Software-Defined Network (SDN) brings a lot of advantages to the world of networking through its flexibility and centralized management; however this centralized control makes it susceptible to different types of attacks. Distributed Denial of Service (DDoS) is one of the most dangerous attacks which can frequently launch DDoS attacks towards the controller in order to make it out of service. This work takes the special ability of SDN to propose a solution that an implementation running at the multi-controller to detect DDoS attack at the early stage. The method not only detect the attacks but also identify the attacking paths and start a mitigation process to provide protection for the network devices the moment an attack is detected. This method is based on the entropy variation of the destination host targeted with its IP address and can detect the attack within the first 250 packets of malicious traffic attacking a particular host. Then, fine-grained packet-based detection is performed using deep learning model to classify the attack into different type of attack categories. Lastly, the controller sends the updated traffic information to neighbor controllers. To avoid a single point of controller failure, a multi-controller which is a logically centralized and physically distributed controller has used. The issues related to lack of detailed attack description have been addressed using categorical classification which is allowed to make specific attack descriptions by considering the traffic coming to the controller. The chi-square (x2) test feature selection algorithm has also employed to reveal the most relevant features that scored the highest in the provided data set. The experiment result demonstrate that the proposed Long Short-Term Memory (LSTM) model achieved an accuracy of up to 99.42% using the data set CIC-DDoS2019 which has the potential to detect and classify the DDoS attack traffic effectively in the multi-controller SDN environment. In this regard, it has enhanced accuracy level to 0.42% when we compared with RNN-AE model with data set CIC-DDoS2019, while it has improved up to 0.44% in comparison with CNN model with different data set ICICDDoS2017.
Research Article
DDoS Attack Detection and Classification Using Hybrid Model for Multi-controller SDN
https://doi.org/10.21203/rs.3.rs-2243470/v1
This work is licensed under a CC BY 4.0 License
Version 1
posted
You are reading this latest preprint version
SDN
DDoS Attack
Deep learning
Multi-controller
Detection and classification mechanisms
SDN is a new design which consists of three layers: data, control, and application plane, with the data and control planes being independent of one another [1]. The data plane is made up of switches and routers that forward network traffic; the control plane is comprised of NOX, POX, Beacon, Floodlight, and Open Daylight controllers; and the application plane contains applications that configure SDN. When the network is under a DDoS attack, the SDN controller was unable to respond to the normal traffic that was coming from the rest of the network, and SDN lose centralized control [2]. As a result, the key benefits of SDN, centralized network control, threatened by DDoS attacks [3].
A New SDN paradigm which is also gained significant attention was developed in order to address the demands of data centers. A single central entity with high processing capacity and good data management techniques required to respond to flow requests from forwarding switches [4, 5]. The centralized controller overwhelmed with flow setup requests arriving at a rapid rate, and risk network changes degrading response times. As per the researchers [6, 7], as the number of switches and end hosts grows, the SDN controller led to a bottleneck. Hackers, cyber extortionists, and cyber terrorists turned to DDoS attacks as a weapon of choice [8]. A new network paradigm is still required to face difficult security challenges. The goal of a DDoS attack is to use multi-source attacks to disrupt the target's services [9]. Due to an increasing number of DDoS attacks and a growing diversity of their forms, detecting, mitigating, and preventing such attacks have become a major security priority [10, 11]. Several researchers had shown interest in building SDN-based network security solutions as a result of recent developments in the network. Since deployment, in large-scale wide area networks, SDN-based solutions have grown greater attention [12, 13].
In this regard, most of the recent works were focusing on detecting and classifying DDoS attacks with a single controller using different mechanisms, and also, focused on either the accuracy or efficiency not both. However, what can be done in data centers with multiple controllers? And how it can improve the accuracy and efficiency at the same time? This will be the interrogation for next. There are multiple controllers in data centers that need to be protected from DDoS attacks. Each of these controllers has a different network traffic tolerance level. Spoofing the source (also called as fake source address) is one approach to hiding the perpetrator's identity when this kind of attacks occur [14, 15]. As result, there will be a flood of inbound packets with random IP addresses. The main benefit of employing a controller is that the first packet's rules to be added and withdrawn from the table.
In a DDoS attack, the compromised computer systems attempt to attack a website, server, or other computing resources, such as RAM and CPU. It causes the unavailability of resources for the users in the targeted system [25]. Messages in bulk Connection requests or malicious packets cause the victim's machine to slow down or even crash, preventing legitimate users from accessing the services they want. Many organizations, including nationalized and private banks, enterprises, and individuals linked to the internet, can be infected by a DDoS attack.
In the last few years, the occurrence of performing a DDoS attack has substantially increased. Although the criminal side of this attack is obvious, the motivation is always unclear [26]. For instance, Lizard Squad, a hacking group, undermined the gaming services of Sony and Microsoft in 2014 on the eve of Christmas day. When the reason behind this attack was investigated, one alleged member statement was “It was for laugh!” It's frequently difficult to figure out what motivates these attacks and why they occur. The fundamental reason for this is that some unknown external sources are in control of the computing resources used in such attacks [27].
While it is difficult to find out who is performing the attacks, at the same time, it is even tougher to guess why. Many reasons for such attacks are hypothetical, which are based on speculation with small amounts of evidence. It is not difficult to carry out a DDoS attack nowadays. A detailed step-by-step process can help someone with low technical skills to start the attack. If not counter-measured, it is a time-consuming and costly process.
The DDoS attack is intended to hinder the available resources in the network, and this is initiated by multiple connected devices. Furthermore, the attackers attempt to overwhelm the target with bogus packets for the malicious packets to be served. The causes of such attacks are [28]: DDoS is a powerful weapon when there is a conflict between two groups or two individuals for obstructing an opponent’s applications and infrastructure; an intentional person may become an attacker and carry out unwanted activities in response to a perceived injustice through this attack; and through cyber warfare (which is motivated by politics or geopolitics), a terrorist cell attempts to attack some of the sensitive zones to destroy the economic system. There are different forms of DDoS attacks which are indicated in Fig. 1.
In the literature, there are several techniques available for detecting, classifying, and mitigating the DDoS attack. As such, the strategies are categorized into: entropy-based, machine learning-based, and deep learning based techniques [27]. With regard to the entropy-based solution, the system evaluates the entropy value of three things throughout the detection process: port address, IP address, and packet count. Entropy is a statistical measure of an entity's randomness over a given period in which high entropy denotes a high level of randomness in an attribute, as well as a low calculation overhead. For example, if all packets are sent to the same host (or the same destination IP), an attack can occur. To reduce the workload of the controller, the detection module runs in the edge switch of the network. The proposed entropy mechanism compared the entropy flow values of source and destination IP addresses that are detected by the SDN controller to predefined entropy threshold values that change adaptively based on network dynamics [26]. In this regard, some of the entropy-based DDoS attack detection solutions are located at [17], [21], [22], [29–33].
