Skip to main content

Classification of DDoS attack traffic on SDN network environment using deep learning

Abstract

Distributed Denial of Service (DDoS) attack is a major threat to the Internet of Things (IoT), Software Defined Networks (SDN), and Cloud Computing Networks. Due to the tremendous applications of IoT networks, the number of DDoS attacks is increasing significantly, and most sophisticated DDoS attacks are generated through IoT botnets. An IoT botnet-based DDoS attack can disrupt the network quickly with a surge of malicious traffic. Especially in an SDN network, it is important to detect the DDoS attack before it occurs to the SDN controller. DDoS attacks on the centralized controller of the SDN can disrupt the whole network. So, identifying DDoS attacks at the earliest is a critical security measure for network experts and practitioners. In this paper, we analyze the DDoS attack on an SDN environment and develop a method to identify the DDoS attack using Deep Learning (DL). The proposed method converts the captured raw network traffic to image data and classifies the malicious data from normal data. The method is evaluated on our test-bed simulated dataset and two other benchmark datasets. The experimental comparison shows that the proposed method performs better on all three datasets, giving more than 99% classification accuracy.

Introduction

Software Defined Networking (SDN) emerges as a new paradigm of communication that introduces tools for network configurations and management. SDN operates the network as a centralized entity, where the control plane is decoupled from the data plane. A global view of the entire network is achieved through the centralized controller. In the traditional TCP/IP network, the network management and security policies are not distributed over the data and control plane, mounted on the same plane. However, in the SDN network, the network management and security policies are defined on the centralized controller, which is programmable. Due to this centralized control of the SDN network, it is easy to configure/manage and enhances security measures.

Unlike traditional networking, in SDN, data are forwarded from one system to another based on the flow rules (FRs) of the flow tables (FTs) defined in the switches. The SDN controller does the deployment of the FRs to the FTs through the southbound API, and the network applications like Intrusion Detection System (IDS), load balancer, routing algorithm, etc., are deployed at the application plane by communicating with the controller through northbound API (Kreutz et al. 2015). For example, when a source system forwards a network packet to a destination system in an SDN environment, the connecting switches between these systems will check whether there is a flow rule (FR) in the FTs for forwarding the packet to the destination based on the packet’s source and destination addresses. If there is a matching FR, the packet will be forwarded to the destination, or the necessary steps will be performed according to the action of the rule. The switch will send the packet to the controller if no FR is defined. Accordingly, to the network applications in the application plane, the controller will generate an FR with some action (like out, drop, block, etc.) and deploy the rule to the FTs. Once the FR is in the FTs, the transmission of the packets from the source to the destination system is acted based on the action of the rule.

Since the SDN controller plays a major role in network traffic management, the controller becomes the target of the attackers. The attackers always try to compromise the controller by sending a huge amount of malicious network traffic, and one such common vulnerability of SDN is botnet-based DDoS attacks. A Botnet is a cluster of malware-infected systems or devices controlled and communicated by an attacker known as Bot-Master through a command and control server (Hoque et al. 2015). A typical botnet DDoS attack is shown in Fig. 1.

Fig. 1
figure 1

DDoS attack using Botnet

In an SDN network, DDoS attacks can be launched on any SDN planes, i.e., controllers, forwarding devices, Northbound APIs, or communication links (Kreutz et al. 2013), as shown in Fig. 2. The centralized nature of the control plane in the SDN network can be one potential site of failure, as the SDN controller is responsible for managing the FTs on network switches. If a DDoS attack is successfully launched on the controller and it is compromised, the SDN network will be down, and the forwarding devices will not be able to forward the traffic. This becomes the controller a target for launching DDoS attacks to disrupt the SDN network. A DDoS attack can be launched on SDN data planes’ forwarding devices to be overwhelmed and unable to communicate with the SDN controller. During a DDoS attack in the data plane, the use of spoofed random source addresses by the attacker to attack the forwarding devices results in the creation of multiple FRs by the controller for each packet that arrives. This results in the exhaustion of controller resources and may not be able to create FRs for legitimate packets. This way, a DDoS attack can be launched simultaneously at both the SDN controller and the data plane. Similarly, the Northbound APIs can also be a target of DDoS attacks that make the controller unable to communicate with the SDN application plane. Like in traditional networks, web-based Northbound APIs are still vulnerable to application layer DDoS attacks (Hoque et al. 2015). Attackers can attack the web-based APIs by sending or requesting huge amounts of HTTP/HTTPS traffic. Moreover, DDoS attacks can also launch on the communication links between the controller and forwarding devices or among the forwarding devices to deplete the bandwidth of the communication link. By simply flooding a target, the bandwidth of the path or the communication links between the attacker and the target is depleted.

Fig. 2
figure 2

Targets where DDoS can be launched in SDN

Since the SDN components are always vulnerable to DDoS attacks, there is a need for an effective DDoS attack detection and prevention method for the identification of the attack at the earliest. Moreover, the method should prevent DDoS attacks at every SDN plane. Although the SDN network is always vulnerable to attackers, the programmability and visibility characteristics of the SDN architecture provide advantages in mitigating DDoS attacks. The SDN controller can implement mitigation strategies to mitigate the attack in real-time, such as dropping or rerouting traffic by monitoring the network for suspicious activity or deploying an IDS. In addition, the use of flow-based traffic control and network segmentation can also help to mitigate DDoS attacks. This paper addresses the DDoS vulnerabilities in the data plane as well as in the control plane of the SDN network, leveraging the effectiveness of DL methods. Since DL methods can handle a huge amount of network traffic during raw network traffic analysis, so we develop an effective DL model incorporating convolution Neural Network (CNN) architecture to identify DDoS attack traffic on the SDN network.

Motivation

As SDN becomes the new approach in networking, it provides many advantages, but security issues like DDoS attacks hinder the full leverage of the benefits of SDN. Detection of DDoS attacks in SDN is a critical issue for ensuring security and reliability. The work to secure the SDN network is still in the early stages. Detection systems based on Statistics, ML, and DL have been developed by many researchers. The current methods or systems for detecting DDoS attacks in SDN are prone to false alarms and not very effective in dealing with new and complex attack patterns. DL models like CNN have remarkably succeeded in various computer vision and pattern recognition tasks. These provide a new and promising approach for DDoS attack detection in SDN. The use of CNN for detecting DDoS attacks in SDN has several advantages. It can automatically extract and learn complex features from raw network data and generalize well to new attack patterns, reducing the need for constant updates to the detection system. As CNN is designed especially for image data, the full potential of CNN can be exploited using image data, even though it can work on non-image data. These motivate us to develop a way for the conversion of network data to image data and a DL model based on CNN to classify DDoS attacks in SDN by using the network’s image data.

Contributions

The major contributions of this paper are listed below.

  1. 1.

    We develop a conceptual framework incorporating an effective DL model for identifying DDoS attack traffic. The method can protect the SDN network’s data plane and control plane from flooding DDoS attacks. The proposed model considers raw network traffic as image data during attack identification.

  2. 2.

    We compare the proposed model with five fundamental CNN models, viz., VGG, RestNet, DenseNet, EfficientNet, and Inception models, as well as against state-of-the-art methods for detecting DDoS attacks in an SDN environment.

  3. 3.

    The performance of the proposed model is validated on three datasets using accuracy, precision, recall, F1-score, and MCC scores.

The novelty of the proposed method is that it considers a huge amount of raw network traffic in image form and extracts the most informative features from the images. Since the method uses CNN, the detection accuracy is comparatively high, although the computational cost is expensive. Moreover, the proposed method can effectively block the network traffic to improve the performance of the SDN controller during flooding attack time. Although the proposed method looks very similar to existing methods, the technique differs from others in terms of the following characteristics.

  1. 1.

    Unlike other methods, our method considers the raw network traffic as raw image data.

  2. 2.

    Unlike other methods that use hand-crafted features, our method uses features extracted from images by CNN.

  3. 3.

    Like other methods, our method also analyzes network traffic with some informative features.

  4. 4.

    Our method enhances the security of the SDN network by blocking the malicious network traffic at the application level itself.

Paper organization

The paper is structured as follows: A brief review of works related to this paper is narrated in “Related work” section. The development of network test-bed and traffic generation is given in “Network setup for the experiment” section. The details of the proposed method, including the image conversion, the proposed model, and the conceptual framework, are described in “Proposed method”. A summary of existing DL models, which are used in comparing with the proposed model, is given in “Existing DL models used for comparison”. Experimental results, including the model training, performance metrics, results analysis, and discussion, are given in “Experimental results” and “Conclusion and future work” sections concludes and opens the future scope of this work.

