The document discusses a proposed system for detecting malicious switches and DDoS attacks in Software Defined Networking (SDN) by using a statistical approach known as the Sequential Probability Ratio Test (SPRT). It contrasts this method with existing threshold value control (TVC) techniques which are vulnerable to various attacks. The results demonstrate that the SPRT method provides better performance in terms of lower latency and higher throughput compared to TVC, concluding that SPRT is a more effective solution for malicious traffic detection in SDN environments.

1. TRAFFIC-BASED MALICIOUS
SWITCH And DDoS DETECTION
IN SOFTWARE DEFINED
NETWORKING
By:
Akshaya Arunan
Roll No: 1
MTech [IT]
Guided By:
Simi Krishna K.R
AssistantProfessor[IT]

2. OUTLINE
• Introduction
• Existing system
• Proposed system
• System design
• Tools
• Implementation
• Threshold value control
• Sequentialprobabilityratio test
• Results
• Conclusion
• Future works
• References
6/29/2017 2Government Engineering College, Barton Hill, Trivandrum

3. INTRODUCTION
Software Defined Network [SDN]:
• Complexity of the network shifts towards the controller.
• Brings simplicity and abstraction to the network operator.
• SDN decouples the control plane from the data plane.
• Migrates to a logically centralized software-based network controller.
• Controller is network-aware.
• Dynamic updating of traffic rules.
6/29/2017 3Government Engineering College, Barton Hill, Trivandrum

4. SDN Architecture [3]
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 4

5. 6/30/2017 Government Engineering College, Barton Hill, Trivandrum 5
• Application Plane: Contains SDN applications for various functionalities.
• Control Plane: It is a logically centralized control framework that
• runs the NOS,
• maintains global view of the network, and
• provides hardware abstractions to SDN applications.
• Data Plane: It is the combination of forwarding elements used to forward traffic
flows based on instructions from the control plane.

6. OpenFlow [6]:
• Communication protocol
• A protocol - SDN controller communication with the network devices.
• Standardizes the communication - a software-based controller and switches - Open
Flow channel.
• An OpenFlow-compliant switch exposes an abstraction of its forwarding table to
the Open Flow controller.
6/29/2017 6Government Engineering College, Barton Hill, Trivandrum

7. • An Open Flow Switch consists of
at least three parts:
• A Flow Table,
• A Secure Channel,
• The Open Flow Protocol.
6/30/2017 Government Engineering College, Barton Hill, Trivandrum 7

8. EXISTING SYSTEM
• Goal: To detect mobile malware by identifying suspicious network activities
through real-time traffic analysis, which only requires connection establishment
packets.
• A simulation environment on SDN topology is created.
• The TVC is implemented - used to detect malicious switches.
• Each switch has its own threshold
• The controllermaintains the maximum threshold of each switch from its working history.
• Bandwidth between each switch is noted by the controller.
• If the bandwidth crosses the actual bandwidth, then the flow to that particularswitch is
blocked.
• Maintained by the controller.
• The controllerwill not assign flows through any switch beyond its thresholdvalue.
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 8

9. Controller
Admin
E-mail/SMS
Notification
1
2
3
4
5
6
Incoming
malicioustraffic
Goes for
traffic
monitoring
Finding malicious
activities
Flow to OF
switch 2
stopped
No malicious
traffic reaches
destination
Source PC DestinationPC
OF Switch 1 OF Switch 2
Normal packet
Maliciouspacket
Control Plane
Data Plane
SYSTEMDESIGN
6/29/2017 9Government Engineering College, Barton Hill, Trivandrum

10. • Disadvantage of TVC:
• Since there can be more flows which are not malicious and may try to enter,
the controller blocks them.
• Also some switches may not know the assigned TVC and may let in the
packets. Here, they may also be blocked.
• Thus, the controller here can be easily compromised.
• Most common attack in SDN is Distributed Denial of Service which also in
not possible to detect with TVC.
• Therefore, to overcome this, SPRT method is introduced.
6/29/2017 10Government Engineering College, Barton Hill, Trivandrum

11. PROPOSED SYSTEM
• Goal: To propose an effective detection method for the DDoS attacks against SDN
controllers by vast new low traffic flows.
• The SDN controller is a vulnerable target of DDoS attacks.
• Many packet-in messages maybe generated and sent to the controller exhausting it or
failing it.
• Breaks down a controller and disrupts the whole network.
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 11

