A Statistical Model for Early Detection of DDoS Attacks on Random Targets in SDN

Software Defined Networks (SDNs) have accelerated and simplified the management, configuration and error detection in today’s networking systems. However, SDN is prone to some new security threats, the most important of which is its vulnerability to a new generation of Distributed Denial of Service (DDoS) attack in which fake packets target random destinations instead of targeting a single server. In this paper, we show that the existing early detection methods such as entropy- and principal component analysis (PCA)-based methods are not sufficiently capable of detecting this type of attack. Instead, we propose a novel network traffic anomaly detection framework for tackling with DDoS in SDN. Our framework consists of four stages: first, we draw on extensive experiments on an SDN test-bed to analyze the behavior of normal and attack traffic. Second, a statistical trapezoid model is proposed to estimate the number of table misses in the controller. Third, we estimate the threshold of the table misses in regular time intervals using linear regression together with EWMA estimation. In the last stage, we use the derived model as a reference to detect DDoS attacks as anomalous deviations. The evaluation results demonstrate that using this method, one can detect DDoS attacks against an SDN-based network in its early stages, with few false positives, and regardless of the specifics of the attack.