In this project secured threshold value (STV) and sequential probability ratio test (SPRT) were
developed and used to detect and eliminate malicious switches and DDoS attacks in the SDN network.
Traffic Based Malicious Switch and DDoS Detection in Software Defined Network
1. TRAFFIC-BASED MALICIOUS SWITCH AND DDoS DETECTION IN SOFTWARE DEFINED NETWORKING
By: Akshaya Arunan, Roll No: 1, MTech [IT]
Guided By: Simi Krishna K.R, Assistant Professor [IT]
2. OUTLINE
• Introduction
• Existing system
• Proposed system
• System design
• Tools
• Implementation
• Threshold value control
• Sequential probability ratio test
• Results
• Conclusion
• Future works
• References
6/29/2017, Government Engineering College, Barton Hill, Trivandrum
3. INTRODUCTION
Software Defined Network [SDN]:
• Complexity of the network shifts towards the controller.
• Brings simplicity and abstraction to the network operator.
• SDN decouples the control plane from the data plane.
• Migrates to a logically centralized software-based network controller.
• Controller is network-aware.
• Dynamic updating of traffic rules.
5. • Application Plane: Contains the SDN applications for the various network functionalities.
• Control Plane: A logically centralized control framework that
  • runs the NOS,
  • maintains a global view of the network, and
  • provides hardware abstractions to the SDN applications.
• Data Plane: The combination of forwarding elements that forward traffic flows based on instructions from the control plane.
6. OpenFlow [6]:
• Communication protocol between the SDN controller and the network devices.
• Standardizes the communication between a software-based controller and the switches over the OpenFlow channel.
• An OpenFlow-compliant switch exposes an abstraction of its forwarding table to the OpenFlow controller.
7. • An OpenFlow switch consists of at least three parts:
  • A Flow Table,
  • A Secure Channel,
  • The OpenFlow Protocol.
8. EXISTING SYSTEM
• Goal: To detect mobile malware by identifying suspicious network activities through real-time traffic analysis, which only requires the connection establishment packets.
• A simulation environment on an SDN topology is created.
• Threshold value control (TVC) is implemented and used to detect malicious switches.
• Each switch has its own threshold.
• The controller maintains the maximum threshold of each switch, learned from its working history.
• The bandwidth between each pair of switches is noted by the controller.
• If the measured bandwidth exceeds the actual bandwidth, the flow to that particular switch is blocked.
• All of this is maintained by the controller.
• The controller will not assign flows through any switch beyond its threshold value.
10. • Disadvantages of TVC:
• Flows that are not malicious may also try to enter beyond the threshold, and the controller blocks them too.
• Some switches may not know the assigned TVC and may let the packets in; these may then be blocked as well.
• Thus, the controller here can be easily compromised.
• The most common attack in SDN is Distributed Denial of Service, which is also not possible to detect with TVC.
• Therefore, to overcome this, the SPRT method is introduced.
11. PROPOSED SYSTEM
• Goal: To propose an effective detection method for the DDoS attacks against SDN
controllers by vast new low traffic flows.
• The SDN controller is a vulnerable target of DDoS attacks.
• Many packet-in messages may be generated and sent to the controller, exhausting it or making it fail.
• This breaks down the controller and disrupts the whole network.
14. EXISTING SYSTEM
• Each switch has a threshold field.
• The controller finds out the threshold value of each switch’s maximum traffic
flows by learning from its working history.
• The controller also knows the bandwidth between every two switches.
• This information is maintained at the controller.
• If the controller finds a threshold value greater than the normal value of a
particular switch, it will detect it as malicious and isolate it from the network.
16. PROPOSED SYSTEM
Detection based on SPRT:
• Aim: To detect whether an interface is compromised.
• Assumptions:
  • Each switch is capable of obtaining statistical information about its incoming flows and reporting it to the controller (via OpenFlow, NetFlow, sFlow).
  • The statistics of every flow pass through the DDoS detection modules.
18. Flow Classification [2]:
• Normal flow
• Low traffic flow
Assignments:
• Pr: probability
• $F^b_i$: flow event corresponding to a sequence of flows
• $x_i$: sequence of flows
• $c^b_i$: packet count of the flows in flow event $F^b_i$
• $C$: threshold value (can be obtained and recalibrated)
• $b$: observation index (1, 2, …, n)
• $H$: hypothesis
• $\alpha$: false positive
• $\beta$: false negative
• $D$: detection function
19. • Flow event $F^b_i$ is defined as a Bernoulli random variable:
$F^b_i = 1$ if $c^b_i \le C_{\max}$ (low traffic flow), and $F^b_i = 0$ if $c^b_i > C_{\max}$ (normal flow).
• After classification, the classification function reports the event to the attack detection function.
20. Attack detection based on SPRT:
• Analyzes the list of observed events to decide.
• Consider H1 – detection of compromised interface
H0 – normality
• There are two types of errors:
• False positive – acceptance of H1 when H0 is true
• False negative – acceptance of H0 when H1 is true.
• To avoid the two errors we introduce – α and β as the user defined probabilities of
them, respectively.
• The error rates should not exceed the α and β for false positive and false negative,
respectively.
21. • Consider $D^n_i$ as the detection function's evaluation of interface $i$'s behaviour. Let $D^n_i$ be the probability ratio over all $n$ normal flow and low traffic flow events observed for interface $i$.
• Upon receiving an event $F^b_i$, the detection function evaluates:
$$D^n_i = \ln \frac{\Pr(F^1_i,\ldots,F^n_i \mid H_1)}{\Pr(F^1_i,\ldots,F^n_i \mid H_0)} = \sum_{b=1}^{n} \ln \frac{\Pr(F^b_i \mid H_1)}{\Pr(F^b_i \mid H_0)}$$
(the sum form holds because the flow events are treated as independent).
• Since $F^b_i$ is a Bernoulli random variable, let
$$\Pr(F^b_i = 1 \mid H_0) = 1 - \Pr(F^b_i = 0 \mid H_0) = \lambda_0$$
$$\Pr(F^b_i = 1 \mid H_1) = 1 - \Pr(F^b_i = 0 \mid H_1) = \lambda_1$$
where $\lambda_1 > \lambda_0$, because a compromised interface is more likely to inject low traffic flows in order to overload the controller.
22. • $\lambda_0$ and $\lambda_1$ are the probability distribution parameters of the flow events; they determine the number of observations the detection function needs to reach a decision (either H0 or H1).
• The SPRT-based detection method can be viewed as a one-dimensional random walk:
  • When a low traffic flow is observed ($F^b_i = 1$), the walk moves up one step.
  • When a normal flow is observed ($F^b_i = 0$), the walk moves down one step.
• From this, two boundaries A and B are derived.
23. Testing a compromised interface against a normal interface:
• Given: two boundaries A and B, with B < A, on the log probability ratio $D^n_i$. For the SPRT of H0 against H1 they are set as:
$$A = \ln \frac{1 - \beta}{\alpha}, \qquad B = \ln \frac{\beta}{1 - \alpha}$$
• The SPRT for H0 against H1 is then:
  • $D^n_i \le B$: accept H0 and terminate the test.
  • $D^n_i \ge A$: accept H1 and terminate the test.
  • $B < D^n_i < A$: continue the test with an additional observation.
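The random walk and stopping rule described above, as an added Python example (this is not code from the slides or from the Dong et al. paper): the values of $C_{\max}$, $\lambda_0$, $\lambda_1$, $\alpha$, $\beta$ and the per-flow packet counts are assumed and constructed for illustration.

```python
import math

# Parameters assumed for this example (not values from the slides or the paper)
C_MAX = 3        # packet-count threshold: a flow with <= C_MAX packets is "low traffic"
LAMBDA0 = 0.2    # Pr(F = 1 | H0): share of low-traffic flows on a normal interface
LAMBDA1 = 0.7    # Pr(F = 1 | H1): share of low-traffic flows on a compromised interface
ALPHA = 0.01     # user-defined false-positive bound
BETA = 0.01      # user-defined false-negative bound

def classify_flow(packet_count, c_max=C_MAX):
    """Flow event F: 1 for a low traffic flow (count <= C), 0 for a normal flow."""
    return 1 if packet_count <= c_max else 0

def sprt_boundaries(alpha=ALPHA, beta=BETA):
    """Boundaries on the log probability ratio D, with B < 0 < A."""
    A = math.log((1 - beta) / alpha)   # D >= A: accept H1 (compromised interface)
    B = math.log(beta / (1 - alpha))   # D <= B: accept H0 (normal interface)
    return A, B

def sprt_detect(packet_counts, lam0=LAMBDA0, lam1=LAMBDA1,
                alpha=ALPHA, beta=BETA, c_max=C_MAX):
    """Run the SPRT over one interface's flow events. Returns (decision, n, D);
    decision is "H1", "H0", or None if the input ran out before a boundary was hit."""
    A, B = sprt_boundaries(alpha, beta)
    # One-dimensional random walk: each event adds ln(Pr(F|H1) / Pr(F|H0)),
    # which is positive for F = 1 (step up) and negative for F = 0 (step down).
    step_up = math.log(lam1 / lam0)
    step_down = math.log((1 - lam1) / (1 - lam0))
    D = 0.0
    for n, count in enumerate(packet_counts, start=1):
        D += step_up if classify_flow(count, c_max) else step_down
        if D >= A:
            return "H1", n, D
        if D <= B:
            return "H0", n, D
    return None, len(packet_counts), D

# Constructed packet-count sequences: a normal interface carries mostly large flows,
# a compromised one floods the controller with vast new low-traffic flows.
NORMAL_COUNTS = [50, 40, 2, 60, 35, 80, 1, 45, 70, 55, 30, 90]
ATTACK_COUNTS = [1, 1, 2, 1, 3, 1, 1, 2, 1, 1, 1, 2]

if __name__ == "__main__":
    for name, counts in (("normal", NORMAL_COUNTS), ("attack", ATTACK_COUNTS)):
        decision, n, D = sprt_detect(counts)
        print(f"{name}: decision={decision} after {n} events, D={D:.3f}")
```

With these parameters the attack sequence reaches A after 4 low traffic events, while the normal sequence, despite two low traffic flows, reaches B after 10 events.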
24. RESULTS
• Latency and throughput are the two most fundamental measures of network
performance.
• They are closely related, but whereas latency measures the overall delay in time
for transmission of data between the start of an action and its completion,
throughput is how much data has been transmitted in a given amount of time.
• Therefore here we take the average latency and the throughput to compare
between the two methods.
25. [Figure: Average latency (ms) vs time (s), 5 to 30 s, comparing threshold value latency and SPRT latency]
From this graph it is clear that the overall delay in data transmission with the SPRT method is lower than with TVC. Thus the quality of service of the SPRT method is better than that of TVC.
26. [Figure: Throughput (Mbps) vs time (s), 5 to 30 s, comparing threshold value throughput and SPRT throughput]
From this graph it can be seen that more data was transmitted in a given time while the SPRT method was running. From this too we can conclude that the quality of service of SPRT is better than that of TVC, and that the success rate of data transmission is also higher with SPRT.
27. CONCLUSION
• It can be concluded that it is challenging to choose a threshold value control for
the SDN network as the controller and switches can be easily compromised.
• The SPRT detection method is a statistical tool that detects malicious switches, and especially DDoS attacks, in SDN better than the threshold value method, and thus removes the possibility of compromised nodes.
28. FUTURE WORKS
• A security method like OpenSec [4] can be implemented as further protection in SDN.
• Various types of networks (tree, hierarchy) can be used to implement this method, and a comparison can be made to find the better network performance.
29. REFERENCES
1. Xiaodong Du, Ming Zhong Wang, Xiaoping Zhang, "Traffic Based Malicious Switch Detection in SDN", International Journal of Security and Its Applications, 2014.
2. Ping Dong, Xiaojiang Du, Hongke Zhang, "A Detection Method for a Novel DDoS Attack against SDN Controllers by Vast New Low-Traffic Flows", IEEE, 2016.
3. Diego Kreutz, Fernando M. V. Ramos, Paulo Verissimo, "Software-Defined Networking: A Comprehensive Survey", IEEE, 2014.
4. Adrian Lara and Byrav Ramamurthy, "OpenSec: Policy-Based Security Using Software-Defined Networking", IEEE Transactions on Network and Service Management, 2016.
30. 5. Mihai Nicolae, Laura Gheorghe, "SDN Based Security Mechanism", IEEE, 2015.
6. N. McKeown et al., "OpenFlow: Enabling Innovation in Campus Networks", ACM SIGCOMM Comput. Commun. Rev., Mar. 2008.
7. http://sdnhub.org/tutorials/ryu/
8. http://mininet.org/walkthrough/
9. https://github.com/mininet/mininet
10. http://www.brianlinkletter.com/how-to-use-miniedit-mininets-graphical-user-interface/