See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/342256675

Comparison of machine learning algorithms for DDoS attack detection in

SDNСравнение алгоритмов машинного обучения при обнаружении DDoS-
атак в программно-определяемых сетях

Article  in  Information and Control Systems · June 2020

DOI: 10.31799/1684-8853-2020-3-59-70

CITATION READS

1 500

3 authors, including:

Duc Tran Le Quyen Nguyen

The University of DaNang - University of Science and Technology University of Science and Technology - The University of Danang
31 PUBLICATIONS   40 CITATIONS    2 PUBLICATIONS   6 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

V2I communication in VANET View project

Malware Spreading Model View project

All content following this page was uploaded by Quyen Nguyen on 08 October 2021.

The user has requested enhancement of the downloaded file.

 ЗАЩИТА ИНФОРМАЦИИ

UDC 004.056.5 Articles

doi:10.31799/1684-8853-2020-3-59-70

Comparison of machine learning algorithms

for DDoS attack detection in SDN
D. T. Lea, PhD, Lecturer, orcid.org/0000-0003-3735-0314, letranduc@dut.udn.vn
M. H. Daoa, Master Student, orcid.org/0000-0002-0998-6078
Q. L. T. Nguyena, M. Sc., Lecturer, orcid.org/0000-0003-4578-9925
aThe University of Danang — University of Science and Technology, Information Technology Faculty,
54 Nguyen Luong Bang, 550000, Da Nang, Vietnam
Introduction: Distributed denial-of-service (DDoS) has become a common attack type in cyber security. Apart from the
conventional DDoS attacks, software-defined networks also face some other typical DDoS attacks, such as flow-table attack or
controller attack. One of the most recent solutions to detect a DDoS attack is using machine learning algorithms to classify the
traffic. Purpose: Analysis of applying machine learning algorithms in order to prevent DDoS attacks in software-defined network.
Results: A comparison of six algorithms (random forest, decision tree, naive Bayes, support vector machine, multilayer perceptron,
k-nearest neighbors) with accuracy and process time as the criteria has shown that a decision tree and naïve Bayes are the most
suitable algorithms for DDoS attack detection. As compared to other algorithms, they have higher accuracy, faster processing
time and lower resource consumption. The main features that identify malicious traffic compared to normal one are the number
of bytes in a flow, time flow, Ethernet source address, and Ethernet destination address. A flow-table attack can be detected
easier than a bandwidth attack, as all the six algorithms can predict this type with a high accuracy. Practical relevance: Important
features which play a supporting role in correct data classification facilitate the development of a DDoS protection system with
a smaller dataset, focusing only on the necessary data. The algorithms more suitable for machine learning can help us to detect
DDoS attacks in software-defined networks more accurately.
Keywords — DDoS, machine learning algorithms, flow-table attack, bandwidth attack.

For citation: Le D. T., Dao M. H., Nguyen Q. L. T. Comparison of machine learning algorithms for DDoS attack detection in SDN.
Informatsionno-upravliaiushchie sistemy [Information and Control Systems], 2020, no. 3, pp. 59–70. doi:10.31799/1684-8853-2020-
3-59-70

Introduction system to be paralyzed, we also face other types of

attacks. For example, instead of attacking with a
Nowadays, software defined network (SDN) is large number of large packets to occupy bandwidth,
becoming increasingly popular due to the benefits the attacker will constantly flood the network with
it provides, such as scalability, flexibility, moni- strange packets so that the controller is forced to
toring [1]. SDN architecture separates the network create new rules for these packets and write them
control from forwarding devices and enables the in flow-table. Then, the table on the switch will in-
controller to become directly programmable. The crease until there is no more space to new rules, and
controller processes the packets and decides wheth- as a consequence, the time to respond to each new
er the packets will be forwarded in the switch or requisition increased [6].
dropped. Due to its centralized nature, the control- There have been several proposed solutions to
ler can get a global view of the network, and it helps solve this problem. For example, drop packets,
the network administrators to adjust the network block port, redirection, control bandwidth, deep
traffic flow dynamically [2]. Besides, for network packet inspection, network reconfiguration, and
components to interact with each other, several ap- topology change; each solution has its advantages
plication programming interfaces were developed and disadvantages [5]. However, for the above at-
with this network model, typically the OpenFlow tack mitigation techniques to be effective, SDN
(OF) protocol [3]. needs to implement effective DDoS attack detec-
However, the SDN network also faces many se- tion techniques. The paper [5] introduces several
curity threats [4]. When management becomes cen- methods for detecting DDoS attacks, such as using
tralized, it will be easier for the administration, but entropy [7], traffic pattern analysis [8], connection
it will also be easier to be collapsed under attacks. rate [9], machine learning [6, 10]. Among them,
One of the attacks that have the most devastating DDoS detection techniques using machine learning
effect on an SDN network is the distributed deni- have received much attention in the computational
al-of-service (DDoS) attack [5]. It is explained based intelligence community [11].
on the distinct characteristics of the SDN network. This technique is not new. There have been many
In the SDN network, besides conventional DDoS at- studies considering the ability of machine learning
tacks by taking up network resources, causing the to classify traffic on the SDN environment as in

№ 3, 2020 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ 59
 ЗАЩИТА ИНФОРМАЦИИ

