DDoS Detection Over SDN Using Machine Learning Approach

SDN networks are a new innovation in the network world. The control layer and the data layer are separated and an interface (OpenFlow) is provided to make the network easier to control.

Mininet is a tool that is used to simulate a SDN network. A DDOS (distributed denial of service) attack is a planned attack carried out by a large number of devices that have been hacked. This is called a botnet. The Bot is the main server which instructs all other devices to carry out the attack.

The other devices combine to form the botnet (Robot Network). It is often very difficult to detect such an attack. The project aims to detect a DDoS attack using 3 algorithms. We compare the accuracy of supervised learning algorithm (Random Forest), semi supervised (SVM )and unsupervised learning algorithm(K-means).

Index Terms DDoS Attack, GET Flooding Attack, Web Security, MapReduce, Anomaly, a hidden Markov model (HMM), hostbased intrusion detection, postmortem intrusion detection, sequitur, Packet capture, traffic analysis


A DDOS attack is a vicious attempt to avoid ordinary traffic by overwhelming the target or its surrounding infrastructure by attempting to achieve a specific server, service or network with large amounts of traffic.

Get quality help now
Marrie pro writer
Verified writer

Proficient in: Attack

5 (204)

“ She followed all my directions. It was really easy to contact her and respond very fast as well. ”

+84 relevant experts are online
Hire writer

A DDoS attack is difficult to detect because of the high bandwidth pathways that the networks require.


SDN are networking architecture that targets to make a net-work quick and flexible. SDN’s main objective is to improve a network by using a software application to intelligently control or program.

Get to Know The Price Estimate For Your Paper
Number of pages
Email Invalid email

By clicking “Check Writers’ Offers”, you agree to our terms of service and privacy policy. We’ll occasionally send you promo and account related email

"You must agree to out terms of services and privacy policy"
Write my paper

You won’t be charged yet!

In order to compete with evolving company trends, several service providers and companies are inclined towards SDN technology. SDN enables the continuous man-agement of complex networks.

THE WORKING OF SDN: SDN techniques tend to unify network control by dividing the control logic from the funds of off-device computers. An SDN controller, northbound APIs and southbound APIs are included in all SDN networking alternatives.


It is also known as the networks’ “brain”. Its aim is to provide the general network with a centralized element.


These APIs are majorly used for communication purpose with applications and business logic and also support in deploying services.


Software Defined Network uses southbound APIs to provide router and switch data.


  • SDN has significant benefits for the globe of networking:
  • SDN offers a unified aspect of the whole network, making it simpler to manage and deliver businesses.
  • It offers an extensive enterprise management scheme by enabling the network manager to examine the structure of the network without affecting it.
  • Another significant benefit is that the safety system is extremely comprehensive.
  • SDN systems tend to have low operating costs and high effectiveness in administration.
  • It is capable of controlling and shaping information traffic on a cloud.


[1]There are many benefits in placing DDoS defenses close to the sources of the attack. The attack flows can be halted before they reach the Internet core and mix with other flows. Being near to the source can make traceback and inquiry of the attack simpler. The small degree of flow aggregation enables greater precision to use more complicated detection strategies. It is also probable that routers nearer to the sources will relay less traffic than key routers and can devote more of their energy to DDoS defense.

The D-WARD system is mounted on the source router which acts as a portal between the network deploying (source network) and the remainder of the Internet.

[2]Keeping traffic statistics on a backbone router for each location is obviously infeasible. Here we consider a traffic profile that can be gathered with little overhead and most intruders should be detected. Only high-traffic destinations need to be considered at any stage of moment, as those are precisely the ones that are likely to be under assault. Thus, each router uses a sample-and-hold algorithm to monitor destinations whose traffic occupies more than a fraction of the outgoing link’s capability C. We call these destinations common and not unpopular in this list.Traffic profiles are essentially a collection of traffic fin-gerprints (Fi) to famous locations at each router. The key to characterizing traffic streams is an efficient selection of such fingerprints. However, excessive memory and/or computation may be required to compute arbitrary fingerprints. We rec-ognized several fingerprints that can be calculated effectively using stream sampling algorithms.

[3]This utilizes Source IP Address Monitoring SIM, which includes two components: off-line instruction, and teaching and detection[ 3]. The first part is off-line training, where a learning engine adds valid IP addresses to an IP Address Database (IAD) and keeps the IAD updated by adding fresh valid IP addresses and deleting expired IP addresses[ 3]. This is performed off-line to ensure that there are no bandwidth attacks in the traffic data used for instruction[ 3]. It is possible to use a straightforward rule to decide whether or not a fresh IP address is valid[ 3]. For instance, an abnormal IP flow is regarded to be a TCP connection with less than 3 packets[3] .

