IRJET- Software Defined Network: DDOS Attack Detection

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072
© 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 7302
Software Defined Network: DDoS Attack Detection
Mr. Ajinkya Patil1, Mr. Pratik Jain2, Mr. Ravi Ram3, Mr. Venkatesh Vayachal4, Prof. S. P. Bendale5
1,2,3,4B. E. Student, Dept. of Computer Engineering, NBN Sinhgad School of Engineering, Ambegaon, Pune – 411041,
Maharashtra, India
5Professor, Dept. of Computer. Engineering, NBN Sinhgad School of Engineering, Ambegaon, Pune – 411041,
Maharashtra, India
---------------------------------------------------------------------***---------------------------------------------------------------------
Abstract – Software Defined Networking (SDN) is a cloud
computing approach for programmatically configuring and
managing the networks. It enables easy and efficient
troubleshooting from a single point in the network. As SDN
follows centralized architecture by separatingtheforwarding
process of network packets from routing process. It also
enables security risks such as Denial-of-Service Attacks on the
network, the main goal of the attack is to flood the network
resources in such a way that the target machine overloadsthe
network and its resources making it unable to handle the
requests from legitimate users. The attacker mostly floods the
network but sometimes it may also load maliciouscodesin the
network, further disrupting the network until it fails.
This paper aims to address those risks and focusses on
Distributed Denial-of-Service (DDoS) Attack specifically.
Timely detection of DDoS attack is important to prevent the
system failure and information leak. Various algorithms like
TCM-KNN and DPTCM-KNN are used for detectionofattack in
the network traffic flow. The comparison between the two
algorithms is done using parameters like length of packet and
response time of the packet from the source. The use of two
parameters in DPTCM-KNN algorithm makes the detection
more accurate and efficient than TCM-KNN algorithm.
Key Words: Software Defined Network (SDN), Denial-of-
Service (DoS), Distributed Denial-of-Service (DDoS), Attack
Techniques, Detection Algorithms.
1. INTRODUCTION
As the continuous development of Internet technology, the
network consisting of networking devices, has increased
suddenly. Everyoffice,home,institute,variouscompaniesare
constantly connected to the Internet. As for the networks,
they are still constructed using switches and routers and
configuration of these types of networks are done manually.
This introduces some risks such as vulnerabilities in old
networking devices,trafficflowclogging,interfacesandhosts
error, controller failures, also providing attackers to target
servers.
As for internet security there are several threats,
Distributed Denial of Service (DDoS) attacks is most
dangerous from the other attacks. [1] A DDoS attack is
attempt to disrupt the normal traffic flow in a network, by
targeting the server (central network), or a service by
flooding the target with fakepacketstoexhausttheresources
of victims, such as CPU, memory and network bandwidth.
Fig – 1: Distributed Denial-of-Service Attack
A DDoS attack requires an attacker to gain control of the
network devices to perform anattack.Devicesinthenetwork
such as computers, networking devices, Internet of Things
(IoT) devices are infected with malware, making them into
bots. The collection of these bots is called botnet. When an
attacker gains control over a botnet, he starts the attack by
sending instructions remotely to the devices. The devices
then flood the network with sending requests to the target
server or network. Once a botnet is created the malware
keeps running in the background either waiting for
instructions form the botnet header (attacker) or automated
program by sending continuous requests to the server. Once
a machineis affectedbymalware,separatingtheattacktraffic
from normal traffic is difficult. There are many
countermeasuresproposedforthesetypesofattacksbutvery
few of them have been implemented because of their
deployment complexities as well as prohibitive operational
cost. One of the reasons is that such approaches require
placing high end-equipment at routers and switches and
sometimesevenrequirehumanintervention,whichincreases
extra storage and computational costs.
1.1 Software Defined Network
A Software Defined Network (SDN) is an architecture, [2]
whose goal is to create an open and programmable network
which can be managedeasilyasthenetworkgrowsand/orits
needs changes. The centralized control of SDN provides the
organization a better and useful approach to control and
manage the network (trafficengineering,security,andsoon).

