Renyi Joint Entropy-Based Dynamic Threshold Approach to Detect DDoS Attacks against SDN Controller with Various Traffic Rates

Abstract

The increasing incidence of distributed denial-of-service (DDoS) attacks has made software-defined networking (SDN) more vulnerable to the depletion of controller resources. DDoS attacks prevent the SDN controller from processing all incoming data efficiently, potentially disrupting a network or denying legitimate users access to network services. Thus, the protection of the SDN controller is crucial, especially from the ones that exploit the SDN characteristics. In this paper, the authors propose an efficient detection approach for low- and high-rate DDoS attacks on the controller with a high detection rate and a low false positive rate by adapting a dynamic threshold algorithm rather than a static one and proposing a new rule-based detection mechanism. In addition, the proposed approach was evaluated using eight simulation scenarios representing all potential attacks against the SDN controller in terms of attack traffic rates (low or high), sources (either single or multiple hosts), and targets (single or multiple victims). The experiment results show that the proposed approach is more effective than the existing approaches based on attack detection and false positive rates.

1. Introduction

Software-defined networking (SDN) is a revolutionary network technology that will eventually replace traditional networks. SDN revolutionizes network management by offering creative solutions to traditional network challenges. As a result, various features distinguish SDN from traditional networks, such as a separation of the control plane and the data plane. The separation enables the SDN to provide data center operators with centralized network management through a controller [1,2,3], resulting in reduced operational costs by boosting the efficiency of network traffic management [4,5]. For example, the SDN allows the operators to comprehensively control network properties to meet the ever-changing network business requirements.

The controller’s importance to the SDN network makes it an appealing target for attackers looking to disrupt the network. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are two types of attacks that can cause network disruption [6]. There are many threats to the controller, but a DDoS attack is one of the most significant threats because it could shut down the entire network and prevent legitimate users from accessing network services [7,8]. DDoS attacks against the SDN controller can be launched using a variety of methods [9], such as flooding the network or the controller with vast amounts of packets or traffic to the point where the controller’s resources are exhausted and unable to handle subsequent incoming packets. Another way to flood the network hosts with massive traffic is by using spoofed source IP addresses, forcing the switches to send all incoming packets to the controller for processing. Eventually, the controller’s resources will be exhausted, affecting its ability to process incoming packets that result in network deterioration, network collapse, and the denial of legitimate users’ access to network services or resources [10].

A threshold mechanism is one of the techniques used for detecting DDoS attacks by enabling the identification of network traffic flow, whether normal or attack traffic [11,12]. However, it is not easy to effectively establish the threshold value since it is dependent on the network traffic flow characteristics. However, some researchers rely on observation and experimentation to determine the threshold value. The fundamental disadvantage of predefined threshold-based detection systems is that a fixed threshold may be useless if the attack traffic rate changes, resulting in a low DDoS attack detection rate and a high false positive rate [13]. Consequently, undetected DDoS attacks often exceed the threshold value, resulting in the controller being subjected to attack traffic.

Mousavi et al. [14] proposed a fixed threshold value based on their detection approach experiment to detect DDoS attacks on the SDN controller involving a single victim. Nonetheless, several current techniques that rely on a dynamic threshold in non-SDN networks to detect DDoS attacks, such as [15,16], contribute to our understanding of the dynamic threshold fundamentals to be implemented in the SDN environment. Furthermore, using the adaptive threshold improves the detection rate and decreases false positive rates.

The adoption rate of the SDN architecture is increasing due to the need to manage vast amounts of data and this requires the use of a controller that can be updated with new rules or instructions to manage new incoming traffic flows and be flexible enough to deal with various types of network traffic using a programmable controller [17,18]. Meanwhile, disruptive attempts on the SDN controller are becoming increasingly frequent with DDoS attacks. The most significant network threats are DDoS attacks with varying traffic rates (low or high). Many researchers have conducted studies on the security of SDN [19,20,21], including techniques related to detecting and mitigating DDoS attacks on SDN [22,23]. Meanwhile, techniques proposed for detecting DDoS attacks with varying attack rates have low accuracy and a high false positive rate when dealing with attacks targeting several victims. Therefore, this work offers a novel technique capable of detecting DDoS attacks with a high detection rate and a low false positive rate, regardless of attack traffic rate or victim number.

