SlideShare a Scribd company logo

Traffic Based Malicious Switch and DDoS Detection in Software Defined Network

Akshaya Arunan
Akshaya Arunan

In this project secured threshold value (STV) and sequential probability ratio test (SPRT) were developed and used to detect and eliminate malicious switches and DDoS attacks in the SDN network.

1 of 43
Downloaded 17 times
TRAFFIC-BASED MALICIOUS SWITCH And DDoS DETECTION IN SOFTWARE DEFINED NETWORKING By: Akshaya Arunan Roll No: 1 MTech [IT] Guided By: Simi Krishna K.R AssistantProfessor[IT]
OUTLINE • Introduction • Existing system • Proposed system • System design • Tools • Implementation • Threshold value control • Sequentialprobabilityratio test • Results • Conclusion • Future works • References 6/29/2017 2Government Engineering College, Barton Hill, Trivandrum
INTRODUCTION Software Defined Network [SDN]: • Complexity of the network shifts towards the controller. • Brings simplicity and abstraction to the network operator. • SDN decouples the control plane from the data plane. • Migrates to a logically centralized software-based network controller. • Controller is network-aware. • Dynamic updating of traffic rules. 6/29/2017 3Government Engineering College, Barton Hill, Trivandrum
SDN Architecture [3] 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 4
6/30/2017 Government Engineering College, Barton Hill, Trivandrum 5 • Application Plane: Contains SDN applications for various functionalities. • Control Plane: It is a logically centralized control framework that • runs the NOS, • maintains global view of the network, and • provides hardware abstractions to SDN applications. • Data Plane: It is the combination of forwarding elements used to forward traffic flows based on instructions from the control plane.
OpenFlow [6]: • Communication protocol • A protocol - SDN controller communication with the network devices. • Standardizes the communication - a software-based controller and switches - Open Flow channel. • An OpenFlow-compliant switch exposes an abstraction of its forwarding table to the Open Flow controller. 6/29/2017 6Government Engineering College, Barton Hill, Trivandrum
• An Open Flow Switch consists of at least three parts: • A Flow Table, • A Secure Channel, • The Open Flow Protocol. 6/30/2017 Government Engineering College, Barton Hill, Trivandrum 7
EXISTING SYSTEM • Goal: To detect mobile malware by identifying suspicious network activities through real-time traffic analysis, which only requires connection establishment packets. • A simulation environment on SDN topology is created. • The TVC is implemented - used to detect malicious switches. • Each switch has its own threshold • The controllermaintains the maximum threshold of each switch from its working history. • Bandwidth between each switch is noted by the controller. • If the bandwidth crosses the actual bandwidth, then the flow to that particularswitch is blocked. • Maintained by the controller. • The controllerwill not assign flows through any switch beyond its thresholdvalue. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 8
Controller Admin E-mail/SMS Notification 1 2 3 4 5 6 Incoming malicioustraffic Goes for traffic monitoring Finding malicious activities Flow to OF switch 2 stopped No malicious traffic reaches destination Source PC DestinationPC OF Switch 1 OF Switch 2 Normal packet Maliciouspacket Control Plane Data Plane SYSTEMDESIGN 6/29/2017 9Government Engineering College, Barton Hill, Trivandrum
• Disadvantage of TVC: • Since there can be more flows which are not malicious and may try to enter, the controller blocks them. • Also some switches may not know the assigned TVC and may let in the packets. Here, they may also be blocked. • Thus, the controller here can be easily compromised. • Most common attack in SDN is Distributed Denial of Service which also in not possible to detect with TVC. • Therefore, to overcome this, SPRT method is introduced. 6/29/2017 10Government Engineering College, Barton Hill, Trivandrum
PROPOSED SYSTEM • Goal: To propose an effective detection method for the DDoS attacks against SDN controllers by vast new low traffic flows. • The SDN controller is a vulnerable target of DDoS attacks. • Many packet-in messages maybe generated and sent to the controller exhausting it or failing it. • Breaks down a controller and disrupts the whole network. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 11
TOOLS • Virtual Box (Version 5.1.12r112440) • Ubuntu 14.04 • Mininet 2.2.0 • Open Daylight Controller (Beryllium) • Miniedit 6/29/2017 12Government Engineering College, Barton Hill, Trivandrum
IMPLEMENTATION 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 13
EXISTING SYSTEM • Each switch has a threshold field. • The controller finds out the threshold value of each switch’s maximum traffic flows by learning from its working history. • The controller also knows the bandwidth between every two switches. • These information's will be maintained at the controller. • If the controller finds a threshold value greater than the normal value of a particular switch, it will detect it as malicious and isolate it from the network. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 14
6/29/2017 15Government Engineering College, Barton Hill, Trivandrum
PROPOSED SYSTEM Detection based on SPRT: • Aim: To detect whether an interface is compromised. • Assumption: • Each switch is capable of obtaining statistical info of the incoming flows and reporting it to the controller (via OpenFlow, NetwFlow, sFlow). • Each flow statistics will pass our DDoS detection modules. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 16
6/29/2017 17 Government Engineering College, Barton Hill, Trivandrum
Flow Classification[2]: • Normal flow • Low traffic flow Assignments: • Pr - Probability • Fb i – Flow event corresponding to sequence of flows • xi – sequence of flows • cb i - packet counts of flows in a flow event F • C – Threshold value ( can be obtained and recalibrated) • b – Observations (1,2,…, n) • H – Hypothesis • α – False positive • β – False negative • D – Detection function 6/29/2017 18Government Engineering College, Barton Hill, Trivandrum
• Flow event Fb i is defines as Bernoulli random variable: Fb i = 1, if cb i <= Cmax 0, if cb i >= Cmax • After classification, function reports to attack detection function. 6/29/2017 19Government Engineering College, Barton Hill, Trivandrum
