A two-stage detection system of DDoS attacks in SDN using a trigger with multiple features and self-adaptive thresholds

2023 17th International Conference on Ubiquitous Information Management and Communication (IMCOM) (2023)

Abstract
Software-defined networking (SDN) has received a lot of attention in academia and industry in recent years, and DDoS attacks are still one of the most dangerous threats. As cyberattacks become more sophisticated, detection systems also become more complex and computationally intensive, for example, Deep Learning-based detection. Against this background, two-stage detection is proposed, in which a trigger is introduced before the complex detection is invoked. That is, the heavy detection module is called only when the requirements in the trigger are satisfied. Clearly, the triggering mechanism plays an important role in such detection systems, as it determines when the second stage is invoked. Most of the existing relevant studies utilize one feature and a fixed threshold. However, it is not easy to predefine suitable thresholds in practice, and one feature is often not sufficient for effective trigger conditions, which have a significant impact on the detection performance of the whole detection system. The latest related work uses dynamic thresholding, but still only one feature, and the threshold adaptation mechanism is too simplistic, which makes it too difficult to use in real applications. Moreover, the performance of the approaches in most of the related works is verified only using simulated data. In this study, we increase the number of features and optimize the threshold adjustment method in the trigger. In addition, in the detection module of the second stage, six features carefully determined from traffic bytes, packets, and IP addresses are used. The performance of the proposal is demonstrated in a simulated SDN environment using a public dataset. The experimental results indicate that the number of times the computationally intensive detection module is called is significantly reduced, while at the same time the detection performance of the overall system is not degraded.
Keywords
SDN, SVM, Cyberattack Detection, DDoS attack, Dynamic threshold