A Flexible SDN-Based Architecture Identifying Low Rate DDoS



One of the most difficult types of distributed denial of service (DDoS) attacks to detect is the low-rate kind (LR-DDoS). In contrast to high-rate DDoS assaults, LR-DDoS attacks do not flood a network with an overwhelming volume of data. Instead, they selectively exploit parts of a protocol, such as TCP’s retransmission after timeout and congestion control. HTTP’s keep-alive functionality, which utilizes the host computer at the destination,

Li Zhang served as the assistant editor who monitored the review process and ultimately gave the manuscript the green light for publication.

Software-defined networking (SDN) is a relatively new networking concept that physically separates the control and forwarding planes of network devices (such as routers and switches) in order to create a logically centralized control and management entity. SDN can also be put to use in the detection and mitigation of DDoS assaults that make limited use of network resources. In this study, the authors detail a revised architecture for SDN systems that can detect and halt LR-DDoS assaults. The intrusion detection system (IDS) receives traffic routed from the intrusion prevention system (IPS) and determines whether or not each flow is malicious. To classify a flow, the IDS API uses one of several previously trained machine learning (ML) models.


A DDoS assault may be detected in one of two ways: by signatures or by anomalies. The first method compares incoming data against signatures, consisting of patterns or strings extracted from protocol header fields, in order to decide whether a flow is malicious.

Low-Rate Distributed Denial-of-Service Attack Detection and Mitigation Architecture

One of the most challenging aspects of employing ML algorithms to detect LR-DDoS is selecting appropriate threshold values, since these methods rely on them. Coming up with realistic solutions to LR-DDoS assaults is similarly challenging. Although updating the router’s firmware is sometimes feasible, it is not always a viable option.

Objectives:

  • To offer an advanced, adaptable architecture for monitoring and mitigating LR-DDoS assaults in SDN environments.
  • To locate and mitigate LR-DDoS assaults in production networks, and provide generalizable countermeasures.

In this investigation, a modular and malleable security architecture was developed and deployed to detect and thwart LR-DDoS assaults in SDN environments. The modular structure allows for easy customization without disrupting the overall architecture. In order to identify flows, the architecture’s IDS component employs a collection of trained ML models that may be constructed using a variety of languages and frameworks.

In order to detect and halt LR-DDoS assaults, the researchers offer a scalable security architecture based on SDN that makes use of machine learning and deep learning. Multiple low-rate DDoS (LR-DDoS) attack simulation tools and real-world assaults (such as DDoSSim, GoldenEye, H.U.L.K., R.U.D.Y., Slow Body, Slow Headers, Slowloris, and Slow Read) are used to test the viability of the suggested approach and identify countermeasures. Multiple methods were tested for detecting and stopping LR-DDoS attacks: J48, Random Trees, REP Tree, Random Forest, Multi-Layer Perceptron (MLP), and Support Vector Machines (SVM).

The researchers have developed an SDN-based method for preventing low-rate DDoS assaults. The framework decouples detection and mitigation into separate network applications, each of which may be implemented in any programming language or technology. The controller’s processing load is therefore reduced.


The evaluation found that even though LR-DoS assaults are difficult to uncover, our technique had a 95% detection rate. According to the study authors, the Open Network Operating System (ONOS) controller installed on the Mininet virtual machine helps make the deployment as realistic as feasible. In our testing topology, the intrusion prevention system (IPS) handles any threats previously identified by the IDS. This demonstrates that our system can effectively detect and halt LR-DDoS assaults.


We may expect LR-DDoS assaults to remain a problem, particularly for highly centralized systems (e.g., cloud computing platforms). This article details the development and deployment of a flexible, modular security architecture for SDN networks capable of detecting and mitigating LR-DDoS threats. The modular structure allows for easy customization without disrupting the overall architecture. In order to identify flows, the architecture’s IDS component employs a collection of trained ML models that may be constructed using a variety of languages and frameworks. Six alternative ML algorithms were evaluated on the CIC DoS dataset, with results showing 95% accuracy.

Our system was developed in a research lab employing a virtualized environment: VirtualBox, the ONOS controller, and the Mininet virtual machine. The (complex) ONOS controller is often used in production, notably in datacenters, making it simple to extrapolate our findings to real-world production situations. We utilized two distinct topologies in our deployment to prove that all of the security issues we had previously discovered had been eliminated.

In the near future, the researchers want to include modern machine learning and deep learning techniques in their work to boost performance, for example against a broader spectrum of threats. In order to provide a more thorough assessment of the system, they wish to include other deep learning algorithms that are effective at identifying LR-DDoS assaults. Researchers may employ statistical filters like the Kalman and Exponentially Weighted Moving Average (EWMA) filters to make it easier to decide when to install flow rules. The number of false positives increases when these techniques are used, yet genuine users are still able to bypass the system. To further enhance scalability, we’d want to provide a means of testing just certain flows between the IPS and the IDS. This technique should be applicable to real-world production networks, such as those found in datacenters, as well as larger network topologies.
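
The EWMA filtering mentioned above can be sketched as follows. This is an added example, not code from the paper: it smooths per-flow IDS scores so that a drop rule is requested only after sustained malicious verdicts. The class name, `alpha`, `block_at`, the flow keys and the scores are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class EwmaRuleDecider:
    """Smooth per-flow IDS scores; signal when a drop rule should be installed.

    alpha and block_at are illustrative assumptions, not values from the paper.
    """
    alpha: float = 0.3      # weight given to the newest IDS score
    block_at: float = 0.7   # request a drop rule once the EWMA reaches this
    ewma: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def observe(self, flow, score):
        """Feed one IDS score in [0, 1]; return True if a rule is needed now."""
        if not 0.0 <= score <= 1.0:
            raise ValueError("IDS score must be within [0, 1]")
        if flow in self.blocked:
            return False                    # rule already in place
        prev = self.ewma.get(flow, 0.0)     # unseen flows start as benign
        cur = self.alpha * score + (1 - self.alpha) * prev
        self.ewma[flow] = cur
        if cur >= self.block_at:
            self.blocked.add(flow)
            return True
        return False


def replay(events, decider=None):
    """Return [(event_index, flow)] for every drop rule the decider requests."""
    if decider is None:
        decider = EwmaRuleDecider()
    installs = []
    for i, (flow, score) in enumerate(events):
        if decider.observe(flow, score):
            installs.append((i, flow))
    return installs


# Constructed sample: (src, dst, dst_port) flow keys with per-window IDS scores.
SLOW = ("10.0.0.5", "10.0.0.80", 80)    # sustained malicious verdicts
USER = ("10.0.0.9", "10.0.0.80", 80)    # benign, with one false positive
EVENTS = [
    (SLOW, 1.0), (USER, 0.1), (SLOW, 1.0), (USER, 1.0),
    (SLOW, 1.0), (USER, 0.1), (SLOW, 1.0), (USER, 0.1),
]

if __name__ == "__main__":
    print(replay(EVENTS))
```

With `alpha=1.0` the filter is effectively disabled and the single false positive on the benign flow triggers a rule as well, which is the behaviour the smoothing is meant to avoid.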