Attack detection based on SPRT: • Analyzes the list of observed events to decide. • Consider H1 – detection of compromised interface H0 – normality • There are two types of errors: • False positive – acceptance of H1 when H0 is true • False negative – acceptance of H0 when H1 is true. • To avoid the two errors we introduce – α and β as the user defined probabilities of them, respectively. • The error rates should not exceed the α and β for false positive and false negative, respectively. 6/29/2017 20Government Engineering College, Barton Hill, Trivandrum
• Consider Dn i as an evaluation of interface i’s behavior by detection function. Let Dn i be the probability ratio considering all n normal flow and low traffic flow events noted for interface i. • Upon receiving an event Fb, the detection function evaluates: Dn i = Ʃ ln Pr(F1 i,……..,Fn i | H1) Pr(F1 i,…….., Fn i | H0) • Since Fb is a Bernoulli random variable, let Pr(Fb i = 1| H0) = 1- Pr(Fb i = 0| H0) = λ1 Pr(Fb i = 1| H1) = 1- Pr(Fb i = 0| H1) = λ0 where λ1 > λ0 because a compromised interface is more likely to be injected into low traffic flows to overload controller 6/29/2017 21Government Engineering College, Barton Hill, Trivandrum
• λ0 and λ1 are the probability distribution parameters for the flow events and affect the number of observations required for the detection function to reach a decision (either H0 or H1). • SPRT based detection method can be considered as a one dimensional random walk. • When low traffic, Fb i = 1, walk moves upward one step. • When normal, Fb i = 0, walk moves downward one step. • From this two boundaries A and B is produced. 6/29/2017 22Government Engineering College, Barton Hill, Trivandrum
Testing compromised interface against a normal interface: • Given : Two boundaries A and B where B<A on basis of probability ratio, Dn i SPRT for H0 against H1 is set as: A = β / (1- α) B = (1- β) / α • The SPRT for H0 against H1 is given as : Dn i <= B : accept H0 and terminate the test. Dn i >= A : accept H1 and terminate the test. B < Dn i < A : continue the test process with an additional observation. 6/29/2017 23Government Engineering College, Barton Hill, Trivandrum
RESULTS • Latency and throughput are the two most fundamental measures of network performance. • They are closely related, but whereas latency measures the overall delay in time for transmission of data between the start of an action and its completion, throughput is how much data has been transmitted in a given amount of time. • Therefore here we take the average latency and the throughput to compare between the two methods. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 24
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 25 15.8373 14.9247 14.2378 13.8743 13.1289 12.7909 11.6848 10.4576 9.2378 8.9453 8.6953 7.9909 0 2 4 6 8 10 12 14 16 18 5 10 15 20 25 30 AVERAGELATENCY(MS) TIME(S) AVERAGE LATENCY THRESHOLD VALUE LATENCY SPRT LATENCY From this graph it is clear that the delay in overall data transmission of SPRT method is lesser compared to the TVC. Thus the quality of service of SPRT method is better than the TVC.
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 26 123.5935 125.9403 128.5839 131.9643 138.8543 140.0955141.8343 143.5934 147.4898 153.3857 158.4872 163.8238 0 20 40 60 80 100 120 140 160 180 5 10 15 20 25 30 THROUGHPUT(MBPS) TIME(S) THROUGHPUT THRESHOLD VALUE THROUGHPUT SPRT THROUGHPUT From this graph it is understood that the data transmitted was more when the SPRT method was running in a particular time. Thus from this also we can understand that the quality od service of SPRT is better than TVC and also the success rate of data transmission is also more in SPRT.
CONCLUSION • It can be concluded that it is challenging to choose a threshold value control for the SDN network as the controller and switches can be easily compromised. • SPRT detection method is a statistical tool which is a better method to detect malicious switch especially DDoS attack in SDN compared to the threshold value and thus removes the possibilities of compromised nodes. 6/29/2017 27Government Engineering College, Barton Hill, Trivandrum
FUTURE WORKS • Implementation of a security method like OpenSec[4] can be implemented as a further protection in SDN. • Various types networks (tree, hierarchy) can be used to implement this method and an comparison can be done to find the better network performance. 6/29/2017 28Government Engineering College, Barton Hill, Trivandrum
REFERENCES 1. Xiaodong Du, Ming Zhong Wang, Xiaoping Zhang, “Traffic based malicious switch Detection in SDN”, International Journal of Security and its applications, 2014. 2. Ping Dong, Xiaojiang Du, Hongke Zhang, “A detection Method for a Novel DDoS Attack against SDN Controllers by Vast New Low traffic Flows”, IEEE, 2016. 3. Diego Krutz, Fernando M.V. Ramos, Paulo Verissimo, “Software Defined Networking: A comprehensive Survey”, IEEE, 2014. 4. Adrian Lara and Byrav Ramamurthy, “OpenSec: Policy Based Security Using Software Defined Networking”, IEEE transactions on network and service management, 2016. 6/29/2017 29Government Engineering College, Barton Hill, Trivandrum
5. Mihai Nicolae, Laura Gheorge, “SDN Based Security Mechanism”, IEEE, 2015. 6. N. McKeown et al., “Open Flow: Enabling innovation in campus networks,” SIGCOMM Comput. Commun. Mar. 2008. 7. “http://sdnhub.org/tutorials/ryu/” 8. “http://mininet.org/walkthrough/” 9. “https://github.com/mininet/mininet” 10. “http://www.brianlinkletter.com/how-to-use-miniedit-mininets-graphical-user- interface/” 6/29/2017 30Government Engineering College, Barton Hill, Trivandrum
THANK YOU 6/29/2017 31Government Engineering College, Barton Hill, Trivandrum
SCREENSHOTS 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 32
Starting a mininet with IP address eth1 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 33
Starting open daylight controller 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 34
Opening the open daylight controller with the IP address eth0 in the browser 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 35
Creating a topology in the mininet terminal 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 36
Viewing the topology in the browser 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 37
Creating a topology in the miniedit 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 38
Running the threshold value control program with waf in xterm. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 39
Running the SPRT program with waf in xterm. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 40
Flow can be viewed in Wireshark if needed 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 41
Throughput plotted 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 42
Latency plotted 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 43
Ad

