A robust tuned classifier-based distributed denial of service attacks detection for quality of service enhancement in software-defined network

Abstract

In today’s world, Software-Defined Networking (SDN) plays a significant role in the advancement of next-generation network architecture that offers vast control to the network operators. However, the control layer is vulnerable to Distributed Denial of Service (DDoS) attacks where DDoS is one of the most powerful and devastating cyber-attacks. Thus, the development of a DDoS attack detection mechanism is very essential since these kinds of attacks have a direct impact on the overall performance of the SDN. In this paper, a new robust Tuned support vector machine-based DDoS attack detection methodology has been proposed to categorize the benign traffic from DDoS attack traffic on the SDN. Primarily, the network is created with controller and OpenFlow switch and the communication can be carried out through secure channels among different benign users and also attackers. Afterward, the multi-characteristic values are extracted by the effective extraction strategy which consists of the six-tuple characteristic values matrix. Finally, the tuned classifier has been implemented with the aid of optimization algorithm for differentiating the abnormal traffic and the normal traffic. The performance results manifest that the proposed detection framework achieves a higher accuracy of 98% and precision of 99% when compared with existing classifiers.

Keywords

Denial of service attack cyber security hybrid classifier software-defined network quality of service machine learning optimization algorithm

1 Introduction

In recent years, SDN is widely considered as a new networking paradigm that runs several network applications and also maintains various network functionalities and services. The network architecture of SDN is logically centralized through control and data planes where it efficiently served as packet forwarding devices [1]. The basic security concept in any form of centralized network architecture is DDoS attacks [2 –4]. The entire network is crippled by the DDoS attacks through the saturation of the bandwidth and the remaining network resources. The modern solutions are formed on the basis of two techniques: machine learning and thresholding techniques [5].

A static threshold is employed by the first technique on the basis of several flow parameters like byte rate and average packet [6]. Yet, this technique leads to an enhancement in the packet drop ratio and less detection effectiveness since it does not consider the bursty characteristics of the present normal traffic. Further, the accuracy of the threshold produces important resources such as bandwidth and reliability. Out of the present security conflicts, one of the major hardest as well as the urgent security conflicts are the DDoS [7]. The DDoS produces much damage since it is simpler to initiate and hard to trace and defend. Hence, the resisting and detecting of DDoS attacks in an efficient manner in the SDN are important for further network architecture deployments [8].

The earlier studies mostly concentrate on the mitigation mechanisms as well as the detection techniques. Presently, the majority of the traditional detection techniques initiate in a periodical manner. The response time makes the switches and controller maintain a vast quantity of attack packets, and the switches as well as the controllers are also destroyed in some cases [9]. Conversely, it initiates in a much frequent manner that made the controller waste numerous resources such as network bandwidth and CPU as well as damage the effectiveness of the controller. Still, the trigger mechanism, which damages the performance of the system and the detection effectiveness, is not attracted from the industry as well as academia. Further, the mitigation and the traceback of DDoS attack techniques are enhanced for utilizing the SDN characteristics that are much valuable for network security.

The DDoS can be launched in various ways includes smart home Internet of Things (IoT) botnet, malware-infected Linux IoT, Mirai malware-infected IoT, etc. This made it more complex for mitigating and detecting DDoS. The several forms of launching it on the IoT server using the wireless IoT produce serious damages as well as difficulties in mitigating and detecting the DDoS [10]. The majority of the existing solutions include the drop rules that are present in the flow table. A vast count of IoT is compromised for launching a successful DDoS attack. The lessened flow table space is saturated by setting individual rules.

Nowadays, the concepts of the SDN are broadly researched and developed. The SDN is threatened by DDoS attacks because of the architecture difference between the existing and the SDN network. The SDN grabs more attention since it is a promising network management technique, which provides efficient network-oriented DDoS defense. Here, the network-wide knowledge of the self-network is leveraged by the centralized SDN controller for detecting the DDoS attacks via the techniques like machine learning or traffic pattern analysis [11]. After detecting the DDoS attacks, the SDN controller utilizes the mitigation schemes like redirecting legitimate traffic or blocking the flow of the attacker to a secure system through the deployment of an updated security policy. The flexible network management is also provided by the control planes and decoupling forwarding process [12].

In the case of SDN architecture, the network management is centralized in a logical manner at the control plane. The packets are forwarded by the forwarding plane. The SDN is broadly learned for its benefits in wireless networks, access networks, enterprise networks, data centers, backbone networks, etc., [13]. It is difficult to overcome the security conflicts of the SDN. The major potential security conflicts are unavailability of trusted resources for remediation and forensics, attacks on administrative station vulnerabilities, unavailability of mechanisms for guaranteeing the trust among the management and the controller applications. Nevertheless, with the help of dynamic flow policies implementation, network monitoring, and easy network programming of the SDN, security service insertion, security policy variations, and network forensics can be attained in SDN [14].

Still, strong new measures are considered for the purpose of timely detection that permits consequent countermeasures for mitigating or preventing DDoS attacks. The techniques such as the deep learning and machine learning approaches are exploited for eradicating the sophisticated DDoS attacks even though there are challenges in modeling the effective and efficient DDoS mitigation schemes [15]. The machine learning-oriented research for the DDoS requires a vast quantity as well as vast traffic data in a continuously varying environment. In this technique, the network traffic features are gathered in a periodical manner. Next, the traffic classification is accomplished by a trained machine learning method for detecting an attack. Nonetheless, traffic classification and continuous feature collection create various security concerns [16]. This means that it enhances the communication and processing overhead.

An adversary is permitted by a long-time-interval for launching an attack before the attack is detected by the classification method. Understanding the learning method needs an up-to-date dataset that describes the normal traffic and realistic attack. Moreover, the misleading detection accuracies are avoided by testing, proper training, and the appropriate data pre-processing techniques [17 –19].

In this work, an efficient Tuned Support Vector Machine (TSVM)-based DDoS attack detection framework has been introduced to alleviate the attacking issues in SDN. The major reason for choosing the TSVM model is to produce a global result and does not converge into local minima. The TSVM is attained from the classification hyperplane which is trained properly for smaller as well as the larger datasets. The parameters of the TSVM classifier are properly tuned with the aid of an appropriate optimization algorithm. According to simulation results, the TSVM is preserved as a better classifier with respect to the generalization and accuracy abilities. It efficiently categorizes the benign traffic from DDoS attack traffic on the SDN with minimum testing time and classification error.

