Authors: Wenjie Yu; Boyang Zhou
Journal: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 10636-10651 (Journal Article)
Publication date: 2025-09-19
DOI: 10.1109/TIFS.2025.3612159
URL: https://ieeexplore.ieee.org/document/11173965/
Impact factor: 8.0; JCR: Q1 (Computer Science, Theory & Methods)
Using Random Forests for Efficient Identification of Decoys Under Link Flooding Attacks in SDNs
Software-defined networks (SDNs) face significant challenges from link flooding attacks (LFAs), where malicious bots flood towards a limited number of hidden hosts, known as decoys, at a low rate. Efficient decoy identification is crucial for mitigating LFAs and is more resource-efficient than traditional bot detection methods, given the smaller number of decoys compared to bots. This paper proposes a novel decoy identification mechanism (DIM) that utilizes the SDN controller to generate forwarding rules for critical switches, enabling them to classify and report decoy addresses effectively. DIM addresses the challenges of minimizing communication overhead between the controller and data plane while maintaining high classification accuracy. It optimizes critical switch selection by partitioning the network into smaller areas, which reduces communication costs while maximizing monitoring efficiency. Within each area, DIM pre-trains random forest (RF) models for the selected switches and generates their respective binary-encoded forwarding rules. These rules empower the switches to identify decoy addresses in LFA traffic at line speed. The identified addresses are then reported back to DIM for further analysis. Theoretical analysis demonstrates that DIM scales efficiently in terms of time and space complexity. Our evaluation with the NS-3 simulator—using real CAIDA traffic and a synthesized topology of over 30,000 nodes—shows DIM achieves 98.3% decoy identification accuracy, outperforming state-of-the-art models like LSTM and CNN in both accuracy and speed. Tests under routing changes and moving target defense scenarios confirm DIM’s robustness and adaptability, highlighting its practical effectiveness against LFAs.
About the journal:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance and systems applications that incorporate these features.