The old network, machine learning techniques such as SVM, decision trees, random forests, and others were also employed commonly for anomaly detection. Some of such works are found at [34–39]. Further, deep learning models are also used the packet-based detection to classify the attack into different types of DDoS attacks. These models are used mathematical concept to mimic the human brain as it is meant to solve problems using unstructured data. They are created in form of a neural network that consists of neurons [40]. The input layer (first layer of neural network), hidden layer (middle layer of neural network), and output layer (final layer of neural network) are the three major layers of a neural network. These neural networks are classified based upon types of data as LSTM, RNN, MLP, GRU, etc. Some of the DDoS attack solutions: LSTM [24], [25], [41], [19], RNN [23], MLP [20], and GRU.
Tao Wang et al. [1] proposed a self-feedback dynamic thresholding system based on the previous results of trigger and detection. In this system, threshold was used as a trigger and adjusted dynamically. Their proposed results showed that the number of calls was reduced significantly to the resource-consuming detection algorithm. Tamer Omar et al. [2] analysed the effects of Distributed Denial of Service (DDS) attacks on a software-defined networking environment and proposed an entropy-based approach to detect these attacks. They used the flexibility of OpenFlow protocol, and an OpenFlow controller (POX) to mitigate the attacks upon detection. Through simulation the results of the detection algorithm was observed, and then implemented into a small-scaled network test bed, and finally the results of the proposed algorithm were presented and analyzed. Rui Wang et al. [3] extended a copy of the packet number counter of the flow entry in the OpenFlow table. Based on the flow-based nature of SDN, they designed a flow statistics process in the switch. Later, proposed an entropy-based lightweight DDoS flooding attack detection model running in the OF edge switch. This achieved distributed anomaly detection in SDN and reduces the flow collection overload to the controller. Also, the detailed algorithm was provided for a small calculation overload and implemented in SDN software or programmable switch, such as Open vSwitch and NetFPGA. The experimental results showed that this detection mechanism detected the attack quickly and achieve high detection accuracy with a low false positive rate.
Bawany et al. [4] proposed a framework with a capable of meeting application-specific DDoS attack detection and mitigation requirements. They explained how this framework utilized to secure applications built for smart cities. Furthermore, this work highlighted open research challenges, future research directions, and recommendations related to SDN-based DDoS detection and mitigation. Sandra et al. [5] presented a broad survey of the research relating to security in software-defined networking. Suhail Ahmad and Ajaz Hussain Mir [6] presented the various control plane architectures and discussed various SDN controllers. They analysed more than forty SDN controllers in terms scalability, reliability, consistency and security performance parameters. Also, examined the mechanisms used by various SDN controllers.
Bannour et al. [7] reviewed on SDN with a special focus on the distributed SDN control. A thorough discussion was made on the major challenges of distributed SDN control also provided along with some insights into emerging and future trends in that area. Prabhakar and Jisha [8] presented the taxonomy of threats, risks and attack vectors those can disrupt the SDN stack and extended various approaches to solve these problems, to deploy SDN securely in production environments. Pandikumar et al. [9] proposed a solution with an implementation running at the multi-controller to detect DDoS attack at the early stage. The proposed method was based on the entropy variation of the destination host targeted with its IP address and detects the attack within the first 250 packets of malicious traffic attacking a particular host in the SDN. Babatunde and Nuray [10] presented a real time detection of the distributed denial of service (DDoS) attacks on the SDN and a control method based on the sFlow mitigation technology. For this, sFlow analyses samples of packets were collected from the network traffic and generated handling rules to be sent to the controller in case of an attack detection. The implementation was done by emulating the network in Mininet which runs on a Virtual Machine (VM) and it was shown that the proposed method effectively detects and mitigates DDoS attacks. Sebbar et al. [11] presented different attacks in SDN layers and interfaces, proposing two scenarios in order to describe the methodology of Man in the Middle (MITM) attack in different controllers like OpenDayLight (ODL), Open Network Operating System (ONOS) and RYU. They focused on the ODL controller which was the subject of this study. The simulation results indicated that the attackers easily controlled the SDN Controller, and communication between control layer and infrastructure layer was not secure. This result shows that ODL was vulnerable with respect to MITM attack. In this research, many recommendation and solutions measure to prevent and detect MITM attack was offered.
Yifei Xu et al. [12] presented two-fold, one an isolation mechanism enabling regional customization and overcoming flatness of OpenFlow networks and second one, by dividing information into several sorts, complication of management. Mohsin and Hamid [13] investigated the impact of a DDoS attack on an SDN environment and proposed a light and effective method for detecting this attack at an early stage based on calculating the entropy of destination network traffic IP addresses. The proposed method proved their ability to detect the DDoS attack with minimum detection time in three different SDN network topologies which were single, linear, and multi-controller. RYU controller was used with Mininet emulator and OpenFlow protocol. Fawcett et al. [14] introduced TENNISON, a novel distributed SDN security framework that combines the efficiency of SDN control and monitoring with the resilience and scalability of a distributed system. They demonstrated the effectiveness and capabilities of the TENNISON framework through the use of four attack scenarios. Zubaydi et al. [15] reviewed the different detection techniques which were available to prevent DDoS attacks, characteristics of these techniques. Sahoo et al. [16] reviewed of security concerns of SDN, possible DDoS attack in individual layers of SDN and ongoing research efforts on SDN-enabled DDoS detection solutions. Based on the findings, an information distance-based flow discriminator framework was discussed.
Seyed Mohammad Mousavi and Marc St-Hilaire [17] proposed to use the central control of SDN for attack detection and introduced a solution that was effective and lightweight in terms of the resources. Dalou et al. [18] proposed an entropy-based mechanism for Distributed Denial of Service (DDoS) attack detection and mitigation in SDN networks and evaluated through extensive simulation experiments. Wang and Liu [19] proposed a DDoS attack detection method based on information entropy and deep learning the experiments indicated that the accuracy of this method reaches 98.98%, which has the potential to detect DDoS attack traffic effectively in the SDN environment. Wei et al. [20] proposed a hybrid deep learning technique that utilizes two deep neural network models for effective feature extraction and accurate DDoS attack detection and classification without human intervention.