Related work

Many authors developed various DDoS attack detection and mitigation methods in SDN environments. The common steps involved in the methods are network traffic capturing, monitoring, analysing the captured network data, extracting features from the captured network data, detecting attacks, and mitigating the attacks. Network traffic can be analysed based on packets or by flows. In packet-based analysis, each value contained inside a packet is considered as one instance and analysed to classify the type of traffic. In flow-based analysis, the packets are grouped based on some packet features, like source and destination IP, ports, time intervals, etc., and extract a flow instance to classify the traffic.

Defence mechanisms that are developed based on statistics, ML, DL and hybrids are quite popular because of their effectiveness in detecting attacks. SDNScore (Kalkan et al. 2017) and MMSA(Batool et al. 2022) are statistical-based defence mechanisms against DDoS attacks in an SDN environment. The network traffic is captured and analysed in both mechanisms to detect and mitigate DDoS attacks. SDNScore is a hybrid defence mechanism, which is similar to the PacketScore (Kim et al. 2004). The only difference from PacketScore is in selecting relevant features for each attack type. In SDNScore, SDN switches can collect statistical data to analyse. It can detect attacks on time by coordinating the switches and the controller. Since SDNScore performed packet-based analysis, it can mitigate DDoS attacks by dropping only the attack packets. While MMSA is a flow-based statistical approach for DDoS attack detection using entropy. It depends on the Standard Deviation (SD) and Weighted Moving Average (WMA). It monitors the incoming SYN packets in a fixed window size and saves them temporarily. Using SD and WMA, a value is computed and compared with a threshold value. Based on this threshold value, MMSA will presume the flow is an attack flow. Again, MMSA will confirm the flow as an attack flow based on comparing the entropy of incoming packets to another threshold value. Then, it mitigates the attacks by comparing the incoming source IPs against the legitimate IPs available to the IP database. It also computes a ratio of the single packet flow to the total number of flows and then compares it to another threshold value. Based on the threshold, the IPs will be considered as the attacker’s IP, and then the IP will be blocked using the sinkhole. As SDNScore and MMSA are based on statistics, they are lightweight and can detect known and unknown network traffic. Although these mechanisms depend highly on manually extracted features and threshold values, which might lead to a high false positive rate.

Besides statistical approaches, ML and DL can automatically learn the patterns or weights to classify the network traffic using the past available network data. ML techniques like Support Vector Machine (SVM), k-nearest Neighbors(KNN), and ensemble techniques like Random forest (RF) and Gradient Boosting (GB) show effectiveness in classifying the network traffic. To detect and mitigate DDoS attacks, Hu et al. (2017) proposed an efficient and lightweight framework called FADM. It includes data collection, feature extraction, and mitigation modules. Data are collected through the SDN controller and sflow agents. Based on entropy, the traffic features are extracted, and the anomalies of traffic are detected using SVM. The mitigation module of FADM enables quick recovery of the network, and it is based on a white list and traffic migration mechanism. Likewise, Yang and Zhao (2018) provide an SDN framework that includes a Traffic collection module, DDoS classification module, and FTs delivery module to defend against DDoS attacks. The Traffic collection module extracts the traffic features based on the statistical measures (entropy), and the DDoS classification module uses SVM to classify the network traffic. If an attack is detected, using the FT delivery module, the controller will send FRs to the FTs to filter the attack packets.

Ensemble techniques, like combining SVM classifiers, Ye et al. (2018) developed a detection model for detecting DDoS attacks. The detection model includes a feature extraction method based on statistics of the flow stats and extracted six features, viz., Speed of source IP, port, and flow entries, Standard deviation of flow packets, flow bytes, and Ratio of per-flow. In less flow collection, on average, the model can give a detection accuracy of 95.24% with low FP. However, the feature extraction method is not feasible for ICMP traffic because of the port value. By combining the supervised learning algorithms viz., kNN, Naive Bayes(NB), SVM, with the unsupervised learning algorithm called Self Organizing Map (SOM), (Deepa et al. 2019) developed a technique to detect anomaly traffic in SDN controller. The technique can operate in the control plane and is able to identify incoming traffic from a particular source as normal or anomalous. The performance of the technique is validated using the qualitative and quantitative features extracted from the CAIDA2016 dataset. Concerning the consequences of DDoS attacks in the V2I communication system, Singh et al. (2018) develop an effective DDoS detection system for not to affect genuine vehicles in an SDN network. The detection system used the Flow statistic of every 1 s to perform two levels of feature extraction. The system performance shows that the GB model gives better performance than the various compared ML models with high detection and Low FP rate. The detection system is able to work in the encrypted payload, and it can run parallel with other applications in the application plane. However, the experiment didn’t consider the data imbalance problem and had a high chance of data contamination during the data collection process since it was collected in real time.

Ma and Li (2020) developed a framework that utilises the SVM and kNN to build a hybrid detection model to defend against DDoS attacks in SDN. Using the centralization facility provided by the SDN controller, the framework can collect flow statistics efficiently to classify the flows either as attack or normal. To build the hybrid model, five feature values, viz., the average number of flow values, average bit number, and growth rate of port, flow, and source IP were extracted. The framework used SVM to identify whether the flow is an attack pattern or not, and if it is found that the pattern is an attack, then the data flow will be transferred to the kNN module. The module will then decide the outcome of the flow, whether it is under a DDoS attack or not. In case both the SVM and kNN determine the flow as an attack, then the flow will be identified as an attack, and if one is the opposite of another, it will alert the system of a suspect attack. Although this framework gives above 99% accuracy, it is limited to attack types and doesn’t consider the FP rate. Similarly, Ahuja et al. (2021) developed a hybrid model called SVC-RF incorporating SVM and RF to detect DDOS attacks. SVC-RF shows higher performance as compared to other ML models on their simulated SDN dataset.

Compared to DL, ML models are lightweight and have low computational costs. However, the ML model requires manually extracted network features to detect the attacks. Its performance is highly dependent on the extracted feature. In comparison, the DL models have the facilities to extract the network feature automatically from the raw network data and are able to give better performance. DL models based on CNN, Recurrent Neural Networks (RNN), AutoEncoder (AE), Generative Adversarial Networks (GAN), Multi-layer Perceptrons (MLPs), etc., have been developed to defend against DDoS attacks in SDN. Similar to building ML models, authors also used manually extracted network features to develop DL models, and their performance is highly dependent on the extracted features. Lee et al. (2020) developed DL-IDPS, a DL-based intrusion detection and prevention system to prevent Brute force and DDoS attacks in SDN. The system used the packet that arrived at the SDN switches by collecting it in a sequence and extracting features based on the packet length of the traffic flow. Compared to MLP, CNN, long short-term memory (LSTM), and stack-AE (SAE), DL-IDPS gives good detection accuracy with less computation.

Using the capability of RNN in handling temporal data, DL models based on RNN can give high detection accuracy. Tang et al. (2016) developed DeepIDS by combining Gated Recurrent Unit (GRU) and RNN. DeepIDS detects anomalies based on the network traffic flow. It is built by three sub-datasets, viz. basic, traffic, and mixed feature sets extracted from the NSL-KDD dataset. In the basic features set, individual TCP connections are kept. In the traffic features set, the network traffic is stored, and in the mixed features set, both the basic and traffic features are stored. The model gives high detection accuracy with less computation and doesn’t affect the controller performance. Alashhab et al. (2022) developed LDDoS, a DL approach using an RNN for detecting the attacks low-rate DDoS attacks in SDN-enable IoT networks. LDDoS is designed and implemented in an experimental SDN-enable IoT test-bed that includes IoT devices and OpenFlow messages managed by the SDN controller. The detection RNN model is built using the benchmark dataset called the Edge-IIoTset dataset. And it can achieve high detection accuracy.

An unsupervised hybrid DL approach is developed by Mhamdi et al. (2020), using SAE and One-class SVM (1-SVM) to detect DDoS attacks in SDN. It can work with both unlabeled and imbalanced data. Using a small set of limited flow features, this approach can achieve high detection accuracy with less computation cost. Novaes et al. (2021) developed a GAN framework to detect and identify possible adversarial DDoS attacks. The framework includes a mitigation module to minimize the damages during an attack by discarding anomalous packets. The performance of the GAN framework is carried out using the CICDDoS dataset and yields better results than other compared methods.

