A Moving Window Principal Components Analysis Based Anomaly Detection and Mitigation Approach in SDN Network

  • Wang, Mingxin (National Laboratory of Next Generation Internet Interconnection Devices, School of Electronic and Information Engineering, Beijing Jiaotong University) ;
  • Zhou, Huachun (National Laboratory of Next Generation Internet Interconnection Devices, School of Electronic and Information Engineering, Beijing Jiaotong University) ;
  • Chen, Jia (National Laboratory of Next Generation Internet Interconnection Devices, School of Electronic and Information Engineering, Beijing Jiaotong University)
  • Received : 2017.07.09
  • Accepted : 2018.03.19
  • Published : 2018.08.31

Abstract

Network anomaly detection in Software Defined Networking (SDN), and the detection of DDoS attacks in particular, has received great attention in recent years. The global view available in SDN makes it convenient to build the Traffic Matrix, but monitoring and managing high-volume, feature-rich traffic in large networks still brings significant challenges. In this paper, we propose a moving window Principal Components Analysis based anomaly detection and mitigation approach that maps the data onto a low-dimensional subspace and keeps monitoring the network state in real time. Once an anomaly is detected, the controller installs defense flow table rules on the corresponding data plane switches to mitigate the attack. We evaluate the approach experimentally. The Receiver Operating Characteristic curves show that it performs well in both detection probability and false alarm probability compared with the entropy-based approach, and the mitigation is effective: the approach blocks most of the attack traffic. Finally, we evaluate the overhead of the system, including the detection delay and CPU utilization, and find that it is not excessive. Our anomaly detection approach is lightweight and effective.
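The abstract describes the detector only at a high level; the following is an added illustration written for this page, not the authors' code, of what a moving-window PCA detector over a traffic matrix does: the most recent rows (per-link byte counts) define the normal subspace, and a new row is flagged when its squared prediction error (SPE) in the residual subspace exceeds a limit. The 4-link traffic matrix, the pure-Python power-iteration PCA, the mean-plus-3-sigma limit (standing in for whatever residual threshold the paper uses) and the omission of the flow-rule installation step are all assumptions.

```python
import math
import random

def pca_components(rows, k, iters=300):
    """Mean vector and top-k eigenvectors of the window's covariance, via power iteration with deflation."""
    n, d, comps = len(rows), len(rows[0]), []
    mu = [sum(r[j] for r in rows) / n for j in range(d)]
    xs = [[r[j] - mu[j] for j in range(d)] for r in rows]
    cov = [[sum(x[i] * x[j] for x in xs) / (n - 1) for j in range(d)] for i in range(d)]
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * sum(cov[i][j] * v[j] for j in range(d)) for i in range(d))
        comps.append(v)
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return mu, comps

def spe(sample, mu, comps):  # squared prediction error: energy left outside the normal subspace
    x = [sample[j] - mu[j] for j in range(len(mu))]
    for v in comps:
        c = sum(x[j] * v[j] for j in range(len(x)))
        x = [x[j] - c * v[j] for j in range(len(x))]
    return sum(e * e for e in x)

class MovingWindowPCA:
    def __init__(self, rows, k=1, z=3.0):
        self.k, self.z = k, z
        self.fit(rows)
    def fit(self, rows):
        self.rows = [list(r) for r in rows]
        self.mu, self.comps = pca_components(self.rows, self.k)
        scores = [spe(r, self.mu, self.comps) for r in self.rows]
        m = sum(scores) / len(scores)
        sd = math.sqrt(sum((s - m) ** 2 for s in scores) / len(scores))
        self.limit = m + self.z * sd  # mean + z*sd stands in for the paper's residual threshold (assumption)
    def observe(self, sample):
        anomalous = spe(sample, self.mu, self.comps) > self.limit
        if not anomalous:  # normal rows slide into the window so the model follows drift; anomalies never enter
            self.fit(self.rows[1:] + [list(sample)])
        return anomalous

def synthetic_traffic_matrix(n, seed=0):
    rng, base, out = random.Random(seed), [100.0, 200.0, 150.0, 80.0], []
    for _ in range(n):  # constructed data: 4 link byte counts driven by one shared load factor plus noise
        load = rng.uniform(0.8, 1.2)
        out.append([b * load + rng.gauss(0, 2.0) for b in base])
    return out
```

A flood on one link breaks the correlation the normal subspace captured, so its SPE is orders of magnitude above the limit while a normal row at nominal load stays well below it.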

Cited by

  1. Security in Network Virtualization: A Survey vol.17, pp.4, 2018, https://doi.org/10.3745/jips.04.0220