In an article recently published in the journal Nature, researchers presented a hybrid approach for detecting and mitigating distributed denial of service (DDoS) attacks in software-defined networks (SDNs). They combined a statistical, entropy-based detection mechanism with machine learning (ML), using k-means clustering to analyze how individual users affect system entropy.
Tested on the CIC-IDS2017, CSE-CIC-2018, and CIC-DDoS2019 datasets from the Canadian Institute for Cybersecurity (CIC) and the Communications Security Establishment (CSE), the approach proved effective in identifying and blocking rapid attacks, enhancing SDN security.
Background
SDN revolutionizes network management by centralizing control and separating it from data planes, enhancing adaptability and programmability. However, this centralization introduces vulnerabilities, particularly to DDoS attacks, which exploit SDN’s single control point to obscure malicious traffic patterns and disrupt service quality.
Traditional DDoS mitigation approaches, including statistical methods and ML techniques, have made strides but often struggle with limitations such as imbalanced datasets, high false positive rates, and slow adaptation to evolving threats. While statistical methods like entropy-based techniques offer insights into traffic anomalies, they are insufficient on their own for real-time and scalable DDoS defense. ML algorithms, although promising, face challenges in adapting to new attack patterns and managing the high computational demands of real-time detection.
This paper addressed these gaps by proposing a novel model that integrated system entropy with ML clustering techniques. By leveraging entropy to monitor network disorder and using clustering algorithms like k-means to detect anomalies, the model enhanced real-time DDoS detection and mitigation. It offered improved accuracy, reduced false positives, and scalability, addressing previous limitations and providing a more robust defense against sophisticated DDoS attacks in SDN environments.
Entropy-Based and ML Approach
The proposed scheme enhanced DDoS attack detection through an integration of entropy-based and ML clustering modules. The system's architecture included several key steps:
- Data Preprocessing: Features such as internet protocol (IP) addresses and packet sizes were extracted and cleaned. Missing information was removed.
- Feature Extraction: Network flow attributes were analyzed to specify normal or anomalous packets.
- Entropy Calculation: Entropy values were computed for data segments to detect anomalies. A threshold was used to identify potential attacks, with entropy serving as an indicator of system randomness.
- Clustering: During detected attacks, k-means clustering grouped users into normal, suspicious, and attacker categories. k was set to three to differentiate these three groups.
- Evaluation: The impact of suspicious and attacker users on normal user entropy was assessed to identify potential threats.
The system operated with linear time and space complexity, O(n), where n is the number of active users per interval. Key parameters, including interval size and thresholds, were optimized for system accuracy, with user behavior analyzed against a normal distribution curve.
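The five steps above can be followed end to end on a small constructed traffic sample. The following Python is an added illustration, not code from the paper or from this article: it computes the destination-IP entropy of each time interval, raises an alert when the entropy falls below a lower threshold β or drops by more than δ between intervals, then runs a plain k-means (k = 3) over per-source features in the alerted interval and measures how much each resulting group depresses the normal users' entropy. The feature choice, the [0, 1] scaling of the entropy, the farthest-first seeding of k-means, the reading of β and δ, the traffic itself and all addresses (documentation ranges) are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed traffic (not from the paper): flow records (timestamp_s, src_ip, dst_ip).
# Seconds 0-9 carry only normal traffic; from second 10 three sources flood 192.168.1.1.
BENIGN_SRCS = [f"10.0.0.{i}" for i in range(1, 9)]
HEAVY_SRC = "10.0.0.9"                                 # legitimate heavy user of one server
ATTACK_SRCS = [f"203.0.113.{i}" for i in range(1, 4)]  # TEST-NET-3 documentation addresses
SERVERS = [f"192.168.1.{i}" for i in range(1, 6)]

def build_flows():
    flows = []
    for t in range(20):
        for src in BENIGN_SRCS:                        # one flow per second, rotating servers
            flows.append((t, src, SERVERS[t % 5]))
        flows.extend((t, HEAVY_SRC, SERVERS[0]) for _ in range(5))
        if t >= 10:                                    # flood begins at second 10
            for src in ATTACK_SRCS:
                flows.extend((t, src, SERVERS[0]) for _ in range(20))
    return flows

def normalized_entropy(values):
    """Shannon entropy scaled to [0, 1] (assumption: scaling keeps beta interval-size independent)."""
    counts = Counter(values)
    total = sum(counts.values())
    if len(counts) < 2:
        return 0.0
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))

def split_intervals(flows, size):
    """Group flows into consecutive intervals of `size` seconds."""
    buckets = defaultdict(list)
    for ts, src, dst in flows:
        buckets[ts // size].append((src, dst))
    return [buckets[k] for k in sorted(buckets)]

def detect(intervals, beta=0.5, delta=0.3):
    """Alert when destination-IP entropy is below beta or fell by more than delta
    since the previous interval (assumed reading of the paper's beta/delta)."""
    entropies = [normalized_entropy([dst for _, dst in iv]) for iv in intervals]
    alerts = [i for i, h in enumerate(entropies)
              if h < beta or (i > 0 and entropies[i - 1] - h > delta)]
    return entropies, alerts

def source_features(interval):
    """Per source: (flow count relative to the busiest source,
    share of its flows sent to the interval's busiest destination). Assumed features."""
    per_src = Counter(src for src, _ in interval)
    top_dst = Counter(dst for _, dst in interval).most_common(1)[0][0]
    to_top = Counter(src for src, dst in interval if dst == top_dst)
    biggest = max(per_src.values())
    return {s: (n / biggest, to_top[s] / n) for s, n in per_src.items()}

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def kmeans(points, k=3, iters=100):
    """Lloyd's k-means with deterministic farthest-first seeding (seeding is an assumption)."""
    centroids = [min(points)]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist2(p, c) for c in centroids)))
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: dist2(p, centroids[j])) for p in points]
        new = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            new.append(tuple(sum(col) / len(members) for col in zip(*members))
                       if members else centroids[j])
        if new == centroids:
            break
        centroids = new
    return labels, centroids

def classify_sources(interval):
    """k = 3 clusters ranked by traffic volume: lowest = normal, highest = attacker."""
    feats = source_features(interval)
    srcs = list(feats)
    labels, centroids = kmeans([feats[s] for s in srcs], k=3)
    order = sorted(range(3), key=lambda j: centroids[j][0])
    names = dict(zip(order, ("normal", "suspicious", "attacker")))
    groups = {"normal": set(), "suspicious": set(), "attacker": set()}
    for s, lab in zip(srcs, labels):
        groups[names[lab]].add(s)
    return groups

def entropy_impact(interval, groups):
    """Entropy gain from removing each non-normal group's flows (how much it depresses entropy)."""
    base = normalized_entropy([dst for _, dst in interval])
    return {g: normalized_entropy([d for s, d in interval if s not in groups[g]]) - base
            for g in ("attacker", "suspicious")}

def run_demo(interval_size=10, beta=0.5, delta=0.3):
    intervals = split_intervals(build_flows(), interval_size)
    entropies, alerts = detect(intervals, beta, delta)
    report = {"entropies": entropies, "alerts": alerts, "groups": {}, "impact": {}}
    for i in alerts:                                   # clustering runs only on alerted intervals
        report["groups"][i] = classify_sources(intervals[i])
        report["impact"][i] = entropy_impact(intervals[i], report["groups"][i])
    return report

if __name__ == "__main__":
    r = run_demo()
    print("entropy per interval:", [round(h, 3) for h in r["entropies"]])
    for i in r["alerts"]:
        print(f"interval {i}: {r['groups'][i]} impact={r['impact'][i]}")
```

On this sample the first interval sits near 0.85 and the flooded one near 0.26, so only the second interval is clustered. Removing the attacker cluster's flows lifts the entropy back above β, while removing the heavy but legitimate source changes it by only a few hundredths; that difference is what the evaluation step uses to separate a genuinely suspicious user from an attacker. Note the complexity matches the page's O(n): every step is a single pass over the interval's flows or users, apart from the fixed number of k-means iterations.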
Evaluation Framework and Performance Metrics
The authors outlined the evaluation framework for the study, detailing dataset descriptions and performance metrics. The CIC-IDS2017, CSECIC2018, and CIC-DDoS2019 datasets were used, offering diverse network traffic data and attack scenarios. Performance was assessed using confusion matrix metrics, such as true positive, true negative, false positive, and false negative, along with accuracy, false positive rate (FPR), precision, recall, and F1-score.
The authors addressed data imbalance issues with metrics like the Matthews correlation coefficient (MCC) and the geometric mean (G-mean) to ensure comprehensive model evaluation. These metrics facilitated a thorough understanding of model performance, guiding effective DDoS detection.
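The reason MCC and G-mean are worth reporting next to accuracy is easiest to see on an imbalanced sample. The Python below is an added example, not code from the paper or this article: it computes the confusion matrix and every metric named above for two constructed detectors over 950 benign and 50 attack flows. The detector that flags nothing still reaches 95% accuracy, while its MCC and G-mean are both zero; the constructed "toy" detector and its miss and false-alarm counts are likewise assumptions for the demo.

```python
import math

# Constructed ground truth (not from the paper): 950 benign (0) then 50 attack (1) flows.
Y_TRUE = [0] * 950 + [1] * 50

def confusion(y_true, y_pred):
    """Counts of TP, TN, FP, FN with 1 = attack as the positive class."""
    pairs = list(zip(y_true, y_pred))
    return {
        "tp": sum(1 for t, p in pairs if t == 1 and p == 1),
        "tn": sum(1 for t, p in pairs if t == 0 and p == 0),
        "fp": sum(1 for t, p in pairs if t == 0 and p == 1),
        "fn": sum(1 for t, p in pairs if t == 1 and p == 0),
    }

def safe_div(num, den):
    """0.0 instead of a ZeroDivisionError for degenerate detectors (e.g. no positives predicted)."""
    return num / den if den else 0.0

def metrics(cm):
    """Accuracy, FPR, precision, recall, F1, MCC and G-mean from a confusion matrix."""
    tp, tn, fp, fn = cm["tp"], cm["tn"], cm["fp"], cm["fn"]
    recall = safe_div(tp, tp + fn)                 # true positive rate
    specificity = safe_div(tn, tn + fp)            # 1 - FPR
    precision = safe_div(tp, tp + fp)
    mcc_den = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return {
        "accuracy": safe_div(tp + tn, tp + tn + fp + fn),
        "fpr": safe_div(fp, fp + tn),
        "precision": precision,
        "recall": recall,
        "f1": safe_div(2 * precision * recall, precision + recall),
        "mcc": safe_div(tp * tn - fp * fn, mcc_den),
        "g_mean": math.sqrt(recall * specificity),
    }

def null_detector(y_true):
    """Flags nothing: high accuracy on imbalanced data while catching no attack."""
    return [0] * len(y_true)

def toy_detector(y_true):
    """Constructed predictions: misses the last 5 attacks and raises 10 false alarms."""
    preds = list(y_true)
    for i in range(5):
        preds[-1 - i] = 0
    for i in range(10):
        preds[i] = 1
    return preds

def evaluate(detector, y_true=Y_TRUE):
    return metrics(confusion(y_true, detector(y_true)))

if __name__ == "__main__":
    for name, det in (("null", null_detector), ("toy", toy_detector)):
        print(name, {k: round(v, 4) for k, v in evaluate(det).items()})
```

Accuracy alone ranks the null detector (0.95) almost level with the toy detector (0.985); MCC (0 versus about 0.85) and G-mean (0 versus about 0.94) make the gap obvious because both penalise a collapsed minority class, which is why a DDoS evaluation on skewed traffic should report them.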
System Performance and Comparative Findings
The researchers evaluated the proposed DDoS detection system through various experiments, including self-assessment and comparative analysis. Initially, a single-protocol dataset generator was used to test system parameters, followed by comprehensive testing on the CIC-IDS2017 dataset. The system’s performance was further assessed across multiple datasets: CIC-IDS2017, CSECIC2018, and CIC-DDoS2019. Key parameters, such as interval size, entropy lower threshold (β), and entropy deltas (δ), were examined for their impact on system accuracy and FPR.
Results showed that β influenced accuracy in three phases, with varying impacts on FPR and false negatives. The parameter δ also affected performance, but less significantly than β. The system was compared against existing techniques, including Lucid and various deep learning models. It consistently outperformed these methods in accuracy and robustness, though its behavior varied across datasets, with notable increases in FPR in some cases. Overall, the proposed model demonstrated superior performance in DDoS detection, highlighting its potential for real-world applications and providing a foundation for further research on enhancing detection systems.
Conclusion
In conclusion, the researchers presented a hybrid approach for DDoS attack detection and mitigation in SDNs by integrating entropy-based detection with ML clustering techniques. Evaluated using CIC-IDS2017, CSECIC2018, and CIC-DDoS2019 datasets, the approach effectively identified and blocked rapid attacks, demonstrating superior accuracy and robustness.
The integration of entropy-based alerting with k-means clustering enhanced real-time detection and system resilience. Future research should explore advanced ML algorithms, alternative clustering methods, trust-management mechanisms, and optimizations to further improve detection accuracy and system performance in SDN environments. The proposed model laid a solid foundation for advancing DDoS defense strategies.
Journal reference:
- Hassan, A. I., Eman, & Guirguis, S. K. (2024). An entropy and machine learning based approach for DDoS attacks detection in software defined networks. Scientific Reports, 14(1). DOI: 10.1038/s41598-024-67984-w, https://www.nature.com/articles/s41598-024-67984-w