Wang et al. [21] proposed SDN scalability architecture for multi-domain, multi-vendor networking. They designed and implemented the Coordinator Controller to enable different SDN administrative domains. This method was validated by building a multi-domain experiment environment consisting of three vendors. The results showed the great ability in the network state view consistency and end-to-end provisioning services. Kavitha et al. [22] proposed a collaborative approach for DDOS attack detection in a distributed SDN multicontroller platform. It also analysed DDOS attacks in distributed controllers, which differ from centralized controllers in SDNs. The study detected attacks and provided an attack mitigation process through the implementation of a monitoring solution that used the POX controller with the Open vSwitch. Elsayed et al. [23] proposed DDoSNet, against DDoS attacks in SDN environments. This method was based on Deep Learning (DL) technique, combining the Recurrent Neural Network (RNN) with autoencoder. This model was evaluated using the newly released dataset CICDDoS2019, which contains a comprehensive variety of DDoS attacks and addresses the gaps of the existing current datasets. We obtain a significant improvement in attack detection, as compared to other benchmarking methods. Hence, our model provides great confidence in securing these networks.
Alghazzawi et al. [24] suggested the DDoS attacks prediction using a hybrid deep learning (DL) model, namely a CNN with BiLSTM (bidirectional long/short-term memory), in order to effectively anticipate DDoS attacks using benchmark data. By ranking and choosing features that scored the highest in the provided data set, only the most pertinent features were picked. Experiment findings demonstrate that the proposed CNN-BI-LSTM attained an accuracy of up to 94.52 percent using the data set CIC-DDoS2019 during training, testing, and validation. The detailed research outputs and research gaps are indicating in Table 1.
| Authors | Title | Method used | Controller architecture | Data set used | Gaps |
|---|---|---|---|---|---|
| Kavitha et al., (2019) [22] | The Detection and Mitigation of DDOS Attacks in SDN using Distributed Controllers | Entropy-based | Poxmulti-controller (3 controllers) | Scapy and Wireshark are used to generate traffic | • Low attack detection classification accuracy rate • Its correctness depends on the threshold selection • And it has some one sidness |
| Wang and Liu, (2020) [3] | A DDoS Attack Detection Method Based on Information Entropy and Deep Learning in SDN | information entropy and CNN | POX single controller | CICIDS2017 | • Single point of controller failure. • Lack of reliability and scalability • High-controller performance overhead |
| Gadze et al., (2021) [25] | An Investigation into the Application of Deep Learning in the Detection and Mitigation of DDOS Attack on SDN Controllers | RNN_LSTM | Floodlight in a single controller | malicious traffic was generated using hping3 | • Not effective in a large-scale network • A single point of failure causes a full network failure |
| Alghazzawi et al., (2021) [24] | Efficient Detection of DDoS Attacks Using a Hybrid Deep Learning Model with Improved Feature Selection | CNN-BI-LSTM | Single controller | CIC-DDoS2019 | • Lack of detailed attack type description • binary classification |
| Elsayed et al., (2020) [23] | DDoSNet: A Deep-Learning Model for Detecting Network Attacks | RNN with autoencoder | Single controller | CICDDoS2019 | • Lack of detailed attack type description • High-controller performance overhead |
| Pandikumaret al., (2017) [9] | Early Detection of DDoS Attacks in a Multi-Controller Based SDN | based on the entropy variation of the destination IP address | Multi-controller POX | Packet generation is done by Scapy | • Low accuracy rate • Its correctness depends on the threshold selection • And it has some one sidness |
From Table 1, the most ML and deep learning algorithms got the highest accuracy than traditional methods that can recognize both known and unknown DDoS attacks; however, till now, the high accuracy achieved in trained, however the accuracy in tests is still lower, and there is a need to investigate new methods that can improve accuracy for unknown DDoS attacks and find a solution to it accurately.
This section describes the material and method of the paper. The systematic diagram of the process steps for the implementation of feature selection methods and machine learning classifiers is presented in Fig. 2. For the investigation of explanatory in this research we discussed the methods that we used in the proposed solution in the SDN multi-controller. The following procedures were undertaken:
-
Literature Review: different existing works in the literature were reviewed several concepts were adopted.
-
Design the architecture and develop model: modeling of the system and designing an appropriate architecture for detection and classification DDoS attack .
-
Code Writing: to simulate the DDoS attack detection and classification in multi-controller SDN using entropy and deep learning model
-
Simulation: the proposed systems will be tested and simulated using google Colab and Mininet
-
Validation: validation of results obtained from the simulation results and performance evaluation. To evaluate the performance of the machine learning classifiers, different evaluation metrics including accuracy, precision and recall have been selected. Confusion matrix is used to compute these metrics. This is important for the accurately detection of attack in the multi-coltroller SDN.
3.1. Dataset Description
Data sets were used to prepare adequate training and testing datasets for the desired solution. CIC-DDoS2019: DDoS attacks are a type of network security threat that aims to overload target networks with malicious traffic. The data prepared for the training model directly. CICDDoS2019 dataset is available in a .csv format where more than 80 features are extracted using CICFlowMeter.
The following steps are adopted to preprocess the data before the module training.
3.2. Feature Selection
Instead of choosing all features in the source data, concentration on identifying the appropriate attributes to forecast DDoS attacks. To choose the most optimum features from the raw data, numerous approaches, such as principal component analysis (PCA), decision tree, Random Forest Regressor, and chi-squared (x2) test, can be used. An x2 test analyzes whether the frequencies of particular classes and features are independent or reliant on the correlation among predictor and target variables.
3.3. Parameter Setting
To increase the likelihood of getting an appropriate classification while back testing the proposed model, the hyperparameters must be set up correctly and changed during creating the deep learning model. Higher accuracy and a reduced chance of overfitting the data are two benefits of using the suggested ideal hyperparameters. The evaluation of the deep learning model by back testing it with the test data reveals the optimal value for a hyperparameter.
3.4. Model Training
After feature selection, the suggested framework Keras' input format is supported by the deep learning model, which is created utilizing the input layer's regularization, recurrent, activation, and dense layer shapes. Consequently, the model needs to be compiled after the model and network are created. The model can define the loss function, metrics, and optimizers once it has been created. The model compilation defines and binds the loss function in this stage. The evaluation metrics are a requirement for the following stage of model training.
The main contribution of the study is DDoS attack detection and classification in multi-controller SDN which is also implemented with three POX controllers. Its performance is also evaluated through accuracy, recall, f1-measure, and precision.
