A Hybrid Method of Joint Entropy and Multiple Clustering Based DDoS Detection in SDN

doi:10.3969/j.issn.1671-1122.2023.10.001

Abstract

Abstract:

Software Defined Networking (SDN), an emerging networking paradigm, has introduced more severe Distributed Denial of Service attacks (DDoS) along with convenience. Existing works typically use machine learning models to detect DDoS attacks, but ignore the additional overhead that models impose on SDN controllers. In order to detect DDoS attacks more efficiently and accurately, this paper adoptd a strategy of multi-level detection modules: the first-level module detectd suspicious traffic by calculating the joint entropy of the traffic in the current window; the second-level module used a semi- supervised model that used techniques such as feature selection, multi-training algorithms, and multiple clustering to improve detection performance by training multiple local models. Compared with other existing models, this model performs best on multiple data sets and has better detection accuracy and generalization ability.

Key words: SDN, DDoS, semi-supervised learning, statistical learning

CLC Number:

TP309

WANG Zhi, ZHANG Hao, Jason GU. A Hybrid Method of Joint Entropy and Multiple Clustering Based DDoS Detection in SDN[J]. Netinfo Security, 2023, 23(10): 1-7.

Figures/Tables 10

References 19

[1]	KOPONEN T, CASADO M, GUDE N, et al. Distributed Control Platform for Large-Scale Production Networks: USA, 8. 830. 823[P]. 2014-09-09.
[2]	KAUR S, KUMAR K, AGGARWAL N, et al. A Comprehensive Survey of DDoS Defense Solutions in SDN: Taxonomy, Research Challenges, and Future Directions[J]. Computers & Security, 2021, 110(1): 102423-102431. doi: 10.1016/j.cose.2021.102423 URL
[3]	SINGH J, BEHAL S. Detection and Mitigation of DDoS Attacks in SDN: A Comprehensive Review, Research Challenges and Future Directions[J]. Computer Science Review, 2020, 37: 100279-100294. doi: 10.1016/j.cosrev.2020.100279 URL
[4]	JASIM M N, GAATA M T. K-Means Clustering-Based Semi-Supervised for DDoS Attacks Classification[J]. Bulletin of Electrical Engineering and Informatics, 2022, 11(6): 3570-3576. doi: 10.11591/eei.v11i6 URL
[5]	KALKAN K, ALTAY L, GUR G, et al. JESS: Joint Entropy-Based DDoS Defense Scheme in SDN[J]. IEEE Journal on Selected Areas in Communications, 2018, 36(10): 2358-2372. doi: 10.1109/JSAC.2018.2869997 URL
[6]	MAHESHWARI A, MEHRAJ B, KHAN M S, et al. An Optimized Weighted Voting Based Ensemble Model for DDoS Attack Detection and Mitigation in SDN Environment[J]. Microprocessors and Microsystems, 2022, 89: 104412-104438. doi: 10.1016/j.micpro.2021.104412 URL
[7]	YU Junqing, LI Zizun, WU Chi, et al. A Two-Stage DDoS Attack Detection and Defense Method in Software Defined Network[J]. Netinfo Security, 2022, 22(1): 1-8.
	于俊清, 李自尊, 吴驰, 等. 面向软件定义网络的两级DDoS攻击检测与防御[J]. 信息网络安全, 2022, 22(1): 1-8.
