An Evolutionary SVM Model for DDOS Attack Detection


a) Context

The concept of “software-defined networks” (SDNs) has recently attracted a lot of attention in the academic community (SDN). When using the SDN paradigm, it is much simpler to design a resilient, adaptable, and safe network infrastructure. The key innovation of SDN is the decoupling of the control plane from the underlying infrastructure. The final approval for publishing was given by assistant editor Luis Javier Garcia Villalba. The flow table is examined whenever a packet is received by a switch. After checking for a match, the packet is sent if one is found. The OpenFlow-enabled switch will send a control packet to the controller if there is no match in the flow table. The controller may then make a decision. In order to program the SDN control layer, the controller may take care of the OpenFlow switch’s many flow tables. Despite these advancements, new security flaws have been discovered in various components of SDN’s design. Most people agree that ensuring the safety of an SDN is the first priority.

The Machine Learning (ML) technique simplifies the development of network behavior with the ability to learn from data history and produce packet-level predictions based on training data. We have been able to distinguish between legitimate traffic and malicious attacks using these techniques. The features were selected using kernel principal component analysis (KPCA), and the SVM parameters were adjusted using a genetic approach (GA). For better accuracy and faster testing, we advise adopting the SVM model developed by Kuang et al.


When it comes to security, distributed denial of service (DDoS) is one of the biggest concerns. In this assault, blocking legitimate users from accessing system resources is the primary objective. This kind of assault is often carried out by a swarm of bots running malicious software. In order to have a significant impact on the network, a DDoS assault relies on a simple yet effective technique: a flood of traffic. On the other hand, it’s not easy to mount a counterattack. Although a network administrator may be aware of an impending assault, it may be impossible to halt all of them at once. As a result, it is crucial to restrict the controller’s capabilities for the sake of safety. This necessitates the development of new detection and mitigation techniques for use in next-generation network topologies like SDN.

c) Objective

SVM are considered to be strong classifiers in terms of accuracy and generalizability; however, training time is much higher. Therefore, several feature selection approaches have been developed that may be utilized with SVM to improve outcomes with lower-dimensional data.


For the purposes of this study, the SVM technique is used as the primary classifier for establishing whether or not traffic is fake. There were three distinct SVMs used to evaluate the effectiveness of a security solution for a software-defined network. KPCA, GA, and SVM are all examples of search algorithms. In order to categorize attacks, a KPCA feature extractor and a support vector machine classifier were used. To further reduce training time, an enhanced radial basis kernel function has been included. Evolving methods were also used to fine-tune the classifier’s parameters. The detection module is activated, and the controller is activated above it. A POX controller, an OVS emulator, and a Mininet emulator may be used to imitate a real-world network and put the proposed DDoS detection system through its paces. The attack detection results demonstrate that the proposed SVM model is more accurate and better at classifying than existing classifiers.


According to the experimental findings, the proposed model outperforms single-SVM in terms of classification accuracy and general effectiveness. Future-proof security policies that include the proposed model for the controller are possible. The training and testing data came from a contemporary DDoS dataset with 1,216,666 records and 27 attributes. As an example, NSL-KDD encompasses a wide variety of attacks including Probe, DoS, R2L, and U2R. Since there are no duplicates in either set of data, the machine learning classifiers will be less likely to over-weight frequent occurrences. As a result, it’s possible that many ML algorithms will function as intended. An accurate machine learning (ML) model may predict the nature of an impending assault.

The model’s performance was evaluated based on the confusion matrix, which might have a positive or negative value. After 50 iterations, we identified the optimal values for the SVM parameters, which are listed in Table 1. The N-KPCA+GA+SVM model has a greater accuracy and false rate than the other models. The effectiveness of the proposed model’s predictive abilities and memorization was analyzed in a second experiment using state-of-the-art algorithmic methods.

TABLE 1. The optimal parameters for the available SVM models

Based on the results of this research, PCA and K-PCA are superior than a single SVM that does not use feature extraction approaches in terms of accuracy. As an online test of the suggested detection approach, a tree topology consisting of 15 switches and a POX controller was constructed. The “normal” and “UDP-flood” groups improved in precision and memory retention with the help of both models. It’s difficult to identify whether the traffic is an attack or not since “smurf” sends so many ICMP echo signals. The controller was first set up using the proposed model, and its results are now being analyzed using the sFlow-rt software package.


The research offered a novel approach to detecting and stopping DDoS assaults on SDN infrastructures. Support Vector Machine (SVM) classifiers, which include multiple layers, were employed for detection. KPCA and GA were used to improve the accuracy of this model and decrease the amount of time spent testing it. Analyze the confusion matrix with the use of NKPCA, GA, and SVM classifier settings. Training times may be reduced with the help of N-RBF as well. KPCA performs better than PCA on the DDoS dataset, as shown by the experiment results. The suggested model outperforms the remainder of the model in accuracy, coming in at 98.907%. For this reason, it is possible that kernel function PCA is more effective than traditional PCA since it eliminates more fundamental components. Over time, this study aspires to merge kernel functions with other classification strategies to provide more engaging classification algorithms. A real-world SDN testbed will also prioritize streamlining the detection of “smurf class” and “SiDDoS class” traffic. Although the model performs well in a single-controller setup, it may struggle to differentiate attack traffic from benign traffic in a multi-controller setup. It’s possible that in the future, we’ll tweak our model to the point where we can anticipate an assault on many controllers.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top