12. TOOLS
• Virtual Box (Version 5.1.12r112440)
• Ubuntu 14.04
• Mininet 2.2.0
• Open Daylight Controller (Beryllium)
• Miniedit
6/29/2017 12Government Engineering College, Barton Hill, Trivandrum

13. IMPLEMENTATION
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 13

14. EXISTING SYSTEM
• Each switch has a threshold field.
• The controller finds out the threshold value of each switch’s maximum traffic
flows by learning from its working history.
• The controller also knows the bandwidth between every two switches.
• These information's will be maintained at the controller.
• If the controller finds a threshold value greater than the normal value of a
particular switch, it will detect it as malicious and isolate it from the network.
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 14

15. 6/29/2017 15Government Engineering College, Barton Hill, Trivandrum

16. PROPOSED SYSTEM
Detection based on SPRT:
• Aim: To detect whether an interface is compromised.
• Assumption:
• Each switch is capable of obtaining statistical info of the incoming flows and
reporting it to the controller (via OpenFlow, NetwFlow, sFlow).
• Each flow statistics will pass our DDoS detection modules.
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 16

17. 6/29/2017 17
Government Engineering College, Barton Hill, Trivandrum

18. Flow Classification[2]:
• Normal flow
• Low traffic flow
Assignments:
• Pr - Probability
• Fb
i – Flow event corresponding to sequence of flows
• xi – sequence of flows
• cb
i - packet counts of flows in a flow event F
• C – Threshold value ( can be obtained and recalibrated)
• b – Observations (1,2,…, n)
• H – Hypothesis
• α – False positive
• β – False negative
• D – Detection function
6/29/2017 18Government Engineering College, Barton Hill, Trivandrum

19. • Flow event Fb
i is defines as Bernoulli random variable:
Fb
i = 1, if cb
i <= Cmax
0, if cb
i >= Cmax
• After classification, function reports to attack detection function.
6/29/2017 19Government Engineering College, Barton Hill, Trivandrum

20. Attack detection based on SPRT:
• Analyzes the list of observed events to decide.
• Consider H1 – detection of compromised interface
H0 – normality
• There are two types of errors:
• False positive – acceptance of H1 when H0 is true
• False negative – acceptance of H0 when H1 is true.
• To avoid the two errors we introduce – α and β as the user defined probabilities of
them, respectively.
• The error rates should not exceed the α and β for false positive and false negative,
respectively.
6/29/2017 20Government Engineering College, Barton Hill, Trivandrum

21. • Consider Dn
i as an evaluation of interface i’s behavior by detection function. Let Dn
i be
the probability ratio considering all n normal flow and low traffic flow events noted for
interface i.
• Upon receiving an event Fb, the detection function evaluates:
Dn
i = Ʃ ln Pr(F1
i,……..,Fn
i | H1)
Pr(F1
i,…….., Fn
i | H0)
• Since Fb is a Bernoulli random variable, let
Pr(Fb
i = 1| H0) = 1- Pr(Fb
i = 0| H0) = λ1
Pr(Fb
i = 1| H1) = 1- Pr(Fb
i = 0| H1) = λ0
where λ1 > λ0 because a compromised interface is more likely to be injected into low traffic
flows to overload controller
6/29/2017 21Government Engineering College, Barton Hill, Trivandrum

22. • λ0 and λ1 are the probability distribution parameters for the flow events and affect
the number of observations required for the detection function to reach a decision
(either H0 or H1).
• SPRT based detection method can be considered as a one dimensional random
walk.
• When low traffic, Fb
i = 1, walk moves upward one step.
• When normal, Fb
i = 0, walk moves downward one step.
• From this two boundaries A and B is produced.
6/29/2017 22Government Engineering College, Barton Hill, Trivandrum

23. Testing compromised interface against a normal interface:
• Given : Two boundaries A and B where B<A on basis of probability ratio, Dn
i
SPRT for H0 against H1 is set as:
A = β / (1- α)
B = (1- β) / α
• The SPRT for H0 against H1 is given as :
Dn
i <= B : accept H0 and terminate the test.
Dn
i >= A : accept H1 and terminate the test.
B < Dn
i < A : continue the test process with an additional observation.
6/29/2017 23Government Engineering College, Barton Hill, Trivandrum

