learning the pattern of it with a few training samples, this helps
to knowing the DDoS packets pattern and stop it. With SVM it’s becomes easy to
training the SDN network to protect the network from unknown packets or any
other attacks. The results get good detecting rate but the method needs long time
for generate detection model and training it 8.

          S. M. Mousavi 19 proposed method
to detect DDoS attacks in controller that based on entropy variation of
destination IP address, this method can detect DDoS attacks in first five
hundred attack packets, also its has simple code and does not affect the CPU
performance. This makes detection simple and easy when the DDoS attack target
is single host but if the target becomes multiple locations such as network
switches or web servers based on multiple machines this method may become not
suitable for detecting DDoS attacks. With multiple target attack problem this
method has good performance and has simple code and did not affect the CPU
load, it can be combined with other detecting mechanism to get better
performance and good detecting rate19.


            S.-W. Hsu, et all 20 preset a hash-based
mechanism with round robin method to separate incoming packet into queues,
this increase the reliability and performance of the SDN network, also there
result shows controller that using the hash-based mechanism can handle more
than 5000 flows/s, but without this mechanism the controller suffers from the
flow failure when the packet pass 2000 flow/s 20.

          Y. Cui, et all 6 proposed new DDoS
attack detection, trackback and mitigation method called Software Defined
Anti-DDoS (SD-AntiDDoS) that based on novel mechanism and Back
Propagation Neural Network (BPNN). The main features in this environment
are reducing detection time and decrease network and CPU load. Running this
method depends on (packet in message) that is a special message sent form the
switch to the controller when the switch received an abnormal packets. With
this dependence on the message there is no more load to the CPU and network. Also
to reduce detecting time the method starts analyzing the packet Concurrently
with controller response depends on the packet information in the switch flow
table. Also it can detect DDoS attack in one second in minimum and can initiate
and trained very quickly. This method gets good detection rate, its needs one
second as minim time to detect DDoS attacks but what if there is a DDoS attack
packet pass throw the switches as normal packet such as HTTP-based DDoS attack

V. Phan, et al., 21 proposed a novel
hybrid flow-based handler using SVM and Self-organizing map (SOM)
that is type of ANN that trained by using unsupervised learning mechanism.
This combination gets the advantages of SVM and SOM in detecting DDoS attacks
to get better detecting rate than SVM and SOM separately with range of 4%  in detection, false alarm, and Accuracy but
adds more load to CPU and time for training and detecting 21.

Yan, et al.,22 proposed a SDN controller
scheduling algorithm called MultiSlot isolate the switches flow
requests and allocate them to prevent DDoS attacks that harms the communication
between the switches and controller22

Sindia, et all 23 proposed a Bifold
SDN based Solution using machine learning  Genetic algorithm and Covariance matrix
(BSSGC) that detect DDoS attacks by analysis packet depends on source and
destination IP address and Time of Existence (ToE) which is 150 seconds. This
solution focus on false positive (FP) and true negative (TN) values that are
the main values in detecting DDoS attacks. It detect DDoS attacks in range of one
second 23.

2.6.3 Detection models
in Application layer

Porras, et al24 proposed a software
extension called FortNOX that enhance the security applications in
SDN framework such as Openflow, this software deal with the communication between
the application layer and controller to protect application layer from any
attacks, its contains some components that help protecting Openflow application
layer such as role-based authorization, rule reduction, conflict evaluation,
policy synchronization, and security directive translation. FortNOX adds some
overhead to the SDN works with average 7 ms but increased the protection of

Lee, et al25 proposed new open
source framework called Athena that detect attacks based on Network-based
anomaly detection mode that support machine learning detection modes. Athena
has good features such as providing third-party developments, it’s don’t
require specific hardware like Openflow ,also its good choice for large SDN,
also its supported as good framework from other researchers such as Steven
Farrell and others25.

Sreeram, et all 26 proposed a
Bio-Inspired Anomaly based HTTP-Flood Attack Detection (BIFAD) that aims of
achieving fast and early detection of DDoS attacks that harms SDN application
layer by using HTTP protocol. This detection mechanism uses machine learning
mechanism and bio inspired bat algorithm26. This technique is used by K. M. Prasad27 to detect this
type of attacks.


2.7 Related work

in current detecting mechanisms that proposed between 2014 and 2017 as in table
2.2 most of them deal with the control layer and infrastructure layer, exactly
in flow tables and the traffic between them and the controller as in most of
the detecting methods. Also the packet must pass throw the controller that
described in SDN definition as good and bad thing in same time, this makes
controller and infrastructure layers is good place to detect DDoS attacks in
SDN environment. 

infrastructure layer all detecting mechanisms talk about the data flow table
and the analyzing mechanisms for its data. The shared problem is storing the
analyzed data in the flow table and the time for this analyzing and the traffic
between the controller and the flow table that is shared problem with the
control layer detecting mechanisms. Another problem in these detecting
mechanisms is the most of these mechanisms based on specific hardware that is
the switches that support flow tables.

control layer that has the most detecting mechanisms that describes a
programmatically solution that may have one problem added to the traffic
problem, its time cost and CPU load, but it has good detection performance and
it describes the good feature in SDN environments that is the ability of
programming the controller to fix any future problem.

application layer the most detection mechanisms are frameworks or solutions for
HTTP-based DDoS attacks because the most attacks in application layer based on
HTTP protocol that harm web applications and operating systems26,

detecting mechanisms that didn’t based on machine learning technology can be
classified in two groups the first one care about infrastructure switches and
managing the flow tables and provide hardware solutions for them. The second group
gets programmable solutions using many mechanisms (figure 2.2).

learning technologies becomes more suitable technology for detecting DDoS
attacks, it used to provide good solutions in detecting DDoS attacks in
SD-based environment in recently few years exactly in 2017. These solutions can
be grouped depend on the machine learning technique such as ANN, Genetic
Algorithm, Decision Tree, Bayesian Networks, Fuzzy Logic, and SVM also
combining between two techniques or more provides better detecting solutions.



Possible DDoS attack

Available solution

Machine Learning



Infrastructure Layer attacks

managing flow table limitation



H. T. N. Tri et all 17

entropy-based lightweight



R. Wang et all 18




B. Wang, et al.3

Control Layer attacks




R. Kokila, et all 8

entropy-based Methods



S. M. Mousavi 19

hash-based mechanism with round robin



S.-W. Hsu, et all 20




Y. Cui, et all 6




T. V. Phan, et al 21

controller scheduling algorithm



Q. Yan, et al 22




T. Sindia, et all 23

Application Layer attacks




P. Porras, et al24




S. Lee, et al25




I. Sreeram, et all 26

2.2 Available DDoS attacks detection Solutions

2.7 conclusions

          This chapter introduces the Machine learning mechanisms and
describes the SDN environment, its advantages, and its problems with DDoS and
some solutions for detecting DDoS attacks in SDN-based environments.


I'm Erica!

Would you like to get a custom essay? How about receiving a customized one?

Check it out