4.1. Proposed Model Architecture
Figure 3 shows the proposed architecture for DDoS attack detection and classification method. Based on this context, we address the following gaps with the proposed model architecture solution.
-
The irrelevant attribute and high training time addressed using feature selection algorithm.
-
The Binary classification (attack and normal) which is lack of detailed description of the attack type. This proposed model addresses by adding Categorical classification.
-
Using single controller topology which leads to the single point of failure. In this proposed model is addressed by multiple controller detection.
4.2. Entropy-based Method (Controller Detection Design)
Entropy-based methods depend on network feature distributions to detect anomalous network activities [19]. Entropy is calculated using probability distributions for several network features including source IP address, destination IP address, and port numbers. Anomalies are detected using predetermined criteria on changes in the entropy values. The initial section of the overall method includes PACKET_IN messages rate detection, port entropy detection, and control module. The controller is responsible for filtering suspicious traffic previously to improve recall. The control module is implemented by the controller itself. In the present work, multi-controller architecture, the control module is implemented by two controllers, and finally, detection and classification occur by one deep detection server.
4.3. Rate Detection Module
An attacker can launch a DDoS in an SDN system by sending spoof packets that don't match any switch flow entries. The switch will send PACKET_IN messages to the controller to request the processing method. Thus, the received packet rate by the controller increases in a short time. When it exceeds the normal threshold, the possibility of the current network being attacked increases. The following step is to determine if the abnormal performance is caused by a network attack or flash crowd behavior.
4.4. Entropy Detection Module
In a normal network, packets are distributed to diverse hosts, but in a DDoS attack, large numbers of attack packets are dispatched to the same IP address. The attack can be analyzed and detected, based on either the data size or the number of packets in the flow table entry with the same IP address. The proposed work defines the conditions required of the POX controller to handle DDOS attack packets. Here, every controller has a threshold level for security metrics. When a packet from a client arrives at the Open switch, the switch updates the flow table entry with all the packet details. It then verifies the packet fields with the controller rule set (i.e., packet sizes, IP address, port, and window size).
Once the condition is matched, the packets are forwarded to the allocated destination port. When large numbers of packets arrive with a repeated IP address, the switch identifies the rule mismatches and redirects them to the controller. The controller calculates the entropy given by the switches. The entropy is based on the threshold value, found against the rule set, in every suspicious host. The controller decides that a DDOS attack has taken place. Meanwhile, the controller sends the packets based on the high entropy value to the deep detection server module for additional attack detection and classification. Then the attack detection and classification information are sent to the neighborhood controllers which are connected in a distributed setup. Attacks must be detected at the earliest to protect the controllers and other forwarding components. In the existing study, attack detection was done for the first 50 packets, while the subsequent study considered the first 50 incoming packets for detection.
4.5. Deep Detection Server Design (Deep Learning)
In this research, a method for detecting DDoS attacks in multi-controller SDNs based on information entropy and deep learning is offered. To begin, the controller can review suspicious (untrusted packets) traffic by detecting information entropy. The Deep Learning model then uses detailed packet-based detection to classify the attack into different attack types (Fig. 4). This technique brings together the advantages of information entropy and deep learning. Finally, the controller distributes the change to all neighborhood controllers.
Two-level detection is used for network traffic to ensure high accuracy and minimal computing complexity at the same time. To ensure great efficiency, the controller runs a preliminary section based on information entropy. The packet-based deep-section uses deep detection to ensure fine granularity and high accuracy. The detection includes the data processing section and the deep learning detection section. The traffic will be transformed into the acceptable input shape in the first section. The second section outputs the detection and classification results based on the deep learning method.
-
Data Processing Module: before feeding the input data to the training model we need to prepare the data like normalization, encoding, feature extraction, and feature selection.
-
Feature Selection: Feature selection, one of the main components of feature engineering, is the process of selecting the most important features to input deep learning algorithms [44]. Feature selection techniques are employed to reduce the number of input features by eliminating redundant or irrelevant features and narrowing down the set of features to those most relevant to the deep learning model. This feature selection makes our model higher accurate in detection and classification, reduces overfitting, and reduces running time and less error rate.
-
Deep Learning Detection Module: here in this module, we applied four deep learning models and compare the best accuracy and low error rate. These algorithms are MLP, RNN, LSTM, and GRU. The dropout layer is added before the output layer to prevent overfitting and improve the generalization ability of the model. It enables neurons to be activated or deactivated with the probability of parameter.
4.6. Multi-Controller Architecture
In this research study, logically centralized and physically distributed controller architecture is used. Logically centralized means that take advantage of the concept of a multi-controller design, at the same time, single controller also considered. In a logically centralized architecture, all the controllers have the same responsibilities, and they split the charge equally. They are always aware of every change in the network, and they share the same information instantly, thanks to network synchronization. The network information is stored in the NIB (Network Information Base) and writes and reads the contents of NIB to synchronize the state of each controller. Controllers detect malicious activity quickly, based on the threshold level of packets, and decide on whether the packets are to be forwarded or send to the deep detection server for attack classification. This analysis will be updated in the controller database and sent to other controllers in the distributed controller connection domain so their databases are updated as well as shown in Fig. 5.
4.7. Algorithms Implementation and Evaluation
4.7.1. Experiments on Entropy-based Method
Entropy measures the probability of an event happening concerning the total number of events. Lower values of entropy will be regarded as attacks based on the tests conducted, which helped to determine a threshold for entropy. Any time the network configuration changes, the threshold can be adjusted. Figure 6 shows the virtual box window running mininet.
The experiment covers four cases of normal and an attack traffic run.
-
Normal traffic is run on all switches with randomly generated packets going to all hosts to Find the Threshold for usual Traffic (normal)
-
Attack traffic is run from two hosts. Attacks were run manually.
4.7.2. Deep Learning Simulation
The DDoS2019 dataset is used in this experiment. This includes 12 categories of the most recent common DDoS assaults as well as normal traffic (benign) DDoS attacks. This DDoS is based on real-world facts (PCAPs) and with labeled flows based on attack vectors (.CSV files). These DDoS attack types dataset have a size of 20.7GB and it is quite difficult to get the type of device to process this type of huge size b/s it needs a high GPU. In this experiment, 81 features selected and 300,000 Total rows for each attack type and got more than 1 million rows in the dataset. And the attack type that used in this experiment is LDAP, UDP, UDP_lag, SYN, WEBDDoS, and BENIGN.
4.7.3. Feature selection
Principal component analysis (PCA), decision tree, random forest regressor, and chi-squared (x2) test [19] can all be used to select the most optimal features from raw data. This study used an x2 test to rank and choose features.