24. RESULTS
• Latency and throughput are the two most fundamental measures of network
performance.
• They are closely related, but whereas latency measures the overall delay in time
for transmission of data between the start of an action and its completion,
throughput is how much data has been transmitted in a given amount of time.
• Therefore here we take the average latency and the throughput to compare
between the two methods.
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 24

25. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 25
15.8373
14.9247
14.2378
13.8743
13.1289
12.7909
11.6848
10.4576
9.2378
8.9453 8.6953
7.9909
0
2
4
6
8
10
12
14
16
18
5 10 15 20 25 30
AVERAGELATENCY(MS)
TIME(S)
AVERAGE LATENCY
THRESHOLD VALUE LATENCY SPRT LATENCY
From this graph it is clear
that the delay in overall
data transmission of
SPRT method is lesser
compared to the TVC.
Thus the quality of
service of SPRT method
is better than the TVC.

26. 6/29/2017 Government Engineering College, Barton Hill, Trivandrum 26
123.5935 125.9403
128.5839
131.9643
138.8543 140.0955141.8343 143.5934
147.4898
153.3857
158.4872
163.8238
0
20
40
60
80
100
120
140
160
180
5 10 15 20 25 30
THROUGHPUT(MBPS)
TIME(S)
THROUGHPUT
THRESHOLD VALUE THROUGHPUT SPRT THROUGHPUT
From this graph it is
understood that the
data transmitted was
more when the SPRT
method was running
in a particular time.
Thus from this also
we can understand
that the quality od
service of SPRT is
better than TVC and
also the success rate
of data transmission is
also more in SPRT.

27. CONCLUSION
• It can be concluded that it is challenging to choose a threshold value control for
the SDN network as the controller and switches can be easily compromised.
• SPRT detection method is a statistical tool which is a better method to detect
malicious switch especially DDoS attack in SDN compared to the threshold value
and thus removes the possibilities of compromised nodes.
6/29/2017 27Government Engineering College, Barton Hill, Trivandrum

28. FUTURE WORKS
• Implementation of a security method like OpenSec[4] can be implemented as a
further protection in SDN.
• Various types networks (tree, hierarchy) can be used to implement this method and
an comparison can be done to find the better network performance.
6/29/2017 28Government Engineering College, Barton Hill, Trivandrum

29. REFERENCES
1. Xiaodong Du, Ming Zhong Wang, Xiaoping Zhang, “Traffic based malicious
switch Detection in SDN”, International Journal of Security and its applications,
2014.
2. Ping Dong, Xiaojiang Du, Hongke Zhang, “A detection Method for a Novel
DDoS Attack against SDN Controllers by Vast New Low traffic Flows”, IEEE,
2016.
3. Diego Krutz, Fernando M.V. Ramos, Paulo Verissimo, “Software Defined
Networking: A comprehensive Survey”, IEEE, 2014.
4. Adrian Lara and Byrav Ramamurthy, “OpenSec: Policy Based Security Using
Software Defined Networking”, IEEE transactions on network and service
management, 2016.
6/29/2017 29Government Engineering College, Barton Hill, Trivandrum

30. 5. Mihai Nicolae, Laura Gheorge, “SDN Based Security Mechanism”, IEEE, 2015.
6. N. McKeown et al., “Open Flow: Enabling innovation in campus networks,”
SIGCOMM Comput. Commun. Mar. 2008.
7. “http://sdnhub.org/tutorials/ryu/”
8. “http://mininet.org/walkthrough/”
9. “https://github.com/mininet/mininet”
10. “http://www.brianlinkletter.com/how-to-use-miniedit-mininets-graphical-user-
interface/”
6/29/2017 30Government Engineering College, Barton Hill, Trivandrum

31. THANK YOU
6/29/2017 31Government Engineering College, Barton Hill, Trivandrum

32. SCREENSHOTS
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 32

33. Starting a mininet with IP address eth1
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 33

34. Starting open daylight controller
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 34

35. Opening the open daylight controller with the
IP address eth0 in the browser
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 35

36. Creating a topology in the mininet terminal
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 36

37. Viewing the topology in the browser
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 37

38. Creating a topology in the miniedit
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 38

39. Running the threshold value control program
with waf in xterm.
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 39

40. Running the SPRT program with waf in
xterm.
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 40

41. Flow can be viewed in Wireshark if needed
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 41

42. Throughput plotted
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 42

43. Latency plotted
6/29/2017 Government Engineering College, Barton Hill, Trivandrum 43