TY - GEN
T1 - A detection method for a novel DDoS attack against SDN controllers by vast new low-traffic flows
AU - Dong, Ping
AU - Du, Xiaojiang
AU - Zhang, Hongke
AU - Xu, Tong
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/7/12
Y1 - 2016/7/12
N2 - A Distributed Denial of Service (DDoS) attack against controllers is one of the key security threats of Software-Defined Networking (SDN). The breakdown of a controller may disrupt a whole SDN network. A novel DDoS approach is for attackers to generate vast numbers of new low-traffic flows, which trigger a flood of malicious flow requests that overload the controllers. This attack is difficult to prevent, as the attackers may connect to any interface of any switch in an SDN network. In this paper, we propose an effective detection method, designed to detect the DDoS attack and to further locate the compromised interfaces to which the malicious attackers have connected. We first classify the flow events associated with an interface, then make a decision using the Sequential Probability Ratio Test (SPRT), which has bounded false negative and false positive error rates. In addition, we evaluate the performance of the proposed method using the DARPA Intrusion Detection Data Sets. We also discuss and compare our method with three other detection methods, based on the percentage, count, and entropy of the flows, respectively, and demonstrate the superiority of our method in terms of promptness, versatility and accuracy.
KW - DDoS
KW - SDN
KW - controller
KW - detection
UR - http://www.scopus.com/inward/record.url?scp=84981331785&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84981331785&partnerID=8YFLogxK
U2 - 10.1109/ICC.2016.7510992
DO - 10.1109/ICC.2016.7510992
M3 - Conference contribution
AN - SCOPUS:84981331785
T3 - 2016 IEEE International Conference on Communications, ICC 2016
BT - 2016 IEEE International Conference on Communications, ICC 2016
T2 - 2016 IEEE International Conference on Communications, ICC 2016
Y2 - 22 May 2016 through 27 May 2016
ER -