Many existing detection approaches are limited due to the reliance on a static threshold to detect DDoS attacks with varying attack traffic rates. Unfortunately, some entropy-based techniques [23,24] that depend on static thresholds cannot detect DDoS attacks with a high detection rate and low false positive rate, particularly when involving low-rate DDoS attacks on multiple victims [25,26,27]. Additionally, most existing detection approaches depend on a single incoming packet header feature to detect DDoS attacks on controllers launched by a single host on a single or on multiple victims. As a result, the detection rate is low and the false positive rate is high [28].

This paper contributes to the body of knowledge by (i) adapting a dynamic threshold that caters to varying DDoS attack traffic rates, resulting in reduced false positive rates and increased detection rates, and (ii) proposing a rule-based detection mechanism to detect DDoS attacks against the controller. Furthermore, the proposed approach is compared to the existing approaches using the proposed approach environment for different DDoS attack rates (low or high), sources of the attacks (single or multiple), and the number of victim hosts (single or multiple).

The paper is organized as follows: Section 2 presents the related work and the motivation behind this research, followed by Section 3, which presents the proposed DDoS attack detection approach. Section 4 describes the experimental result in terms of dataset generation, discusses the proposed performance evaluation, and compares the proposed approach with existing detection approaches. Finally, Section 5 summarizes this paper and recommends several directions for future research.

2. Related Work

Several significant studies on SDN security proposed approaches [29,30] to detect and mitigate DDoS attacks on SDN. Unfortunately, most existing approaches have limitations in detecting low- and high-rate DDoS attacks when both occur simultaneously. In addition, approaches for detecting DDoS attacks with different attack traffic rates have low detection rates and high false positive rates when attackers simultaneously attack multiple targets.

Similarly, many existing approaches for detecting DDoS attacks on the SDN have limitations in detecting DDoS attacks with different attack traffic rates since they rely on a static threshold. As a result, the controller is still vulnerable to DDoS attacks, which might bring the entire network down or deny legitimate users access to network services [31]. Therefore, a dynamic threshold is proposed in this work to detect DDoS attacks on SDN controllers that use varying traffic rates (low- and high-traffic attack rates), originate from single or multiple hosts, and target one or more victims. Consequently, the proposed method is expected to have a high detection rate and a low false positive rate for DDoS attack detection.

Fan et al. [32] proposed a fusion entropy method for computing network traffic randomness to detect DDoS attacks in the SDN network environment. A dataset was used to evaluate and test the proposed approach. Furthermore, the proposed approach effectively detects the attack by showing an entropy value 91.25% lower than the entropy value of normal traffic flow. However, the proposed approach uses a fixed threshold, which reduces detection rates and increases false positive rates. In addition, the information about the dataset and the features used to detect DDoS attacks is lacking. Finally, it is only limited to high-rate DDoS attacks.

Tan et al. [33] proposed a new technique for detecting DDoS attacks on SDN controllers that operates in the network’s data layer. The technique combines the k-means machine-learning method to leverage the rate features and asymmetry features of the traffic flow to be used in the detection trigger mechanism for detecting DDoS attacks. The collaboration between the control plane and the data plane resulted in highly accurate attack detection. However, the effectiveness of their proposed technique decreases when high-rate network traffic is involved.

Singh et al. [34] introduced a unique approach known as Jensen–Renyi divergence (JRD) based on information theory. The proposed method identifies DDoS attacks at a high rate in SDN-based network flows. Because there are fewer traffic characteristics to calculate, this approach has a reduced computing requirement. The detecting method begins with time intervals and then extracts the appropriate traffic characteristics (i.e., source and destination IP, source and destination port, and protocol operated). Finally, the technique calculates information theory metrics for detection using source IP addresses. The proposed technique, on the other hand, achieves lower performance, especially for low-rate DDoS attacks.

Wu et al. [35] proposed a machine-based factorization detection technique for detecting low DDoS attack traffic rates. The proposed method was integrated with a support vector machine (SVM) and extracted features to categorize low-rate DDoS attack traffic using the dynamic deletion of flow rules.

Wang et al. [36] proposed a new approach termed a safeguard scheme that mitigates DDoS attacks on the SDN controller (SGS). It uses behavior features for DDoS attack detection. The proposed method has two models. The first model detects any suspicious traffic in the data plane, and the second model is the controller’s dynamic defense in the control plane. The technique, however, is incapable of detecting low-rate DDoS attacks, and it relies on multiple controllers, which take longer to detect DDoS attacks.

