Concept of Intelligent Detection of DDoS Attacks in SDN Networks Using Machine Learning

Abstract

In this paperwe propose the concept of intelligent detection of DDoS attacks in SDN networks by log analyzing. Due to SDN management and implementation of the self-learning element, we propose to teach the SDN controller to detect attacks using information about the state of the flow, the duration of the session and its source, using information from logs and flow tables. To do this, it is necessary to divide the total traffic flow into anomalous and normal. Realizing which client requests are the result of DDoS-attack, one can create the appropriate rules for their blocking. We propose to do this by determining the metrics of traffic behavior using the Kulbak-Leibler approach to detect flow anomalies over the session time. In our case, we will compare the average session time with time to access the server from specific IP addresses. The obtained values will be recorded in the Machine Learning database. If the result of the comparison did not bring results, the duration of access to the service during the last seven days is compared. Similarly, the value of KL is determined and written to the ML database. KL accumulation values in a ML will identify anomalies in the flow admission requests by analyzing the length of service and access to prescribe rules of Controller. As a result of using machine learning, the SDN controller will block IP domains from which DDoS attacks are just starting