In this section, performance evaluations of the proposed models for DDoS attack detection and classification using entropy-based and deep learning are discussed. In this case, first considered to test entropy based experiment and also four deep learning models in which their performance achievements were evaluated. Finally, the comparison was made with selected existing works.
5.1. Result of the entropy based experiment
Figure 7 shows when normal traffic is flowing to the controller as a result the controller is also expected to do nothing except calculating the entropy value. This value helps the controller to determine whether the packet is an attack or not. In this regard, the entropy value is stable and there is no sudden change that would make the controller suspect the existence of an attack therefore controller takes no action.
In Fig. 8, in a condition where there is an attack detected in the network the entropy value does not stay as stable as in the normal environment. The entropy value goes down below the threshold value which in this case is equal to 1. In this scenario, the attack traffic from two hosts making one of the other hosts targets have generated. Figure 6 shows; the sudden change in the packet flow occurs as expected.
Based on Fig. 9, which is shown below, compares the outcomes of normal traffic and attack traffic entropy value variations. As a result, as normal traffic is generating and growing from the set of threshold, its entropy value changes and displays. However, when a controller detects attack traffic, the entropy value decreases and falls below the threshold level. Here, the attack detection can be concluded that with entropy-based has good efficiency with less accuracy. To increase the accuracy of the controller, forward the traffic which has lower than the threshold value into the deep detection server which is running a deep learning algorithm then the deep detection server detects the attack and classifies it into different attack types.
Based on Fig. 9 by generating normal traffic the entropy value is calculated as 1.15 to avoid false positives and negatives, the entropy value is taken as 1. This entropy value will be a threshold for detecting the attack. In Fig. 9, when traffic is generated from hosts 1 and 2 the entropy value decreases to 0.04, this decrement of entropy value increases the probability of an attack.
5.2. Results of the deep learning models
Here we made four experiments under the same data set (i.e., DDoS2019) with regard to different deep learning algorithms, including GRU, RNN, LSTM, and MLP. In all experiments, initialization of sequential function the SoftMax layer takes the input and classifies the data into six different types of attacks independently using categorical classification. In the loss function, categorical-cross-entropy is used with Adam optimizer that having a learning rate of 0.001 for RNN, GRU, and LSTM models while categorical-cross-entropy with Adadelta optimizer is having a learning rate of 0.001 has been used for MLP model. In order to minimize the model over fitting, used a dropout (0.01) for RNN, GRU, and LSTM models while it has been (0.03) for MLP model. The models are also trained with several epochs and batch sizes of 1000 for RNN, GRU, and LSTM while the batches sizes of MLP has been 800. The experiment has been made on each algorithm separately in order to finally consider the optimal one with respect to the accuracy of evaluation metric.
a. RNN model assessment
Figure 10 and 11 show the RNN model trains up to 30 epochs. The result shows that the training loss has reduced from 0.9674 to 0.0692, while the testing loss reduced from 0.6023 to 0.0521. Also, the training accuracy has improved from 0.6847 to 0.9811 and the testing accuracy enhanced from 0.7300 to 0.9861.
b. GRU model assessment
This model trains up to 18 epochs have been shown in the below Figs. 12 and 13. The results are showing that the training loss has reduced from 1.3092 to 0.2140, while the testing loss reduced from 1.0126 to 0.1664. Also, the training accuracy has improved from 0.4858 to 0.9526 and the testing accuracy enhanced from 0.5413 to 0.9642.
c. LSTM model assessment
Figure 14 and 15 shows the LSTM model trains up to 23 epochs. The training loss has reduced from 1.2709 to 0.0178, similarly the testing loss also reduced from 0.7896 to 0.0184. Also, the training accuracy has improved from 0.6372 to 0.9952 and the testing accuracy enhanced from 0.7458 to 0.9943.
d. MLP model assessment
Lastly, the result under Figs. 16 and 17 shows the MLP model trains up to 40 epochs. The training loss has reduced from 1.3105 to 0.0822, in which the testing loss reduced from 0.8991 to 0.0786. Also, the training accuracy has improved from 0.7151 to 0.9819 and the testing accuracy enhanced from 0.7899 to 0.9833.
Therefore, from the obtained results, one can conclude that the LSTM model beats the other three models since it reduces training_loss by 0.0280 and testing_loss by 0.0193 which is lower than the other models. As a result, this model also improved the training accuracy by 0.99311 and testing accuracy by 0.9957.
5.3. Performance Evaluation of Proposed Models
First, performance evaluation of four selective deep learning models (RNN, GRU, MLP and LSTM) has been conducted using accuracy, precision, recall, and F-score. In accordance with the six DDoS attack types, their respective results have shown in the below Table 1. Based on the evaluation matrices like accuracy, recall, F-score, precision, training_loss, val_loss, training accuracy, and val_accuracy of the proposed models. The LSTM model is better for the classification of the given dataset into 6 different attack types. In this experiment of the LSTM model, an accuracy of 99.56 which is better than the other three deep learning algorithms. And also, LSTM has reduced the training_loss = 0.028 and the Testing_loss = 0.0193 which is a lower loss rate than the other algorithms. Lastly, in the comparison the accuracy which is also better than the others that have Training accuracy = 0.9931 and Testing _accuracy of 0.9957. Based on the experiment LSTM have also better precision, recall, and F-score as described in the Table 1. So, based on the four experiments, it is conclude that LSTM have better classification accuracy than the others. Further, Fig. 18 is representing their experiment results.