Furthermore, Sahoo et al. [37] proposed an attack detection method for detecting low-rate DDoS attacks on the SDN controller by combining information distance and generalized entropy. The difference in probability distributions signals a DDoS attack on the network. Experiments with the proposed technique show that combining the information distance with the generalized entropy effectively detects low-rate DDoS attacks. However, it is hard to figure out the dynamic threshold because of the changing attack traffic rates in the traffic flow.

Mousavi et al. [28] proposed a detection technique based on the entropy method. The suggested technique analyzes network traffic flows to determine the likelihood of packets entering the flow. Their technique seems effective and lightweight for detecting attacks in the early stages. However, although the proposed technique aims to detect attacks early, it has some limitations that reduce its effectiveness. An example of such a limitation is using a constant threshold, which is ineffective for detecting different DDoS attack traffic rates and raises the false positive rate.

Hu et al. [38] proposed a FADM approach based on traffic flow statistical analysis of network traffic data gathered by the controller’s sFlow agent. Furthermore, the proposed technique uses the entropy method that determines the probability of packet features to quantify network traffic changes. In addition, it detects DDoS attacks using a machine-learning algorithm (SVM). However, the false positive rate considerably increases when there is a burst of DDoS attack traffic that targets multiple victims within a short period.

Additionally, Jiang et al. [39] presented a DDoS defense mechanism (EDDM) based on an entropy method. The proposed approach prevents DDoS attacks on legitimate network users during flash crowd situations by tracking the attack traffic flows. The EDDM has three steps based on traffic statistics collected inside a specific window size and used to determine the entropy value for detecting DDoS attacks. In the sFlow, the entropy value is compared to a static threshold to reveal the traffic packet rate that targets a specific victim. However, there is a latency in processing new packets, and detection accuracy is low for multi-victim attacks.

Several techniques for dealing with DDoS attacks that target a single victim have been developed and have high detection accuracy. However, several techniques [37,38] struggle with multiple-victim attacks. Attackers might exploit this limitation to execute attacks against the controller, disrupting the whole network. Meanwhile, [36,38] attempted to protect the controller against high-rate DDoS attacks targeting a single victim or multiple victims with a high detection accuracy rate and a low false positive rate. However, most of these techniques only depend on static thresholds.

Table 1. Summary of DDoS attack on SDN controller detection techniques.

Ref.	Method	Strengths	Limitations
[32]	Fusion Entropy	Detect high-rate DDoS attacks	- Cannot detect low-rate DDoS attacks - Rely on a static threshold
[33]	Machine-learning algorithm	Cooperative between control and data plane	- Inefficient detection for high-rate network traffic - Rely on a static threshold
[34]	Theory-based information	Detect high-rate DDoS attacks	- Low detection rate for multi-victim attacks - Rely on a static threshold
[35]	Factorization machine	Classify low-rate DDoS attacks	- Low detection rate for multi-victim attacks - Rely on a static threshold
[36]	Safe-Guard Scheme	Detect high-rate DDoS attacks against the controller	- Cannot detect low-rate DDoS attacks - Delay in detecting DDoS attacks - Rely on a static threshold
[28]	Entropy	Early detect DDoS attacks	- Low detection rate for multi-victim attacks - Rely on a static threshold
[37]	ID	Detect DDoS attacks targeting a single victim	- Low detection rate for multi-victim attacks - Rely on a static threshold
[38]	FADM	Classifies traffic flowDetect DDoS attacks	- High false positive rate for multi-victim attacks - Rely on a static threshold
[39]	EDDM	Prevent legitimate packets from being lost	- Low detection rate for multi-victim attacks - Rely on a static threshold

summarizes the existing DDoS attack detection techniques by highlighting their strengths and limitations.

As shown in Table 1, all existing approaches rely on a static threshold. The fixed threshold will be ineffective when the attack traffic rate varies. In addition, the existing approaches can only detect either low-rate or high-rate DDoS attacks, but not both, unlike the current proposed approach, which relies on a dynamic threshold that adopted EWMA [40]. The usage of a dynamic threshold highly contributes to the detection of DDoS attacks regardless of DDoS attack type (low-rate or high-rate).