The aim of the SDN is to create an environment where the
network evolves as the software evolves.
The SDN model separates the network control logic and
forwarding logic, mainly referred as Southbound APIs and
Northbound APIs, the Southbound APIs have devices which
receive packets, perform operations on packets, find out its
destination,thensendingthosepacketstoforwardingdevices
by making changes to packet header. This process of
forwarding of packets is instantaneous so when handling
many such packets there can be cases wherethepacketsmay
not be legitimate. To overcome thisSDNControllersareused,
the controllers contains the programmable logic which
control the flow of rules for any data flow or network traffic.
The Northbound APIs are the business logic or networking
application which actually perform operations on the
transferredpacketsandresponsesaregeneratedaccordingly.
Fig – 2: Software Defined Architecture
The attackers aim is to overflow the network with fake
packets to make the network unusablefortheflowlegitimate
packets. [3] The SDN controllers cannot detect a DDoSattack
by traditional methods because:
First, the switches cannot determine a malicious packet.
The attacker hides himself so well in subnets and uses low-
traffic flows to perform an attack, the switches cannot detect
each packet flowing through each subnet and determine
whether it is legitimate or not.
Second, it is not possible for the controller to determine
based on the incomingpackets,whetherthenetworkisunder
a DDoS attack.
Third, the attacker may not attack the controller directly
but based on protocols such as UDP, TCP, etc.
In this paper, we propose an effective detection of attack
detection in SDN flows, based on different algorithms. The
algorithms are tested and compared with other algorithms.
2. DDOS ATTACKS AND EXISTING SOLUTIONS
2.1 DDoS Attack Techniques
Nowadays, various methods for performing an attack in
the network to malfunction the working of a server. [4] They
are:
A. SYN Flooding
In SYN Flooding, attacker sends SYN packets to the target
containing incorrect source address which makes it
impossible to receive SYN/ACK packets. As the ACK will not
complete the port remains halted till the connection times
out.
B. ICMP Flooding
In this attack the attacker sends multiple number of ICMP
packets to the targets machine with fake return address,
unable to transfer any data the server cannot handle other
services. The bandwidth is jammed and the legitimate
requests are declined. By creating an opportunity, the
attacker loads Virus/Malicious Program on anothermachine
spreading the attack.
C. UDP Flooding
The goal of the attacker is to fill random ports of server with
UDP packets, as the host searches for corresponding
application and finds no application is listening for that port.
The host replies ICMP Destination Unreachable packet. As
this cycle continues the requests from other clients are
ignored.
2.2 Existing Solutions
DDoS Solutions consists of certain components, such as
Attack Detection, Defense, and IP traceback. There are
various ways for the attacker to mask his IP address and try
to hog the traffic flow. The main aim of any security in
Software Defined Network is detect the attack. Some of the
methods to detect DDoS are-
Document [5] proposes to secure the SDN control plane
using packet-in filtering mechanism. The mechanism at first
keeps the packet header information before forwarding it,
and then filters out IP addresses which aren’t present in the
list.
Document [6] introduces to entropy variation method,
where it is used to trace back the source of DDoS attacks. It is
defined by the randomness of the flows on routers. It tries to
createanattack pattern based on Entropy offlowmetric.The
flow metric for non-DDoS attack is stable, and low for DDoS
Attacks.
Document [7] proposes the controllers to contain the
detection method, specifically the Northbound Controller,as
it receivesall information ofthetrafficflowfromtheswitches
and routers directly it contains collection of behavioral data
of legitimate users over period of time. It is done by