By utilizing the automatic feature extraction capability of CNN, ElSayed et al. (2021) developed a hybrid intrusion detection model for SDN using CNN with a new regularization technique and an effective ML model. The network data is converted to grey-scale image data to extract features using CNN from the network data. The model considered the over-fitting problem and used SD-Reg, based on a standard deviation of the weight matrix, to overcome the over-fitting problem and detect the unseen data. Then, an ML classifier is used to classify the traffic. The experiment shows that CNN with RF gives the highest accuracy against other compared models. Although, SD-Reg isn’t effective in high-dimensional data with low samples.

Similarly, Janabi et al. (2022) developed a detection system called DL-EWPS using CNN. The detection system has three modules viz. 1) Flow table statistic’s sender, 2) Statistic receiver, and 3) feature extractor, and Flow classification and counter. Module 1 collects the statistics of each flow from SDN switches, and module 2 receives all the FT statistics and extracts IP features based on the number counts of flows and messages received. Then, in module 3, the extracted features are converted into RGB images and fed to the CNN model to detect attacks. DL-EWPS provides flexible and scalable performance with low latency and throughput.

However, by generating network traffic in an SDN environment and considering the data plane network traffic, this paper aims to convert the raw network traffic data into RGB image data and extract network features automatically using CNN to yield high performance in detecting DDoS attacks in an SDN environment. A comparison of related works is illustrated in Table 1.

Table 1 Comparison of related works

Network setup for the experiment

A simulated SDN network test-bed is developed to validate the proposed method. The test-bed is used to generate attacks and normal network traffic flows. The network traffic flows in the test-bed are captured and stored using a network sniffing tool. The detailed procedures are given next.

Network test-bed development

An SDN-enable network test-bed is built for the experiment with the network topology shown in Fig. 3. The setup includes one SDN controller (Ryu), five OpenFlow-enable network switches (version 1.3), and eight hosts. The setup is developed using the miniedit, a GUI option of a network emulator called mininet.

Fig. 3
figure 3

Experimental SDN-enable network test-bed setup

DDoS attack generation

A flooding DDoS attack is launched on the SDN data plane using the Hping3 tool. The tool can perform different protocol-specific flooding attacks, such as TCP, UDP, HTTP, ICMP etc on the victim network. As shown in Fig. 4, hosts 7 and 8 (i.e., h7 and h8 ) are treated as victims, whereas the remaining hosts (i.e., h1 to h6) are treated as attackers. Using the Hping3 command, the attackers launch the DDoS flooding attacks on the victims with random source IP addresses. From the controller c0, at the switch s4-eth3 interface, the attack network traffic is captured and stored in the local system as attack_traffic.pcap file using the TCPDUMP.

Fig. 4
figure 4

DDoS attack traffic generation

Normal network traffic generation

Getting normal network traffic is a complex task as it may contain users’ sensitive information. So, people don’t like to share network data without privacy preservation measures. In our experiment, we generate the normal network traffic using our own test-bed. The normal traffic is generated by video streaming using the VLC media player and client–server communications in two web applications. The two web applications are Python’s simple HTTP server and a custom website using Django (a Python-based web framework). Simultaneously, using the VLC, three videos were streamed in three different network protocols, viz., HTTP, UDP, and Real-time protocol(RTP). The videos are hosted from hosts 6, 7, and 8 (i.e., h6, h7, and h8 as in Fig. 5) and streamed by hosts 1 to 4 (i.e., h1, h2, h3, and h4). The custom website is also hosted, acts as a server by hosts 3 and 5 (i.e., h3 and h5), and provides services to all other hosts. Similarly, Python’s simple HTTP server is also served from hosts 2 and 4 (i.e., h2 and h4), and the other hosts get the service. Then, like capturing the attack network traffic from the controller c0 side, at the switch s4 (s4-eth0, s4-eth1, s4-eth2, and s4-eth3 interface), the normal traffic is also captured and stored in the local system as normal_traffic.pcap file using the TCPDUMP.

Fig. 5
figure 5

Normal traffic generation

Proposed method

The proposed DDoS attack detection method is developed to identify attack traffic on the SDN network environment. The method comprises two basic steps: (i) conversion of network traffic to image data and (ii) identification of attack traffic. The details of these steps are discussed next.

Conversion of network data to image data

To convert the network traffic data to image data, first, we split the original raw captured files into multiple small windows of size 1MB. We maintain the values of IP, UDP, and ETHER for each packet of a window in an array. The array is preprocessed to convert all the values into numerical data type and normalized in the range 0 to 255. Next, the array is divided into three smaller sub-arrays of the same size, treating the first array as an array of RGB’s R pixel value, the second array as G’s pixel value, and the third array as B’s pixel value. These arrays of RGB are combined and form one array of 3 dimensions. Using OpenCV2 (a module of computer vision), the resulting 3-dimensional array is converted into image data. Since the size of the images is different, as the number of packets available in each window is different, the images are resized to a common pixel size using PILLOW (also a module for computer vision). Then, the image is saved in the file system for further use. The process of converting network traffic data to image data is shown in Fig. 6. In this experiment, the performance of the proposed DL model is evaluated on 100x100, 150x150, 200x200, and 250x250 image pixel sizes. We considered the split of packets based on memory size and the size as 1MB for the following reasons:

  1. 1.

    The experiment aims to examine the network flows based on particular memory size, assuming there will be differences in patterns between the attack and normal network flows.

  2. 2.

    In TCPDUMP, the smallest file size supported during split is 1MB, and it doesn’t support floating point sizes like 0.5, 1.5, etc.

  3. 3.

    If the window’s size is increased (say 2MB), the number of images generated will reduce (by half from the number of images generated using 1MB), and since DL models require an abundance of data to be trained effectively, we stick the window’s size to 1MB.

Since the method needs to handle a large number of images during network attack detection, it consumes a significant amount of data preprocessing time. So, to speed up the detection process, we need to preprocess the raw network traffic using parallel programming. In our implementation, we used Python’s multiprocessing module to accelerate the process of converting the network data to image data. In the experiment, due to our resource constraints, only two cores or processes are used and accelerated twice the processing speed in converting network data to image data.

Fig. 6
figure 6

Conversion of network data to image data

Algorithm 1
figure a

Conversion of network data to image data.

The steps used to convert the network data to image data are shown in Algorithm 1.

In step 1, the spliting module splits the original raw network file into multiple windows of size 1MB and keeps it into \(split\_files\). The module is back-end by the TCPDUMP’s split command, i.e., tcpdump -r filename_to_be_read -C1 -w common_filename_of_splited_pcap.

In step 2, for each window sf of 1MB, the following process are performed:

  1. 1.

    The extract module (back-end by Scapy tool) extracts the IP, UDP, and ETHER values from each packet present in the sf and creates a 2Darray.

  2. 2.

    The prepocess module handles missing values, encoding and normalization of the 2Darray and stores it temporarily in the \(processed\_2Darray\) variable. We used the common method, i.e., mean and mode, to handle the missing value and the label encoding scheme to convert the categorical values into numerical values. Using MinMax-Scaler, the values in the 2Darray are normalized in the range of 0 to 255.

  3. 3.

    The 3Dconversion module takes the \(processed\_2Darray\) and converts it into a 3D array. This module slices a 2D array into three sub-arrays of the same size and again combines to form a 3D array.

  4. 4.

    Considering the three sub-arrays of the 3D array as RGB’s channels, the \(image\_conversion\) module (back-end by OpenCV2) converts it into an image.

  5. 5.

    The resizing module (back-end by PILLOW) resized the image into the desired \(width*height\) pixel size.

  6. 6.

    Then, the resized image is saved in the file system in PNG image format.