3. Proposed Approach

This study’s contribution adapts a dynamic threshold for the accurate detection of DDoS attacks with a low false positive rate. The value is adjusted in response to the dynamic network traffic flows since the attack traffic flow behaviors vary depending on the specified window size. However, the difference between the low and high DDoS attack traffic rates does little to improve the performance of detection techniques that depend on a static threshold.

Adapting a dynamic threshold resulted in a lower false positive rate, a higher attack detection rate, and reduced time for selecting a threshold value since most attack detection techniques rely on observation and experimentation to find a fitting threshold value (static threshold). Furthermore, the dynamic threshold influences the technique’s performance to detect low- and high-rate DDoS attacks. In addition, determining threshold values is usually time-consuming because it depends on observation and experimentation. So, the proposed method aims to dynamically find the threshold for detecting different DDoS attack traffic rates by autonomously observing the network traffic for attacks targeting single or multiple victims.

The proposed approach’s dynamic threshold value depends on three variables: (i) the number of incoming network traffic flows into the controller, (ii) the rate of DDoS attack traffic flows triggered toward the host victims, and (iii) the Renyi joint entropy value within a specific time interval (t).

The Renyi joint entropy algorithm is a statistical method used to calculate packets’ randomness in network traffic flows over a specific time interval. The proposed Renyi joint entropy algorithm is based on two variables from the packet header features, source IP and destination IP addresses, symbolized as x and y. The Renyi joint entropy equation formula, Equation (1) [41], is based on generalizing Renyi joint entropy by merging two concepts: the joint entropy method and the Renyi method for analyzing the network traffic, which calculates the probability of each packet in the traffic flow within a specified time that depends on two packet header features to obtain the randomness of incoming traffic flows. Based on that, this work adopted the Renyi joint entropy equation method as an input to the dynamic threshold equation.

$$H_{RJ\alpha }\left(x,y\right)=\frac{1}{1-\alpha } {\mathit{log}}_2\begin{array}{c}\left({\displaystyle {\displaystyle \sum }_{i=1}^N}{\displaystyle {\displaystyle \sum }_{j=1}^M}p{\left(x_i{y}_j\right)}^{\alpha }\right) \end{array}$$

(1)

where $H_{RJ\alpha }\left(x,y\right)$ indicates Renyi joint entropy and α is a positive parameter and exposes the main mass (the concentration of events that occurred frequently). Thus, α is an arbitrary value between 0 and 1 to provide a more accurate result and reduce the variance between observed values, which leads to more stability and convergence for the proposed approach [42]. Thus, the α value is determined based on experimental observation and $P\left(x_i{y}_j\right)$ represents the probability distribution between the source IP (x) and the destination IP (y) during the time t.

Furthermore, Equation (1) is used to calculate the randomness of these packets in the traffic flow (i.e., source/destination IP address) within a certain time t. The attack behaviour and legitimate packet behaviour vary and this variation can cause fluctuations in the calculation of the threshold. The Renyi joint entropy algorithm, used in the calculation of the dynamic threshold, is found by the analysis of the incoming traffic flow statistics. Thus, we adopted the exponentially weighted moving average algorithm (EWMA) [40] in our proposed approach to generate a dynamic threshold method. The dynamic threshold depends on the Renyi joint entropy algorithm, which analyzes network traffic flow statistics collected by the SDN controller. Equation (2) is the basic EWMA equation.

$$EWM{A}_i=\left(1-\alpha \right)·EWM{A}_{i-1}+\alpha ·Y_i$$

(2)

where the $Y_i$ value is observed at a particular t time and $EWM{A}_i$ is the mean of historical data. In the proposed approach, $Y_i$ is exchanged with $H_{RJ\alpha }{\left(x,y\right)}_i$, as shown in Equation (3), to compute the randomness of both the source and the destination IP addresses of the packet header features.

$$EWM{A}_i=\left(1-\alpha \right)·EWM{A}_{i-1}+\alpha ·H_{RJ\alpha }{\left(x,y\right)}_i$$

(3)

where $EWM{A}_i$ is the current value of the EWMA and $EWM{A}_{i-1}$ is the previously calculated EWMA value. The initial value of the threshold adopted in this research is 1.31, based on the calculation by [43], which allows accurate calculation of the first value of the dynamic threshold. $H_{RJ\alpha }{\left(x,y\right)}_i$ is the currently measured value; therefore, the assumed current value is a Renyi joint entropy value for a specific time duration (a single-window size), and α is the smoothing factor that filters the noise of $H_{RJ\alpha }{\left(x,y\right)}_i$ and stabilizes EMWA; i $\ge 1$, $0<\alpha <1$ because the new threshold will be more precise based on the experiments to limit the value of false negative error, although this choice is somewhat arbitrary [40].