|
Algorithm type |
Attack type |
Performance matrices |
|||
|
Accuracy (%) |
Precision |
Recall |
F1-score |
||
|
RNN (with Feature selection) |
BENIGN |
98.6 |
0.00 |
0.00 |
0.00 |
|
DrDoS_LDAP |
1.00 |
1.00 |
1.00 |
||
|
DrDoS_UDP |
0.99 |
1.00 |
1.00 |
||
|
SYN |
0.97 |
0.99 |
0.98 |
||
|
UDP-lag |
0.97 |
0.98 |
0.97 |
||
|
WebDDoS |
0.00 |
0.00 |
0.00 |
||
|
GRU (with Feature selection) |
BENIGN |
96.4 |
0.00 |
0.00 |
0.00 |
|
DrDoS_LDAP |
1.00 |
1.00 |
1.00 |
||
|
DrDoS_UDP |
0.90 |
0.99 |
0.94 |
||
|
SYN |
1.00 |
0.97 |
0.99 |
||
|
UDP-lag |
0.98 |
0.91 |
0.94 |
||
|
WebDDoS |
0.00 |
0.00 |
0.00 |
||
|
MLP (with Feature selection) |
BENIGN |
98.3 |
0.96 |
0.34 |
0.50 |
|
DrDoS_LDAP |
0.99 |
1.00 |
0.99 |
||
|
DrDoS_UDP |
0.98 |
0.98 |
0.98 |
||
|
SYN |
1.00 |
0.98 |
0.99 |
||
|
UDP-lag |
0.97 |
0.98 |
0.98 |
||
|
WebDDoS |
0.00 |
0.00 |
0.00 |
||
|
LSTM with Feature selection (Proposed solution) |
BENIGN |
99.42 |
0.78 |
0.63 |
0.70 |
|
DrDoS_LDAP |
1.00 |
1.00 |
1.00 |
||
|
DrDoS_UDP |
0.99 |
1.00 |
1.00 |
||
|
SYN |
1.00 |
0.99 |
1.00 |
||
|
UDP-lag |
1.00 |
0.99 |
0.99 |
||
|
WebDDoS |
0.00 |
0.00 |
0.00 |
||
The ROC curve is used to measure and verify those models operate accurately. The ROC curve indicates the relation between two parameters: True and False classes. The area underneath the ROC Curve (AUC) measures reparability between false positive and true positive rates.
In other experiment results, the ROC of proposed four deep learning models such as GRU (Fig. 19), RNN (Fig. 20), MLP (Fig. 21) and LSTM (Fig. 22) with data set DDoS2019 has shown.
Lastly, the experiment result of proposed LSTM model has been compared with other well-known models in the related work. Baseline papers are selected and other related papers with the same data set. Their performance results have shown in the below Table 3 as well as Fig. 23. From the result, it is conclude that the current proposed model which is LSTM with feature selection has high accuracy than the others.
|
Articles |
Techniques |
Domain |
Dataset |
Performance |
|||
|---|---|---|---|---|---|---|---|
|
Accuracy |
Precision |
Recall |
F1-score |
||||
|
(Elsayed et al., 2020) |
(RNN) with AE |
IDS |
CICDDoS2019 |
99 |
99 |
99 |
99 |
|
(Wei et al., 2021) |
MLP with AE |
- |
CICDDoS2019 |
98.34 |
97.91 |
98.48 |
98.18 |
|
(Alghazzawi et al., 2021) |
CNN + BiLSTM |
CICDDoS2019 |
94.52 |
94.74 |
92.04 |
93.44 |
|
|
(Gadze et al., 2021) |
RNN LSTM |
SDN |
CICDDoS2019 |
89.63 |
- |
- |
- |
|
(L. Wang & Liu, 2020) |
CNN |
SDM |
CICDDoS2017 |
98.98 |
98.99 |
98.96 |
98.97 |
|
Our Proposed model |
LSTM With feature selection |
Multi-controller SDN |
CICDDoS2019 |
99.421 |
99.40 |
99.464 |
99.429 |
In comparison with LSTM model with the baseline model, it enhances by 0.421%, which is higher than the RNN-AE model on the CICDDoS2019 data set. Also, it improves by 0.44%, which is higher than the CNN model on the ICICDDoS2017 data set.
To increase reliability, in this model used logically centralized and physically distributed controller architecture. To increase efficiency and accuracy entropy-based and deep learning models are used. This entropy based model improved the efficiency whereas deep learning increased accuracy. The attack comes from the data plane forward to the entropy module controller then this module calculates the probability of being an attack then if it has a high probability the controller forward to the deep learning module for better accuracy. This entropy based allows the controller to prevent overloading which will increase efficiency and accuracy. These two methods together can improve the efficiency and accuracy of the model.
The feature selection method (chi-squared (x2)) provides better accuracy by selecting only essential or high-weighted features from the dataset. Therefore, the LSTM model with the feature selection technique has high accuracy and low error classification. Then this LSTM model was deployed in the deep detection server in our controller architecture. Also, it classifies the attack by categorical classification to specifically know which attack type comes to the controller.
5.4. Result Discussions
Based on the experiments outcome by using the CICDDoS2019 data-set, the entropy-based and deep learning model obtained better results in terms of efficiency and accuracy in detecting and classifying DDoS attacks. In entropy-based detection identify the probability of the attack and send it to the deep learning module. This increases the efficiency of the controller and decreases the deep detection server from overloading. In this deep learning model experiment, we use a feature selection method that is the chi-squared (x2) technique which helps us to focus on the essential and high-weighted features. So, in the experiment RNN, MLP, LSTM, and GRU approach had used. Before training the model, we preprocess the data-set and after that, we use the x2 feature selection method to get high weighted features and then feed into RNN, MLP, LSTM, and GRU deep learning models. The standard RNN is easier to use and requires less training time. GRU uses fewer training parameters and therefore uses less memory and executes faster than LSTM. While LSTM is capable of learning long-term sequences on a larger sample and is more accurate.
However, the outcomes of the detection and classification of DDoS attack using the feature selection method is promising when the qualitative results evaluated. When compared with the overall features of information in the data set it leads to the fact that the detection and classification accuracy increase and the error rate decrease of the model using the given data set. Accordingly, the result of LSTM model has achieved accuracy of 3.02%, 1.82%, and 1.12% in comparison with GRU, RNN, and MLP respectively. On the other hand, we have compared our proposed model with baseline and related work models in which LSTM has brought significant improvements. When compared with RNN-AE model with data set CICDDoS2019 and CNN model with data set ICICDDoS2017, it has achieved respectively 0.421% and 0.44%.
The networking industry and academia have concluded that distributed controller designs are necessary for the future of SDN because centralized systems cannot meet the demands of efficiency, scalability, and availability. And also, DDoS attack detection and classification in multi-controller SDN have significant benefits to the new SDN-based designing data centers. Entropy-based and Deep learning is the proposed model for effectively and accurately classifying the attacks. To ensure high accuracy and low computational complexity at the same time, two-level detection is applied for network traffic. The controller performs a preliminary section based on information entropy to assure high efficiency. The deep detection server is used for the packet-based deep detection to guarantee fine granularity and high accuracy.
From the related works point of view, three research domains have been separately addressed by current proposed models. The first thing is issue related to irrelevant attribute, high classification errors, and high training time. The researcher uses all types of features in the data set, which would have made the model to have high misleading data and high training time. In this regard, the employed feature selection is highly minimized the redundant data, misleading data, and training time, which can help the proposed model to increase accuracy and minimizes the error rate. We use the chi-square (x2) test feature selection algorithm to reveal the most relevant features by feature selection and perform an effective classification. Secondly, the baseline model is limited to Binary classification (attack and normal) which is lack of detailed description of the attack type. This problem is addressed by categorical classification. This categorical classification allowed making specific Attack Descriptions in which what type of attack is coming to the controller.