Complexity analysis of the image conversion algorithm

Since the splitting module is back-end by TCPDUMP, let’s say its complexity is O(1). As mentioned earlier, we generate a total N number of small window files, and each file will be considered separately during image conversion. Therefore, the method consumes O(n) times to process the N number of files. Inside the process of converting a small network file to an image, the extract module will take \(O(n_1)\) since it will take one packet at a time from the small network file. As in the preprocess module, since it handles the missing value and encodes the columns categorical column, and normalization one at a time, the complexity will be \(O(n_2)\) for missing value handling, \(O(n_3)\) for encoding, and O(1) for normalization. In the 3Dconversion module, since it slices the 2D array and combines it again to form a 3D array, the complexity will be O(2). Since it used opvencv2 for \(image\_conversion\) module and PILLOW for resizing module, let’s say the complexity for both modules is O(1). So, the complexity of the algorithm for converting network data to image data can be written as:

$$\begin{aligned} O(1)+O(n)*(O(n_1)+O(n_2)+O(n_3)+O(1)+O(2)+O(1)+O(1)) \end{aligned}$$

Taking the highest complexity, It is possible to write: \(O(n)*O(m)\) or \(O(n*m)\). Using the process-based parallel computing programming, for k number of cores or process used to speed up the image conversion, the whole complexity will be reduced to the final complexity \(O((n*m)/k)\).

The images generated from the raw network traffic are fed into the CNN architecture model. We use the CNN to extract the most informative features automatically from the network traffic image data. The CNN architecture is designed in such a way that it can evaluate the features during training time incorporating mathematical operations like convolution, pooling, and filtering to extract the optimal set of features for further processing.

Identification of attack traffic

To identify the attack traffic in the SDN network, we proposed a DL model based on CNN architecture. CNN (Lecun et al. 1998) is a powerful type of DL model that has been used in various image classification and object recognition tasks due to its ability to learn and extract high-level features from image data. A CNN consists of convolution, activation, pooling, and fully connected layers. The main idea behind CNN is to learn by extracting high-level features from the input data using a series of convolution and pooling operations. The convolution layers apply a set of filters to the input data, producing a feature map representing the learned features. The activation layer is used to introduce non-linearity into the network, allowing the model to learn complex representations of the input data. Activation functions like Rectified Linear Unit (ReLU), Leaky-ReLu, Softmax, Sigmoid, Hyperbolic Tangent (Tanh), etc., have been used in CNN. The pooling layer is used to decrease the spatial size of the feature map while retaining the most important information. The fully connected or dense layers at the end of the network are used to make the final prediction based on the learned features. CNN is trained using various optimization algorithms like Adam (Adaptive moment estimation), SGD (stochastic gradient descent), resilient back-propagation (Rprop), etc., where the network weights are updated based on the difference between the actual and the outcome. Some fundamental CNN architecture includes VGG, RestNet, DenseNet, EfficientNet, Inception (GoogleLeNet), etc. The description of the proposed DL model is given next.

Model description

The proposed DL model is based on CNN architecture as shown in Fig. 7. The model includes thirty-two layers, i.e., thirteen 2D-convolution layers, five 2D-max-pooling layers, one Flatten layer, six dense layers, six Batch-Normalization layers, and one output layer with the softmax activation function. The 2D-convolution layers comprise filter sizes 64, 128, 256, and 512, with the activation functions ReLU. At the same time, the dense layers comprise neurons 512, 256, 128, 64, 32, and 16, with the activation function ReLU. The model has five consecutive convolution blocks where each block has two to four 2D-Convolution layers, followed by one 2D-max-pooling layer of pool size \(3\times 3\) of stride 2. Then, it is followed by one Flatten layer, six dense blocks, and the output. Each dense block has one dense layer followed by a Batch-Normalization layer. The convolution layers are used to extract high-dimensional features from the input, whereas the max-pooling layers are used to reduce the dimension of the input. The Dense layer is used to learn the complex input representation to process the output. Meanwhile, the Batch-normalization layer is used to improve the stability and accelerate the convergence of the model’s training process. The model has a total of 2,61,01,266 trainable parameters. It is compiled with the Adam optimizer with its default learning rate (i.e., 0.001) with the loss function ‘categorical_crossentropy’. The input size, number of filters, filter size, and stride for each layer in the proposed DL model are shown in Table 2.

Table 2 Proposed DL model description

ReLU is used for its non-linearity, computational efficiency, sparse activation, and ease of optimization. ReLU can reduce the number of parameters to learn and helps reduce the overfitting problem. It has a straightforward gradient calculation and does not suffer from the vanishing gradient problem.

The softmax is a commonly used activation function in the output layer of a DL model, mostly in multi-class classification problems. It provides a way to convert the network’s output into a meaningful probability distribution over the class labels. The outcome of the softmax function is a fuzzy set that includes the probabilities of an example belonging to each class. The class with the highest probability is given out as the model’s prediction.

We used the Adaptive Moment Estimation (Adam) optimization algorithm to train the proposed model. Adam combines the advantages of two other optimization algorithms, i.e., AdaGrad and RMSProp, and provides fast and efficient convergence to a local minimum of a loss function.

Fig. 7
figure 7

Proposed DL model

Conceptual framework

Figure 8 shows the conceptual framework of the proposed system. Firstly, an SDN-enable network test-bed is set up. Inside the test-bed, the attack and normal network traffic are generated. The generated network traffic is captured and stored as a network PCAP file. Secondly, the captured PCAP file is split into multiple smaller 1MB memory window PCAP files. Each smaller PCAP is converted to a 2D array, pre-processed, and again converted to a 3D array. The 3D array is converted into an RGB image, which is well-resized into a common size to feed into a DL model for training. A DL model based on CNN is built using the image data, and the performance of the model is evaluated.

Fig. 8
figure 8

Conceptual framework

In this paper, we aim to detect and mitigate DDoS attacks in the data plane as well as in the control plane of an SDN environment. The proposed model will protect these planes from DDoS attacks. Through the controller, in the data plane, at the edge switch of every source system, the network traffic will be captured and stored as raw network data (as PCAP data). Every 1MB network PCAP data interval will be converted into image data. The proposed DL model will take this image as input and classify the image as an attack or normal image. This way, the proposed model will detect DDoS attacks.

Practically, experiments for prevention against DDoS attacks in an SDN environment are not performed. However, if the proposed model classifies the image as an attack, the network packets that make the image will be inspected, and the destination IP included in every network packet of this 1MB PCAP data will be recorded. Then, the controller will create a FR to drop the network packets or traffic coming to the particular edge switch if the destination IP is the same as the recorded destination IPs. This way, the DDoS attacks can be mitigated.

We consider dropping the network packets based on the destination IP as it will be a challenge to create an FR based on the source IP to drop the attack network traffic and mitigate the attack, as it is common for cyber attackers to launch DDoS attacks using botnets and random spoof source IPs. In this strategy, it is obvious that legitimate packets can be dropped if the destination IP is the same as the attack packets. However, we can cooperate with other strategies or methods to generate FR that can fine-grain only the attack network packets to reduce legitimate drops, like statistical analysis or applying ML and DL methods.

Since the detection of attack traffic occurs at the edge of the source systems, it will help prevent DDoS attacks at the earliest and from degrading the bandwidth of the SDN network. Eventually, it will contribute to mitigating DDoS attacks at the controller as there is an FR to consider the packet as an attack packet based on the packet’s destination IP and to drop it. The controller will not create a new FR when a new packet arrives at the edge switch from the source system with the same or different source IP with the matching destination IP. Instead, it will match the FR to drop the packets with the specific destination IP. This will prevent the controller from creating FRs for illegitimate packets and overflowing the FTs.

Existing DL models used for comparison

The performance of the proposed model is compared against the widely used five fundamental CNN models, viz., VGG, RestNet, DenseNet, EfficientNet, and Inception, as well as against the state-of-the-art methods. A brief description of these existing models is given here.

Fundamental CNN models used for comparison

VGG (Visual Geometry Group) (Mascarenhas and Agarwal 2021) architecture is a deep CNN architecture. It is widely used as a benchmark for computer vision tasks and has been applied to various problems, including image classification, object detection, and segmentation. Several variants of the VGG architecture, such as VGG-16, VGG-19, and VGG-32, with batch normalization, have been developed since its inception.

ResNet (He et al. 2016), which stands for Residual Network, is one of the fundamental CNN architecture. It is found to be highly effective for image recognition tasks. Since the model architecture has been extended to deeper models, adding hundreds of layers, it performs well on various image recognition tasks. The ResNet architecture allows learning from residual functions instead of directly learning the mapping from the input to the output. This architecture helps solve the vanishing gradient problem, where the gradients become too small during back-propagation, leading to slow learning. The ResNet architecture also uses skip connections, which bypass one or more layers, allowing the information to flow directly from the input to the output, which helps to preserve the information from the original input, allowing the network to learn features at different levels of abstraction.