The major contribution of the proposed DDoS detection model in SDN is as follows:

To present a new DDoS attack detection model in SDN by adopting a machine learning classifier, where the network is created with controller and OpenFlow switch and the communication is carried out through secure channel among different benign users and also attackers.

A novel TSVM classifier has been proposed for differentiating the abnormal traffic and the normal traffic. The optimum values of TSVM parameters are tuned through the effective optimization algorithm. The proper tuning of the TSVM classifier provides a higher detection accuracy in the SDN environment.

To detect the DDoS attacks by utilizing the TSVM classifier by considering the processes like a collection of flow states, characteristic value extraction, and classifier judgment.

To evaluate the performance of the designed model to ensure the attack detection in the SDN by considering diverse performance metrics through comparing with different existing classified on standard datasets. Furthermore, the numerous analyses have been examined to test the efficacy of the proposed classifier.

The nomenclature used in the entire research article is depicted in Table 1. The rest of the current research work is as follows: Section 2 encapsulates the existing work related to DDoS attack detection. The Material and Methods are described in Section 3. The proposed framework is illustrated in Section 4. The results and discussions are presented in Section 5. Finally, Section 6 concludes the paper.

Table 1
Nomenclature

Abbreviation Description

IoT Internet of Things

KPCA Kernel Principal Component analysis

SSIP Speed of Source IP

KNN K-Nearest Neighbours

ML Machine Learning

FPR False Positive Rate

SSP Speed of Source Port

SDN Software-Defined Network

ID Information Distance

GE Generalized Entropy

SDFP Standard Deviation of Flow Packets

DDoS Distributed Denial of Services

RPF Ratio of Pair-Flow

GA Genetic Algorithm

SDFB Standard Deviation of Flow Bytes

SVM Support Vector Machine

SFE Speed of Flow Entries

CNN Convolutional Neural Network

CPG Cybernetic Proving Ground

HTTP Hypertext Transfer Protocol

Abbreviation	Description
IoT	Internet of Things
KPCA	Kernel Principal Component analysis
SSIP	Speed of Source IP
KNN	K-Nearest Neighbours
ML	Machine Learning
FPR	False Positive Rate
SSP	Speed of Source Port
SDN	Software-Defined Network
ID	Information Distance
GE	Generalized Entropy
SDFP	Standard Deviation of Flow Packets
DDoS	Distributed Denial of Services
RPF	Ratio of Pair-Flow
GA	Genetic Algorithm
SDFB	Standard Deviation of Flow Bytes
SVM	Support Vector Machine
SFE	Speed of Flow Entries
CNN	Convolutional Neural Network
CPG	Cybernetic Proving Ground
HTTP	Hypertext Transfer Protocol

2 Related work

The following section summarizes various extensive research studies related to the detection of DDoS attacks. The features and challenges of existing state-of-the-art DDoS attack detection methods in SDN are summarized in Table 2. Hong et al. [20] have addressed a network-oriented Slow HTTP DDoS attack technique that was utilized using an SDN. The simulation outcomes revealed that the anticipated technique could safeguard the Web servers over the Slow HTTP DDoS attacks in a very successful manner. However, this technique failed to attain higher accuracy due to ineffective network resource usage in the SDN.

Table 2
Features and challenges of state-of-the-art DDoS attack detection in SDN

Ref. Methods Accuracy Features Challenges

[20] Slow HTTP High A web server is permitted to sustain the normal operation. The slow HTTP DDoS attacks are blocked in an efficient manner. A seamless HTTP response is received by the slow client from the web server.

[21] KNN Medium It attains high detection rates. It analyzes the flow ratio, flow size, flow duration, and flow length. It cannot be applied to the real SDN environment.

[22] RF Very Low The security mechanism prevented the DDoS from the users. Only less time is recorded here. It does not utilize various ML models for enhancing the attack detection precision.

[25] XGBoost High It is applicable in real-time. The bandwidth is fully utilized and preserved. It does not focus on processing overhead.

[28] KPCA-GA Very Low It minimizes more count of principal components that describes the better performance. The model is not enhanced to describe the attack in a multi-controller context.

[29] Deep CNN Medium It provides better computational complexity. The detection accuracy is improved. It is not verified in terms of memory consumption and model testing.

[30] ID metric Low The attack traffic is identified from legitimate traffic to a larger extent. It is not utilized for the high rate of DDoS attack.

[31] LR Low It minimizes the network load, CPU load, and response time. It does not learn novel mitigation techniques.

Ref.	Methods	Accuracy	Features	Challenges
[20]	Slow HTTP	High	A web server is permitted to sustain the normal operation. The slow HTTP DDoS attacks are blocked in an efficient manner.	A seamless HTTP response is received by the slow client from the web server.
[21]	KNN	Medium	It attains high detection rates. It analyzes the flow ratio, flow size, flow duration, and flow length.	It cannot be applied to the real SDN environment.
[22]	RF	Very Low	The security mechanism prevented the DDoS from the users. Only less time is recorded here.	It does not utilize various ML models for enhancing the attack detection precision.
[25]	XGBoost	High	It is applicable in real-time. The bandwidth is fully utilized and preserved.	It does not focus on processing overhead.
[28]	KPCA-GA	Very Low	It minimizes more count of principal components that describes the better performance.	The model is not enhanced to describe the attack in a multi-controller context.
[29]	Deep CNN	Medium	It provides better computational complexity. The detection accuracy is improved.	It is not verified in terms of memory consumption and model testing.
[30]	ID metric	Low	The attack traffic is identified from legitimate traffic to a larger extent.	It is not utilized for the high rate of DDoS attack.
[31]	LR	Low	It minimizes the network load, CPU load, and response time.	It does not learn novel mitigation techniques.

Dong and Sarem have proposed two techniques for detecting the DDoS attack in the SDN. The first technique has utilized the degree of DDoS attack. The second technique employed the KNN algorithm on the basis of the ML. The outcomes of the experimental as well as the theoretical analysis described that the suggested techniques could detect the DDoS attack in a very better way than the remaining techniques. Nevertheless, the learning approach does not address the network traffic that degrades the overall performance in the network paradigm.

Chen et al. [22] have detected the DDoS attack that was caused on the IoT servers by the malicious wireless IoT. Here, the Random Forest (RF) strategy leveraged the SDN for lessening the DDoS attack. It was validated in the emulated topology and testbed, and the outcomes were compared with the existing solutions. An enhanced accuracy rate was attained in this technique during DDoS attack detection. At the same time, the anticipated technique does not consider automatic learning which fails to recognize attacks in multidimensional data.

