Publication | Closed Access
CyberPulse++: A machine learning‐based security framework for detecting link flooding attacks in software defined networks
Citations: 25
References: 40
Year: 2021
Engineering, Machine Learning, Information Security, Network Analysis, Information Forensics, Software Defined Security, Hardware Security, Targeted Attack, Data Science, Data Mining, Security Framework, Denial-of-service Attack, DDoS Detection, Intrusion Detection System, Threat Detection, Computer Engineering, Computer Science, Attack Graph, Data Security, Network Science, New Class, Botnet Detection, ML Repository
A new class of link flooding attacks (LFA) can cut off internet connections of target links by employing legitimate flows to congest them without being detected. LFA is especially powerful in disrupting traffic in software-defined networks if the control channel is targeted. Most of the existing solutions work by conducting a deep packet-level inspection of the physical network links. Therefore, these techniques incur a significant performance overhead, are reactive, and result in damage to the network before a delayed defense is mounted. Machine learning (ML) of captured network statistics is emerging as a promising, lightweight, and proactive solution to defend against LFA. In this paper, we propose an ML-based security framework, CyberPulse++, that utilizes a pretrained ML repository to test captured network statistics in real time to detect abnormal path performance on network links. It effectively tackles several challenges faced by network security solutions, such as the practicality of large-scale network-level monitoring and collection of network status information. The framework can use a wide variety of algorithms for training the ML repository and allows the analyst a bird's-eye view by generating interactive graphs to investigate an attack in its ramp-up stage. An extensive evaluation demonstrates that the framework offers limited bandwidth and computational overhead in proactively detecting and defending against LFA in real time.