DenseNet (Huang et al. 2017) is a DL architecture for CNN. It has been successfully applied in several computer vision fields due to its ability to handle complex representations and incorporate information from multiple levels of abstraction. The main idea behind DenseNet is to connect each layer to all subsequent layers, thereby creating a dense, feed-forward network. In this architecture, each layer gets input from all levels before it and transmits its own feature maps to all layers after it. Thus, the network can effectively incorporate information from all levels of abstraction and avoid the vanishing gradient problem. DenseNet uses a feature concatenation operation to combine the outputs of all preceding layers rather than only using a sum or average operation as in other architectures.

EfficientNet (Tan and Le 2019) is widely adopted and has performed well on many computer vision benchmarks. It is designed to be scalable, efficient, and accurate even with fewer parameters and computations. EfficientNet uses a scale-wise pyramid structure that dynamically adjusts the dimensions of the input image, layers, filters, and resolution, allowing for a better balance between accuracy and computation. The architecture uses a compound scaling formula that scales the network along multiple dimensions, including width, depth, and resolution, thus allowing the network to adapt to different-sized inputs and tasks. EfficientNet uses Squeeze-and-Excitation blocks to improve the model’s ability to attend to different input regions, resulting in improved accuracy and reduced over-fitting.

The Inception architecture is widely used for image classification tasks (Szegedy et al. 2015). The Inception module consists of several parallel branches, each performing a different type of operation on the input data, such as a convolution operation with different filter sizes, a max pooling operation, or a simple pass-through operation. The final output of the module is formed by contacting the output from each branch. The architecture is designed to be computationally efficient by using the Inception modules to reduce the parameters in the network and the computation required to process each layer.

The DL models behave differently during network traffic classification based on their model architecture, input types, activation function, and other parameters such as epochs, batch size, validation split, and callback option. For example, VGG19 uses a total of 19 layers, whereas ResNet uses 18 layers. These models extract different sets of features that are fed into the dense layer during classification. Moreover, when these models take the network traffic image data as input during training, their computational complexity will also vary with respect to the number of trainable parameters.

State-of-the-art methods used for comparison

Apart from fundamental CNN models, the proposed model is also compared against the state-of-the-art methods based on RNN, LSTM, GRU, AE, and GAN. RNN is a well-known DL model that handles sequential data and is used in many application domains in computer networks (Almeida 1990). RNN can maintain an updated internal state at each time step and capture information from all previous steps. This allows RNNs to model temporal dependencies between inputs and to make predictions based on the entire input sequence. However, RNN has a Vanishing Gradient Problem (VGP). The problem arises when training an RNN on a long sequence of data, and the gradients (i.e., the rates of changing the weights) become too small to update the weights effectively. It makes RNN more challenging to identify long-term data dependencies.

LSTM and GRU are types of RNNs that are also explicitly designed to work with data where the order of the data is essential to address the VGP. LSTM is a versatile and powerful neural network architecture that can be applied to many data types and problems. An LSTM comprises units called cells that have three main components, i.e., the input gate, the forget gate, and the output gate. These gates compute the information to be remembered from the previous cell and decide how much new information from the current input should be incorporated. During training, the LSTM learns to adjust the weights of these gates to optimize its performance on a specific task (Hochreiter and Schmidhuber 1997). This allows it to capture long-term dependencies in the input data, which is important for many sequence data problems.

As an alternative to LSTM, GRU (Cho et al. 2014) is efficient in dealing with moderate-sized data samples, or computational efficiency is a concern. GRU is designed to have a simpler structure compared to LSTM while still being capable of capturing and remembering relevant information in sequences. Compared to LSTM, GRU is simpler, has a lower computational cost, and has fewer parameters. Unlike LSTM, GRU has only two gates, i.e., the Update gate and the Reset gate. These gates decide whether to incorporate or how much new information will be incorporated into the hidden state and what information to be reset from the previous state for each time step.

Unsupervised DL learning models like AE and GAN are used in various computer network applications like anomaly detection, feature extraction, data synthesis and augmentation, dimensional reduction, etc. AE is made up of two parts, i.e., Encoder and Decoder. The encoder encodes the original data input and transforms it into a compressed or encoded representation, while the decoder takes the compressed or encoded representation as input and decodes it as possible as the original data input. In the training process, AE aims to minimize the reconstruction error, i.e., the difference between the original data input and the reconstructed data (Kramer 1991).

At the same time, GAN aims to generate data that are virtually indistinguishable from real data (Goodfellow et al. 2014). It involves two neural networks or models, i.e., a generator and a discriminator. The generator network takes random values as input and generates data samples to produce data samples that are indistinguishable from real data. The generator starts by producing random outputs, which are then gradually refined through training to resemble the real data distribution. At the same time, the discriminator network tries to distinguish between real data and data produced by the generator. The discriminator is trained on real data samples and generated samples produced by the generator.

Experimental results

Our experiment is performed on a Ubuntu 22.04.1 LTS machine having 4GB RAM. We used Python programming language with the Keras packages for building the proposed model. The proposed DL model is developed in the Google Colab platform. In addition to our simulated network data, two benchmark network datasets, viz, CTU-13 and InSDN, are used to test the proposed model. A total of 1968 images are created by extracting from our simulation network data, where 1022 images are attacks, and 946 are normal. Likewise, from the CTU-13 network dataset, 10594 images are created, where 5912 images are for attack, and 4682 are for normal. In the experiment, all the normal data available in the CTU-13 data repository are used, whereas only one attack data file, i.e., CTU-Malware-Capture-Botnet-42, is considered to train the models. For the InSDN dataset, out of 5777 images, 2041 images are attack, and the remaining 3736 are normal. To build and analyze the performance of the models under different volumes of data, we split the image data into various volumes of training and testing sets, i.e. 70–30%, 80–20%, and 90–10%.

Model training

The proposed model is trained for 50 epochs with a batch size of 32 on various validation_split of 20%, 30%, and 40%. During the training, to maintain the best model weight as well as to speed up the training process, we used the callback option, i.e., EarlyStoping with the patient parameter equal to 5 and restore_best_weight as True. The accuracy and the loss comparison graph between the training and validation of the proposed model on each of the three datasets while using 200x200 image’s pixel size under the data volume of 80% training set and 20% testing set with validation_split of 30%, are given in Figs. 9, 10, and 11.

Fig. 9
figure 9

Proposed model training and validation performance in simulation dataset

Fig. 10
figure 10

Proposed model training and validation performance in CTU-13 dataset

Fig. 11
figure 11

Proposed model training and validation performance in InSDN dataset

Performance evaluation metrics

The performance of the proposed model is evaluated in terms of accuracy, precision, recall, F1-score, and Matthew’s Correlation Coefficient (MCC). In a binary classification problem of network traffic, if a classifier predicts traffic as an attack and the actual is also an attack, it is True Positive (TP). Similarly, if the classifier predicts traffic as normal and the actual is also normal, it is True Negative (TN). If the classifier predicts traffic as an attack, but the actual is normal, then it is False Positive (FP). Whereas, if the classifier predicts traffic as normal, but the actual attack, then it is False Negative (FN).

