Publication | Closed Access
LtRFT: Mitigate the Low-Rate Data Plane DDoS Attack With Learning-To-Rank Enabled Flow Tables
Citations: 43 | References: 54 | Year: 2023
Keywords: Internet Traffic Analysis, Engineering, Information Security, Flow Tables, Targeted Attack, Data Science, Network Attack Detection, Denial-of-service Attack, Advanced Networking, Data Management, Network Flows, DDoS Detection, Software-defined Networking, Defense Systems, Computer Engineering, Networked Computer Systems, Computer Science, Data Security, Network Traffic Measurement
Software-Defined Networking (SDN) switches typically have limited ternary content addressable memory (TCAM) that caches the flow entries on the data plane. The scarcity of TCAM space and the strong competition for it put flow tables at risk of Distributed Denial-of-Service (DDoS) attacks. In this paper, we propose LtRFT, a Learning-To-Rank (LtR) based scheme for mitigating low-rate DDoS attacks targeted at flow tables. LtRFT consists of three modules: *monitor*, *ranker*, and *mitigator*. The *monitor* tracks flow table status and alerts the other modules after detecting an attack. The *ranker* models attack mitigation as a flow entry ranking task and, using a pairwise LtR algorithm, ranks malicious flows with a high eviction priority. The *mitigator* frees up flow table space by deleting malicious flow entries in the order of the ranking sequence generated by the *ranker*. We introduce LtR to network attack detection, a novel use of the technique, and use both classification and information retrieval metrics to describe and evaluate LtRFT. Extensive experiments validate the effectiveness and robustness of LtRFT in detecting and mitigating low-rate data plane DDoS attacks. LtRFT detects malicious attack flows with an accuracy of over 96% and reduces attack flow duration by 97.7% with an average extra latency of 0.5 seconds, which shows that LtRFT is practicable in SDN deployments.
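The monitor / ranker / mitigator loop described in the abstract, as an added example that is not the paper's code: a pairwise (RankNet-style) linear ranker trained on constructed flow-entry counters, a monitor that alerts on TCAM occupancy, and a mitigator that evicts the top-ranked entries until the table is back under a low-water mark. The feature set (packet, byte, rate and idle-time counters), the water marks, the traffic profile, the training procedure and every name in the code are assumptions made for illustration; the paper's actual features, model and thresholds are not given on this page.

```python
# Added example (not from the paper): a minimal monitor / ranker / mitigator
# pipeline that ranks flow entries for eviction with a pairwise linear LtR model.
# Feature set, thresholds and traffic profile are assumptions for illustration.
import math
import random
from dataclasses import dataclass


@dataclass
class FlowEntry:
    match: str         # flow match fields, here just "src->dst"
    packets: int       # packet counter of the entry
    nbytes: int        # byte counter of the entry
    duration_s: float  # seconds since the entry was installed
    idle_s: float      # seconds since the last packet hit the entry
    malicious: bool    # ground truth, used only for training and evaluation


def features(e: FlowEntry) -> list[float]:
    """Assumed feature vector built only from counters a switch already keeps."""
    rate = e.packets / max(e.duration_s, 1e-6)
    return [math.log1p(e.packets), math.log1p(e.nbytes), math.log1p(rate), e.idle_s]


def build_table(n_benign: int = 80, n_malicious: int = 20, seed: int = 7) -> list[FlowEntry]:
    """Constructed sample flow table: bulky benign flows plus sparse low-rate attack flows."""
    rng = random.Random(seed)
    table = []
    for i in range(n_benign):
        pk = rng.randint(50, 5000)
        table.append(FlowEntry(f"10.0.1.{i}->10.0.0.1", pk, pk * rng.randint(200, 1400),
                               rng.uniform(5, 60), rng.uniform(0, 2), False))
    for i in range(n_malicious):
        pk = rng.randint(1, 5)  # just enough packets to keep the entry resident
        table.append(FlowEntry(f"172.16.{i}.9->10.0.0.1", pk, pk * rng.randint(40, 80),
                               rng.uniform(20, 60), rng.uniform(5, 9), True))
    rng.shuffle(table)
    return table


class Ranker:
    """Linear scorer over standardized features: higher score = higher eviction priority."""

    def __init__(self, w, mean, std):
        self.w, self.mean, self.std = w, mean, std

    def score(self, e: FlowEntry) -> float:
        z = [(v - m) / s for v, m, s in zip(features(e), self.mean, self.std)]
        return sum(wi * zi for wi, zi in zip(self.w, z))

    def rank(self, table: list[FlowEntry]) -> list[FlowEntry]:
        return sorted(table, key=self.score, reverse=True)


def train_pairwise(table: list[FlowEntry], epochs: int = 100, lr: float = 0.05) -> Ranker:
    """RankNet-style pairwise training: every (malicious, benign) pair should be ordered
    malicious-first, so minimise log(1 + exp(-(s_mal - s_ben))) by gradient descent."""
    raw = [features(e) for e in table]
    cols = list(zip(*raw))
    mean = [sum(c) / len(c) for c in cols]
    std = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, mean)]
    X = [[(v - m) / s for v, m, s in zip(r, mean, std)] for r in raw]
    pos = [x for x, e in zip(X, table) if e.malicious]
    neg = [x for x, e in zip(X, table) if not e.malicious]
    w = [0.0] * len(mean)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for p in pos:
            for n in neg:
                diff = [a - b for a, b in zip(p, n)]
                s = sum(wi * d for wi, d in zip(w, diff))
                g = -1.0 / (1.0 + math.exp(s))  # d/ds of log(1 + exp(-s))
                for i, d in enumerate(diff):
                    grad[i] += g * d
        npairs = len(pos) * len(neg)
        w = [wi - lr * gi / npairs for wi, gi in zip(w, grad)]
    return Ranker(w, mean, std)


def monitor_alert(occupied: int, capacity: int, high_water: float = 0.9) -> bool:
    """Monitor: raise an alert once TCAM occupancy crosses the high-water mark."""
    return occupied >= high_water * capacity


def eviction_plan(ranker: Ranker, table: list[FlowEntry], capacity: int,
                  low_water: float = 0.8) -> list[FlowEntry]:
    """Mitigator: delete the highest-ranked entries until occupancy is back under low_water."""
    n_evict = max(0, len(table) - int(low_water * capacity))
    return ranker.rank(table)[:n_evict]


def precision_at_k(ranked: list[FlowEntry], k: int) -> float:
    """Information-retrieval metric: share of the top-k ranked entries that are malicious."""
    return sum(e.malicious for e in ranked[:k]) / k


if __name__ == "__main__":
    table = build_table()
    capacity = 110
    if monitor_alert(len(table), capacity):
        ranker = train_pairwise(table)
        print("P@20 =", precision_at_k(ranker.rank(table), 20))
        for e in eviction_plan(ranker, table, capacity):
            print("evict", e.match)
```

Run the file to see the ranking and the eviction plan. In a deployment the labels used for training would come from previously labelled traffic rather than from the live table, and the pairwise loss is what lets the ranker order entries instead of merely classifying them: the metric that matters for eviction is precision at the top of the ranking, since those are the entries the mitigator actually deletes, not overall accuracy over the whole table.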