Software-defined networking (SDN) is a new networking paradigm that provides centralized control, programmability, and a global view of topology in the controller. SDN is becoming more popular due to its high audibility, which also raises security and privacy concerns. SDN must be outfitted with the best security scheme to counter the evolving security attacks. A Distributed Denial-of-Service (DDoS) attack is a network attack that floods network links with illegitimate data using high-rate packet transmission. Illegitimate data traffic can overload network links, causing legitimate data to be dropped and network services to be unavailable. Low-rate Distributed Denial-of-Service (LDDoS) is a recent evolution of DDoS attack that has been emerged as one of the most serious vulnerabilities for the Internet, cloud computing platforms, the Internet of Things (IoT), and large data centers. Moreover, LDDoS attacks are more challenging to detect because this attack sends a large amount of illegitimate data that are disguised as legitimate traffic. Thus, traditional security mechanisms such as symmetric/asymmetric detection schemes that have been proposed to protect SDN from DDoS attacks may not be suitable or inefficient for detecting LDDoS attacks. Therefore, more research studies are needed in this domain. There are several survey papers addressing the detection mechanisms of DDoS attacks in SDN, but these studies have focused mainly on high-rate DDoS attacks. Alternatively, in this paper, we present an extensive survey of different detection mechanisms proposed to protect the SDN from LDDoS attacks using machine learning approaches. Our survey describes vulnerability issues in all layers of the SDN architecture that LDDoS attacks can exploit. Current challenges and future directions are also discussed. The survey can be used by researchers to explore and develop innovative and efficient techniques to enhance SDN’s protection against LDDoS attacks.

/pdf/a-survey-of-low-rate-ddos-detection-techniques-based-on-3bv0yzki.pdf

A Survey of Low Rate DDoS Detection Techniques Based on Machine Learning in Software-Defined Networks

The dynamic nature of the vehicular space exposes it to distributed malicious attacks irrespective of the integration of enabling technologies. The software-defined network (SDN) represents one of these enabling technologies, providing an integrated improvement over the traditional vehicular ad-hoc network (VANET). Due to the centralized characteristics of SDN, they are vulnerable to attacks that may result in life-threatening situations. Securing SDN-based VANETs is vital and requires incorporating artificial intelligence (AI) techniques. Hence, this work proposed an intrusion detection model (IDM) to identify Distributed Denial-of-Service (DDoS) attacks in the vehicular space. The proposed solution employs the radial basis function (RBF) kernel of the support vector machine (SVM) classifier and an exhaustive parameter search technique called grid search cross-validation (GSCV). In this framework, the proposed architecture can be deployed on the onboard units (OBUs) of each vehicle, which receive the vehicular data and run intrusion detection tasks to classify a message sequence as a DDoS attack or benign. The performance of the proposed algorithm compared to other ML algorithms using key performance metrics. The proposed framework is validated through experimental simulations to demonstrate its effectiveness in detecting DDoS intrusion. Using the GridSearchCV, optimal values of the RBF-SVM kernel parameters “C” and “gamma” <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$(\gamma)$ </tex-math></inline-formula> of 100 and 0.1, respectively, gave the optimal performance. The proposed scheme showed an overall accuracy of 99.33%, a detection rate of 99.22%, and an average squared error of 0.007, outperforming existing benchmarks. 

Optimization of RBF-SVM Kernel Using Grid Search Algorithm for DDoS Attack Detection in SDN-Based VANET

— The Open-RAN architecture is a highly promising and future-oriented architecture. It is intended to open up the radio access network and enable more innovation and competition in the market. This will lead to RANs for current 5G networks, but especially for future 6G networks, to move away from the current centralised, provider-speciﬁc 3G RAN architecture and therefore even better meet the requirements for future RANs. However, the change in design has also created a drastic shift in the attack surface compared to conventional RANs. In the past, this has often led to negative headlines, which in summary have often associated O-RAN with faulty or inadequate security. In this paper, we analyze what components are involved in an Open-RAN deployment, how the current state of security is to be assessed and what measures need to be taken to ensure secure operation.

Open or not open: Are conventional radio access networks more secure and trustworthy than Open-RAN?

The software-defined network (SDN) has created the conditions for the optimization and development of network structures. However, its architecture is still not sufficient to resist or identify all denial of service (DoS) attacks, such as low-rate DoS (LDoS) attacks. Due to their low transporting rate and flash-crowd-like nature, LDoS attacks are well hidden in the background traffic and difficult to identify by anti-DoS mechanisms in the SDN. By implementing LDoS attacks in the SDN, we confirm that they can severely degrade the quality of service. We further propose a framework based on the histogram-based gradient boosting and finding peaks (HGB-FP) algorithm to detect LDoS attacks and mitigate their influence in the SDN in real-time. The histogram-based gradient boosting (HGB) algorithm, an ensemble learning with high quality and low complexity, can identify LDoS attacks quickly and accurately. The finding peaks (FP) algorithm locates the attacker via peak properties of the flow and installs flow rules on the switches to drop the attack flows. Experiments prove that our framework has higher accuracy and F-measure in identifying LDoS attacks than other machine learning approaches and mitigates the impact of LDoS attacks on bottleneck links in the SDN within seconds on average. 

