Abstract
A software-defined network (SDN) brings a lot of advantages to the world of networking through flexibility and centralized management; however, this centralized control makes it susceptible to different types of attacks. Distributed denial of service (DDoS) is one of the most dangerous attacks that are frequently launched against the controller to put it out of service. This work uses the special capabilities of SDN to propose a solution, implemented on the multicontroller, that detects a DDoS attack at an early stage. This method not only detects the attacks but also identifies the attacking paths and starts a mitigation process to provide protection for the network devices. This method is based on the entropy variation of the destination host targeted with its IP address and can detect the attack within the first 250 packets of malicious traffic attacking a particular host. Then, fine-grained packet-based detection is performed using a deep-learning model to classify the attack into different types of attack categories. Lastly, the controller sends the updated traffic information to neighbor controllers. The chi-squared (χ²) test feature selection algorithm was also employed to reveal the most relevant features that scored the highest in the provided data set. The experiment result demonstrated that the proposed Long Short-Term Memory (LSTM) model achieved an accuracy of up to 99.42% using the data set CICDDoS2019, which has the potential to detect and classify the DDoS attack traffic effectively in the multicontroller SDN environment. In this regard, it improves accuracy by 0.42% compared with the RNN-AE model with data set CICDDoS2019, and by up to 0.44% in comparison with the CNN model with the different data set ICICDDoS2017.
1. Introduction
SDN is a new design that consists of three layers: data, control, and application plane, with the data and control planes being independent of one another [1]. The data plane is made up of switches and routers that forward network traffic; the control plane is comprised of NOX, POX, Beacon, Floodlight, and Open Daylight controllers; and the application plane contains applications that configure SDN. When the network is under a DDoS attack, the SDN controller is unable to respond to the normal traffic that is coming from the rest of the network, and the SDN loses centralized control. As a result, the key benefit of SDN, which is a centralized network control, is threatened by DDoS attacks [2, 3].
In this regard, most of the recent works are focused on detecting and classifying DDoS attacks with a single controller using different mechanisms and are also focused on either the accuracy or efficiency, not both. There are multiple controllers in data centers that need to be protected from DDoS attacks. Each of these controllers has a different network traffic tolerance level. Spoofing the source (also called a fake source address) is one approach to hiding the perpetrator’s identity when this kind of attack occurs [4, 5]. Furthermore, the attackers attempt to overwhelm the target with bogus packets for the malicious packets to be served. The causes of such attacks are as follows [6]: DDoS is a powerful weapon when there is a conflict between two groups or two individuals by obstructing an opponent’s applications and infrastructure; a person may intentionally become an attacker and carry out unwanted activities in response to a perceived injustice through this attack; and through cyber warfare (which is motivated by politics or geopolitics), a terrorist cell attempts to attack some of the sensitive zones to destroy the economic system. There are different forms of DDoS attacks that are indicated in Figure 1.

In the literature, there are several techniques available for detecting, classifying, and mitigating the DDoS attack. As such, the strategies are categorized into entropy-based, machine-learning-based, and deep-learning-based techniques [7]. The proposed entropy mechanism compares the entropy flow values of source and destination IP addresses that are detected by the SDN controller to predefined entropy threshold values that change adaptively based on network dynamics [8]. In this regard, some of the entropy-based DDoS attack detection solutions are located in various studies and explained in the following section [9–16].
The open challenges in DDoS attack detection and classification using entropy and a deep-learning model for multicontroller SDN could include the following: Developing more robust and accurate models: while the current study proposes a model for detecting and classifying DDoS attacks using entropy and deep learning, there is still room for improvement in terms of accuracy and robustness. Future studies could explore different machine-learning algorithms, feature selection techniques, and architectures to improve the performance of the model. Evaluating the model’s performance in a real-world environment: the current study evaluates the proposed model using simulated DDoS attacks. However, it is important to evaluate the model’s performance in a real-world environment where there are multiple types of traffic and network conditions are constantly changing. Future studies could explore how the model performs in actual network environments. Addressing the issue of false positives: false positives can be a significant issue in DDoS attack detection, as they can lead to unnecessary network downtime or resource allocation. Future studies could explore ways to reduce the number of false positives generated by the model. Considering the impact of DDoS attacks on different types of networks: the current study focuses on DDoS attacks in a multicontroller SDN environment, but DDoS attacks can target different types of networks such as cloud networks and IoT networks. Future studies could explore the impact of DDoS attacks on these different types of networks and develop models that are tailored to their specific characteristics.
By addressing these open challenges, future researchers can help advance the field of DDoS attack detection and classification and develop more effective and efficient techniques for protecting networks against these types of attacks.
2. Literature Review
Wang et al. [1] proposed a self-feedback dynamic thresholding system based on the previous results of trigger and detection. In this system, the threshold was used as a trigger and adjusted dynamically. Their results showed that the number of calls to the resource-consuming detection algorithm was reduced significantly. Omar et al. [2] analyzed the effects of distributed denial-of-service (DDoS) attacks on a software-defined networking environment and proposed an entropy-based approach to detect these attacks. They used the flexibility of the OpenFlow protocol and an OpenFlow controller (POX) to mitigate the attacks upon detection. Through simulation, the results of the detection algorithm were observed and then implemented into a small-scaled network test bed, and finally, the results of the proposed algorithm were presented and analyzed. Wang et al. [3] extended a copy of the packet number counter of the flow entry in the OpenFlow table. Based on the flow-based nature of SDN, they designed a flow statistics process in the switch. Later, they proposed an entropy-based lightweight DDoS flooding attack detection model running in the OF edge switch. This achieved distributed anomaly detection in SDN and reduced the flow collection overload to the controller. Also, the detailed algorithm was provided for a small calculation overload and implemented in SDN software or programmable switch, such as Open vSwitch and NetFPGA. The experimental results showed that this detection mechanism detected the attack quickly and achieved a high detection accuracy with a low false-positive rate.
Fawcett et al. [4] introduced TENNISON, a novel distributed SDN security framework that combines the efficiency of SDN control and monitoring with the resilience and scalability of a distributed system. They demonstrated the effectiveness and capabilities of the TENNISON framework through the use of four attack scenarios. Zubaydi et al. [5] reviewed the different detection techniques that were available to prevent DDoS attacks and the characteristics of these techniques. Wang et al. [10] proposed an SDN scalability architecture for multidomain, multivendor networking. They designed and implemented the coordinator controller to enable different SDN administrative domains. This method was validated by building a multidomain experiment environment consisting of three vendors. The results showed great ability in maintaining the consistency of the network state view and end-to-end provisioning services. Kavitha et al. [11] proposed a collaborative approach for DDoS attack detection in a distributed SDN multicontroller platform. It also analyzed DDoS attacks in distributed controllers, which differ from centralized controllers in SDNs. The study detected attacks and provided an attack mitigation process through the implementation of a monitoring solution that used the POX controller with the Open vSwitch.
Bawany et al. [17] proposed a framework capable of meeting application-specific DDoS attack detection and mitigation requirements. They explained how this framework can be utilized to secure applications built for smart cities. Furthermore, this work highlighted open research challenges, future research directions, and recommendations related to SDN-based DDoS detection and mitigation. Scott-Hayward et al. [18] presented a broad survey of the research relating to security in software-defined networking. Ahmad and Mir [19] presented the various control plane architectures and discussed various SDN controllers. They analyzed more than forty SDN controllers in terms of scalability, reliability, consistency, and security performance parameters. They also examined the mechanisms used by various SDN controllers.
Bannour et al. [20] reviewed an SDN with a special focus on the distributed SDN control. A thorough discussion was made on the major challenges of distributed SDN control along with some insights into emerging and future trends in that area. Krishnan and Najeem [21] presented the taxonomy of threats, risks, and attack vectors that can disrupt the SDN stack and extended various approaches to solve these problems, to deploy SDN securely in production environments. Pandikumar et al. [22] proposed a solution with an implementation running at the multicontroller to detect the DDoS attack at the early stage. The proposed method was based on the entropy variation of the destination host targeted with its IP address and detected the attack within the first 250 packets of malicious traffic attacking a particular host in the SDN. Lawal and Nuray [23] presented a real-time detection of the distributed denial-of-service (DDoS) attacks on the SDN and a control method based on the sFlow mitigation technology. For this, sFlow analysis samples of packets were collected from the network traffic, and handling rules were generated to be sent to the controller in case of an attack detection. The implementation was done by emulating the network in Mininet which runs on a Virtual Machine (VM), and it was shown that the proposed method effectively detects and mitigates DDoS attacks. Sebbar et al. [24] presented different attacks in SDN layers and interfaces, proposing two scenarios in order to describe the methodology of the Man-in-the-Middle (MITM) attack in different controllers like OpenDayLight (ODL), Open Network Operating System (ONOS), and RYU. They focused on the ODL controller which was the subject of this study. The simulation results indicated that the attackers easily controlled the SDN controller, and communication between the control layer and infrastructure layer was not secure. This result shows that ODL was vulnerable with respect to MITM attack. 
In this research, many recommendations and solutions to prevent and detect the MITM attack were offered.
Xu et al. [25] presented a twofold complication of management: one is an isolation mechanism enabling regional customization and overcoming flatness of OpenFlow networks, and the second one is achieved by dividing information into several sorts. Mohsin and Hamid [26] investigated the impact of a DDoS attack on an SDN environment and proposed a light and effective method for detecting this attack at an early stage based on calculating the entropy of destination network traffic IP addresses. The proposed method proved their ability to detect the DDoS attack with minimum detection time in three different SDN network topologies that were single, linear, and multicontroller. The RYU controller was used with the Mininet emulator and OpenFlow protocol. Sahoo et al. [27] reviewed security concerns of SDN, possible DDoS attacks in individual layers of SDN, and ongoing research efforts on SDN-enabled DDoS detection solutions. Based on the findings, an information distance-based flow discriminator framework was discussed.
Mousavi and St-Hilaire [9] proposed using the central control of an SDN for attack detection and introduced a solution that was effective and lightweight in terms of the resources. Dalou et al. [28] proposed an entropy-based mechanism for the distributed denial-of-service (DDoS) attack detection and mitigation in SDN networks that was evaluated through extensive simulation experiments. Wang and Liu [29] proposed a DDoS attack detection method based on information entropy and deep learning; the experiments indicated that the accuracy of this method reaches 98.98%, which has the potential to detect a DDoS attack traffic effectively in the SDN environment. Wei et al. [30] proposed a hybrid deep-learning technique that utilizes two deep neural network models for effective feature extraction and accurate DDoS attack detection and classification without human intervention.
Elsayed et al. [31] proposed the DDoSNet, against DDoS attacks in SDN environments. This method was based on a deep-learning (DL) technique, combining the Recurrent Neural Network (RNN) with an autoencoder. This model was evaluated using the newly released data set CICDDoS2019, which contains a comprehensive variety of DDoS attacks and addresses the gaps of the existing current data sets. The authors have noted a significant improvement in attack detection, as compared to other benchmarking methods. Hence, our model provides great confidence in securing these networks.
Gadze et al. [32] suggested the DDoS attack prediction using a hybrid deep-learning (DL) model, namely, a CNN with BiLSTM (bidirectional long/short-term memory), in order to effectively anticipate DDoS attacks using benchmark data from other models [33–38]. By ranking and choosing features that scored the highest in the provided data set, only the most pertinent features were picked. Experiment findings demonstrate that the proposed CNN-BI-LSTM attained an accuracy of up to 94.52 percent using the data set CICDDoS2019 during training, testing, and validation. The detailed research outputs and research gaps are indicated in Table 1.
From Table 1, most ML and deep-learning algorithms got the highest accuracy compared to traditional methods that can recognize both known and unknown DDoS attacks. However, to date, high accuracy is achieved during training but the accuracy in tests is lower, and there is a need to investigate new methods that can improve accuracy for unknown DDoS attacks and find an accurate solution for them.
3. Research Methodology
This section describes the material and methodology of the present work. The systematic diagram of the process steps for the implementation of feature selection methods and machine-learning classifiers is presented in Figure 2. To explain the investigation, this research discusses the methods that were used in the proposed solution in the SDN multicontroller.

3.1. Data Set Description
Adequate training and testing data sets were prepared for the desired solution. CICDDoS2019: DDoS attacks are a type of network security threat that is aimed at overloading target networks with malicious traffic. The data is prepared for the training model directly. The CICDDoS2019 data set was available in a .CSV format where more than 80 features were extracted using CICFlowMeter. The following steps were adopted to preprocess the data before the module training.
3.2. Feature Selection
Instead of choosing all features in the source data, we concentrated on identifying the appropriate attributes to forecast DDoS attacks. To choose the most optimum features from the raw data, numerous approaches, such as principal component analysis (PCA), decision tree, random forest regressor, and chi-squared (χ²) test, can be used. A χ² test analyzes whether the frequencies of particular classes and features are independent or reliant on the correlation among predictor and target variables.
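The ranking step described above, as an added Python example (not the authors' code). It assumes one common formulation of the score: per feature, the summed feature value in each class is compared with the value expected if feature and class were independent. The feature names, rows and labels are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: hypothetical feature names, three rows per class.
FEATURE_NAMES = ["syn_flag_count", "pkt_len_mean", "noise", "fwd_header_const"]
SAMPLE_ROWS = [
    [0, 500, 3, 20], [1, 520, 4, 20], [0, 480, 3, 20],     # BENIGN
    [9, 60, 4, 20], [10, 64, 3, 20], [8, 60, 3, 20],       # SYN
    [0, 1400, 3, 20], [0, 1380, 4, 20], [0, 1420, 4, 20],  # UDP
]
SAMPLE_LABELS = ["BENIGN"] * 3 + ["SYN"] * 3 + ["UDP"] * 3


def min_max_scale(rows):
    """Scale every column to [0, 1]; a constant column becomes all zeros."""
    columns = list(zip(*rows))
    lows = [min(c) for c in columns]
    spans = [max(c) - min(c) for c in columns]
    return [
        [(v - lo) / sp if sp else 0.0 for v, lo, sp in zip(row, lows, spans)]
        for row in rows
    ]


def chi2_scores(rows, labels):
    """Chi-squared score of each feature against the class labels."""
    if not rows or len(rows) != len(labels):
        raise ValueError("rows and labels must be non-empty and equally long")
    n_features = len(rows[0])
    observed = defaultdict(lambda: [0.0] * n_features)  # class -> column sums
    class_size = defaultdict(int)
    for row, label in zip(rows, labels):
        if any(v < 0 for v in row):
            raise ValueError("chi-squared scoring needs non-negative features")
        class_size[label] += 1
        for j, value in enumerate(row):
            observed[label][j] += value
    totals = [sum(observed[c][j] for c in observed) for j in range(n_features)]
    scores = []
    for j in range(n_features):
        score = 0.0
        for label, size in class_size.items():
            # Expected sum if the feature were independent of the class.
            expected = totals[j] * size / len(rows)
            if expected > 0:
                score += (observed[label][j] - expected) ** 2 / expected
        scores.append(score)
    return scores


def rank_features(names, rows, labels):
    """Return (name, score) pairs, most class-dependent feature first."""
    scores = chi2_scores(min_max_scale(rows), labels)
    return sorted(zip(names, scores), key=lambda pair: -pair[1])


def select_top_k(names, rows, labels, k):
    """Names of the k highest-scoring features."""
    return [name for name, _ in rank_features(names, rows, labels)[:k]]


if __name__ == "__main__":
    for name, score in rank_features(FEATURE_NAMES, SAMPLE_ROWS, SAMPLE_LABELS):
        print(f"{name:18s} {score:.4f}")
```

Without the scaling step the raw score grows with a column's magnitude, so a large-valued feature such as packet length would outrank a small counter regardless of how well it separates the classes.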
3.3. Parameter Setting
To increase the likelihood of getting an appropriate classification while backtesting the proposed model, the hyperparameters must be set up correctly and changed during creation of the deep-learning model. Higher accuracy and a reduced chance of overfitting the data are two benefits of using the suggested ideal hyperparameters. The evaluation of the deep-learning model by backtesting it with the test data reveals the optimal value for a hyperparameter.
3.4. Model Training
After feature selection, the suggested framework Keras input format is supported by the deep-learning model, which is created utilizing the input layer’s regularization, recurrent, activation, and dense layer shapes. Consequently, the model needs to be compiled after the model and network are created. The evaluation metrics are a requirement for the following stage of model training.
4. Proposed DDoS Attack Detection and Classification
The main contribution of the study is DDoS attack detection and classification in a multicontroller SDN that is also implemented with three POX controllers. Its performance is also evaluated through accuracy, recall, F1-measure, and precision.
4.1. Proposed Model Architecture
Figure 3 shows the architecture for the DDoS attack detection system and classification method. Based on this context, the gaps of the proposed model architecture solution are addressed.
(i) The irrelevant attribute and high training time are addressed using a feature selection algorithm
(ii) The binary classification (attack and normal) does not have a detailed description of the attack type. This proposed model addresses this issue by adding a categorical classification
(iii) Using the single controller topology leads to the single point of failure. This proposed model addresses this issue by using multiple controller detection

4.2. Entropy-Based Method (Controller Detection Design)
Entropy-based methods depend on network feature distributions to detect anomalous network activities [19]. Entropy is calculated using probability distributions for several network features including source IP address, destination IP address, and port numbers. Anomalies are detected using predetermined criteria on changes in the entropy values. The initial section of the overall method includes PACKET_IN message rate detection, port entropy detection, and the control module. The controller is responsible for filtering suspicious traffic previously to improve recall. The control module is implemented by the controller itself.
4.3. Rate Detection Module
An attacker can launch a DDoS in an SDN system by sending spoof packets that do not match any switch flow entries. The switch will send PACKET_IN messages to the controller to request the processing method. Thus, the received packet rate by the controller increases in a short time. When it exceeds the normal threshold, the possibility of the current network being attacked increases. The following step is to determine if the abnormal performance is caused by a network attack or flash crowd behavior.
4.4. Entropy Detection Module
In a normal network, packets are distributed to diverse hosts, but in a DDoS attack, large numbers of attack packets are dispatched to the same IP address. The attack can be analyzed and detected, based on either the data size or the number of packets in the flow table entry with the same IP address. The proposed work defines the conditions required of the POX controller to handle DDoS attack packets. Here, every controller has a threshold level for security metrics. When a packet from a client arrives at the open switch, the switch updates the flow table entry with all the packet details. It then verifies the packet fields with the controller rule set (i.e., packet sizes, IP address, port, and window size).
Once the condition is matched, the packets are forwarded to the allocated destination port. When large numbers of packets arrive with a repeated IP address, the switch identifies the rule mismatches and redirects them to the controller. The controller calculates the entropy given by the switches. The entropy is based on the threshold value, found against the rule set, in every suspicious host. The controller decides that a DDoS attack has taken place. Meanwhile, the controller sends the packets based on the high entropy value to the deep detection server module for additional attack detection and classification. Then, the attack detection and classification information are sent to the neighborhood controllers which are connected in a distributed setup. Attacks must be detected at the earliest to protect the controllers and other forwarding components. In the existing study, attack detection was done for the first 50 packets, while the subsequent study considered the first 50 incoming packets for detection.
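The PACKET_IN rate check of Section 4.3 followed by the destination-IP entropy check of this section, as an added Python example (not the authors' POX code). The 50-packet window, the five consecutive windows (250 packets), the base-10 logarithm, the rate threshold and all traffic are assumptions or constructed values; only the entropy threshold of 1 is the value quoted in Section 5.1.

```python
import math
from collections import Counter

WINDOW_SIZE = 50           # packets per entropy window (assumed)
CONSECUTIVE_WINDOWS = 5    # 5 x 50 = 250 packets before an alert (assumed split)
ENTROPY_THRESHOLD = 1.0    # threshold value quoted in Section 5.1
RATE_THRESHOLD = 100.0     # PACKET_IN messages per second (constructed value)


def window_entropy(dst_ips, base=10):
    """Shannon entropy of the destination-IP distribution in one window."""
    total = len(dst_ips)
    entropy = 0.0
    for count in Counter(dst_ips).values():
        p = count / total
        entropy -= p * math.log(p, base)
    return entropy


class EarlyDetector:
    """Tumbling-window detector, fed once per PACKET_IN message."""

    def __init__(self):
        self.window = []        # (timestamp, dst_ip) pairs of the open window
        self.low_streak = 0     # consecutive suspicious windows so far
        self.packets_seen = 0

    def on_packet_in(self, timestamp, dst_ip):
        """Return an alert dict when an attack is declared, else None."""
        self.packets_seen += 1
        self.window.append((timestamp, dst_ip))
        if len(self.window) < WINDOW_SIZE:
            return None
        span = self.window[-1][0] - self.window[0][0]
        rate = WINDOW_SIZE / span if span > 0 else float("inf")
        dsts = [ip for _, ip in self.window]
        entropy = window_entropy(dsts)
        self.window = []
        # Stage 1: abnormal PACKET_IN rate. Stage 2: destinations concentrated
        # on few hosts. Both must hold for the window to count as suspicious.
        if rate > RATE_THRESHOLD and entropy < ENTROPY_THRESHOLD:
            self.low_streak += 1
        else:
            self.low_streak = 0
        if self.low_streak < CONSECUTIVE_WINDOWS:
            return None
        self.low_streak = 0
        target = Counter(dsts).most_common(1)[0][0]
        return {"packets_seen": self.packets_seen, "target": target,
                "entropy": round(entropy, 3), "rate": round(rate)}


def normal_traffic(n, start=0.0, interval=0.05):
    """Constructed benign traffic: round-robin over 20 hosts."""
    return [(start + i * interval, "10.0.0.%d" % (1 + i % 20)) for i in range(n)]


def attack_traffic(n, start, victim="10.0.0.5", interval=0.001):
    """Constructed flood: 9 of every 10 packets go to the victim."""
    packets = []
    for i in range(n):
        dst = victim if i % 10 != 9 else "10.0.0.%d" % (30 + (i // 10) % 20)
        packets.append((start + i * interval, dst))
    return packets


def first_alert(packets):
    """Feed a packet list to a fresh detector; return its first alert or None."""
    detector = EarlyDetector()
    for timestamp, dst_ip in packets:
        alert = detector.on_packet_in(timestamp, dst_ip)
        if alert:
            return alert
    return None


def demo():
    """100 benign packets followed by a 300-packet flood."""
    return first_alert(normal_traffic(100) + attack_traffic(300, start=5.0))


if __name__ == "__main__":
    print(demo())
```

A fast but evenly spread burst (`normal_traffic(500, interval=0.001)`) passes the rate check yet keeps its entropy above the threshold, so it raises no alert.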
4.5. Deep Detection Server Design (Deep Learning)
In this research, a method for detecting DDoS attacks in multicontroller SDNs based on information entropy and deep learning is offered. To begin, the controller can review suspicious (untrusted packets) traffic by detecting information entropy. The deep-learning model then uses detailed packet-based detection to classify the attack into different attack types (Figure 4). This technique brings together the advantages of information entropy and deep learning. Finally, the controller distributes the change to all neighborhood controllers.

Two-level detection is used for network traffic to ensure high accuracy and minimal computing complexity at the same time. To ensure great efficiency, the controller runs a preliminary section based on information entropy. The packet-based deep section uses deep detection to ensure fine granularity and high accuracy. The detection includes the data-processing section and the deep-learning detection section. The traffic will be transformed into the acceptable input shape in the first section. The second section outputs the detection and classification results based on the deep-learning method.
(1) Data-processing module: before feeding the input data to the training model, we need to prepare the data via normalization, encoding, feature extraction, and feature selection
(2) Feature selection: feature selection, one of the main components of feature engineering, is the process of selecting the most important features to input into deep-learning algorithms. Feature selection techniques are employed to reduce the number of input features by eliminating redundant or irrelevant features and narrowing down the set of features to those most relevant to the deep-learning model. This feature selection makes our model more accurate in detection and classification, reduces overfitting, reduces running time, and lessens the error rate
(3) Deep-learning detection module: here in this module, four deep-learning models have been applied and compared for the best accuracy and the lowest error rate among all. These algorithms are MLP, RNN, LSTM, and GRU. The dropout layer is added before the output layer to prevent overfitting and improve the generalization ability of the model. It enables neurons (for activation or deactivation) with the probability of the parameter
4.6. Multicontroller Architecture
In this research study, a logically centralized and physically distributed controller architecture is used. Logically centralized means that the architecture takes advantage of the concept of a multicontroller design; at the same time, a single controller is also considered. In a logically centralized architecture, all the controllers have the same responsibilities, and they split the charge equally. They are always aware of every change in the network, and they share the same information instantly, thanks to network synchronization. The network information is stored in the NIB (Network Information Base) and writes and reads the contents of NIB to synchronize the state of each controller. Controllers detect malicious activity quickly, based on the threshold level of packets, and decide on whether the packets are to be forwarded or sent to the deep detection server for attack classification. This analysis will be updated in the controller database and sent to other controllers in the distributed controller connection domain, so their databases are updated as well, as shown in Figure 5.

4.7. Algorithm Implementation and Evaluation
4.7.1. Experiments on Entropy-Based Method
Entropy measures the probability of an event happening concerning the total number of events. Lower values of entropy will be regarded as attacks based on the tests conducted, which helps to determine a threshold for entropy. Any time the network configuration changes, the threshold can be adjusted. Figure 6 shows the virtual box window running Mininet.

The experiment covers four cases of normal and attack traffic runs.
(i) Normal traffic is run on all switches with randomly generated packets going to all hosts to find the threshold for usual traffic (normal)
(ii) Attack traffic is run from two hosts. Attacks were run manually
4.7.2. Deep-Learning Simulation
The DDoS2019 data set is used in this experiment. It includes 12 categories of the most recent common DDoS assaults as well as normal (benign) traffic. The data set is based on real-world data (PCAPs) with labeled flows based on attack vectors (.CSV files). These DDoS attack type data sets have a size of 20.7 GB, and it is quite difficult to find a device that can process data of this size; it needs a high GPU. In this experiment, 81 features, 300,000 total rows for each attack type, and more than 1 million rows in the data set were selected. The attack types used in this experiment are LDAP, UDP, UDP_lag, SYN, WebDDoS, and BENIGN.
4.7.3. Feature Selection
Principal component analysis (PCA), decision tree, random forest regressor, and chi-squared (χ²) test [29] can all be used to select the most optimal features from raw data. This study used a χ² test to rank and choose features as indicated in the following equation.
5. Performance Evaluations and Discussion
In this section, performance evaluations of the proposed models for DDoS attack detection and classification using entropy and deep learning are discussed. In this case, we first considered testing the entropy-based experiment and also the four deep-learning models to evaluate their performance achievements. Finally, the comparison was made with selected existing works.
5.1. Result of the Entropy-Based Experiment
Figure 7 shows when normal traffic is flowing to the controller; as a result, the controller is also expected to do nothing except calculate the entropy value. This value helps the controller to determine whether the packet is an attack or not. In this regard, the entropy value is stable, and there is no sudden change that would make the controller suspect the existence of an attack; therefore, the controller takes no action.

In Figure 8, in a condition where there is an attack detected in the network, the entropy value does not stay as stable as in the normal environment. The entropy value goes down below the threshold value which, in this case, is equal to 1. In this scenario, the attack traffic has been generated from two hosts, making one of the other hosts as the target. Figure 6 shows the sudden change in the packet flow as expected.

Figure 9, which is shown below, compares the outcomes of normal traffic and attack traffic entropy value variations. As a result, as the normal traffic is being generated and growing from the threshold set, its entropy value changes and is displayed. However, when a controller detects attack traffic, the entropy value decreases and falls below the threshold level. Here, it can be concluded that entropy-based attack detection has good efficiency with less accuracy. To increase the accuracy of the controller, the traffic which is lower than the threshold value is forwarded into the deep detection server which is running a deep-learning algorithm; then, the deep detection server detects the attack and classifies it into different attack types.

Based on Figure 9, by generating normal traffic, the entropy value is calculated as 1.15 to avoid false positives, and for false negatives, the entropy value is taken as 1. This entropy value will be a threshold for detecting the attack. In Figure 9, when traffic is generated from hosts 1 and 2, the entropy value decreases to 0.04; this decrement of the entropy value increases the probability of an attack.
5.2. Results of the Deep-Learning Models
Here we made four experiments under the same data set (i.e., DDoS2019) with regard to different deep-learning algorithms, including GRU, RNN, LSTM, and MLP. In all experiments, initialization of the sequential function of the SoftMax layer takes the input and classifies the data into six different types of attacks independently using categorical classification. In the loss function, categorical cross-entropy is used with the Adam optimizer that has a learning rate of 0.001 for RNN, GRU, and LSTM models, while categorical cross-entropy with the Adadelta optimizer having a learning rate of 0.001 has been used for the MLP model. In order to minimize overfitting of the model, a dropout of 0.01 is used for the RNN, GRU, and LSTM models, while for the MLP model, it is 0.03. The models are also trained with several epochs and batch sizes of 1000 for RNN, GRU, and LSTM, while the batches sizes of MLP are 800. The experiment has been made on each algorithm separately in order to finally consider the optimal one with respect to the accuracy of the evaluation metric.
5.2.1. RNN Model Assessment
Figures 10 and 11 show that the RNN model trains up to 30 epochs. The result shows that the training loss was reduced from 0.9674 to 0.0692, while the testing loss was reduced from 0.6023 to 0.0521. Also, the training accuracy has improved from 0.6847 to 0.9811, and the testing accuracy was enhanced from 0.7300 to 0.9861.


5.2.2. GRU Model Assessment
This model trains up to 18 epochs, which are shown in Figures 12 and 13 below. The results show that the training loss has been reduced from 1.3092 to 0.2140, while the testing loss was reduced from 1.0126 to 0.1664. Also, the training accuracy has improved from 0.4858 to 0.9526, and the testing accuracy enhanced from 0.5413 to 0.9642.


5.2.3. LSTM Model Assessment
Figures 14 and 15 show that the LSTM model trains up to 23 epochs. The training loss has been reduced from 1.2709 to 0.0178; similarly, the testing loss was also reduced from 0.7896 to 0.0184. Also, the training accuracy has been improved from 0.6372 to 0.9952, and the testing accuracy was enhanced from 0.7458 to 0.9943.


5.2.4. MLP Model Assessment
Lastly, the result under Figures 16 and 17 shows that the MLP model trains up to 40 epochs. The training loss has been reduced from 1.3105 to 0.0822, and the testing loss was reduced from 0.8991 to 0.0786. Also, the training accuracy has been improved from 0.7151 to 0.9819, and the testing accuracy was enhanced from 0.7899 to 0.9833.


Therefore, from the obtained results, one can conclude that the LSTM model beats the other three models since it reduces training_loss by 0.0280 and testing_loss by 0.0193, which are lower than those of the other models. As a result, this model also improved the training accuracy by 0.99311 and the testing accuracy by 0.9957.
5.3. Performance Evaluation of Proposed Models
First, a performance evaluation of the four selected deep-learning models (RNN, GRU, MLP, and LSTM) has been conducted using accuracy, precision, recall, and F1-score. For the six DDoS attack types, their respective results are shown in Table 1, based on evaluation metrics such as accuracy, recall, F1-score, precision, training_loss, val_loss, training accuracy, and val_accuracy of the proposed models. The LSTM model is better for the classification of the given data set into 6 different attack types. In this experiment of the LSTM model, an accuracy of 99.56 is achieved that is better than those of the other three deep-learning algorithms. And also, LSTM has reduced the and the that are lower loss rates than in the other algorithms. Lastly, in the comparison, the accuracy is also better than those of the others with a training accuracy of 0.9931 and testing_accuracy of 0.9957. Based on the experiment, LSTM also has better precision, recall, and F1-score as described in Table 2. So, based on the four experiments, it is concluded that LSTM has better classification accuracy than the others. Furthermore, Figure 18 represents their experiment results.

The ROC curve is used to measure and verify that those models operate accurately. The ROC curve indicates the relation between two parameters: true and false classes. The area underneath the ROC curve (AUC) measures separability between false-positive and true-positive rates.
In other experiment results, the ROC of the proposed four deep-learning models such as GRU (Figure 19), RNN (Figure 20), MLP (Figure 21), and LSTM (Figure 22) with the data set DDoS2019 are shown.




Lastly, the experiment result of the proposed LSTM model has been compared with other well-known models in the related work. Baseline papers and other related papers with the same data set are selected. Their performance results are shown in Table 3 as well as Figure 23. From the result, it is concluded that the proposed model, LSTM with feature selection, has a higher accuracy than the others.

Compared with the baseline models, the accuracy of the LSTM model is higher by 0.421% than that of the RNN-AE model on the CICDDoS2019 data set. It is also higher by 0.44% than that of the CNN model on the ICICDDoS2017 data set.
To increase reliability, this model used a logically centralized and physically distributed controller architecture. To increase efficiency and accuracy, entropy-based and deep-learning models are used. The entropy-based model improved the efficiency, whereas deep learning increased accuracy. Traffic arriving from the data plane is forwarded to the entropy module on the controller, which calculates the probability that it is an attack. If the probability is high, the controller forwards the traffic to the deep-learning module for better accuracy. This entropy-based stage prevents the controller from overloading, which will increase efficiency and accuracy. These two methods together can improve the efficiency and accuracy of the model.
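The first-level entropy check described above can be sketched as follows. This is an added example, not the authors' controller code: the window of 50 packets, the five-window streak (250 packets in total), the normalized threshold of 0.5, and the sample traffic are all assumptions or constructed values.

```python
import math
from collections import Counter

WINDOW = 50        # packets per window (assumed; the page gives no window size)
CONSECUTIVE = 5    # low-entropy windows before alerting: 5 * 50 = 250 packets
THRESHOLD = 0.5    # normalized-entropy cutoff (assumed; calibrate on baseline traffic)

def normalized_entropy(dst_ips):
    """Shannon entropy of the destination IPs in one window, scaled to [0, 1]."""
    n = len(dst_ips)
    if n < 2:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(dst_ips).values())
    return h / math.log2(n)

class EntropyDetector:
    """First-level check: flags a destination once entropy stays low long enough."""
    def __init__(self, window=WINDOW, consecutive=CONSECUTIVE, threshold=THRESHOLD):
        self.window, self.consecutive, self.threshold = window, consecutive, threshold
        self.buf, self.streak, self.suspects = [], 0, Counter()

    def observe(self, dst_ip):
        """Feed one packet; return the suspected victim IP on alert, else None."""
        self.buf.append(dst_ip)
        if len(self.buf) < self.window:
            return None
        win, self.buf = self.buf, []
        if normalized_entropy(win) >= self.threshold:
            self.streak, self.suspects = 0, Counter()  # traffic is spread out again
            return None
        self.streak += 1
        self.suspects.update(win)
        if self.streak < self.consecutive:
            return None
        victim = self.suspects.most_common(1)[0][0]
        self.streak, self.suspects = 0, Counter()
        return victim  # hand this destination's flows to the deep-detection stage

def first_alert(packets):
    """Return (victim_ip, packets_seen) for the first alert, or None."""
    det = EntropyDetector()
    for seen, ip in enumerate(packets, start=1):
        victim = det.observe(ip)
        if victim:
            return victim, seen
    return None

def constructed_traffic(normal=200, attack=300, victim="10.0.0.5"):
    """Constructed sample: round-robin over 20 hosts, then 90% aimed at one host."""
    hosts = [f"10.0.0.{i}" for i in range(1, 21)]
    pkts = [hosts[i % 20] for i in range(normal)]
    return pkts + [hosts[i % 20] if i % 10 == 0 else victim for i in range(attack)]
```

Requiring a streak of low-entropy windows rather than a single one keeps a short burst toward a popular host from reaching the deep-detection server.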
The feature selection method (chi-squared (χ²)) provides better accuracy by selecting only essential or high-weighted features from the data set. Therefore, the LSTM model with the feature selection technique has high accuracy and low error classification. Then, this LSTM model was deployed in the deep detection server in our controller architecture. Also, it classifies the attack via categorical classification to specifically know which attack type comes to the controller.
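To make the feature-scoring step concrete, here is an added example (not the authors' code) that computes a chi-squared score per feature and keeps the top k. It assumes the count-based form of the statistic for non-negative features, which is one common choice; the page does not say which implementation was used, and the feature names, rows, and labels are constructed.

```python
from collections import defaultdict

# Constructed sample: three hypothetical flow features, three traffic classes.
NAMES = ["f_syn_rate", "f_udp_len", "f_const"]
ROWS = [[9, 1, 5], [11, 1, 5],      # syn
        [0, 8, 5], [1, 10, 5],      # udp
        [2, 2, 5], [1, 2, 5]]       # benign
LABELS = ["syn", "syn", "udp", "udp", "benign", "benign"]

def chi2_scores(rows, labels):
    """Chi-squared score of each feature column against the class labels."""
    if any(v < 0 for row in rows for v in row):
        raise ValueError("chi-squared scoring needs non-negative features; rescale first")
    n, n_feat = len(rows), len(rows[0])
    observed = defaultdict(lambda: [0.0] * n_feat)   # per-class sum of each feature
    class_count = defaultdict(int)
    for row, label in zip(rows, labels):
        class_count[label] += 1
        for j, v in enumerate(row):
            observed[label][j] += v
    scores = []
    for j in range(n_feat):
        total = sum(observed[c][j] for c in observed)
        score = 0.0
        for c, count in class_count.items():
            expected = total * count / n   # share expected if feature ignored the class
            if expected > 0:
                score += (observed[c][j] - expected) ** 2 / expected
        scores.append(score)
    return scores

def select_top_k(names, rows, labels, k):
    """Return the k (name, score) pairs with the highest chi-squared score."""
    ranked = sorted(zip(names, chi2_scores(rows, labels)),
                    key=lambda pair: pair[1], reverse=True)
    return ranked[:k]
```

A feature that takes the same value in every class, like `f_const` here, scores zero and is dropped first.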
5.4. Results and Discussion
Based on the experiment outcome using the CICDDoS2019 data set, the entropy-based and deep-learning model obtained better results in terms of efficiency and accuracy in detecting and classifying DDoS attacks. In entropy-based detection, the probability of the attack is identified, and then it is sent to the deep-learning module. This increases the efficiency of the controller and decreases overloading of the deep detection server. In the deep-learning model experiment, the chi-squared (χ²) feature selection technique has been used, which helps us to focus on the essential and high-weighted features. In the experiment, RNN, MLP, LSTM, and GRU approaches were used. Before training the model, the data set is preprocessed; after that, the feature selection method is used to get the high-weighted features, which are then fed into the RNN, MLP, LSTM, and GRU deep-learning models. The standard RNN is easier to use and requires less training time. GRU uses fewer training parameters and, therefore, uses less memory and executes faster than LSTM, while LSTM is capable of learning long-term sequences on a larger sample and is more accurate.
However, the outcomes of the detection and classification of the DDoS attack using the feature selection method are promising when the qualitative results are evaluated. When comparing the overall features of information in the data set, the model’s detection and classification accuracy are increased and the error rate is decreased. Accordingly, the LSTM model has achieved an accuracy improvement of 3.02%, 1.82%, and 1.12% in comparison with GRU, RNN, and MLP, respectively. On the other hand, the authors compared their proposed model with the baseline and related work models, over which LSTM has brought significant improvements. When compared with the RNN-AE model with data set CICDDoS2019 and the CNN model with data set ICICDDoS2017, it has achieved improvements of 0.421% and 0.44%, respectively.
5.4.1. Case Studies Based on This Method
A potential case study for the DDoS attack detection and classification using an entropy-based and deep-learning model for multicontroller SDN to solve the proposed architecture could be as follows:
(1) Scenario. A large e-commerce website is experiencing a DDoS attack that is causing a significant slowdown in its network traffic. Assume that the network has been configured with the SDN architecture. The network administrator is unable to detect and mitigate this attack using their traditional existing security measures and needs a more robust solution.
(2) Proposed Approach. The proposed architecture involves using an entropy-based and deep-learning model to detect and classify DDoS attacks in a multicontroller SDN environment. Our current architecture includes multiple controllers that work together to monitor and analyze network traffic and identify potential DDoS attacks in order to assist the network administrator.
5.4.2. Case Study Steps
(1) Implementation. The IT team implements the proposed architecture in the e-commerce website’s network infrastructure. The architecture is configured to monitor all incoming traffic and detect any anomalies that could indicate a DDoS attack.
(2) DDoS Attack Simulation. The IT team simulates a DDoS attack on the e-commerce website’s network by generating a large number of requests from multiple sources. The attack is designed to overwhelm the network and cause a significant slowdown in traffic.
(3) Detection and Classification. The proposed architecture detects and classifies the DDoS attack using the entropy-based and deep-learning model. The controllers work together to analyze the network traffic and identify the characteristics of the attack.
(4) Mitigation. Once the DDoS attack is detected and classified, the proposed architecture triggers a mitigation mechanism to block the attack traffic and restore normal network traffic. The mitigation mechanism could be implemented through a variety of methods, such as traffic filtering, traffic shaping, or blacklisting of the attacker’s IP addresses.
(5) Evaluation. The IT team evaluates the effectiveness of the proposed architecture in detecting and mitigating the DDoS attack. They analyze the accuracy of the detection and classification, the speed and effectiveness of the mitigation mechanism, and the overall impact on network performance.
(6) Comparison with Existing Solutions. The IT team compares the performance of the proposed architecture with their existing security measures for detecting and mitigating DDoS attacks. They evaluate the strengths and weaknesses of each approach and determine if the proposed architecture provides a more effective and efficient solution.
By implementing this case study, the researcher can demonstrate the effectiveness of their proposed architecture in a real-world scenario and provide evidence of its potential benefits. The case study can also highlight any challenges or limitations of the proposed architecture and provide insights into how these challenges can be addressed.
6. Conclusions
The networking industry and academia have concluded that distributed controller designs are necessary for the future of SDN because centralized systems cannot meet the demands of efficiency, scalability, and availability. Also, DDoS attack detection and classifications in multicontroller SDN have significant benefits to the new SDN-based data centers being designed. An entropy-based and deep-learning model is proposed for effectively and accurately classifying the attacks. To ensure high accuracy and low computational complexity at the same time, two-level detection is applied for network traffic. The controller performs a preliminary section based on information entropy to assure high efficiency. The deep detection server is used for the packet-based deep detection to guarantee fine granularity and high accuracy.
The chi-square (χ²) test is used as the feature selection algorithm to reveal the most relevant features and perform an effective classification. Secondly, the baseline model is limited to binary classification (attack and normal), which lacks a detailed description of the attack type. This problem is addressed by categorical classification, which makes it possible to describe specifically the type of attack that is coming to the controller.
Thirdly, the baseline model is focused on a single controller topology, which leads to a single point of failure. The requirements for efficiency, scalability, security, and availability are not met by that architecture; a multicontroller architecture is used here to avoid a single point of failure and to increase efficiency, scalability, and availability.
In this paper, a comprehensive solution has been provided for SDN multicontroller architectures by explaining their characteristics and presenting different scenarios of the implementation. In this work, the effort to implement a multicontroller-based SDN solution to detect a DDoS attack on the controller is accomplished. The environment is implemented using a logically centralized but physically distributed POX controller. This brings many solutions to the shortcomings of the single controller-based environment. This research succeeded in detecting DDoS attacks early in a multicontroller structure.
Finally, incorporating the entropy-based and deep-learning method into a model that has a better efficiency and accuracy of DDoS attack detection and classification in multicontroller SDN is achieved. Based on the experiment results, accuracy of 98.6% from RNN, 98.3% from MLP, 96.4% from GRU, and 99.42% from LSTM are recorded. Among all, LSTM showed high accuracy compared to the other proposed models. With the baseline work comparison without feature selection, CNN with the ICICDDoS2017 data set has an accuracy of 98.98%, and the RNN autoencoder with the CICDDoS2019 data set has an accuracy of 99%.
The experiment result shows that the effectiveness and accuracy of the proposed model with feature selection have a higher accuracy of 99.42% than those of the baseline papers without feature selection. This work concludes that a logically centralized and physically distributed architecture, as well as use of the feature selection method, allows for increased reliability, efficiency, and availability.
Data Availability
The data sets used and/or analyzed during the current study are available from the corresponding author on reasonable request.
Ethical Approval
All procedures performed in the studies were in accordance with the ethical standards of the institutional and/or national research committee and with the comparable ethical standards.
Consent
For this type of study, formal consent is not required. Authors give consent for the publication of the submitted research article in Silicon.
Disclosure
A preprint has been previously published in the following link: https://www.researchsquare.com/article/rs-2243470/v1 [40].
Conflicts of Interest
The authors declare that they have no competing interest.
Authors’ Contributions
Tewelde Gebremedhin Gebremeskel was responsible for investigating and executing the entire objective of the work, using proper research methodology. Ketema Adere Gemeda was responsible for the topic selection and supervising and executing the research as per scientific principles. T. Gopi Krishna was responsible for development of the algorithms as per the research work and for executing the program. Perumalla Janaki Ramulu was responsible for the mathematical understanding, program verifications, literature execution, and compilation of the data. Every author has significant contribution towards the successful completion of the research work associated with the manuscript.
Acknowledgments
The authors would like to take this opportunity to acknowledge the Adama Science and Technology University for providing the necessary facilities to support this investigation.