distinguishing between the flow’s statistics. Doing so,
generates rules whichlowersthe false alarm rate for attacks.
Document [8] uses feature selection and feature weight
mechanisms which helps optimizing the algorithm also
reducing the cost and improvingperformance.Itfindsoutthe
deviations by calculatingpvalues,betweenthenormalsets.It
is also called as Transductive Confidence Machine for K-
Nearest Neighbors (TCM-KNN).
Document [9] merges AntColonyOptimizationAlgorithm
with K-Nearest Neighbor algorithm to improve the results, it
is applied on various classifiers. As the misclassified features
can be combined and used for improving the time. Similarly,
the classification of features is done by ACO which selects
classifiers which take less time to compute. It also does
feature reduction using ID3 (decision tree) algorithm.
Document [10] aims on anomaly flow detection method
by collecting information from the switches and controllers
such as flow details, type, features and classifiers between
multiple flows. The Double P-value of Transductive
ConfidenceMachinesforK-NearestNeighbors(DPTCM-KNN)
is used for classifying the features and network flow. It has
robust real-timeliness and it learns easily. It improves its
detection precision by taking two p values from the TCM-
KNN algorithm. The two p values are concept of
independence of estimation of absolute deviation, and
strangeness of relative deviations.
2.3 Detection Mechanism based on SDN
The SDN Controllersare usedto collecttheinformationof
flow feature vectors in large numbers. Using the collected
data, the vectors areclassifiedusingtwoparts:preprocessing
module and detection module. The preprocessing module
uses methods such as standardizing and normalizing the
feature flow vectors. Assume that each vector has t features
(Xpq (1 ≤ p ≤ n, 1 ≤ q ≤ t)).
 Standardization
where,
In Eq. (1), Meanq is the mean value and AvgDevq is mean
absolute deviation value. At the time of standardization,
following points are also considered:
1. If Meanq = 0, Xpq = 0
2. If AvgDevq = 0, Xpq = 0
 Normalization
It normalizes the standardized data into [0, 1].
where,
After the preprocessing module finishes its operations
next part is anomaly detection. The detection module uses
the DPTCM-KNN algorithm to detect the traffic.
In the anomaly detection system, the elements are divided
into two parts Normal and Abnormal Elements.
Classification is done with the help of following definitions.
Euclidean Distance:
It is a fundamental step in KNN algorithm as it finds out
the proximity or absolute spatial distance between
multiple points. The formula is denoted by:
where, Xp and Xq are used for extracting the features of p
and q respectively, Xpa is ath value of set Xp and t is length of Xp
Strangeness:
The strangeness assumes that y and –y is used to denote
the normal and abnormal elements. When the results for
calculating the Euclidean distance between p and other
points is sorted in accordance with KNN algorithm. The ratio
of the two is defined as strangeness in DPTCM-KNN.
where, k is number of nearest neighbor and py is
strangeness. If the strangeness is greater that point doesn’t
belongs to specified category.
Independence:
The independence calculates the absolute distance
between a point and category. It is sum of Euclidian distance
between the point and its neighbors.
where, θpq is independence, and Dpq is distance between
the point and nearest neighbor. If independence is smaller
that point starts belonging to the category.
Double p Value:
The detection of the point is calculated by taking the
probability of relative point to the neighboring points, the