Moreover, the proposed approach depends on a rule-based detection mechanism, which has been used to detect DDoS attacks against the controller based on a statistical analysis of incoming network traffic flows. The proposed rule is based on the Renyi joint entropy value and dynamic threshold. A low- or high-rate DDoS attack within t time (window size) exists if the $H_{RJ\alpha }\left(x,y\right)$ value is less than the Th value; otherwise, the traffic is considered normal. Figure 1 shows the flowchart of the rule-based DDoS detection mechanism.

In Figure 1, Th is a dynamic threshold (refer to Equation (3)) and $H_{RJ\alpha }\left(x,y\right)$ denotes Renyi joint entropy (refer to Equation (1)). As stated before, contrary to some existing DDoS attack detection approaches that use a static threshold, as listed in Table 1, the proposed approach considers the rate and dynamic threshold of incoming attack traffic that feed the proposed rule-based detection mechanism to accurately detect DDoS attacks, regardless of attack traffic rates (low or high).

In a nutshell, the proposed adaptive dynamic threshold formula is capable of accurately detecting different DDoS attack traffic rates targeted at a single host victim or multiple host victims with a low false positive rate. Equation (3) is a general dynamic threshold formula used to find the optimal dynamic threshold based on Renyi joint entropy (refer to Equation (1)). Renyi joint entropy measures the randomness of the source and destination IP addresses of a packet in the network traffic flow that occurred within time t, which is used as a clue for detecting low- and high-rate DDoS attacks on an SDN controller, and proposes a new rule mechanism based on the dynamic threshold value and Renyi joint entropy value.

We use several scenarios to evaluate how the dynamic threshold method impacts the detection approach for low and high DDoS attack traffic rates. Thus, the optimal dynamic threshold value is found using various attack scenarios involving various attack sources (single or multiple hosts) that target single or multiple victim hosts. Based on this, the incoming packet’s behavior changes over time due to varying attack sources. As previously stated, the EWMA algorithm defines a dynamic threshold depending on changes in network traffic flow situations. Thus, the values keep changing through calculations automatically based on the evaluation of the current network traffic flow situation at a particular time. The adaptive threshold method facilitates attack detection. An attack is detected when the traffic behavior computed during a specified time exceeds or falls below the threshold value. In addition, a comparison between the Renyi joint entropy algorithm $H_{RJ\alpha }{\left(x,y\right)}_i$ and the dynamic threshold method $EWM{A}_i$ was made.

4. Experimental Result

The experimental step in the proposed approach topology has been used based on the existing approach topology, such as [28,44]. In this study, experiments were designed to conduct a quantitative research evaluation through a simulation of proposed approach scenarios that cover different attack scenarios. Simulation scenarios provide an easy assessment of the effectiveness of the proposed approach in terms of detecting DDoS attacks on the SDN controller. Figure 2 depicts the topology of the experimental SDN testbed. This section explains the dataset generation, performance evaluation, and the results in Section 4.1, Section 4.2 and Section 4.3, respectively.

4.1. Dataset Generation

This study generates several datasets based on the topology shown in Figure 2 to evaluate the effectiveness of the proposed approach in detecting low and high DDoS attack traffic rates on the controller due to a lack of available benchmark datasets. The generated databases include both normal and abnormal network traffic. Each dataset aggregates network traffic every 5 s, representing different attack scenarios. The attack scenarios are (i) a low-rate DDoS attack on a single victim host by a single host (LSS), (ii) a high-rate DDoS attack on a single victim by a single host (HSS), (iii) a low-rate DDoS attack on multiple victim hosts by a single host (LMS), (iv) a high-rate DDoS attack on multiple victim hosts by a single host (HMS), (v) a low-rate DDoS attack on a single victim host by multiple hosts (LSM), (vi) a high-rate DDoS attack on a single victim by multiple hosts (HSM), (vii) a low-rate DDoS attack on multiple victim hosts by multiple hosts (LMM), and (viii) a high-rate DDoS attack on multiple victim hosts by multiple hosts (HMM). These eight scenarios are replicated from previously published work [41]. The diversity of scenarios is required to evaluate the robustness of the proposed approach to detect DDoS attacks on SDN controllers under different circumstances. In addition, to the best of the authors’ knowledge, the employed dataset is the first to cover all DDoS attack scenarios on the SDN controller.