[4]A single autonomous system (AS) corresponds to each net-work domain. The AS domain is fitted with a CAT server for aggregating data on traffic changes identified on the routers. All CAT servers exchange data on flooding alerts to make choices on worldwide detection across various domains[ 4]. A fresh safe infrastructure protocol (SIP) is created to create confidence between them to resolve the disputes in security policies in distinct supplier domains. Scalable performance findings are recorded in the DETER testbed for the imple-mentation of the DCP detection scheme over 16 domains. The simulated Internet environment shows that 4 domains are adequate to deliver 98% precision detection of TCP SYN and UDP flooding assaults with less than 1% fake alarms. The DCP scheme is demonstrated to be scalable to 84 domains by using ISP-controlled AS domains, which appeals for real-life internet deployment.

[5]In this system for DoS detection, we track incoming traffic to evaluate different decision-making characteristics and use the highest probability criterion for detection make individual choices for every input characteristics[5] . In a fusion stage, the gathered data is then merged to produce a general traffic choice. It utilizes a technique of comparing the likelihood ratio and implementation of two distinct RNN architectures (feed forward and recurrent).

[6]This highlights all these problems and suggests a distributed weight-fair router throttling algorithm that counteracts denial-of-service attacks directed to an internet server. In the context of throttling upstream routers, the protection mechanism is comparable to that of [Yau et al. ]. However, leaky buckets of various types are mounted and the buckets are placed in a subset of routers on all routers instead of a standardized leaky bucket. Fairness is accomplished by providing the routers linked to a greater amount of legitimate customers more bandwidth and vice versa.

[7]The suggested structure consists of some heterogeneous defense mechanisms that work together to safeguard against assaults. Use of statistical methods to protect against DDoS attacks and mitigate their effect [Ohsita et al. 2004, Li et al. 2005, Jin and Yeung 2004, Chuah et al. 2004 ] is becoming increasingly interesting. Packet statistics from on-line history data are monitored to classify normal and attack traffic.

[8]An approach for predicting the service rate on a server to avoid overloading the server. With such a forecast, we can take precautionary steps to avoid a server crackdown that can be triggered by DDoS assaults or other factors such as system malfunctions.

[9]This is a new model for detecting DDoS attacks based on CRF (conditional random fields). It includes signature-based and anomaly-based techniques of detection to form a hybrid system[9]. This is possible because CRFs have the ability to synthesize many features into a union detection vector without needing independence[9].

The traffic tracking status is described by a term, IP Flow Entropy (IPE)[9]. The model can be used by combining IPE, One-Way Connection Density (OWCD) and other features into one metric to recognize various DDoS attacks with high sensitivity and low false alarm rate[9].

[10]Checking incoming traffic against outgoing traffic is a technique to detect TCP hosted DDoS attacks at the earliest. This would differ massively (than usual) in the event of an assault. Even transit routers can detect the DDoS attack through this technique. A sudden rise in traffic and behavioral resemblance are excellent indicators for other DDoS assaults.

The sampling method is invoked if the preliminary detection of the attack is positive. For each IP address, the sampling method instantly assigns a distinct rate counter. Number of samples are collected by the rate counter where a sample is the collection of all incoming packets per second.

[11]In the current information communication setting, network and system safety are of paramount significance. Hackers and intruders can generate many effective efforts by unauthorized intrusion to cause the crash of networks and web services[11]. New threats and related solutions are emerging along with secured system evolution to avoid these threats[11]. An Intrusion Detection analyses and predicts user behaviours and then classifies these behaviours as either an assault or a normal behaviour. To detect network intrusions, we use Rough Set Theory (RST) and Support Vector Machine (SVM)[11]. First, packets are captured from the network, then RST is used for information pre-processing and size reduction. The characteristics chosen by RST will be sent for learning and testing to the SVM model. The technique is efficient in reducing information spatial density. The studies compare the outcomes with Principal Component Analysis (PCA) and demonstrate that the scheme of RST and SVM could decrease the false positive rate and boost precision[11].

[12]This research recommends a technique of integration between GET flooding between DDOS attacks and MapReduce processing for quick attack detection in a cloud computing environment [12]. This research proposes a technique of integration between GET flooding between DDOS attacks and MapReduce processing to quickly detect attacks in a cloud computing setting[12]. This technique needs the accessibility of a target scheme based on GET flooding for precise and reliable detection. This technique is discovered to be better than Snort detection in studies because processing time is short even with increased congestion.

