Methodology

The document outlines a methodology for real-time DDoS detection in Software Defined Networking (SDN) using lightweight deep learning and programmable data planes. It describes a system architecture consisting of a programmable data plane, a lightweight CNN model, and a control plane interface, along with processes for feature extraction, anomaly detection, and alarm generation. Evaluation results indicate high detection accuracy (98.2%) and low latency (approximately 250ms) while maintaining low resource usage.
Methodology

Our methodology for implementing lightweight deep learning for real-time DDoS
detection in SDN using programmable data planes consists of several key components
and processes. The approach leverages the capabilities of programmable switches to
perform sophisticated detection at line rate without burdening the SDN controller.

System Architecture

The proposed system architecture consists of three main components:

1. Programmable Data Plane: Implemented using the P4 (Programming Protocol-independent
Packet Processors) language to enable packet-level feature extraction and analysis
directly in the forwarding plane [1][2].

2. Lightweight Deep Learning Model: A Convolutional Neural Network (CNN) based
detection model optimized for resource-constrained environments [3].

3. Control Plane Interface: For model updates, configuration, and attack mitigation
responses.

Feature Extraction and Preprocessing

Our approach extracts relevant features directly in the data plane to minimize the
overhead of transmitting raw traffic data to external analysis systems:

1. Packet-Level Feature Extraction: The programmable data plane extracts features
from packet headers including source/destination IP addresses, port numbers,
protocol types, and TCP flags [4].

2. Flow Statistics Collection: The system maintains flow-level statistics such as
packet counts, byte counts, and inter-arrival times.

3. Entropy-based Analysis: We calculate entropy values for source and destination
IP addresses to detect anomalies in traffic distribution patterns [5][2].

4. Dimensionality Reduction: To ensure efficient processing, we apply dimensionality
reduction techniques to create compact traffic representations while preserving
discriminative information [4].

Lightweight CNN Model Design

Our CNN model is specifically designed to operate within the constraints of
programmable switches:

1. Model Architecture: A single convolutional layer with 64 filters, followed by max
pooling and a fully connected layer, resulting in only 2,241 trainable parameters [3].

2. Optimization for Resource Constraints: The model is optimized to minimize memory
usage and processing overhead while maintaining high detection accuracy.

3. Dataset-agnostic Preprocessing: We employ a preprocessing mechanism that works
across different datasets, making the model more generalizable [3].
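To make the parameter budget concrete, here is an added pure-Python example (not code from the paper or from LUCID) of the one-convolutional-layer model. The input shape of 10 packets by 11 header features and the 3-row kernel are assumed from the LUCID design cited as [3]; with 64 filters they yield exactly the 2,241 trainable parameters stated above.

```python
import math
import random

# Assumed shapes (taken from the LUCID design cited as [3], not stated on this
# page): a sample is n=10 packets x f=11 header features; the single conv layer
# has 64 filters of height 3 spanning all f features; global max pooling then
# feeds one sigmoid output unit.
N_PACKETS, N_FEATURES, N_FILTERS, KERNEL_H = 10, 11, 64, 3


def parameter_count(n_features=N_FEATURES, n_filters=N_FILTERS, kernel_h=KERNEL_H):
    """Trainable parameters: conv weights + conv biases + dense weights + dense bias."""
    conv = n_filters * (kernel_h * n_features + 1)
    dense = n_filters + 1
    return conv + dense  # 64 * 34 + 65 = 2241


class TinyCnn:
    """Pure-Python forward pass of the one-conv-layer model. Weights are random
    (constructed), so only the shapes and the arithmetic are meaningful here."""

    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.w_conv = [[[rng.uniform(-0.1, 0.1) for _ in range(N_FEATURES)]
                        for _ in range(KERNEL_H)] for _ in range(N_FILTERS)]
        self.b_conv = [0.0] * N_FILTERS
        self.w_dense = [rng.uniform(-0.1, 0.1) for _ in range(N_FILTERS)]
        self.b_dense = 0.0

    def n_params(self):
        """Count the weights actually allocated; must equal parameter_count()."""
        return (sum(len(r) for f in self.w_conv for r in f) + len(self.b_conv)
                + len(self.w_dense) + 1)

    def predict(self, sample):
        """sample: n x f matrix of normalised header features -> attack probability."""
        pooled = []
        for k in range(N_FILTERS):
            best = 0.0  # ReLU followed by global max pooling: max over positions, >= 0
            for i in range(N_PACKETS - KERNEL_H + 1):
                acc = self.b_conv[k]
                for r in range(KERNEL_H):
                    acc += sum(w * x for w, x in zip(self.w_conv[k][r], sample[i + r]))
                best = max(best, acc)
            pooled.append(best)
        logit = self.b_dense + sum(w * p for w, p in zip(self.w_dense, pooled))
        return 1.0 / (1.0 + math.exp(-logit))
```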

Detection Process

The detection process operates as follows:

1. Real-time Traffic Monitoring: The programmable switch continuously monitors
network traffic at line rate.

2. Observation Windows: Traffic is analyzed in fixed-size observation windows (e.g.,
250 windows as used in some implementations) [2][6].

3. Feature Computation: For each observation window, the system computes statistical
features including entropy values.

4. Anomaly Detection: The CNN model processes these features to identify potential
DDoS attacks.

5. Alarm Generation: When an attack is detected, an alarm is generated with relevant
metadata about the attack characteristics [6].
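As an added illustration (not code from the paper or from the ddosd-p4 project), the following Python models in software what the data plane computes for one observation window: a count sketch holds estimated per-destination packet counts in fixed memory, and the Shannon entropy of the window is maintained incrementally from those estimates rather than from a per-key table, which is what makes the computation feasible at line rate. The sketch geometry and the sample windows are constructed assumptions.

```python
import hashlib
import math

# Constructed sketch geometry (assumed, not from the paper): D odd hash rows x W counters, the shape of a P4 register array.
D, W = 3, 4096

def _sketch_hash(row, key):
    """Per-row hash of a flow key -> (counter index, +1/-1 sign)."""
    v = int.from_bytes(hashlib.blake2b(f"{row}:{key}".encode(), digest_size=8).digest(), "big")
    return v % W, (1 if v >> 63 else -1)

def _flog(f):
    return f * math.log2(f) if f > 0 else 0.0

class WindowEntropy:
    """Count sketch plus incrementally maintained Shannon entropy for one window.
    S = sum f*log2(f) is adjusted whenever a key's estimated frequency changes, so
    H = log2(N) - S/N needs no per-key state, only the D x W counters."""

    def __init__(self):
        self.counters = [[0] * W for _ in range(D)]
        self.n, self.s = 0, 0.0

    def _estimate(self, key):
        # median over the D rows cancels most hash collisions
        est = []
        for row in range(D):
            col, sign = _sketch_hash(row, key)
            est.append(sign * self.counters[row][col])
        return sorted(est)[D // 2]

    def observe(self, key):
        before = self._estimate(key)
        for row in range(D):
            col, sign = _sketch_hash(row, key)
            self.counters[row][col] += sign
        self.s += _flog(self._estimate(key)) - _flog(before)
        self.n += 1

    def entropy(self):
        return 0.0 if self.n == 0 else math.log2(self.n) - self.s / self.n

def window_entropy(keys):
    """Entropy (bits) of one observation window given its per-packet keys."""
    win = WindowEntropy()
    for k in keys:
        win.observe(k)
    return win.entropy()

# Constructed windows: 128 packets over 16 destinations (H = 4 bits) versus 120 of 128 packets at one destination (H < 1 bit).
BENIGN = [f"10.0.0.{i % 16}" for i in range(128)]
ATTACK = ["10.0.0.1"] * 120 + [f"10.0.0.{i}" for i in range(8, 16)]
```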

Implementation Details

The implementation leverages several technical approaches:

1. P4 Programming: We use P4 to program the data plane for feature extraction and
preprocessing [1][2].

2. Count Sketch Algorithm: For efficient flow monitoring and statistics collection [2][6].

3. Exponentially Weighted Moving Average (EWMA): For tracking the evolution of
traffic patterns over time [6].

4. Selective Processing: To minimize resource usage, we selectively process only
the features required by the detection model [4].
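The EWMA tracking from item 3 above, as an added Python example (not the project's code): the entropy baseline and its mean absolute deviation are smoothed over past windows, a window whose entropy departs from the baseline by more than k deviations raises an alarm, and flagged windows are kept out of the baseline so that a sustained flood does not become the new normal. The smoothing constants, warm-up length, deviation floor and the sample entropy series are assumptions.

```python
class EwmaDetector:
    """EWMA of the per-window entropy and of its mean absolute deviation; a window
    is flagged when it strays more than k deviations from the smoothed baseline.
    alpha, k, warmup and floor are assumed values, not parameters from the paper."""

    def __init__(self, alpha=0.2, k=3.0, warmup=5, floor=0.05):
        self.alpha, self.k, self.warmup, self.floor = alpha, k, warmup, floor
        self.mean, self.dev, self.seen = None, 0.0, 0

    def update(self, h):
        """Feed one window's entropy; returns True if the window should raise an alarm."""
        self.seen += 1
        if self.mean is None:  # the first window seeds the baseline
            self.mean = h
            return False
        gap = abs(h - self.mean)
        alarm = self.seen > self.warmup and gap > self.k * max(self.dev, self.floor)
        if not alarm:  # keep attack windows out of the baseline
            self.dev = (1 - self.alpha) * self.dev + self.alpha * gap
            self.mean = (1 - self.alpha) * self.mean + self.alpha * h
        return alarm


def scan(entropies):
    """Run the detector over a series of window entropies -> list of alarm flags."""
    det = EwmaDetector()
    return [det.update(h) for h in entropies]


# Constructed series of destination-IP entropies (bits): a stable benign baseline
# near 4 bits, two windows that collapse when one target is flooded, then recovery.
SERIES = [4.0, 3.9, 4.1, 4.0, 3.95, 4.05, 0.5, 0.6, 4.0, 4.1]
```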

Evaluation Methodology

We evaluate our system using:

1. Modern Datasets: Including the CIC-IDS2017, CSE-CIC-2018, CICIDS2019, and CAIDA
datasets [5][2].

2. Performance Metrics: Accuracy, precision, recall, F1-score, and detection latency.

3. Resource Utilization: Memory usage (SRAM and TCAM) and processing overhead.

4. Comparative Analysis: Comparison with state-of-the-art approaches including
controller-based detection systems.

Our experimental results demonstrate that the proposed approach can detect DDoS
attacks with high accuracy (98.2%) and low latency (approximately 250ms) while
maintaining low resource usage (dozens of kilobytes in SRAM per 1 Gbps link) [2].

References

1. https://www.simulamet.no/education/masters-students/masters-projects/detecting-ddos-attacks-programmable-data-planes
2. https://lume.ufrgs.br/bitstream/handle/10183/204658/001110525.pdf
3. https://pure.qub.ac.uk/files/200160837/LUCID_PUBLIC_VERSION.pdf
4. https://arxiv.org/abs/2307.05936
5. https://www.nature.com/articles/s41598-024-67984-w
6. https://github.com/aclapolli/ddosd-p4