Detecting Saturation Attacks in SDN via Machine Learning

Document Type

Conference Proceeding

Publication Date



Software Defined Networking (SDN) is a network paradigm that facilitates network management by separating the control plane from the data plane. Studies have shown that an SDN may experience a high packet loss rate and long forwarding delays when the OpenFlow channel between the switches and the controller is overwhelmed by a saturation attack. Existing approaches have focused on detecting saturation attacks caused by TCP-SYN flooding through periodic analysis of network traffic. They have two shortcomings. First, they cannot detect other types, especially unknown types, of saturation attacks. Second, they rely on a predetermined time window of network traffic and therefore cannot determine which window size is appropriate for effective attack detection. To tackle these problems, this paper first investigates the impact of different time windows of OpenFlow traffic on the detection performance of three classification algorithms: the Support Vector Machine (SVM), the Naïve Bayes (NB) classifier, and the K-Nearest Neighbors (K-NN) classifier. We built and analyzed a total of 150 models on OpenFlow traffic datasets generated from both physical and simulated SDN environments. The experimental results show that the chosen time window of OpenFlow traffic heavily influences detection performance: larger time windows may decrease it. In addition, by applying proper time windows of OpenFlow traffic, we were able to achieve reasonable accuracy in detecting unknown attacks.
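The methodology the abstract describes, as an added example that is not the paper's code or data: an OpenFlow control-channel trace is cut into fixed time windows, each window is summarised into a feature vector, a K-NN classifier (one of the three algorithms the paper compares) is trained on benign traffic plus a TCP-SYN flood, and it is then tested on a flood of a type it never saw. Everything here is assumed: the synthetic trace (PACKET_IN and FLOW_MOD messages with random flow keys), the feature set (message counts, distinct flows and the FLOW_MOD/PACKET_IN ratio), the attack rates, and the rule that a controller installs one rule per previously unseen flow. The abstract does not disclose the paper's features or datasets, so none of this is the authors' setup; it only shows the window-size sweep in working code.

```python
"""Time-windowed saturation-attack detection on a synthetic OpenFlow trace.

Added example, not the paper's code. Trace, features and attack profiles are
constructed assumptions; the paper's own feature set is not given in the abstract.
"""
import math
import random
from collections import Counter

# A switch with no matching flow entry sends PACKET_IN to the controller; the
# controller answers a new flow with FLOW_MOD (install a rule). A flood of
# never-before-seen flows therefore shows up as a PACKET_IN/FLOW_MOD burst.
PACKET_IN, FLOW_MOD = "packet_in", "flow_mod"


def synth_trace(rng, start, duration, rate, flows, label):
    """Constructed trace segment: list of (timestamp, msg_type, flow_key, label).

    rate  = PACKET_IN messages per second, uniformly jittered over the segment.
    flows = size of the flow-key pool; a spoofed-source flood uses a huge pool,
            so nearly every PACKET_IN is a new flow. Assumption: installed rules
            never expire inside the trace, so a key triggers FLOW_MOD only once.
    """
    times = sorted(start + rng.random() * duration for _ in range(int(duration * rate)))
    seen, events = set(), []
    for t in times:
        key = rng.randrange(flows)
        events.append((t, PACKET_IN, key, label))
        if key not in seen:  # table miss: controller installs a rule
            seen.add(key)
            events.append((t + 0.001, FLOW_MOD, key, label))
    return events


def window_features(events, window):
    """Aggregate a trace into fixed-size windows of `window` seconds.

    Per window: [PACKET_IN count, FLOW_MOD count, distinct flows, FLOW_MOD/PACKET_IN]
    (assumed feature set). The window label is the majority label of its events.
    """
    if not events:
        return []
    t0 = min(e[0] for e in events)
    buckets = {}
    for t, mtype, key, label in events:
        buckets.setdefault(int((t - t0) // window), []).append((mtype, key, label))
    rows = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        pin = sum(1 for m, _, _ in evs if m == PACKET_IN)
        fmod = sum(1 for m, _, _ in evs if m == FLOW_MOD)
        flows = len({k for m, k, _ in evs if m == PACKET_IN})
        ratio = fmod / pin if pin else 0.0
        label = Counter(l for _, _, l in evs).most_common(1)[0][0]
        rows.append(([pin, fmod, flows, ratio], label))
    return rows


def fit_scaler(rows):
    """Per-feature mean and standard deviation (z-score scaling) from training rows."""
    dims = len(rows[0][0])
    n = len(rows)
    mean = [sum(x[d] for x, _ in rows) / n for d in range(dims)]
    std = [math.sqrt(sum((x[d] - mean[d]) ** 2 for x, _ in rows) / n) or 1.0
           for d in range(dims)]
    return mean, std


def scale(x, scaler):
    mean, std = scaler
    return [(v - m) / s for v, m, s in zip(x, mean, std)]


def knn_predict(train, x, k=3):
    """Majority vote among the k nearest (Euclidean) training vectors."""
    nearest = sorted((math.dist(x, tx), label) for tx, label in train)[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def evaluate(window, seed=1):
    """Train on benign + known flood, test on benign + unknown flood for one window size."""
    rng = random.Random(seed)
    # Training: benign traffic around a TCP-SYN flood (the known attack type).
    train_ev = (synth_trace(rng, 0, 60, 10, 30, "normal")
                + synth_trace(rng, 60, 30, 400, 10**6, "attack")
                + synth_trace(rng, 90, 60, 10, 30, "normal"))
    # Test: slightly different benign load plus a flood the model never saw
    # (e.g. UDP with spoofed sources); it stresses the OpenFlow channel the same way.
    test_ev = (synth_trace(rng, 0, 60, 12, 40, "normal")
               + synth_trace(rng, 60, 30, 250, 10**6, "attack")
               + synth_trace(rng, 90, 60, 12, 40, "normal"))
    train_rows = window_features(train_ev, window)
    test_rows = window_features(test_ev, window)
    scaler = fit_scaler(train_rows)
    train = [(scale(x, scaler), y) for x, y in train_rows]
    preds = [(knn_predict(train, scale(x, scaler)), y) for x, y in test_rows]
    attacks = [p for p in preds if p[1] == "attack"]
    return {
        "windows": len(test_rows),
        "accuracy": sum(p == y for p, y in preds) / len(preds),
        "attack_recall": sum(p == y for p, y in attacks) / max(1, len(attacks)),
    }


if __name__ == "__main__":
    for w in (1.0, 5.0, 10.0, 30.0):  # the window-size sweep the paper performs
        print(w, evaluate(w))
```

The sweep is the point: each window size yields a different number of training samples and a different amount of benign/attack blending at segment boundaries, which is the kind of dependence on the chosen interval the abstract reports. Whether a larger window helps or hurts on real OpenFlow traffic is the paper's empirical result, not something this synthetic trace can establish.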