Article

Comparative Study of AI-Enabled DDoS Detection Technologies in SDN

1 Department of Computer Engineering, Sangji University, Wonju City 26339, Republic of Korea
2 Department of Computer and Software Engineering, Wonkwang University, Iksan City 54538, Republic of Korea
* Author to whom correspondence should be addressed.
Appl. Sci. 2023, 13(17), 9488; https://doi.org/10.3390/app13179488
Submission received: 8 August 2023 / Revised: 17 August 2023 / Accepted: 21 August 2023 / Published: 22 August 2023
(This article belongs to the Section Computing and Artificial Intelligence)

Abstract

Software-defined networking (SDN) is becoming the standard for the management of networks due to its scalability and its flexibility in programming the network. SDN provides many advantages, but it also involves some specific security problems; for example, the controller can be taken down using cyber attacks, which can result in the whole network shutting down, making it a single point of failure. In this paper, DDoS attacks in SDN are detected using AI-enabled machine and deep learning models with some specific features for a dataset of normal and DDoS traffic. In our approach, the initial dataset with 84 features is collected from Kaggle and then the 20 top features are selected using a permutation importance algorithm. The dataset is learned and tested with five AI-enabled models. Our experimental results show that the use of a machine learning-based random forest model achieves the highest accuracy rate of 99.97% in DDoS attack detection in SDN. Our contributions through this study are, firstly, that we found the top 20 features that contributed to DDoS attacks. Secondly, we reduce the time and cost of comparing various learning models and their performance in determining a learning model suitable for DDoS detection. Finally, various experimental methods to evaluate the performance of the learning model are presented so that related researchers can utilize them.

1. Introduction

SDN [1] has gained popularity due to the services and benefits that it provides, such as scalability, flexibility, and monitoring [2]. In the past decade, devices connected to the internet have increased enormously, which has led to different problems with traditional networks, and one of them is the management of networks. To resolve this issue, a new paradigm, software-defined networking, has been proposed. The whole network’s management and configuration is performed through a controller, which simplifies the network management [3]. The separation of the control and data planes plays a critical role by providing high performance in large-scale network systems, but the simplified network management comes with the cost of centralization. In an SDN environment, one can simply enforce policy and network configurations in real time through the controller [4].
However, the controller is a single point that has the ability to control the whole network, and if the controller is compromised, then the whole network can fall under attack. The SDN controller exposes the network to a variety of security threats; among them are DDoS attacks. A DDoS can render the controller or OpenFlow switch overwhelmed if the network is not reasonably secured. In a DDoS attack, a number of bogus requests are sent to the controller, which makes the network slow and affects the legitimate traffic. DDoS attacks also expose the data plane through the flow table. To protect the SDN controller from DDoS attacks, intrusion detection systems have been used in the network to sniff the packets and alert the administrator when a DDoS attack is detected, and many researchers have conducted research aimed at detecting and mitigating DDoS attacks using different techniques. Recently, machine and deep learning-based approaches have been shown to be more dynamic, efficient, and intelligent solutions for SDN management. In this paper, we study both approaches, aiming to determine the most suitable artificial intelligence algorithm to detect a DDoS attack in SDN.
The goal of this paper is to detect a DDoS attack in an SDN environment without compromising the security and affecting the legitimate traffic, ensuring high-level security against DDoS attacks on SDN. We achieve this through applying different machine and deep learning algorithms. Firstly, the traffic is analyzed by SDN controller rules set by the network administrator. We further analyze the traffic and divide it into legitimate and attack traffic using different algorithms. We use machine learning-based random forest, decision tree and naïve Bayes algorithms and a deep learning-based convolution neural network and recurrent neural network for the classification of traffic. For the learning and testing of the model, we use the Kaggle dataset to check the DDoS detection performance. Finally, the 20 features that affect DDoS detection are determined by applying the two-step permutation importance algorithm (PIA) to the original Kaggle data.
Our contributions in this paper are as follows. Firstly, it is possible to reduce the amount and collection time for DDoS attack datasets, which affects the performance of the learning model. Secondly, we can reduce the time and cost of comparing various learning models and their performance in determining a learning model suitable for DDoS detection. We verify that it is possible to reduce the detection time of DDoS and appropriately utilize it when determining a detection model. Finally, various experimental methods to evaluate the performance of the learning model are presented so that related researchers can utilize them. Based on the results of this study, we are currently developing a new learning model for DDoS detection and mitigation in a blockchain network environment and are conducting experiments and verification in real environments.
The rest of the paper is organized into the following sections. Section 2 describes the research background and related work previously conducted regarding the detection of DDoS attacks in SDN. Section 3 presents our methodology and a model overview in detail for the experiments. Section 4 contains the experiments and analysis, which also includes the experimental environment, and finally Section 5 presents the conclusions and future works.

2. Research Background and Motivations

2.1. Background

Software-defined networking has simplified network management and provides the easiest way to manage the network infrastructure through the SDN controller and programmable switches. However, SDN has some major issues and researchers are continually trying to overcome them. We discuss briefly the issues related to SDN DDoS detection in the following subsections. The main component of SDN is a controller, which controls the whole infrastructure of the network and provides simplified network management. There are three layers in an SDN architecture: firstly, the application layer, which provides a facility for the network to interact with applications; secondly, the control plane layer, which is considered as the brain of SDN because it controls the network flow; lastly, the infrastructure layer, which is responsible for traffic forwarding. A preliminary step that takes place before the actual packet forwarding in an SDN network includes the discovery of the topology [5]. The SDN controller keeps the updated information related to the data plane using the OpenFlow discovery protocol, while all other network devices using the Link Layer Discovery Protocol advertise their identities and neighbors in the network.
In [6], the authors state that “a DDoS is an attack on a server where a massive number of packets are sent to create an outage or service degradation for legitimate user”. According to [7], the attacker’s main focus is resource consumption and bandwidth reduction. Thus, the detection of these attacks is necessary to protect the network. The attacker has two main targets: controllers and network elements. To protect the network from DDoS attacks, we must monitor and analyze the network traffic to identify malicious traffic. The detection of DDoS attacks is very complicated because malicious traffic appears as normal traffic. Even if we identify the attack traffic, we cannot block the attacker’s IP due to IP spoofing. When the SDN suffers from DDoS attacks, the switch eventually loses its connection to the controller. It will look for another controller if there is a standby controller available and then it will connect with it [8,9,10]. In terms of time-based techniques, the time characteristics are an important factor in attacks such as DDoS. The authors of [11] proposed a technique that uses the time duration to detect DDoS attacks and uses the time pattern to prevent attacks in the future. Such solutions are not sufficient to respond to the current attacks. A small window and short-term statistic can be used in an SDN network, as in [12], which proposed an entropy-based DDoS detection scheme that was used in a non-SDN network. This method uses the randomness to calculate the number of incoming packets to specific hosts [13] and then it compares this to a threshold value. The detection is based on a comparison of the results. In [14], the authors proposed an entropy-based technique to detect DDoS attacks, but there is no solution to mitigate them in the future. There is a need for some intelligent algorithms to detect these attacks.
Table 1 shows the recent research methods applied in detecting DDoS attacks and the advantages and disadvantages of each.
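
The entropy-based, short-window detection idea described above can be sketched as follows. This is an added example, not code from the paper or from the cited works; the window size, threshold, consecutive-window rule, host addresses and packet stream are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# Constructed host addresses (assumption: a small emulated network).
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def normalized_entropy(dsts, n_hosts):
    """Shannon entropy of the destination-IP distribution, scaled to [0, 1].

    1.0 means packets are spread evenly over all hosts; values near 0 mean
    the traffic in this window converges on very few destinations.
    """
    total = len(dsts)
    h = -sum((c / total) * math.log2(c / total) for c in Counter(dsts).values())
    return h / math.log2(n_hosts)


def detect(dst_stream, n_hosts, window=20, threshold=0.6, consecutive=2):
    """Slide a fixed-size window over packet destinations and compare the
    window entropy with a threshold.

    An alert is raised only after `consecutive` low-entropy windows in a row,
    so a single short burst does not trigger it. Returns a list of
    (window_index, most_targeted_host, entropy) tuples.
    """
    alerts, streak = [], 0
    for start in range(0, len(dst_stream) - window + 1, window):
        win = dst_stream[start:start + window]
        h = normalized_entropy(win, n_hosts)
        streak = streak + 1 if h < threshold else 0
        if streak >= consecutive:
            victim = Counter(win).most_common(1)[0][0]
            alerts.append((start // window, victim, round(h, 3)))
    return alerts


def balanced_window():
    """Constructed sample: 20 packets spread evenly over the four hosts."""
    return [HOSTS[i % len(HOSTS)] for i in range(20)]


def flood_window(victim):
    """Constructed sample: 17 of 20 packets go to one host."""
    return [victim] * 17 + [h for h in HOSTS if h != victim]


def sample_stream():
    """Three normal windows followed by three windows concentrated on .3."""
    stream = []
    for _ in range(3):
        stream += balanced_window()
    for _ in range(3):
        stream += flood_window("10.0.0.3")
    return stream


if __name__ == "__main__":
    for idx, victim, h in detect(sample_stream(), n_hosts=len(HOSTS)):
        print(f"window {idx}: entropy {h} below threshold, target {victim}")
```

A fixed threshold is the weak point the text notes: it has to be tuned per network, and it only signals that traffic is concentrating on one host, not why.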

2.2. Related Works and Research Motivations

We discuss some machine learning and deep learning-based solutions. The authors of [15] used different machine learning algorithms for the detection of DDoS attacks in an SDN environment and compared the results. Ref. [16] provided a survey of current research related to the security of the SDN paradigm. In [17], the authors proposed a lightweight DDoS attack detection mechanism. In [18], an energy-based model was proposed, with recurrent, conventional and fully connected components, and the reported F-measure was 73.9% and 73.2%. In [19], a deep neural network was used for anomaly detection, with a 75% F-measure. In [20], three hidden layers and one output layer were used. Two hidden layers trained the model using Autoencoder, and classification took place in the last layer using SoftMax. They reported a 97% F-measure. In [21], the authors designed FCN, VAE and LSTM-Seq2Seq structures for anomaly detection in a network and stated that the LSTM-Seq2Seq structure yielded 99% classification accuracy. In [22], a study was conducted to detect DDoS in a cloud environment by applying multiple regression analysis to the CICIDS 2017 benchmark dataset. In order to detect DDoS attacks in real time, big data access methods have been studied [23], and research to detect Botnet attacks has also progressed [24,25,26]. Recently, research aimed at detecting and mitigating DDoS attacks based on machine learning [27,28,29,30] and deep learning [31,32] has been conducted.
The motivation of our study is to devise an excellent DDoS detection performance model by comparing existing machine learning and deep learning models in an SDN environment. The fundamental intention of our study is to reduce the developer’s initial burden by presenting a comparison of the detection performance of the existing models when developing a new AI-enabled DDoS detection model. Initially, we apply 84 DDoS candidates’ data in the original Kaggle dataset, and the features affecting detection are reduced to 64 and 20. After analyzing the DDoS dataset collected from the first Kaggle dataset, 84 candidates’ data are manually selected. In the next step, a meaningful dataset for DDoS attacks is determined step by step using the permutation importance algorithm. In this process, it is confirmed that even if various types of DDoS attacks occur, the top 20 attacks that affect the performance of SDN are affected. Through this, it can be used to construct a dataset that affects the design of a new learning model for DDoS attack detection. In many related studies, the DDoS detection performance and time are the main factors. Thus, we conduct a study that compares the DDoS detection performance and time. These studies provide the basis for selecting an appropriate learning model for subsequent researchers. We also provide DDoS attack information that has a fatal impact on SDNs.

3. Model Overview and Methodology

3.1. Model Overview

The DDoS attacks have become more complex and challenging with the emergence of new technologies. Generally, network traffic consists of normal and malicious traffic. This traffic needs to be monitored and analyzed by organizations to prevent the violation of policies and protect against attacks. A major approach that has been popular in recent years in the research community is the use of machine learning techniques in SDN. There are machine learning-based techniques that have been used to develop network intrusion detection systems. The deep learning-based techniques have both supervised and unsupervised learning qualities. Convolution neural networks and recurrent neural networks, as classifier models, also are being utilized for the detection of DDoS attacks. In this paper, in order to evaluate the DDoS detection performance, a feature is first selected from 84 features and 20 key attacks are finally selected, as shown in Figure 1. Figure 2 shows the structure and parameters of the CNN and RNN.

3.2. Experimental Dataset

In this section, we describe how the dataset is obtained from Kaggle [33] and the features of the dataset are explained. DDoS-based traffic contains 84 features, including 83 features and 1 classifier. The reason for selecting features by applying the permutation importance algorithm in the Kaggle data is to delete features that do not affect the learning. Through this process, the learning time is reduced and the DDoS attack detection rate is improved. The calculation of every feature in every flow per second causes a large overhead in our model. This is why we use a feature selection method, the permutation importance algorithm, to reduce the dataset to the 20 most important features, with 12,500,000 samples that are vital to the SDN architecture for the classification of traffic in our classifier model. In the literature, recent research suggests that there is no universal model for classification tasks. In this study, we analyze the performance in detecting DDoS attacks with random forest, decision trees, naïve Bayes, CNNs and RNNs on the obtained feature set with original and reduced features, respectively.
A DDoS and normal traffic dataset are captured to avoid confusion in labeling the dataset. To detect DDoS attacks, the permutation importance algorithm is used to extract features from the dataset. The dataset used in the training of machine learning and deep learning-based models can contain a large number of features. The goal is to reduce the low-impact features in the classification and to provide highly effective features. The dataset of DDoS traffic was obtained from Kaggle, in which the DDoS-based traffic contained 84 features, including 83 features and 1 classifier. Using the permutation importance algorithm, we selected the best 20 features [34] from these 84 features to train in our classifier models, as shown in Table 2. The raw data undergo pre-processing to make them suitable to train the proposed model and avoid overfitting.
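
The feature-selection step described above, as an added example rather than the authors' code: permutation importance in its standard form (shuffle one feature column on held-out data and measure the drop in accuracy), applied to a Gaussian naïve Bayes classifier, then retraining on the top-ranked features. The four feature names, their distributions and the synthetic flows are constructed assumptions, not the Kaggle dataset or the paper's Table 2, and the paper's two-step procedure may differ in detail.

```python
import math
import random

# Hypothetical flow features: (mean for normal, mean for DDoS, std deviation).
FEATURES = ["flow_pkts_per_s", "fwd_pkt_len_mean", "flow_duration_s", "noise"]
PROFILE = [(300, 500, 100), (600, 450, 100), (10.0, 9.4, 2.0), (0.0, 0.0, 1.0)]


def make_flows(n, rng):
    """Constructed sample data: label 0 = normal, 1 = DDoS, classes balanced."""
    rows, labels = [], []
    for i in range(n):
        y = i % 2
        rows.append([rng.gauss(p[y], p[2]) for p in PROFILE])
        labels.append(y)
    return rows, labels


def fit_gnb(rows, labels):
    """Gaussian naive Bayes: per-class log prior and per-feature mean/variance."""
    model = {}
    for c in sorted(set(labels)):
        part = [r for r, y in zip(rows, labels) if y == c]
        stats = []
        for col in zip(*part):
            mu = sum(col) / len(col)
            var = sum((v - mu) ** 2 for v in col) / len(col) + 1e-9
            stats.append((mu, var))
        model[c] = (math.log(len(part) / len(rows)), stats)
    return model


def predict(model, row):
    def score(c):
        prior, stats = model[c]
        return prior + sum(
            -0.5 * math.log(2 * math.pi * var) - (v - mu) ** 2 / (2 * var)
            for v, (mu, var) in zip(row, stats))
    return max(model, key=score)


def accuracy(model, rows, labels):
    return sum(predict(model, r) == y for r, y in zip(rows, labels)) / len(rows)


def permutation_importance(model, rows, labels, n_repeats, rng):
    """Mean accuracy drop when one feature column is shuffled across rows.

    Shuffling breaks the link between that feature and the label while
    keeping its marginal distribution; the model itself is not retrained.
    """
    base = accuracy(model, rows, labels)
    importances = []
    for j in range(len(rows[0])):
        drops = []
        for _ in range(n_repeats):
            col = [r[j] for r in rows]
            rng.shuffle(col)
            shuffled = [r[:j] + [v] + r[j + 1:] for r, v in zip(rows, col)]
            drops.append(base - accuracy(model, shuffled, labels))
        importances.append(sum(drops) / n_repeats)
    return base, importances


def select_top_k(importances, k):
    order = sorted(range(len(importances)), key=lambda j: importances[j], reverse=True)
    return [FEATURES[j] for j in order[:k]]


def project(rows, names):
    """Keep only the named feature columns."""
    idx = [FEATURES.index(n) for n in names]
    return [[r[j] for j in idx] for r in rows]


def run_demo(seed=7):
    rng = random.Random(seed)
    x_train, y_train = make_flows(600, rng)   # 60% train
    x_test, y_test = make_flows(400, rng)     # 40% test, as in the paper's split
    model = fit_gnb(x_train, y_train)
    base, imps = permutation_importance(model, x_test, y_test, 10, rng)
    top = select_top_k(imps, 2)
    reduced = fit_gnb(project(x_train, top), y_train)
    reduced_acc = accuracy(reduced, project(x_test, top), y_test)
    return base, dict(zip(FEATURES, imps)), top, reduced_acc


if __name__ == "__main__":
    base, imps, top, reduced_acc = run_demo()
    print(f"accuracy, all features: {base:.3f}")
    for name, value in imps.items():
        print(f"  {name:18s} importance {value:+.3f}")
    print(f"selected: {top}; accuracy on selected features: {reduced_acc:.3f}")
```

Importance is computed on the held-out split so that it reflects what the model relies on for unseen traffic; strongly correlated features can mask each other, which is one reason to re-check accuracy after each reduction.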

3.3. Experimental Environment

Our DDoS detection model is based on an SDN-based topology that is built on Mininet to simulate the results of the experiments, as shown in Figure 3. Our system topology consists of six PCs, one OpenFlow switch and an RYU SDN controller. Among the six PCs, two are attacker PCs, while the other four PCs generate normal traffic. To detect the attacker traffic, we use the RF, NB, DT, CNN and RNN classifiers on the controller for the testing and training of the traffic. Deep learning is essentially derived from machine learning and researchers have found that machine learning performs better in DDoS attack scenarios.
Mininet is a network emulator that provides the functionality to create a virtual network environment with the ability to communicate with virtual devices using virtual links [35]. It also provides capabilities to integrate different SDN controllers, such as RYU SDN controllers based on Python. Mininet provides some great advantages that make it an ideal choice: it supports the OpenFlow protocol and is capable of running Linux applications in a virtual environment. The RYU controller is an open-source component-based SDN framework and provides software components with a well-defined API, which makes it easy for developers to create new network management and control applications [36]. RYU supports different versions of OpenFlow protocols, and it supports the NETCONF and OF-config protocols [37]. RYU uses scripts and the OpenFlow protocol to communicate and manage the switches [38]. The experiments are carried out on an Ubuntu (18.10) virtual machine set up on VMware with 2 GB of RAM and 200 GB hard drive space and Mininet (ver2.3) is used with an RYU (ver4.3) controller. The SDN network contains the following units: an RYU controller, an OpenFlow switch and 6 PCs, in which one is an attacker PC, another one is a victim PC and all other PCs are normal PCs, as shown in Figure 3. In the experimental first stage, the classifiers are trained and tested using all features in the dataset. In the second stage, the permutation importance algorithm is used to select the most effective features in the entire dataset. The performance ratio is determined with the RF, NB, DT, CNN and RNN algorithms on the basis of the selected features.

4. Experiment Analysis and Verification

Experimental Results

In order to obtain the high-priority features that have a high impact on the prediction, the feature selection method permutation importance was applied. The normal traffic data and DDoS attack data were analyzed on our SDN architecture with a total dataset of 12,794,627 samples. The training dataset used comprised 7,676,776 samples, which was 60% of the total dataset. In testing, 5,117,851 samples (40% of the total dataset) were used. The reduced features obtained by the feature selection were applied to our classifier models and the parameters were the same as those used in our previous study. As the reduced feature set, 64, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5 and 4, respectively, were selected as per the given classifier model. The features were trained by the classifier algorithm based on the RF, NB, DT, CNN and RNN models.
The obtained results are presented in Table 3. The parameters used to analyze the traffic are the evaluation time, accuracy, sensitivity, precision and F1_Score. The F_Score is the weighted average of the precision and sensitivity. Finally, the specificity is the ability to assess unequivocally the analysis in the presence of components. The results obtained show that if we reduce the features, we cannot guarantee a performance increase in parameters such as accuracy, sensitivity, precision, specificity and the F1_Score; however, the evaluation is strengthened by reducing the features. To summarize the results obtained, we can state that obtaining the best features that have a strong impact on the detection of DDoS attacks can enhance the performance. The results of our DDoS detection model based on the random forest model, using five feature sets and the permutation importance algorithm, show 99.976% accuracy and F1_Score values.
In the second part of study, we analyzed each model’s performance to briefly provide the results of individual models with different features selected from the dataset. We started from 64 feature sets and then, according to the classifier model, features were selected that ranged from 15 to 4. The classifier models based on machine learning and deep learning both had their own impacts on the results. The results of the individual classifier models are shown in Table 4, Table 5, Table 6, Table 7 and Table 8, respectively. The obtained results from the different classifier models with different feature sets are quite interesting. Every classifier model’s result shows the importance of selecting features. As we can see in Table 2, random forest performs better with five features in detecting and mitigating DDoS attacks in the SDN environment. The individual results show that machine learning-based models perform better than deep learning models. The decision tree and random forest results surpass those of other classifier models with different feature sets. The deep learning-based model’s highest accuracy and F1_Score are 98.723% and 98.70% with the RNN, and the results with the CNN model are 96.654% and 96.537%, respectively. However, the machine learning-based random forest and decision tree models have over a 99% accuracy rate and over a 99% F1_Score.
In the third part of the study, we compared the performance of our models on the basis of the detection time of attacks. In this study, we analyzed the shortest time taken by our classifier models to detect DDoS attacks in the SDN environment. The graph is presented in Figure 4. The results show that the decision tree model has the shortest time taken to detect the DDoS attack, followed by the naïve Bayes. The random forest shows the longest time taken for DDoS attack detection. In the fourth part of the study, the accuracy and F1_Score were compared to analyze the performance of individual classifiers. The graph is presented in Figure 5. The graph shows the results after using the classifier models. The accuracy and F1_Score are the most important parameters in detecting and mitigating DDoS attacks. The results indicate that the highest accuracy and F1_Score are obtained by the random forest and decision tree models. The CNN and RNN models’ performance is lower than that of the machine learning-based models, except the naïve Bayes model. The random forest and decision tree models achieve accuracy and F1_Score values above 99%. The performance of both models shows how useful they both can be in detecting and mitigating DDoS attacks in SDN.
The performance on the basis of the remaining parameters, such as sensitivity, precision and specificity, was evaluated and is shown in the graph in Figure 6. The results again show the highest values for the random forest and decision tree classifier models. After analyzing the overall and individual performance of our classifier models, we can state that the machine learning-based random forest and decision tree classifier models show better performance in detecting and mitigating DDoS attacks in SDN.
As we have analyzed the performance of the classifier models with different feature sets, we now examine and analyze the performance of the classifier models with 10 features. First, we evaluate the overall performance of our classifier models, which is shown in Table 9. The results show the same behavior and random forest is better than the other classifier models.
Now, we present the performance of our classifier models according to the evaluation time, accuracy and F1_Score, and with sensitivity, specificity and precision, as we have studied in the previous section. The purpose of selecting 10 features and showing the results is to demonstrate that there is no notable impact on the performances of the classifier models. The performance graphs of the classifier models with respect to the evaluation time, accuracy and F1_Score, and with sensitivity, specificity and precision, respectively, are presented in Figure 7, Figure 8 and Figure 9. Moreover, for the training carried out with the CNN model in detecting and mitigating DDoS attacks in SDN, we have presented the performance of the network with the help of graphs. The graphs show the parameters of the bandwidth and time to show the performance of our system without attacks, with attacks but without mitigation and with attacks but without mitigation, respectively. The purpose of presenting the graphs is to show the impact of our CNN model in detecting and mitigating DDoS attacks in an SDN environment. The graphs are shown in Figure 10, Figure 11 and Figure 12, respectively.
The results show that the SDN architecture can be the best solution in terms of detecting DDoS attacks with machine learning techniques such as random forest models. With the planned approach, a secure and efficient SDN architecture can be developed. In the SDN topology, the location of the controllers is important at this point. We have shown with our results that a machine learning-based random forest model achieves the best performance by classifying the traffic into attack and normal traffic. We hope to implement our model on a multi-controller SDN network to detect and mitigate DDoS attacks. The random forest model is the best among the models described with the created dataset using the permutation importance algorithm.

5. Conclusions

In this paper, we have presented a study implementing machine learning and deep learning-based models in detecting a DDoS attack in an SDN environment. The results obtained in our study show that random forest achieved the highest performance in detecting DDoS attacks because of the centralized nature of the controller. The basic information related to network traffic can be obtained by the controller and can be evaluated by the machine learning-based random forest detection module. We analyzed the accuracy and F1_Score, with a result of over 99% with the random forest classifier model. We analyzed the traffic with the flexibility of the SDN structure, and we used the permutation importance algorithm to extract the 20 features that contain the most valuable information for our CNN classifier model related to the type of attack, in our case DDoS.
Our results show the required performance, with high accuracy of 99.985%, precision above 99% and an F1_Score of 99.985%. We implemented our model in a Mininet-based SDN environment. In the future, we will also try to implement this approach in a real SDN environment with real network traffic and evaluate the performance of the whole network in terms of other parameters, such as spoofing, latency and throughput. Our present experimental verification involved the identification of 20 data features that had a significant impact on DDoS detection. It was confirmed that the random forest model had excellent DDoS detection performance in SDN.
We plan to conduct research in the field in the future. This is because more unexpected attacks and various types of DDoS attacks are possible in the field than in the laboratory. Research to overcome and improve this situation is very important. In addition, a new machine learning-based learning model will be developed to prove the superiority of the detection performance.

Author Contributions

K.-M.K. designed the entire system for DDoS detection and devised a specific solution based on various previous research. J.-M.B. investigated ML and DL learning models, conducted various experimental studies and then performed the initial writing. B.-S.S. analyzed the content of the study and designed the function of each component of the entire system. In addition, he read the written content of the paper and performed detailed reviewing and editing. W.-B.L. was responsible for funding acquisition and verifying the experimental results. All authors have read and agreed to the published version of the manuscript.

Funding

This paper was supported by Wonkwang University in 2021.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Ko, K.M. A DDoS Attack Detection Technique through CNN Model in Software Define Network. J. Korea Inst. Inf. Electron. Commun. Technol. 2020, 13, 605–610. [Google Scholar]
  2. Imran, M.; Durad, M.H.; Khan, F.A.; Derhab, A. Toward an optimal solution against denial of service attacks in software defined networks. Future Gener. Comput. Syst. 2019, 92, 444–453. [Google Scholar] [CrossRef]
  3. Rahman, O.; Quraishi, M.A.G.; Lung, C.H. DDoS attacks detection and mitigation in SDN using machine learning. In Proceedings of the 2019 IEEE World Congress on Services (SERVICES), Milan, Italy, 8–13 July 2019; Volume 2642, pp. 184–189. [Google Scholar]
  4. Tselios, C.; Politis, I.; Kotsopoulos, S. Enhancing SDN security for IoT-related deployments through blockchain. In Proceedings of the 2017 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), Berlin, Germany, 6–8 November 2017; pp. 303–308. [Google Scholar]
  5. Tahaei, H.; Salleh, R.B.; Razak, M.F.A.; Ko, K.; Anuar, N.B. Cost Effective Network Flow Measurement for Software Defined Networks: A Distributed Controller Scenario. IEEE Access 2018, 6, 5182–5198. [Google Scholar] [CrossRef]
  6. Smith-Perrone, J.; Sims, J. Securing cloud, SDN and large data network environments from emerging DDoS attacks. In Proceedings of the 2017 7th International Conference on Cloud Computing, Data Science & Engineering-Confluence, Noida, India, 12–13 January 2017; pp. 466–469. [Google Scholar]
  7. Douligeris, C.; Mitrokotsa, A. DDoS attacks and defense mechanisms: A classification. In Proceedings of the 3rd IEEE International Symposium on Signal Processing and Information Technology (IEEE Cat. No. 03EX795), Darmstadt, Germany, 17 December 2003; pp. 190–193. [Google Scholar]
  8. Fonseca, P.; Bennesby, R.; Mota, E.; Passito, A. A replication component for resilient OpenFlow-based networking. In Proceedings of the 2012 IEEE Network Operations and Management Symposium, Maui, HI, USA, 16–20 April 2012; pp. 933–939.
  9. Wang, J.; Wang, L. SDN-Defend: A Lightweight Online Attack Detection and Mitigation System for DDoS Attacks in SDN. Sensors 2022, 22, 8287.
  10. Manso, P.; Moura, J.; Serrão, C. SDN-Based Intrusion Detection System for Early Detection and Mitigation of DDoS Attacks. IEEE Access 2019, 10, 106.
  11. Dharma, N.G.; Muthohar, M.F.; Prayuda, J.A.; Priagung, K.; Choi, D. Time-based DDoS detection and mitigation for SDN controller. In Proceedings of the 2015 17th Asia-Pacific Network Operations and Management Symposium (APNOMS), Busan, Republic of Korea, 19–21 August 2015; pp. 550–553.
  12. Oshima, S.; Nakashima, T.; Sueyoshi, T. Early DDoS detection method using short-term statistics. In Proceedings of the 2010 International Conference on Complex, Intelligent and Software Intensive Systems, Krakow, Poland, 15–18 February 2010; pp. 168–173.
  13. Zubaydi, H.D.; Anbar, M.; Wey, C.Y. Review on Detection Techniques against DDoS Attacks on a Software-Defined Networking Controller. In Proceedings of the IEEE 2017 Palestinian International Conference on Information and Communication Technology (PICICT), Gaza, Palestine, 8–9 May 2017; pp. 22–31.
  14. Wang, R.; Jia, Z.; Ju, L. An entropy-based distributed DDoS detection mechanism in software-defined networking. In Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA, Helsinki, Finland, 20–22 August 2015; Volume 1, pp. 310–317.
  15. Ashraf, J.; Latif, S. Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques. In Proceedings of the 2014 National Software Engineering Conference, Rawalpindi, Pakistan, 11–12 November 2014; pp. 55–60.
  16. Sultana, N.; Chilamkurti, N.; Peng, W.; Alhadad, R. Survey on SDN based network intrusion detection system using machine learning approaches. Peer-to-Peer Netw. Appl. 2019, 12, 493–501.
  17. Braga, R.; Mota, E.; Passito, A. Lightweight DDoS flooding attack detection using NOX/OpenFlow. In Proceedings of the IEEE Local Computer Network Conference, Denver, CO, USA, 10–14 October 2010; pp. 408–415.
  18. Zhai, S.; Cheng, Y.; Lu, W.; Zhang, Z. Deep structured energy based models for anomaly detection. arXiv 2016, arXiv:1605.07717.
  19. Tang, T.A.; Mhamdi, L.; McLernon, D.; Zaidi, S.A.R.; Ghogho, M. Deep learning approach for network intrusion detection in software defined networking. In Proceedings of the 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM), Fez, Morocco, 26–29 October 2016; pp. 258–263.
  20. Potluri, S.; Diedrich, C. Accelerated deep neural networks for enhanced intrusion detection system. In Proceedings of the 2016 IEEE 21st International Conference on Emerging Technologies and Factory Automation (ETFA), Berlin, Germany, 6–9 September 2016; pp. 1–8.
  21. Malaiya, R.K.; Kwon, D.; Kim, J.; Suh, S.C.; Kim, H.; Kim, I. An empirical evaluation of deep learning for network anomaly detection. In Proceedings of the 2018 International Conference on Computing, Networking and Communications (ICNC), Maui, HI, USA, 5–8 March 2018; pp. 893–898.
  22. Sambangi, S.; Gondi, L. A Machine Learning Approach for DDoS (Distributed Denial of Service) Attack Detection Using Multiple Linear Regression. Proceedings 2020, 63, 51.
  23. Awan, M.J.; Farooq, U.; Babar, H.M.A.; Yasin, A.; Nobanee, H.; Hussain, M.; Hakeem, O.; Zain, A.M. Real-Time DDoS Attack Detection System Using Big Data Approach. Sustainability 2021, 13, 10743.
  24. Nakip, M.; Gelenbe, E. Mirai botnet attack detection with auto-associative dense random neural network. In Proceedings of the IEEE Global Communications Conference, GLOBECOM, Madrid, Spain, 7–11 December 2021; pp. 1–6.
  25. Nakip, M.; Gelenbe, E. Botnet attack detection with incremental online learning. In Proceedings of the 2018 IEEE International Conference on Current Trends in Advanced Computing (ICCTAC), Chennai, India, 10–11 September 2018; pp. 51–60.
  26. Onyema, E.M.; Kumar, M.A.; Balasubaramanian, S.; Bharany, S.; Rehman, A.U.; Eldin, E.T.; Shafiq, M. A Security Policy Protocol for Detection and Prevention of Internet Control Message Protocol Attacks in Software Defined Networks. Sustainability 2022, 14, 11950.
  27. Polat, H.; Polat, O.; Cetin, A. Detecting DDoS Attacks in Software-Defined Networks Through Feature Selection Methods and Machine Learning Models. Sustainability 2020, 12, 1035.
  28. Tuan, T.A.; Long, H.V.; Son, L.H.; Kumar, R.; Priyadarshini, I.; Son, N.T.K. Performance evaluation of botnet ddos attack detection using machine learning. In Proceedings of the 2018 IEEE International Conference on Current Trends in Advanced Computing (ICCTAC), Evolutionary Intelligence, Xiamen, China, 29 March 2018; pp. 1–12.
  29. Khashab, F.; Moubarak, J.; Feghali, A.; Bassil, C. DDoS attack detection and mitigation in SDN using machine learning. In Proceedings of the 2021 IEEE 7th International Conference on Network Softwarization (NetSoft), Tokyo, Japan, 28 June–2 July 2021.
  30. Sanjeetha, R.; Kanavalli, A.; Gupta, A.; Pattanaik, A.; Agarwal, S. Real-time DDoS Detection and Mitigation in Software Defined Networks using Machine Learning Techniques. Int. J. Comput. 2022, 21, 353–359.
  31. Alkahtani, H.; Aldhyani, T.H. Developing Cybersecurity Systems Based on Machine Learning and Deep Learning Algorithms for Protecting Food Security Systems: Industrial Control Systems. Electronics 2022, 11, 1717.
  32. Theyazn, H.H.; Aldhyani, H.A. Attacks to Automatous Vehicles: A Deep Learning Algorithm for Cybersecurity. Sensors 2022, 22, 360.
  33. Devendra. DDoS Dataset- Kaggle. Available online: https://www.kaggle.com/devendra416/ddos-datasets (accessed on 20 July 2020).
  34. Yeo, M.; Koo, Y.; Yoon, Y.; Hwang, T.; Ryu, J.; Song, J.; Park, C. Flow-based malware detection using convolutional neural network. In Proceedings of the IEEE 2018 International Conference on Information Networking (ICOIN), Korean Society for Internet Information (KSII), Chiang Mai, Thailand, 10–12 January 2018; pp. 1–26.
  35. Team, M. Mininet Overview- Mininet. 2018. Available online: http://mininet.org/overview/ (accessed on 15 July 2020).
  36. Chen, Y.S.; Tsai, Y.T. A Mobility Management Using Follow-Me Cloud-Cloudlet in Fog-Computing-Based RANs for Smart Cities. Sensors 2018, 18, 489.
  37. Ryu, A. Component-Based Software-Defined Networking Framework; Nippon Telegraph and Telephone Corporation: Tokyo, Japan, 2013.
  38. Asadollahi, S.; Goswami, B.; Sameer, M. Ryu controller’s scalability experiment on software defined networks. In Proceedings of the 2018 IEEE International Conference on Current Trends in Advanced Computing (ICCTAC), Bangalore, India, 1–2 February 2018; pp. 1–5.
Figure 1. The process of applying the feature selection method using ML and DL models.
Figure 2. RNN and CNN layer structure.
Figure 3. An SDN topology on Mininet for DDoS attack testing.
Figure 4. Performance comparison of classifier models in detecting DDoS attacks in SDN.
Figure 5. Performance comparison of classifier models in accuracy and F1_Score.
Figure 6. Performance comparison of classifier models in sensitivity, precision and specificity.
Figure 7. Performance comparison of classifier models in detecting DDoS attack in SDN with 10 features.
Figure 8. Performance comparison of classifier models in accuracy and F1_Score with 10 features.
Figure 9. Performance comparison of classifier models in sensitivity, precision and specificity with 10 Features.
Figure 10. Performance for traffic without attacks in SDN.
Figure 11. Performance for attack traffic without mitigation in SDN.
Figure 12. Performance for attack traffic with mitigation in SDN.
Table 1. Comparison of different methods used for DDoS attacks in SDN.

| Method | Advantages | Issues |
|---|---|---|
| Time-Based DDoS Detection | Contains a mitigation process by creating time patterns to prevent future attacks. Reduces controller processing rate because the flow collector handles this task. | Causes time delay because the processor adds more processing for non-valid packets. Requires additional implementation. |
| Entropy-Based DDoS Detection | Lightweight method. Detects DDoS attack at early stages. Flexible; can modify any parameter. | Additional overhead from window size. Unable to detect DDoS attacks on multiple hosts. No prevention technique. |
| Machine Learning-Based DDoS Detection | Introduces a high overhead reduction compared to other techniques. Less CPU load. Fast detection time. Ability to monitor multiple points instead of one. | This technique is not implemented with normal switches. It requires additional implementation. |
| Deep Learning-Based DDoS Detection | It provides accurate information on anomalous behavior. It is able to evaluate big sets of data, with less time and CPU load. | Can be implemented on network system. Requires additional functionalities. |
Table 2. The top 20 features selected using permutation importance algorithm.

| # | Feature | Importance | Description |
|---|---|---|---|
| 1 | fl_iat_avg | 0.5334 | Two flows average time |
| 2 | fw_iat_max | 0.3351 | Maximum time of two packets sent |
| 3 | fw_win_byt | 0.3248 | Number of bytes |
| 4 | fw_iat_tot | 0.3231 | Total time of two packets sent |
| 5 | fl_dur | 0.3162 | Time of duration |
| 6 | fl_iat_min | 0.2778 | Minimum time of two flows |
| 7 | bw_iat_min | 0.2655 | Minimum time of two packets sent |
| 8 | fl_iat_max | 0.2426 | Maximum time of two flows |
| 9 | fw_iat_avg | 0.2203 | Mean time of two packets sent |
| 10 | Bw_pkt_l_max | 0.2139 | Maximum size of packet |
| 11 | bw_iat_max | 0.2077 | Maximum time of two packets sent |
| 12 | bw_win_byt | 0.1944 | Number of bytes sent |
| 13 | bw_iat_tot | 0.1942 | Total time of two packets sent |
| 14 | fw_iat_min | 0.1520 | Minimum time of two packets sent |
| 15 | bw_iat_avg | 0.1513 | Mean time of two packets sent |
| 16 | idl_max | 0.1139 | Flow maximum time before becoming active |
| 17 | bw_seg_avg | 0.0926 | Average size observed |
| 18 | Bw_pkt_l_avg | 0.0922 | Packet average size |
| 19 | fw_pkt_l_avg | 0.0913 | Packet average size |
| 20 | pkt_size_avg | 0.0910 | Packet average size |
Table 3. Performance comparison of the machine learning and deep learning models.

| Model | Features | Evaluation Time | Accuracy | Sensibility | Precision | Specificity | F1_Score |
|---|---|---|---|---|---|---|---|
| Random Forest | 5 | 5.09 s | 99.976% | 99.974% | 99.978% | 99.978% | 99.976% |
| Decision Tree | 7 | 0.44 s | 99.842% | 99.829% | 99.852% | 99.856% | 99.840% |
| Naive Bayes | 8 | 0.69 s | 93.645% | 96.293% | 91.317% | 91.059% | 93.739% |
| CNN | 13 | 4.13 s | 96.654% | 94.412% | 98.760% | 98.843% | 96.537% |
| RNN | 15 | 4.28 s | 98.723% | 98.200% | 99.207% | 99.234% | 98.701% |
Table 4. Performance of the random forest (RF) model with permutation importance algorithm.

| Feature Set | Evaluation Time | Accuracy | Sensibility | Precision | Specificity | F1_Score |
|---|---|---|---|---|---|---|
| 64 | 7.85 s | 99.979% | 99.978% | 99.980% | 99.980% | 99.979% |
| 12 | 5.66 s | 99.986% | 99.985% | 99.986% | 99.987% | 99.986% |
| 11 | 5.57 s | 99.986% | 99.985% | 91.986% | 99.987% | 99.986% |
| 10 | 5.07 s | 99.985% | 99.984% | 98.986% | 98.986% | 99.985% |
| 9 | 5.07 s | 99.978% | 99.977% | 99.978% | 99.979% | 99.978% |
| 8 | 4.88 s | 99.976% | 99.975% | 99.977% | 99.978% | 99.976% |
| 7 | 4.94 s | 99.976% | 99.975% | 99.977% | 99.978% | 99.976% |
| 6 | 5.09 s | 99.977% | 99.975% | 99.978% | 99.978% | 99.976% |
| 5 | 5.09 s | 99.976% | 99.974% | 99.978% | 99.978% | 99.976% |
| 4 | 4.59 s | 99.908% | 99.862% | 99.952% | 99.953% | 99.907% |
Table 5. Performance of the decision tree (DT) model with permutation importance algorithm.

| Feature Set | Evaluation Time | Accuracy | Sensibility | Precision | Specificity | F1_Score |
|---|---|---|---|---|---|---|
| 64 | 1.61 s | 99.984% | 99.982% | 99.985% | 99.985% | 99.984% |
| 12 | 0.49 s | 99.983% | 99.981% | 99.985% | 99.985% | 99.983% |
| 11 | 0.50 s | 99.853% | 99.841% | 99.862% | 99.865% | 99.852% |
| 10 | 0.49 s | 99.853% | 99.839% | 99.863% | 98.866% | 99.851% |
| 9 | 0.48 s | 99.842% | 99.829% | 99.852% | 99.855% | 99.841% |
| 8 | 0.47 s | 99.842% | 99.829% | 99.851% | 99.855% | 99.840% |
| 7 | 0.44 s | 99.842% | 99.829% | 99.852% | 99.856% | 99.840% |
| 6 | 0.38 s | 97.740% | 99.960% | 99.660% | 95.572% | 97.763% |
Table 6. Performance of the naïve Bayes (NB) model with permutation importance algorithm.

| Feature Set | Evaluation Time | Accuracy | Sensibility | Precision | Specificity | F1_Score |
|---|---|---|---|---|---|---|
| 64 | 7.85 s | 99.979% | 99.978% | 99.980% | 99.980% | 99.979% |
| 12 | 0.89 s | 93.637% | 96.300% | 91.297% | 91.036% | 93.732% |
| 11 | 0.88 s | 93.645% | 96.293% | 91.317% | 91.059% | 93.739% |
| 10 | 0.82 s | 93.645% | 96.293% | 91.317% | 91.059% | 93.739% |
| 9 | 0.71 s | 93.645% | 96.293% | 91.317% | 91.059% | 93.739% |
| 8 | 0.69 s | 93.645% | 96.293% | 91.317% | 91.059% | 93.739% |
| 7 | 0.59 s | 92.108% | 93.124% | 91.100% | 91.117% | 92.101% |
Table 7. Performance of the convolution neural network model (CNN) with permutation importance algorithm.

| Feature Set | Evaluation Time | Accuracy | Sensibility | Precision | Specificity | F1_Score |
|---|---|---|---|---|---|---|
| 64 | 5.67 s | 96.244% | 95.161% | 97.178% | 97.301% | 96.159% |
| 15 | 4.38 s | 95.450% | 95.266% | 95.513% | 95.630% | 95.389% |
| 14 | 4.26 s | 96.471% | 94.103% | 98.694% | 98.784% | 96.344% |
| 13 | 4.13 s | 96.654% | 94.412% | 98.760% | 98.843% | 96.537% |
| 12 | 4.10 s | 95.349% | 91.718% | 98.780% | 98.894% | 95.118% |
| 11 | 4.12 s | 96.184% | 93.226% | 98.841% | 98.971% | 95.951% |
| 10 | 4.17 s | 95.537% | 96.233% | 94.812% | 94.858% | 95.517% |
| 9 | 4.23 s | 89.137% | 86.972% | 90.661% | 91.251% | 88.778% |
Table 8. Performance of the recurrent neural network model (RNN) with permutation importance algorithm.

| Feature Set | Evaluation Time | Accuracy | Sensibility | Precision | Specificity | F1_Score |
|---|---|---|---|---|---|---|
| 64 | 2.09 s | 95.874% | 97.830% | 94.056% | 93.963% | 95.906% |
| 15 | 4.28 s | 98.723% | 98.200% | 99.207% | 99.234% | 98.701% |
| 14 | 3.78 s | 97.407% | 95.579% | 99.141% | 99.192% | 97.328% |
| 13 | 3.63 s | 97.449% | 95.611% | 99.197% | 99.244% | 97.371% |
| 12 | 3.38 s | 97.366% | 95.477% | 99.161% | 99.211% | 97.284% |
| 11 | 3.28 s | 97.454% | 95.601% | 99.218% | 99.264% | 97.376% |
| 10 | 3.07 s | 97.440% | 95.589% | 99.199% | 99.247% | 97.361% |
| 9 | 3.14 s | 97.061% | 94.672% | 99.348% | 99.394% | 96.954% |
| 8 | 3.27 s | 97.059% | 94.756% | 99.257% | 99.308% | 96.954% |
Table 9. Performance of the machine learning and deep learning models with 10 selected features.

| Model | Features | Evaluation Time | Accuracy | Sensibility | Precision | Specificity | F1_Score |
|---|---|---|---|---|---|---|---|
| Random Forest | 10 | 0.49 s | 99.853% | 99.839% | 99.863% | 99.866% | 99.851% |
| Decision Tree | 10 | 5.07 s | 99.985% | 99.984% | 99.986% | 99.986% | 99.985% |
| Naive Bayes | 10 | 0.82 s | 93.645% | 96.293% | 91.317% | 91.059% | 93.739% |
| CNN | 10 | 4.17 s | 95.537% | 96.233% | 94.812% | 94.858% | 95.517% |
| RNN | 10 | 3.07 s | 97.440% | 95.589% | 99.199% | 99.247% | 97.361% |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Ko, K.-M.; Baek, J.-M.; Seo, B.-S.; Lee, W.-B. Comparative Study of AI-Enabled DDoS Detection Technologies in SDN. Appl. Sci. 2023, 13, 9488. https://doi.org/10.3390/app13179488

Chicago/Turabian Style

Ko, Kwang-Man, Jong-Min Baek, Byung-Suk Seo, and Wan-Bum Lee. 2023. "Comparative Study of AI-Enabled DDoS Detection Technologies in SDN" Applied Sciences 13, no. 17: 9488. https://doi.org/10.3390/app13179488
