On-the-fly (D)DoS attack mitigation in SDN using Deep Neural Network-based rate limiting

Computer Communications (2022)

Abstract
Software Defined Networking (SDN) has emerged as a promising paradigm offering unprecedented programmability, scalability and fine-grained control over forwarding elements (FE). Mainly, SDN decouples the forwarding plane from the control plane, which is moved to a central controller that is in charge of taking routing decisions in the network. However, SDN is rife with vulnerabilities, so that several network attacks, especially Distributed Denial of Service (DDoS), can be launched from compromised hosts connected to switches. DDoS attacks can easily overload the controller processing capacity and flood switch flow-tables. This paper deals with the security issue in SDN. It proposes real-time protection against DDoS attacks that is based on a controller-side sliding window rate limiting approach which relies on a weighted abstraction of the underlying network. A weight defines the allowable amount of data that can be transmitted by a node and is dynamically updated according to its contribution to: (1) the queueing capacity of the controller, and (2) the number of flow-rules in the switch. Hence, a new deep learning algorithm, denoted the Parallel Online Deep Learning algorithm (PODL), is defined in order to update weights on-the-fly according to both aforementioned constraints simultaneously. Furthermore, the behavior of each host and each switch is evaluated through a measure of trustworthiness, which is used to penalize misbehaving ones by prohibiting new flow requests or PacketIn messages for a period of time. Host trustworthiness is based on their weights, while switch trustworthiness is achieved through a computation of the Average Nearest-Neighbor Degree (ANND). Realistic experiments show that the proposed solution succeeds in minimizing the impact of DDoS attacks on both the controllers and the switches regarding the PacketIn arrival rate at the controller, the rate of accepted requests and the flow-table usage.
Keywords
Software Defined Networking (SDN), Deep/Shallow Neural Networks (SNN), MultiLoss SNN (ML-SNN), Online Deep Learning (ODL), Rate limiting, Trustworthiness
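
The controller-side mechanism the abstract describes (a per-node weight as the byte budget of a sliding window, with a temporary prohibition for nodes that misbehave) can be sketched as follows. This is an added example, not code from the paper: weights are static here instead of being updated by PODL, and the window length, penalty duration, over-budget trigger and all names are assumptions. `annd` is the standard graph metric; how the paper maps it to switch trust is not stated in the abstract.

```python
from collections import deque

class WeightedWindowLimiter:
    """Sliding-window limiter keyed by host; weights are static in this sketch."""

    def __init__(self, weights, window=1.0, penalty=5.0):
        self.weights = weights          # host -> allowed bytes per window
        self.window = window            # window length in seconds (assumed)
        self.penalty = penalty          # block duration in seconds (assumed)
        self.history = {}               # host -> deque of (timestamp, bytes)
        self.used = {}                  # host -> bytes currently in window
        self.blocked_until = {}         # host -> time the penalty ends

    def allow(self, host, size, now):
        """Return True if this PacketIn is accepted at time `now`."""
        if now < self.blocked_until.get(host, 0.0):
            return False                # still penalised: drop without counting
        events = self.history.setdefault(host, deque())
        # Slide the window: forget traffic older than `window` seconds.
        while events and events[0][0] <= now - self.window:
            self.used[host] -= events.popleft()[1]
        if self.used.get(host, 0) + size > self.weights.get(host, 0):
            # Budget exceeded: assumed trigger for the temporary prohibition.
            self.blocked_until[host] = now + self.penalty
            return False
        events.append((now, size))
        self.used[host] = self.used.get(host, 0) + size
        return True


def annd(adjacency, node):
    """Average Nearest-Neighbor Degree: mean degree of `node`'s neighbours."""
    neighbours = adjacency[node]
    if not neighbours:
        return 0.0
    return sum(len(adjacency[n]) for n in neighbours) / len(neighbours)


def replay(limiter, events):
    """Feed constructed (time, host, bytes) events; return accept decisions."""
    return [limiter.allow(host, size, t) for t, host, size in events]

# Constructed sample: h1 stays within budget, h2 floods and is penalised.
SAMPLE = [(0.0, "h1", 400), (0.1, "h2", 900), (0.2, "h2", 900),
          (0.5, "h1", 400), (1.3, "h2", 100), (1.4, "h1", 400),
          (5.3, "h2", 100)]
```

Replaying `SAMPLE` with a 1000-byte weight for both hosts shows h2 rejected at its second burst and again while the penalty runs, then accepted once the penalty has expired and its window has drained.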