2014 Sixth International Conference on Advanced Computing (ICoAC)

DDoS Detection and Analysis in SDN-based Environment Using Support Vector Machine Classifier

Kokila RT¹, S. Thamarai Selvi¹, Kannan Govindarajan²
¹Department of Computer Technology, Anna University (MIT Campus), Chennai
²MIMOS, Malaysia.
{kokilart@[Link], stselvi@[Link], [Link]@[Link]}

Abstract-Software Defined Networking (SDN) provides separation of the data plane and the control plane. The controller has centralized control of the entire network. SDN offers the ability to program the network and allows dynamic creation of flow policies. The controller is vulnerable to Distributed Denial of Service (DDoS) attacks that lead to resource exhaustion, which makes the services given by the controller unreachable. The detection of DDoS requires an adaptive and accurate classifier that makes decisions from uncertain information. It is critical to detect the attack in the controller at an early stage. SVM is a widely used classifier with high accuracy and a low false positive rate. We analyze the SVM classifier and compare it with other classifiers for DDoS detection. The experiments show that SVM performs more accurate classification than the others.

Keywords-SDN, DDoS, SVM, OpenFlow, DARPA dataset

I. INTRODUCTION

A computer network consists of a group of devices like switches and routers that are controlled via proprietary interfaces implemented on them. The network administrator is responsible for configuring the network policies in those devices using a simple command line interface. This task has to be accomplished with limited tools. The existing network device interfaces are closed, and collaboration among multiple vendors' software is a challenging issue. It creates a barrier to innovation in networking. Due to the emerging trend of the Internet, the network conditions are changing tremendously. It is difficult to perform real world experiments (deployment of a new protocol) in a large production environment.

The Open Networking Foundation (ONF) defines Software Defined Networking (SDN) as "physical separation of the network control plane from the forwarding plane, and where a control plane controls several devices" [1]. In SDN, the data plane acts simply as packet forwarding hardware and the control plane acts as the "brain" of the device. The network control plane is easily programmable and it provides an abstraction of the underlying network infrastructure. It simplifies the networking devices, and they accept the instructions from the centralized controller (control plane) [2]. The operator does not need to configure the network devices individually; the routing and forwarding decisions are implemented in the centralized SDN controller [3].

The SDN controller interacts with networking devices using southbound APIs like OpenFlow, and interaction with applications is performed using northbound APIs. OpenFlow [22] is a standard that allows researchers to run experimental protocols in the network. It is based on an Ethernet switch which has an internal flow table. It provides a standard interface called the OpenFlow protocol to add or modify the entries in the flow table. The switches in an SDN environment can be OpenFlow switches (which only forward packets) or hybrid OpenFlow-Ethernet switches (bridging and routing along with forwarding). In traditional network switches or routers, the fast packet forwarding (data plane) and the routing decisions (control plane) occur in the same device. However, an OpenFlow switch in an SDN environment separates these two functions. The components of an OpenFlow switch are shown in Fig 1.

[Figure not reproduced; labels recovered from the image: OpenFlow, Secure Channel]
Fig 1 Components of OpenFlow Switch [5]

An OpenFlow switch consists of flow tables and a group table that are used to perform packet lookup and forwarding. The OpenFlow secure channel connects the switch to an external controller. The communication between switch and controller occurs through the OpenFlow protocol. The controller uses the OpenFlow protocol to create, modify and remove flow entries in the flow table. The secure channel is a TLS (Transport Layer Security) or TCP (Transmission Control Protocol) connection established between the controller and the switch. The group table consists of group entries and contains actions applicable to packets sent to specific groups. A sample flow table entry is shown in Fig 2.

978-1-4799-8159-5/14/$31.00 ©2014 IEEE.
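The flow table just described (entries created, modified and removed by the controller, a lookup that forwards on a match and otherwise hands the packet to the controller over the secure channel) is easier to reason about in code. The Python below is an added example and not code from the paper or from any OpenFlow implementation: it models priority-ordered entries with per-entry counters and the hard and idle timeouts that OpenFlow entries carry, and counts table misses that reach the controller as PacketIn events. The packets, the 10.0.0.0/16 forwarding policy and the controller callback are constructed for the demonstration.

```python
# Added example (not from the paper): a minimal model of an OpenFlow flow table.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]   # header-field name -> value; packets here are constructed


@dataclass
class FlowEntry:
    match: Dict[str, object]   # header fields to compare; a field absent here is a wildcard
    priority: int              # higher value wins when several entries match
    action: str                # instruction applied on a match, e.g. "output:1" or "drop"
    hard_timeout: float = 0.0  # seconds after installation; 0 = never expires
    idle_timeout: float = 0.0  # seconds after the last match; 0 = never expires
    installed_at: float = 0.0
    last_match: float = 0.0
    packet_count: int = 0      # per-entry counters (the Counters field of a flow entry)
    byte_count: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())

    def expired(self, now: float) -> bool:
        if self.hard_timeout and now - self.installed_at >= self.hard_timeout:
            return True
        if self.idle_timeout and now - self.last_match >= self.idle_timeout:
            return True
        return False


ControllerFn = Callable[["FlowTable", Packet, float], Optional[str]]


class FlowTable:
    def __init__(self, controller: ControllerFn) -> None:
        self.entries: List[FlowEntry] = []
        self.controller = controller   # stands in for the secure channel to the controller
        self.packet_ins = 0            # table misses handed to the controller (PacketIn)

    def install(self, entry: FlowEntry, now: float) -> None:
        entry.installed_at = entry.last_match = now
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)  # first hit = winner

    def lookup(self, pkt: Packet, now: float) -> str:
        self.entries = [e for e in self.entries if not e.expired(now)]
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packet_count += 1
                entry.byte_count += int(pkt.get("len", 0))
                entry.last_match = now
                return entry.action
        # Table miss: the packet goes to the controller, which decides and may install a rule.
        self.packet_ins += 1
        decision = self.controller(self, pkt, now)
        return decision if decision is not None else "drop"


def reactive_controller(table: FlowTable, pkt: Packet, now: float) -> str:
    """Constructed controller policy: forward traffic for the 10.0.0.0/16 site and install a
    per-flow rule with a 10 s idle timeout; anything else is dropped without a rule."""
    if str(pkt.get("ip_dst", "")).startswith("10.0."):
        rule = FlowEntry(match={"ip_src": pkt["ip_src"], "ip_dst": pkt["ip_dst"]},
                         priority=100, action="output:1", idle_timeout=10.0)
        table.install(rule, now)
        return "output:1"
    return "drop"


def demo() -> Dict[str, object]:
    """Walk one flow through miss, hit, a higher-priority override, and both timeouts."""
    table = FlowTable(reactive_controller)
    pkt = {"ip_src": "10.0.0.5", "ip_dst": "10.0.0.9", "len": 60}
    first = table.lookup(pkt, now=0.0)                   # miss -> PacketIn -> rule installed
    second = table.lookup(dict(pkt, len=1500), now=1.0)  # hit; counters advance
    # A higher-priority entry installed later takes precedence until its hard timeout.
    table.install(FlowEntry(match={"ip_src": "10.0.0.5"}, priority=200,
                            action="drop", hard_timeout=5.0), now=2.0)
    blocked = table.lookup(pkt, now=3.0)
    after_hard = table.lookup(pkt, now=8.0)  # 200-entry expired; back to the 100-entry
    hits = (table.entries[0].packet_count, table.entries[0].byte_count)
    after_idle = table.lookup(pkt, now=20.0)  # 100-entry idle for 12 s -> miss again
    return {"first": first, "second": second, "blocked": blocked, "after_hard": after_hard,
            "hits": hits, "after_idle": after_idle, "packet_ins": table.packet_ins,
            "entries": len(table.entries)}


if __name__ == "__main__":
    print(demo())
```

The `packet_ins` counter is the quantity a controller-side detector would watch: every table miss costs the controller work, which is exactly the resource that the attack on the controller described later in the paper exhausts.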

[Figure not reproduced; fields of a flow entry as drawn: Packet Header Match Fields | Priority | Counters | Cookies | Timeout | Instructions]
Fig 2 Components of flow entry in flow table

There may be many rules for the same flow. Priority specifies the matching precedence for an entry. The combination of packet header match fields and priority uniquely identifies an entry in the flow table. Counters are kept for each flow and indicate received packets per flow, received bytes per flow, received packets per port, etc. Cookies are used by the controller to filter the flow statistics. The timeout can be a hard timeout or a soft timeout. The hard timeout gives the time after which a flow expires, counted from when it was initially installed. The soft timeout value gives the time after which a flow expires, counted from the last packet match. The instructions specify the action set for an entry. The packet header fields used to match a flow table entry against the packet arriving at the switch are shown in Fig 3.

[Figure not reproduced; match fields as drawn: Ingress Port | VLAN ID | VLAN Priority | Ethernet SA | Ethernet DA | Ethernet Type | IP SA | IP DA | IP Protocol | TCP Src Port | TCP Dst Port]
Fig 3 Packet Header matching fields

The paper is organized as follows. An overview of various DDoS attacks is presented in section II, and security issues in the SDN controller are discussed in section III. The existing methods for intrusion detection in SDN and network intrusion detection using the concepts of SDN are described in section IV. Section V discusses some of the existing multiclass SVM classification methods. The DDoS detection method is presented in section VI. The experimental results and discussion are given in section VII, with concluding remarks in section VIII.

I. DISTRIBUTED DENIAL OF SERVICE ATTACK

A brief description of the DDoS attack and its major classification is presented here. A DDoS attack is launched by multiple compromised computers, called bots or zombies, targeting a single system. The four major components of a DDoS attack are the real attacker; compromised hosts called handlers or masters, capable of controlling multiple agents using software programs; the agent hosts, which generate a large number of packets towards the victim host; and the target host against which the attack is launched. Taxonomies of DDoS, tools used to launch the attack and possible countermeasures are discussed in detail in [6].

UDP flood: The victim system is attacked by sending UDP (User Datagram Protocol) packets continuously to a specific or random port.

ICMP flood attack: A large number of ICMP (Internet Control Message Protocol) echo request (ping flood) packets with spoofed source IP addresses is sent to the victim.

Smurf attack: A reflection or amplification attack targeted against routers and servers, where ICMP packets are redirected to these amplifiers with a spoofed source IP address. The spoofed address is the victim host's IP address. UDP and ICMP flood attack sources can be easily tracked, but it is difficult to track the source of a Smurf attack.

Fraggle attack: Similar to the Smurf attack, but uses UDP packets instead of ICMP packets. Here also the victim's IP address is used as the spoofed source IP address in the attack packets.

SNMP amplification attack: SNMP (Simple Network Management Protocol) is used to monitor devices such as routers, printers and firewalls attached to the network. SNMP uses a default community string which allows programs to get the configuration information of the devices. The GetBulk request can be sent to retrieve the configuration details. Attackers send this request using the default community string with a spoofed source IP address of the target system. Thus the victim system is overwhelmed with responses.

Coremelt attack: The zombies are divided into two groups. The attacker instructs the zombies to communicate with zombies in the other group, leading to the sending and receiving of huge amounts of data. It is difficult to track this attack, as the communication happens via legitimate packets. Instead of targeting a single host, the zombies communicate with each other to create a network flood [7].

HTTP flood: The web server is flooded with HTTP (Hyper Text Transfer Protocol) requests. It is a volumetric attack and does not use reflection or spoofing techniques.

SIP flood attack: Voice over IP (VoIP) communication uses the Session Initiation Protocol (SIP) for call signaling. A SIP phone can easily be flooded with messages so that it cannot serve legitimate requests.

Land attack: Large numbers of packets are sent with the same source and destination IP address and port number, which crashes the system.

TCP SYN attack: A weakness of the Transmission Control Protocol (TCP) is used for launching this attack. The attacker sends a large number of SYN (Synchronize) requests to the server. The server replies to each request by sending a SYN + ACK (Acknowledge) packet and waits for the ACK packet from the client. The attacker does not send the ACK packet, and the server waits for the nonexistent ACK. The limited buffer queue of the server becomes full and incoming valid requests are rejected.

CGI request attack: The attacker sends a large number of Common Gateway Interface (CGI) requests, which consume CPU cycles of the victim.

Authentication server attack: The authentication server verifies bogus signatures sent by the attacker, which consumes more resources than generating the signatures.

II. SECURITY IN SDN

A. Problem Discussion

The OpenFlow switch checks the incoming packet (packet header fields such as source port, destination port, source IP address, destination IP address, etc.) against the flow entries; if a match is found, the specified action is executed. Otherwise, the packet is sent to the controller using a PacketIn control message. When a large number of packets with spoofed IP addresses are sent together, no match is found in the flow table and the packets are sent to the controller. Using this processing delay, a malicious attacker can modify the flow entries so that legitimate packets are dropped, and clone the flow table entries, which leads to overflow of the flow table. There is then not enough memory space to accept the new flow instructions given by the controller. The controller tries to process the legitimate and spoofed packets continuously and its resources are exhausted. This can be described as a DDoS attack against the controller. Under this attack, the controller becomes unreachable and it will not be able to process new legitimate packets. Our approach treats this scenario as launching a DDoS attack after the connection between switch and controller has been established. Fig 2 illustrates this scenario.

[Figure not reproduced; labels recovered from the image: Attacker Host (launch flooding using processing delay), SDN Controller, OpenFlow enabled Switch, Incoming Packet, yes: forwarded to destination]
Fig 2 Modification to flow table by malicious host

The controller has the centralized network intelligence. Anyone who has access to the server on which the controller software is running can get access to the network. This introduces the possibility of controlling the entire network. Applications like firewall, load balancing, routing and traffic engineering run on top of the SDN control plane. Once access to a controller application is obtained, for example the firewall application, a new Access Control List (ACL) can be created. Use of a TLS/SSL connection between the switch and the controller does not guarantee secure communication. When the TLS connection is lost, the switch will try to connect to a backup controller if one is available. This is called "fail secure mode" or "fail standalone mode". In this mode the switch can use the flow tables in the way it wishes; the switch may add, modify or delete any entry in the flow table [5].

The communication between switch and controller can be established in two ways. The operator can configure the switches with the IP address of the controller, or the controller can initiate the Hello request. During a connection breakup, an attacker can send a Hello request to the switch, acting as a legitimate controller, and get access to the flow tables. This scenario is treated as launching a DDoS attack before the communication is established, and it is illustrated in Fig 3.

[Figure not reproduced; labels recovered from the image: SDN Controller (under attack), OpenFlow enabled Switch]
Fig 3 Malicious controller getting access to the entire network

B. Effects of DDoS in SDN

The brain of the network in an SDN environment is the controller. It acts as the operating system of the switches. If the TLS connection is broken, hybrid switches can operate in normal mode, doing both routing and decision making. Incorrect flows can be installed, and this can affect the performance of the controller.

The threat vectors with respect to the SDN environment and possible solutions for them are discussed in [4]. In this work the authors described various possibilities of attack with respect to the switch and the controller. Forged flows can be injected into the switch flow table, resulting in the launching of DoS (Denial of Service) or DDoS attacks against switches and controllers. A possible solution could be deploying an intrusion detection system.

C. Objective

A DDoS attack against the controller can be detected using a machine learning algorithm that was trained with attack and normal patterns. Hence, this paper explores the possibility of launching DDoS attacks and the detection of DDoS using the SVM classifier. The experiments are carried out using the DARPA dataset [20].

III. RELATED WORKS

DDoS attacks and their detection methods are a long-term research topic. However, very limited research has been done in the area of security issues with respect to SDN environments. We describe some intrusion detection techniques related to the SDN environment. K. Giotis et al. [8] proposed an anomaly detection mechanism on SDN using OpenFlow and sFlow. The packet sampling capability of sFlow is utilized for traffic gathering, and a comparison of this approach with sFlow is presented. The statistical entropy method is used for anomaly detection. The OpenFlow protocol is used to mitigate the attack by modifying the priority values of existing flows and installing new flows with a drop action and high priority. But the entropy method has the strong assumption that the traffic data follow a certain normal distribution. The detection rate decreases if the assumption is incorrect.

Datacenter overloading problems due to DDoS and other internal factors such as workload changes and operator errors were discussed by Ye Wang et al. in [10]. The capability of the OpenFlow switch was utilized to monitor the network traffic, and a multidimensional flow aggregation mechanism is used to identify the overloading flows. Adaptive rate control using a toxin-antitoxin mechanism is applied to suspicious flows to reduce the false alarm rate. The packet counters of an OpenFlow switch hold the accumulated value from the time the flow rule was installed, but an anomaly detection technique requires data only from the last time period. DDoS flooding attack detection using OpenFlow with a trained SOM classifier was proposed by Braga et al. [15]. Only the DDoS detection method has been discussed, and a mitigation mechanism was not considered. Jeffrey et al. [16] discussed the ALARMS flow specification language to limit the amount of traffic forwarded to the controller. The network traffic was copied to other systems using the span ports available in the switch, which creates overhead. A detailed security analysis of OpenFlow was presented in [17].

Lisa Schehlmann and Harald Baier proposed COFFEE [11], which utilizes the OpenFlow protocol to identify botnet activities and erase them. The network flow is monitored using the Cisco technology NetFlow. The suspected flows are further validated by sending those packets to the controller to extract more features. The detection was done using machine learning algorithms, and the reaction to the attack was done using the OpenFlow protocol by installing higher priority rules. This method does not delay the network traffic until the inspection is completed.

Defending against scanning and worm propagation attacks using the SDN controller was discussed by Jafarian et al. [13]. The end hosts are assigned random virtual IPs by the controller, and translation to the real IP is done during communication. Security enhancements that can be made to the network using SDN, and the security challenges in SDN, were discussed in [14].

Wenying Feng et al. [9] proposed an intrusion detection method by combining SVM with ant colony networks. They concluded that CSVAC (Combining Support Vectors with Ant Colony) shows better results than SVM and Clustering based on Self-Organized Ant Colony Network (CSOACN). Multiclass SVM classification was done using the one-against-all method, which trains N classifiers and consults all N classifiers for testing an unknown sample. This increases the testing time, which is critical for detecting intrusion at an early stage. DDoS detection using an ensemble of adaptive and hybrid neuro-fuzzy systems was proposed by Arun Raj Kumar and Selvakumar [12]. The KDD 99 dataset is taken for evaluation purposes, and the NFBoost algorithm gives high accuracy with a low false positive rate.

The existing methods are based on the traditional network, and SDN was used as a mechanism to detect and mitigate the DDoS attack. But initiating an attack against the controller causes the switches to lose their operating system. So far, very few papers address the security of the SDN controller.

IV. MULTICLASS SVM CLASSIFICATION

SVM is a supervised learning algorithm that recognizes patterns by analyzing the data and uses the patterns for classification. Though it was initially designed as a binary classifier, SVM has been extended to support multiclass classification. Generally the multiclass problem is decomposed into binary problems and these classifiers are trained. This section describes some widely used SVM methods.

A. One-against-One (OVO)

This algorithm constructs N(N-1)/2 binary classifiers; samples of the first class are trained as positive and samples of the second class as negative. Majority voting is applied to combine the classifiers while testing a new unknown sample. All the classifiers are consulted to classify the data in the testing phase.

B. One-against-all (OVA)

N binary classifiers are constructed for the N class problem, and each class is trained against the remaining N-1 classes. But the disadvantage is that all N-1 classifiers have to be tested to predict the sample point.

C. Binary Tree of SVM

The Binary Tree of SVM (BTS) proposed by B. Fei and J. Liu [18] provides high classification efficiency for multiclass problems. It decreases the number of binary classifiers to the greatest extent without increasing the complexity of the original problem. Testing time is better than both OVO and OVA. But the disadvantage is that the training time is high, as it tests all samples with the trained SVM to build the sub-nodes of the tree.

D. Binary Decision Tree SVM

An SVM classifier utilizing a Binary Decision Tree (SVM-BDT) was proposed in [19]. The classes are recursively divided into two groups by calculating the gravity centers of each group. The classes with the biggest Euclidean distance are assigned to two different groups. Then classes with the smallest distance are assigned to the same group. They showed that only log2 N classifiers need to be consulted to classify the test sample. But the BDT may not always be height balanced, and the tree may be skewed to the left or right side.

V. SYSTEM OVERVIEW

In order to detect the DDoS attack, the intrusion detection system should be fed with traffic information. The system utilizes the widely used SVM classifier to detect the attack. SVM can learn the pattern with few training samples and produce an accurate classification by reducing the false positives. This is achieved through the generalization capability, which refers to the ability of the trained machine to classify unknown samples with the model learned from the training dataset. SVM always finds a global optimum solution rather than stopping at a local optimum. SVM performs linear separation by finding an optimum hyperplane (largest margin) that separates two classes. The training examples that are closest to the hyperplane are called support vectors. SVM is a linear classifier, and kernel functions are used to support nonlinear classification. Commonly used kernel functions are linear, polynomial, radial basis function and sigmoidal. A kernel function takes a dataset and transforms it into a higher dimension through the use of one of the functions described above. The transformed data become linearly separable in the higher dimension, though they are not linearly separable in the original dimension. The Radial Basis Function (RBF) kernel supports nonlinear classification. It can be defined as

$K(x_i, x_j) = \exp(-\gamma \lVert x_i - x_j \rVert^2), \quad \gamma > 0$ (1)

where $x_i$ and $x_j$ denote training data points and gamma ($\gamma$) is the adjustable width parameter of the resulting classifier.

The system architecture for DDoS detection using the SVM classifier is shown in Fig 4. The traffic data can have attributes like source IP address, destination IP address, source port, destination port, protocol used for communication and the length of the packet. Some of these attributes will be multi-valued attributes. These attributes have to be converted to binary attributes, which have only two states or values. This conversion is useful for performing the normalization process, which helps to prevent higher values in an attribute from dominating the lower range values.

Let the number of values in a multi-valued attribute be n; after the conversion, n binary attributes will be created to represent it. The binary attribute has the value 1 when the nominal attribute takes that particular value, otherwise it is 0. During the normalization process, the attribute value is scaled to fit a specific range (e.g. [0, 1]).

The SVM classifier is trained with the training data set and a model is built upon it. Using the pattern recognized, the SVM classifier predicts the category of a new unknown traffic sample. The outcome of the classifier for a test data point is either normal or attack.
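To make the preprocessing of section V and the kernel of Eq. (1) concrete, here is an added Python example (not the paper's code): nominal attributes are expanded into one binary attribute per value, numeric attributes are min-max scaled into [0, 1] using bounds learned from the training records, and the RBF kernel is evaluated on the resulting vectors for the three gamma values of the paper's parameter grid. The traffic records and attribute names are constructed for the example; the SVM training itself, done with LIBSVM in the paper, is not reimplemented here.

```python
# Added example (not the paper's code): section V preprocessing and the RBF kernel of Eq. (1).
import math
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed traffic records with the attribute kinds the paper names; protocol is nominal.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"src_port": 443, "dst_port": 51234, "protocol": "tcp", "length": 1500},
    {"src_port": 53, "dst_port": 41000, "protocol": "udp", "length": 120},
    {"src_port": 0, "dst_port": 0, "protocol": "icmp", "length": 64},
    {"src_port": 80, "dst_port": 51235, "protocol": "tcp", "length": 580},
]
NOMINAL = ["protocol"]                        # multi-valued attributes -> n binary attributes
NUMERIC = ["src_port", "dst_port", "length"]  # scaled into [0, 1]


def one_hot(value: object, values: Sequence[str]) -> List[float]:
    """n possible values -> n binary attributes; a value unseen in training yields all zeros."""
    return [1.0 if str(value) == v else 0.0 for v in values]


def scale(x: float, lo: float, hi: float) -> float:
    """Min-max normalization into [0, 1]. A constant attribute maps to 0 instead of dividing
    by zero, and test-time values outside the training range are clipped to the interval."""
    if hi == lo:
        return 0.0
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))


def build_encoder(records: Sequence[Dict[str, object]]) -> Callable[[Dict[str, object]], List[float]]:
    """Learn value sets and bounds from the training records only, then encode any record."""
    values = {a: sorted({str(r[a]) for r in records}) for a in NOMINAL}
    bounds: Dict[str, Tuple[float, float]] = {}
    for a in NUMERIC:
        xs = [float(r[a]) for r in records]
        bounds[a] = (min(xs), max(xs))

    def encode(record: Dict[str, object]) -> List[float]:
        vec: List[float] = []
        for a in NOMINAL:
            vec.extend(one_hot(record[a], values[a]))
        for a in NUMERIC:
            lo, hi = bounds[a]
            vec.append(scale(float(record[a]), lo, hi))
        return vec

    return encode


def rbf_kernel(xi: Sequence[float], xj: Sequence[float], gamma: float) -> float:
    """Eq. (1): K(x_i, x_j) = exp(-gamma * ||x_i - x_j||^2), gamma > 0."""
    if gamma <= 0:
        raise ValueError("gamma must be positive")
    sq_dist = sum((a - b) ** 2 for a, b in zip(xi, xj))
    return math.exp(-gamma * sq_dist)


def kernel_matrix(vectors: Sequence[Sequence[float]], gamma: float) -> List[List[float]]:
    return [[rbf_kernel(a, b, gamma) for b in vectors] for a in vectors]


def demo() -> Tuple[List[List[float]], Dict[float, List[List[float]]]]:
    """Encode the sample records and evaluate the kernel for the gamma values of Table 2."""
    encode = build_encoder(SAMPLE_RECORDS)
    vectors = [encode(r) for r in SAMPLE_RECORDS]
    return vectors, {g: kernel_matrix(vectors, g) for g in (0.1, 0.01, 0.001)}


if __name__ == "__main__":
    vecs, kernels = demo()
    for v in vecs:
        print(v)
    print("K(tcp/443, tcp/80) at gamma=0.01:", kernels[0.01][0][3])
```

With every attribute in [0, 1], the squared distance between two records is bounded by the vector length, so the kernel values stay close to 1 for small gamma and spread out as gamma grows; that is the "width" role of gamma that the grid search over 0.1, 0.01 and 0.001 in section VI tunes.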

[Figure not reproduced; labels recovered from the image: attributes, Data Preprocessing, Training Data]
Fig 4 System architecture

VI. EXPERIMENTAL RESULTS

In this section, we provide the results of multiclass classification using the SVM classifier. The 2000 DARPA intrusion detection scenario specific dataset provided by MIT Lincoln Lab is taken for evaluation [20]. The dataset contains a DDoS attack launched by a novice attacker. This attack scenario is carried out over multiple network and audit sessions. These sessions have been grouped into 5 attack phases, over the course of which the adversary probes, breaks in, installs Trojan mstream DDoS software, and launches a DDoS attack against an off-site server. A brief description of the attack scenario is given below.
1. IPsweep of the AFB (Air Force Base) from a remote site
2. Probe of live IPs to look for the sadmind daemon running on Solaris hosts
3. Break-ins via the sadmind vulnerability, both successful and unsuccessful, on those hosts
4. Installation of the Trojan mstream DDoS software on three hosts at the AFB
5. Launching the DDoS attack
This dataset includes only attack traffic. The normal traffic data are included from the 1998 DARPA dataset. The data instances are divided into two groups, training data and testing data. Details of these datasets are given in Table 1.

TABLE 1 DATASET DETAILS

Data category    No. of training instances    No. of test instances
BreakIn          156                          374
DDoS             963                          1035
Installsw        318                          204
IPSweep          101                          684
Normal           2500                         2501
Probe            54                           94
Total            4092                         4892

The classification accuracy and false positive rate of SVM depend on the parameters used. SVM accepts the soft margin constant C as an input parameter. A large value of C leads to high penalty values for misclassification errors. The optimizer tries to find a smaller margin when the value of C is large, and it will find a larger margin for smaller values of C. The RBF kernel accepts gamma, the adjustable width, as input. The selection of parameters is done through the grid search method. The resultant optimum values of the grid search depend on the minimum and maximum values set for the grid size. The classification accuracy for varying gamma parameters is given in Table 2.

TABLE 2 ACCURACY WITH DIFFERENT PARAMETERS

Cost    Gamma    Classification accuracy (%)    False positive rate
10      0.1      94.23                          0.011
10      0.01     95.11                          0.008
10      0.001    93.86                          0.013

From the result, the classification accuracy was highest when the gamma parameter is set to 0.01 and cost = 10. The result of the SVM classifier in terms of a confusion matrix is given in Table 3.

TABLE 3 CONFUSION MATRIX OF TEST DATA SET

Actual class \ Classified class    BreakIn    DDoS    Installsw    IPSweep    Normal    Probe
BreakIn                            184        78      88           0          2         22
DDoS                               0          1035    0            0          0         0
Installsw                          13         30      160          0          0         0
IPSweep                            0          0       0            683        1         0
Normal                             1          0       0            0          2500      0
Probe                              3          0       0            0          0         91

The LIBSVM [21] package with the RBF kernel is taken for experimental purposes. The results are compared with the other DDoS detection methods listed below.
• Naïve Bayes
• Bagging
• Radial Basis Function Network
• J48 Decision Tree
• Random Forest
The result in Fig 5 shows that SVM performs better in terms of accuracy and false positive rate. The details of false positive rate, training time and classification accuracy are given in Table 4. Though the RBF network achieves results similar to SVM, the training time of the RBF network is very high. SVM has high accuracy and a low false positive rate compared to the other methods. In terms of training time, the Naïve Bayes and Random Forest models perform better than the other methods.

TABLE 4 COMPARISON OF SVM WITH OTHER METHODS

Method           Accuracy (%)    False positive rate    Training time (sec)
RBF              94.56           0.01                   1320
SVM              95.11           0.008                  120
Naïve Bayes      90.14           0.02                   3
Bagging          91.49           0.024                  60
J48              91.82           0.024                  7
Random Forest    90.53           0.046                  3
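A reader can check the headline numbers against Table 3. The Python below is an added example, not the paper's code: it reduces the confusion matrix as printed to overall accuracy, a per-class false positive rate, a class-size-weighted average of those rates (the usual multiclass summary; that this is the paper's definition of "false positive rate" is an assumption, made because it reproduces the reported 0.008), and the binary normal-versus-attack view that a controller-side detector ultimately acts on.

```python
# Added example (not the paper's code): summary metrics recomputed from the Table 3 confusion matrix.
from typing import Dict, List

CLASSES = ["BreakIn", "DDoS", "Installsw", "IPSweep", "Normal", "Probe"]

# Rows: actual class; columns: classified class. Values copied from Table 3 as printed.
TABLE3: List[List[int]] = [
    [184,   78,  88,   0,    2, 22],
    [  0, 1035,   0,   0,    0,  0],
    [ 13,   30, 160,   0,    0,  0],
    [  0,    0,   0, 683,    1,  0],
    [  1,    0,   0,   0, 2500,  0],
    [  3,    0,   0,   0,    0, 91],
]


def total_instances(cm: List[List[int]]) -> int:
    return sum(sum(row) for row in cm)


def accuracy(cm: List[List[int]]) -> float:
    """Fraction of test instances on the diagonal."""
    correct = sum(cm[i][i] for i in range(len(cm)))
    return correct / total_instances(cm)


def per_class_fp_rate(cm: List[List[int]]) -> List[float]:
    """For class c: instances of other classes labelled c, over all instances of other classes."""
    n, total = len(cm), total_instances(cm)
    rates = []
    for c in range(n):
        predicted_c = sum(cm[r][c] for r in range(n))
        false_positives = predicted_c - cm[c][c]
        others = total - sum(cm[c])
        rates.append(false_positives / others if others else 0.0)
    return rates


def weighted_fp_rate(cm: List[List[int]]) -> float:
    """Per-class FP rates averaged with class sizes as weights. That this is the paper's
    'false positive rate' is an assumption; it reproduces the 0.008 of Tables 2 and 4."""
    total = total_instances(cm)
    return sum(sum(cm[c]) * rate for c, rate in enumerate(per_class_fp_rate(cm))) / total


def attack_vs_normal(cm: List[List[int]], normal_idx: int) -> Dict[str, float]:
    """Collapse the six classes to the binary decision the detector ultimately makes."""
    n = len(cm)
    normal_total = sum(cm[normal_idx])
    normal_as_attack = normal_total - cm[normal_idx][normal_idx]
    attack_rows = [r for r in range(n) if r != normal_idx]
    attack_total = sum(sum(cm[r]) for r in attack_rows)
    attack_as_normal = sum(cm[r][normal_idx] for r in attack_rows)
    return {"false_positive_rate": normal_as_attack / normal_total,
            "miss_rate": attack_as_normal / attack_total}


def summarize(cm: List[List[int]] = TABLE3) -> Dict[str, float]:
    binary = attack_vs_normal(cm, CLASSES.index("Normal"))
    return {
        "total": total_instances(cm),
        "accuracy_pct": round(100 * accuracy(cm), 2),
        "weighted_fp_rate": round(weighted_fp_rate(cm), 3),
        "binary_fp_rate": round(binary["false_positive_rate"], 4),
        "binary_miss_rate": round(binary["miss_rate"], 4),
    }


if __name__ == "__main__":
    for name, rate in zip(CLASSES, per_class_fp_rate(TABLE3)):
        print(f"{name:10s} FP rate {rate:.4f}")
    print(summarize())
```

Run as printed, the matrix sums to 4891 instances and yields 95.13% accuracy, whereas Table 1 lists 4892 test instances and Table 4 reports 95.11%: the Installsw row of Table 3 accounts for 203 of its 204 test instances, so one misclassified sample is missing from the matrix, and 4653 correct out of 4892 is exactly 95.11%. The weighted false positive rate rounds to 0.008 either way. The per-class rates show where the errors sit (BreakIn samples labelled DDoS give the DDoS class the highest rate, about 0.028), while in the binary view only one normal sample is flagged as attack (0.04%) and three attack samples pass as normal.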

[Figure not reproduced: bar chart with the false positive rate on the x-axis (ticks 0.008, 0.01, 0.02, 0.024, 0.046) and a y-axis from 87 to 96 carrying the accuracy values of Table 4; legend entries recovered from the image: Bagging, J48, Naive Bayes, Random Forest]
Fig 5 Comparison of classification methods

VII. CONCLUSION AND FUTURE WORK

SDN has emerged to improve the programmability within the network and also provides support for the dynamic nature of future functions. In order to achieve this goal, security challenges in SDN have to be addressed. This paper describes one of the security issues in the SDN controller. A DDoS attack on the controller causes flow table flooding and dropping of legitimate packets. Hence, it is important to detect the DDoS attack at an early stage. Machine learning algorithms detect the DDoS attack with the pattern generated from the dataset. The experiments were carried out with the existing DARPA dataset, and the results of the SVM classifier are compared with other DDoS detection methods. Compared to the other techniques, the SVM classifier gives a lower false positive rate and higher classification accuracy. However, SVM takes more time to train and generate the detection model, which is used to predict the traffic characteristics.

The future work aims to integrate the traffic pattern built in SVM with the SDN controller and detect the DDoS attack online. Further, the performance of the SVM classifier can be improved by combining an AVL tree with SVM. The multiple binary SVMs will be arranged in an AVL tree structure. The height balancing property of the AVL tree helps to reduce the testing time.

REFERENCES
[1] "Software Defined Networking," https:[Link] [Link].
[2] "Software-Defined Networking: The New Norm for Networks," White Paper, Open Networking Foundation (ONF), Apr. 2012. [Online]. Available: https://www.[Link]/stories/downloads/white-papers/[Link].
[3] H. Kim and N. Feamster, "Improving network management with software defined networking," IEEE Communications Mag., vol. 51, no. 2, pp. 114-119, 2013.
[4] D. Kreutz, F. M. V. Ramos, and P. Verissimo, "Towards Secure and Dependable Software-Defined Networks," ACM HotSDN'13, pp. 1-6, Aug. 2013.
[5] Open Networking Foundation, "OpenFlow Switch Specification, V1.3.2," Apr. 25, 2013, 131 pages, https://[Link]-resources/onfspecifications/
[6] S. M. Specht and R. B. Lee, "Distributed Denial Of Service: Taxonomies of Attacks, Tools and Countermeasures," Proceedings of the International Workshop on Security in Parallel and Distributed Systems, pp. 543-550, 2004.
[7] A. Studer and A. Perrig, "The Coremelt attack," Proc. of the 14th European Conference on Research in Computer Security, pp. 37-52, 2009.
[8] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, Elsevier, vol. 62, pp. 122-136, Apr. 2014.
[9] W. Feng, Q. Zhang, G. Hu, and J. Huang, "Mining network data for intrusion detection through combining SVMs with ant colony networks," Future Generation Computer Systems, vol. 37, pp. 127-140, July 2014.
[10] Y. Wang, Y. Zhang, V. Singh, C. Lumezanu, and G. Jiang, "NetFuse: Short-circuiting Traffic Surges in the Cloud," IEEE International Conf. on Communications, pp. 3514-3518, June 2013.
[11] L. Schehlmann and H. Baier, "COFFEE: a Concept based on OpenFlow to Filter and Erase Events of botnet activity at high-speed nodes," Proc. of Lecture Notes in Informatics, vol. P-220, pp. 2225-2239, Sep. 2013.
[12] P. Arun Raj Kumar and S. Selvakumar, "Detection of distributed denial of service attacks using an ensemble of adaptive and hybrid neuro-fuzzy systems," Computer Communications, vol. 36, pp. 303-319, Feb. 2013.
[13] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow Random Host Mutation: Transparent Moving Target Defense using Software Defined Networking," HotSDN '12, pp. 127-132, Aug. 2012.
[14] S. Scott-Hayward, G. O'Callaghan, and S. Sezer, "SDN Security: A Survey," IEEE SDN for Future Networks and Services, pp. 1-7, Nov. 2013.
[15] R. Braga, E. Mota, and A. Passito, "Lightweight DDoS Flooding Attack Detection Using NOX/OpenFlow," IEEE 35th Annual Conference on Local Computer Networks, pp. 408-415, 2010.
[16] J. R. Ballard, I. Rae, and A. Akella, "Extensible and Scalable Network Monitoring using OpenSAFE," Proc. of the 2010 Internet Network Management Conference on Research on Enterprise Networking, pp. 1-6, 2010.
[17] R. Kloti, V. Kotronis, and P. Smith, "OpenFlow: A Security Analysis," IEEE International Conference on Network Protocols, pp. 1-6, Oct. 2013.
[18] G. Madzarov, D. Gjorgjevikj, and I. Chorbev, "A Multi-class SVM classifier utilizing Binary Decision Tree," Informatica, pp. 233-241, 2009.
[19] B. Fei and J. Liu, "Binary Tree of SVM: A new fast Multiclass Training and Classification Algorithm," IEEE Transactions on Neural Networks, vol. 17, no. 3, pp. 696-704, May 2006.
[20] DARPA 2000 Scenario Specific dataset, available from: [Link] eval/datal2000/LLS DDOS [Link]
[21] C. Chang and C. Lin, "LIBSVM: A library for support vector machines," ACM Transactions on Intelligent Systems and Technology, vol. 2, no. 27, pp. 1-39, Issue 3, Apr. 2011.
[22] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, "OpenFlow: enabling innovation in campus networks," SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp. 69-74, 2008.