In [23], a Double P-value of Transductive Confidence Machines for K-Nearest Neighbors (DPTCM-KNN) and Transductive Confidence Machines for K-Nearest Neighbors (TCM-KNN) have been proposed to address the DDoS attack in SDN. They estimate the distance from an unidentified point to the class. Afterward, the classification can be carried out by determining the ratio function. A single characteristic value is extracted to identify the attack on SDN. This single value leads to attaining misclassification error during the training process.

In [24], the KNN classifier with Ant Colony Optimization (KNN-ACO) has been presented to detect the DDoS attack in SDN. Primarily, the KNN is exploited for the clustering process whereas ACO is integrated with KNN to enhance the classification strategy for categorizing the various attacks in the network. However, the ACO does not balance the exploitation and exploration problem in the searching region that causes lesser precision and F1 score. It also provides additional complexity and execution time to the anticipated classifier.

Alamri and Thayananthan [25] have labeled a DDoS mitigation strategy for the SDN for the purpose of effective network resource usage and appropriate detection of attacks. The bandwidth control algorithm and an adaptive bandwidth profile-oriented threshold triggered the XGBoost algorithm when the threshold violations took place. The network traffic flow was categorized by the XGBoost algorithm, which violated the set threshold into abnormal or normal traffic. Moreover, the suggested solution was tested in real-time. The outcomes achieved reveal that this strategy safeguarded the SDN over the DDoS attacks having effective utilization, less error, and more accuracy of the network resources. It attained better accuracy in the DDoS attack detection having a lesser false rate in SDN.

In recent days, several ML approaches were deployed for malicious traffic detection in SDN [26,27, 26,27]. Apart from these works, the selection of the appropriate classifiers and the significant features for detecting the attack remains a challenge. Sahoo et al. [28] have performed the attack traffic detection with the SDN. For appropriate accuracy detection, the anticipated technique implemented the KPCA along with the GA. In this method, KPCA minimized the feature vector dimension and GA optimized distinct classifier parameters. The experimental outcomes revealed that the suggested technique attained much appropriate classification having superior generalization. Further, the suggested method could be embedded inside the controller for describing the security rules in preventing the applicable attacks through the attackers.

Haider et al. [29] have addressed a deep CNN for detecting the effective DDoS attack in the SDNs. It was performed on an existing flow-oriented dataset below the provided benchmarks. The enhanced accuracy was described over the conventional associated detection techniques. Nonetheless, the CNN technique lagged to extract appropriate features and hence it causes a higher classification error. Another impediment of the CNN technique is the higher layer deployments which arise redundancy for larger datasets and consume more computation time.

Sagar et al. [30] have exploited the ID for detecting the attack traffic that was present at the controller. The network traffic deviations were quantified with distinct probability distributions. Considering the benefits of flow-oriented SDN, a GE-oriented metric was suggested. The experimental outcomes described that this detection method enhanced the several statistical information distance metrics as well as the Shannon entropy. On the other hand, this technique does not manipulate the various traffic and lagged to prevent the applicable attacks through the attackers. The computational complexity is also higher in this technique owing to the employment of ID strategy during the detection phase.

Barbhuiya et al. [31] have introduced a Linear Regression (LR)-based mechanism that was composed of four modules such as the attack mitigation, attack traceback, attack detection, and attack detection trigger. The attack detection trigger minimized the workload of the switches and controllers as well as responded quickly over the DDoS. This technique on the basis of the NN was implemented for detecting the attack. Moreover, an attack traceback technique was introduced which took the benefits of the SDN characteristics [32, 33]. The experimental outcomes revealed that the source of attacks was also traced in an appropriate manner. An attack could also be blocked in the source, and the occupied switch resources were also released.

To summarize, the existing models also pose several challenges like lower precision rate, more processing, and communication overhead, requires more memory for processing and needs large scale datasets, lack of attack detection rate, and inefficiency of learning the detection of attacks at automatic manner. In particular, the detection accuracy is not greater in most of the recent works where the performance of accuracy is widely dependent on learning parameters and the training phase. They do not focus on various traffics and security threats. In addition, inappropriate characteristic value selections in the previous work provide lesser accuracy and precision. These challenges motivate the researchers for focusing on attack detection in SDN using a well-performing TSVM model. Multi-characteristic values extraction is also integrated into the proposed methodology to obtain the accurate detection of DDoS attacks in SDN.

3 Materials and methods

3.1 Proposed architecture

The Openflow switch in the SDN architecture transmits the major data at a very high speed. The significant network traffic is handled by the SDN through the finding of the entries of the flow table, in which the packet is forwarded by the flow entry to multiple interfaces. Every entry is composed of the actions, counters, and header field where multiple flow entries are present in each flow table.

In order to forward the data, the entries in the flow table provide the rules. The architecture of the proposed DDoS detection on SDN is exposed in Fig. 1. The flow table entry structure diagram is depicted in Fig. 2. Finally, the attack detection flow is composed of collecting flow states, characteristic value extraction, and classifier judgment as depicted in Fig. 3.

Fig. 1

Proposed architectural model.

Fig. 2

Diagrammaticrepresentation of the structure of the flow table.

Fig. 3

Process of proposed attack detection model.

A flow table request is sent by the collection of flow state to the Openflow switch, and the reply is sent by the switch to the collection of flow state. The characteristic values are extracted by an appropriate extraction mechanism that is associated with the DDoS attack and it consists of the six-tuple characteristic values matrix. It is characterized with the help of a TSVM-oriented algorithm for differentiating between the attacking abnormal traffic and the normal traffic.

3.2 Dataset description

In this work, the dataset for performing the DDoS attack detection on SDN is collected from two standard benchmark datasets called the Network Security Laboratory (NSL) KDD 2000 and BUET 2020.

NSL KDD 2000: This dataset is composed of the internet traffic records viewed by a simple ID framework and is considered as the ghosts of the traffic and is encountered by the traces and real IDS.

BUET 2020: This dataset is created by normal traffic and captured attack traffic. It is composed of 6 classes and 1081633 records in which 1001984 are considered as DDoS attacks.