Recommended

Enhanced Traffic Based Malicious Switch Detection in SDN
Enhanced Traffic Based Malicious Switch Detection in SDNEnhanced Traffic Based Malicious Switch Detection in SDN
Enhanced Traffic Based Malicious Switch Detection in SDN
Akshaya Arunan
 
Redundancy Management in Heterogeneous Wireless Sensor Networks
Redundancy Management in Heterogeneous Wireless Sensor NetworksRedundancy Management in Heterogeneous Wireless Sensor Networks
Redundancy Management in Heterogeneous Wireless Sensor Networks
Saeid Hossein Pour
 
VeriFlow: Verifying Network-Wide Invariants in Real Time
VeriFlow: Verifying Network-Wide Invariants in Real TimeVeriFlow: Verifying Network-Wide Invariants in Real Time
VeriFlow: Verifying Network-Wide Invariants in Real Time
Open Networking Summits
 
SFA: Stateful Forwarding Abstraction in SDN Data Plane
SFA: Stateful Forwarding Abstraction in SDN Data PlaneSFA: Stateful Forwarding Abstraction in SDN Data Plane
SFA: Stateful Forwarding Abstraction in SDN Data Plane
Open Networking Summits
 
Evaluation of Mobile IPV6 Protocols in Handover Environments
Evaluation of Mobile IPV6 Protocols in Handover EnvironmentsEvaluation of Mobile IPV6 Protocols in Handover Environments
Evaluation of Mobile IPV6 Protocols in Handover Environments
Anline Jerusha
 
FLOODING ATTACK DETECTION AND MITIGATION IN SDN WITH MODIFIED ADAPTIVE THRESH...
FLOODING ATTACK DETECTION AND MITIGATION IN SDN WITH MODIFIED ADAPTIVE THRESH...FLOODING ATTACK DETECTION AND MITIGATION IN SDN WITH MODIFIED ADAPTIVE THRESH...
FLOODING ATTACK DETECTION AND MITIGATION IN SDN WITH MODIFIED ADAPTIVE THRESH...
IJCNCJournal
 
Anomaly Detection of IP Header Threats
Anomaly Detection of IP Header ThreatsAnomaly Detection of IP Header Threats
Anomaly Detection of IP Header Threats
CSCJournals
 
1766 1770
1766 17701766 1770
1766 1770
Editor IJARCET
 
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree AlgorithmIRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET Journal
 
Grds conferences icst and icbelsh (9)
Grds conferences icst and icbelsh (9)Grds conferences icst and icbelsh (9)
Grds conferences icst and icbelsh (9)
Global R & D Services
 
Day 1.3 osi reference
Day 1.3 osi referenceDay 1.3 osi reference
Day 1.3 osi reference
CYBERINTELLIGENTS
 
Measuring black boxes
Measuring black boxesMeasuring black boxes
Measuring black boxes
Phil Huggins FBCS CITP
 
OpenSec Policy-Based Security Using
OpenSec Policy-Based Security UsingOpenSec Policy-Based Security Using
OpenSec Policy-Based Security Using
Akshaya Arunan
 
JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...
JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...
JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...
chennaijp
 
Fire wall security
Fire wall securityFire wall security
Fire wall security
Chandresh Suthar
 
ITOC
ITOCITOC
ITOC
Gerald Thomas
 
5G-USA-Telemetry
5G-USA-Telemetry5G-USA-Telemetry
5G-USA-Telemetry
snrism
 
Evaluating the vulnerability of network traffic using joint security and rout...
Evaluating the vulnerability of network traffic using joint security and rout...Evaluating the vulnerability of network traffic using joint security and rout...
Evaluating the vulnerability of network traffic using joint security and rout...
Mumbai Academisc
 
A Survey on Data Intrusion schemes used in MANET
A Survey on Data Intrusion schemes used in MANETA Survey on Data Intrusion schemes used in MANET
A Survey on Data Intrusion schemes used in MANET
IRJET Journal
 
Pre-filters in-transit malware packets detection in the network
Pre-filters in-transit malware packets detection in the networkPre-filters in-transit malware packets detection in the network
Pre-filters in-transit malware packets detection in the network
TELKOMNIKA JOURNAL
 
Network scanner
Network scannerNetwork scanner
Network scanner
Shrikrishna Parab
 
Software Define Network
Software Define NetworkSoftware Define Network
Software Define Network
Subith Babu
 
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Lionel Briand
 
Performance Analysis and Optimization of Next Generation Wireless Networks (P...
Performance Analysis and Optimization of Next Generation Wireless Networks (P...Performance Analysis and Optimization of Next Generation Wireless Networks (P...
Performance Analysis and Optimization of Next Generation Wireless Networks (P...
University of Piraeus
 
Icimt 2010 procediing rp118 vol.2 d10122
Icimt 2010 procediing rp118 vol.2 d10122Icimt 2010 procediing rp118 vol.2 d10122
Icimt 2010 procediing rp118 vol.2 d10122
Gulshan Shrivastava
 
ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12
ThousandEyes
 
MP2P 2008 (PerCom 2008) - Elisa Rondini
MP2P 2008 (PerCom 2008) - Elisa RondiniMP2P 2008 (PerCom 2008) - Elisa Rondini
MP2P 2008 (PerCom 2008) - Elisa Rondini
Elisa Rondini
 
A data driven approach for monitoring network events
A data driven approach for monitoring network eventsA data driven approach for monitoring network events
A data driven approach for monitoring network events
Jisc
 
A TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSIS
A TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSISA TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSIS
A TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSIS
Akshaya Arunan
 
Icacci presentation-ssh traffic
Icacci presentation-ssh trafficIcacci presentation-ssh traffic
Icacci presentation-ssh traffic
vinaykumar R
 