Each simulation scenario lasts 60 min. The results of the average detection rate and the false positive rate will be presented every 10 min.

Table 2. Total number of normal and attack traffic packets for eight different scenarios.

Dataset	Description	Number of Normal Packets in the Traffic	Number of Attack Packets in the Traffic	Attack Traffic Ratio
Dataset 1	LSS	226,800	18,000	7%
Dataset 2	HSS	226,800	118,800	34%
Dataset 3	LSM	226,800	18,000	7%
Dataset 4	HSM	226,800	118,800	34%
Dataset 5	LMS	219,600	54,000	19%
Dataset 6	HMS	219,600	356,400	62%
Dataset 7	LMM	219,600	54,000	19%
Dataset 8	HMM	219,600	356,400	62%

lists the total number of normal and attack traffic packets in a DDoS attack targeting a single victim for 60 min in eight different scenarios.

The virtual network topology created on the Mininet network emulator comprises 64 hosts with IP addresses ranging from 10.0.0.1 to 10.0.0.64; a POX controller; an OpenFlow [45] switch, which has been widely used by researchers, such as by [28] and [44]; therefore, it has been selected in this research; and an attacker running Kali Linux, a Debian-based Linux distribution built for penetration testing and security research. All hosts run Ubuntu Linux OS and Python programming language. Furthermore, the experiment’s workstation runs on a 2.20 GHz Intel^® Core i5-5200U CPU with 8 GB of RAM and a 500 GB hard drive.

Suppose a single attack packet is sent in 0.2 s, then the send rate is five packets per second. Therefore, every five seconds, the total number of attack packets sent will be 25. The five packets per second sent rate indicates a low-rate DDoS attack, as stated in [44]. Meanwhile, for the high-rate attack scenario, if a single attack packet is sent in 0.03 s, then the total number of attack packets sent per second is 33. The 33 packets per second sent rate indicates a high-rate DDoS attack, according to [44].

Therefore, for a single attacker scenario with a low DDoS attack traffic rate, the total number of attacks and normal packets sent in five seconds is 25 and 63 × 5 = 315, respectively, regardless of the number of targets (single or multiple victims). As for the multiple attacker scenario with a low-rate DDoS attack, the total number of attacks and normal packets sent in five seconds is 75 and 61 × 5 = 305, respectively, regardless of the number of targets (single or multiple victims). Meanwhile, in a single attacker scenario with a high-rate DDoS attack, the total number of attacks and normal packets sent in five seconds is 166 and 63 × 5 = 315, respectively, regardless of the number of targets (single or multiple victims). As for the multiple attacker scenario with a high DDoS attack traffic rate, the total number of attacks and normal packets sent in five seconds is 500 and 61 × 5 = 305, respectively, regardless of the number of targets (single or multiple victims). However, due to the SDN characteristics that only forward a packet with a unique IP address towards the controller, only 63 or 61 packets are forwarded to the controller.

Consequently, using Equation (4), the attack traffic ratio within a 60 min window for single or multiple hosts’ low-rate DDoS attacks is 7% and 19%, respectively. Moreover, the attack ratio within the 60 min window for single or multiple hosts’ high-rate DDoS attacks is 34% and 62%, respectively.

$$ATTackTrafficRatio=\frac{AttackPacket}{packettotal}\times 100\%$$

(4)

where $AttackPacket$ denotes the number of attack packets and $PacketTotal$ represents the total number of packets generated throughout the simulation.

This work utilizes a new dynamic threshold based on the Renyi joint entropy values and proposes a rule-based detection mechanism to detect low- and high-rate DDoS attacks. Figure 3 illustrates the flowchart of the proposed approach.

As shown in Figure 3, the proposed approach consists of three core steps: (i) calculation of Renyi joint entropy to calculate the network traffic randomness, based on ($H_{RJ\alpha }{\left(x,y\right)}_i$); (ii) calculation of the dynamic threshold (Th), based on $H_{RJ\alpha }{\left(x,y\right)}_i$; and (iii) rule-based detection to detect DDoS attacks, based on Th and $H_{RJ\alpha }{\left(x,y\right)}_i$).