[12–15]. However, due to the variety of algorithms, (BayesNet), which can be used to detect DDoS at-
each machine learning algorithm (simplified here tacks in the networking system and no further ex-
by ML-algorithms) has its own approach to the planation of how to detect and mitigate DDoS at-
problem, maybe appropriate, maybe not, but it gives tack was given.
us more options to solve the problem, as well as to Kokila et al. in [13] explored the possibility of
pick out the algorithm that best suits the goal of de- launching DDoS attacks and detection of DDoS us-
tecting DDoS attack. ing the SVM classifier. The experiments are carried
In this paper, besides focusing on how to apply out using the DARPA dataset. They suggested that
machine learning to detect DDoS in the SDN en- the use of a support vector machine for detection
vironment, we will implement six different ML- of DDoS with a previously trained dataset will give
algorithms, making comparisons based on some the least false-positive results compared with other
criteria to expand the choice and finding the opti- machine learning techniques.
mal solution. These algorithms are random forest Dao et al. in [20] presented a solution based on the
(RF), decision tree (DT), naive Bayes (NB), sup- IP-filtering technique to defeat DDoS attacks. The
port vector machine (SVM), multilayer perceptron proposed scheme analyzes user behaviour and uses
(MLP), k-nearest neighbors (KNN), all supported it to assign the timeouts for the flow entries. Long
by Python libraries. timeouts are used for trusted users’ flows, while a
short timeout is assigned for malicious ones. It works
well when the attack traffic is not very massive.
Related works However, this solution drops all malicious traffic,
which may be problematic for false-positive flows.
In [16], Braga et al. proposed a lightweight meth- In [21], Nanda et al. propose using machine
od for DDoS attack detection based on traffic flow learning algorithms, trained on historical network
features. This method is implemented over a NOX- attack data, to identify the potential malicious con-
based network, where OF switches keep Flow Tables nections and potential attack destinations. They
with statistics about all active flows. This system used four ML-algorithms: DT, BayesNet, decision
monitors NOX switches at regular intervals and table and NB to predict the host that will be at-
uses self-organizing maps to classify the traffic as tacked based on the historical data. The SDN con-
normal or malicious. troller uses the prediction results to define securi-
The authors in [17] introduced a deep learning ty rules to protect the potentially vulnerable hosts
based multi-vector DDoS detection system in a SDN and restrict the access of potential attackers by
environment. A DDoS detection system that incor- blocking the entire subnet.
porates stacked autoencoder based deep learning Our paper is motivated by Santos’s paper [6],
approach in an SDN environment was implemented. in which the authors managed to exploit differ-
The authors evaluated its performance on a dataset ent kinds of machine learning algorithms to avoid
that consists of normal Internet traffic and vari- three types of DDoS attacks (controller attack, flow
ous DDoS attacks. However, as every packet has to table attack, and bandwidth attack). However, they
be collected for extracting features, this approach only focused on the typical attack type of SDN net-
may limit the performance of the controller in large works. In our paper, we are going to consider both
networks. conventional and typical DDoS attacks. We also add
In [18], Giotis et al. combined an OpenFlow and more ML-algorithms as well as modify some param-
sFlow for anomaly detection to reduce processing eters to make a comprehensive comparison and try
overhead in native OF statistics collection. It de- to find out appropriate algorithms for detecting
signs a modular mechanism that permits anomaly DDoS attacks in the SDN environment.
detection and mitigation on SDN environments, in-
cluding collector, anomaly detection and anomaly
mitigation. It leverages the packet sampling capa- Machine learning algorithms
bility of sFlow to acquire scalability improvements for DDoS detection
and to reduce the required communication between
switches and OF controllers. However, as the imple- In this paper, we will implement six different
mentation was based on flow sampling using sFlow, ML-algorithms, making comparisons based on
false-positive was quite high in attack detection. some criteria to expand the choice and finding the
In [19], Ashraf et al. aimed to handle intrusion optimal solution. These algorithms are RF, DT, NB,
and DDoS attacks in the SDN environment applying SVM, MLP, KNN [22].
machine learning techniques. However, they on- Decision tree. The DT is one of the classification
ly analyzed various machine learning techniques, techniques, which performs classification through
such as support vector machine, fuzzy logic, deci- a learning tree. In the tree, each node represents
sion tree, neural networks, and Bayesian networks a feature (attribute) of a data, all branches repre-

60 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ № 3, 2020
 ЗАЩИТА ИНФОРМАЦИИ

sent the conjunctions of features that lead to clas- are: a) put the data sample to each tree in the forest;
sifications, and each leaf node is a class label. The b) each tree gives a classification result, which is
unlabeled sample can be classified by comparing the tree’s “vote”; c) the data sample will be classi-
its feature values with the nodes of the DT. The DT fied into the class, which has the most votes.
has many advantages, such as intuitive knowledge k-nearest neighbors. The KNN is a supervised
expression, simple implementation, and high clas- learning technique, where the classification of a
sification accuracy. However, due to its instability, data sample is determined based on the k nearest
even a small change in the training dataset can re- neighbors of that unclassified sample. The process
sult in significant changes in the DT-model. of the KNN-algorithm is very simple: if most of the
Random forest. The RF-algorithm, also known KNN belong to a specific class, the unclassified
as random decision forest, can be used for classifi- sample will be classified into that class. This algo-
cation and regression tasks. A RF consists of many rithm is simple to implement but computationally
DTs. This algorithm works well on the large train- expensive due to the distance calculation of each
ing dataset and reduces instability (relative to DT). training data sample to classify a new sample.
However, it has low training speed. The steps to Naïve Bayes uses Bayesian theory that pre-
classify a new data sample by using a RF-algorithm dicts the type of the unknown samples based on