Ad

More Related Content

What's hot (13)

IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree AlgorithmIRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET Journal
 
Grds conferences icst and icbelsh (9)
Grds conferences icst and icbelsh (9)Grds conferences icst and icbelsh (9)
Grds conferences icst and icbelsh (9)
Global R & D Services
 
Day 1.3 osi reference
Day 1.3 osi referenceDay 1.3 osi reference
Day 1.3 osi reference
CYBERINTELLIGENTS
 
Measuring black boxes
Measuring black boxesMeasuring black boxes
Measuring black boxes
Phil Huggins FBCS CITP
 
OpenSec Policy-Based Security Using
OpenSec Policy-Based Security UsingOpenSec Policy-Based Security Using
OpenSec Policy-Based Security Using
Akshaya Arunan
 
JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...
JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...
JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...
chennaijp
 
Fire wall security
Fire wall securityFire wall security
Fire wall security
Chandresh Suthar
 
ITOC
ITOCITOC
ITOC
Gerald Thomas
 
5G-USA-Telemetry
5G-USA-Telemetry5G-USA-Telemetry
5G-USA-Telemetry
snrism
 
Evaluating the vulnerability of network traffic using joint security and rout...
Evaluating the vulnerability of network traffic using joint security and rout...Evaluating the vulnerability of network traffic using joint security and rout...
Evaluating the vulnerability of network traffic using joint security and rout...
Mumbai Academisc
 
A Survey on Data Intrusion schemes used in MANET
A Survey on Data Intrusion schemes used in MANETA Survey on Data Intrusion schemes used in MANET
A Survey on Data Intrusion schemes used in MANET
IRJET Journal
 
Pre-filters in-transit malware packets detection in the network
Pre-filters in-transit malware packets detection in the networkPre-filters in-transit malware packets detection in the network
Pre-filters in-transit malware packets detection in the network
TELKOMNIKA JOURNAL
 
Network scanner
Network scannerNetwork scanner
Network scanner
Shrikrishna Parab
 
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree AlgorithmIRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET Journal
 
Grds conferences icst and icbelsh (9)
Grds conferences icst and icbelsh (9)Grds conferences icst and icbelsh (9)
Grds conferences icst and icbelsh (9)
Global R & D Services
 
Day 1.3 osi reference
Day 1.3 osi referenceDay 1.3 osi reference
Day 1.3 osi reference
CYBERINTELLIGENTS
 
Measuring black boxes
Measuring black boxesMeasuring black boxes
Measuring black boxes
Phil Huggins FBCS CITP
 
OpenSec Policy-Based Security Using
OpenSec Policy-Based Security UsingOpenSec Policy-Based Security Using
OpenSec Policy-Based Security Using
Akshaya Arunan
 
JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...
JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...
JPN1402 A Study on False Channel Condition Reporting Attacks in Wireless Ne...
chennaijp
 
Fire wall security
Fire wall securityFire wall security
Fire wall security
Chandresh Suthar
 
ITOC
ITOCITOC
ITOC
Gerald Thomas
 
5G-USA-Telemetry
5G-USA-Telemetry5G-USA-Telemetry
5G-USA-Telemetry
snrism
 
Evaluating the vulnerability of network traffic using joint security and rout...
Evaluating the vulnerability of network traffic using joint security and rout...Evaluating the vulnerability of network traffic using joint security and rout...
Evaluating the vulnerability of network traffic using joint security and rout...
Mumbai Academisc
 
A Survey on Data Intrusion schemes used in MANET
A Survey on Data Intrusion schemes used in MANETA Survey on Data Intrusion schemes used in MANET
A Survey on Data Intrusion schemes used in MANET
IRJET Journal
 
Pre-filters in-transit malware packets detection in the network
Pre-filters in-transit malware packets detection in the networkPre-filters in-transit malware packets detection in the network
Pre-filters in-transit malware packets detection in the network
TELKOMNIKA JOURNAL
 
Network scanner
Network scannerNetwork scanner
Network scanner
Shrikrishna Parab
 

Similar to Traffic Based Malicious Switch and DDoS Detection in Software Defined Network (20)

Software Define Network
Software Define NetworkSoftware Define Network
Software Define Network
Subith Babu
 
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Lionel Briand
 
Performance Analysis and Optimization of Next Generation Wireless Networks (P...
Performance Analysis and Optimization of Next Generation Wireless Networks (P...Performance Analysis and Optimization of Next Generation Wireless Networks (P...
Performance Analysis and Optimization of Next Generation Wireless Networks (P...
University of Piraeus
 
Icimt 2010 procediing rp118 vol.2 d10122
Icimt 2010 procediing rp118 vol.2 d10122Icimt 2010 procediing rp118 vol.2 d10122
Icimt 2010 procediing rp118 vol.2 d10122
Gulshan Shrivastava
 
ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12
ThousandEyes
 
MP2P 2008 (PerCom 2008) - Elisa Rondini
MP2P 2008 (PerCom 2008) - Elisa RondiniMP2P 2008 (PerCom 2008) - Elisa Rondini
MP2P 2008 (PerCom 2008) - Elisa Rondini
Elisa Rondini
 
A data driven approach for monitoring network events
A data driven approach for monitoring network eventsA data driven approach for monitoring network events
A data driven approach for monitoring network events
Jisc
 
A TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSIS
A TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSISA TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSIS
A TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSIS
Akshaya Arunan
 
Icacci presentation-ssh traffic
Icacci presentation-ssh trafficIcacci presentation-ssh traffic
Icacci presentation-ssh traffic
vinaykumar R
 
isc2015
isc2015isc2015
isc2015
Yi Ling
 
Vrajesh parikh handoff_presentation1
Vrajesh parikh handoff_presentation1Vrajesh parikh handoff_presentation1
Vrajesh parikh handoff_presentation1
ITM Universe - Vadodara
 
