Abstract: The security threats to software-defined networks (SDNs) have become a significant problem, generally because of the open framework of SDNs. Among all the threats, distributed denial-of-service (DDoS) attacks can have a devastating impact on the network. We propose a method to discover DDoS attack behaviors in SDNs using a feature-pattern graph model. The feature-pattern graph model presented employs network patterns as nodes and similarity as weighted links; it can demonstrate not only the traffic header information but also the relationships among all the network patterns. The similarity between nodes is modeled by metric learning and the Mahalanobis distance. The proposed method can discover DDoS attacks using a graph-based neighborhood classification method; it is capable of automatically finding unknown attacks and is scalable by inserting new nodes to the graph model via local or global updates. Experiments on two datasets prove the feasibility of the proposed method for attack behavior discovery and graph update tasks, and demonstrate that the graph-based method to discover DDoS attack behaviors substantially outperforms the methods compared herein.

基于特征-模式图的SDN下分布式拒绝服务攻击发现方法

[1]Albin E, Rowe NC, 2012. A realistic experimental comparison of the Suricata and Snort intrusion-detection systems. Proc $26^text{th}$ Int Conf on Advanced Information Networking and Applications Workshops, p.122-127.

[2]AlEroud A, Alsmadi I, 2017. Identifying cyber-attacks on software defined networks: an inference-based intrusion detection approach. J Netw Comput Appl, 80:152-164.

[3]Antikainen M, Aura T, Särelä M, 2014. Spook in your network: attacking an SDN with a compromised OpenFlow switch. Proc 19^th Nordic Conf on Secure IT Systems, p.229-244.

[4]Aziz MZA, Okamura K, 2017. Leveraging SDN for detection and mitigation SMTP flood attack through deep learning analysis techniques. Int J Comput Sci Netw Secur, 17(10):166-172.

[5]Bawany NZ, Shamsi JA, Salah K, 2017. DDoS attack detection and mitigation using SDN: methods, practices, and solutions. Arab J Sci Eng, 42(2):425-441.

[6]Braga R, Mota E, Passito A, 2010. Lightweight DDoS flooding attack detection using NOX/OpenFlow. Proc IEEE Local Computer Network Conf, p.408-415.

[7]Chung CJ, Khatkar P, Xing TY, et al., 2013. NICE: network intrusion detection and countermeasure selection in virtual network systems. IEEE Trans Depend Sec Comput, 10(4):198-211.

[8]de Oliveira RLS, Schweitzer CM, Shinoda AA, et al., 2014. Using Mininet for emulation and prototyping software-defined networks. Proc IEEE Colombian Conf on Communications and Computing, p.1-6.

[9]Fan ZJ, Xiao Y, Nayak A, et al., 2019. An improved network security situation assessment approach in software defined networks. Peer-to-Peer Netw Appl, 12(2):295-309.

[10]Fiadino P, D’Alconzo A, Schiavone M, et al., 2015. Challenging entropy-based anomaly detection and diagnosis in cellular networks. ACM SIGCOMM Comput Commun Rev, 45(4):87-88.

[11]Giotis K, Argyropoulos C, Androulidakis G, et al., 2014. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Comput Netw, 62:122-136.

[12]Goldberger J, Roweis S, Hinton G, et al., 2004. Neighbourhood components analysis. Proc 17^th Int Conf on Neural Information Processing Systems, p.513-520.

[13]Klöti R, Kotronis V, Smith P, 2013. OpenFlow: a security analysis. Proc 21^st IEEE Int Conf on Network Protocols, p.1-6.

[14]Kobayashi TH, Batista AB, Brito AM, et al., 2007. Using a packet manipulation tool for security analysis of industrial network protocols. Proc IEEE Conf on Emerging Technologies and Factory Automation, p.744-747.

[15]Kreutz D, Ramos FM, Veríssimo PE, et al., 2015. Software-defined networking: a comprehensive survey. Proc IEEE, 103(1):14-76.

[16]Nguyen HV, Bai L, 2010. Cosine similarity metric learning for face verification. Proc 10^th Asian Conf on Computer Vision, p.709-720.

[17]Niyaz Q, Sun WQ, Javaid AY, 2017. A deep learning based DDoS detection system in software-defined networking (SDN). EAI Endorsed Trans Secur Safety, 4(12):e2.

[18]Roesch M, 1999. Snort: lightweight intrusion detection for networks. Proc 13^th USENIX Conf on System Administration, p.229-238.

[19]Scott-Hayward S, O’Callaghan G, Sezer S, 2013. SDN security: a survey. IEEE SDN for Future Networks and Services, p.1-7.

[20]Shalimov A, Zuikov D, Zimarina D, et al., 2013. Advanced study of SDN/OpenFlow controllers. Proc 9^th Central & Eastern European Software Engineering Conf in Russia, Article 1.

[21]Shen C, Kim J, Wang L, 2010. Scalable large-margin mahalanobis distance metric learning. IEEE Trans Neur Netw, 21(9):1524-1530.

[22]Shiravi A, Shiravi H, Tavallaee M, et al., 2012. Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput Secur, 31(3):357-374.

[23]van Erven T, Harremos P, 2014. Rényi divergence and Kullback-Leibler divergence. IEEE Trans Inform Theory, 60(7):3797-3820.

[24]Wang B, Zheng Y, Lou WJ, et al., 2015. DDoS attack protection in the era of cloud computing and software-defined networking. Comput Netw, 81:308-319.

[25]Wang R, Jia ZP, Ju L, 2015. An entropy-based distributed DDoS detection mechanism in software-defined networking. Proc IEEE Trustcom/BigDataSE/ISPA, p.310-317.

[26]Wu QS, Ferebee D, Lin YY, et al., 2009. An integrated cyber security monitoring system using correlation-based techniques. Proc IEEE Int Conf on System of Systems Engineering, p.1-6.

[27]Xu Y, Liu Y, 2016. DDoS attack detection under SDN context. Proc 35^th Annual IEEE Int Conf on Computer Communications, p.1-9.

[28]Yan Q, Yu FR, Gong QX, et al., 2016. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: a survey, some research issues, and challenges. IEEE Commun Surv Tutor, 18(1):602-622.

[29]Yu S, Guo S, Stojmenovic I, 2012. Can we beat legitimate cyber behavior mimicking attacks from botnets? Proc IEEE INFOCOM, p.2851-2855.