 Table 1. Hyperparameters and ML-algorithms

Models Hyperparameters Description
criterion The function to measure the quality of a split
Decision splitter The strategy used to choose the split at each node
tree min_samples_split The minimum number of samples required to split an internal node
min_samples_leaf The minimum number of samples required to be at a leaf node
n_estimators The number of trees in the forest
Random criterion The function to measure the quality of a split
forest min_samples_split The minimum number of samples required to split an internal node
min_samples_leaf The minimum number of samples required to be at a leaf node
Naive A portion of the largest variance of all features that is added to variances for
var_smoothing
Bayes calculation stability
n_neighbors The number of neighbors to use
weights Weight function used in prediction
k-nearest leaf_size Leaf size passed to BallTree or KDTree
neighbor p Power parameter for the Minkowski metric
metric The distance metric to use for the tree
algorithm Auto between: ball_tree, kd_tree, brute
Kernel Specifies the kernel type to be used in the algorithm
Gamma Kernel coefficient for ‘rbf’, ‘poly’ and ‘sigmoid’
Support
vector C Regularization parameter
machine
Tol Tolerance for stopping criterion
max_iter Hard limit on iterations within solver
hidden_layer_sizes The ith element represents the number of neurons in the ith hidden layer
activation Activation function for the hidden layer
solver The solver for weight optimization
Multilayer
alpha L2 penalty (regularization term) parameter
perceptron
max_iter The maximum number of iterations
tol Tolerance for optimization
max_fun The maximum number of loss function calls

№ 3, 2020 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ 61
 ЗАЩИТА ИНФОРМАЦИИ

prior probability using the training samples. The  Table 2. Description of studied features
Bayesian classification model relies on statistical
№ Features Description
analysis and Bayesian theory that consists of the
Bayesian learning. The NB-algorithm operates by 0 Byte_count Number of bytes in a flow
segregating the training set into an attribute vec- Opaque controller-issued
tor and a decision variable. The algorithm also as- 1 Cookie
identifier
sumes that every member of the attribute vector
2 Eth_src Ethernet source address
independently acts on the decision variables.
Support vector machine. SVM is another popular 3 Eth_dst Ethernet destination address
supervised learning method, which has been wide- Time flow has been alive in
ly used in classification and pattern recognition. 4 Duration_nsec
nanoseconds
The basic idea of SVM is to map the input vectors
into a high-dimensional feature space. This map- Time flow has been alive in
5 Duration_sec
seconds
ping is achieved by applying different kernel func-
tions, such as linear, polynomial and radial based 6 Hard_timeout
Max time before discarding
function (RBF). The objective of SVM is to find a (seconds)
separating hyperplane in the feature space to maxi- Idle time before discarding
mize the margin between different classes. The dis- 7 Idle_timeout
(seconds)
advantage of this algorithm is hard to train large
8 In_port Port ID
datasets because the training is computationally
expensive. Max length to send to the
9 Max_len
Multilayer perceptron. The MLP is a class of controller
feedforward artificial neural network and has 10 Packet_count Number of packets in the flows
been widely adopted neural network for intrusion
11 Priority The priority level of a flow entry
detection in conventional systems. An MLP con-
sists of at least three layers of nodes: an input lay- 12 Port Output port
er, a hidden layer, and an output layer. Except for The ID of the table to put the
the input nodes, each node is a neuron that uses a 13 Table_id
flow in
nonlinear activation function. MLP utilizes a su-
14 Type Type of action
pervised learning technique called backpropaga-
tion for training. Its multiple layers and non-linear
activation distinguish MLP from a linear percep-
tron. It can distinguish data that is not linearly tures needed to reduce data in building models of
separable. other algorithms.
Each algorithm has its own strengths. We will
test each algorithm as well as compare them togeth-
er to select the optimal algorithm for the detection Goals and implementation plan
of DDoS attacks in the SDN network. Table 1 shows
the hyperparameters used in this experiment asso- Goals
ciated with the respective machine learning algo- The primary purpose of our experiment is to
rithm. find ways to apply machine learning to detect DDoS
The studied features used to build the model for attacks in SDN networks. Besides, another goal that
the algorithms are shown in Table 2. we are aiming at in this paper is to compare differ-
The number of studied features is up to 14, which ent ML-algorithms as a solution to the problem, be-
is almost all of the data that we can get from the cause each algorithm has its own characteristics.
flow-table through OpenFlow Switch. Among the Based on [23], the basic criteria to evaluate a
above features, not all features help to detect abnor- model in detecting abnormal traffic such as DDoS
mal and normal traffic classification. However, at include accuracy, data quality, correctness, and ef-
this time, it is not known which features will play a ficiency. In this paper, since all the tests take place
decisive role in detecting DDoS attacks, so the mod- in a simulation environment, and there is always a
els will be built based on all these features. At the difference between simulation data and actual col-
end of the experiment, we can review and take out lected data, we will not perform an evaluation based
the important features table to find out which fea- on data quality.
tures will play a decisive role in this case. Because Usually, with classification problems for any
the characteristics of each algorithm are differ- model of machine learning, accuracy criterion is a
ent, important features are particular parameters suitable criterion for evaluation. It indicates how
that can only be derived when studying DT and RF. much percentage of a model’s accuracy is rated,
However, these features still help identify the fea- which makes it easy to visualize. For processing

62 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ № 3, 2020
 ЗАЩИТА ИНФОРМАЦИИ

time, this is the time for a model to classify a flow 20

from input into normal traffic or abnormal traffic. 18

Packets per sec u 104

In other words, the accuracy and processing time 16
criteria will represent the efficacy and efficiency 14
of the machine learning model, respectively. Also, 12
10
to evaluate the algorithms more objectively, we rely
80
on information from the receiver operating charac-
60
teristic (ROC) curve (correctness) [6] to be able to 40
choose the suitable model. 20
0
Planning 1 6 11 16 21 26 31 36 41 46 51 56 61 66 71 76 81 86 91
Time, s
Network architecture  Fig. 2. Bandwidth flooding traffic
The entire experiment is carried out on Ubuntu
18.04 virtual machine VMware with hardware con-
figuration Core i5-5200U (2.2 GHz, 4 cores, 4 pro- 16
cessors), 2 GB of RAM, and 40 GB hard drive space.

