Detecting distributed denial of service (DDoS) in SD-IoT environment with enhanced firefly algorithm and convolution neural network

Internet of Things (IoT) devices have become part of everyday human life, and the growing use of smartphones and of IoT devices in general has made network security more important. These IoT devices are less secure and often abandoned, making them an easy target for DDoS attacks, whose extreme network packet flows threaten vital network services. A DoS attack is a single-server attack, whereas a DDoS attack is a multi-server attack, and IoT devices are managed through software-defined networks (SDN). This research proposes an improved Firefly method for optimizing a convolutional neural network (CNN) that detects DDoS attacks in software-defined IoT (SD-IoT). The suggested SD-IoT framework is structured into three layers, namely the application layer, the control layer and the user infrastructure layer. In the application layer of the SDN-IoT architecture model, security apps identify DDoS attacks using C-DAD attack detection. The second layer manages the SD-IoT network with the SDN-WISE controller and the IoT controller. The infrastructure layer contains SOFS (Sensor OpenFlow Switch) and IoT devices. This proposal treats each firefly as a single hyperparameter, and updating the position of the firefly periodically reduces the number of search iterations. The proposed model is evaluated with the root mean square error, which is used to measure its training accuracy. DDoS attacks use a backtracking technique to pinpoint the source, which increases response time. Four CNN models with varying layers and parameters were implemented to improve DDoS detection, yielding results with 98% accuracy.


Introduction
Nowadays, smartphones are equipped with a wide range of embedded sensors and with varied local and wide-area connectivity, so they offer a unique opportunity to serve as mobile gateways for other, more constrained devices with only local connectivity. At the same time, they can gather context data about users and their environment from the embedded sensors. These capabilities may be crucial for mobile M2M applications. The Internet of Things (IoT), with its unlimited range of applications that rely on everyday objects becoming intelligent connected devices, is a major driver for M2M applications. The potential boom of M2M applications can exponentially increase the number and diversity of devices and traffic in the coming years, which will introduce further challenges to communications. The IoT is the connectivity of physical entities that can sense, process and respond to their surroundings using fundamental network protocols. It is the result of advancements in embedded technology, Wireless Sensor Networks (WSNs), and standard networking protocols that allow communication among smart things (Gubbi et al. 2013). IoT devices are used in almost every domain, including smart homes, smart cities, smart grid systems, manufacturing, transportation, healthcare, and smart disaster management systems, where human involvement is problematic. There are numerous issues in IoT networks that necessitate the evolution of the traditional internet topology (Neshenko et al. 2019). IoT is a technology that aids the smart grid in collecting, monitoring and analyzing power grid status and performance, as well as issuing control signals (Saleem et al. 2019). In 2018, IEC 61850-8-2, a new mapping of information based on XMPP, was published to support the integration of the smart grid and IoT, which requires communication over a WAN (XMPP 2018).
However, smart grid communication requires different characteristics, including latency, jitter, bandwidth and security, depending on the application. A large number of other protocols have been nominated in the literature for smart grid communication over a public network. The most prominent are Common Object Request Broker Architecture (CORBA), Open Platform Communications Unified Architecture (OPC UA), Data Distribution Service (DDS), Message Queue Telemetry Transport (MQTT), Constrained Application Protocol (CoAP), Advanced Message Queuing Protocol (AMQP) and Zero Message Queue (ZeroMQ), all of which can be examined by their features and their pros and cons for meeting the communication requirements of smart grid applications. Network security has recently become especially critical because DDoS (Cvitic et al. 2021) poses a serious threat to network safety. DDoS attacks have become a common cyber threat owing to the increase in IoT devices, their complexity and the growth of attack-for-hire services (Song et al. 2021). The largest DDoS attack in history had a peak bandwidth of 1.35 Tbps. The number of IoT devices with risk factors has expanded substantially, and by 2025 there will be 24.6 billion linked gadgets (Catak 2018). A DDoS attack prevents genuine internet users from accessing the victim's services. To accomplish this, the attacker floods the targeted system with junk packets, overloading its processing and storage capacity and eventually causing the system to crash. A botnet army is the most common way of conducting large-scale attacks (Bertino and Islam 2017). DDoS attacks on IoT devices are becoming more common, causing many IoT devices to malfunction and leak personal information. Given the rapid expansion of IoT, the relevant network security measures should be upgraded at the same pace. The DDoS issues mentioned above can be mitigated by using SDN.
Due to the success of SDN in network management and security maintenance, an increasing number of domestic and international researchers have attempted to incorporate its concepts into IoT and have developed software-defined Internet of Things (SD-IoT) frameworks. The separation of the control plane from the forwarding plane is a crucial feature of the SD-IoT framework. The SD-IoT controller often runs on a fast processing platform, enabling security techniques and detection procedures that regular network infrastructure cannot provide (Mishra et al. 2020).
DDoS attacks are generally among the most challenging malicious activities to detect (Catak and Mustacoglu 2019). DDoS attacks are classified into two types: attacks that consume resource bandwidth and attacks that consume system resources. Resource bandwidth attacks employ a large number of zombie servers to swiftly create a massive quantity of traffic that converges on the victim's server and entirely seizes its network bandwidth. Because of the numerous permutations of DDoS attacks, identification is becoming extremely difficult; many DDoS attackers use mixed-protocol packets against their victims. To deal with this range of attack strategies, more complete and compelling defensive techniques should be created (Song et al. 2019; Donno et al. 2018; Cviti et al. 2019). Conventional signature-based detection mechanisms cannot identify novel DDoS attacks, while the more commonly adopted detection methods based on statistical anomalies are limited by the detection threshold. To address the shortcomings of statistical anomaly detection, attack detection strategies based on machine learning are being investigated. Deep learning algorithms have been acknowledged for their ability to distinguish DDoS traffic from regular traffic, and they can extract from the original data flow the features that separate DDoS attacks from regular flows. However, in the past most deep-learning-based attack detection solutions were implemented in conventional networks and required an excessive amount of resources. Present DDoS attack detection technologies are not built for offline attack detection in SD-IoT networks. Detection algorithms in real SD-IoT networks must interact with network traffic flows that have a preset data packet window (Chandola et al. 2009).
Based on the most recent DDoS (Bhushan and Gupta 2019) detection requirements, this paper proposes a unique detection approach that merges a CNN algorithm into the SD-IoT controller. The most important contributions of this paper are as follows:
(1) We present a security architecture for SD-IoT. This architecture includes the Internet of Things infrastructure, IoT switches that link IoT gateways, and an SD-IoT controller.
(2) A dataset-independent data packet preprocessing approach that requires detection algorithms to handle flow fragments obtained in preset packet windows. The SD-IoT controller, with its flexible programmability, obtains packet headers from the SD-IoT switches on a regular basis, which significantly reduces the controller's processing overhead.
(3) To improve detection accuracy, we propose an improved firefly approach for optimizing the neural network architecture.
(4) The detection approach in this research employs a CNN algorithm to study potentially malicious traffic before detecting DDoS attacks. The approach offers greater detection accuracy while incurring minimal processing expenditure.
In Mousavi and St-Hilaire (2015), DDoS attacks were detected using the entropy of the target IP address. When a switch receives a packet and is unsure what to do with it, it sends a Packet-in message to the SDN controller. The target IP address is contained in the Packet-in message, and the controller estimates the entropy of the target IP addresses over a configured sample window size and compares it with a configured threshold. A DDoS attack is declared when the estimated entropy value is much lower than the predefined threshold. In the policy-based detection technique of Dayal et al. (2016), the network flow under investigation is deemed acceptable if the identified flows correspond to a given policy; otherwise, the traffic is deemed harmful. Nobakht et al. (2016) proposed the IoT-IDM framework, implemented on SDN, which includes an IoT attack vulnerability management system that can detect the victim server and prevent the attack. The Internet of Things (IoT) is a platform that can connect everything, anywhere, and security in the context of IoT is a significant issue (Peraković et al. 2017). Numerous problems impede the security of IoT devices and their end-to-end connectivity in an IoT context (Chen and Yeung 2006). This paper is structured as follows: Sect. 2, DDoS attacks in the proposed SD-IoT framework; Sect. 3, DDoS attack detection model; Sect. 4, Performance evaluation; Sect. 5, Conclusion.
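The entropy check of Mousavi and St-Hilaire described above can be illustrated in a few lines. The following Python is an added example written for this page, not code from that paper or from the SD-IoT framework; the window size of 8, the threshold of 1.5 bits and the sample destination addresses are constructed assumptions (a real controller would derive the threshold from baseline traffic).

```python
import math
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed Packet-in destination addresses: one window of benign traffic spread over
# eight hosts, one window in which every packet targets the same host, and one mixed window.
SAMPLE_DST_IPS: List[str] = (
    [f"10.0.0.{i}" for i in range(1, 9)]             # window 0: benign, high entropy
    + ["10.0.0.40"] * 8                               # window 1: all traffic to one host
    + ["10.0.0.40"] * 6 + ["10.0.0.3", "10.0.0.7"]    # window 2: mostly one host
)
WINDOW_SIZE = 8          # assumed sample window configured in the controller
THRESHOLD_BITS = 1.5     # assumed entropy threshold


def destination_entropy(dst_ips: Iterable[str]) -> float:
    """Shannon entropy (bits) of the destination-IP distribution in one window."""
    counts = Counter(dst_ips)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def windows(seq: List[str], size: int) -> List[List[str]]:
    """Split the Packet-in stream into consecutive, non-overlapping windows."""
    return [seq[i:i + size] for i in range(0, len(seq) - size + 1, size)]


def flag_low_entropy_windows(dst_ips: List[str], size: int,
                             threshold: float) -> List[Tuple[int, float]]:
    """Return (window index, entropy) for each window whose entropy is below the threshold.
    Traffic concentrating on one destination drives the entropy towards zero."""
    flagged = []
    for idx, w in enumerate(windows(dst_ips, size)):
        h = destination_entropy(w)
        if h < threshold:
            flagged.append((idx, h))
    return flagged


def run_demo() -> List[Tuple[int, float]]:
    return flag_low_entropy_windows(SAMPLE_DST_IPS, WINDOW_SIZE, THRESHOLD_BITS)


if __name__ == "__main__":
    for idx, h in run_demo():
        print(f"window {idx}: entropy {h:.3f} bits < {THRESHOLD_BITS} -> possible DDoS")
```

Windows 1 and 2 are flagged while the benign window (3 bits, the maximum for eight distinct hosts) passes; the threshold is what separates a legitimately popular server from a flood, so it has to be calibrated per deployment.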

DDoS attacks in proposed SD-IoT framework
DDoS attacks exploit network activities and consume bandwidth or resources. The SD-IoT DDoS attack detection and mitigation method involves an SDN implementation with entropy-based statistical methods, Deep Learning (DL) based classification of hostile traffic, and a rule-based approach for DDoS detection.
The suggested SD-IoT framework is structured into three layers, like the SDN-based IoT architecture layer model, but our model has additional components dependent on the problem. First, security apps in the application layer identify DDoS attacks using cumulative sum time series (CSTS) based DDoS attack detection (CDAD). The second layer manages the SD-IoT network with the SDN-WISE controller and the IoT controller. SDN-WISE extends network function virtualization (NFV) to WSNs. For this purpose we extend the Open Networking Operating System (ONOS), which is currently under development for infrastructured networks, and exploit the capability of sensor nodes to host an (often lightweight) operating system. The infrastructure layer contains SOFS (Sensor OpenFlow Switch) and IoT devices; SOFS has a programmable network interface protocol designed for controlling and monitoring all network devices. SOFS is considered to be one of the first SDN standards. Initially, it defined the communication protocol in SDN architectures that enabled the SDN controller to interact directly with the forwarding plane. Using the SOFS protocol, a switch may be programmed to run identically to a legacy switch without reconfiguring the switch manually when the network changes. Figure 1 shows the proposed SD-IoT framework, which is a broader version of SDN paired with IoT. The proposed SD-IoT framework has three layers: the application, control and user infrastructure layers.
The user infrastructure layer consists of network equipment as well as switches that support the SD-IoT framework. In the proposed framework, the switches used for SDN and the gateways used for IoT are independent. Our SD-IoT switches may be used to link IoT drivers and sensor equipment such as personal computers, digital cameras and smartphones.
The control layer includes the SD-IoT controller. The SD-IoT controller uses the downstream interface to receive topological information from IoT devices, build a global view, and then perform network management operations on the infrastructure layer such as threat detection, traffic engineering and load balancing. At the same time, this layer offers the API that the application layer uses.
In this architecture, the application layer consists of a range of apps that run on the IoT server and communicate with the SD-IoT controller via a northbound interface. This also benefits developers: SD-IoT developers no longer have to worry about variations in the underlying device communication protocols (communication protocols allow nodes to share information safely and reliably) because a common southbound interface protocol is used, which simplifies application development, streamlines application deployment and lowers network maintenance costs.
In our architecture the SD-IoT controller is responsible for centralized logical control of the IoT devices. The advantages of logically centralized control are easier configuration and management, but there are also clear disadvantages, such as the system being vulnerable to attack. Our suggested programmable SD-IoT architecture is similar to SDN, which aids DDoS detection. A DDoS attack in the SD-IoT framework is shown in Fig. 2: (i) SD-IoT switches receive packets from both the DDoS attacker and normal users; an attack script generates the attack packets. (ii) Details of the SD-IoT packet headers are collected on a regular basis by the SD-IoT controller. (iii) The outcome of the SD-IoT controller is passed to the next step through the SD-IoT switches.

Proposed enhanced firefly algorithm with CNN (EFACNN) model for DDoS attack detection
Enhanced Firefly Algorithm with CNN (EFACNN) model for detecting the DDoS attack is shown in Fig. 3.

Data collection
Current data packet header information is collected periodically from the SD-IoT switches by the data collection module. An algorithm placed in the SD-IoT controller distributes the collection procedure to the SD-IoT switches, which gather the packet information. The collection interval is set as small as possible so that a DDoS attack is noticed before packets are damaged or lost; a shorter interval also increases the interaction between controller and switch. For the proposed work we set the interval for collecting packet information to 5 s. In the corresponding equation, NL denotes the 5-list network flow, ∈ s denotes the sorted packets collected from the network flow, and NDPS denotes the network data packet set.

Preprocessing data packets
Data packets that belong to the same network flow share the same source and destination IP addresses and the same source and destination ports. An S-vector is used to store the packet information such as the source and destination IP addresses. Of the x data packets flowing across the network, m packets are taken as the packet window; for experimental purposes we have taken nearly 250 packets as the window. Preprocessing transforms the data before sending it to an algorithm, and data preparation cleans the raw data.
where sfw denotes the sub-flow window and N_i denotes the network flow index.

Feature extraction
The characteristics of the data packets gathered by the data collection and preprocessing modules are computed by the feature extraction module. These characteristics are closely related to detecting DDoS attacks; from the literature we have selected 6 characteristics that are closely associated with DDoS attacks. Packet flows in a network differ in various ways. A normal network flow carries many packets, whereas a DDoS attack flow generates fake source IP addresses and tries to communicate in the network to attack the victim host. To detect such DDoS attacks we selected the number of packets per network flow (NP_nf) as one feature.
Another DDoS attack strategy is to make the data packets as tiny as possible. A normal data packet is usually slightly larger, whereas the attacker tries to reduce the packet size in bytes to attack the victim host as quickly as possible. To capture this, the number of bytes per network flow (NB_nf) is added as a feature for detecting DDoS attacks.
The next feature is the time taken by each data packet to flow through the network: a normal data packet takes more time to flow through the network, whereas in the case of an attack an abnormal flow of data packets takes place.
The remaining features are selected to verify the source and destination IP addresses, since DDoS attacks mainly occur with fake source and destination IP addresses.
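As an added illustration of the data collection, preprocessing and feature extraction steps above (this is not code from the paper's TensorFlow implementation), the following Python groups a packet window into 5-tuple flows and computes per-flow features: NP_nf, NB_nf, the flow duration, and three source/destination IP features that are my own assumed interpretation of the IP-verification features, since the paper does not define them. The Packet record, the window size of 6 used in the test and the two sample windows are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields the controller collects from a switch (constructed record format)."""
    ts: float      # capture time in seconds
    src: str       # source IP
    dst: str       # destination IP
    sport: int
    dport: int
    proto: str
    size: int      # bytes on the wire


FlowKey = Tuple[str, str, int, int, str]
FEATURE_ORDER = ["np_nf", "nb_nf", "duration", "distinct_src_to_dst",
                 "single_packet_src_fraction", "src_packet_share"]

# Constructed sample windows: two ordinary client flows, and a flood of
# single-packet, tiny datagrams from many different source addresses.
NORMAL_WINDOW = [
    Packet(0.00, "10.0.0.1", "10.0.0.40", 51000, 80, "TCP", 600),
    Packet(0.50, "10.0.0.1", "10.0.0.40", 51000, 80, "TCP", 600),
    Packet(1.00, "10.0.0.1", "10.0.0.40", 51000, 80, "TCP", 600),
    Packet(1.50, "10.0.0.1", "10.0.0.40", 51000, 80, "TCP", 600),
    Packet(0.20, "10.0.0.2", "10.0.0.40", 52000, 443, "TCP", 900),
    Packet(0.90, "10.0.0.2", "10.0.0.40", 52000, 443, "TCP", 900),
]
ATTACK_WINDOW = [
    Packet(0.01 * i, f"172.16.{i}.{i}", "10.0.0.40", 40000 + i, 80, "UDP", 40)
    for i in range(12)
]


def flow_key(p: Packet) -> FlowKey:
    """Packets with the same 5-tuple belong to the same network flow."""
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def packet_windows(packets: List[Packet], m: int) -> List[List[Packet]]:
    """Cut the packet stream into windows of m packets (the paper uses about 250)."""
    return [packets[i:i + m] for i in range(0, len(packets), m)]


def extract_features(window: List[Packet]) -> Dict[FlowKey, Dict[str, float]]:
    """Per-flow features for one packet window."""
    if not window:
        return {}
    flows: Dict[FlowKey, List[Packet]] = defaultdict(list)
    srcs_per_dst: Dict[str, set] = defaultdict(set)
    for p in window:
        flows[flow_key(p)].append(p)
        srcs_per_dst[p.dst].add(p.src)
    pkts_per_src = Counter(p.src for p in window)
    # Fraction of source addresses that sent exactly one packet in the window: a burst of
    # one-shot sources is typical of spoofed-source floods (assumed IP-verification proxy).
    single_shot = sum(1 for c in pkts_per_src.values() if c == 1) / len(pkts_per_src)
    rows: Dict[FlowKey, Dict[str, float]] = {}
    for key, pkts in flows.items():
        stamps = [p.ts for p in pkts]
        rows[key] = {
            "np_nf": len(pkts),                                  # packets per flow
            "nb_nf": sum(p.size for p in pkts),                  # bytes per flow
            "duration": max(stamps) - min(stamps),               # time span of the flow
            "distinct_src_to_dst": len(srcs_per_dst[key[1]]),    # sources hitting this destination
            "single_packet_src_fraction": single_shot,
            "src_packet_share": pkts_per_src[key[0]] / len(window),  # this source's share of the window
        }
    return rows


def to_matrix(rows: Dict[FlowKey, Dict[str, float]]) -> List[List[float]]:
    """2-D feature matrix, one row per flow, in a fixed column order for the classifier."""
    return [[float(r[f]) for f in FEATURE_ORDER] for _, r in sorted(rows.items())]


if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        print(name)
        for row in to_matrix(extract_features(window)):
            print("  ", row)
```

In the flood window every flow has one packet, 40 bytes, zero duration and a source that appears nowhere else, while the benign flows have several packets spread over seconds; it is this separation that the classifier later learns.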

Enhanced firefly algorithm
Fireflies are small winged insects that glow at night, producing light from luminous chemicals in their abdominal organs (Karkouch et al. 2015). The Firefly Algorithm (FA) is inspired by the flashing behavior of fireflies: less bright fireflies are attracted towards brighter fireflies, taking into account the medium surrounding the problem domain.
Moving a less bright firefly towards a brighter firefly is considered a single iteration, and the best solution is searched for step by step through this iterative process. In the algorithm, each firefly is represented as a vector point. The position of a firefly is denoted by the candidate solution S_c, where c = 1, 2, …, ϑ. The brightness and attraction of a firefly are represented as shown in Eq. (1), where f_b denotes the fluorescence brightness of the firefly over ∀ (assumed zero), P denotes the light absorption parameter, ab denotes the position of the firefly and MD denotes the maximum degree of attraction. The distance between two fireflies is calculated using the Euclidean distance, as in Eq. (3).
When less bright fireflies start moving towards brighter fireflies, the operational speed can be improved by substituting Eq. (4) into Eq. (2).
The movement of a firefly from position a to position b is calculated using Eq. (5), where j denotes a random value between 0 and 1, n denotes the number of iterations and the last symbol denotes the step size.
So far we have seen how a firefly moves from one position to another and how the brightest firefly is identified. Usually the position of a firefly is updated based on the attraction of the fluorescence brightness, and the search is made using random and global attributes. To improve the accuracy and obtain the optimal solution, we propose a methodology that updates the step size periodically; updating the position of the firefly periodically decreases the number of search iterations over the fluorescence brightness. Equation (6) describes how to calculate the distance between an individual and the group centre in order to find the group diversity initially,
where d_i denotes the index of diversity and the size of the firefly population is denoted by its symbol in Eq. (6). As the number of iterations increases, the linear decrease function decreases. Equation (7) calculates it from two factors, the maximum number of iterations (max_i) and the current number of iterations (curr_i).
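Equations (1) to (7) are referenced above but not reproduced on the page, so the following Python is an added example written for this page, not the paper's own code: it implements the standard firefly algorithm in the form published by Yang (attractiveness decaying as exp(-γ r²), movement towards brighter fireflies plus a random step), with the step size decreased linearly from max_i and curr_i and the population diversity measured as the mean distance to the group centre. The exact form of the paper's Eq. (6) and Eq. (7), the parameter values and the sphere objective (standing in for the CNN's validation error, which the paper minimises) are assumptions.

```python
import math
import random
from typing import Callable, Dict, List, Sequence, Tuple


def step_size(alpha0: float, curr_i: int, max_i: int) -> float:
    """Linearly decreasing step size: alpha0 at the first iteration, 0 at the last
    (assumed form of the paper's linear decrease function of max_i and curr_i)."""
    return alpha0 * (1.0 - curr_i / max_i)


def diversity(population: Sequence[Sequence[float]]) -> float:
    """Mean Euclidean distance from each firefly to the population centre (group diversity)."""
    dim = len(population[0])
    centre = [sum(x[k] for x in population) / len(population) for k in range(dim)]
    return sum(math.dist(x, centre) for x in population) / len(population)


def attractiveness(beta0: float, gamma: float, r: float) -> float:
    """Attraction seen at distance r; beta0 is the maximum attraction, gamma the light absorption."""
    return beta0 * math.exp(-gamma * r * r)


def sphere(x: Sequence[float]) -> float:
    """Stand-in objective with its minimum 0 at the origin (assumed; the paper would use
    the CNN's validation error as the objective to minimise)."""
    return sum(v * v for v in x)


def enhanced_firefly(objective: Callable[[Sequence[float]], float], dim: int,
                     bounds: Tuple[float, float], n_fireflies: int = 20, max_i: int = 200,
                     beta0: float = 1.0, gamma: float = 0.1, alpha0: float = 0.5,
                     seed: int = 7) -> Dict[str, object]:
    """Minimise `objective`; a lower objective value means a brighter firefly."""
    rng = random.Random(seed)
    lo, hi = bounds
    pop: List[List[float]] = [[rng.uniform(lo, hi) for _ in range(dim)] for _ in range(n_fireflies)]
    fit = [objective(x) for x in pop]
    best_f = min(fit)
    best_x = list(pop[fit.index(best_f)])
    initial_div = diversity(pop)
    for curr_i in range(max_i):
        alpha = step_size(alpha0, curr_i, max_i)    # the random step shrinks as the search matures
        for i in range(n_fireflies):
            for j in range(n_fireflies):
                if fit[j] < fit[i]:                  # j is brighter, so i moves towards j
                    beta = attractiveness(beta0, gamma, math.dist(pop[i], pop[j]))
                    for k in range(dim):
                        moved = pop[i][k] + beta * (pop[j][k] - pop[i][k]) + alpha * (rng.random() - 0.5)
                        pop[i][k] = min(hi, max(lo, moved))   # stay inside the search bounds
                    fit[i] = objective(pop[i])
                    if fit[i] < best_f:
                        best_f, best_x = fit[i], list(pop[i])
    return {"best_x": best_x, "best_f": best_f,
            "initial_diversity": initial_div, "final_diversity": diversity(pop)}


if __name__ == "__main__":
    print(enhanced_firefly(sphere, dim=2, bounds=(-5.0, 5.0)))
```

The diversity value drops as the swarm collapses around the brightest firefly, which is the signal the paper uses to decide how far the step size should have decayed; with a continuous hyperparameter vector (for example learning rate and hidden-node count) each position would be decoded into one CNN configuration before evaluating it.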

Detection of DDoS attack
DDoS attack detection is treated as a classification problem, since an attack network flow and a normal network flow are entirely different. Figure 3 shows the attack detection module workflow in detail for the proposed EFACNN. The CNN layers are initially assigned random weights and bias values; after the first epoch, the weights and bias values are updated according to the error between the obtained output and the actual output. The learning rate and the network structure are considered hyperparameters. Hyperparameter selection plays an important role in increasing the accuracy and performance of DDoS detection, and these hyperparameters are selected with the Enhanced Firefly algorithm discussed in the previous section; each firefly is considered a single hyperparameter. The root mean square error is used to measure the training accuracy of the proposed model. DDoS attacks use a backtracking technique to pinpoint the source, which increases response time.
The proposed work is built on deep learning. It consists of an input layer that reads the data from the network and divides it into 5 different lists; from this data it extracts the features and forms a 2-D matrix. The next layer, the convolution layer, consists of kernels that are mapped onto the input features obtained from the input layer; the size of the kernel is defined as h. With the help of the convolution layer, useful features are gathered for classifying DDoS attack requests and normal network flows. The rectified linear unit (ReLU) activation function is used in the convolutional layer and is calculated as shown in Eq. (8),
where T_k denotes the training stage of the k-th filter.
To down-sample the features a max-pooling layer is used, and the output of the pooling layer is classified by a fully connected layer with a sigmoid activation function. The sigmoid function generates output in the range 0 to 1; since we classify attack and normal network flows, the output is either 0 or 1.
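To make the layer sequence above concrete (2-D feature matrix, convolution with kernels of size h, ReLU, max pooling, fully connected layer, sigmoid), here is an added, dependency-free Python forward pass written for this page; it is not the paper's TensorFlow model. The weights are random and no training loop is included, so the output only illustrates shapes and the 0-to-1 range; the sample feature matrix, the mapping from a firefly position to the kernel size and filter count, and the class name are all constructed assumptions.

```python
import math
import random
from typing import List, Sequence, Tuple

# Constructed 2-D feature matrix for one packet window: one row per network flow,
# six standardised columns (the six DDoS-related features). Rows 0-1 resemble normal
# flows, rows 2-4 resemble flood flows; the values are illustrative only.
SAMPLE_MATRIX: List[List[float]] = [
    [ 0.9,  1.1,  0.8, -0.5, -0.7, -0.6],
    [ 0.7,  0.9,  1.0, -0.4, -0.8, -0.5],
    [-1.2, -1.3, -1.1,  1.4,  1.3,  1.2],
    [-1.1, -1.2, -1.3,  1.5,  1.2,  1.1],
    [-1.3, -1.1, -1.2,  1.3,  1.4,  1.3],
]


def decode_hyperparameters(position: Sequence[float], max_kernel: int,
                           max_filters: int) -> Tuple[int, int]:
    """Map a firefly's continuous position in [0, 1]^2 to integer (kernel size h, filter count).
    Assumed decoding; the paper does not state how positions become layer settings."""
    h = 1 + int(position[0] * (max_kernel - 1) + 0.5)
    k = 1 + int(position[1] * (max_filters - 1) + 0.5)
    return h, k


class TinyFlowCNN:
    """Conv (h x n_features kernels) -> ReLU -> global max pool -> dense -> sigmoid."""

    def __init__(self, n_features: int, kernel_size: int, n_filters: int, seed: int = 0):
        rng = random.Random(seed)
        self.h = kernel_size
        self.kernels = [[[rng.gauss(0.0, 0.3) for _ in range(n_features)]
                         for _ in range(kernel_size)] for _ in range(n_filters)]
        self.biases = [0.0] * n_filters
        self.dense_w = [rng.gauss(0.0, 0.3) for _ in range(n_filters)]
        self.dense_b = 0.0

    def convolve(self, matrix: List[List[float]]) -> List[List[float]]:
        """ReLU(conv) as in Eq. (8): one feature map per filter, each of length n_flows - h + 1.
        A window with fewer flows than h cannot be convolved and is rejected explicitly."""
        n = len(matrix)
        if n < self.h:
            raise ValueError(f"window has {n} flows but the kernel spans {self.h}")
        maps = []
        for w, b in zip(self.kernels, self.biases):
            n_feat = len(w[0])
            fm = []
            for t in range(n - self.h + 1):
                s = b + sum(w[u][c] * matrix[t + u][c] for u in range(self.h) for c in range(n_feat))
                fm.append(max(0.0, s))          # ReLU keeps only positive responses
            maps.append(fm)
        return maps

    def forward(self, matrix: List[List[float]]) -> float:
        pooled = [max(fm) for fm in self.convolve(matrix)]      # max pooling per filter
        z = self.dense_b + sum(w * p for w, p in zip(self.dense_w, pooled))
        return 1.0 / (1.0 + math.exp(-z))                        # sigmoid, value in (0, 1)

    def predict(self, matrix: List[List[float]]) -> int:
        """1 = attack window, 0 = normal window, thresholding the sigmoid at 0.5."""
        return int(self.forward(matrix) >= 0.5)


if __name__ == "__main__":
    h, k = decode_hyperparameters([0.5, 0.5], max_kernel=5, max_filters=8)
    model = TinyFlowCNN(n_features=6, kernel_size=h, n_filters=k)
    print(f"h={h} filters={k} p(attack)={model.forward(SAMPLE_MATRIX):.3f}")
```

The kernel size h and the number of filters are exactly the kind of settings the firefly search chooses; the decoding step is what turns a firefly position into a model that can be trained and scored.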

Experimental setup
The SD-IoT environment is designed using the software-defined network solution for wireless sensor networks (SDN-WISE) with the help of the Contiki operating system. The experiment is carried out on the VirtualBox platform installed on a Windows 10 host. Ubuntu is installed in VirtualBox with the open-source SD-IoT controller and switches. The proposed firefly algorithm with CNN is developed using the TensorFlow library. UDP, TCP and ICMP packets for both trusted users and the attacker are created with Scapy from a Python script.
The network topology, designed using Mininet with 6 SD-IoT switches, 1 controller and 50 connected devices for detecting DDoS attacks, is shown in Fig. 4. The devices connected to the network include wired and wireless equipment. sw1 … sw6 denote the SD-IoT switches and hs1 … hs50 denote the hosts connected to the network. For experimental purposes, hs2, hs4 and hs6, which are connected to sw2, are considered attack hosts that continuously send fake requests to hs40. The performance of DDoS attack detection is measured using the precision, recall and F1-score metrics.

Evaluation of EFACNN model
In the proposed model, the Enhanced firefly algorithm with CNN is used with two-dimensional layers. The firefly algorithm is used for optimizing the input features and the hidden-layer nodes. The firefly population size is set to 60, the maximum number of epochs is set to 1000 and the step factor is set to 0.6. Figure 4 shows the improvement in fitting the fireflies, and Figs. 5 and 6 show the accuracy and loss of the proposed EFACNN model. The depth of the CNN plays an important role in improving accuracy; for the experiments we used 4 EFACNN models with different numbers of layers, whose parameters are described in Table 2. Figure 7 compares the performance of the proposed model with the models developed in Xiao et al. (2015), Support Vector Machine with Self Organizing Map (SVM-SOM), and in Phan et al. (2016), K-Nearest Neighbors traffic classification with correlation analysis (CKNN). Figure 8 shows that the time consumed by the SDN-IoT with the proposed EFACNN model is lower than that of the existing CKNN and SVM-SOM models at every iteration count considered, namely 100, 200, 500 and 1000. The maximum number of iterations considered in this research is 1000.

Conclusion
DDoS attacks are critical to network security, and the proposed SD-IoT framework, including switches, controllers and IoT devices, has been realised through the EFACNN model. An enhanced firefly method is used to identify and extract data features. Using the Firefly algorithm speeds up DDoS attack detection: the Firefly algorithm updates positions every 5 s, reducing search time. The CNN classifies attacks and regular network flows. Four CNN models with varying layers and parameters were employed to improve DDoS detection. Algorithm performance is assessed with precision, recall and the F1 score, and the proposed EFACNN is determined to perform better than existing methods, with a model accuracy of 98%.