TY - GEN
T1 - Detecting Saturation Attacks in SDN via Machine Learning
AU - Khamaiseh, Samer
AU - Serra, Edoardo
AU - Li, Zhiyuan
AU - Xu, Dianxiang
N1 - Publisher Copyright:
© 2019 IEEE.
PY - 2019/10
Y1 - 2019/10
AB - Software Defined Networking (SDN) is a network paradigm that simplifies network management by separating the control plane from the data plane. Studies have shown that an SDN may suffer a high packet loss rate and long forwarding delays when the OpenFlow channel between switches and controller is overwhelmed by a saturation attack. Existing approaches have focused on detecting saturation attacks caused by TCP-SYN flooding through periodic analysis of network traffic. They have two shortcomings. First, they cannot detect other types of saturation attacks, in particular unknown ones. Second, they rely on a predetermined time window of network traffic and therefore cannot determine which window length is appropriate for effective detection. To address these problems, this paper first investigates how the time window applied to OpenFlow traffic affects the detection performance of three classification algorithms: the Support Vector Machine (SVM), the Naïve Bayes (NB) classifier, and the K-Nearest Neighbors (K-NN) classifier. We built and analyzed a total of 150 models on OpenFlow traffic datasets generated from both physical and simulated SDN environments. The experimental results show that the chosen time interval of OpenFlow traffic strongly influences detection performance: larger time windows may reduce it. In addition, by applying suitable time windows of OpenFlow traffic we achieved reasonable accuracy in detecting unknown attacks.
KW - Anomaly detection
KW - Machine learning
KW - OpenFlow
KW - Saturation attack
KW - Software-defined networking
UR - https://www.scopus.com/pages/publications/85075400904
U2 - 10.1109/CCCS.2019.8888049
DO - 10.1109/CCCS.2019.8888049
M3 - Conference contribution
AN - SCOPUS:85075400904
T3 - 2019 4th International Conference on Computing, Communications and Security, ICCCS 2019
BT - 2019 4th International Conference on Computing, Communications and Security, ICCCS 2019
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 4th International Conference on Computing, Communications and Security, ICCCS 2019
Y2 - 10 October 2019 through 12 October 2019
ER -
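The abstract's central point is that the detector's input is OpenFlow control-channel traffic cut into fixed time windows, and that the window length changes what the classifier sees. The block below is an added illustration, not the authors' code, data or feature set: it constructs a synthetic OpenFlow message trace with a PACKET_IN flood in the middle, turns it into one feature vector per window, and classifies the windows with a hand-written K-NN (one of the three classifiers the paper compares). The feature choice (PACKET_IN rate, FLOW_MOD rate, distinct sources, share of the busiest source), the flood parameters, the assumption that the controller answers every PACKET_IN with a FLOW_MOD, and the two-trace train/test split are all assumptions made for the example.

```python
"""Time-windowed OpenFlow control-channel features + K-NN, to show how the
window length changes what a saturation detector sees.

Added example, not the paper's code or data.  The OpenFlow trace is
constructed in synth_trace(); the feature set and the K-NN are illustrative
assumptions, not the paper's 150 models."""
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class OFEvent:
    ts: float   # seconds since start of capture
    msg: str    # OpenFlow message type seen on the controller channel
    src: str    # source IP in the PACKET_IN payload ("" for other messages)


def synth_trace(seed, duration=60, attack=(30, 36), attack_rate=400):
    """Constructed trace: 3-8 PACKET_INs/s from five real hosts, each answered
    by a FLOW_MOD (assumed controller behaviour); during `attack` a flood of
    `attack_rate` PACKET_INs/s with spoofed sources, still answered one by one."""
    rng = random.Random(seed)
    hosts = [f"10.0.0.{i}" for i in range(1, 6)]
    events = []
    for sec in range(duration):
        in_attack = attack[0] <= sec < attack[1]
        rate = attack_rate if in_attack else rng.randint(3, 8)
        for j in range(rate):
            ts = sec + j / rate
            if in_attack:  # spoofed, effectively unique source per packet
                src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
            else:
                src = rng.choice(hosts)
            events.append(OFEvent(ts, "PACKET_IN", src))
            events.append(OFEvent(ts + 0.0005, "FLOW_MOD", ""))
    return events


def window_features(events, window, duration):
    """Bucket events into fixed windows of `window` seconds and return one
    feature vector per window: (PACKET_IN/s, FLOW_MOD/s, distinct PACKET_IN
    sources, share of PACKET_INs from the single busiest source)."""
    n = math.ceil(duration / window)
    buckets = [[] for _ in range(n)]
    for e in events:
        buckets[min(int(e.ts // window), n - 1)].append(e)
    feats = []
    for i, b in enumerate(buckets):
        length = min(window, duration - i * window)  # last window may be short
        pins = [e for e in b if e.msg == "PACKET_IN"]
        fmods = sum(1 for e in b if e.msg == "FLOW_MOD")
        srcs = Counter(e.src for e in pins)
        top = max(srcs.values()) / len(pins) if pins else 0.0
        feats.append((len(pins) / length, fmods / length, len(srcs), top))
    return feats


def window_labels(window, duration, attack):
    """Ground truth per window: 'attack' if the window overlaps the attack span."""
    n = math.ceil(duration / window)
    return ["attack" if i * window < attack[1] and (i + 1) * window > attack[0]
            else "benign" for i in range(n)]


def fit_scaler(vectors):
    """Min-max scaling fitted on the training windows; K-NN needs comparable axes."""
    lo = [min(c) for c in zip(*vectors)]
    hi = [max(c) for c in zip(*vectors)]
    return lambda v: tuple((x - l) / (h - l) if h > l else 0.0
                           for x, l, h in zip(v, lo, hi))


def knn_predict(train, query, k=3):
    """Majority vote among the k nearest training windows (Euclidean distance)."""
    nearest = sorted((math.dist(v, query), lab) for v, lab in train)[:k]
    return Counter(lab for _, lab in nearest).most_common(1)[0][0]


def evaluate(window, duration=60, attack=(30, 36), k=3):
    """Train on one constructed trace, test on a second one with a different
    seed. Returns (true positives, false positives, attack windows in test)."""
    labels = window_labels(window, duration, attack)
    train_f = window_features(synth_trace(1, duration, attack), window, duration)
    scale = fit_scaler(train_f)
    train = [(scale(v), lab) for v, lab in zip(train_f, labels)]
    test_f = window_features(synth_trace(2, duration, attack), window, duration)
    preds = [knn_predict(train, scale(v), k) for v in test_f]
    tp = sum(p == "attack" and l == "attack" for p, l in zip(preds, labels))
    fp = sum(p == "attack" and l == "benign" for p, l in zip(preds, labels))
    return tp, fp, labels.count("attack")


if __name__ == "__main__":
    for w in (1, 5, 10):
        feats = window_features(synth_trace(2), w, 60)
        peak = max(f[0] for f in feats)
        print(f"window={w:2d}s  peak PACKET_IN/s={peak:6.1f}  "
              f"(tp, fp, attack windows)={evaluate(w)}")
```

Two effects of the window length are visible on this constructed trace. With 1 s windows the six flood seconds appear as six windows at 400 PACKET_IN/s and hundreds of distinct sources, far from any benign window, and the K-NN labels all six correctly with no false positives. With 10 s windows the same flood is averaged with four benign seconds (roughly 240 PACKET_IN/s) and, more importantly for K-NN, the trace yields only one attack window, which can never win a 3-vote; the detector misses it entirely. That is one concrete mechanism behind the abstract's observation that larger windows can reduce detection performance, though on real data the trade-off also depends on the feature set and the classifier, which is what the paper's 150 models measure.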