A DDoS attack detection and countermeasure scheme based on DWT and auto-encoder neural network for SDN

Computer Networks(2022)

Abstract
Software Defined Networking provides new functionalities to easily manage, configure, and optimize network resources by introducing a clear separation between the control entity and the forwarding devices. Such functionalities also help network operators detect and mitigate security attacks on the network and provide a better security level compared to traditional networks. However, some security threats, particularly distributed denial of service (DDoS) attacks, remain effective in degrading the availability of networks even though the networking paradigm has changed. Existing DDoS attack detection approaches for SDN are mainly based on statistical (threshold-based) and Machine Learning-based (ML) approaches. Considering the dynamic characteristics of network traffic, finding a dynamic threshold is somewhat problematic. On the other hand, finding an appropriate feature that can discriminate DDoS attack traffic from normal traffic is challenging for ML-based approaches. Therefore, to address the aforementioned issues, in this work we propose a DDoS attack detection and countermeasure scheme based on discrete wavelet transform (DWT) and an auto-encoder neural network for SDN. The proposed scheme extracts statistical features from the wavelet transform to be processed by an auto-encoder neural network to detect samples of DDoS attack traffic. Later, to reduce the computational burden imposed by the neural network model, the average hit rate in the flow table of the switches is used to activate the DDoS detection of the scheme. We also provide a detailed performance analysis by considering the computational cost complexity of the algorithms proposed in the scheme and the evaluation of the successful detection rate with simulations. Our experimental results show that the proposed scheme achieves a high detection rate against DNS amplification, Network Time Protocol and TCP SYN flood attacks with a remarkably low false alarm rate.
Keywords
Distributed Denial of Service (DDoS),Software Defined Networking (SDN),Frequency domain,Discrete Wavelet Transform (DWT),Auto-encoder neural network