4.2. Performance Evaluation

The proposed approach was evaluated using well-known metrics, which are also used by existing research [46,47]: detection rate (DR) and false positive rate (FPR). The calculation of these metrics is based on confusion metrics attributes shown in

Table 3. Attributes of the confusion matrix.

Predicted Class
		Attack	Normal
Actual Class	Attack	True Positive	False Negative
	Normal	False Positive	True Negative

, while

Table 4. Description of confusion matrix attributes.

Metric	Description
True Positive (TP)	The data instance is correctly predicted as an attack by the classifier.
False Negative (FN)	The data instance is wrongly predicted as a normal instance.
False Positive (FP)	The data instance is wrongly classified as an attack.
True Negative (TN)	The instance is correctly classified as a normal instance.
Detection Rate (DR)	Calculated as the percentage of the correctly detected DDoS attack to the summation of the total number of attacks.

The equations used to calculate DR and FPR are as follows: detection rate (DR) = TP/TP + FN; false positive rate (FPR) = FP/FP + TN.

shows the description of these attributes.

4.3. Results

This section presents the analysis of the proposed approach’s performance in improving the DR and reducing the FPR for detecting low- and high-rate DDoS attacks on the controller, targeting single or multiple victims. The proposed approach’s performance was evaluated using eight simulation scenarios with varying attack traffic rates to measure the average DR and FPR. The proposed approach yielded the following results for low- and high-rate DDoS attack scenarios.

Figure 4 shows the proposed approach’s DR and FPR in detecting low-rate DDoS attacks. In this scenario, a single host or multiple hosts launch DDoS attacks on the SDN controllers regardless of the number of targets, with a low attack traffic ratio of up to 7 % and 19 %, respectively. In addition, the host acting as the attacker generates packets with unique spoofed IP addresses to trigger low-rate DDoS attacks. Since the switch’s flow table does not yet have any record of these source IP addresses, the packets will be forwarded to the controller for further processing and action.

Although the DDoS attack traffic rate is low (0.2/s) and similar to normal traffic, the proposed approach’s DR ranges between 95.11 % to 96.98 %, which means the proposed approach can accurately detect low-rate DDoS attacks against the controller. Meanwhile, the FPRs range from 3.02% to 4.90%. The detection effectiveness is due to the dynamic threshold that changes its value according to the varying network traffic rates within t time.

Meanwhile, Figure 5 shows the proposed approach’s DR and FPR in detecting high-rate DDoS attacks. In this scenario, a single host or multiple hosts launch DDoS attacks on the SDN controllers regardless of the number of targets, with a high attack traffic ratio of up to 34 to 62%. In addition, the host acting as the attacker generates spoofed IP packets with unique IP addresses to trigger high-rate DDoS attacks.

Figure 5 shows the proposed approach’s DDoS attack detection ratios at 34%, and 62% of the high attack traffic rates range between 99.03% to 97.03%, which means the proposed approach can accurately detect high-rate DDoS attacks on the SDN controller. Meanwhile, the FPR range is between 0.97% to 2.97% for high-rate DDoS attack scenarios.

Meanwhile, the proposed approach’s performance was compared with two existing approaches dependent on the entropy algorithm [28], the fusion entropy algorithm [32], and information theory [34]. Since the entropy technique is the basis for all entropy-based methods, those approaches share the same common limitations. For instance, the reliance on a fixed threshold to detect different DDoS attack traffic rates targeting single or multiple hosts makes it challenging to detect low-rate DDoS attacks with a high DR and low FPR. In this study, the comparison uses eight attack simulation scenarios and two evaluation metrics, DR and FPR.

The rest of this section first discusses the performance of the approaches [28,32,34] in detecting low and high DDoS attack traffic rates, regardless of whether the target is a single or multiple victims, then compares the results with the proposed approach.

Table 5. Comparison of proposed approaches vs. existing approaches using all scenarios.