Packets per sec u 102

14
Mininet VN (version 2.3.0d6) is used for creating the 12
SDN network with an RYU controller (version 4.32), 10
one OpenFlow Switch and three hosts, as shown in 8
Fig. 1. 6
4
Methods of attacks 2
In addition to conventional attacks to a host 0
or a group of hosts such as UDP flood, ping flood 1 6 11 16 21 26 31 36 41 46 5156 61 66 7176 81 86 91 96
or smurf attack (collectively called bandwidth at- Time, s
tacks), SDN network can also be attacked by new  Fig. 3. Normal traffic
DDoS attack types due to its own structural charac-
teristics such as controller attack, flow-table attack
[6]. Therefore, to be able to study objectively and
more fully, we will try the bandwidth attack and the For bandwidth attack, we will focus on taking
flow-table attack in SDN at the same time. up the network bandwidth by continuously flooding
For flow-table attack, we will use Scapy tool to large packets (256–512 KB) to hosts in the network.
continuously send packets from different addresses We will combine many different types, including
(there are 20,000 randomly generated Ips saved in ICMP flood, TCP SYN flood and UDP flood. We
a file) to the attacked device. When the switch re- use the hping3 tool to get the best results. Unlike
ceives this type of packet, it creates a new rule and flow-table attack when it only focuses on increasing
adds to its flow-table. As the number of incoming the number of entries in the flow-table as quickly
packets grows, the number of entries in flow-table as possible, for this attack method instead of focus-
increases and leads to overloading, causing a delay ing on the number of attacker machines, we focus
in responding to other requests from the controller. on packet-flood rate (pps — packets per second) and
packet size to take up the network bandwidth.
Figure 2 shows the average network traffic under
a DDoS attack with bandwidth attack (pps ~ 120,000).
We can see a huge difference comparing to nor-
Controller mal traffic shown in Fig. 3. Normal traffic is sim-
ulated using Scapy. UDP, HTTP, ICMP packets are
continuously created for sending inside the net-
work, generating reasonable traffic (pps ~ 1.000).
OpenFlow
Switch
Experiment Execution

Data Collection
To collect the necessary data from the switch’s
Host flow-table, we built a separate module. This module
is responsible for reading entries in the flow-table
every second, recording the required information
 Fig. 1. SDN network architecture for the experiment into a data file, and labelling it.

№ 3, 2020 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ 63
 ЗАЩИТА ИНФОРМАЦИИ

We then use hping3 from one of the three hosts  Table 3. The best hyperparameters set for each ML-
inside the network (see Fig. 1) to create a bandwidth algorithm
attack on the remaining hosts. Similarly, we use Model Hyperparameter Value
Scapy to create flow-table attack as well as normal
n_estimators 10
traffic.
In the end, the data collected is 7500 data for Random criterion Gini
each type (2500 data of the dataflow table for band- forest min_samples_split 2
width attack, 2500 for flow-table attack, and 2500
min_samples_leaf 1
for normal traffic). Based on this data set, we will
create two separate datasets: train dataset and test Criterion Gini
dataset for the next process. Splitter Best
Decision tree
min_samples_split 2
Building model
We use the training dataset prepared above to min_samples_leaf 1
build the models. After that, we will check with the Naive Bayes var_smoothing 1e-9
test dataset to get the best results. To avoid mod- n_neighbors 3
el overfitting (especially for NB, KNN, SVM, and
MLP), standardization of the values of the features weights Uniform
was applied to the data using StandardScaler in k-nearest leaf_size 30
scikit-learn [24]. neighbors p 2
Next is the process of tuning hyperparameters.
metric Minkowski
We use the GridSearch technique (from Sklearn
Library) to find the best hyperparameters set. It algorithm Auto
helps to build a suitable model that is highly effec- Kernel Rbf
tive.
Support Gamma Auto
After having obtained a reasonable hyperpa-
rameter set, during the next training period, we vector C 1e+5
use cross-validation to avoid algorithms’ overfit- machine Tol 1e-3
ting with the training dataset. Specifically, we use
Max_iter -1
StratifiedKFold [24] with ten folds and then evalu-
ate the returned results, from which the conclusion hidden_layer_sizes (5,)
is made. activation Relu
solver Lbfgs
Multilayer
Results alpha 1e-3
perceptron
max_iter 2000
After the process of tuning hyperparameter, we Tol 1e-4
obtain the following parameters, as in Table 3.
The main objective of this study is to apply ma- max_fun 2000
chine learning to detect DDoS attacks, compare
algorithms, and build a model that can classify as
many types of traffic as possible. Therefore, from this value is 1 (100 %), it means that the algorithm
the initial data (7500 data of dataflow table, 2500 has no error and classifies the data perfectly.
of each type), we will create six different datasets, Figure 4 shows a comparison of the accuracy of
including train/test datasets for normal traffic and ML-algorithms.
bandwidth attack traffic (ratio 1:1); train/test data- It is easy to realize that for the current problem,
sets for normal traffic and flow-table attack traffic the lazy learner algorithm — KNN is entirely in-
(ratio 1:1); finally, train/test datasets for all three appropriate. It gives results with low accuracy for
traffic types at once (ratio 1:1:1). bandwidth attack. For flow-table attack, although
To evaluate the accuracy of the ML-algorithms the results are quite good, it is inferior to the re-
for each attack simulated, we use the following for- maining algorithms.
mula [6]: The two algorithms SVM and MLP are useful
algorithms for this problem with high accuracy.
Number of correct classifications
Accuracy  . However, SVM still has many errors in the classifi-
Total of samples cation of bandwidth attack.
The other three algorithms are RF, DT, and NB
The accuracy is a statistical value that deter- are excellent algorithms with an almost absolute
mines how close our ML-algorithm is to the ideal. If precise classification capability.