3.3 Extraction of multi-characteristic values from dataset

The network forges a vast count of source IP addresses in a random manner for sending a specific packet size in order to attack the target. In some cases, the variation of the source port speed is not defined while detecting the attack. When the traffic characteristic values are extracted, a vast count of novel port addresses was produced in a random manner in the process of attack. Here, various traditional researches on SDN are investigated and differentiated and the data processing and analysis is performed by the information extraction of the flow status based on the earlier research. The six tuple characteristic values are attained for detecting the DDoS attack is as follows:

(a) SSIP: It is defined as the count of source IP addresses per time unit. $SSIP = \frac{Sum_I P_{srca}}{TA}$ (1)

Here, the sampling interval is defined by TA, and the source IP number is defined by Sum_IP_srca. When an attack occurs, a vast count of attacks is produced by the forgery for sending the data packets in a random manner and the source IP address count enhances in a rapid format.

(b) SSP: It states that the count of source ports per time unit. $SSP = \frac{Sum_p {ort}_{srca}}{TA}$ (2)

In the above equation, the count of attack source ports is indicated by Sum _ port_srca. When a vast count of attack requests happens, a vast count of port counts is produced in a random manner.

(c) SDFP: It is defined as the standard deviation of the number of packets in the TA period. $SDFP = \sqrt{\frac{1}{NA} \sum_{ia = 1}^{NA} {({packets}_{ia} - Mean_packets)}^{2}}$ (3)

Here, the average packet count in the TA period is defined by $Mean_packets = (1 / NA) \sum_{ia = 1}^{NA} {packets}_{ia}$ . The total flow entry count per period when an attack occurs is defined by NA. For generating the effect of attacks, the general attack data packets are very small and the SD associated with the flow packets is lesser than the normal flow.

(d) SDFB: It states that the count of bits in the TA period. $SDFB = \sqrt{\frac{1}{NA} \sum_{ia = 1}^{NA} {({bytes}_{ia} - Mean_bytes)}^{2}}$ (4)

In the above equation, the average of the count of bits is denoted by $Mean_bytes = (1 / NA) \sum_{ia = 1}^{NA} {bytes}_{ia}$ . When an event occurs, the packet load is minimized by sending a smaller amount of data packets.

(e) SFE: It is defined as the count of flow entries per time of unit. $SFE = \frac{NA}{TA}$ (5)

(f) RPF: It is defined as the ratio of interactive to total flow entries. $RPF = \frac{2 * Pair_Sum}{NA}$ (6) where the interactive flow entry count is symbolized by Pair_Sum. A request is sent by the source host to the destination host that is composed of the below conditions.

The source IP of pckt _ ia is similar to the destination IP of pckt _ ja. The destination port count of pckt _ ia is identical to the source port count of pckt _ ja. The destination IP of pckt _ ia is identical as the source IP of pckt _ ja and the source port count of pckt_ia are identical as the destination port count of pckt _ ja. There exist two interactive flow entries and it fulfills Equation (7). $\begin{matrix} Src_I P_{ia} = Dst_I P_{ja} \\ Src_p {ort}_{ia} = Dst_p {ort}_{ja} \\ Src_I P_{ja} = Dst_I P_{ia} \\ Dst_p {ort}_{ja} = Dst_I P_{ia} \end{matrix}$ (7)

When an attack happens, the flow entries enhance in a sharp manner. It is not possible to respond to the interactive flow by the destination host in a timely manner. Normally, during the attacking process, the attacker utilizes the huge pseudo source addresses.

4 Proposed TSVM-Based DDoS Attack Detection Approach

In general, traditional SVM is attained from the classification hyperplane that is a linearly separable one and its primary idea is described using the 2D case. There exists a training group DA ={ (XA₁, ya₁) , (XA₂, ya₂) , ⋯ , (XA_na, ya_na) , }, in which the associated class label is defined by ya_ia and the characteristic vector related to the training sample is defined by XA_ia. The term ya_ia represents+1 or -1 (ya_ia ∈ { + 1, - 1 }) and ya_ia considers 1 or 0. This represents that the vector is a part of this class or not. In the case of a linear separable case as in Fig. 4, a straight line is drawn for dividing the vector of class+1 from the –1.

Fig. 4

Classification hyper plane diagram.

There exist infinity lines in an accurate manner and the interval of separation must be very high. The sample classification is completed by the SVM by finding the one with the highest interval of classification. The optimal classification line is defined using the equation $ω \cdot xa + ba = 0 (ω \in R^{na}, ba \in R)$ , in which the term ω implies the weight vector and the bias is denoted by ba respectively.

The points below the separation hyper plane are fulfilled as in Equation (8). $ω \cdot xa + ba > 0$ (8)

In general, the points below the separation hyper plane are fulfilled as in Equation (9). $ω \cdot xa + ba < 0$ (9)

The weight is adjusted for making the edge side of the hyper plane as in Equation (10). $\begin{matrix} HA 1 : ω \cdot xa + ba ⩾ 1, {forya}_{ia} = 1 \\ HA 2 : ω \cdot xa + ba ⩽ 1, {forya}_{ia} = - 1 \end{matrix}$ (10)

This defines that the vectors falling above or on HA1 are of class+1 and the vectors falling below or on HA2 are of class –1. Hence, Equation (10) becomes Equation (11). ${ya}_{ia} (ω \cdot xa + ba) ⩾ 1, \forall ia$ (11)

The training tuples that fall on HA1 and HA2 describe the support vectors and the equal sign is also revealed. It is equal to handling the constrained optimization problem as in Equation (12). $\begin{matrix} min_{ω, ba} \frac{1}{2} {∥ ω ∥}^{2} + CA \sum_{ia = 1}^{NA} ξ_{ia} \\ s . t . {ya}_{ia} (ω \cdot {xa}_{ia} + ba) \\ ⩾ 1 - ξ_{ia}, ξ_{ia} ⩾ 0, ia = 1, \dots, NA \end{matrix}$ (12)

In the above equation, the relaxation variable is defined by ξ_ia and the term CA > 0 represents the penalty parameter. Finally, it is tested by the test data and the classification outcomes are attained. The process of DDoS attack detection using the TSVM classifier is demonstrated in Fig. 5.

Fig. 5

Procedure of DDoS attack detection in SDN using TSVM classifier.