Traffic data fusion methodology
Traffic data fusion methodologyTraffic data fusion methodology
Traffic data fusion methodology
JumpingJaq
 
B0210714
B0210714B0210714
B0210714
IOSR Journals
 
ASSURED NEIGHBOR BASED COUNTER PROTOCOL ON MAC-LAYER PROVIDING SECURITY IN MO...
ASSURED NEIGHBOR BASED COUNTER PROTOCOL ON MAC-LAYER PROVIDING SECURITY IN MO...ASSURED NEIGHBOR BASED COUNTER PROTOCOL ON MAC-LAYER PROVIDING SECURITY IN MO...
ASSURED NEIGHBOR BASED COUNTER PROTOCOL ON MAC-LAYER PROVIDING SECURITY IN MO...
cscpconf
 
7 ijcse-01229
7 ijcse-012297 ijcse-01229
7 ijcse-01229
Shivlal Mewada
 
P1141213149
P1141213149P1141213149
P1141213149
Ashraf Aboshosha
 
Clustering-based Analysis for Heavy-Hitter Flow Detection
Clustering-based Analysis for Heavy-Hitter Flow DetectionClustering-based Analysis for Heavy-Hitter Flow Detection
Clustering-based Analysis for Heavy-Hitter Flow Detection
APNIC
 
DDoS Attacks Detection using Dynamic Entropy in Software-Defined Network Prac...
DDoS Attacks Detection using Dynamic Entropy in Software-Defined Network Prac...DDoS Attacks Detection using Dynamic Entropy in Software-Defined Network Prac...
DDoS Attacks Detection using Dynamic Entropy in Software-Defined Network Prac...
IJCNCJournal
 
DDOS ATTACKS DETECTION USING DYNAMIC ENTROPY INSOFTWARE-DEFINED NETWORK PRACT...
DDOS ATTACKS DETECTION USING DYNAMIC ENTROPY INSOFTWARE-DEFINED NETWORK PRACT...DDOS ATTACKS DETECTION USING DYNAMIC ENTROPY INSOFTWARE-DEFINED NETWORK PRACT...
DDOS ATTACKS DETECTION USING DYNAMIC ENTROPY INSOFTWARE-DEFINED NETWORK PRACT...
IJCNCJournal
 
Paper id 23201411
Paper id 23201411Paper id 23201411
Paper id 23201411
IJRAT
 
Software Define Network
Software Define NetworkSoftware Define Network
Software Define Network
Subith Babu
 
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Lionel Briand
 
Performance Analysis and Optimization of Next Generation Wireless Networks (P...
Performance Analysis and Optimization of Next Generation Wireless Networks (P...Performance Analysis and Optimization of Next Generation Wireless Networks (P...
Performance Analysis and Optimization of Next Generation Wireless Networks (P...
University of Piraeus
 
Icimt 2010 procediing rp118 vol.2 d10122
Icimt 2010 procediing rp118 vol.2 d10122Icimt 2010 procediing rp118 vol.2 d10122
Icimt 2010 procediing rp118 vol.2 d10122
Gulshan Shrivastava
 
ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12ThousandEyes at Network Field Day 12
ThousandEyes at Network Field Day 12
ThousandEyes
 
MP2P 2008 (PerCom 2008) - Elisa Rondini
MP2P 2008 (PerCom 2008) - Elisa RondiniMP2P 2008 (PerCom 2008) - Elisa Rondini
MP2P 2008 (PerCom 2008) - Elisa Rondini
Elisa Rondini
 
A data driven approach for monitoring network events
A data driven approach for monitoring network eventsA data driven approach for monitoring network events
A data driven approach for monitoring network events
Jisc
 
A TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSIS
A TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSISA TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSIS
A TRANSDUCTIVE SCHEME BASED INFERENCE TECHNIQUES FOR NETWORK FORENSIC ANALYSIS
Akshaya Arunan
 
Icacci presentation-ssh traffic
Icacci presentation-ssh trafficIcacci presentation-ssh traffic
Icacci presentation-ssh traffic
vinaykumar R
 
isc2015
isc2015isc2015
isc2015
Yi Ling
 
Vrajesh parikh handoff_presentation1
Vrajesh parikh handoff_presentation1Vrajesh parikh handoff_presentation1
Vrajesh parikh handoff_presentation1
ITM Universe - Vadodara
 
Traffic data fusion methodology
Traffic data fusion methodologyTraffic data fusion methodology
Traffic data fusion methodology
JumpingJaq
 
B0210714
B0210714B0210714
B0210714
IOSR Journals
 
ASSURED NEIGHBOR BASED COUNTER PROTOCOL ON MAC-LAYER PROVIDING SECURITY IN MO...
ASSURED NEIGHBOR BASED COUNTER PROTOCOL ON MAC-LAYER PROVIDING SECURITY IN MO...ASSURED NEIGHBOR BASED COUNTER PROTOCOL ON MAC-LAYER PROVIDING SECURITY IN MO...
ASSURED NEIGHBOR BASED COUNTER PROTOCOL ON MAC-LAYER PROVIDING SECURITY IN MO...
cscpconf
 
7 ijcse-01229
7 ijcse-012297 ijcse-01229
7 ijcse-01229
Shivlal Mewada
 
P1141213149
P1141213149P1141213149
P1141213149
Ashraf Aboshosha
 
Clustering-based Analysis for Heavy-Hitter Flow Detection
Clustering-based Analysis for Heavy-Hitter Flow DetectionClustering-based Analysis for Heavy-Hitter Flow Detection
Clustering-based Analysis for Heavy-Hitter Flow Detection
APNIC
 
DDoS Attacks Detection using Dynamic Entropy in Software-Defined Network Prac...
DDoS Attacks Detection using Dynamic Entropy in Software-Defined Network Prac...DDoS Attacks Detection using Dynamic Entropy in Software-Defined Network Prac...
DDoS Attacks Detection using Dynamic Entropy in Software-Defined Network Prac...
IJCNCJournal
 