64 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ № 3, 2020
 ЗАЩИТА ИНФОРМАЦИИ

100 prediction and the rate of omission depending on

the characteristics of each specific case.
95
In the graphs, we also show the area under curve
(AUC) metric, that is, the area under the curve.
Accuracy, %

90
When this metric is higher, then the classification
85 is better. Fig. 6, a–f presents the ROC curve for all
algorithms.
80

75
Analysis and interpretation
70
DT NB SVM MLP KNN RF Based on the results we have obtained above,
Machine learning algorithm we can say that the type of algorithm lazy learn-
all DDoS attack bandwidth attack er — KNN is not appropriate for DDoS detection.
flow-table attack Because the accuracy prediction rate is low, and it
 Fig. 4. Accuracies of ML-algorithms for each DDoS takes a lot of processing time. The reason may be
attack due to the similarity between the traffics at the
start of the attack. It leads to misjudging the re-
sults because the evaluation is based on nearby
18 neighbors. At the same time, for KNN, the process
16 to make predictions always takes place when new
14
data is received, meaning it requires a longer time
to calculate and produce results.
12
Time unit

The two algorithms, SVM and MLP, are useful

10 algorithms, capable of applying in detecting DDoS
8 attack with high accuracy and the processing speed
6 is not slow, which is at an average level. However,
looking at ROC curve with cross-validation, we
4
found that there are still quite large errors for some
2 data groups; this is relatively understandable be-
0 cause, for SVM, when the noise appears, the hyper-
DT NB SVM MLP KNN RF
plane cannot divide the data exactly, but most are
Machine learning algorithm
still acceptable.
 Fig. 5. Relative time to process The other three algorithms, RF, DT, and NB, are
all excellent algorithms with almost exact classifi-
cation ability, showing the suitability of these al-
Besides accuracy, we also use process time for gorithms for the classification of anomalies traffic
comparison. Fig. 5 presents this comparison. and normal traffic. Nevertheless, although the RF
As we can see, the two algorithms RF and KNN, has almost absolute accuracy, it takes a lot of time
take too much time to process compared to other al- to process. The number of trees (10 trees) explains
gorithms. Among the remaining four algorithms, this. Each tree consumes a particular time, re-
although the DT has a faster processing speed than sulting in significantly increased time. Therefore,
NB, SVM, and MLP, all four algorithms show that when we need high processing speed and low re-
they are consistent with the traffic classification. source consumption, RF will not be appreciated as
Besides, in this paper, we also build ROC сurve DT and NB algorithms.
graphs in the model evaluation phase by cross-vali- In contrast to RF, both DT and NB algorithms
dation for each algorithm in each attack. have very fast processing speed. For the DT-
The ROC curve represents a relation between algorithm, the fast processing speed is explained
true positive rate — represented by the percentage by its advantage. After training to build a deci-
of data classified as malicious that is really mali- sion, the next classification of this algorithm will
cious and false positive rate — the percentage of not need much calculation. For NB, this is always
data classified as normal, but that is malicious. considered an easy algorithm to implement and
This curve is very used in the machine learning to train even with small data sets. NB is a light-
choose a good point for the classifiers, given by the weight algorithm, but the results are still very
point above the central curve in which the distance good.
between them is maximum. With such results, DT and NB are suitable algo-
To determine a good model, we need to consider rithms for the problem of detecting DDoS attacks in
the shape of the сurve as well as the rate of false the SDN network.

№ 3, 2020 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ 65
 ЗАЩИТА ИНФОРМАЦИИ

а) 1.0 1.0

0.8 0.8

True positive rate

True positive rate

0.6 0.6

0.4 0.4

0.2 0.2

0.0 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0
False positive rate False positive rate
ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00)
ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00)
ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00)
ROC fold 3 (AUC 1.00) Chance ROC fold 3 (AUC 1.00) Chance
ROC fold 4 (AUC 1.00) Mean ROC (AUC 0.99 r 0.00) ROC fold 4 (AUC 1.00) Mean ROC (AUC 0.99 r 0.00)
ROC fold 5 (AUC 1.00) r 1 std. dev. ROC fold 5 (AUC 1.00) r 1 std. dev.
ROC fold 6 (AUC 1.00) ROC fold 6 (AUC 1.00)

b) 1.0 1.0

0.8 0.8
True positive rate

True positive rate

0.6 0.6

0.4 0.4

0.2 0.2

0.0 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0
False positive rate False positive rate
ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00)
ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00)
ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00)
ROC fold 3 (AUC 1.00) Chance ROC fold 3 (AUC 1.00) Chance
ROC fold 4 (AUC 1.00) Mean ROC (AUC 0.99 r 0.00) ROC fold 4 (AUC 1.00) Mean ROC (AUC 0.99 r 0.00)
ROC fold 5 (AUC 1.00) r 1 std. dev. ROC fold 5 (AUC 1.00) r 1 std. dev.
ROC fold 6 (AUC 1.00) ROC fold 6 (AUC 1.00)

c) 1.0 1.0

0.8 0.8
True positive rate

True positive rate

0.6 0.6

0.4 0.4

0.2 0.2

0.0 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0
False positive rate False positive rate
ROC fold 0 (AUC 0.75) ROC fold 0 (AUC 0.88) ROC fold 0 (AUC 0.96) ROC fold 0 (AUC 0.99)
ROC fold 1 (AUC 0.49) ROC fold 1 (AUC 0.88) ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 0.97)
ROC fold 2 (AUC 0.53) ROC fold 2 (AUC 0.91) ROC fold 2 (AUC 0.97) ROC fold 2 (AUC 0.95)
ROC fold 3 (AUC 0.90) Chance ROC fold 3 (AUC 0.98) Chance
ROC fold 4 (AUC 0.88) Mean ROC (AUC 0.77 r 0.16) ROC fold 4 (AUC 0.93) Mean ROC (AUC 0.97 r 0.02)
ROC fold 5 (AUC 0.65) r 1 std. dev. ROC fold 5 (AUC 0.96) r 1 std. dev.
ROC fold 6 (AUC 0.89) ROC fold 6 (AUC 0.99)

