Publication Date


Date of Final Oral Examination (Defense)


Type of Culminating Activity


Degree Title

Doctor of Philosophy in Computing


Computer Science

Major Advisor

Dianxiang Xu, Ph.D.


Edoardo Serra, Ph.D.


Jyh-Haw Yeh, Ph.D.


Min Long, Ph.D.


The decoupling of control and data planes in software-defined networking (SDN) facilitates orchestrating the network traffic. However, SDN suffers from critical security issues, such as DoS saturation attacks on the data plane. These attacks can exhaust the SDN component resources, including the computational resources of the control plane, create a high packet loss rate and a long delay in delivering the OpenFlow messages due to the bandwidth consumption of the OpenFlow connection channel, and exhausting the buffer memory of the data plane.

Currently, most of the existing machine learning detection methods rely on a predefined time-window to start analyzing the network traffic to detect the saturation attacks caused by TCP-SYN flooding. However, saturation attacks range in duration, and a long-lasting attack can affect the entire SDN network. Therefore, if the time window is too large, the detection method response time will be long, and the attack may have an opportunity to saturate the network. If the time window is too small, the amount of the traffic may be insufficient to provide reliable detection results and the detection method will start frequently, which may cause a huge performance overhead for the SDN environment. Thus, identifying the proper time window for running the detection method and analyzing the traffic is a key concern.

For saturation attacks, the adoption of machine learning detection systems in the “real world” has been very limited. This is partly because of their deficiencies in detecting unknown saturation attacks. An unknown attack is an attack which is not represented in the dataset used to train the attack detection model. Therefore, evaluating the detection performance of the state-of-the-art supervised machine learning and semi-supervised algorithms on unknown saturation attacks is another key concern.

Furthermore, many of the proposed anomaly defense systems are deficient in mitigating the unknown saturation attacks and involve techniques which may not be compatible with OpenFlow protocol, such as modifying the data plane by adding extra devices, migrating the network traffic to a scrubbing center, and/or require extensive computational resources. Thus, an effective solution that is capable of detecting and mitigating the known and unknown saturation attacks is an urgent need.

In this dissertation, we propose a defense framework to mitigate known and unknown saturation attacks for SDN. It resides on the application layer and can protect the computational resources of the control plane and data plane. The proposed defense system combines (1) a saturation attack detection module that is capable of detecting both known and unknown saturation attacks by leveraging the proper time window of OpenFlow traffic analysis combined with machine learning to identify the attacks, (2) a victim switch detection module that can detect and identify the victim OpenFlow switches when they are targeted by known and unknown saturation attacks, and (3) a countermeasure module that can mitigate a family of saturation attacks and return the data plane settings to the pre-attack ones.

Implementation and experimental results demonstrate that, in comparison with the state-of-the-art defense systems, the proposed system provides effective protection for the SDN network — control plane, data plane, and OpenFlow connection channel — without extensive control plane computational resources and data plane flow table utilization.