DDOS ATTACKS DETECTION USING DYNAMIC ENTROPY INSOFTWARE-DEFINED NETWORK PRACT...
DDOS ATTACKS DETECTION USING DYNAMIC ENTROPY INSOFTWARE-DEFINED NETWORK PRACT...DDOS ATTACKS DETECTION USING DYNAMIC ENTROPY INSOFTWARE-DEFINED NETWORK PRACT...
DDOS ATTACKS DETECTION USING DYNAMIC ENTROPY INSOFTWARE-DEFINED NETWORK PRACT...
IJCNCJournal
 
Paper id 23201411
Paper id 23201411Paper id 23201411
Paper id 23201411
IJRAT
 
Ad

More from Akshaya Arunan (7)

Akshayappt
AkshayapptAkshayappt
Akshayappt
Akshaya Arunan
 
Intermediate code generation
Intermediate code generationIntermediate code generation
Intermediate code generation
Akshaya Arunan
 
Syntax directed translation
Syntax directed translationSyntax directed translation
Syntax directed translation
Akshaya Arunan
 
Operator precedence
Operator precedenceOperator precedence
Operator precedence
Akshaya Arunan
 
Syntax analysis
Syntax analysisSyntax analysis
Syntax analysis
Akshaya Arunan
 
Bottom up parser
Bottom up parserBottom up parser
Bottom up parser
Akshaya Arunan
 
Compilers Design
Compilers DesignCompilers Design
Compilers Design
Akshaya Arunan
 
Akshayappt
AkshayapptAkshayappt
Akshayappt
Akshaya Arunan
 
Intermediate code generation
Intermediate code generationIntermediate code generation
Intermediate code generation
Akshaya Arunan
 
Syntax directed translation
Syntax directed translationSyntax directed translation
Syntax directed translation
Akshaya Arunan
 
Operator precedence
Operator precedenceOperator precedence
Operator precedence
Akshaya Arunan
 
Syntax analysis
Syntax analysisSyntax analysis
Syntax analysis
Akshaya Arunan
 
Bottom up parser
Bottom up parserBottom up parser
Bottom up parser
Akshaya Arunan
 
Compilers Design
Compilers DesignCompilers Design
Compilers Design
Akshaya Arunan
 
Ad

Recently uploaded (16)

AI Days 2025_GM1 : Interface in theage of AI
AI Days 2025_GM1 : Interface in theage of AIAI Days 2025_GM1 : Interface in theage of AI
AI Days 2025_GM1 : Interface in theage of AI
Prashant Singh
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdfBreaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Nirmalthapa24
 
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
AndrHenrique77
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
Grade 7 Google_Sites_Lesson creating website.pptx
Grade 7 Google_Sites_Lesson creating website.pptxGrade 7 Google_Sites_Lesson creating website.pptx
Grade 7 Google_Sites_Lesson creating website.pptx
AllanGuevarra1
 
Determining Glass is mechanical textile
Determining Glass is mechanical textileDetermining Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
Seminar.MAJor presentation for final project viva
Seminar.MAJor presentation for final project vivaSeminar.MAJor presentation for final project viva
Seminar.MAJor presentation for final project viva
daditya2501
 
Organizing_Data_Grade4 how to organize.pptx
Organizing_Data_Grade4 how to organize.pptxOrganizing_Data_Grade4 how to organize.pptx
Organizing_Data_Grade4 how to organize.pptx
AllanGuevarra1
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
Cyber Safety: security measure about navegating on internet.
Cyber Safety: security measure about navegating on internet.Cyber Safety: security measure about navegating on internet.
Cyber Safety: security measure about navegating on internet.
manugodinhogentil
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
cxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdf
cxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdfcxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdf
cxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdf
ssuser060b2e1
 
AI Days 2025_GM1 : Interface in theage of AI
AI Days 2025_GM1 : Interface in theage of AIAI Days 2025_GM1 : Interface in theage of AI
AI Days 2025_GM1 : Interface in theage of AI
Prashant Singh
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdfBreaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Breaching The Perimeter - Our Most Impactful Bug Bounty Findings.pdf
Nirmalthapa24
 
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
5-Ways-To-Future-Proof-Your-SIEM-Securonix[1].pdf
AndrHenrique77
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
Grade 7 Google_Sites_Lesson creating website.pptx
Grade 7 Google_Sites_Lesson creating website.pptxGrade 7 Google_Sites_Lesson creating website.pptx
Grade 7 Google_Sites_Lesson creating website.pptx
AllanGuevarra1
 
Determining Glass is mechanical textile
Determining Glass is mechanical textileDetermining Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
Seminar.MAJor presentation for final project viva
Seminar.MAJor presentation for final project vivaSeminar.MAJor presentation for final project viva
Seminar.MAJor presentation for final project viva
daditya2501
 
Organizing_Data_Grade4 how to organize.pptx
Organizing_Data_Grade4 how to organize.pptxOrganizing_Data_Grade4 how to organize.pptx
Organizing_Data_Grade4 how to organize.pptx
AllanGuevarra1
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
Cyber Safety: security measure about navegating on internet.
Cyber Safety: security measure about navegating on internet.Cyber Safety: security measure about navegating on internet.
Cyber Safety: security measure about navegating on internet.
manugodinhogentil
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
cxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdf
cxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdfcxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdf
cxbcxfzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7.pdf
ssuser060b2e1
 