 Fig. 6. ROC curve for DT-algorithm (a); RF-algorithm (b); KNN-algorithm (c); MLP-algorithm (d); SVM-algorithm (e);

66 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ № 3, 2020
 ЗАЩИТА ИНФОРМАЦИИ

d) 1.0 1.0

0.8 0.8

True positive rate

True positive rate

0.6 0.6

0.4 0.4

0.2 0.2

0.0 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0
False positive rate False positive rate
ROC fold 0 (AUC 0.75) ROC fold 0 (AUC 0.88) ROC fold 0 (AUC 0.96) ROC fold 0 (AUC 0.99)
ROC fold 1 (AUC 0.49) ROC fold 1 (AUC 0.88) ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 0.97)
ROC fold 2 (AUC 0.53) ROC fold 2 (AUC 0.91) ROC fold 2 (AUC 0.97) ROC fold 2 (AUC 0.95)
ROC fold 3 (AUC 0.90) Chance ROC fold 3 (AUC 0.98) Chance
ROC fold 4 (AUC 0.88) Mean ROC (AUC 0.77 r 0.16) ROC fold 4 (AUC 0.93) Mean ROC (AUC 0.97 r 0.02)
ROC fold 5 (AUC 0.65) r 1 std. dev. ROC fold 5 (AUC 1.00) r 1 std. dev.
ROC fold 6 (AUC 0.89) ROC fold 6 (AUC 0.96)
e) 1.0 1.0

0.8 0.8
True positive rate

True positive rate

0.6 0.6

0.4 0.4

0.2 0.2

0.0 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0
False positive rate False positive rate
ROC fold 0 (AUC 0.97) ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00)
ROC fold 1 (AUC 0.92) ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00)
ROC fold 2 (AUC 0.99) ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00)
ROC fold 3 (AUC 1.00) Chance ROC fold 3 (AUC 1.00) Chance
ROC fold 4 (AUC 1.00) Mean ROC (AUC 0.98 r 0.03) ROC fold 4 (AUC 1.00) Mean ROC (AUC 0.99 r 0.00)
ROC fold 5 (AUC 0.96) r 1 std. dev. ROC fold 5 (AUC 1.00) r 1 std. dev.
ROC fold 6 (AUC 1.00) ROC fold 6 (AUC 1.00)

f) 1.0 1.0

0.8 0.8
True positive rate

True positive rate

0.6 0.6

0.4 0.4

0.2 0.2

0.0 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0
False positive rate False positive rate
ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00) ROC fold 0 (AUC 1.00)
ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00) ROC fold 1 (AUC 1.00)
ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00) ROC fold 2 (AUC 1.00)
ROC fold 3 (AUC 1.00) Chance ROC fold 3 (AUC 1.00) Chance
ROC fold 4 (AUC 1.00) Mean ROC (AUC 0.99 r 0.00) ROC fold 4 (AUC 1.00) Mean ROC (AUC 0.99 r 0.00)
ROC fold 5 (AUC 1.00) r 1 std. dev. ROC fold 5 (AUC 1.00) r 1 std. dev.
ROC fold 6 (AUC 1.00) ROC fold 6 (AUC 1.00)

NB-algorithm (f) under bandwidth attack (left) and flow-table attack (on right)

№ 3, 2020 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ 67
 ЗАЩИТА ИНФОРМАЦИИ

In terms of attack type, the data shows that mal traffic’s packet_count. Same with byte_count.
flow-table attack is a more recognizable type of at- However, most of the features that we collect from
tack than a bandwidth attack using the above algo- OpenFlow Switch are almost useless. The result is
rithms. shown in Fig. 7.
We also try to check the features, which play a Table 4 presents the features according to its
supporting role (important features) to the process importance for the detection of the anomalies.
of correctly classifying data for the DT-algorithm.
Features that play the essential role are byte_count,
duration_sec, packet_count, and some other fea- Conclusion
tures. It is also to be expected because, with DDoS
attacks, the large amount of incoming packets The benefits of SDN network to overcome the
makes packet_count change a lot compared to nor- drawbacks of a traditional network model are un-
disputed, but there are also certain limitations. For
example, the entire system will collapse if the con-
0.8 troller receives a DDoS attack and cannot respond
0.7 to other valid requests. But based on what we have
Importance

0.6 tested above and the results we have obtained, the

0.5
application of ML-algorithms to detect these DDoS
0.4
0.3
attacks is entirely possible, and gives very good re-
0.2 sults.
0.1 We tested six different ML-algorithms includ-
0 ing RF, NB, KNN, SVM, MLP, and DT, to classify
0 3 10 5 2 4 14 13 11 12 9 8 7 6 1
different types of traffic, including normal traf-
№ of feature in Table 2
fic, bandwidth attack traffic, and flow-table attack
 Fig. 7. Importance of each feature traffic. We have proved that DT, as well as NB, are
suitable algorithms for DDoS attack detection (high
accuracy and fast processing time, consume less re-
 Table 4. Important features for classification source compared to other algorithms).
Besides, we also pointed out that the main fea-
Position Feature Description tures that identify malicious traffic compared
1st Byte_count Number of bytes in a flow to normal traffic. It will make it easier to build a
Time flow has been alive DDoS protection system with a more compact data-
2nd Duration_sec set, focusing only on the data needed.
in seconds
Furthermore, we realized that flow-table attack
Number of packets in the
3rd Packet_count is a more easily discovered attack than Bandwidth
flows
attack, as all six algorithms can predict this type
4th Eth_src Ethernet source address with high accuracy. The efficiency of bandwidth at-
Time flow has been alive tack detection is lower, so we need to focus more on
5th Duration_nsec
in nanoseconds this type to improve the predictive results.
Ethernet destination In future work, we will focus on data quality cri-
6th Eth_dst teria by comparing the results of detection between
address
simulation dataset and real dataset.