Thirdly, the baseline model is focused on a single controller topology which leads to the single point of failure. In this situation, the requirements for efficiency, scalability, security, and availability are not met by this architecture, to avoid a single point of failure or to increase efficiency, scalability, and availability.
In this paper, a comprehensive solution has provided for SDN multi-controller architectures by explaining their characteristics and presenting different scenarios of the implementation. In this work, the effort to implement a multi-controller-based SDN solution to detect a DDoS attack on the controller is accomplished. The environment is implemented using a logically centralized but physically distributed pox controller. This brings many solutions to the shortcomings of the single controller-based environment. This research succeeded in detecting DDoS attacks early in a multi-controller structure.
Finally, by incorporating the entropy-based and deep learning method a model that have a better efficiency and accuracy of DDoS attack detection and classification in multi-controller SDN is achieved. Based on the experiment results, Accuracy of 98.6%, from RNN, 98.3% from MLP, 96.4% from GRU and of 99.42% from LSTM respectively are recorded. Among all, LSTM showed high accuracy than the other proposed models. With the baseline works comparison without feature selection CNN with CICDDoS2017 data set which has an accuracy of 98.98%, and RNN-autoencoder with CICDDoS2019 dataset which has an accuracy of 99%.
The experiment result shows the effectiveness and accuracy of the proposed model with feature selection have higher accuracy than the baseline papers without feature selection which is 99.42%. This work concludes that logically centralized and physically distributed architecture allows for increased reliability, efficiency, and availability, and also by using the feature selection method.
In the current work, CICDDoS2019 that is having 12 attack types while each attack has been classified independently. Thus, in the future work, this study can be extended on the SDN network with various sorts of settings and attack traffics in order to generate a heterogeneous data set that represents actual internet traffic.
- Ethics approval and Consent to participate: “All procedures performed in studies were in accordance with the ethical standards of the institutional and/or national research committee and with the comparable ethical standards.”
“For this type of study, formal consent is not required.”
- Consent for publication: Authors give consent for the publication of the Submitted Research article in Silicon
- Availability of data and materials: The datasets used and/or analyzed during the current study are available from the corresponding author on reasonable request.
- Competing Interest: The authors declare that they have no competing interest.
- Funding: No funding is available for this work.
- Authors Contribution: Every author has significant contribution towards the successful completion of research work associated with the manuscript.
- Acknowledgment: The authors would like to take this opportunity to acknowledge the Githam Deemed to be University for providing necessary facilities support for this investigation.
- Wang, T., Feng, Y., & Sakurai, K. (2021, January). Improving the Two-stage Detection of Cyberattacks in SDN Environment Using Dynamic Thresholding. In 2021 15th International Conference on Ubiquitous Information Management and Communication (IMCOM) (pp. 1-7). IEEE.
- Omar, T., Ho, A., & Urbina, B. Detection of DDoS in SDN Environment Using Entropy-based Detection. Califonia State Polytechnic University.
- Wang, R., Jia, Z., & Ju, L. (2015, August). An entropy-based distributed DDoS detection mechanism in software-defined networking. In 2015 IEEE Trustcom/BigDataSE/ISPA (Vol. 1, pp. 310-317). IEEE.
- Bawany, N. Z., Shamsi, J. A., & Salah, K. (2017). DDoS attack detection and mitigation using SDN: methods, practices, and solutions. Arabian Journal for Science and Engineering, 42(2), 425-441.
- Scott-Hayward, S., O'Callaghan, G., & Sezer, S. (2013, November). SDN security: A survey. In 2013 IEEE SDN For Future Networks and Services (SDN4FNS) (pp. 1-7). IEEE.
- Ahmad, S., & Mir, A. H. (2021). Scalability, consistency, reliability and security in SDN controllers: a survey of diverse SDN controllers. Journal of Network and Systems Management, 29(1), 1-59.
- Bannour, F., Souihi, S., & Mellouk, A. (2017). Distributed SDN control: Survey, taxonomy, and challenges. IEEE Communications Surveys & Tutorials, 20(1), 333-354.
- Krishnan, P., & Najeem, J. S. (2019). A review of security, threats and mitigation approaches for SDN architecture. Int. J. Innov. Technol. Explor. Eng, 8, 389-393.
- Pandikumar, T., Atkilt, F., & Hassen, C. A. (2017). Early detection of DDoS attacks in a multi-controller based SDN. International Journal of Engineering Science, 13422.
- Lawal, B. H., & Nuray, A. T. (2018, May). Real-time detection and mitigation of distributed denial of service (DDoS) attacks in software defined networking (SDN). In 2018 26th Signal Processing and Communications Applications Conference (SIU) (pp. 1-4). IEEE.
- Sebbar, A., Boulmalf, M., El Kettani, M. D. E. C., & Baddi, Y. (2018, October). Detection MITM attack in multi-SDN controller. In 2018 IEEE 5th International Congress on Information Science and Technology (CiSt) (pp. 583-587). IEEE.
- Xu, Y., Yan, Y., Dai, Z., & Wang, X. (2014, April). A management model for SDN-based data center networks. In 2014 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) (pp. 113-114). IEEE.
- Mohsin, M. A., & Hamad, A. H. (2022). Implementation of Entropy-Based DDoS Attack Detection Method in Different SDN Topologies. American Academic Scientific Research Journal for Engineering, Technology, and Sciences, 86(1), 63-76.
- Fawcett, L., Scott-Hayward, S., Broadbent, M., Wright, A., & Race, N. (2018). Tennison: A distributed SDN framework for scalable network security. IEEE Journal on Selected Areas in Communications, 36(12), 2805-2818.
- Zubaydi, H. D., Anbar, M., & Wey, C. Y. (2017, May). Review on detection techniques against DDoS attacks on a software-defined networking controller. In 2017 Palestinian International Conference on Information and Communication Technology (PICICT) (pp. 10-16). IEEE.
- Sahoo, K. S., Panda, S. K., Sahoo, S., Sahoo, B., & Dash, R. (2019). Toward secure software-defined networks against distributed denial of service attack. The Journal of Supercomputing, 75(8), 4829-4874.
- Mousavi, S. M., & St-Hilaire, M. (2015, February). Early detection of DDoS attacks against SDN controllers. In 2015 international conference on computing, networking and communications (ICNC) (pp. 77-81). IEEE.