Algorithm 1

TSVM classifier
Begin
Step 1: Population initialization;
Step 2: Predict the classes by initializing it as X and Y;
Step 3: Find unknowns by transforming it into an optimization problem;
Step 4: Find maximum margin through a loss function called hinge loss function;
Step 5: Call MFO to optimize the TSVM parameters (ξ_ia, CA);
Step 6: Obtain the optimized parameters from MFO;
Step 7: Optimize weights by computing gradients through enhanced mathematical concepts;
Step 8: Update gradients by the optimized parameter;
Step 9: Utilize loss function when misclassification occurs;
Step 10: Return best solution as final update;
End

The efficiency of the traditional SVM classifier mainly depends on the selection of kernel parameters (ξ_ia, CA). Nevertheless, the traditional SVM lags to select the optimum parameters which cause the larger misclassification rate during the learning process. In order to alleviate this limitation, a new improved SVM called Tuned SVM (TSVM) is introduced in this proposed work as shown in Algorithm 1. The moth flame optimization [34] has been employed to optimize the kernel parameters of traditional SVM. The key phenomenon is to choosing this optimization algorithm is the simple utilization and superior exploration capabilities in the searching stage. This higher exploration capability will minimize the computational time and misclassification rate generated by the traditional SVM. Moreover, the MFO algorithm provides a fast convergence rate and better performance in terms of balanced exploitation and exploration capabilities and does not fall into local optima. The sequential flow of the TSVM classifier is enumerated in Fig. 6.

Fig. 6

Sequential flow of TSVM classifier with MFO algorithm.

5 Results and discussions

The proposed model using the TSVM was implemented in the MATLAB 2020a and the results were carried out to analyze the performance of the proposed framework. Typically, MATLAB is a numeric computing environment and proprietary multi-paradigm programming language implemented using Math Works. The effectiveness of the proposed framework was demonstrated in terms of several performance measures such as accuracy, F1 Score, precision, True Positive Rate (TPR), False Positive Rate (FPR), Mean Square Error (MSE), and specificity against the number of samples for both the NSL KDD and the BUET datasets. The simulation parameters used for executing the proposed attack detection model are exposed in Table 3.

Table 3
Simulation parameters

Parameters Value

Number of primary users 5

Number of secondary users 10

Number of malicious users 4

Number of iterations 100

Number of samples 4000

Parameters	Value
Number of primary users	5
Number of secondary users	10
Number of malicious users	4
Number of iterations	100
Number of samples	4000

5.1 Comparison of proposed TSVM with different classifiers

The comparison of the proposed TSVM-based DDoS attack detection on SDN with the existing DPTCM-KNN [23], TCM-KNN [23], KNN-ACO [24], CNN [29], RF [22], and LR [31] is depicted in Fig. 7. It is manifest from Fig. 7 that the proposed methodology achieved a higher accuracy of 98% in detecting the DDoS attacks followed by DPTCM-KNN, CNN, KNN-ACO, and TCM-KNN.

Fig. 7

Comparison of proposed TSVM and distinct classifiers with respect to Accuracy.

The key reason for this enhancement in classification accuracy is owing to the ability to extract six tuple characteristic values in decrementing the category of DDoS attack through the novel multi-characteristic extraction strategy. Besides, the employment of flow table along with the secure channel transmission strategy in the proposed methodology facilitates to determine the attack traffic and thus it prolongs the overall accuracy during the larger dataset. The higher precision and specificity of the proposed methodology are attained by minimizing the classification error.

In contrast, the accuracy of the existing classifiers is poorer due to the maximization of the classification error in the validation phase. Especially, the KNN-ACO and TCM-KNN classifiers failed to determine the optimum characteristic values yields lesser accuracy than the proposed methodology. The CNN method integrates several concealed layers to accomplish convolution and sub-sampling models to extract the characteristic values. Meanwhile, the implementation of multi-layers causes larger computational complexity which obtains the accuracy of 95%. Finally, the DPTCM-KNN method neglected to search the entire traffic of the SDN and do not stimulate the optimal elucidation for characteristic value selection. This paves a way to acquire lesser accuracy than the proposed methodology.

The confusion matrix of the proposed scheme is depicted in Fig. 8. In this research, three classes (Class 1, 2, 3) of data are tested in the proposed scheme. Class 1 intends the normal class used for testing, Class 2 indicates the benign class, and class 3 symbolizes abnormal class. The purple diagonal infers accurate detections and light brown diagonal denotes the incorrect detections. Normal and benign classes are detected correctly but one data is incorrectly detected as benign class instead of abnormal class from the selected 17 image. The confusion matrix is exploited to access common performance metrics. The simulation result shows that the testing accuracy of the confusion matrix is acquired as 98.02%.

Fig. 8

The confusion matrix of the proposed scheme.

According to Table 4, it is evident that the proposed TSVM classifier offers better results as compared with existing classifiers in terms of TPR, FPR, and MSE. The proposed TSVM classifier has superior by 44%, 50%, 49%, and 28% when compared with DPTCM-KNN, TCM-KNN, KNN-ACO, and CNN respectively. These results are due to the execution of an optimum classification model (TSVM classifier) in the proposed methodology. The appropriate tuning parameter selection from the Moth Flame Optimization produces lower misclassification errors during the training phase. Furthermore, the TSVM balances the exploitation and exploration in searching space that permits the searching agent to search the whole region for accomplishing the finest solutions. Conversely, the MSE value is maximum for the TCM-KNN which is closely followed by KNN-ACO, DPTCM-KNN, and CNN. The improper parameter selection in existing classifiers yields larger classification errors in the network traffic.

Table 4

Performance comparison of proposed TSVM over existing classifiers

Classifier	TPR	FPR	MSE
DPTCM-KNN	0.920	4.08X10^–3	0.062
TCM-KNN	0.912	4.98X10^–3	0.082
KNN-ACO	0.904	4.82X10^–3	0.080
CNN	0.948	2.92X10^–3	0.034
RF	0.932	2.92X10^–3	0.029
LR	0.940	2.92X10^–3	0.031
SVM	0.957	2.92X10^–3	0.038
Proposed	0.996	1.75X10^–3	0.020

5.2 Performance analysis of various metrics under different datasets

1. Accuracy analysis

It is defined as the discrepancy in the recognized outcome to the ground value [35]. $Accuracy = \frac{TSP + TSN}{TSP + TSN + FSP + FSN}$ (13) where the TSP, TSN, FSP, and FSN represent the true positive, true negative, false positive, and false negative respectively.