[13]This article describes separate attack patterns for DDoS attacks on nodes in wireless sensor networks for three most frequently used network topologies. A decentralized pattern recognition system based on Graph Neuron (GN) is suggested for attack detection. The system analyses the network’s inner traffic flow for patterns of DDoS attack.

[14]When an intrusion happens, the security staff must assess the compromised IT resources to determine how it was accessed. This evaluation generally demonstrates that the attacker has run an exploit that takes benefit of a scheme weakness. Pinpointing, in a specified log file, is very useful for computer security to execute one such exploit, if any. This is both because it speeds up the process of gathering evidence of intrusion and because it helps to take action to prevent any more intrusion. This issue that we are calling post-mortem intrusion detection, It is quite complicated due to the difficulty of precisely identifying where the intrusion happened. A strategy is suggested for the identification of post-mortem intrusion. A classifier differentiates abnormal behaviour from normal behaviour. This classifier is based on a technique that combines with k-means and concealed Markov model.

[15]Computer software is regarded as a packet sniffer capable of intercepting and recording traffic through a digital network or part of a network. By setting the NIC card in promiscuous mode, the sniffer captures and eventually decodes these packets. The decoded data can be used to identify an attack in any manner necessary. Depending on the network structure, you can select all or just traffic parts from a single device within the network. However, there are several methods to stop traffic narrowing from switching in order to gain access to traffic from other network devices. Packet sniffer is used to detect intrusion and its work. It also seeks to identify such a software’s presence on the network and attempts to manage it effectively. Due to a self-developed packet sniffer, the focus was also set to analyze the bottleneck situation that arises in the network[15]. A minute observation had been made before the development of this indigenous software on the working behavior of already existing sniffer software such as Wireshark (formerly known as ethereal), TCP dump, and snort, which serve as the basis for the development of our sniffer software[15]. A library known as LIBPCAP was used to catch the packets[15]. Developing such software provides the developer an opportunity to create extra characteristics that might be needed.


The existing system compares four different machine learning algorithms ,viz, J48, Random Forest (RF), Support Vector Machine (SVM), and K-Nearest Neighbors (K-NN) [21]. to obtain a modal that provides the best detection rate.

The current system performs Signature Detection by classifying the incoming requests as normal or anomaly and then depending upon the values that are obtained the users sending the anomaly requests are warned.


The major disadvantage of the present system is that Naive Bayes takes a lot of time for training and processing the data. As training dataset increase it takes more time to train the data. Na?ve Bayes uses a large dataset and thus the classifier consumes a lot of time to get trained.

Proposed System

The following section describes the proposed system to detect the DDoS attacks in SDN. We are using machine learning algorithms, namely, supervised learning algorithm (Random Forest), semi supervised (SVM)and unsupervised learning algorithm(K-means). We will use POX Controller to implement the detection system. Initially we will create the required topology using Mininet. Mininet is a software that creates virtual hosts, links, switches and controllers. It runs on a Linux software and also supports OpenFlow. Once we have created the topologies, we will simulate a DDoS attack using Scapy(creates custom packets), Cbench( stresses an openflow controller), Hping(generates TCP/UDP/ICMP attacks).

The next step is to create a feature vector using features like speed of source IP, speed of source port, standard deviation of flow packets, deviation of flow bytes, speed of flow entries.