Scenarios	Approaches	Average DR	Average FPR
LSS	[28]	89.33%	10.67%
	[32]	92.5%	7.5%
	[34]	95%	5%
	Proposed Approach	96.55%	3.45%
LSM	[28]	78.17%	21.83%
	[32]	89.88%	10.12%
	[34]	92.5%	7.5%
	Proposed Approach	95.10%	4.90%
LMS	[28]	90.88%	9.12%
	[32]	93.17%	6.83%
	[34]	94.2%	5.8%
	Proposed Approach	96.98%	3.02%
LMM	[28]	88.00%	12.00%
	[32]	91.25%	8.75%
	[34]	93.8%	6.2%
	Proposed Approach	95.78%	4.22%
HSS	[28]	94.92%	5.08%
	[32]	95.17%	4.83%
	[34]	97%	3%
	Proposed Approach	98.44%	1.56%
HSM	[28]	94.00%	6.00%
	[32]	95.05%	4.95%
	[34]	96.6%	3.4%
	Proposed Approach	97.03%	2.97%
HMS	[28]	97.00%	3.00%
	[32]	98.17%	1.83%
	[34]	98.5%	1.5%
	Proposed Approach	99.03%	0.97%
HMM	[28]	95.75%	4.25%
	[32]	97.55%	2.45%
	[34]	97.88%	2.12%
	Proposed Approach	98.11%	1.89%

compares the DR and FPR for all eight attack scenarios.

As shown in Table 5, the proposed approach outperformed existing approaches even though the attack traffic of the low-rate DDoS attack is almost indistinguishable from normal traffic flows. Therefore, the existing detection approaches need more statistical analysis within t time of the incoming network traffic to conduct further analysis of the DDoS attack behavior. The difference in the performance is because the proposed approach utilizes a dynamic threshold instead of a fixed threshold utilized by the existing approaches.

The experiments were performed on the proposed approach and the existing approaches [28,32] to prove the proposed approach could accurately detect low- and high-rate DDoS attacks on SDN controllers by single or multiple attackers regardless of whether the target is a single victim or multiple victims with high DR, without adding significant overhead to the SDN controller.

The difference in DR and FPR in Figure 3 and Figure 4 is due to the varying DDoS attack traffic rates. The highest DR and lowest FPR are obtained when multiple attackers target single or multiple victims with high-rate DDoS attacks. Meanwhile, the highest DR and FPR are obtained when a single attacker targets a single victim or multiple victims with a low-rate DDoS attack. The difference between high- and low-rate DDoS attacks is noticeable in the number of attack traffic flows that the victims receive.

Based on the average DDoS attack DRs, the results show that the proposed approach enhances the accuracy of DDoS attack detection. Similarly, when compared to the existing approaches, the proposed approach decreases average FPRs, as depicted in Figure 6, Figure 7 and Figure 8.

Figure 6, Figure 7 and Figure 8 show the proposed approach’s enhancement over the existing approach to detect DDoS attacks in terms of the DR and the FPR for all attack simulation scenarios. Meanwhile, the proposed approach outperformed existing approaches in all scenarios by reducing the average FPR. The low average FPR in Figure 6, Figure 7 and Figure 8 demonstrates the proposed approach’s performance against low and high DDoS attack rates, targeting either a single victim or multiple victims. On the other hand, the existing approaches have a high average FPR, primarily due to static thresholds.

5. Conclusions

An enormous amount of various traffic flows heading toward the SDN controller could overload it and exhaust the controller’s resources, resulting in the collapse of the whole SDN network. Therefore, the controller must be able to handle both high- and low-rate traffic flows efficiently. The main goal of this study was to detect DDoS attacks on SDN controllers regardless of the attack traffic flow rates, the source of the attack, or the number of victims, with a high DR and a low FPR. The goal was achieved by utilizing a dynamic threshold adaptable to varying incoming traffic rates, reducing false positive rates, and obtaining a higher DR.

This study adapted a dynamic threshold and the newly proposed rule-based detection mechanism to detect DDoS attacks on the SDN controller with different attack traffic rates. The proposed approach depends on a dynamic threshold and rule-based detection mechanism to reduce the FPR and increase the DR of the DDoS attack detection approach, which adapts to variations in the rates of the attack traffic. Thus, the dynamic threshold used the generalized Renyi joint entropy values as the input. Meanwhile, the rule-based DDoS attack detection used Renyi joint entropy values and dynamic threshold values. Future research could investigate the hybridization of the dynamic threshold with other information-theory-based algorithms. In addition, the rules can be generated using machine-learning algorithms.