The accuracy analysis for the NSL KDD and BUET dataset in terms of the number of samples is depicted in Fig. 9. On considering Fig. 9(a), for the NSL KDD dataset, the accuracy of the proposed TSVM at 4000 samples is 0.978. From Fig. 9(b), for the BUET dataset, the accuracy of the proposed TSVM at 4000 samples is 0.734. Therefore, the accuracy of the proposed TSVM outperforms well for both datasets under different samples. This can be attributed to observing various DDoS attacks simultaneously of the deployed network in SDN. These different kinds of attacks are categorized through the multi-class TSVM mechanism. The TSVM-based detection system in the proposed methodology assists in classifying the attacks rapidly.

Fig. 9

Accuracy analysis of TSVM with respect to (a) NSL KDD, (b) BUET.

2. F1 Score Analysis

It is the mean value between sensitivity and specificity [36]. $F 1 score = \frac{2 TSP}{2 TSP + FSP + FSN}$ (14)

The F1 Score Analysis for the two datasets is illustrated in Fig. 10. In the case of 4000 samples, as in Fig. 10(a), the F1 Score of the NSL KDD is 0.984. Similarly, in Fig. 10(b), the F1 Score of the BUET at 4000 samples is 0.66. Hence, the F1 Score analysis holds better with the proposed TSVM for the 2 datasets for detecting the DDoS attack detection on SDN. This is because of utilizing the nominal layers in the proposed methodology to evade over-fitting and classification error problems. It directs the proposed TSVM to detect all types of attacks effectively in the SDN.

Fig. 10

F1 Score analysis of TSVM with respect to (a) NSL KDD, (b) BUET.

3. Precision Analysis

It states that the measure of the deviation in the data retrieval from the original data [37]. $Precision = \frac{TSP}{TSP + FSP}$ (15)

The precision analysis for the proposed TSVM for the DDoS attack detection on SDN for the 2 datasets is represented in Fig. 11. In Fig. 11(a), the precision of TSVM for 4000 samples with the NSL KDD dataset is 0.976. On considering Fig. 11(b), the precision of TSVM with the BUET dataset for 4000 samples is 0.660. Thus, the precision analysis holds better outcomes for the proposed methodology. The proposed classifier can train at a faster rate which assists to categorize benign traffic from DDoS attack traffic on the SDN.

Fig. 11

Precision analysis of TSVM with respect to (a) NSL KDD, (b) BUET.

4. TPR Analysis

It is defined as the probability that an actual positive will test positive. $TPR = \frac{TSP}{TSP + FSN}$ (16)

The TPR analysis of the proposed model for the two datasets is shown in Fig. 12. From Fig. 12(a), for the NSL KDD dataset, the TPR of the proposed TSVM at 4000 samples is 0.99. Similarly, in Fig. 12(b), for the BUET dataset, the TPR of the proposed TSVM is 0.66 at 4000 samples. Hence, the TPR of the proposed TSVM holds superior outcomes with respect to both datasets for the DDoS attack detection on SDN. This is owing to the intrusion prevention phase of the proposed methodology automatically invoked and forward a flow-entry to SDN to drop frames from an attacker. This dropping strategy will lead to achieving a higher TPR value in the network.

Fig. 12

TPR analysis of TSVM with respect to (a) NSL KDD, (b) BUET.

5. FPR Analysis

It refers to the total positive results within the negative output [38]. $FPR = \frac{FSP}{FSP + TSN}$ (17)

The FPR analysis of the proposed TSVM in the case of two datasets is depicted in Fig. 13. From Fig. 13(a), the FPR of the recommended TSVM for the NSL KDD dataset is 0.175 at 4000 samples. Moreover, in Fig. 13(b), for the BUET dataset, the FPR of the TSVM at 4000 samples is 0.275. The learning parameters of the proposed TSVM classifier are tuned accurately with the help of the appropriate optimization algorithm. Thus, the FPR analysis of the proposed TSVM is far better for the DDoS attack detection on SDN.

Fig. 13

FPR analysis of TSVM with respect to (a) NSL KDD, (b) BUET.

6. MSE Analysis

It measures the difference between the estimated and the actual value. $MSE = \frac{1}{nk} \sum_{ik = 1}^{nk} {({YK}_{ik} - Y {\hat{K}}_{ik})}^{2}$ (18)

where the total number of samples is signified by nk, the actual and the predicted values are represented by YK_ik and $Y {\hat{K}}_{ik}$ respectively.

The MSE analysis of the TSVM for the 2 datasets is pictorially given in Fig. 14. In the case of Fig. 14(a), the MSE of TSVM for NSL KDD at 4000 samples is 0.023. On considering Fig. 14(b), for the BUET dataset, the MSE of TSVM at 4000 samples is 0.265. Therefore, the MSE analysis portrayed better outcomes for the proposed model for both datasets. The key rationale behind this reduction is that the proposed classifier incorporated the proper detection strategy during the training phase. Further, the proposed classifier does not require any pre-training parameters for attack classification. This paves a way to acquire lower classification error and MSE.

Fig. 14

MSE analysis of TSVM with respect to (a) NSL KDD, (b) BUET.

7. Specificity Analysis

It expresses the rate of the wrong data correctly neglected during the data retrieval [39]. $Specificity = \frac{TSN}{FSP + TSN}$ (19)

The specificity analysis for the proposed TSVM with respect to two datasets is depicted in Fig. 15. From Fig. 15(a), for the NSL KDD dataset, the specificity of TSVM for the NSL KDD dataset is 0.999 at 4000 samples. While considering Fig. 15(b), for the BUET dataset, the specificity of TSVM is 0.67 at 4000 samples. Consequently, the specificity analysis holds superior outcomes for the proposed model for both datasets. These better results owing to providing the appropriate balance between the accuracy and the convergence rate of the acquired characteristic values in the proposed classifier. This appropriate balance influences the proposed framework properly robust to embrace it to incorporate any new DDoS attack in SDN.

Fig. 15

Specificity analysis of TSVM with respect to (a) NSL KDD, (b) BUET.

8. ROC Analysis

The Receiver Operating Characteristic (ROC) analysis of the proposed method with existing techniques is shown in Fig. 16 for BUET as well as the NSL-KDD dataset. It can be clearly observed that the proposed method exposes better ROC than the other methods, revealing its superiority. Hence, it can be demonstrated that the proposed method is better than the other methods in terms of ROC analysis respectively.

Fig. 16

ROC analysis of TSVM with respect to (a) NSL KDD dataset, (b) BUET dataset.