Real-Time Detection and Mitigation of LDoS Attacks in the SDN Using the HGB-FP Algorithm

The potential for being the target of Denial of Service (DoS) attacks is one of the most severe security threats on the Internet. Attackers have been modifying their attack format over the years, damaging specific conditions of operating systems and protocols in an attempt to deny or diminish the quality of the service provided to legitimate users. Nowadays, attacks are stealthier and mimic legitimate user traffic in such a way that detection mechanisms against High-rate DoS attacks are no longer sufficient. This evolving type of attack, known as LDoS (Low-rate Denial of Service) attacks, has the potential to produce more damage than its predecessor due to its stealth nature and the lack of suitable detection and defense methods. This survey summarizes and complements previous studies and surveys related to this specific type of attack. First, we propose a taxonomy of the LDoS attacks, which were divided into three broad categories based on their modus operandi: QoS attacks, Slow rate attacks, and Service queue attacks. Next, we detail numerous detection mechanisms and counter-measures available against eight types of LDoS attacks. More specifically, we describe the methods used to throttle the attack traffic. Finally, we provide a feature comparison table for some existing attack tools. This survey aims at providing an extensive review of the literature for helping researchers and network administrators find up-to-date knowledge on LDoS attacks.

Detection and Mitigation of Low-Rate Denial-of-Service Attacks: A Survey

Anomalies could be the threats to the network that have ever/never happened. To protect networks against malicious access is always challenging even though it has been studied for a long time. Due to the evolution of network in both new technologies and fast growth of connected devices, network attacks are getting versatile as well. Comparing to the traditional detection approaches, machine learning is a novel and flexible method to detect intrusions in the network, it is applicable to any network structure. In this paper, we introduce the challenges of anomaly detection in the traditional network, as well as in the next generation network, and review the implementation of machine learning in the anomaly detection under different network contexts. The procedure of each machine learning category is explained, as well as the methodologies and advantages are presented. The comparison of using different machine learning models is also summarised.

Machine Learning in Network Anomaly Detection: A Survey

A survey on DoS/DDoS attacks mathematical modelling for traditional, SDN and virtual networks

Software-Defined Networking (SDN) decoupled architecture provides greater network visibility for network operators allowing effective resource management and enhances networks security. However, the SDN centralized architecture, the communication channels between planes and the limited resources can make SDN systems vulnerable against DoS/DDoS attacks. To have a better understanding of the attack dynamics and lead to future mitigation techniques, modeling DoS/DDoS attacks for SDN is necessary. The main goal of modeling is to provide i) better understanding about the attack effect, and consequently ii) more effective mitigation techniques. Specially when DDoS attacks costs oscillated between $25,000 and $249,000 for %58 of companies around the world in 2018 [1]. We propose a model for the low-rate (shrew) stealthy DDoS attacks, which exploit vulnerabilities in the TCP’s re-transmission time out mechanism (RTO). We found that these attacks are able to target the southbound TCP channel, used by OpenFlow and P4 protocol, in SDN.

Low-rate TCP DDoS Attack Model in the Southbound Channel of Software Defined Networks

During COVID-19 the new normal became an increased reliance on remote connectivity, and that fact is far away to change any time soon. The increasing number of networked devices connected to the Internet is causing an exponential growth of botnets. Subsequently, the number of DDoS (Distributed Denial of Service) attacks registered around the world also increased, especially during the pandemic lockdown. Therefore, it is crucial to understand how botnets are formed and how bots propagate within networks. In particular, analytic modelling of the botnets epidemic process is an essential component for understanding DDoS attacks, and thus mitigate their impact. In this paper, we propose two analytic epidemic models; (i) the first one for enterprise Software Define Networks (SDN) based on the SEIRS (Susceptible - Exposed - Infected - Recovered) approach, while (ii) the second model is designed for service providers’ SDN, and it is based on a novel extension of a SEIRS-SEIRS vector-borne approach. Both models illustrate how bots spread in different types of SDN networks. We found that bot infection behaves in a similar way to human epidemics, such as the novel COVID-19 outbreak. We present the calculation of the basic reproduction number $R_{\mathrm {o}}$ for both models and we test the system stability using the next generation matrix approach. We have validated the models using the final value theorem (FVT), with which we can determine the steady-state values that provide a better understanding of the propagation process.

/pdf/dynamics-of-botnet-propagation-in-software-defined-networks-334ow1gj0l.pdf

Juan Fernando Balarezo

Papers

Machine Learning in Network Anomaly Detection: A Survey

A survey on DoS/DDoS attacks mathematical modelling for traditional, SDN and virtual networks

Low-rate TCP DDoS Attack Model in the Southbound Channel of Software Defined Networks

Dynamics of Botnet Propagation in Software Defined Networks Using Epidemic Models