Full Text:   <291>

Summary:  <111>

CLC number: TP39

On-line Access: 2019-10-08

Received: 2018-07-18

Revision Accepted: 2018-09-14

Crosschecked: 2019-08-23

Cited: 0

Clicked: 805

Citations:  Bibtex RefMan EndNote GB/T7714


Zhi-jie Fan


-   Go to

Article info.
Open peer comments

Frontiers of Information Technology & Electronic Engineering  2019 Vol.20 No.9 P.1195-1208


Discovery method for distributed denial-of-service attack behavior in SDNs using a feature-pattern graph model

Author(s):  Ya Xiao, Zhi-jie Fan, Amiya Nayak, Cheng-xiang Tan

Affiliation(s):  College of Electronics and Information Engineering, Tongji University, Shanghai 201804, China; more

Corresponding email(s):   1710053@tongji.edu.cn, aaronzfan@126.com, nayak@uottawa.ca

Key Words:  Software-defined network, Distributed denial-of-service (DDoS), Behavior discovery, Distance metric learning, Feature-pattern graph

Ya Xiao, Zhi-jie Fan, Amiya Nayak, Cheng-xiang Tan. Discovery method for distributed denial-of-service attack behavior in SDNs using a feature-pattern graph model[J]. Frontiers of Information Technology & Electronic Engineering, 2019, 20(9): 1195-1208.

@article{title="Discovery method for distributed denial-of-service attack behavior in SDNs using a feature-pattern graph model",
author="Ya Xiao, Zhi-jie Fan, Amiya Nayak, Cheng-xiang Tan",
journal="Frontiers of Information Technology & Electronic Engineering",
publisher="Zhejiang University Press & Springer",

%0 Journal Article
%T Discovery method for distributed denial-of-service attack behavior in SDNs using a feature-pattern graph model
%A Ya Xiao
%A Zhi-jie Fan
%A Amiya Nayak
%A Cheng-xiang Tan
%J Frontiers of Information Technology & Electronic Engineering
%V 20
%N 9
%P 1195-1208
%@ 2095-9184
%D 2019
%I Zhejiang University Press & Springer
%DOI 10.1631/FITEE.1800436

T1 - Discovery method for distributed denial-of-service attack behavior in SDNs using a feature-pattern graph model
A1 - Ya Xiao
A1 - Zhi-jie Fan
A1 - Amiya Nayak
A1 - Cheng-xiang Tan
J0 - Frontiers of Information Technology & Electronic Engineering
VL - 20
IS - 9
SP - 1195
EP - 1208
%@ 2095-9184
Y1 - 2019
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/FITEE.1800436

The security threats to software-defined networks (SDNs) have become a significant problem, generally because of the open framework of SDNs. Among all the threats, distributed denial-of-service (DDoS) attacks can have a devastating impact on the network. We propose a method to discover DDoS attack behaviors in SDNs using a feature-pattern graph model. The feature-pattern graph model presented employs network patterns as nodes and similarity as weighted links; it can demonstrate not only the traffic header information but also the relationships among all the network patterns. The similarity between nodes is modeled by metric learning and the Mahalanobis distance. The proposed method can discover DDoS attacks using a graph-based neighborhood classification method; it is capable of automatically finding unknown attacks and is scalable by inserting new nodes to the graph model via local or global updates. Experiments on two datasets prove the feasibility of the proposed method for attack behavior discovery and graph update tasks, and demonstrate that the graph-based method to discover DDoS attack behaviors substantially outperforms the methods compared herein.


摘要:由于软件定义网络(software-defined networks, SDN)的开方式结构,软件定义网络环境下的安全威胁已成为一个重要问题。在所有威胁中,分布式拒绝服务攻击(distribute ddenial-of-service, DDoS)对网络具有巨大影响。本文提出一种基于特征-模式图模型的方法来发现软件定义网络环境下的DDoS攻击行为。所提出的特征-模式图采用网络模式作为节点,将其相似度作为加权边。该图模型可同时表示网络包的头信息和各网络模式之间的关系信息。节点之间的相似度由度量学习和马氏距离表示。所提方法可以基于图的邻近分类模型发现DDoS攻击,并具有自动发现未知攻击的能力且可通过全局或局部插入新节点的方式扩展已有图结构。两个数据集上的实验证明了所提方法在攻击行为检测和图更新任务上的可行性,并证明了本文基于图的模型在DDoS攻击检测上优于对比模型。


Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article


[1]Albin E, Rowe NC, 2012. A realistic experimental comparison of the Suricata and Snort intrusion-detection systems. Proc $26^text{th}$ Int Conf on Advanced Information Networking and Applications Workshops, p.122-127.

[2]AlEroud A, Alsmadi I, 2017. Identifying cyber-attacks on software defined networks: an inference-based intrusion detection approach. J Netw Comput Appl, 80:152-164.

[3]Antikainen M, Aura T, Särelä M, 2014. Spook in your network: attacking an SDN with a compromised OpenFlow switch. Proc 19th Nordic Conf on Secure IT Systems, p.229-244.