9. AUC Analysis

The Area under the ROC Curve (AUC) analysis of different methods for DDoS attacks is depicted in Table 5. It can be seen that the proposed method shows better AUC analysis than the other methods. The proposed method for the BUET dataset is 6.13%, 11.07%, and 8.48% superior to SVM, LR, and RF respectively. The key reason for this enhancement is that the proposed method utilizes the optimization algorithm for optimizing the parameters.

Table 5

AUC comparison of the proposed TSVM over existing classifiers

BUET dataset
Methods	AUC analysis
SVM	0.9228
LR	0.8818
RF	0.9028
Proposed	0.9794
NSL KDD dataset
Methods	AUC analysis
SVM	0.9332
LR	0.9204
RF	0.9194
Proposed	0.9790

5.3 Dataset comparison analysis

The dataset comparison between NSL KDD and BUET dataset for several measures such as accuracy, misclass, specificity, precision, sensitivity (recall), and F1 Score are demonstrated in Fig. 17. On considering Fig. 17(a), the accuracy is more with the BUET followed by NSL KDD. The misclass is more with the NSL KDD followed by BUET. The specificity is more with the BUET followed by NSL KDD. From Fig. 17(b), the precision of TSVM is more with the BUET followed by NSL KDD. The recall of TSVM is more with the BUET followed by NSL KDD. Moreover, the F1 Score of TSVM is more with the BUET followed by NSL KDD. Thus, in the majority of the cases, the BUET dataset reveals better performance analysis than the NSL KDD dataset for the proposed TSVM-based DDoS attack detection on SDN.

Fig. 17

Dataset Comparison analysis of TSVM with respect to (a) Accuracy, Misclass, and Specificity, (b) Precision, Recall, and F1 Score.

It can be concluded from the aforesaid results that the proposed methodology performs robust against the different datasets. The traffic attacks can be identified from legitimate traffic to a larger extent. The spacing among normal traffic and attack enhances for increasing the accuracy in the proposed methodology. It offers superior accuracy in terms of attack detection and it does not need training datasets associated with malicious data. Furthermore, the attack detection is initiated quickly and is traced in an appropriate manner which minimizes the network load, CPU load, response time, and training period. These features pave the way to apply the proposed detection methodology for numerous real-time applications.

6 Conclusion and future work

In this work, TSVM-based DDoS attack detection has been established to mitigate the security issues in the SDN. The proposed detection methodology consists of three phases such as collecting flow states, characteristic value extraction, and the classifier phase. Initially, the flow table request is sent by the collection of flow state to the Openflow switch, and the reply is sent by the switch to the collection of flow state. Subsequently, the six tuple characteristic values are extracted by the efficient extraction mechanisms which are associated with the DDoS attack. These characteristic values assisted the TSVM classifier to differentiate the abnormal traffic and the normal traffic in the SDN.

The effectiveness of the proposed TSVM has been assessed through the MATLAB environment. The simulation results evident that the performance of the proposed methodology is far better than existing classifiers under different datasets. Especially, the proposed TSVM classifier obtains a higher F1 score of 99.45%, specificity of 99.88%, and TPR of 99.60%. Next, the accuracy of the proposed TSVM at 4000 samples was 0.978 and 0.98 for the NSL KDD and BUET datasets respectively. These superior results help to detect several DDoS attacks and thus it simplifies the examining process of the SDN.

6.1 Future works

Future research work for mitigating the DDoS attack on the SDN could be performed in the following directions.

In the future, different classification models using deep learning can be employed for detecting DDoS attacks on SDN. Moreover, the less analysis revealed in a few cases must be simulated by the normal data flow in a more comprehensive manner.

To compare and analyze the variations among current networks and SDN and to investigate the monitoring possibilities in the SDN.

To introduce a technique that can optimally mitigate the non-spoofed and spoofed attacks present in an SDN environment and to consider the trace-back by the benefits of the SDN architecture.

To understand the characteristics of the IoT subscribers for refining the description of the threshold is distinct applications and the output is verified with traffic and real IoT devices on the basis of smart city applications.

To propose a DDoS detection method with the help of generalized theory for minimizing the complete overhead.

References

Idhammad

, Afdel

and Belouch

, Semi-supervised machine learning approach for DDoS detection, Applied Intelligence 48 (2018), 3193–3208.

Silva

L.E.

and Coury

D.V.

, Network traffic prediction for detecting DDoS attacks in IEC 0 communication networks, Computers & Electrical Engineering 87 (2020), 106793:1–20.

Catak

F.O.

and Mustacoglu

A.F.

, Distributed denial of service attack detection using autoencoder and deep neural networks, Journal of Intelligent & Fuzzy Systems 37(3) (2019), 3969–3979.

Tayfour

O.E.

and Marsono

M.N.

, Collaborative Detection and Mitigation of Distributed Denial-of-Service Attacks on Software-Defined Network, Mobile Networks and Applications 25 (2020), 1338–1347.

Misenga Mumpela

and Young-Hoon

, Strategies for detecting and mitigating DDoS attacks in SDN: A survey, Journal of Intelligent & Fuzzy Systems 35(6) (2018), 5913–5925.

, Cheng

and Zhu

, A DDoS attack detection method based on SVM in software defined network, Security and Communication Network 2018 (2018), 1–17.

Wang

, Hu

, Tang

, Xie

and Lu

, SGS: Safe-guard scheme for protecting control plane against DDoS attacks in software-defined networking, IEEE Access 7 (2019), 34699–34710.

Dong

, Abbas

and Jain

, A survey on distributed denial ofservice (DDoS) attacks in SDN and cloud computing environments, IEEE Access 7 (2019), 80813–80828.

Yin

, Zhang

and Yang

, A DDoS attack detection and mitigation with software-defined Internet of Things framework, IEEE Access 6 (2018), 24694–24705.

10.

Prasanth

and Jayachitra

, A Novel Multi-Objective Optimization Strategy for Enhancing Quality of Service in IoT enabled WSN Applications, Peer-to-Peer Networking and Applications 13 (2020), 1905–1920.

11.

, Wu

, Yuan

, Sun

, Wang

, Li

and Gong

, Detection and defense of DDoS attack-based on deep learning in Open Flow-based SDN, International Journal of Communication Systems 31(5) (2018), e3497:1–16.

12.

