An Earth Mover’s Distance Algorithm Based DDoS Detection Mechanism in SDN

Software-defined networking (SDN) provides a scalable network framework by decoupling the control plane from the data plane. However, this architecture also induces a particular distributed denial-of-service (DDoS) attack that can affect or even overwhelm the SDN network. To date, DDoS attack detection has mostly been studied as an entropy comparison problem. However, that formulation does not make use of SDN, and its results are not accurate. In this paper, we propose a DDoS attack detection method that interprets DDoS detection as a signature matching problem, formulated as an Earth Mover’s Distance (EMD) model. Considering feasibility and accuracy, we further propose defining the cost function of EMD as a generalized Kullback-Leibler divergence. Simulation results show that our proposed method can detect DDoS attacks by comparing EMD values with those computed in the absence of attacks. Moreover, our method can significantly increase the true positive rate of detection.
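The following sketch is an added example, not code from the paper: it computes the EMD between two traffic signatures with a generalized Kullback-Leibler ground cost and compares the result against attack-free values. The signature layout (feature vector plus integer flow count), the chosen features, the sample numbers and the `margin` alerting rule are all assumptions made for illustration.

```python
import math

def gkl(a, b):
    """Generalized KL divergence between strictly positive feature vectors."""
    return sum(x * math.log(x / y) - x + y for x, y in zip(a, b))

def emd(sig_p, sig_q, ground=gkl):
    """EMD between signatures [(features, integer weight), ...]: min-cost flow
    by successive shortest paths, normalized by the total flow moved."""
    cap, cost = {}, {}
    def add(u, v, c, w):  # edge plus its zero-capacity reverse edge
        cap[u, v], cost[u, v] = c, w
        cap[v, u], cost[v, u] = 0, -w
    for i, (fp, wp) in enumerate(sig_p):
        add("s", ("p", i), wp, 0.0)
        for j, (fq, _) in enumerate(sig_q):
            add(("p", i), ("q", j), wp, ground(fp, fq))
    for j, (_, wq) in enumerate(sig_q):
        add(("q", j), "t", wq, 0.0)
    nodes = {u for u, _ in cap}
    flow, work = 0, 0.0
    while True:
        dist, prev = dict.fromkeys(nodes, math.inf), {}
        dist["s"] = 0.0
        for _ in nodes:  # Bellman-Ford, one relaxation pass per node
            for (u, v), c in cap.items():
                if c > 0 and dist[u] + cost[u, v] < dist[v] - 1e-9:
                    dist[v], prev[v] = dist[u] + cost[u, v], u
        if "t" not in prev:
            break
        path, v = [], "t"
        while v != "s":  # walk the augmenting path back to the source
            path.append((prev[v], v))
            v = prev[v]
        push = min(cap[e] for e in path)
        for u, v in path:
            cap[u, v] -= push
            cap[v, u] += push
            work += push * cost[u, v]
        flow += push
    return work / flow if flow else 0.0

def is_attack(baseline, window, normal_emds, margin=3.0):
    """Assumed rule: alert when EMD exceeds margin x the largest attack-free EMD."""
    return emd(baseline, window) > margin * max(normal_emds)

# Constructed signatures: ((packets per flow, bytes per packet), flow count).
NORMAL_A = [((40.0, 800.0), 60), ((12.0, 300.0), 40)]
NORMAL_B = [((42.0, 780.0), 58), ((11.0, 310.0), 42)]
ATTACK = [((40.0, 800.0), 20), ((1.0, 60.0), 80)]
```

With these constructed windows, the shift of most flows into a cluster of tiny single-packet flows moves the EMD from roughly 6 to roughly 680, which is the kind of gap the comparison against attack-free values relies on.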



