Traffic Based Malicious Switch and DDoS Detection in Software Defined Network

TRAFFIC-BASED MALICIOUS
SWITCH And DDoS DETECTION
IN SOFTWARE DEFINED
NETWORKING
By:
Akshaya Arunan
Roll No: 1
MTech [IT]
Guided By:
Simi Krishna K.R
AssistantProfessor[IT]

OUTLINE
• Introduction
• Existing system
• Proposed system
• System design
• Tools
• Implementation
• Threshold value control
• Sequentialprobabilityratio test
• Results
• Conclusion
• Future works
• References
6/29/2017 2Government Engineering College, Barton Hill, Trivandrum

INTRODUCTION
Software Defined Network [SDN]:
• Complexity of the network shifts towards the controller.
• Brings simplicity and abstraction to the network operator.
• SDN decouples the control plane from the data plane.
• Migrates to a logically centralized software-based network controller.
• Controller is network-aware.
• Dynamic updating of trafﬁc rules.

SDN Architecture [3]
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 4

• Application Plane: Contains SDN applications for various functionalities.
• Control Plane: It is a logically centralized control framework that
• runs the NOS,
• maintains global view of the network, and
• provides hardware abstractions to SDN applications.
• Data Plane: It is the combination of forwarding elements used to forward trafﬁc
ﬂows based on instructions from the control plane.

OpenFlow [6]:
• Communication protocol
• A protocol - SDN controller communication with the network devices.
• Standardizes the communication - a software-based controller and switches - Open
Flow channel.
• An OpenFlow-compliant switch exposes an abstraction of its forwarding table to
the Open Flow controller.

• An Open Flow Switch consists of
at least three parts:
• A Flow Table,
• A Secure Channel,
• The Open Flow Protocol.

EXISTING SYSTEM
• Goal: To detect mobile malware by identifying suspicious network activities
through real-time trafﬁc analysis, which only requires connection establishment
packets.
• A simulation environment on SDN topology is created.
• The TVC is implemented - used to detect malicious switches.
• Each switch has its own threshold
• The controllermaintains the maximum threshold of each switch from its working history.
• Bandwidth between each switch is noted by the controller.
• If the bandwidth crosses the actual bandwidth, then the flow to that particularswitch is
blocked.
• Maintained by the controller.
• The controllerwill not assign flows through any switch beyond its thresholdvalue.

Controller
Admin
E-mail/SMS
Notification
1
2
3
4
5
6
Incoming
malicioustraffic
Goes for
traffic
monitoring
Finding malicious
activities
Flow to OF
switch 2
stopped
No malicious
traffic reaches
destination
Source PC DestinationPC
OF Switch 1 OF Switch 2
Normal packet
Maliciouspacket
Control Plane
Data Plane
SYSTEMDESIGN

• Disadvantage of TVC:
• Since there can be more flows which are not malicious and may try to enter,
the controller blocks them.
• Also some switches may not know the assigned TVC and may let in the
packets. Here, they may also be blocked.
• Thus, the controller here can be easily compromised.
• Most common attack in SDN is Distributed Denial of Service which also in
not possible to detect with TVC.
• Therefore, to overcome this, SPRT method is introduced.

PROPOSED SYSTEM
• Goal: To propose an effective detection method for the DDoS attacks against SDN
controllers by vast new low traffic flows.
• The SDN controller is a vulnerable target of DDoS attacks.
• Many packet-in messages maybe generated and sent to the controller exhausting it or
failing it.
• Breaks down a controller and disrupts the whole network.

TOOLS
• Virtual Box (Version 5.1.12r112440)
• Ubuntu 14.04
• Mininet 2.2.0
• Open Daylight Controller (Beryllium)
• Miniedit

IMPLEMENTATION

EXISTING SYSTEM
• Each switch has a threshold field.
• The controller finds out the threshold value of each switch’s maximum traffic
flows by learning from its working history.
• The controller also knows the bandwidth between every two switches.
• These information's will be maintained at the controller.
• If the controller finds a threshold value greater than the normal value of a
particular switch, it will detect it as malicious and isolate it from the network.

PROPOSED SYSTEM
Detection based on SPRT:
• Aim: To detect whether an interface is compromised.
• Assumption:
• Each switch is capable of obtaining statistical info of the incoming flows and
reporting it to the controller (via OpenFlow, NetwFlow, sFlow).
• Each flow statistics will pass our DDoS detection modules.

6/29/2017 17
Government Engineering College, Barton Hill, Trivandrum

Flow Classification[2]:
• Normal flow
• Low traffic flow
Assignments:
• Pr - Probability
• Fb
i – Flow event corresponding to sequence of flows
• xi – sequence of flows
• cb
i - packet counts of flows in a flow event F
• C – Threshold value ( can be obtained and recalibrated)
• b – Observations (1,2,…, n)
• H – Hypothesis
• α – False positive
• β – False negative
• D – Detection function

• Flow event Fb
i is defines as Bernoulli random variable:
Fb
i = 1, if cb
i <= Cmax
0, if cb
i >= Cmax
• After classification, function reports to attack detection function.

Attack detection based on SPRT:
• Analyzes the list of observed events to decide.
• Consider H1 – detection of compromised interface
H0 – normality
• There are two types of errors:
• False positive – acceptance of H1 when H0 is true
• False negative – acceptance of H0 when H1 is true.
• To avoid the two errors we introduce – α and β as the user defined probabilities of
them, respectively.
• The error rates should not exceed the α and β for false positive and false negative,
respectively.