Kalkan

, Altay

, Gur

and Alagöz

, JESS: Joint entropy-based DDoS defense scheme in SDN, IEEE Journal on Selected Areas in Communications 36(10) (2018), 2358–2372.

13.

M.M.

, Kamolphiwong

and Vasupongayya

, Advanced support vector machine- (ASVM-) based detection for distributed denial of service (DDoS) attack on software defined networking (SDN), Journal of Computer Networks and Communications 2019 (2019), 1–12.

14.

Han

and Yang

, OverWatch: A cross-plane DDoS attack defense framework with collaborative intelligence in SDN, Security and Communication Network 2018 (2018), 1–15.

15.

Haque

M.R.

, Tan

S.C.

, Yusoff

, Lee

C.K.

and Kaspin

, DDoS attackmonitoring using smart controller placement in software definednetworking architecture, Computational Science and Technology 481 (2019), 195–203.

16.

Pérez-Díaz

J.A.

, Valdovinos

I.A.

, Chooand

K.-K.R.

and Zhu

, A flexible SDN-based architecture for identifying andmitigating low-rate DDoS attacks using machine learning, IEEEAccess 8 (2020), 155859–155872.

17.

Conti

, Lal

, Mohammadi

and Rawat

, Lightweight solutionsto counter DDoS attacks in software defined networking, Wireless Network 25(5) (2019), 2751–2768.

18.

Cui

, Yan

, Li

, Xing

, Pan

, Zhu

and Zheng

, SD-Anti- DDoS: Fast and efficient DDoS defense in software-defined networks, Journal of Network and Computer Applications 68 (2016), 65–79.

19.

Santos

, Souza

, Santo

, Ribeiro

and Moreno

, Machine learning algorithms to detect DDoS attacks in SDN, Concurrency and Computation: Practice and Experience 32(16) (2020), 1–14.

20.

Hong

, Kim

, Choi

and Park

, SDN-Assisted Slow HTTP DDoS Attack Defense Method, IEEE Communications Letters 22(4) (2018), 688–691.

21.

Dong

and Sarem

, DDoS Attack Detection Method Based on Improved KNN With the Degree of DDoS Attack in Software-Defined Networks, IEEE Access 8 (2020), 5039–5048.

22.

Chen

, Hou

and Li

, DDoS Attack Detection Based on Random Forest, IEEE International Conference on Progress in Informatics and Computing, (2020), 1–6.

23.

Patil

, Jain

and Ram

, Software Defined Network: DDoS Attack Detection, International Research Journal of Engineering and Technology 6 (2019), 7302–7307.

24.

Vishwakarma

, Sharma

and Sharma

, An Intrusion Detection System using KNN-ACO Algorithm, International Journal of Computer Applications 171 (2017), 18–23.

25.

Alamri

H.A.

and Thayananthan

, Bandwidth Control Mechanism and Extreme Gradient Boosting Algorithm for Protecting Software-Defined Networks Against DDoS Attacks, IEEE Access 8 (2020), 194269–194288.

26.

Gokul

and Karthikeyan

, Test Scheduling of System-on-Chip Using Dragonfly and Ant Lion Optimization Algorithms, Journal of Intelligent & Fuzzy Systems 40 (2021), 4905–4917.

27.

Gokul

and Periyasamy

, Minimization of test time in system on chip using artificial intelligence-based test scheduling techniques, Neural Computing and Applications 32 (2020), 5303–5312.

28.

Sahoo

K.S.

and Tripathy

B.K.

, An Evolutionary SVM Model for DDOS Attack Detection in Software Defined Networks, IEEE Access 8 (2020), 132502–132513.

29.

Haider

, Akhunzada

and Mustafa

, A Deep CNN Ensemble Framework for Efficient DDoS Attack Detection in Software Defined Networks, IEEE Access 8 (2020), 53972–53983.

30.

Sagar

, Puthal

and Tiwary

, An early detection of low rate DDoS attack to SDN based data center networks using information distance metrics, Future Generation Computer Systems 89 (2018), 685–697.

31.

Barbhuiya

and Kilpatrick

, Linear Regression Based DDoS Attack Detection, ICMLC 2021: International Conference on Machine Learning and Computing, (2021), 568–574.

32.

Rahman

, Chakraborty

and Anwar

, SDN–IoT empowered intelligent framework for industry 4.0 applications during COVID-19 pandemic, Cluster Computing (2021), 1–18.

33.

Yang

, Yu

, Yang

S.X.

and Chakraborty

, An Intelligent Trust Cloud Management Method for Secure Clustering in 5G enabled Internet of Medical Things, IEEE Transactions on Industrial Informatics, (2021), 1–6.

34.

Mirjalili

, Moth-Flame Optimization Algorithm: A Novel Nature-inspired Heuristic Paradigm, Knowledge-Based Systems 89 (2015), 228–249.

35.

Jayachitra

and Prasanth

, An Efficient Clinical Support System For Heart Disease Prediction Using TANFIS Classifier, Computational Intelligence (2021), 1–28.

36.

Kalli

, Suresh

and Prasanth

, An effective motion object detection using adaptive background modeling mechanism in video surveillance system, Journal of Intelligent & Fuzzy Systems 41 (2021), 1777–1789.

37.

Lavanya

, Prasanth

and Jayachitra

, A Tuned classification approach for efficient heterogeneous fault diagnosis in IoT-enabled WSN applications, Measurement 183 (2021), 109771:1–16.

38.

Prasanth

, Certain Investigations on Energy-Efficient FaultDetection and Recovery Management inUnderwater Wireless Sensor Networks, Journal of Circuits,Systems and Computers 30 (2150), 2150137:1–20.

39.

Jayachitra

and Prasanth

, Multi-Feature Analysis for Automated Brain Stroke Classification Using Weighted Gaussian Naïve Baye’s Classifier, Journal of Circuits, Systems, and Computers 30 (2150), 2150178:1–26.

A robust tuned classifier-based distributed denial of service attacks detection for quality of service enhancement in software-defined network

Abstract

Keywords

1 Introduction

3.1 Proposed architecture

3.3 Extraction of multi-characteristic values from dataset

Table 3 Simulation parameters Parameters Value Number of primary users 5 Number of secondary users 10 Number of malicious users 4 Number of iterations 100 Number of samples 4000

6.1 Future works

References

Table 3
Simulation parameters

Parameters Value

Number of primary users 5

Number of secondary users 10

Number of malicious users 4

Number of iterations 100

Number of samples 4000