DDoS Attack on Controller Detection Method Based on Machine Learning for Distributed Control Plane in Software Defined Networks

Vasily Pashkov
20m
In software-defined networks (SDN), the key network control functions are concentrated in the control plane (or SDN controller). The controller maintains and monitors an up-to-date global network view that includes the state of network devices, links, hosts and topology. Based on this global network view, the controller and its applications carry out logically centralized control of network devices' configurations and data flows in the network. Thus, the controller is a single point of failure in SDN. Therefore, real software-defined networks use a distributed control plane, which increases reliability, performance and availability for switches. A distributed control plane allows control to be redistributed in case of controller failures or controller overloads. However, one of the serious security threats to an SDN network is a DDoS attack on the control plane. Such attacks can lead to temporary or complete controller unavailability for switches in the network. DDoS attacks could also flood the control plane, the data plane, or the communication channels between the controller and switches. Thus, DDoS attacks on the control plane can lead to network failure or failures in its operation, to failures in the operation of user services, and to unavailability of services for end users. The paper presents an analysis of security threats to the control plane in software-defined networks. It considers the problem of detecting DDoS attacks on the controller in SDN, because software-defined networks are most sensitive to them. The paper presents a formal formulation of the problem of detecting DDoS attacks on the controller in SDN and provides an overview of existing solutions and machine-learning-based methods for detecting DDoS attacks on the controller.
The experimental part of the paper compares implementations of the proposed machine learning methods (logistic regression, Decision Tree, Random Forest, KNN, SVM, RNN, CNN) on the open DDoS-SDN and InSDN datasets. In the practical part, an experimental testbed based on the Mininet environment and the RUNOS 2.0 controller is created, within which a DDoS attack on the controller is simulated. The effectiveness of the machine learning methods for detecting a DDoS attack on the RUNOS controller is also compared on the collected dataset.