Early detection and mitigation of TCP SYN flood attacks in SDN using chi-square test

Bibliographic Details
Published in: The Journal of Supercomputing, Vol. 79, No. 9, pp. 10353-10385
Main Authors: Shalini, P. V.; Radha, V.; Sanjeevi, Sriram G.
Format: Journal Article
Language: English
Published: New York, Springer US, 01.06.2023
Publisher: Springer Nature B.V.

Summary: Software Defined Networking (SDN) is a network paradigm that separates the control plane from the data plane. Centralized management of the network and dynamic programmability are the advantages of this separation. However, SDN is exposed to security threats such as DDoS attacks. In this paper, we propose an early detection and mitigation model for DDoS attacks caused by TCP SYN floods. The model uses the programmability of SDN to collect features from network traffic at the centralized controller; for that purpose we implement it as a module in the POX controller. The model extracts two header features, MAC addresses and TCP flags, to build a list of the number of half-open connections per host in the network within a given time period. The detection method is based on an extended chi-square goodness-of-fit test: the χ² value is computed for the list of half-open connection counts and the p-value is derived from it; when the p-value drops below a threshold, an attack is declared. The attack is mitigated by blocking the attack traffic from the attackers within the network by their source MAC addresses. Experimental results show that the model detects and mitigates TCP SYN floods at the source end, i.e. in the attack-originating network. We compare the model with the existing literature, show improved attack detection, and discuss the advantages of the proposed model over existing schemes.
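The abstract outlines the whole pipeline (per-host half-open counts from MAC addresses and TCP flags, a chi-square statistic, a p-value threshold, blocking by source MAC) but gives no code. The block below is an added example written for this record, not the authors' POX module. It assumes a plain Pearson chi-square against a uniform null (half-open connections evenly spread over hosts); the paper's "extended" test, its threshold and its time window are not reproduced, and the p-value cut-off of 0.01, the residual cut-off of 3 for picking which MAC to block, and the traffic in NORMAL_WINDOW and ATTACK_WINDOW are all constructed assumptions.

```python
"""Toy SYN-flood detector in the style the abstract describes (added example).

Assumptions not taken from the paper: uniform null hypothesis, plain Pearson
chi-square, P_THRESHOLD, RESIDUAL_THRESHOLD and the constructed sample windows.
"""
import math

P_THRESHOLD = 0.01        # assumed: declare an attack when p-value < 0.01
RESIDUAL_THRESHOLD = 3.0  # assumed: block hosts whose standardised residual > 3


def half_open_per_host(packets):
    """Count pending connections (SYN sent, final ACK not seen) per source MAC.

    packets: iterable of (src_mac, dst_mac, flags), flags in {"S", "SA", "A"}.
    Only MAC pair and TCP flags are used, as in the abstract; ports are not
    modelled, so several connections between one MAC pair are folded together.
    """
    pending = {}   # (initiator, responder) -> outstanding SYNs
    hosts = set()
    for src, dst, flags in packets:
        if flags == "S":                         # SYN opens a half-open connection
            hosts.add(src)
            pending[(src, dst)] = pending.get((src, dst), 0) + 1
        elif flags == "A" and pending.get((src, dst), 0) > 0:
            pending[(src, dst)] -= 1             # third handshake step closes one
    counts = {h: 0 for h in hosts}
    for (src, _dst), n in pending.items():
        counts[src] += n
    return counts


def chi_square(counts):
    """Pearson chi-square of observed counts against an equal share per host."""
    observed = list(counts.values())
    n, total = len(observed), sum(observed)
    if n < 2 or total == 0:
        return 0.0, max(n - 1, 0)
    expected = total / n
    return sum((o - expected) ** 2 / expected for o in observed), n - 1


def chi2_sf(x, k):
    """Survival function of the chi-square distribution with integer dof k.

    Uses the closed form of the upper regularised incomplete gamma Q(k/2, x/2)
    so no SciPy dependency is needed.
    """
    if x <= 0:
        return 1.0
    a = x / 2.0
    if k % 2 == 0:                                # Q(n, a) = e^-a * sum a^i/i!
        term, s = 1.0, 1.0
        for i in range(1, k // 2):
            term *= a / i
            s += term
        return math.exp(-a) * s
    s = 0.0                                       # Q(n+1/2, a) via erfc
    for i in range(1, (k - 1) // 2 + 1):
        s += a ** (i - 0.5) / math.gamma(i + 0.5)
    return math.erfc(math.sqrt(a)) + math.exp(-a) * s


def analyse_window(packets):
    """Detection decision plus the MACs that would be blocked for one window."""
    counts = half_open_per_host(packets)
    stat, dof = chi_square(counts)
    p = chi2_sf(stat, dof) if dof > 0 else 1.0
    attack = p < P_THRESHOLD
    blocked = []
    if attack:
        expected = sum(counts.values()) / len(counts)
        blocked = sorted(h for h, o in counts.items()
                         if (o - expected) / math.sqrt(expected) > RESIDUAL_THRESHOLD)
    return {"counts": counts, "chi2": stat, "dof": dof,
            "p_value": p, "attack": attack, "block": blocked}


# Constructed sample traffic (not captured data): four hosts and one server.
H1, H2, H3, H4 = ("aa:aa:aa:aa:aa:%02x" % i for i in (1, 2, 3, 4))
SRV = "bb:bb:bb:bb:bb:01"


def handshake(src, dst):
    return [(src, dst, "S"), (dst, src, "SA"), (src, dst, "A")]


NORMAL_WINDOW = (handshake(H1, SRV) + handshake(H2, SRV) + [(H3, SRV, "S")]
                 + handshake(H4, SRV) + [(H1, SRV, "S")])
ATTACK_WINDOW = (handshake(H1, SRV) + handshake(H2, SRV) + handshake(H4, SRV)
                 + [(H1, SRV, "S")] + [(H3, SRV, "S")] * 30)

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        r = analyse_window(window)
        print("%s: chi2=%.2f dof=%d p=%.3g attack=%s block=%s"
              % (name, r["chi2"], r["dof"], r["p_value"], r["attack"], r["block"]))
```

In the quiet window two hosts each hold one half-open connection and two hold none, giving χ² = 2 on 3 degrees of freedom (p ≈ 0.57, no alarm); in the flood window H3 alone holds 30, the p-value collapses to around 1e-18 and H3 is the only MAC whose residual crosses the cut-off, so it is the one returned for blocking. A real deployment would size the window and thresholds from the network's own baseline rather than the constants above.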
ISSN: 0920-8542; 1573-0484
DOI: 10.1007/s11227-023-05057-x