• Consider Dn
i as an evaluation of interface i’s behavior by detection function. Let Dn
i be
the probability ratio considering all n normal flow and low traffic flow events noted for
interface i.
• Upon receiving an event Fb, the detection function evaluates:
Dn
i = Ʃ ln Pr(F1
i,……..,Fn
i | H1)
Pr(F1
i,…….., Fn
i | H0)
• Since Fb is a Bernoulli random variable, let
Pr(Fb
i = 1| H0) = 1- Pr(Fb
i = 0| H0) = λ1
Pr(Fb
i = 1| H1) = 1- Pr(Fb
i = 0| H1) = λ0
where λ1 > λ0 because a compromised interface is more likely to be injected into low traffic
flows to overload controller

• λ0 and λ1 are the probability distribution parameters for the flow events and affect
the number of observations required for the detection function to reach a decision
(either H0 or H1).
• SPRT based detection method can be considered as a one dimensional random
walk.
• When low traffic, Fb
i = 1, walk moves upward one step.
• When normal, Fb
i = 0, walk moves downward one step.
• From this two boundaries A and B is produced.

Testing compromised interface against a normal interface:
• Given : Two boundaries A and B where B<A on basis of probability ratio, Dn
i
SPRT for H0 against H1 is set as:
A = β / (1- α)
B = (1- β) / α
• The SPRT for H0 against H1 is given as :
Dn
i <= B : accept H0 and terminate the test.
Dn
i >= A : accept H1 and terminate the test.
B < Dn
i < A : continue the test process with an additional observation.

RESULTS
• Latency and throughput are the two most fundamental measures of network
performance.
• They are closely related, but whereas latency measures the overall delay in time
for transmission of data between the start of an action and its completion,
throughput is how much data has been transmitted in a given amount of time.
• Therefore here we take the average latency and the throughput to compare
between the two methods.

15.8373
14.9247
14.2378
13.8743
13.1289
12.7909
11.6848
10.4576
9.2378
8.9453 8.6953
7.9909
0
2
4
6
8
10
12
14
16
18
5 10 15 20 25 30
AVERAGELATENCY(MS)
TIME(S)
AVERAGE LATENCY
THRESHOLD VALUE LATENCY SPRT LATENCY
From this graph it is clear
that the delay in overall
data transmission of
SPRT method is lesser
compared to the TVC.
Thus the quality of
service of SPRT method
is better than the TVC.

123.5935 125.9403
128.5839
131.9643
138.8543 140.0955141.8343 143.5934
147.4898
153.3857
158.4872
163.8238
0
20
40
60
80
100
120
140
160
180
5 10 15 20 25 30
THROUGHPUT(MBPS)
TIME(S)
THROUGHPUT
THRESHOLD VALUE THROUGHPUT SPRT THROUGHPUT
From this graph it is
understood that the
data transmitted was
more when the SPRT
method was running
in a particular time.
Thus from this also
we can understand
that the quality od
service of SPRT is
better than TVC and
also the success rate
of data transmission is
also more in SPRT.

CONCLUSION
• It can be concluded that it is challenging to choose a threshold value control for
the SDN network as the controller and switches can be easily compromised.
• SPRT detection method is a statistical tool which is a better method to detect
malicious switch especially DDoS attack in SDN compared to the threshold value
and thus removes the possibilities of compromised nodes.

FUTURE WORKS
• Implementation of a security method like OpenSec[4] can be implemented as a
further protection in SDN.
• Various types networks (tree, hierarchy) can be used to implement this method and
an comparison can be done to find the better network performance.

REFERENCES
1. Xiaodong Du, Ming Zhong Wang, Xiaoping Zhang, “Traffic based malicious
switch Detection in SDN”, International Journal of Security and its applications,
2014.
2. Ping Dong, Xiaojiang Du, Hongke Zhang, “A detection Method for a Novel
DDoS Attack against SDN Controllers by Vast New Low traffic Flows”, IEEE,
2016.
3. Diego Krutz, Fernando M.V. Ramos, Paulo Verissimo, “Software Defined
Networking: A comprehensive Survey”, IEEE, 2014.
4. Adrian Lara and Byrav Ramamurthy, “OpenSec: Policy Based Security Using
Software Defined Networking”, IEEE transactions on network and service
management, 2016.

5. Mihai Nicolae, Laura Gheorge, “SDN Based Security Mechanism”, IEEE, 2015.
6. N. McKeown et al., “Open Flow: Enabling innovation in campus networks,”
SIGCOMM Comput. Commun. Mar. 2008.
7. “http://sdnhub.org/tutorials/ryu/”
8. “http://mininet.org/walkthrough/”
9. “https://github.com/mininet/mininet”
10. “http://www.brianlinkletter.com/how-to-use-miniedit-mininets-graphical-user-
interface/”

THANK YOU

SCREENSHOTS

Starting a mininet with IP address eth1

Starting open daylight controller

Opening the open daylight controller with the
IP address eth0 in the browser

Creating a topology in the mininet terminal

Viewing the topology in the browser

Creating a topology in the miniedit

Running the threshold value control program
with waf in xterm.

Running the SPRT program with waf in
xterm.

Flow can be viewed in Wireshark if needed

Throughput plotted

Latency plotted

Traffic Based Malicious Switch and DDoS Detection in Software Defined Network

Recommended

Recommended

More Related Content

What's hot

What's hot (13)

Similar to Traffic Based Malicious Switch and DDoS Detection in Software Defined Network

Similar to Traffic Based Malicious Switch and DDoS Detection in Software Defined Network (20)

More from Akshaya Arunan

More from Akshaya Arunan (7)

Recently uploaded

Recently uploaded (20)

Traffic Based Malicious Switch and DDoS Detection in Software Defined Network