degree of a point to a category. The greater the p-value the
more it belongs to subsequent category. It is calculated using
formula:
where, αp is strangeness andθp is independencerelativey
set to pth point; # is element number.
p1 (αp) and p2 (θp) are both used to calculate and
considered fordetection standardinDPTCM-KNNalgorithm.
3. ALGORITHMIC APPROACH
In this section we discuss about the available attack
detection techniques the TCM-KNN combines the
Transductive Confidence Machine with K-Nearest Neighbor
classification algorithm, it calculates the distance from an
unknown point to class u. Taking the ratio of both,
classification is done and p-value is found out from this
information the class in which the unknown point belongs to
is found out. In TCM-KNN algorithm a single precision
technique is used to detect the attack on a network. That
parameterisStrangeness.Onlyrelativedeviationbetweenthe
unknown point and class is considered.
To further enhance the performance of TCM-KNN
algorithm, an additional parameter is introduced, and the
algorithm is modified accordingly. Thus, forming Double P-
value of Transductive Confidence Machine for K-Nearest
Neighbor(DPTMM-KNN)algorithm,theadditionalparameter
is Independence, the accuracy of the algorithm is greatly
improved. By combining both Strangeness andIndependence
a result is obtained.
Step 1: Standardization and Normalization
In the first step, westandardize the data and find theaverage
deviation which is calculatedusingmeanvaluesandabsolute
deviation values from the Training Set. In the normalization
step the minimum and maximum values are calculated those
values are stored and further used for other operations.
Step 2: Calculate the Euclidean Distance of the Training Set
To calculate the Euclidean distance between the normal
points and abnormal points in the training set. This is an
important step which is used in the TCM-KNN algorithm and
it's usedas the basis for all the operations. Thisstepclassifies
the detection points into normal and abnormal points.
Step 3: Calculate the Strangeness and Independence of the
Training Set
The strangeness is calculated using the various points which
are found using K-Nearest Neighbor algorithm and with
Euclidean distance found out in Step 2. Using the formulas
mentioned above for standardization and normalization.
Step 4: Calculate the Strangeness and Independence of
detection point with reference to training Set
This is done by calculating the Euclidean distance between a
point a and other points available in the training set. A list is
created which sorts all the results based on distance values.
Step 5: Get the Double-p values of the detection points
The p1 value it is calculated with the αp which obtained from
sorting the normal points in descendingorderinStrangeness
Set. Similarly, the p2 value is calculated with θp by
Independence of normalset.Furtherusingboththep1andp2
values detection for an Attack is done.
Step 6: Classification of the data points
In this step, the classification if the detection points are done
by using the parameters suchas Resp_Time. By clusteringthe
detection points by τ1 and τ2 with the confidence values like
(0.01 or 0.05 or 0.1), the detection points aresetasnormalor
abnormal.
4. ALGORITHM DESIGN
Algorithm 1: Attribute based DPTCM-KNN Algorithm
Parameters:
Number of nearest neighbors – (k), Number of normal
subset y – (m1), abnormal subset -y - (m2), and
confidence τ1 and τ2
Input:
Points for detection
Output:
Normal or Abnormal
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
for p =1 to m1 do
Calculate the Euclidean distances of points
in normal subset
Save the results
end for
for i=1 to m2 do
Calculate the Euclidian distance of points in
abnormal subset
Save the results
end for
Calculate α for each point in normal subset
Calculate θ for each point in normal subset
Calculate αp for detection point p
Calculate θp for detection point p
Sort the strangeness and independence of point in
normal subset
Calculate p1 and p2 of detection point p for every

15.
16.
17.
18.
19.
attribute
If p1 ≥ τ1 && p2 ≥ τ2 then
return normal
else
return abnormal
end if
5. ANALYSIS AND EXPERIMENTS
Based on the experimental results performed on KDD’99
Dataset which is most used data set for anomaly detection
methods and research. [11] KDD99 is feature extracted
version of DARPA which is the base raw dataset. In the 1998
DARPA Intrusion Detection System Evaluation Program was
prepared, consistingofanattackscenariotoAir-Forcebase.It
consists of host and network dataset files; Host dataset file is
small dataset containing system calls. Network Dataset is
mostly used because it consists of seven weeks of network
traffic (TCP/IP dump)
Table -1: Confusion Matrix
Confusion Matrix is used to measure the performance of
the classification algorithm or classifier. We can derivemany
ratios from confusion matrix:
 True Positive (TP): These are cases in which we
predict ‘Yes’ and the actual result shows ‘Yes’.
 True Negatives (TN): These are cases in which we
predict ‘Yes’ but the actual result shows ‘No’
 False Positive (FP): Here wepredict‘Yes’,andactual
result is ‘No’. This is also called Type I error.
 False Negative (FN): Here wepredict‘No’andactual
result is ‘Yes’. This is also called Type II error.
The major change between the DPTCM-KNN and the
attribute based DPTCM-KNN is that double-precision values
have been calculated for selected attributes instead of
cumulating the attributes deviations. This gives the network
more control over the traffic flow in the network as per the
requirements, of the network administrator.
Since, Software Defined Network (SDN) majorly used in
large organizations where the traffic flow is varying
dynamically. The attributewiseddouble-precisionvaluedata
packets help to detect the unwanted packets more precisely.
Considering the KDD’99 Dataset following are the results
for randomly selected packets.
Table -2: Results
Packe
t
Count
Actual Predicted
Accuracy
%Norma
l
DDo
S
Norma
l
DDo
S
1996 1001 995 988 994 99.298597
1996 1001 995 1000 980 99.198397
2200 1162 1038 1112 1074 99.363636
2200 1162 1038 1138 987 96.590909
2332 1478 1022 1293 896 93.867925
2332 1478 1022 1392 893 97.984563
2856 1255 1601 1156 1563 95.203081
2856 1255 1601 1332 1493 98.914566
2652 1270 1382 1303 1198 94.30618
4
2652 1270 1382 1167 1176 88.348416
The attribute wise Double-Precision calculations for
individualpacketshasshownmoreaccuracyandcontrolover
the data.
6. CONCLUSIONS
In this paper, we have studied various methodologies which
are used for detection of Distributed Denial-of-Service
(DDoS) Attacks on Software Defined Network (SDN), based
on the findings and results we have concluded that the
Attribute based Double P-value of Transductive Confidence
Machines for K-Nearest Neighbors method gives more
efficient way to find out anomalous flow in Software Defined
Network.
REFERENCES
[1] A. S. Patil, P. S. Jain, R. G. Ram, V. N. Vayachal, S. P.
Bendale (2018) Detection of Distributed Denial-of-
Service (DDoS) Attack on Software Defined Network
(SDN), IRJET
[2] Peng, H., Sun, Z., Zhao, X., Tan, S., & Sun, Z. (2018). A
detection method for anomaly flow in software defined
network. IEEE Access.
[3] Nadeau, T. D., & Gray, K. (2013). SDN: Software Defined
Networks: An Authoritative Review of Network
Programmability Technologies. “O’Reilly Media, Inc.".
[4] Dong, P., Du, X., Zhang, H., & Xu, T. (2016, May). A
detection method for a novel DDoS attack against SDN
controllers by vast new low-traffic flows. In
Predicted
Values
Actual Values
Positive (1) Negative (0)
Positive (1) TP FP
Negative (0) FN TN

