DDoS Attack Detection Method Based on Improved KNN



DoS attacks, which disrupt service for many users at once, have become a focal point of cyber security discussion in recent years. Software-defined networking (SDN) has been the subject of much study and development in recent years. Taking advantage of the separation of the control and data planes in an SDN, Shin and Gu developed a network scanning tool capable of identifying such networks and then conducted a denial-of-service attack against one. Since the controller’s querying had resulted in differing flow response time values for the current and new flows, the scanner, which could scan the network in order to alter network header fields, gathered the time values depending on the header field. The flow requests were sent to the destination network and arrived at the controller through the data path once it was established that the network was an SDN network. However, the controller will fail as the number of flows on the data line increases and flow setup requests are sent to the switches.

To find methods for DDoS detection in an SDN network, the authors here provided a variety of characteristics and analysed traffic behaviour during a DDoS assault. Researchers have also suggested DDoS detection systems using severity of attack (DDADA) and machine learning (called DAMDL).


Because the SDN network is different from the traditional network in how it is built, DDoS attacks could make it hard for the SDN to work. The SDN controller is the part that is most likely to be attacked by a DDoS. In general, a DoS attack tries to block real users from using network resources.


This research will examine four factors to determine the efficacy of DDoS attack detection while the SDN controller is under assault (named flow length, flow duration, flow size, and flow ratio). To aid in identifying a Distributed Denial of Service (DDoS) assault, the concept of “degree of attack” is proposed.

This research will provide a means of learning about the assault, the severity of which should be taken into account (dubbed DDADA). Finally, a novel machine learning-based detection approach called DDAML is utilised to locate the DDoS assault, enhancing the effectiveness of detection.


Several methods for detecting distributed denial of service attacks were developed by the research community. Examination of these techniques revealed that while behavioral aspects were crucial for DDoS detection in SDN, they were also influenced by other parameters. In order to discover methods for detecting DDoS assaults in the SDN network, researchers in this study included many attributes and analyzed traffic patterns during an attack. In addition, a Machine Learning-based DDoS detection algorithm and a DDoS detection algorithm based on the Degree of Attack (abbreviated DDADA) have been proposed (called DAMDL). The proposed techniques allow one to detect DDoS assaults in an SDN setting. First, when the SDN controller is under DDoS assault, researchers have developed four approaches to evaluate the effectiveness of DDoS attack detection (named flow length, flow duration, flow size, and flow ratio). Second, a novel concept known as “degree of attack” is developed to identify the specific DDoS assault type. A third suggestion is made for determining whether or not an assault is in progress. As a term, this is known as DDADA. Finally, a novel machine learning-based detection approach called DDAML is utilized to locate the DDoS assault, enhancing the effectiveness of detection.


Researchers obtained results from the traffic generator when we faked a distributed denial of service assault as shown in figure 1. All kinds of data from the network, including UDP, TCP, and ICMP, have been gathered. Hping3 is responsible for the DDoS attacks, and it can launch TCP, UDP, and ICMP flood attacks. When compared to the other NB, KNN, SVM, and CIC SVM methods, DDADA and DDAML fare the best. The effectiveness of the detection process may be gauged, in large part, by the precision of the detection analysis. The F-measures of the six comparing algorithms are displayed in Figure 2 at various times. Figure 3 displays the receiver operating characteristic curves for the six DDoS detection techniques that were evaluated. The DDAML approach has a high area under the curve (AUC) of 0.912, indicating that it provides accurate predictions. Compared to the NB, SVM, CIC-SVM, and DDADA algorithms, which have values of 0.891, 0.893, 0.895, and 0.899, respectively, this is superior.

FIGURE 1. SDN architecture

FIGURE 2. DDoS attack generation and detection.

FIGURE 3. Comparison of ROC curves.


The DDoS attack is now the biggest threat to the SDN network’s security. For DDoS attacks to be stopped, you must be able to recognize the attack. Even the most advanced methods for spotting DDoS attacks have low accuracy and can be thrown off by other things. In order to solve the problems listed above, the following have been done: First, we look at how the SDN controller is affected by a DDoS attack based on our four proposed features: flow length, flow duration, flow size, and flow ratio. Second, a new idea called “level of attack” is introduced and used to describe a DDoS attack. The DDADA algorithm is proposed as a way to find something based on this idea. The DDAML algorithm is a second way to find DDoS attacks. It is used to improve the effectiveness of detection. The test results show that our proposed methods are better at spotting DDoS attacks than those that are currently used, and they also have a higher rate of spotting. Lastly, the results of the experiments show that the DDAML algorithm is better than the competition in a number of ways. The DDADA and DDAML algorithms will continue to be improved by researchers so that they can be used in the real SDN environment in future work.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top