P4-Secure: In-Band DDoS Detection in Software Defined Networks

Authors: Liam Daly Manocchio; Yaying Chen; Siamak Layeghy; David Gwynne; Marius Portmann
Journal: IEEE Transactions on Network and Service Management, volume 22, issue 2, pages 2120-2137
Publication date: 2025-03-19 (journal article; not open access)
DOI: 10.1109/TNSM.2025.3552844
URL: https://ieeexplore.ieee.org/document/10934076/
Efficient detection of Distributed Denial of Service (DDoS) attacks in datacentres and corporate networks is an active research domain. This paper introduces P4-Secure, an efficient approach for in-band detection of DDoS attacks that uses neither the controller's resources nor the controller channel. The purely in-band implementation of DDoS detection makes it a practical and viable solution for real-world network security applications, including large-scale backbone networks. The proposed DDoS detection uses an axis-aligned classifier based on the packet asymmetry metric, trained through the negative selection approach. The trained axis-aligned classifier was then implemented in the data plane using P4 programming and classifies network flows with a configurable false-positive ratio. Through experiments on two independent real-world network datasets (UQ and ISP) and the CAIDA DDoS attack dataset, the robustness of the proposed approach was evaluated across varying network characteristics. The approach demonstrated notably superior performance in minimising false positives compared to alternative methods, with a false-positive rate of only 0.5%. This was coupled with a 90% F1 score, highlighting its effectiveness in addressing DDoS attacks while avoiding unnecessary false alarms. The evaluation on real-world hardware demonstrates that P4-Secure incurs minimal overhead even at high packet rates, such as 8 Mpps, making it highly suitable for datacentre and backbone network security applications.
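The abstract describes the pipeline only in outline: a per-flow packet asymmetry metric, an axis-aligned classifier trained by negative selection on benign traffic, a false-positive budget chosen by the operator, and a data-plane implementation. The following is an added illustration of that pipeline and is not the authors' code (the page shows none). The exact asymmetry formula, the second feature axis (log2 of packet volume), the per-axis splitting of the false-positive budget, the constructed sample flows and the fixed-point scaling used to turn the trained box into P4 range-match entries are all assumptions made here for the example.

```python
"""Added example (not P4-Secure's code): an axis-aligned detector on
per-flow packet-asymmetry features, trained by negative selection on
benign-only flows so that the false-positive ratio on the training set is
bounded by a configured budget. Metric, second axis and P4 encoding are
assumptions for illustration."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Bidirectional flow counters; 'fwd' is the initiator->responder direction (assumed)."""
    src: str
    dst: str
    fwd_pkts: int
    rev_pkts: int


def packet_asymmetry(flow: Flow) -> float:
    """Assumed metric: (fwd - rev) / (fwd + rev), in [-1, 1]. A flooded victim
    receives far more packets than it answers, so floods push this towards +1."""
    total = flow.fwd_pkts + flow.rev_pkts
    return 0.0 if total == 0 else (flow.fwd_pkts - flow.rev_pkts) / total


def features(flow: Flow) -> tuple[float, float]:
    # Axis 0: packet asymmetry. Axis 1 (assumed): log2 of total packet volume.
    return (packet_asymmetry(flow), math.log2(flow.fwd_pkts + flow.rev_pkts + 1))


def train_negative_selection(benign: list[Flow], max_fpr: float) -> list[tuple[float, float]]:
    """Negative selection: the detector is built from benign ("self") samples
    only; anything outside the learned box is treated as non-self. Per axis,
    [lo, hi] is chosen so at most max_fpr/d of the benign samples fall outside
    it, so the whole box flags at most max_fpr of the training set."""
    pts = [features(f) for f in benign]
    n, d = len(pts), len(pts[0])
    budget_per_tail = max_fpr / d / 2
    box = []
    for axis in range(d):
        xs = sorted(p[axis] for p in pts)
        k = min(int(math.floor(budget_per_tail * n)), (n - 1) // 2)  # samples left outside each tail
        box.append((xs[k], xs[n - 1 - k]))
    return box


def is_attack(flow: Flow, box: list[tuple[float, float]]) -> bool:
    """Axis-aligned test: flag the flow if any feature leaves its benign interval."""
    return any(not (lo <= v <= hi) for v, (lo, hi) in zip(features(flow), box))


def training_fpr(benign: list[Flow], box: list[tuple[float, float]]) -> float:
    return sum(is_attack(f, box) for f in benign) / len(benign)


def to_p4_range_entries(box: list[tuple[float, float]], bits: int = 16) -> list[dict]:
    """Illustrative mapping of the trained box to unsigned fixed-point ranges,
    the shape a 'range'-match table entry in a P4 program would carry. The
    scaling (asymmetry from [-1, 1], log2 volume from [0, 64]) is assumed."""
    scale = (1 << bits) - 1
    entries = []
    for axis, (lo, hi) in enumerate(box):
        if axis == 0:
            q_lo, q_hi = (int(round((v + 1) / 2 * scale)) for v in (lo, hi))
        else:
            q_lo, q_hi = (int(round(v / 64 * scale)) for v in (lo, hi))
        entries.append({"axis": axis, "range": (q_lo, q_hi)})
    return entries


def build_sample_flows(seed: int = 7) -> tuple[list[Flow], list[Flow]]:
    """Constructed data (not a real dataset): benign request/response flows and
    a few one-sided flood flows towards a single victim."""
    rng = random.Random(seed)
    benign = [Flow(f"10.0.{i // 256}.{i % 256}", "192.0.2.10",
                   rng.randint(5, 60), rng.randint(5, 60)) for i in range(1000)]
    attack = [Flow(f"198.51.100.{i}", "192.0.2.10",
                   rng.randint(2000, 8000), rng.randint(0, 3)) for i in range(20)]
    return benign, attack


if __name__ == "__main__":
    benign, attack = build_sample_flows()
    box = train_negative_selection(benign, max_fpr=0.005)
    print("trained box:", box)
    print("training FPR:", training_fpr(benign, box))
    print("attack flows flagged:", sum(is_attack(f, box) for f in attack), "/", len(attack))
    print("P4 range entries:", to_p4_range_entries(box))
```

The false-positive budget is the operator-facing knob: lowering max_fpr widens the box and trades recall for fewer alarms, which is the configurable false-positive ratio the abstract refers to. In a real deployment the per-flow counters would be kept in data-plane registers and only the integer ranges would be installed as table entries, so training stays offline and the controller channel is not needed at classification time.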
Journal description:
IEEE Transactions on Network and Service Management will publish (online only) peer-reviewed archival-quality papers that advance the state of the art and practical applications of network and service management. Theoretical research contributions (presenting new concepts and techniques) and applied contributions (reporting on experiences and experiments with actual systems) will be encouraged. These transactions will focus on the key technical issues related to: Management Models, Architectures and Frameworks; Service Provisioning, Reliability and Quality Assurance; Management Functions; Enabling Technologies; Information and Communication Models; Policies; Applications and Case Studies; Emerging Technologies and Standards.