Enhancing DDoS defense in SDN using hierarchical machine learning models

Abstract

Software Defined Networking (SDN) enhances network management by decoupling the control plane from the data plane, centralizing control in a software-based controller. While this architecture simplifies network administration, it also introduces vulnerabilities, particularly to Distributed Denial of Service (DDoS) attacks that can overwhelm the central controller and disrupt network operations. Current DDoS defense mechanisms, often based on conventional network datasets, fail to address SDN-specific challenges and typically focus on high-rate attacks, overlooking other critical types. To address these issues, we propose a hierarchical DDoS defense system (HDDS) tailored for SDN environments, capable of adapting to various network conditions through retraining. To support this, we introduce SDN-DAD, a dataset tailored for SDN that includes diverse attack traffic, such as legitimate traffic, flash traffic, and a variety of DDoS attacks, including low-rate, slow, and flood attacks targeting both the application and transport layers. Furthermore, we identify optimal features for attack detection that minimize computational load on the SDN controller. Our HDDS model achieves 95% detection accuracy for a wide range of DDoS attacks, with 100% accuracy for high-rate attacks, ensuring robust defense while preventing bottlenecks during high-traffic events. This approach enhances the security and resilience of SDN environments against a broad spectrum of DDoS threats, ensuring robust defense across varying network conditions.