Here, the accuracy is a measure to find how correctly a classifier predicts an input. It is calculated by dividing the correctly predicted value by the total number of the predicted values. Accuracy can be calculated as follows:

$$\begin{aligned} \frac{TP+TN}{TP+TN+FP+FN}. \end{aligned}$$

Precision is the percentage of predicted positive or negative values out of total predicted positive (TP+FP) or negative (TN+FN) values. It measures how precise a classifier can predict and helps to understand how many of the inputs predicted as positive or negative were actually correct. It is calculated as:

$$\begin{aligned} \frac{{TP}}{{TP}+{FP}} \hbox {or} \frac{{TN}}{{TN}+{FN}} \end{aligned}$$

Meanwhile, recall gives the percentage of predicted positive or negative values out of actual positive (TP+FN) or negative (TN+FP) values. It helps to understand how well the classifier identifies positive or negative instances. It is given by:

$$\begin{aligned} \frac{{TP}}{{TP}+{FN}} \hbox {or} \frac{{TN}}{{TN}+{FP}} \end{aligned}$$

F1-score is often used in binary classification tasks to give a single model performance value. It is the weighted average of precision and recall, which provides a balanced measurement of a classifier. It is handy when the data is imbalanced, i.e., one class significantly outnumbers the other. F1-score is calculated as:

$$\begin{aligned} \frac{2 * TP}{2 * TP+TN+FP+FN}. \end{aligned}$$

MCC is a statistical method that evaluates the model’s effectiveness by giving the performance score of the classifier model in the ranges [-1,1], where 1 indicates a perfect prediction, -1 depicts an utterly wrong prediction, and 0 denotes that the prediction is no better than random. It is also particularly useful in imbalanced classification problems. MCC also can be calculated as:

$$\begin{aligned} \frac{(TP * TN - FP * FN) }{ \sqrt{((TP + FP) * (TP + FN) * (TN + FP) * (TN + FN))}}. \end{aligned}$$

Result analysis

The performance of the proposed model is analysed and compared against the fundamental CNN architectures and the state-of-the-art methods based on the simulation, CTU-13, and InSDN datasets. A DL model’s performance depends on the data used during the model’s training, so finding the optimal image size is necessary. If the size of the image is lower than the size of the original image, the originality of the data will be lost; however, the computation cost will be lower. In contrast, if the size of the image is larger or near the original image’s size, the data’s originality will be retained. However, the computational cost during the learning of the model will be higher, and it doesn’t guarantee to achieve high performance. During the experiment, we checked the performance of the CNN models based on the different image sizes, i.e., \(100\times 100\), \(150\times 150\), \(200\times 200\), and \(250\times 250\), as shown in Tables 3, 4, 5, and 6, respectively. Due to resource constraints, we halted the experiment for further image sizes. However, the models seem to perform similarly in all different image sizes, based on the average values given by the respective image sizes, as in Table 7, the models that trained on \(200\times 200\) image size images perform better than the others. So, in this experiment, we take the \(200\times 200\) image size as the optimal image size for further analysis. Further, as shown in Tables 5, 8, and 9, we analyze the performance of the models under various training and testing volumes with different validation_split (training–testing-validation_split: 70%–30%–20%, 80%–20%–30%, and 90%–10%–40%). As in Table 10, the performance of the models is better in data volume 80% training set, 20% testing set, and validation_split of 30%.

Table 3 Performance comparison against fundamental CNN architectures based on \(100\times 100\) image size under the data volume of 80% training set and 20% testing set with validation_split of 30%
Table 4 Performance comparison against fundamental CNN architectures based on 150x150 image size under the data volume of 80% training set and 20% testing set with validation_split of 30%
Table 5 Performance comparison against fundamental CNN architectures based on 200x200 image size under the data volume of 80% training set and 20% testing set with validation_split of 30%
Table 6 Performance comparison against fundamental CNN architectures based on 250x250 image size under the data volume of 80% training set and 20% testing set with validation_split of 30%
Table 7 Comparison based on different image sizes
Table 8 Performance comparison against fundamental CNN architectures based on 200x200 image size under the data volume of 70% training set and 30% testing set with validation_split of 20%
Table 9 Performance comparison against fundamental CNN architectures based on 200x200 image size under the data volume of 90% training set and 10% testing set with validation_split of 40%
Table 10 Comparison based on \(200\times 200\) pixel size under different data volumes(training set - testing set - validation_split)

Result analysis using fundamental CNN architectures

Table 5 shows the comparison between the proposed and the fundamental CNN architecture models based on the performance obtained from 200x200 image size. While comparing based on the simulation dataset, the proposed model performs well by achieving the same 99.74% accuracy, precision, recall, and F1-score metrics, whereas the model yields 99.49% MCC score. As shown in Fig. 12, the proposed model performs better than all other competing methods except the EfficientNet model. The EfficientNet model gives 100% accuracy on the Simulated data, whereas our model’s performance is 99.74%. In the CTU-13 dataset, as shown in Fig. 13, the proposed model performs similarly to the DenseNet model and better than VGG19, RestNet, EfficientNet, and InceptionV3 models by achieving the same 99.90% accuracy, precision, recall, F1-score, and 99.80% MCC score. Moreover, as shown in Fig. 14, by achieving 99.74% accuracy, precision, recall, and F1-score and 99.44 MCC score, the proposed model performs better than the compared models in the InSDN dataset.

Fig. 12
figure 12

Performance in simulation dataset

Fig. 13
figure 13

Performance in CTU-13 dataset

Fig. 14
figure 14

Performance in InSDN dataset

Result analysis using state-of-the-art methods

While comparing the proposed model against the state-of-the-art methods, based on their respective simulation dataset, the proposed model gives similar accuracy with CNN+LSTM (Nugraha and Murthy 2020) method and better than all compared methods, as shown in Table 11 and Fig. 15. In the CTU-13 dataset, as shown in Table 12 and Fig. 16, the proposed model performs better than the other compared methods. Also, in the InSDN dataset, as shown in Table 13 and Fig. 17 the proposed model gives similar accuracy to the CNN-ELM (Wang and Wang 2022), DCNN Hnamte and Hussain (2023) and Almazyad et al. (2023) methods and better than the others comparing methods.

Fig. 15
figure 15

Accuracy comparison against existing works in simulation dataset

Fig. 16
figure 16

Accuracy comparison against existing works in CTU-13 dataset

Fig. 17
figure 17

Accuracy comparison against existing works in InSDN dataset

Table 11 Performance comparison against existing works in simulation dataset
Table 12 Performance comparison against existing works in CTU-13 dataset

Discussion

The proposed DL model is validated on our test-bed simulated dataset and two benchmark datasets. The experimental result shows more than 99% detection accuracy on all three datasets. From the experimental analysis, we can conclude that the proposed model shows better and equivalent performance than other competent DL models. Moreover, from our experimental analysis, we observed that our method yields better recall value as compared to all other methods except (Wang and Wang 2022) on the InSDN dataset as shown in Table 13. The main advantage of our model is that it takes network traffic data as an image and extracts the features by Convolution Layers. Moreover, the proposed method is found very effective in identifying the DDoS attack traffic on the SDN network. Although the method’s computational cost is high, it can handle large network traffic during attack identification. Our model’s main drawback is that the number of hidden layers is more, so its computation cost is higher. Following are the recommendations of the paper on SDN network traffic analysis for attack identification.

  1. 1.

    In the SDN network, a flooding attack is always possible in the control plane, data plane, APIs and application plane. So, it is recommended to develop a single DDoS attack detection and prevention method to secure the whole SDN network from flooding attacks. If we deploy different methods at different attack points on the SDN network, then there must be some synchronization mechanism among the detection methods for securing the network from all types of attacks.

  2. 2.

    It is very challenging to develop a DDoS attack mitigation technique to prevent all types of protocol-specific flooding attacks on SDN networks in near real-time.

  3. 3.

    From experimental evaluation, we observe that the proposed DL method and all other competing DL methods behave differently on different datasets due to various features extracted from the raw network traffic. The authors recommend to choose a common set of network features from all types of network intrusion datasets, which can always give high detection accuracy with a low false alarm rate.

Table 13 Performance comparison against existing works in InSDN dataset

Conclusion and future work

To classify the DDoS attacks in an SDN network, in this paper, an SDN-enable network test-bed is set up and generates DDoS attack traffic and normal traffic using Hping3, video streaming, custom web application, and Python’s simple HTTP server. The simulated network traffic is captured and split into multiples of 1MB memory-sized windows. Then, a method is proposed to convert each 1MB memory-sized window into RGB image data and resize the image into a common image size. A CNN-based DL model is proposed to classify the network images. The proposed model is trained by using the generated images. Then, the performance of the proposed model is compared with the fundamental CNN models, viz., VGG19, InceptionV3, EfficientNet, RestNet, and DenseNet, as well as against the state-of-the-art methods in terms of accuracy, precision, recall, F1-score, and MCC. The model’s performance is evaluated based on our simulation dataset and two other benchmark datasets, CTU-13 and InSDN datasets. From the experimental result, we observed that our proposed model gives a high performance of more than 99% accuracy, precision, recall, F1-score, and MCC in the overall average of all three datasets.

In later days, we will perform real-time traffic generation in an SDN environment, which includes various attack types and more normal traffic. We can also upgrade the proposed defence system by collaborating with other detection models based on other types of SDN traffic and performing more experiments to validate the model’s performance. Lastly, we will develop a prevention system to block the source of the attack and mitigate the DDoS attacks.

