Please use this identifier to cite or link to this item: http://irepo.futminna.edu.ng:8080/jspui/handle/123456789/19793
Title: SLOW DISTRIBUTED DENIAL OF SERVICE DETECTION AND MITIGATION IN SOFTWARE DEFINED NETWORKS USING SUPPORT VECTOR MACHINE AND SELECTIVE ADAPTIVE BUBBLE BURST ALGORITHM APPROACHES
Authors: AKANJI, OLUWATOBI SHADRACK
Issue Date: Aug-2021
Abstract: Distributed Denial of Service (DDoS) has been used by attackers over the years to disrupt the availability of services in a networked environment. However, the increased attention given to detecting and mitigating DDoS by security researchers has made attackers resort to an application-layer attack known as slow DDoS, which mimics the behaviour of a legitimate client that uses a slow connection or has a limited message window size, thus making the attack difficult to detect. Although some researchers have examined the detection and mitigation of slow Hypertext Transfer Protocol (HTTP) DDoS, a form of slow DDoS, their research focused on either slow read or slow post and get attacks only, without considering attack detection for the three types of slow HTTP DDoS. Furthermore, other researchers who have achieved competitive results in detecting slow read, post, and get attacks examined slow Denial of Service (DoS) attacks, which originate from one attacker. Since a slow DoS originates from one attacker, it is relatively easy to detect and, consequently, mitigate. Therefore, this research examined machine learning-based slow HTTP DDoS detection and Selective Adaptive Bubble Burst (SABB) mitigation of detected slow HTTP DDoS attacks, while considering slow read, post, and get attacks in a Software-Defined Network (SDN) environment. The SDN environment was simulated in Graphical Network Simulator-3 (GNS3), where the Ryu controller was used to collect attack and benign Netflow flowsets for feature selection using a Genetic Algorithm (GA) and attack detection using a Radial Basis Function (RBF) kernel-based Support Vector Machine (SVM). Consequently, the trained SVM model was uploaded to the controller for real-time detection and activation of the SABB mitigation mechanism.
Results obtained showed that the SVM classification of Netflow flowsets into attack and benign categories achieved an Area Under the Receiver Operating Characteristic Curve (AUC), accuracy, True Positive Rate (TPR), False Positive Rate (FPR), and False Negative Rate (FNR) of 99.89%, 99.89%, 99.95%, 0.18%, and 0.05% respectively. Furthermore, the SABB mitigation mechanism achieved an average response time of 387.743 milliseconds (ms) and a percentage of completed requests of 92% when eight slow HTTP DDoS attackers launched the assault, compared to an average response time of 1121.369 ms and a percentage of completed requests of 76% when SABB was not utilized with the same number of attackers. The effectiveness of the SVM slow HTTP DDoS attack detection and the proposed SABB mitigation mechanism contributes to ongoing research into the use of SDN to enhance network security. Further studies into enhancing the average response time and the percentage of completed requests through a multi-controller SDN setup are recommended.
URI: http://repository.futminna.edu.ng:8080/jspui/handle/123456789/19793
Appears in Collections: Masters theses and dissertations