Communications (ICC), 2016 IEEE International
Conference on (pp. 1-6). IEEE.
[5] Kamboj, Priyanka & Chandra Trivedi, Munesh & Kumar
Yadav, Virendra & Kumar Singh, Vikash. (2017).
Detection techniques of DDoS attacks: A survey. 675-
679. 10.1109/UPCON.2017.8251130.
[6] Kotani, D., & Okabe, Y. (2014, October). A packet-in
message filtering mechanism for protection of control
plane in openflow networks. In Proceedingsofthetenth
ACM/IEEE symposium on Architectures for networking
and communications systems (pp. 29-40). ACM.
[7] Mousavi, S. M. (2014). Early detectionofDDoSattacksin
software defined networks controller (Doctoral
dissertation, Carleton University).
[8] Dong, P., Du, X., Zhang, H., & Xu, T. (2016, May). A
detection method for a novel DDoS attack against SDN
controllers by vast new low-traffic flows.
In Communications (ICC), 2016 IEEE International
Conference on (pp. 1-6). IEEE.
[9] Li, Y., & Guo, L. (2008, March). TCM-KNN scheme for
network anomaly detection using feature-based
optimizations. In Proceedings of the 2008 ACM
symposium on Applied computing (pp. 2103-2109).
ACM.
[10] Jaiswal, S., Saxena, K., Mishra, A., & Sahu, S. K. (2016,
March). A KNN-ACO approach for intrusion detection
using KDDCUP'99 dataset. In ComputingforSustainable
Global Development (INDIACom), 2016 3rd
International Conference on (pp. 628-633). IEEE.
[11] Peng, H., Sun, Z., Zhao, X., Tan, S., & Sun, Z. (2018). A
detection method for anomaly flow in software defined
network. IEEE Access.
[12] S. P. Bendale, J. R. Prasad, “Security threats and
challenges in Future Mobile Wireless Networks”, IEEE
International Conference proceeding GCWCN, 2018-19.

IRJET- Software Defined Network: DDOS Attack Detection

Recommended

More Related Content

What's hot (20)

Similar to IRJET- Software Defined Network: DDOS Attack Detection (20)

More from IRJET Journal (20)

Recently uploaded (20)

IRJET- Software Defined Network: DDOS Attack Detection