Availability of data and materials

Not applicable

References

  • Ahuja N, Singal G, Mukhopadhyay D, Kumar N (2021) Automated ddos attack detection in software defined networking. J Netw Comput Appl 187:103108. https://doi.org/10.1016/j.jnca.2021.103108

    Article  Google Scholar 

  • Alashhab AA, Zahid MSM, Muneer A, Abdullahi M (2022) Low-rate ddos attack detection using deep learning for sdn-enabled iot networks. Int J Adv Comput Sci Appl 13:1141. https://doi.org/10.14569/IJACSA.2022.0131141

    Article  Google Scholar 

  • Almazyad A, Halman L, Alsaeed A (2023) Probe attack detection using an improved intrusion detection system. Comput Mater Continua 74(3):3382. https://doi.org/10.32604/cmc.2023.033382

    Article  Google Scholar 

  • Almeida LB (1990) A learning rule for asynchronous perceptrons with feedback in a combinatorial environment. In: Artificial neural networks: concept learning, pp 102–111

  • Alshra’a AS, Farhat A, Seitz J (2021) Deep learning algorithms for detecting denial of service attacks in software-defined networks. Procedia Comput Sci 191:254–263. https://doi.org/10.1016/j.procs.2021.07.032 . The 18th International Conference on Mobile Systems and Pervasive Computing (MobiSPC), The 16th International Conference on Future Networks and Communications (FNC), The 11th International Conference on Sustainable Energy Information Technology

  • Banitalebi Dehkordi A, Soltanaghaei M (2020) A novel distributed denial of service (ddos) detection method in software defined networks. IEEE Trans Ind Appl. https://doi.org/10.1109/TIA.2020.3001535

    Article  Google Scholar 

  • Banitalebi Dehkordi A, Soltanaghaei M, Boroujeni FZ (2021) The ddos attacks detection through machine learning and statistical methods in sdn. J Supercomput 77:2383–2415. https://doi.org/10.1007/s11227-020-03323-w

    Article  Google Scholar 

  • Bansal A, Mahapatra S (2017) A comparative analysis of machine learning techniques for botnet detection. In: Proceedings of the 10th International Conference on Security of Information and Networks. SIN’17, pp 91–98. Association for Computing Machinery, New York, NY, USA. https://doi.org/10.1145/3136825.3136874

  • Batool S, Zeeshan Khan F, Qaiser Ali Shah S, Ahmed M, Alroobaea R, Baqasah AM, Ali I, Ahsan Raza M (2022) Lightweight statistical approach towards tcp syn flood ddos attack detection and mitigation in sdn environment. Secur Commun Netw 2022. https://doi.org/10.1155/2022/2593672

  • Cheng H, Liu J, Xu T, Ren B, Mao J, Zhang W (2020) Machine learning based low-rate ddos attack detection for sdn enabled iot networks. Int J Sens Netw 34(1):56–69. https://doi.org/10.1504/IJSNET.2020.109720

    Article  Google Scholar 

  • Cho K, Van Merriënboer B, Gulcehre C, Bahdanau D, Bougares F, Schwenk H, Bengio Y (2014) Learning phrase representations using rnn encoder-decoder for statistical machine translation. arXiv preprint arXiv:1406.1078. https://doi.org/10.48550/arXiv.1406.1078

  • Cui J, Wang M, Luo Y, Zhong H (2019) Ddos detection and defense mechanism based on cognitive-inspired computing in sdn. Futur Gener Comput Syst 97:275–283. https://doi.org/10.1016/j.future.2019.02.037

    Article  Google Scholar 

  • Deepa V, Sudar KM, Deepalakshmi P (2019) Design of ensemble learning methods for ddos detection in sdn environment. In: 2019 International conference on vision towards emerging trends in communication and networking (ViTECoN), pp 1–6. https://doi.org/10.1109/ViTECoN.2019.8899682

  • Elsayed MS, Le-Khac N-A, Dev S, Jurcut AD (2020) Ddosnet: A deep-learning model for detecting network attacks. In: 2020 IEEE 21st International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), pp. 391–396. https://doi.org/10.1109/WoWMoM49955.2020.00072

  • ElSayed MS, Le-Khac N-A, Albahar MA, Jurcut A (2021) A novel hybrid model for intrusion detection systems in sdns based on cnn and a new regularization technique. J Netw Comput Appl 191:103160. https://doi.org/10.1016/j.jnca.2021.103160

    Article  Google Scholar 

  • Elsayed MS, Jahromi HZ, Nazir MM, Jurcut AD (2021) The role of cnn for intrusion detection systems: an improved cnn learning approach for sdns. In: Perakovic D, Knapcikova L (eds) Future access enablers for ubiquitous and intelligent infrastructures. Springer, Cham, pp 91–104

    Chapter  Google Scholar 

  • Elsayed RA, Hamada RA, Abdalla MI, Elsaid SA (2023) Securing iot and sdn systems using deep-learning based automatic intrusion detection. Ain Shams Eng J 14(10):102211. https://doi.org/10.1016/j.asej.2023.102211

    Article  Google Scholar 

  • Feghhi S, Leith DJ (2016) A web traffic analysis attack using only timing information. IEEE Trans Inf Forensics Secur 11(8):1747–1759. https://doi.org/10.1109/TIFS.2016.2551203

    Article  Google Scholar 

  • Goodfellow I, Pouget-Abadie J, Mirza M, Xu B, Warde-Farley D, Ozair S, Courville A, Bengio Y (2014) Generative adversarial nets. Advances in neural information processing systems, vol 27

  • He K, Zhang X, Ren S, Sun J (2016) Deep residual learning for image recognition. In: Proceedings of the IEEE conference on computer vision and pattern recognition (CVPR)

  • Hnamte V, Hussain J (2023) An efficient ddos attack detection mechanism in sdn environment. Int J Inf Technol 2023:1–14. https://doi.org/10.1007/s41870-023-01332-5

    Article  Google Scholar 

  • Hochreiter S, Schmidhuber J (1997) Long short-term memory. Neural Comput 9(8):1735–1780. https://doi.org/10.1162/neco.1997.9.8.1735

    Article  PubMed  CAS  Google Scholar 

  • Hoque N, Bhattacharyya DK, Kalita JK (2015) Botnet in ddos attacks: trends and challenges. IEEE Commun Surv Tutor 17(4):2242–2270. https://doi.org/10.1109/COMST.2015.2457491

    Article  Google Scholar 

  • Huang G, Liu Z, Maaten L, Weinberger KQ (2017) Densely connected convolutional networks. In: Proceedings of the IEEE conference on computer vision and pattern recognition (CVPR)

  • Hu D, Hong P, Chen Y (2017) Fadm: Ddos flooding attack detection and mitigation system in software-defined networking. In: GLOBECOM 2017-2017 IEEE global communications conference, pp 1–7. https://doi.org/10.1109/GLOCOM.2017.8254023

  • Janabi AH, Kanakis T, Johnson M (2022) Convolutional neural network based algorithm for early warning proactive system security in software defined networks. IEEE Access 10:14301–14310. https://doi.org/10.1109/ACCESS.2022.3148134

    Article  Google Scholar 

  • Kalaivani P, Vijaya M (2016) Mining based detection of botnet traffic in network flow. Int J Comput Sci Inf Technol Secur 6:535–540

    Google Scholar 

  • Kalkan K, Gür G, Alagöz F (2017) Sdnscore: a statistical defense mechanism against ddos attacks in sdn environment. In: 2017 IEEE symposium on computers and communications (ISCC), pp 669–675. https://doi.org/10.1109/ISCC.2017.8024605

  • Kim Y, Lau WC, Chuah MC, Chao HJ (2004) Packetscore: statistics-based overload control against distributed denial-of-service attacks. In: IEEE INFOCOM 2004, vol. 4, pp 2594–26044. https://doi.org/10.1109/INFCOM.2004.1354679

  • Ko I, Chambers D, Barrett E (2020) Self-supervised network traffic management for ddos mitigation within the isp domain. Futur Gener Comput Syst 112:524–533. https://doi.org/10.1016/j.future.2020.06.002

    Article  Google Scholar 

  • Kramer MA (1991) Nonlinear principal component analysis using autoassociative neural networks. AIChE J 37(2):233–243

    Article  ADS  CAS  Google Scholar 

  • Kreutz D, Ramos FMV, Veríssimo PE, Rothenberg CE, Azodolmolky S, Uhlig S (2015) Software-defined networking: a comprehensive survey. Proc IEEE 103(1):14–76. https://doi.org/10.1109/JPROC.2014.2371999

