2.1 Introduction

This chapter describes SDN and DDoS attacks, how DDoS attacks harm SDN-based environments, and the DDoS detection models available for SDN-based environments. It also describes machine learning, its methodology, and the machine learning methods that can detect DDoS attacks in an SDN-based environment.

2.2 Software Defined Network (SDN)

SDN is a network architecture introduced in 2011 by the Open Networking Foundation (ONF) [2]. It provides network management by centralizing the control plane of the network devices into an application called the network controller [3]. It has three main layers, as shown in figure 2.1. The infrastructure layer (data plane) consists of forwarding elements (FEs) such as physical and virtual switches and other network devices. The second layer is the control layer (control plane), which consists of software-based controllers that control and manage the network via open APIs. The last layer is the application layer, which contains the end-user applications that consume the SDN communication and network services. Communication between these layers is done through APIs: northbound APIs connect the application layer with the control layer, and southbound APIs connect the control layer with the infrastructure layer [7]. There are also eastbound and westbound APIs for communication between the controllers of the control plane.

The protocol most widely used in these APIs is OpenFlow, which is based on switches that contain a table called the flow table; this table holds packet header data [8]. SDN has features that help security: the separation of the control plane from the data plane, together with the centralized controller and its global view of the network, makes it easier to detect attacks, and the programmability of the network by external applications and software-based traffic analysis help protect SDN and improve the capabilities of the network devices [7].

Figure 2.1 SDN architecture [7]
2.3 Denial of Service (DoS) attacks

A Denial of Service (DoS) attack is an action that makes a machine or network resource unavailable to its users. It can be carried out in many ways, such as sending many requests to the target machine or network resource so that it stays busy with these requests, which affects its availability. Distributed Denial of Service (DDoS) means multiple DoS attacks at the same time from different sources against one destination. DDoS attacks fall into two categories depending on the target protocol. The first category is network/transport-level DDoS attacks, which use TCP, UDP, ICMP and DNS packets and attack connectivity by consuming network bandwidth. The second category is application-level DDoS attacks, which use application protocols such as XML, HTTP and SOAP and attack the service by exhausting server resources such as CPU, memory and I/O bandwidth [7, 9]. A DDoS attack has four components: the real attacker, compromised hosts called handlers, the agent hosts that generate a large number of packets towards the target host, and the target host [8]. Recent statistics show that DDoS attacks are growing, which makes them a serious problem that needs more action to protect computing environments; table 2.1 describes DDoS attacks of the last five years that caused large losses.

Target | Date | Description
Client of US-based security vendor | June 2016 | CCTV-based botnet; HTTP requests at 50,000 requests per second
Bank of Greece web site | May 2016 | Stopped the website service for more than 6 hours
HSBC internet banking | January 2016 | Stopped HSBC internet banking in the UK
Irish government websites | | Affected the website, the Central Statistics Office, the Courts Service, the Health Service Executive, and the Houses of the Oireachtas
BBC websites | December 2015 | Affected the website, the main iPlayer catch-up service, and the iPlayer radio app
Thai government websites | October 2015 | Affected Thai government web sites and the Ministry of Information and Communication Technology (ICT) by a suspected distributed denial-of-service (DDoS) attack
Polish airline | June 2015 | Affected the flight plan system for 5 hours; about 1400 passengers impacted
Canadian government web sites | June 2015 | Stopped the Canadian government's computer servers, causing federal e-mail and several department websites to shut down
GitHub | March 2015 | Affected by thousands of illegitimate requests causing intermittent outages
Client of CloudFlare | February 2014 | Affected one of CloudFlare's clients with 400 Gbps of traffic; the attackers leveraged a flaw in the Network Time Protocol (NTP) to launch the DDoS attack
Spamhaus | March 2013 | Spamhaus was hit by a DDoS attack of 300 Gbps

Table 2.1 Recent DDoS attacks [10]

2.4 DDoS attacks in SDN-based environments

An SDN-based environment, like any network system, can be attacked by DDoS. It has one obstacle that can also be an advantage: the bottleneck created by centralized control can be used to attack the SDN-based environment, because every packet must pass through the SDN controller to be filtered, but the same bottleneck can also be used to detect DDoS attacks. There are several ways of attacking SDN-based environments, such as attacking the SDN layers, breaking down the traffic between the SDN layers, attacking the controller resources, the SDN controller itself or the switches' memory, or attacking the applications [7, 11]. Since there are several ways of attacking an SDN-based environment, there are also detection mechanisms for some of these attacks. They can be classified according to the DDoS attack target as infrastructure layer detection mechanisms (e.g. managing the flow table in SDN switches, using machine learning to detect DDoS packets in SDN switches), control layer detection mechanisms (e.g. using a hash-based mechanism with the round robin method, an SVM classifier) and application layer detection mechanisms (e.g. using the FortNOX mechanism and using OpenFlow applications).

Figure 2.2 DDoS detection countermeasures [12]

The detection mechanisms can be classified by detection method as in figure 2.2. They can also be classified by target, as infrastructure layer detection models, control layer detection models and application layer detection models, and by detection technique, such as entropy, machine learning, traffic pattern analysis and connection rate [10].

2.5 Machine Learning

Machine learning is a set of mechanisms that help a machine make its decisions based on a set of training data.
This technique is applied to detect and mitigate DDoS attacks in SDN-based environments using a collection of data examples or instances [13]. Some of the mechanisms used for DDoS detection in SDN-based environments are described below.

2.5.1 Artificial Neural Networks (ANN)

An ANN is a set of interconnected processing elements that aims to transform a set of inputs into a set of desired outputs, modelled on the processes of the biological nervous system. These processing elements depend on the Multilayer Perceptron (MLP), figure 2.2, which is the most widely adopted neural network. An ANN is able to generalize from limited, noisy and incomplete data, does not need expert knowledge, and can find unknown or novel intrusions, but it is not suitable for real-time detection because its training process is slow and over-fitting may happen during training [13].

2.5.2 Support Vector Machine (SVM)

SVM is one of the most common classification methods in machine learning. It can learn the pattern from a few training samples by marking every sample as belonging to one of two categories, and it makes its decision by comparing the data of each category with the incoming data. SVM has a high decision and training rate but needs more time for training and does not give any additional information about the detected attacks [8, 18].

2.5.3 Genetic Algorithm (GA)

GA is a meta-heuristic search algorithm proposed by Holland in 1972. It starts with an initial set of solutions and optimizes them through genetic operations, such as the climbing method, until an acceptable solution is reached. GA cannot guarantee constant optimization response times and suffers from over-fitting during training, but it is able to derive the best classification rules and select optimal parameters [13-15].

Figure 2.2 MLP [13]

2.5.4 Fuzzy Logic

Fuzzy logic is an approximation technique based on fuzzy set theory that works on reasoning. The concept of fuzzy logic is to place an object into different classes simultaneously, which is very useful in some cases. Fuzzy logic is effective against port scans and probes.

2.5.5 Bayesian Networks

A Bayesian network is an encoded directed graph based on the probabilistic relationships among distinctions of interest in an uncertain-reasoning problem [16].

2.5.6 Decision Tree (DT)

DT is one of the most widely used modelling techniques in data mining, machine learning and statistics; it uses inductive inference to reach a decision. It is a tree of test nodes in which every node performs a specific test depending on the result of the previous node, and the process continues with the test results until a leaf node that contains the final result is reached [13].

2.6 Related work

This section describes the recent DDoS detection models and some rules for detecting DDoS attacks in SDN-based environments, grouped as follows. The infrastructure layer group covers detection mechanisms in SDN resources such as the network devices and the traffic between the network devices and other devices. The second group, the control layer, covers the detection models in the SDN controller and the traffic between these controllers. Another group, the application layer, covers detection of DDoS attacks that target the SDN application layer. The last group, SDN detection, covers DDoS detection models that run across the whole SDN environment. These groups also cover the API-based detection: northbound API DDoS attack detection in the application layer and control layer, southbound API DDoS attack detection in the control layer and infrastructure layer, and eastbound and westbound API DDoS attack detection in the control layer.
2.6.1 Detection models in the infrastructure layer

H. T. N. Tri et al. [17] describe DDoS resource attacks and discuss the importance of managing the flow table limitation to protect SDN from these attacks. The controller application should be ready for the case where the flow table is full; replacing the required flow entries with the old entries can help when the flow table becomes full, and adding an intermediate model to store the flow entries may be required for protection. This is very important as part of the detection mechanisms for DDoS attacks that harm the infrastructure layer, because any detection method needs time to detect and mitigate the attack, and if there is not enough space in the flow table the environment may be destroyed before the detection and mitigation tools complete their job [17].

R. Wang et al. [18] proposed an entropy-based lightweight DDoS attack detection model that runs in the OpenFlow edge switches. The experimental results show that this model can detect DDoS attacks at early monitoring intervals with a low false positive rate [18].
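The flow table limitation that Tri et al. discuss can be made concrete with a small simulation. The following is an added example, not code from the thesis or from any cited paper: it assumes a switch flow table with a fixed number of entries, an idle timeout, least-recently-used replacement when the table is full (the "replace the required flow entries with the old entries" countermeasure), and a monitor that counts table misses (i.e. packet_in messages to the controller) per interval so that an alarm can be raised before legitimate entries are pushed out. The legitimate flows and the flood of never-repeating spoofed flows are constructed.

```python
"""Toy model of an OpenFlow switch flow table under a flood of new flows.

Added example (not code from the thesis or from Tri et al.). Assumed: a fixed
entry limit, an idle timeout, LRU replacement when full, and a per-tick miss
counter used as an early-warning signal. All traffic below is constructed.
"""
from collections import OrderedDict


class FlowTable:
    """Fixed-capacity flow table; keys are (src_ip, dst_ip, dst_port) match tuples."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.entries = OrderedDict()  # match -> last_seen; insertion order tracks recency
        self.misses = 0               # table misses = packet_in messages sent to the controller
        self.evictions = 0            # entries replaced because the table was full

    def expire(self, now):
        """Drop entries idle for longer than idle_timeout (the switch's own housekeeping)."""
        for match in [m for m, seen in self.entries.items() if now - seen > self.idle_timeout]:
            del self.entries[match]

    def lookup(self, match, now):
        """Return True on a hit. On a miss, install a new entry, evicting the LRU one if full."""
        self.expire(now)
        if match in self.entries:
            self.entries[match] = now
            self.entries.move_to_end(match)
            return True
        self.misses += 1
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # least recently used entry goes first
            self.evictions += 1
        self.entries[match] = now
        return False


def monitor(ticks, capacity=64, idle_timeout=5):
    """Replay constructed traffic tick by tick.

    Returns (report, table) where report[i] = (entries_in_table, misses_in_tick, alarm).
    The alarm fires when one tick produces more misses than half the table can hold:
    that many new flows per tick will overflow the table within a couple of ticks.
    """
    table = FlowTable(capacity, idle_timeout)
    report = []
    for now, matches in enumerate(ticks):
        before = table.misses
        for match in matches:
            table.lookup(match, now)
        misses = table.misses - before
        report.append((len(table.entries), misses, misses > capacity // 2))
    return report, table


LEGIT = [("10.0.0.%d" % i, "10.0.1.1", 80) for i in range(1, 21)]  # 20 recurring flows (constructed)


def constructed_traffic():
    """Five ticks of normal traffic, then five ticks in which 100 never-repeating
    spoofed-source flows per tick arrive on top of the legitimate ones."""
    ticks = [list(LEGIT) for _ in range(5)]
    for t in range(5, 10):
        flood = [("203.0.113.%d" % (k % 256), "10.0.1.1", 1024 + t * 100 + k) for k in range(100)]
        ticks.append(list(LEGIT) + flood)
    return ticks


def legit_flows_still_installed(table):
    """How many of the legitimate flows survived in the table."""
    return sum(1 for match in LEGIT if match in table.entries)


if __name__ == "__main__":
    report, table = monitor(constructed_traffic())
    for tick, (size, misses, alarm) in enumerate(report):
        print("tick %d: %2d/64 entries, %3d misses%s" % (tick, size, misses, "  ALARM" if alarm else ""))
    print("evictions:", table.evictions, "legit flows left:", legit_flows_still_installed(table))
```

The run shows the point of the text: the miss counter alarms in the first flood tick, but by the end of that same tick every legitimate entry has already been evicted, which is why the controller must be prepared for a full table rather than relying on detection alone.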
B. Wang et al. [3] proposed a new detection model called DaMask that runs in the network switches. It has two modules: DaMask-D for DDoS attack detection and DaMask-M for DDoS attack reaction. The model detects DDoS attacks by analysing packets in specific steps in DaMask-D, starting with the switch flow tables and ending with acceptance or rejection, sending an alert to DaMask-M to stop the rejected packets. This model has a single problem: it cannot detect all DDoS attacks, especially signature-based attacks [3].

2.6.2 Detection models in the control layer

R. Kokila et al. [8] used an SVM classifier to detect DDoS attacks in the controller; SVM is a learning algorithm that recognizes the data and uses the pattern for rating. SVM analyses packets by learning their pattern from a few training samples, which helps in learning the pattern of DDoS packets and stopping them. With SVM it becomes easy to train the SDN network to protect itself from unknown packets or other attacks. The results show a good detection rate, but the method needs a long time to generate the detection model and train it [8].
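To show what the SVM classifier of section 2.5.2 and Kokila et al. actually does at the controller, here is a linear SVM trained by stochastic sub-gradient descent on per-window flow statistics. This is an added example, not code from the thesis or from Kokila et al.; the three features (average packets per flow, average bytes per packet, new flows per second), the training windows and the two unseen windows are all constructed, and a real deployment would compute them from flow-table statistics and label windows from known-normal and attack captures.

```python
"""Linear SVM on hinge loss, fed with per-window flow statistics.

Added example, not code from the thesis or Kokila et al. Feature names and all
sample values are constructed. Labels: +1 = normal window, -1 = attack window.
"""
import random

# Constructed training windows: (avg packets/flow, avg bytes/packet, new flows/s)
NORMAL_WINDOWS = [(35, 800, 8), (42, 950, 6), (28, 700, 12), (50, 1100, 5),
                  (31, 640, 10), (45, 900, 7), (38, 1200, 9), (26, 560, 14)]
ATTACK_WINDOWS = [(2, 60, 600), (1, 48, 900), (3, 72, 450), (2, 52, 700),
                  (1, 40, 1000), (2, 64, 520), (3, 80, 400), (1, 44, 850)]


class Scaler:
    """Z-score features using the training set's mean and standard deviation."""

    def __init__(self, rows):
        n, dim = len(rows), len(rows[0])
        self.mean = [sum(r[j] for r in rows) / n for j in range(dim)]
        self.std = [(sum((r[j] - self.mean[j]) ** 2 for r in rows) / n) ** 0.5 or 1.0
                    for j in range(dim)]

    def transform(self, row):
        return [(v - m) / s for v, m, s in zip(row, self.mean, self.std)]


class LinearSVM:
    """Primal linear SVM: minimise lam/2*||w||^2 + mean(max(0, 1 - y*(w.x + b)))."""

    def __init__(self, lam=0.001, lr=0.01, epochs=300, seed=7):
        self.lam, self.lr, self.epochs = lam, lr, epochs
        self.rng = random.Random(seed)   # fixed seed keeps the result reproducible
        self.w, self.b = None, 0.0

    def fit(self, X, y):
        self.w, self.b = [0.0] * len(X[0]), 0.0
        order = list(range(len(X)))
        for _ in range(self.epochs):
            self.rng.shuffle(order)
            for i in order:
                # regulariser shrinks w every step; on a margin violation
                # (y*(w.x+b) < 1) the hyperplane is pushed towards the sample
                self.w = [wj * (1 - self.lr * self.lam) for wj in self.w]
                if y[i] * self.decision(X[i]) < 1:
                    self.w = [wj + self.lr * y[i] * xj for wj, xj in zip(self.w, X[i])]
                    self.b += self.lr * y[i]
        return self

    def decision(self, x):
        return sum(wj * xj for wj, xj in zip(self.w, x)) + self.b

    def predict(self, x):
        return 1 if self.decision(x) >= 0 else -1


def train_detector():
    """Fit the scaler and the SVM on the constructed windows."""
    rows = NORMAL_WINDOWS + ATTACK_WINDOWS
    labels = [1] * len(NORMAL_WINDOWS) + [-1] * len(ATTACK_WINDOWS)
    scaler = Scaler(rows)
    svm = LinearSVM().fit([scaler.transform(r) for r in rows], labels)
    return scaler, svm


def classify_window(scaler, svm, window):
    return "normal" if svm.predict(scaler.transform(window)) == 1 else "attack"


def training_accuracy(scaler, svm):
    rows = NORMAL_WINDOWS + ATTACK_WINDOWS
    labels = [1] * len(NORMAL_WINDOWS) + [-1] * len(ATTACK_WINDOWS)
    hits = sum(svm.predict(scaler.transform(r)) == lab for r, lab in zip(rows, labels))
    return hits / len(rows)


if __name__ == "__main__":
    scaler, svm = train_detector()
    print("training accuracy:", training_accuracy(scaler, svm))
    for window in [(40, 850, 7), (2, 50, 800)]:       # constructed unseen windows
        print(window, "->", classify_window(scaler, svm, window))
```

The scaler is fitted on training data only and reused at classification time; that is the part most often got wrong in practice, since features such as flows per second differ by orders of magnitude and an unscaled SVM is dominated by the largest one. The decision function only says "attack" or "normal", which is the limitation of SVM noted in section 2.5.2.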
S. M. Mousavi [19] proposed a method to detect DDoS attacks in the controller based on the entropy variation of the destination IP address. This method can detect DDoS attacks within the first five hundred attack packets; it also has simple code and does not affect CPU performance. This makes detection simple and easy when the DDoS attack targets a single host, but if the target becomes multiple locations, such as network switches or web servers running on multiple machines, this method may no longer be suitable for detecting DDoS attacks. Apart from the multiple-target problem, this method has good performance, simple code and no effect on the CPU load, and it can be combined with other detection mechanisms to get better performance and a good detection rate [19].
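The destination-IP entropy idea behind Mousavi's controller-side method and the entropy-based switch-side model of Wang et al. can be demonstrated with one detector. The code below is an added example, not code from the thesis or from either paper. It assumes the controller sees the destination IP of every packet_in, computes the Shannon entropy of destinations over fixed-size windows, and alarms after a number of consecutive low-entropy windows. The twenty host addresses and the three traffic patterns (normal, a flood at one victim, the same flood spread over ten victims) are constructed so that both the detection and the multi-target limitation the paragraph describes are visible.

```python
"""Destination-IP entropy detector for packet_in events at the controller.

Added example (not code from the thesis, Mousavi [19] or Wang et al. [18]).
Window size, threshold, host addresses and traffic patterns are constructed.
"""
import math
from collections import Counter


def shannon_entropy(counts):
    """Entropy in bits of the distribution described by a Counter of destinations."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


class DstEntropyDetector:
    def __init__(self, window=100, threshold=2.0, consecutive=2):
        self.window = window            # packet_in events per entropy computation
        self.threshold = threshold      # bits; below this a window counts as suspicious
        self.consecutive = consecutive  # suspicious windows in a row before alarming
        self.buffer, self.low_streak, self.history = [], 0, []

    def observe(self, dst_ip):
        """Feed one packet_in destination. Returns True when an alarm is raised."""
        self.buffer.append(dst_ip)
        if len(self.buffer) < self.window:
            return False
        entropy = shannon_entropy(Counter(self.buffer))
        self.buffer = []
        self.history.append(entropy)
        self.low_streak = self.low_streak + 1 if entropy < self.threshold else 0
        return self.low_streak >= self.consecutive


def run(detector, stream):
    """Return the alarm flag produced at the end of each full window."""
    alarms = []
    for dst in stream:
        fired = detector.observe(dst)
        if not detector.buffer:          # a window just closed
            alarms.append(fired)
    return alarms


HOSTS = ["10.0.0.%d" % i for i in range(1, 21)]                    # 20 constructed hosts
NORMAL = [HOSTS[k % 20] for k in range(100)]                       # one window, evenly spread
SINGLE_TARGET = [HOSTS[0]] * 90 + HOSTS[10:20]                     # 90% of a window at one victim
MULTI_TARGET = [HOSTS[k % 10] for k in range(90)] + HOSTS[10:20]   # same flood over 10 victims


if __name__ == "__main__":
    d = DstEntropyDetector()
    print("single target:", run(d, NORMAL * 3 + SINGLE_TARGET * 2), [round(h, 2) for h in d.history])
    d = DstEntropyDetector()
    print("ten targets:  ", run(d, NORMAL + MULTI_TARGET * 3), [round(h, 2) for h in d.history])
```

With 100 packets spread evenly over 20 hosts the entropy is log2(20), about 4.32 bits; the single-victim flood drops it to about 0.80 bits and the alarm fires on the second low window. The same flood spread over ten victims keeps the entropy near 3.79 bits, above the threshold, which is exactly the multi-target weakness the paragraph describes; combining entropy with another signal, as it suggests, is the usual answer.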
S.-W. Hsu et al. [20] present a hash-based mechanism with the round robin method to separate incoming packets into queues. This increases the reliability and performance of the SDN network; their results show that a controller using the hash-based mechanism can handle more than 5000 flows/s, while without this mechanism the controller suffers from flow failure when the packet rate passes 2000 flows/s [20].

Y. Cui et al. [6] proposed a new DDoS attack detection, traceback and mitigation method called Software Defined Anti-DDoS (SD-AntiDDoS), based on a novel mechanism and a Back Propagation Neural Network (BPNN). The main features of this environment are reduced detection time and decreased network and CPU load. The method depends on the packet-in message, a special message sent from the switch to the controller when the switch receives an abnormal packet. Because of this dependence on the message, there is no extra load on the CPU and network. To reduce detection time, the method also starts analysing the packet concurrently with the controller response, depending on the packet information in the switch flow table. It can detect a DDoS attack in one second at minimum and can be initiated and trained very quickly. This method gets a good detection rate and needs one second as the minimum time to detect DDoS attacks, but what if a DDoS attack packet passes through the switches as a normal packet, such as HTTP-based DDoS attack packets? [6]
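The hashed-queue ingress of Hsu et al. can be contrasted with a single shared queue under one burst. The following is an added example, not code from the thesis or from Hsu et al.: it assumes the controller buffers packet_in messages before processing them, hashes each message to a queue by its source address, and serves the queues round robin. The hash is a toy (last octet of the source address) so the outcome can be followed by hand; a real implementation would use a keyed hash so that a sender cannot choose its own queue. The addresses, queue sizes and burst pattern are constructed.

```python
"""packet_in ingress at the controller: one shared FIFO versus hashed queues served
round robin, under a burst from a single flooding source.

Added example, not code from the thesis or Hsu et al. [20]. Toy hash, constructed
addresses and constructed burst; same total buffer space (32 messages) for both.
"""
from collections import deque


class SharedFifo:
    def __init__(self, depth):
        self.queue, self.depth, self.dropped = deque(), depth, 0

    def enqueue(self, pkt):
        if len(self.queue) >= self.depth:
            self.dropped += 1
            return False
        self.queue.append(pkt)
        return True

    def dequeue(self):
        return self.queue.popleft() if self.queue else None


class HashedRoundRobin:
    def __init__(self, n_queues, depth):
        self.queues = [deque() for _ in range(n_queues)]
        self.depth, self.dropped, self.next_q = depth, 0, 0

    def queue_for(self, pkt):
        # toy hash: last octet of the source address (a real one would be keyed)
        return int(pkt["src"].rsplit(".", 1)[1]) % len(self.queues)

    def enqueue(self, pkt):
        q = self.queues[self.queue_for(pkt)]
        if len(q) >= self.depth:        # only this sender's bucket can overflow
            self.dropped += 1
            return False
        q.append(pkt)
        return True

    def dequeue(self):
        """Round robin: take from the next non-empty queue, so every bucket gets a turn."""
        for _ in range(len(self.queues)):
            q = self.queues[self.next_q]
            self.next_q = (self.next_q + 1) % len(self.queues)
            if q:
                return q.popleft()
        return None


ATTACKER = "203.0.113.77"                                   # constructed flooding source
LEGIT_SOURCES = ["10.0.0.%d" % i for i in range(1, 13)]     # 12 constructed hosts


def burst():
    """50 packet_ins from the flooding source, then one from each legitimate host."""
    return [{"src": ATTACKER} for _ in range(50)] + [{"src": s} for s in LEGIT_SOURCES]


def serve(ingress, packets, budget):
    """Enqueue the burst, then let the controller process `budget` messages."""
    accepted_legit = 0
    for p in packets:
        if ingress.enqueue(p) and p["src"] != ATTACKER:
            accepted_legit += 1
    served = [ingress.dequeue() for _ in range(budget)]
    served_legit = sum(1 for p in served if p is not None and p["src"] != ATTACKER)
    return {"accepted_legit": accepted_legit, "dropped": ingress.dropped, "served_legit": served_legit}


def compare(budget=12):
    return {"shared_fifo": serve(SharedFifo(depth=32), burst(), budget),
            "hashed_rr": serve(HashedRoundRobin(n_queues=4, depth=8), burst(), budget)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With the shared FIFO the flooding source fills the whole buffer and none of the twelve legitimate messages is even accepted. With four hashed queues the flooder can only fill its own bucket, nine of the twelve legitimate messages are accepted and all nine are served within the first twelve dequeues; the three that share the flooder's bucket are still lost, which is why the hash should be keyed and the number of buckets sized for the expected source population.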
T. V. Phan et al. [21] proposed a novel hybrid flow-based handler using SVM and a Self-Organizing Map (SOM), a type of ANN trained by an unsupervised learning mechanism. This combination takes the advantages of SVM and SOM in detecting DDoS attacks to reach a better detection rate than SVM and SOM separately, within a range of 4% in detection, false alarm and accuracy, but it adds more CPU load and time for training and detection [21].

Q. Yan et al. [22] proposed an SDN controller scheduling algorithm called MultiSlot that isolates the switches' flow requests and allocates them to prevent DDoS attacks that harm the communication between the switches and the controller [22].

T. Sindia et al. [23] proposed a Bifold SDN-based Solution using the machine learning Genetic algorithm and Covariance matrix (BSSGC) that detects DDoS attacks by analysing packets depending on the source and destination IP addresses and a Time of Existence (ToE) of 150 seconds. This solution focuses on the false positive (FP) and true negative (TN) values, which are the main values in detecting DDoS attacks. It detects DDoS attacks in the range of one second [23].

2.6.3 Detection models in the application layer

P. Porras et al. [24] proposed a software extension called FortNOX that enhances the security applications in an SDN framework such as OpenFlow. This software handles the communication between the application layer and the controller to protect the application layer from attacks, and it contains components that help protect the OpenFlow application layer, such as role-based authorization, rule reduction, conflict evaluation, policy synchronization and security directive translation. FortNOX adds some overhead to the SDN's work, 7 ms on average, but increases the protection of OpenFlow [24].

S. Lee et al. [25] proposed a new open source framework called Athena that detects attacks based on a network-based anomaly detection mode that supports machine learning detection modes. Athena has good features such as supporting third-party development, not requiring specific hardware like OpenFlow, and being a good choice for large SDNs; it is also supported as a good framework by other researchers such as Steven Farrell and others [25].

I. Sreeram et al. [26] proposed a Bio-Inspired Anomaly based HTTP-Flood Attack Detection (BIFAD) that aims to achieve fast and early detection of DDoS attacks that harm the SDN application layer using the HTTP protocol. This detection mechanism uses a machine learning mechanism and the bio-inspired bat algorithm [26].
This technique is also used by K. M. Prasad [27] to detect this type of attack.

2.7 Related work analysis

Of the current detection mechanisms proposed between 2014 and 2017, listed in table 2.2, most deal with the control layer and the infrastructure layer, specifically with the flow tables and the traffic between them and the controller. Since every packet must pass through the controller, which the SDN definition describes as a good and a bad thing at the same time, the controller and infrastructure layers are good places to detect DDoS attacks in an SDN environment.

In the infrastructure layer, all detection mechanisms deal with the data flow table and the mechanisms for analysing its data. The shared problem is storing the analysed data in the flow table, the time needed for this analysis, and the traffic between the controller and the flow table, which is a problem shared with the control layer detection mechanisms. Another problem with these mechanisms is that most of them rely on specific hardware, namely switches that support flow tables.

The control layer has the most detection mechanisms; they describe programmatic solutions that may add one problem to the traffic problem, namely time cost and CPU load, but they have good detection performance and show the good feature of SDN environments, which is the ability to program the controller to fix any future problem.

In the application layer, most detection mechanisms are frameworks or solutions for HTTP-based DDoS attacks, because most attacks on the application layer are based on the HTTP protocol and harm web applications and operating systems [26, 28].

The detection mechanisms that are not based on machine learning can be classified into two groups: the first cares about the infrastructure switches, managing the flow tables and providing hardware solutions for them; the second provides programmable solutions using many mechanisms (figure 2.2).

Machine learning has become the more suitable technology for detecting DDoS attacks; it has been used to provide good solutions for detecting DDoS attacks in SDN-based environments in the last few years, especially in 2017. These solutions can be grouped by machine learning technique, such as ANN, Genetic Algorithm, Decision Tree, Bayesian Networks, Fuzzy Logic and SVM; combining two or more techniques provides better detection solutions.

Possible DDoS attack | Available solution | Machine learning | Year | Author
Infrastructure layer attacks | managing flow table limitation | No | 2015 | H. T. N. Tri et al. [17]
Infrastructure layer attacks | entropy-based lightweight | No | 2015 | R. Wang et al. [18]
Infrastructure layer attacks | DaMask | No | 2015 | B. Wang et al. [3]
Control layer attacks | SVM | Yes | 2014 | R. Kokila et al. [8]
Control layer attacks | entropy-based methods | No | 2014 | S. M. Mousavi [19]
Control layer attacks | hash-based mechanism with round robin | No | 2015 | S.-W. Hsu et al. [20]
Control layer attacks | SD-AntiDDoS | Yes | 2016 | Y. Cui et al. [6]
Control layer attacks | SVM+SOM | Yes | 2016 | T. V. Phan et al. [21]
Control layer attacks | controller scheduling algorithm | No | 2017 | Q. Yan et al. [22]
Control layer attacks | BSSGC | Yes | 2017 | T. Sindia et al. [23]
Application layer attacks | FortNOX | No | 2012 | P. Porras et al. [24]
Application layer attacks | Athena | Yes | 2017 | S. Lee et al. [25]
Application layer attacks | BIFAD | Yes | 2017 | I. Sreeram et al. [26]

Table 2.2 Available DDoS attack detection solutions

2.7 Conclusions

This chapter introduced the machine learning mechanisms and described the SDN environment, its advantages, its problems with DDoS, and some solutions for detecting DDoS attacks in SDN-based environments.