Traffic Based Malicious Switch and DDoS Detection in Software Defined Network

  • 1. TRAFFIC-BASED MALICIOUS SWITCH And DDoS DETECTION IN SOFTWARE DEFINED NETWORKING By: Akshaya Arunan Roll No: 1 MTech [IT] Guided By: Simi Krishna K.R AssistantProfessor[IT]
  • 2. OUTLINE • Introduction • Existing system • Proposed system • System design • Tools • Implementation • Threshold value control • Sequentialprobabilityratio test • Results • Conclusion • Future works • References 6/29/2017 2Government Engineering College, Barton Hill, Trivandrum
  • 3. INTRODUCTION Software Defined Network [SDN]: • Complexity of the network shifts towards the controller. • Brings simplicity and abstraction to the network operator. • SDN decouples the control plane from the data plane. • Migrates to a logically centralized software-based network controller. • Controller is network-aware. • Dynamic updating of traffic rules. 6/29/2017 3Government Engineering College, Barton Hill, Trivandrum
  • 4. SDN Architecture [3] 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 4
  • 5. 6/30/2017 Government Engineering College, Barton Hill, Trivandrum 5 • Application Plane: Contains SDN applications for various functionalities. • Control Plane: It is a logically centralized control framework that • runs the NOS, • maintains global view of the network, and • provides hardware abstractions to SDN applications. • Data Plane: It is the combination of forwarding elements used to forward traffic flows based on instructions from the control plane.
  • 6. OpenFlow [6]: • Communication protocol • A protocol - SDN controller communication with the network devices. • Standardizes the communication - a software-based controller and switches - Open Flow channel. • An OpenFlow-compliant switch exposes an abstraction of its forwarding table to the Open Flow controller. 6/29/2017 6Government Engineering College, Barton Hill, Trivandrum
  • 7. • An Open Flow Switch consists of at least three parts: • A Flow Table, • A Secure Channel, • The Open Flow Protocol. 6/30/2017 Government Engineering College, Barton Hill, Trivandrum 7
  • 8. EXISTING SYSTEM • Goal: To detect mobile malware by identifying suspicious network activities through real-time traffic analysis, which only requires connection establishment packets. • A simulation environment on SDN topology is created. • The TVC is implemented - used to detect malicious switches. • Each switch has its own threshold • The controllermaintains the maximum threshold of each switch from its working history. • Bandwidth between each switch is noted by the controller. • If the bandwidth crosses the actual bandwidth, then the flow to that particularswitch is blocked. • Maintained by the controller. • The controllerwill not assign flows through any switch beyond its thresholdvalue. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 8
  • 9. Controller Admin E-mail/SMS Notification 1 2 3 4 5 6 Incoming malicioustraffic Goes for traffic monitoring Finding malicious activities Flow to OF switch 2 stopped No malicious traffic reaches destination Source PC DestinationPC OF Switch 1 OF Switch 2 Normal packet Maliciouspacket Control Plane Data Plane SYSTEMDESIGN 6/29/2017 9Government Engineering College, Barton Hill, Trivandrum
  • 10. • Disadvantage of TVC: • Since there can be more flows which are not malicious and may try to enter, the controller blocks them. • Also some switches may not know the assigned TVC and may let in the packets. Here, they may also be blocked. • Thus, the controller here can be easily compromised. • Most common attack in SDN is Distributed Denial of Service which also in not possible to detect with TVC. • Therefore, to overcome this, SPRT method is introduced. 6/29/2017 10Government Engineering College, Barton Hill, Trivandrum
  • 11. PROPOSED SYSTEM • Goal: To propose an effective detection method for the DDoS attacks against SDN controllers by vast new low traffic flows. • The SDN controller is a vulnerable target of DDoS attacks. • Many packet-in messages maybe generated and sent to the controller exhausting it or failing it. • Breaks down a controller and disrupts the whole network. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 11
  • 12. TOOLS • Virtual Box (Version 5.1.12r112440) • Ubuntu 14.04 • Mininet 2.2.0 • Open Daylight Controller (Beryllium) • Miniedit 6/29/2017 12Government Engineering College, Barton Hill, Trivandrum
  • 13. IMPLEMENTATION 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 13
  • 14. EXISTING SYSTEM • Each switch has a threshold field. • The controller finds out the threshold value of each switch’s maximum traffic flows by learning from its working history. • The controller also knows the bandwidth between every two switches. • These information's will be maintained at the controller. • If the controller finds a threshold value greater than the normal value of a particular switch, it will detect it as malicious and isolate it from the network. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 14
  • 15. 6/29/2017 15Government Engineering College, Barton Hill, Trivandrum
  • 16. PROPOSED SYSTEM Detection based on SPRT: • Aim: To detect whether an interface is compromised. • Assumption: • Each switch is capable of obtaining statistical info of the incoming flows and reporting it to the controller (via OpenFlow, NetwFlow, sFlow). • Each flow statistics will pass our DDoS detection modules. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 16
  • 17. 6/29/2017 17 Government Engineering College, Barton Hill, Trivandrum
  • 18. Flow Classification[2]: • Normal flow • Low traffic flow Assignments: • Pr - Probability • Fb i – Flow event corresponding to sequence of flows • xi – sequence of flows • cb i - packet counts of flows in a flow event F • C – Threshold value ( can be obtained and recalibrated) • b – Observations (1,2,…, n) • H – Hypothesis • α – False positive • β – False negative • D – Detection function 6/29/2017 18Government Engineering College, Barton Hill, Trivandrum
  • 19. • Flow event Fb i is defines as Bernoulli random variable: Fb i = 1, if cb i <= Cmax 0, if cb i >= Cmax • After classification, function reports to attack detection function. 6/29/2017 19Government Engineering College, Barton Hill, Trivandrum
  • 20. Attack detection based on SPRT: • Analyzes the list of observed events to decide. • Consider H1 – detection of compromised interface H0 – normality • There are two types of errors: • False positive – acceptance of H1 when H0 is true • False negative – acceptance of H0 when H1 is true. • To avoid the two errors we introduce – α and β as the user defined probabilities of them, respectively. • The error rates should not exceed the α and β for false positive and false negative, respectively. 6/29/2017 20Government Engineering College, Barton Hill, Trivandrum