[4]Aziz MZA, Okamura K, 2017. Leveraging SDN for detection and mitigation SMTP flood attack through deep learning analysis techniques. Int J Comput Sci Netw Secur, 17(10):166-172.

[5]Bawany NZ, Shamsi JA, Salah K, 2017. DDoS attack detection and mitigation using SDN: methods, practices, and solutions. Arab J Sci Eng, 42(2):425-441.

[6]Braga R, Mota E, Passito A, 2010. Lightweight DDoS flooding attack detection using NOX/OpenFlow. Proc IEEE Local Computer Network Conf, p.408-415.

[7]Chung CJ, Khatkar P, Xing TY, et al., 2013. NICE: network intrusion detection and countermeasure selection in virtual network systems. IEEE Trans Depend Sec Comput, 10(4):198-211.

[8]de Oliveira RLS, Schweitzer CM, Shinoda AA, et al., 2014. Using Mininet for emulation and prototyping software-defined networks. Proc IEEE Colombian Conf on Communications and Computing, p.1-6.

[9]Fan ZJ, Xiao Y, Nayak A, et al., 2019. An improved network security situation assessment approach in software defined networks. Peer-to-Peer Netw Appl, 12(2):295-309.

[10]Fiadino P, D’Alconzo A, Schiavone M, et al., 2015. Challenging entropy-based anomaly detection and diagnosis in cellular networks. ACM SIGCOMM Comput Commun Rev, 45(4):87-88.

[11]Giotis K, Argyropoulos C, Androulidakis G, et al., 2014. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Comput Netw, 62:122-136.

[12]Goldberger J, Roweis S, Hinton G, et al., 2004. Neighbourhood components analysis. Proc 17th Int Conf on Neural Information Processing Systems, p.513-520.

[13]Klöti R, Kotronis V, Smith P, 2013. OpenFlow: a security analysis. Proc 21st IEEE Int Conf on Network Protocols, p.1-6.

[14]Kobayashi TH, Batista AB, Brito AM, et al., 2007. Using a packet manipulation tool for security analysis of industrial network protocols. Proc IEEE Conf on Emerging Technologies and Factory Automation, p.744-747.

[15]Kreutz D, Ramos FM, Veríssimo PE, et al., 2015. Software-defined networking: a comprehensive survey. Proc IEEE, 103(1):14-76.

[16]Nguyen HV, Bai L, 2010. Cosine similarity metric learning for face verification. Proc 10th Asian Conf on Computer Vision, p.709-720.

[17]Niyaz Q, Sun WQ, Javaid AY, 2017. A deep learning based DDoS detection system in software-defined networking (SDN). EAI Endorsed Trans Secur Safety, 4(12):e2.

[18]Roesch M, 1999. Snort: lightweight intrusion detection for networks. Proc 13th USENIX Conf on System Administration, p.229-238.

[19]Scott-Hayward S, O’Callaghan G, Sezer S, 2013. SDN security: a survey. IEEE SDN for Future Networks and Services, p.1-7.

[20]Shalimov A, Zuikov D, Zimarina D, et al., 2013. Advanced study of SDN/OpenFlow controllers. Proc 9th Central & Eastern European Software Engineering Conf in Russia, Article 1.

[21]Shen C, Kim J, Wang L, 2010. Scalable large-margin mahalanobis distance metric learning. IEEE Trans Neur Netw, 21(9):1524-1530.

[22]Shiravi A, Shiravi H, Tavallaee M, et al., 2012. Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput Secur, 31(3):357-374.

[23]van Erven T, Harremos P, 2014. Rényi divergence and Kullback-Leibler divergence. IEEE Trans Inform Theory, 60(7):3797-3820.

[24]Wang B, Zheng Y, Lou WJ, et al., 2015. DDoS attack protection in the era of cloud computing and software-defined networking. Comput Netw, 81:308-319.

[25]Wang R, Jia ZP, Ju L, 2015. An entropy-based distributed DDoS detection mechanism in software-defined networking. Proc IEEE Trustcom/BigDataSE/ISPA, p.310-317.

[26]Wu QS, Ferebee D, Lin YY, et al., 2009. An integrated cyber security monitoring system using correlation-based techniques. Proc IEEE Int Conf on System of Systems Engineering, p.1-6.

[27]Xu Y, Liu Y, 2016. DDoS attack detection under SDN context. Proc 35th Annual IEEE Int Conf on Computer Communications, p.1-9.

[28]Yan Q, Yu FR, Gong QX, et al., 2016. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: a survey, some research issues, and challenges. IEEE Commun Surv Tutor, 18(1):602-622.

[29]Yu S, Guo S, Stojmenovic I, 2012. Can we beat legitimate cyber behavior mimicking attacks from botnets? Proc IEEE INFOCOM, p.2851-2855.

Open peer comments: Debate/Discuss/Question/Opinion


Please provide your name, email address and a comment

Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952783; E-mail: cjzhang@zju.edu.cn
Copyright © 2000 - Journal of Zhejiang University-SCIENCE