- Dalou, J., Al-Duwairi, B., & Al-Jarrah, M. (2020). Adaptive entropy-based detection and mitigation of ddos attacks in software defined networks. International Journal of Computing, 19(3), 399-410.
- Wang, L., & Liu, Y. (2020, June). A DDoS attack detection method based on information entropy and deep learning in SDN. In 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC) (Vol. 1, pp. 1084-1088). IEEE.
- Wei, Y., Jang-Jaccard, J., Sabrina, F., Singh, A., Xu, W., & Camtepe, S. (2021). Ae-mlp: A hybrid deep learning approach for ddos detection and classification. IEEE Access, 9, 146810-146821.
- Wang, J., Shou, G., Hu, Y., & Guo, Z. (2016, October). A multi-domain SDN scalability architecture implementation based on the coordinate controller. In 2016 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC) (pp. 494-499). IEEE.
- D. Kavitha, R. Ramalakshmi and R. Murugeswari, "The Detection and Mitigation of Distributed Denial-of-Service (DDOS) Attacks in Software Defined Networks using Distributed Controllers," 2019 IEEE International Conference on Clean Energy and Energy Efficient Electronics Circuit for Sustainable Development (INCCES), 2019, pp. 1-5
- Elsayed, M. S., Le-Khac, N. A., Dev, S., & Jurcut, A. D. (2020, August). Ddosnet: A deep-learning model for detecting network attacks. In 2020 IEEE 21st International Symposium on" A World of Wireless, Mobile and Multimedia Networks"(WoWMoM) (pp. 391-396). IEEE.
- Alghazzawi, D., Bamasag, O., Ullah, H., & Asghar, M. Z. (2021). Efficient detection of DDoS attacks using a hybrid deep learning model with improved feature selection. Applied Sciences, 11(24), 11634.
- Gadze, J. D., Bamfo-Asante, A. A., Agyemang, J. O., Nunoo-Mensah, H., & Opare, K. A. B. (2021). An investigation into the application of deep learning in the detection and mitigation of DDOS attack on SDN controllers. Technologies, 9(1), 14.
- Mittal, M., Kumar, K., & Behal, S. (2022). Deep learning approaches for detecting DDoS attacks: a systematic review. Soft Computing, 1-37.
- Pei, J., Chen, Y., & Ji, W. (2019, June). A DDoS attack detection method based on machine learning. In Journal of Physics: Conference Series (Vol. 1237, No. 3, p. 032040). IOP Publishing.
- Ahuja, N., & Singal, G. (2019, December). DDoS attack detection & prevention in SDN using OpenFlow statistics. In 2019 IEEE 9th International Conference on Advanced Computing (IACC) (pp. 147-152). IEEE.
- Joëlle, M. M., & Park, Y. H. (2018). Strategies for detecting and mitigating DDoS attacks in SDN: A survey. Journal of Intelligent & Fuzzy Systems, 35(6), 5913-5925.
- Yu, S., Zhang, J., Liu, J., Zhang, X., Li, Y., & Xu, T. (2021). A cooperative DDoS attack detection scheme based on entropy and ensemble learning in SDN. EURASIP Journal on Wireless Communications and Networking, 2021(1), 1-21.
- Ahalawat, A., Dash, S. S., Panda, A., & Babu, K. S. (2019, March). Entropy based DDoS detection and mitigation in OpenFlow enabled SDN. In 2019 International Conference on Vision Towards Emerging Trends in Communication and Networking (ViTECoN) (pp. 1-5). IEEE.
- Tayfour, O. E., & Marsono, M. N. (2021). Collaborative detection and mitigation of DDoS in software-defined networks. The Journal of Supercomputing, 77(11), 13166-13190.
- Etaiwi, W., Biltawi, M., & Almajali, S. (2017, October). Securing distributed SDN controllers against dos attacks. In 2017 International Conference on New Trends in Computing Sciences (ICTCS) (pp. 203-206). IEEE.
- Tonkal, Ö., Polat, H., Başaran, E., Cömert, Z., & Kocaoğlu, R. (2021). Machine learning approach equipped with neighbourhood component analysis for DDoS attack detection in software-defined networking. Electronics, 10(11), 1227.
- Cui, J., Zhang, J., He, J., Zhong, H., & Lu, Y. (2020, December). DDoS detection and defense mechanism for SDN controllers with K-Means. In 2020 IEEE/ACM 13th International Conference on Utility and Cloud Computing (UCC) (pp. 394-401). IEEE.
- Tan, L., Pan, Y., Wu, J., Zhou, J., Jiang, H., & Deng, Y. (2020). A new framework for DDoS attack detection and defense in SDN environment. IEEE Access, 8, 161908-161919.
- Banitalebi Dehkordi, A., Soltanaghaei, M., & Boroujeni, F. Z. (2021). The DDoS attacks detection through machine learning and statistical methods in SDN. The Journal of Supercomputing, 77(3), 2383-2415.
- Wang, H. Z., Zhang, P., Xiong, L., Liu, X., & Hu, C. C. (2016). A secure and high-performance multi-controller architecture for software-defined networking. Frontiers of Information Technology & Electronic Engineering, 17(7), 634-646.
- Deepa, V., Sudar, K. M., & Deepalakshmi, P. (2018, December). Detection of DDoS attack on SDN control plane using hybrid machine learning techniques. In 2018 International Conference on Smart Systems and Inventive Technology (ICSSIT) (pp. 299-303). IEEE.
- Agrawal, A., Singh, R., Khari, M., Vimal, S., & Lim, S. (2022). Autoencoder for Design of Mitigation Model for DDOS Attacks via M-DBNN. Wireless Communications and Mobile Computing, 2022.
- Nugraha, B., & Murthy, R. N. (2020, November). Deep learning-based slow DDoS attack detection in SDN-based networks. In 2020 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN) (pp. 51-56). IEEE.
- Paliwal, M., Shrimankar, D., & Tembhurne, O. (2018). Controllers in SDN: A review report. IEEE access, 6, 36256-36270.
- Tadros, C. N., Mokhtar, B., & Rizk, M. R. (2018, December). Logically centralized-physically distributed software defined network controller architecture. In 2018 IEEE Global Conference on Internet of Things (GCIoT) (pp. 1-5). IEEE.
- Niu, K., Jiao, H., Gao, Z., Jia, G., Yang, G., & Cheng, C. (2017, August). A developed feature selection method for classification based on united information gain. In 2017 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computed, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI) (pp. 1-4). IEEE.
No competing interests reported.