[8]	VILLA-PÉREZ M E, ALVAREZ-CARMONA M A, LOYOLA-GONZALEZ O, et al. Semi-Supervised Anomaly Detection Algorithms: A Comparative Summary and Future Research Directions[J]. Knowledge-Based Systems, 2021, 218: 106878-100686. doi: 10.1016/j.knosys.2021.106878 URL
[9]	TAN Liang, PAN Yue, WU Jing, et al. A New Framework for DDoS Attack Detection and Defense in SDN Environment[J]. IEEE Access, 2020, 8: 161908-161919. doi: 10.1109/Access.6287639 URL
[10]	WANG Cong, CUI Yunhe, GAO Hongfeng. DDoS Attack Detection Based on Improved D-S Theory in SDN[J]. Computer System & Applications, 2022, 31(8): 354-360.
	王聪, 崔允贺, 高鸿峰. SDN环境下基于改进D-S理论的DDoS攻击检测[J]. 计算机系统应用, 2022, 31(8): 354-360.
[11]	SABIROV D S, SHEPELEVICH I S. Information Entropy in Chemistry: An Overview[J]. Entropy, 2021, 23(10): 1240-1249. doi: 10.3390/e23101240 URL
[12]	ZHANG Long, WANG Jinsong. A Hybrid Method of Entropy and SSAE-SVM Based DDoS Detection and Mitigation Mechanism in SDN[J]. Computers & Security, 2022, 115: 102604-102620. doi: 10.1016/j.cose.2022.102604 URL
[13]	SINAGA K P, YANG M S. Unsupervised K-Means Clustering Algorithm[J]. IEEE Access, 2020, 8: 80716-80727. doi: 10.1109/Access.6287639 URL
[14]	RAHMAN A, VERMA B. Novel Layered Clustering-Based Approach for Generating Ensemble of Classifiers[J]. IEEE Transactions on Neural Networks, 2011, 22(5): 781-792. doi: 10.1109/TNN.2011.2118765 pmid: 21486714
[15]	QUINLAN J R. Induction of Decision Trees[J]. Machine Learning, 1986, 1: 81-106.
[16]	ZHOU Zhihua, LI Ming. Tri-Training: Exploiting Unlabeled Data Using Three Classifiers[J]. IEEE Transactions on Knowledge and Data Engineering, 2005, 17(11): 1529-1541. doi: 10.1109/TKDE.2005.186 URL
[17]	AHUJA N, SINGAL G, MUKHOPADHYAY D, et al. Automated DDOS Attack Detection in Software DefIned Networking[J]. Journal of Network and Computer Applications, 2021, 187: 103108-102122. doi: 10.1016/j.jnca.2021.103108 URL
[18]	NING Xin, WANG Xinran, XU Shaohui, et al. A Review of Research on Co-Training[J]. Concurrency and Computation: Practice and Experience, 2021, 35(18): 1-16.
[19]	Al-JARRAH O Y, Al-HAMMDI Y, YOO P D, et al. Semi-Supervised Multi-Layered Clustering Model for Intrusion Detection[J]. Digital Communications and Networks, 2018, 4(4): 277-286. doi: 10.1016/j.dcan.2017.09.009 URL

模型	ACC	Recall	Precision	F1值
Co-training	93.56%	92.88%	94.62%	93.43%
Tri-training	91.52%	90.79%	91.87%	91.43%
SMLC	85.94%	86.72%	88.47%	85.85%
Multi-training	94.84 %	94.41%	94.93%	94.58%
本文方法	96.23%	95.94%	97.16%	96.43%

	ACC	Recall	Precision	F1值	FPR	TT/s
71个特征	96.23%	95.94%	97.16%	96.43%	5.59%	26.31
15个特征	96.36%	95.81%	96.76%	96.22%	5.04%	12.84

模型	ACC	Recall	Precision	F1值
Co-training	80.90%	83.14%	82.74%	80.89%
Tri-training	70.83 %	78.07%	74.05%	70.32%
SMLC	81.44 %	83.50%	82.72%	81.44%
本文方法	82.19 %	83.97%	83.87%	82.19%

模型	ACC	Recall	Precision	F1值
Co-training	99.8662%	99.8664%	99.8610%	99.8637%
Tri-training	99.8742%	99.8663%	99.8775%	99.8719%
SMLC	99.8817%	99.8845%	99.8745%	99.8795%
本文方法	99.8830%	99.8858%	99.8849%	99.8890%