  • Mirkoviac J., Prier G. and Reiher P., “Attacking DDoS at the Source,” 2002.
  • Akella A., Bharambe A., Reiter M. and Seshan S., “Detecting DDoS Attack on ISP Networks”, 2003.
  • Peng T., Leckie C. and Ramamohanrao K. ,”Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring”., 2004.
  • Chen Y., Hwang K. and Ku W. S., “Distributed Change-Point Detection of DDoS Attacks Over Multiple Domains”, 2006.
  • ?ke G. and Loukas G., “A Denial of Service Detector Based on Maximum Likelihood Detection and the Random Neural Network”, 2007
  • Saifullah A.M., “Defending Against Distributed Denial- of- Service Attacks with Weight-Fair Throttling”, 2009.
  • Chen C.L., “A New Detection Method for Distributed Denial of Service Attack Traffic Based on Statistical Test”, 2009.
  • Zhang G., Jiang S., Wei G. and Guan Q., “A Prediction Based Detection Algorithm Against Distributed Denial- of- Service Attacks”, 2009.
  • Cheng J., Yin J., Wu C., Zhang B. and Li Y., “DDoS Attack Detection Method Based on Linear Prediction Model”, 2009.
  • Udhayan J. and Hamsapriya T., “Statistical Segregation Method to Minimize the False Detection During DDoS Attacks”, 2011.
  • Vipin, Das & Vijaya, Pathak & Sattvik, Sharma & , Sreevathsan & , MVVNS.Srikanth & Kumar T, Gireesh,”Network Intrusion Detection System Based On Machine Learning Algorithms”, 2010, International Journal of Computer Science & Information Technology.
  • Choi, J & Choi, Chang & Ko, Byeongkyu & Choi, D & Kim, P.,”Detecting Web Based DDoS Attack Using MapReduce Operations in Cloud Computing Environment”, 2013, Journal of Internet Services and Information Security. 3. 28-37.
  • Baig, Zubair and Baqer, M and Khan, Asad ,”A Pattern Recognition Scheme for Distributed Denial of Service Attacks (DDoS) in Wireless Sensor Networks”,2006, 1050 – 1054. 10.1109/ICPR.2006.147.
  • Gamboa, Karen & Monroy, Ra?l & Trejo, Luis & Aguirre Berm?dez, Eduardo & Mex-Perera, Carlos , “Analyzing Log Files for Post-mortem Intrusion Detection”, 2012, IEEE Transactions on Systems Man and Cybernetics Part C (Applications and Reviews). 42. 10.1109/TSMCC.2012.2217325.
  • Qadeer, Mohammed & Iqbal, Arshad & Zahid, Mohammad & Siddiqui, Misbahur, “Network Traffic Analysis and Intrusion Detection Using Packet Sniffer Communication Software and Networks, International Conference on. 313-317. 10.1109/ICCSN.2010.104.”
  • Monowar H. Bhuyan, H. J. Kashyap, D. K. Bhattacharyya, and J. K. Kalita, “Detecting Distributed Denial of Service Attacks: Methods, Tools and Future Directions”.
  • Karuna S. Bhosale, Maria Nenova, Georgi Iliev ,”The Distributed Denial of Service Attacks (DDoS) Prevention Mechanisms on Application Layer”.
  • Rachana Yogesh Patil, Dr. Lata Ragha , Department of Computer Science and Engineering, A.C. Patil College of Engineering,Mumbai ,”A Dynamic Rate Limiting Mechanism For Flooding Based Distributed Denial of Service Attack”.
  • Yongdong Wu, Zhigang Zhao, Robert H. Deng ,”Software Puzzle: A Countermeasure to Resource-Inflated Denial-of-Service Attacks”.
  • Simon Liu, US National Library of Medicine,”Surviving Distributed Denial -of- Service Attacks”.
  • Obaid Rahman Mohammad Ali Gauhar Quraishi Chung-Horng Lung ,”DDoS Attacks Detection and Mitigation in SDN using Machine Learning”, 2019.
  • Lohit Barki, Amrit Shidling, Nisharani Meti, Narayan D G and Mohammed Moin Mulla, “Detection of Distributed Denial of Service Attacks in Software Defiined Networks”, 2016.
  • Yao Yu, Lei Guo, Ye Liu, Jian Zheng and Yue Zong, “An Efficient SDN-Based DDoS Attack Detection and Rapid Response Platform in Vehicular Networks”, 2018.
  • Ancy Sherin Jose, Latha R Nair, Varghese Paul ,”Mitigation of Distributed Denial of Service(DDoS) Attacks over Software Defined Networks (SDN) using Machine Learning and Deep Learning Techniques” ,2019.
  • Syed Mohammad Mousavi and Marc St-Hilaire, “Early Detection of DDoS Attacks against SDN Controllers”, 2015.
  • Pedro Manso, Jose Moura, Carlos Serrao, “SDN-Based Intrusion Detection System for Early Detection and Mitigation of DDoS Attacks”, 2019.
  • Jin Ye, Xiangyang Cheng, Jian Zhu, Luting Feng, Ling Song, “A DDoS Attack Detection Method Based on SVM in Software Defined Network”, 2018.

Cite this page

DDoS Detection Over SDN Using Machine Learning Approach. (2019, Nov 30). Retrieved from https://studymoose.com/dhwani-research-example-essay

DDoS Detection Over SDN Using Machine Learning Approach

👋 Hi! I’m your smart assistant Amy!

Don’t know where to start? Type your requirements and I’ll connect you to an academic expert within 3 minutes.

get help with your assignment