  • 21. • Consider Dn i as an evaluation of interface i’s behavior by detection function. Let Dn i be the probability ratio considering all n normal flow and low traffic flow events noted for interface i. • Upon receiving an event Fb, the detection function evaluates: Dn i = Ʃ ln Pr(F1 i,……..,Fn i | H1) Pr(F1 i,…….., Fn i | H0) • Since Fb is a Bernoulli random variable, let Pr(Fb i = 1| H0) = 1- Pr(Fb i = 0| H0) = λ1 Pr(Fb i = 1| H1) = 1- Pr(Fb i = 0| H1) = λ0 where λ1 > λ0 because a compromised interface is more likely to be injected into low traffic flows to overload controller 6/29/2017 21Government Engineering College, Barton Hill, Trivandrum
  • 22. • λ0 and λ1 are the probability distribution parameters for the flow events and affect the number of observations required for the detection function to reach a decision (either H0 or H1). • SPRT based detection method can be considered as a one dimensional random walk. • When low traffic, Fb i = 1, walk moves upward one step. • When normal, Fb i = 0, walk moves downward one step. • From this two boundaries A and B is produced. 6/29/2017 22Government Engineering College, Barton Hill, Trivandrum
  • 23. Testing compromised interface against a normal interface: • Given : Two boundaries A and B where B<A on basis of probability ratio, Dn i SPRT for H0 against H1 is set as: A = β / (1- α) B = (1- β) / α • The SPRT for H0 against H1 is given as : Dn i <= B : accept H0 and terminate the test. Dn i >= A : accept H1 and terminate the test. B < Dn i < A : continue the test process with an additional observation. 6/29/2017 23Government Engineering College, Barton Hill, Trivandrum
  • 24. RESULTS • Latency and throughput are the two most fundamental measures of network performance. • They are closely related, but whereas latency measures the overall delay in time for transmission of data between the start of an action and its completion, throughput is how much data has been transmitted in a given amount of time. • Therefore here we take the average latency and the throughput to compare between the two methods. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 24
  • 25. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 25 15.8373 14.9247 14.2378 13.8743 13.1289 12.7909 11.6848 10.4576 9.2378 8.9453 8.6953 7.9909 0 2 4 6 8 10 12 14 16 18 5 10 15 20 25 30 AVERAGELATENCY(MS) TIME(S) AVERAGE LATENCY THRESHOLD VALUE LATENCY SPRT LATENCY From this graph it is clear that the delay in overall data transmission of SPRT method is lesser compared to the TVC. Thus the quality of service of SPRT method is better than the TVC.
  • 26. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 26 123.5935 125.9403 128.5839 131.9643 138.8543 140.0955141.8343 143.5934 147.4898 153.3857 158.4872 163.8238 0 20 40 60 80 100 120 140 160 180 5 10 15 20 25 30 THROUGHPUT(MBPS) TIME(S) THROUGHPUT THRESHOLD VALUE THROUGHPUT SPRT THROUGHPUT From this graph it is understood that the data transmitted was more when the SPRT method was running in a particular time. Thus from this also we can understand that the quality od service of SPRT is better than TVC and also the success rate of data transmission is also more in SPRT.
  • 27. CONCLUSION • It can be concluded that it is challenging to choose a threshold value control for the SDN network as the controller and switches can be easily compromised. • SPRT detection method is a statistical tool which is a better method to detect malicious switch especially DDoS attack in SDN compared to the threshold value and thus removes the possibilities of compromised nodes. 6/29/2017 27Government Engineering College, Barton Hill, Trivandrum
  • 28. FUTURE WORKS • Implementation of a security method like OpenSec[4] can be implemented as a further protection in SDN. • Various types networks (tree, hierarchy) can be used to implement this method and an comparison can be done to find the better network performance. 6/29/2017 28Government Engineering College, Barton Hill, Trivandrum
  • 29. REFERENCES 1. Xiaodong Du, Ming Zhong Wang, Xiaoping Zhang, “Traffic based malicious switch Detection in SDN”, International Journal of Security and its applications, 2014. 2. Ping Dong, Xiaojiang Du, Hongke Zhang, “A detection Method for a Novel DDoS Attack against SDN Controllers by Vast New Low traffic Flows”, IEEE, 2016. 3. Diego Krutz, Fernando M.V. Ramos, Paulo Verissimo, “Software Defined Networking: A comprehensive Survey”, IEEE, 2014. 4. Adrian Lara and Byrav Ramamurthy, “OpenSec: Policy Based Security Using Software Defined Networking”, IEEE transactions on network and service management, 2016. 6/29/2017 29Government Engineering College, Barton Hill, Trivandrum
  • 30. 5. Mihai Nicolae, Laura Gheorge, “SDN Based Security Mechanism”, IEEE, 2015. 6. N. McKeown et al., “Open Flow: Enabling innovation in campus networks,” SIGCOMM Comput. Commun. Mar. 2008. 7. “http://sdnhub.org/tutorials/ryu/” 8. “http://mininet.org/walkthrough/” 9. “https://github.com/mininet/mininet” 10. “http://www.brianlinkletter.com/how-to-use-miniedit-mininets-graphical-user- interface/” 6/29/2017 30Government Engineering College, Barton Hill, Trivandrum
  • 31. THANK YOU 6/29/2017 31Government Engineering College, Barton Hill, Trivandrum
  • 32. SCREENSHOTS 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 32
  • 33. Starting a mininet with IP address eth1 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 33
  • 34. Starting open daylight controller 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 34
  • 35. Opening the open daylight controller with the IP address eth0 in the browser 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 35
  • 36. Creating a topology in the mininet terminal 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 36
  • 37. Viewing the topology in the browser 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 37
  • 38. Creating a topology in the miniedit 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 38
  • 39. Running the threshold value control program with waf in xterm. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 39
  • 40. Running the SPRT program with waf in xterm. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 40
  • 41. Flow can be viewed in Wireshark if needed 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 41
  • 42. Throughput plotted 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 42
  • 43. Latency plotted 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 43