References munication, 2008, no. 38(2), pp. 69–74. doi:10.1145/

1355734.1355746
1. Kreutz D., Ramos F. M. V., Verissimo P. E., Rothen- 4. Ahmad Ijaz, Namal S., Ylianttila M. & Gurtov A.
berg C. E., Azodolmolky S., & Uhlig S. Software-de- Security in software defined networks: A Survey.
fined networking: A comprehensive survey. Proceed- IEEE Communications Surveys and Tutorials, 2015,
ings of the IEEE, 2015, no. 103(1), pp. 14–76. doi:10. no. 17(4), pp. 2317–2346. doi:10.1109/COMST.2015.
1109/jproc.2014.2371999 2474118
2. Farhady H., Lee H. & Nakao A. Software-defined net- 5. Bawany N. Z., Shamsi J. A. & Salah K. DDoS attack
working. Computer Networks, 2015, no. 81(81), pp. 79– detection and mitigation using SDN: Methods, prac-
95. doi:10.1016/j.comnet.2015.02.014 tices, and solutions. Arabian Journal for Science and
3. McKeown N., Anderson T., Balakrishnan H., Engineering, 2017, no. 42(2), pp. 425–441. doi:10.
Parulkar G., Peterson L., Rexford J., Shenker S. & 1007/s13369-017-2414-5
Turner J. OpenFlow: Enabling innovation in campus 6. Santos R., Souza D., Santo W., Ribeiro A. & More-
networks. Acm Special Interest Group on Data Com- no E. Machine learning algorithms to detect DDoS at-

68 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ № 3, 2020
 ЗАЩИТА ИНФОРМАЦИИ

tacks in SDN. Concurrency and Computation: Prac- ogy (ICSSIT), 2018, pp. 299–303. doi:10.1109/ics-
tice and Experience, 2019, e5402. doi:10.1002/ sit.2018.8748836
cpe.5402 16. Braga R., Mota E. & Passito A. Lightweight DDoS
7. Swami R., Dave M. & Ranga V. Defending DDoS flooding attack detection using NOX/OpenFlow.
against software defined networks using entropy. IEEE Local Computer Network Conference, 2010,
2019 4th International Conference on Internet of pp. 408–415. doi:10.1109/LCN.2010.5735752
Things: Smart Innovation and Usages (IoT-SIU), 17. Niyaz Q., Sun W., & Javaid A. Y. A deep learning
2019, pp. 1–5. doi:10.1109/IoT-SIU.2019.8777688 based DDoS detection system in Software-Defined
8. Yen T. F. & Reiter M. K. Traffic aggregation for mal- Networking (SDN). ICST Transactions on Security
ware detection. International Conference on Detec- and Safety, 2017, no. 4(12), p. 153515. doi:10.4108/
tion of Intrusions and Malware, and Vulnerability eai.28-12-2017.153515
Assessment, 2008, pp. 207–227. doi:10.1007/978-3- 18. Giotis K., Argyropoulos C., Androulidakis G., Kalo-
540-70542-0_11 geras D. & Maglaris V. Combining OpenFlow and
9. Mehdi S. A., Khalid J. & Khayam S. A. Revisiting sFlow for an effective and scalable anomaly detection
traffic anomaly detection using software defined net- and mitigation mechanism on SDN environments.
working. International Workshop on Recent Advances Computer Networks, 2014, vol. 62, pp. 122–136.
in Intrusion Detection, 2011, pp. 161–180. doi:10. doi:10.1016/j.bjp.2013.10.014
1007/978-3-642-23644-0_9 19. Javed A. & Latif S. Handling intrusion and DDoS at-
10. Elsayed M. S., Le-Khac N., Dev S., & Jurcut A. D. Ma- tacks in Software Defined Networks using machine
chine-learning techniques for detecting attacks in learning techniques. 2014 National Software Engi-
SDN. 2019 IEEE 7th International Conference on neering Conference, 2014, pp. 55–60. doi:10.1109/
Computer Science and Network Technology (ICCSNT), nsec.2014.6998241
2019, pp. 277–281. doi:10.1109/ICCSNT47585. 20. Dao N. N., Park J., Park M. & Cho S. A feasible meth-
2019.8962519 od to combat against DDoS attack in SDN network.
11. Xiaoqiong X., Hongfang Y. & Kun Y. DDoS attack in 2015 International Conference on Information Net-
software defined networks: a survey. ZTE Communi- working (ICOIN), 2015, pp. 309–311. doi:10.1109/
cations, 2017, no. 15(3), pp. 13–19. icoin.2015.7057902
12. Nam T. M., Phong P. H., Khoa T. D., Huong T. T., 21. Nanda S., Zafari F., DeCusatis C., Wedaa E. & Yang
Nam P. N., Thanh N. H., Thang L. X., Tuan P. A. B. Predicting network attack patterns in SDN using
& Loi V. D. Self-organizing map-based approaches in machine learning approach. 2016 IEEE Conference on
DDoS flooding detection using SDN. 2018 Interna- Network Function Virtualization and Software De-
tional Conference on Information Networking fined Networks (NFV-SDN), 2016, pp. 167–172.
(ICOIN), 2018, pp. 249–254. doi:10.1109/icoin.2018. doi:10.1109/NFV-SDN.2016.7919493
8343119 22. Xie J., Yu F. R., Huang T., Xie R., Liu J., Wang C. &
13. Kokila R. T., Selvi S. T. & Govindarajan K. DDoS Liu Y. A survey of machine learning techniques ap-
detection and analysis in SDN-based environment plied to software defined networking (SDN): Re-
using support vector machine classifier. 2014 search issues and challenges. IEEE Communications
Sixth International Conference on Advanced Com- Surveys & Tutorials, no. 21(1), 2018, pp. 393–430.
puting (ICoAC), 2014, pp. 205–210. doi:10.1109/ doi:10.1109/comst.2018.2866942
icoac.2014.7229711 23. Bhuyan M. H., Bhattacharyya D. K. & Kalita J. K.
14. Yang L. & Zhao H. DDoS attack identification and de- Network Traffic Anomaly Detection and Prevention:
fense using SDN based on machine learning method. Concepts, Techniques, and Tools. Springer, 2017.
2018 15th International Symposium on Pervasive Sys- 263 p. doi:10.1007/978-3-319-65188-0
tems, Algorithms and Networks (I-SPAN), 2018, 24. Pedregosa F., Varoquaux G., Gramfort A., Michel V.,
pp. 174–178. doi:10.1109/i-span.2018.00036 Thirion B., Grisel O., Blondel M., Prettenhofer P.,
15. Deepa V., Sudar K.M. & Deepalakshmi P. Detection Weiss R., Dubourg V. & Vanderplas J. Scikit-learn:
of DDoS attack on SDN control plane using hybrid Machine learning in Python. Journal of Machine
machine learning techniques. 2018 International Learning Research, 2011, no. 12, pp. 2825–2830.
Conference on Smart Systems and Inventive Technol-

