A lightweight DDoS detection scheme under SDN context

Software-defined networking (SDN), a novel network paradigm, separates the control plane and data plane into different network equipment to realize the flexible control of network traffic. Its excellent programmability and global view present many new opportunities. DDoS detection under the SDN context is an important and challenging research field. Some previous works attempted to collect and analyze statistics related to flows, usually recorded in switches, to address DDoS threats. In contrast, other works applied machine learning-based solutions to identify DDoS and achieved promising results. Generally, most previous works need to periodically request flow rules or packets to obtain flow statistics or features to detect stealthy exceptions. Nevertheless, the request for flow rules is very time-consuming and CPU-consuming; moreover may congest the communication channel between the controller and the switches. Therefore, we present FORT, a lightweight DDoS detection scheme, which spreads the rule-based detection algorithm at edge switches and determines whether to start it by periodically retrieving the ports state. A time-series algorithm, ARIMA, is utilized to determine the port statistics adaptively, and an SVM algorithm is applied to detect whether a DDoS attack does occur. Representative experiments demonstrate that FORT can significantly reduce the controller load and provide a reliable detection accuracy. Referring to the false alarm rate of 1.24% in the comparison scheme, the false alarm rate of this scheme is only 0.039%, which significantly reduces the probability of false alarm. Besides, by introducing the alarm mechanism, this scheme can reduce the load of the southbound channel by more than 60% in the normal state.