Software-defined networking (SDN) nowadays is extensively being used in a variety of practical settings, provides a new way to manage networks by separating the data plane from its control plane. However, SDN is particularly vulnerable to Distributed Denial of Service (DDoS) attacks because of its centralized control logic. Many studies have been proposed to tackle DDoS attacks in an SDN design using machine-learning-based schemes; however, these feature-based detection schemes are highly resource-intensive and they are unable to perform reliably in such a large-scale SDN network where a massive amount of traffic data is generated from both control and data planes. This can deplete computing resources, degrade network performance, or even shut down the network systems owing to being exhausting resources. To address the above challenges, this paper proposes a big data framework to overcome traditional data processing limitations and to exploit distributed resources effectively for the most compute-intensive tasks such as DDoS attack detection using machine learning techniques, etc. We demonstrate the robustness, scalability, and effectiveness of our framework through practical experiments.

Cloud computing is now considered to be the most cost-effective platform for offering business and consumer IT services over the Internet. However, it is prone to new vulnerabilities. Specifically, a newly discovered type of attack, called an economic-denial-of-sustainability attack known as EDoS, exploits the pay-per-use model to scale up the resource usage over time to the degree that the cloud user has to pay for the unexpected usage charge. To prevent EDoS attacks, we propose an effective solution in the SDN-based cloud computing environment. We first introduce a machine-learning-based approach adopting a framework called MAD-GAN which applies an unsupervised multivariate anomaly detection technique based on Generative Adversarial Networks (GANs)...

In our previous work, we proposed an efficient scheme for detecting compromised SDN switches based on chaotic analysis of network traffic using an autoregressive-integrated-moving-average model. This scheme showed good results overall; however, it still showed high false-alarm rates due to a hard-set threshold. In this paper, we propose an enhanced scheme to detect compromised SDN switches effectively and reliably. The scheme consists of two phases (online and offline), leveraging the advantages of a stochastic recurrent neural network variant of multivariate time-series-based anomaly detection. Our main idea is to capture the normal patterns of multivariate time series by learning strong representations with the key techniques, such as planar normalizing flow and stochastic variable connection, then reconstruct input data by the representations, and use the reconstruction probabilities to find anomalies. Evaluation results of our proposed scheme yield outstanding performance in comparison with our previous work and other solutions.

To prevent EDoS attacks, we propose an efficient solution in the SDN-based cloud computing environment. In this paper, we first apply an unsupervised learning approach called Long Short-Term Memory (LSTM), which is a multivariate time series anomaly detection, to detect EDoS attacks. Its key idea is to try to predict values of the resource usage of a cloud consumer (CPU load, memory usage and etc). Furthermore, unlike other existing proposals using a predefined threshold to classify the anomalies which generate high rate errors, in this work, we utilize a dynamic error threshold which delivers much better performance. Through practical experiments, the proposed …

SYN Flooding Attack, one of the typical Denial of Service attacks, may not only exhaust the resource of a victim but also paralyze the entire SDN network by a large number of control messages between controllers and SDN switches. Although various approaches have been proposed to defend the SYN flooding attack, they still have some drawbacks such as packet processing overload and delay. Therefore, this paper proposes an efficient SYN flooding defense scheme utilizing the TCP Time Out mechanism and Round-Trip Time (RTT). The experiment results show the proposed scheme can defend the attack with low bandwidth occupation between the controller and SDN switches and little computing resources…

Network flow is susceptible to disruption through a software-defined network caused by malicious switches. The malicious behaviors such as dropping traffic, adding or delaying traffic are diverse. Once a switch is compromised by an attacker, the switch could be malfunctioning or configured incorrectly. In this paper, we propose a real-time method of detecting compromised SDN switches based on chaotic analysis of network traffic. An ARIMA model is used to predict the number of flows in every following three seconds. Then, by calculating the maximum Lyapunov exponent, the chaotic behavior of prediction error time-series is analyzed. Simulation findings indicate that 99.63% of traffic states can be accurately classified by the proposed algorithm.