№ 3, 2020 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ 69
 ЗАЩИТА ИНФОРМАЦИИ

УДК 004.056.5
doi:10.31799/1684-8853-2020-3-59-70
Сравнение алгоритмов машинного обучения при обнаружении DDoS-атак в программно-определяемых сетях
Д. Ч. Леa, канд. техн. наук, лектор, orcid.org/0000-0003-3735-0314, letranduc@dut.udn.vn
М. Х. Даоa, магистрант, orcid.org/0000-0002-0998-6078
К. Л. Т. Нгуэнa, магистр, лектор, orcid.org/0000-0003-4578-9925
aУниверситет Дананга — Университет науки и техники, факультет информационных технологий, 54, Нгуэн Лунг

Банг, Дананг, 550000, Вьетнам

Введение: распределенная атака типа «отказ в обслуживании» (DDoS) стала популярным типом атак в кибербезопасности. По-
мимо обычных DDoS-атак, программно-определяемые сети сталкиваются с некоторыми другими типичными DDoS-атаками, та-
кими как атака с использованием потоковой таблицы и атака контроллера. Одним из самых последних решений для обнаружения
DDoS-атак является использование алгоритмов машинного обучения для классификации трафика. Цель: анализ применения ал-
горитмов машинного обучения для предотвращения DDoS-атак программно-определяемых сетей. Результаты: сравнение шести
алгоритмов (случайный лес, дерево решений, наивный байесовский метод, машина опорных векторов, многослойный персептрон,
k-ближайшие соседи) по критериям точность и время обработки показало, что дерево решений, как и наивный байесовский, яв-
ляются лучшими алгоритмами для обнаружения DDoS-атак (высокая точность и быстрое время обработки, меньшее потребление
ресурсов по сравнению с другими алгоритмами). Указаны и проанализированы основные функции, которые идентифицируют
вредоносный трафик по сравнению с обычным трафиком: количество байтов в потоке, поток времени, Ethernet-адрес источника,
Ethernet-адрес назначения. По результатам исследований сделан вывод, что атака с использованием таблицы потоков является
более легкой для обнаружения, чем атака по пропускной способности. Практическая значимость: основные функции, которые
играют вспомогательную роль в процессе правильной классификации данных, облегчают создание системы защиты от DDoS-атак
с более компактным набором данных, включающим только необходимые данные. Алгоритмы, которые более подходят для ма-
шинного обучения, помогут точнее обнаруживать DDoS-атаки в программно-определяемых сетях.
Ключевые слова — DDoS, алгоритмы машинного обучения, атака по таблице потоков, атака по пропускной способности.

Для цитирования: Le D. T., Dao M. H., Nguyen Q. L. T. Comparison of machine learning algorithms for DDoS attack detection in SDN.
Информационно-управляющие системы, 2020, № 3, с. 59–70. doi:10.31799/1684-8853-2020-3-59-70
For citation: Le D. T., Dao M. H., Nguyen Q. L. T. Comparison of machine learning algorithms for DDoS attack detection in SDN.
Informatsionno-upravliaiushchie sistemy [Information and Control Systems], 2020, no. 3, pp. 59–70. doi:10.31799/1684-8853-2020-3-
59-70

ПАМЯТКА ДЛЯ АВТОРОВ

Поступающие в редакцию статьи проходят обязательное рецензирование.

При наличии положительной рецензии статья рассматривается редакционной коллеги-
ей. Принятая в печать статья направляется автору для согласования редакторских правок.
После согласования автор представляет в редакцию окончательный вариант текста статьи.
Процедуры согласования текста статьи могут осуществляться как непосредственно
в редакции, так и по е-mail (ius.spb@gmail.com).
При отклонении статьи редакция представляет автору мотивированное заключение
и рецензию, при необходимости доработать статью — рецензию.

Редакция журнала напоминает, что ответственность

за достоверность и точность рекламных материалов несут рекламодатели.

70 ИНФОРМАЦИОННО
УПРАВЛЯЮЩИЕ СИСТЕМЫ № 3, 2020

View publication stats