TY - GEN
T1 - A two-stage detection system of DDoS attacks in SDN using a trigger with multiple features and self-adaptive thresholds
AU - Niu, Muyuan
AU - Feng, Yaokai
AU - Sakurai, Kouichi
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Software-defined networking (SDN) has received a lot of attention in academia and industry in recent years, and DDoS attacks are still one of the most dangerous threats. As cyberattacks become more sophisticated, detection systems also become more complex and computationally intensive, for example, Deep Learning-based detection. Against this background, two-stage detection is proposed, in which a trigger is introduced before the complex detection is invoked. That is, the heavy detection module is called only when the requirements in the trigger are satisfied. Clearly, the triggering mechanism plays an important role in such detection systems, as it determines when the second stage is invoked. Most of the existing relevant studies utilize one feature and a fixed threshold. However, it is not easy to predefine suitable thresholds in practice, and one feature is often not sufficient for effective trigger conditions, which have a significant impact on the detection performance of the whole detection system. The latest related work uses dynamic thresholding, but still only one feature, and the threshold adaptation mechanism is too simplistic, which makes it too difficult to use in real applications. Moreover, the performance of the approaches in most related works is verified using only simulated data. In this study, we increase the number of features and optimize the threshold adjustment method in the trigger. In addition, in the detection module of the second stage, six features carefully determined from traffic bytes, packets, and IP addresses are used. The performance of the proposal is demonstrated in a simulated SDN environment using a public dataset. The experimental results indicate that the number of calls to the computationally intensive detection module is significantly reduced, while at the same time the detection performance of the overall system is not degraded.
AB - Software-defined networking (SDN) has received a lot of attention in academia and industry in recent years, and DDoS attacks are still one of the most dangerous threats. As cyberattacks become more sophisticated, detection systems also become more complex and computationally intensive, for example, Deep Learning-based detection. Against this background, two-stage detection is proposed, in which a trigger is introduced before the complex detection is invoked. That is, the heavy detection module is called only when the requirements in the trigger are satisfied. Clearly, the triggering mechanism plays an important role in such detection systems, as it determines when the second stage is invoked. Most of the existing relevant studies utilize one feature and a fixed threshold. However, it is not easy to predefine suitable thresholds in practice, and one feature is often not sufficient for effective trigger conditions, which have a significant impact on the detection performance of the whole detection system. The latest related work uses dynamic thresholding, but still only one feature, and the threshold adaptation mechanism is too simplistic, which makes it too difficult to use in real applications. Moreover, the performance of the approaches in most related works is verified using only simulated data. In this study, we increase the number of features and optimize the threshold adjustment method in the trigger. In addition, in the detection module of the second stage, six features carefully determined from traffic bytes, packets, and IP addresses are used. The performance of the proposal is demonstrated in a simulated SDN environment using a public dataset. The experimental results indicate that the number of calls to the computationally intensive detection module is significantly reduced, while at the same time the detection performance of the overall system is not degraded.
UR - http://www.scopus.com/inward/record.url?scp=85148649683&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85148649683&partnerID=8YFLogxK
U2 - 10.1109/IMCOM56909.2023.10035661
DO - 10.1109/IMCOM56909.2023.10035661
M3 - Conference contribution
AN - SCOPUS:85148649683
T3 - Proceedings of the 2023 17th International Conference on Ubiquitous Information Management and Communication, IMCOM 2023
BT - Proceedings of the 2023 17th International Conference on Ubiquitous Information Management and Communication, IMCOM 2023
A2 - Lee, Sukhan
A2 - Choo, Hyunseung
A2 - Ismail, Roslan
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 17th International Conference on Ubiquitous Information Management and Communication, IMCOM 2023
Y2 - 3 January 2023 through 5 January 2023
ER -