    Article  Google Scholar 

  • Kreutz D, Ramos FMV, Verissimo P (2013) Towards secure and dependable software-defined networks. In: Proceedings of the second ACM SIGCOMM workshop on hot topics in software defined networking. HotSDN’13. Association for Computing Machinery, New York, NY, USA, pp 55–60. https://doi.org/10.1145/2491185.2491199

  • Lecun Y, Bottou L, Bengio Y, Haffner P (1998) Gradient-based learning applied to document recognition. Proc IEEE 86(11):2278–2324. https://doi.org/10.1109/5.726791

    Article  Google Scholar 

  • Lee T-H, Chang L-H, Syu C-W (2020) Deep learning enabled intrusion detection and prevention system over sdn networks. In: 2020 IEEE international conference on communications workshops (ICC Workshops), pp 1–6. https://doi.org/10.1109/ICCWorkshops49005.2020.9145085

  • Ma Z, Li B (2020) A ddos attack detection method based on svm and k-nearest neighbour in sdn environment. Int J Comput Sci Eng 23(3):224–234. https://doi.org/10.1504/IJCSE.2020.111431

    Article  Google Scholar 

  • Mascarenhas S, Agarwal M (2021) A comparison between vgg16, vgg19 and resnet50 architecture frameworks for image classification. In: 2021 international conference on disruptive technologies for multi-disciplinary research and applications (CENTCON), vol 1, pp 96–99. https://doi.org/10.1109/CENTCON52345.2021.9687944

  • Meti N, Narayan DG, Baligar VP (2017) Detection of distributed denial of service attacks using machine learning algorithms in software defined networks. In: 2017 international conference on advances in computing, communications and informatics (ICACCI), pp 1366–1371. https://doi.org/10.1109/ICACCI.2017.8126031

  • Mhamdi L, McLernon D, El-moussa F, Raza Zaidi SA, Ghogho M, Tang T (2020) A deep learning approach combining autoencoder with one-class svm for ddos attack detection in sdns. In: 2020 IEEE eighth international conference on communications and networking (ComNet), pp 1–6. https://doi.org/10.1109/ComNet47917.2020.9306073

  • Myint Oo M, Kamolphiwong S, Kamolphiwong T, Vasupongayya S, Zamani M (2019) Advanced support vector machine- (asvm-) based detection for distributed denial of service (ddos) attack on software defined networking (sdn). J Comput Netw Commun 2019:12. https://doi.org/10.1155/2019/8012568

    Article  Google Scholar 

  • Novaes MP, Carvalho LF, Lloret J, Proença ML (2021) Adversarial deep learning approach detection and defense against ddos attacks in sdn environments. Futur Gener Comput Syst 125:156–167. https://doi.org/10.1016/j.future.2021.06.047

    Article  Google Scholar 

  • Nugraha B, Murthy RN (2020) Deep learning-based slow ddos attack detection in sdn-based networks. In: 2020 IEEE conference on network function virtualization and software defined networks (NFV-SDN), pp 51–56. https://doi.org/10.1109/NFV-SDN50289.2020.9289894

  • Pektaş A, Acarman T (2019) Deep learning to detect botnet via network flow summaries. Neural Comput Appl 31:8021–8033. https://doi.org/10.1007/s00521-018-3595-x

    Article  Google Scholar 

  • Pérez-Díaz JA, Valdovinos IA, Choo K-KR, Zhu D (2020) A flexible sdn-based architecture for identifying and mitigating low-rate ddos attacks using machine learning. IEEE Access 8:155859–155872. https://doi.org/10.1109/ACCESS.2020.3019330

    Article  Google Scholar 

  • Polat H, Polat O, Cetin A (2020) Detecting ddos attacks in software-defined networks through feature selection methods and machine learning models. Sustainability 12(3):1035. https://doi.org/10.3390/su12031035

    Article  Google Scholar 

  • Said Elsayed M, Le-Khac N-A, Dev S, Jurcut AD (2020) Network anomaly detection using lstm based autoencoder. In: Proceedings of the 16th ACM Symposium on QoS and Security for Wireless and Mobile Networks. Q2SWinet ’20, pp 37–45. Association for Computing Machinery, New York, NY, USA. https://doi.org/10.1145/3416013.3426457

  • Sangodoyin AO, Akinsolu MO, Pillai P, Grout V (2021) Detection and classification of ddos flooding attacks on software-defined networks: a case study for the application of machine learning. IEEE Access 9:122495–122508. https://doi.org/10.1109/ACCESS.2021.3109490

    Article  Google Scholar 

  • Santos R, Souza D, Santo W, Ribeiro A, Moreno E (2020) Machine learning algorithms to detect ddos attacks in sdn. Concurr Comput Pract Exp 32(16):5402. https://doi.org/10.1002/cpe.5402. (e5402 cpe.5402)

    Article  Google Scholar 

  • Singh PK, Kumar Jha S, Nandi SK, Nandi S (2018) Ml-based approach to detect ddos attack in v2i communication under sdn architecture. In: TENCON 2018 - 2018 IEEE Region 10 Conference, pp 0144–0149. https://doi.org/10.1109/TENCON.2018.8650452

  • Szegedy C, Liu W, Jia Y, Sermanet P, Reed S, Anguelov D, Erhan D, Vanhoucke V, Rabinovich A (2015) Going deeper with convolutions. In: Proceedings of the IEEE conference on computer vision and pattern recognition (CVPR)

  • Tang TA, Mhamdi L, McLernon D, Zaidi SAR, Ghogho M (2016) Deep learning approach for network intrusion detection in software defined networking. In: 2016 international conference on wireless networks and mobile communications (WINCOM), pp 258–263. https://doi.org/10.1109/WINCOM.2016.7777224

  • Tan M, Le Q (2019) Efficientnet: Rethinking model scaling for convolutional neural networks. In: International conference on machine learning, pp 6105–6114. PMLR

  • Tuan NN, Hung PH, Nghia ND, Tho NV, Phan TV, Thanh NH (2020) A ddos attack mitigation scheme in isp networks using machine learning based on sdn. Electronics 9(3):413. https://doi.org/10.3390/electronics9030413

    Article  Google Scholar 

  • Wang J, Wang L (2022) Sdn-defend: A lightweight online attack detection and mitigation system for ddos attacks in sdn. Sensors 22(21):8287. https://doi.org/10.3390/s22218287

    Article  ADS  PubMed  PubMed Central  Google Scholar 

  • Yang L, Zhao H (2018) Ddos attack identification and defense using sdn based on machine learning method. In: 2018 15th international symposium on pervasive systems, algorithms and networks (I-SPAN), pp 174–178. https://doi.org/10.1109/I-SPAN.2018.00036

  • Ye J, Cheng X, Zhu J, Feng L, Song L (2018) A ddos attack detection method based on svm in software defined network. Secur Commun Netw 2018. https://doi.org/10.1155/2018/9804061

  • Zhang Y, Chen X, Jin L, Wang X, Guo D (2019) Network intrusion detection: Based on deep hierarchical network and original flow data. IEEE Access 7:37004–37016. https://doi.org/10.1109/ACCESS.2019.2905041

    Article  Google Scholar 

Download references

Acknowledgements

Part of the work is funded by DST-SERB Start-up-Grant bearing File No.: SRG/2022/001692 and UGC Start-up-Grant No: F.30-592/2021(BSR). The authors would like to acknowledge both the funding agencies DST-SERB and UGC, Govt. of India for funding the work.

Funding

DST-SERB Start-up-Grant bearing File No: SRG/2022/001692. UGC Start-up-Grant No: F.30-592/2021(BSR)

Author information

Authors and Affiliations

Authors

Contributions

UBC Conceptual Design, implementation, experimentation, validation, performed writing—original draft; NH: Conceptual Design, framework development, performed writing—review & editing, supervision; KRS: performed writing, review & editing, supervision.

Corresponding author

Correspondence to Nazrul Hoque.

Ethics declarations

Competing interests

The authors declare no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Clinton, U.B., Hoque, N. & Robindro Singh, K. Classification of DDoS attack traffic on SDN network environment using deep learning. Cybersecurity 7, 23 (2024). https://doi.org/10.1186/s42400-024-00219-7

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1186/s42400-024-00219-7

Keywords