P4-HLDMC: Comparison
Please note this is a comparison between Version 2 by Camila Xu and Version 1 by Ameer El-Sayed Gouda.

Distributed Denial of Service (DDoS) and Address Resolution Protocol (ARP) attacks pose significant threats to the security of Software-Defined Internet of Things (SD-IoT) networks. The standard Software-Defined Networking (SDN) architecture faces challenges in effectively detecting, preventing, and mitigating these attacks due to its centralized control and limited intelligence.

  • SD-IoT
  • DDoS detection
  • ARP detection
  • machine learning

1. Introduction

The Internet of Things (IoT) has become ubiquitous and is increasingly being deployed in various applications, including healthcare, transportation, and smart homes [1]. However, IoT networks are highly vulnerable to security threats, including Distributed Denial of Service (DDoS) attacks and Address Resolution Protocol (ARP) attacks [2,3]. The increasing scale and complexity of IoT networks make traditional security mechanisms ineffective, highlighting the need for new approaches to secure IoT networks [4,5]. In addition, it is essential to ensure the security of every layer of the IoT ecosystem. The IoT can be vulnerable to attacks at three distinct levels: the node layer, where data are collected; the network layer, where data are transmitted for processing; and the cloud layer, where data are stored [6].
DDoS and ARP attacks pose significant threats to IoT networks. These attacks exploit vulnerabilities in network infrastructure and can have a severe impact on the overall functioning and security of IoT systems. Understanding DDoS and ARP attacks and their relationship is crucial for mitigating their effects and protecting IoT networks from potential damage [7]. DDoS attacks are malicious attempts to disrupt the normal operation of a network or a specific service by overwhelming it with a massive volume of traffic. These attacks can be devastating for IoT networks as they target the limited resources of IoT devices and the underlying infrastructure [8]. By flooding the network with an enormous amount of data, DDoS attacks consume bandwidth, processing power, and memory, rendering IoT devices and services inaccessible to legitimate users [9].
On the other hand, ARP attacks exploit vulnerabilities in the ARP protocol, which is responsible for mapping IP addresses to MAC addresses in a network. In an ARP attack, an attacker sends fake ARP messages, known as ARP spoofing, to associate their MAC address with the IP address of a legitimate device on the network. In this manner, the attacker gains the ability to capture network data, divert it towards their own device, and engage in a range of nefarious actions, including eavesdropping, unauthorized access, and manipulation of data.
The relationship between DDoS and ARP attacks becomes evident when considering the potential collaboration between attackers. In some scenarios, DDoS attacks can be used as a smokescreen to divert attention and resources while ARP attacks are carried out to exploit vulnerabilities in the network. For example, during a DDoS attack, the network and security infrastructure might become overwhelmed, leading to decreased monitoring capabilities and increased susceptibility to ARP attacks. This collaboration between different attack vectors can magnify the impact on IoT networks, causing severe disruptions and compromising the security and privacy of connected devices and their users.
Additionally, the compromised security of IoT networks due to these attacks opens the door to further exploits and unauthorized access. Once an attacker gains control over IoT devices through ARP attacks, they can leverage these compromised devices to launch more sophisticated attacks, such as botnet-based DDoS attacks or data breaches. This not only poses a threat to the IoT network itself but also to other connected systems and networks that may interact with the compromised devices.
Software-Defined Networking (SDN) has emerged as a promising paradigm for managing and securing large-scale IoT networks [10]. SDN’s centralized control enables network administrators to dynamically manage network resources and deploy security mechanisms to detect and mitigate attacks. Despite the various advantages of SDN architecture, it has two major weaknesses. Firstly, the standard SDN architecture centralizes all intelligence in a single controller, resulting in a Single Point of Failure (SPOF) and limiting scalability and performance. To overcome this, the integration of multiple controllers becomes crucial to address the SPOF problem and enhance system performance. Secondly, scalability and performance issues persist due to the limited intelligence of OpenFlow switches, which adopt a stateless approach for packet processing [11]. These switches heavily rely on the controller for network traffic forwarding and monitoring, leading to communication overhead between the data and control planes [12]. Furthermore, OpenFlow switches exhibit fixed behavior determined by the OpenFlow version, processing packets with a predefined set of actions [13,14]. This lack of flexibility makes it challenging for network administrators to customize header fields and actions according to diverse application requirements.

2. DDoS Detection-Related Works

2.1. Non-ML DDoS Detection Approaches

One method for detecting DDoS attacks relies on statistical techniques. In [15], researchers introduced a statistics-based approach to identify DDoS attacks by assessing the entropy of packet payloads. They harnessed machine learning to evaluate entropy values and categorize traffic as normal or malicious. However, this approach neglected the stateful nature of SD-IoT networks, posing challenges in detecting attacks spanning multiple packets. Zhang et al. [16] proposed a method to detect low-rate (LR) DoS attacks using Power Spectral Density (PSD). In this context, distinct PSD entropy limits were established for normal and attack groups. Their non-AI-based intrusion detection system (IDS) exhibited a trade-off between accuracy and detection rates. Another strategy involves flow-based mechanisms for DDoS detection. Xie et al. [17] leveraged traffic-flow patterns to discern DDoS attacks, demonstrating effective detection with relatively low overhead compared to other methods. However, this approach proves less effective in high network traffic scenarios, necessitating the adoption of more advanced security measures. In [18], the authors introduced a flow-based technique to uncover DDoS attacks in SDN. By employing OpenFlow switches to gather flow statistics and detect abnormal traffic patterns, this method did not account for the dynamic nature of SD-IoT networks, where devices frequently join and depart. Approaching the issue uniquely, ref. [19] introduced an innovative approach to actively detect attacks in resource-constrained cyber-physical systems, focusing on thwarted actuation attacks. These attacks disrupt communication between controllers and actuators. The proposed system comprises two core elements: (1) detection and (2) control. The detection module employs parallel detectors crafted through a multiple-model adaptive estimation strategy to identify attack occurrences and targeted actuators. The control unit employs a constrained optimization technique to compute optimal control inputs that satisfy both control and detection goals. A probabilistic framework was adopted to formulate detection and control objectives, capitalizing on available a priori information. To underscore the approach’s effectiveness, a simulation study was conducted on an irrigation channel, yielding demonstrative outcomes.

2.2. ML and DL DDoS Detection Approaches

To address the limitations inherent in statistical and flow-based methodologies, recent research endeavors have proposed an amalgamation of machine and deep learning techniques with SDN to enhance DDoS detection in IoT environments. For instance, a DDoS detection solution tailored to SDN-based IoT networks, known as LEDEM, was introduced in [20]. However, LEDEM’s effectiveness is hindered by its rigid reliance on a single classification method, rendering it inadequate for combating diverse DDoS attack types. In a similar vein, Yin et al. [21] outlined a comprehensive architecture for SD-IoT, intending to scrutinize IoT network traffic and detect DDoS attacks through network attribute analysis. Regrettably, this model’s potential is curtailed due to limitations in its ML-based categorization algorithms. Taking an innovative approach, researchers in [22] put forth a novel framework comprised of two integral components: DoS/DDoS detection and DoS/DDoS mitigation. This approach facilitates precise identification of attack types and associated packet types, thereby enabling targeted application of mitigation strategies. Operating as a multi-class classifier based on the “Looking-Back” concept, the proposed DoS/DDoS detection component was evaluated using the Bot-IoT dataset, culminating in an impressive 99.81% accuracy rate with a Looking-Back-enabled Random Forest classifier. Ullah et al. [23] contributed an anomaly-based detection system for IoT networks, featuring a multiclass classification technique employing a convolutional neural network (CNN) algorithm. Despite its commendable performance, ML approaches remain the preferred choice for intrusion detection systems (IDSs) necessitating robust security capabilities [24]. In [24], an exploration of diverse ML models revealed that the XGBoost technique consistently yielded superior performance outcomes compared to other classifiers. While the performance results were drawn from two test cases, it was acknowledged that the dataset’s scope was inadequate for comprehensively analyzing IoT network traffic behavior. To bridge the gap, Yousuf et al. [25] introduced DALCNN, leveraging OpenDayLight (ODL) as a suitable SDN controller to identify DDoS attacks in IoT. A notable limitation was observed, wherein the RNN algorithm’s training using the NSL-KDD dataset did not align with the intricacies of IoT network traffic characteristics. Another noteworthy approach involved a Deep Neural Network (DNN) method proposed in [26] to identify DDoS attacks in SDN scenarios. Test results demonstrated the efficacy of the Deep IDS system with minimal network load, and without impacting the functionality of the POX controller. Yet, refinement is warranted to enhance detection rates and minimize false alarms across multiple OpenFlow Controllers. Shifting the focus to [27], the authors introduced a framework for DDoS detection in SDN-IoT incorporating machine learning and stateful packet processing. A novel Double-Check Mapping Function (DCMF) was proposed to process packets and extract features at the data plane level. While machine learning techniques were employed to analyze the extracted features and classify traffic, the approach neglected the potential of a hierarchical, logically distributed multi-controller architecture to enhance scalability and reliability. A distinctive deep reinforcement learning (DRL)-based approach for detecting low-rate DDoS attacks in SDN was introduced by [28]. This approach embraced features such as traffic monitoring, traffic flow sampling, and a lightweight intrusion prevention system (IPS) for swift mitigation. However, the approach fell short in addressing the scalability nuances of SD-IoT networks. In a different vein, [29] proposed a novel DL approach intertwining CNN with the SD-Reg method to classify flow traffic as normal or attack. While effective in enhancing NIDSs’ ability to detect unseen intrusion events, this stateless approach necessitated testing across diverse datasets encompassing various attack scenarios. Similarly, a CNN-based system was proposed in [30] for detecting DDoS attacks in IoT networks, focusing on blocking attacks at the source. However, the evaluation on the CIC-DDoS2019 dataset highlighted its limitations in effectively analyzing IoT network traffic behavior. Lastly, a study conducted by the authors of [31] harnessed an AutoML intrusion detection framework to identify suitable supervised classifiers, subsequently crafting an optimal ensemble strategy via soft voting. The proposed framework exhibited high accuracy in detecting intrusions; however, it was recognized that the datasets employed were not the most up-to-date and did not comprehensively encompass all types of attack intrusions. Furthermore, network stateful cases were not considered.

2.3. P4-Based DDoS Detection Approaches

In [32], DDoS attack detection using P4 is addressed by implementing a hash value calculation of the source IP and MAC address in the data plane switch, which is then compared to the previously stored hash value. The detection of an attack occurs when there is no match and the time difference between the last attack and the current packet is less than 5 s. However, this method has some limitations such as increased CPU consumption at switches, inability to detect complex attack patterns, and failure to differentiate between flash and attack traffic. Febro et al. [33] proposed a source-based DDoS defense solution that detects attacks close to the source to save computational and bandwidth resources. In this approach, P4-enabled edge switches count the number of packets sent by the hosts connected to each port, and the controller compares these values with a static threshold. Once the threshold is exceeded, the controller sends a command to the P4 switch to drop all subsequent packets from the same ingress port. However, this method cannot differentiate between legitimate traffic and attack traffic, as it relies on a static threshold value. Lastly, a study conducted by the authors of [34] delved into the potential of AI and ML algorithms for automating the detection of Transmission Control Protocol (TCP) flood attacks. A comparison between Standalone and Correlated DDoS attack detection (DAD) architectures was conducted, whereby traffic feature collection and attack detection were performed locally at network switches or controllers. However, the approach failed to account for the nuanced features of IoT traffic and was confined to detecting a single type of DDoS attack. Furthermore, comprehensive dataset testing was lacking.
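To make the two data-plane checks above concrete, here is an added Python simulation (not code from Dropppp, Febro et al. or P4-HLDMC) of the per-port static-threshold counter and the source-hash mismatch rule, replayed over constructed flash-crowd and spoofed-flood traffic. The 5 s rule is implemented as "a mismatch less than 5 s after the previous mismatch on that port", which is this editor's reading of the description, and plain dicts stand in for P4 registers.

```python
"""Added simulation of the two P4 data-plane DDoS checks described above.
Python dicts stand in for P4 registers; traffic is constructed, not captured."""
from dataclasses import dataclass, field
import hashlib


@dataclass
class PortThresholdDetector:
    """Febro et al. style: count packets per ingress port against a static
    threshold; once exceeded, the controller blocks that whole port."""
    threshold: int
    counts: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def process(self, pkt):
        _ts, port, _ip, _mac = pkt
        if port in self.blocked:
            return "drop"
        self.counts[port] = self.counts.get(port, 0) + 1
        if self.counts[port] > self.threshold:
            self.blocked.add(port)  # stands in for the controller's drop rule
            return "drop"
        return "forward"


@dataclass
class HashMismatchDetector:
    """Dropppp style: hash(src IP, src MAC) per port is compared with the
    stored hash. Assumed reading of the 5 s rule: a mismatch counts as an
    attack when the previous mismatch on that port was less than `window`
    seconds earlier."""
    window: float = 5.0
    last_hash: dict = field(default_factory=dict)
    last_mismatch: dict = field(default_factory=dict)

    def process(self, pkt):
        ts, port, ip, mac = pkt
        h = hashlib.sha256(f"{ip}|{mac}".encode()).hexdigest()
        prev = self.last_hash.get(port)
        self.last_hash[port] = h
        if prev is None or prev == h:
            return "forward"
        earlier = self.last_mismatch.get(port)
        self.last_mismatch[port] = ts
        if earlier is not None and ts - earlier < self.window:
            return "attack"
        return "forward"


def replay(detector, packets):
    """Run every packet through `detector` and return the verdict list."""
    return [detector.process(p) for p in packets]


# Constructed traffic: (timestamp s, ingress port, src IP, src MAC).
# Port 1: one legitimate client sending a burst (flash traffic).
# Port 2: a flood whose source IP/MAC pair changes on every packet.
FLASH = [(i * 0.1, 1, "10.0.0.5", "aa:aa:aa:aa:aa:05") for i in range(12)]
FLOOD = [(i * 0.1, 2, f"10.0.1.{i}", f"bb:bb:bb:bb:bb:{i:02x}") for i in range(12)]

if __name__ == "__main__":
    # The static threshold cuts off the tail of both bursts alike, while the
    # hash rule only reacts when the source keeps changing.
    for name, pkts in (("flash", FLASH), ("flood", FLOOD)):
        print(name, "threshold:", replay(PortThresholdDetector(10), pkts))
        print(name, "hash:     ", replay(HashMismatchDetector(), pkts))
```

Running it shows the limitation the text names: the threshold detector treats the legitimate burst and the flood identically, whereas the hash rule passes the burst and flags the flood.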

3. ARP Detection-Related Works

Existing solutions for detecting ARP attacks involve methods such as analyzing traffic patterns, utilizing cryptographic solutions, creating flow graphs, or applying statistical techniques. However, these approaches can be time-consuming, computationally intensive, or complex in terms of processing power. Additionally, some of these methods rely on threshold-based analysis of only one parameter.

3.1. Non-ML ARP Detection Approaches

Hong et al. [35] proposed a detection mechanism that collects dynamic information about the network’s topology, including the switches, flow paths, IP addresses, and MAC addresses. By analyzing these features, the attack can be detected. Sebbar et al. [36] focused on detecting Man-in-the-Middle (MITM) and traffic redirection attacks. They check the state of a new node connecting to the controller and drop the connection if it is not labeled as “New”, indicating a potential malicious node. Additionally, suspicious delays in host responses are monitored, and responses exceeding a specific threshold are considered possible delay attacks. Zhang et al. [37] detect MITM attacks by calculating packet delays in TCP connections. They compare the mean delay of a session with predefined reference values. If the delay exceeds the threshold, it is flagged as a suspicious outlier and reported to the monitoring module. Deng et al. [38] tackle controller attacks by validating the legitimacy of Packet-In messages. When a new packet_in arrives at the controller, it is compared to the MAC addresses in the Mac-Port mapping table. If a match is found, the packet is processed; otherwise, it is dropped. Kaur [39] presented three distinct approaches for detecting ARP spoofing attacks, namely a signature-based method, a manual Wireshark packet analysis method, and a machine learning method. Among these, the Naive Bayes algorithm demonstrated the highest accuracy of 93% and the lowest false alarm rate (FAR).
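As an added controller-side illustration (not code from any of the cited papers or from P4-HLDMC), the following Python combines the Packet-In validation of Deng et al. with a binding check against the ARP spoofing described in the Introduction: a Packet-In is processed only if its source MAC is in the Mac-Port table, and an ARP reply is dropped when it claims an IP already bound to a different MAC. The page does not say how the tables are built; here they are assumed to be provisioned by the operator, and the port-consistency check is an extension of the MAC-only match.

```python
"""Added controller-side ARP/Packet-In check with constructed inputs.
Tables are assumed operator-provisioned; not code from the cited papers."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PacketIn:
    """Constructed stand-in for an OpenFlow Packet-In: only the fields inspected."""
    in_port: int
    src_mac: str
    arp_reply: bool = False   # True when the payload is an ARP reply
    sender_ip: str = ""       # ARP sender protocol address (replies only)
    sender_mac: str = ""      # ARP sender hardware address (replies only)


@dataclass
class ArpGuard:
    mac_port: dict            # assumed provisioned: known MAC -> ingress port
    ip_mac: dict              # assumed provisioned: known IP  -> MAC
    alerts: list = field(default_factory=list)

    def handle(self, pkt: PacketIn) -> str:
        # Deng et al. rule: a source MAC absent from the Mac-Port table is dropped.
        port = self.mac_port.get(pkt.src_mac)
        if port is None:
            self.alerts.append(f"unknown MAC {pkt.src_mac} on port {pkt.in_port}")
            return "drop"
        # Extension: a known MAC showing up on a different port is also suspicious.
        if port != pkt.in_port:
            self.alerts.append(f"MAC {pkt.src_mac} moved from port {port} to {pkt.in_port}")
            return "drop"
        # ARP reply claiming an IP that is bound to another MAC = spoofing attempt.
        if pkt.arp_reply:
            bound = self.ip_mac.get(pkt.sender_ip)
            if bound is not None and bound != pkt.sender_mac:
                self.alerts.append(
                    f"ARP spoof: {pkt.sender_ip} claimed by {pkt.sender_mac}, bound to {bound}")
                return "drop"
        return "process"


# Constructed tables and Packet-In sequence for two legitimate hosts.
MAC_PORT = {"aa:aa:aa:aa:aa:01": 1, "aa:aa:aa:aa:aa:02": 2}
IP_MAC = {"10.0.0.1": "aa:aa:aa:aa:aa:01", "10.0.0.2": "aa:aa:aa:aa:aa:02"}
SAMPLE = [
    PacketIn(1, "aa:aa:aa:aa:aa:01"),                                          # legitimate
    PacketIn(3, "cc:cc:cc:cc:cc:03"),                                          # unknown host
    PacketIn(2, "aa:aa:aa:aa:aa:02", True, "10.0.0.1", "aa:aa:aa:aa:aa:02"),   # claims host 1's IP
    PacketIn(2, "aa:aa:aa:aa:aa:02", True, "10.0.0.2", "aa:aa:aa:aa:aa:02"),   # consistent reply
    PacketIn(3, "aa:aa:aa:aa:aa:01"),                                          # known MAC, wrong port
]


def run(guard: ArpGuard, packets):
    """Return the controller verdict for each Packet-In in order."""
    return [guard.handle(p) for p in packets]


if __name__ == "__main__":
    guard = ArpGuard(dict(MAC_PORT), dict(IP_MAC))
    print(run(guard, SAMPLE))
    for alert in guard.alerts:
        print("ALERT:", alert)
```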

3.2. ML-Based ARP Detection Approaches

Ma et al. [40] introduced a Bayesian method to calculate the probability of an attack and employed various ML algorithms for attack detection. Despite utilizing only four features and lacking experimental data verification, the authors reported detecting the attack. In [41], ML was used to identify ARP attacks within SDN. The authors constructed a Python application within the SDN controller via Mininet, tasked with gathering and recording the requisite attack-detection features into a designated file referred to as the traffic dataset. This dataset was subsequently harnessed for both model training and attack detection purposes. The combined Convolutional Neural Network-Long Short Term Memory (CNN-LSTM) model demonstrated superior performance compared to other ML models. Overall, while some works have proposed effective methods for DDoS and ARP detection in SDN or IoT networks, there is still a need for a comprehensive framework that takes into account the stateful nature of SD-IoT networks, the dynamic topology, and the need for consistency, scalability, and reliability.

References

  1. Shah, H.; Shah, D.; Jadav, N.K.; Gupta, R.; Tanwar, S.; Alfarraj, O.; Tolba, A.; Raboaca, M.S.; Marina, V. Deep learning-based malicious smart contract and intrusion detection system for IoT environment. Mathematics 2023, 11, 418.
  2. Aldhyani, T.H.; Alkahtani, H. Cyber Security for Detecting Distributed Denial of Service Attacks in Agriculture 4.0: Deep Learning Model. Mathematics 2023, 11, 233.
  3. Omolara, A.E.; Alabdulatif, A.; Abiodun, O.I.; Alawida, M.; Alabdulatif, A.; Arshad, H. The internet of things security: A survey encompassing unexplored areas and new insights. Comput. Secur. 2022, 112, 102494.
  4. Katib, I.; Ragab, M. Blockchain-Assisted Hybrid Harris Hawks Optimization Based Deep DDoS Attack Detection in the IoT Environment. Mathematics 2023, 11, 1887.
  5. Mothukuri, V.; Khare, P.; Parizi, R.M.; Pouriyeh, S.; Dehghantanha, A.; Srivastava, G. Federated-Learning-Based Anomaly Detection for IoT Security Attacks. IEEE Internet Things J. 2021, 9, 2545–2554.
  6. Ahanger, T.A.; Tariq, U.; Dahan, F.; Chaudhry, S.A.; Malik, Y. Securing IoT Devices Running PureOS from Ransomware Attacks: Leveraging Hybrid Machine Learning Techniques. Mathematics 2023, 11, 2481.
  7. Touqeer, H.; Zaman, S.; Amin, R.; Hussain, M.; Al-Turjman, F.; Bilal, M. Smart home security: Challenges, issues and solutions at different IoT layers. J. Supercomput. 2021, 77, 14053–14089.
  8. Shieh, C.-S.; Nguyen, T.-T.; Horng, M.-F. Detection of Unknown DDoS Attack Using Convolutional Neural Networks Featuring Geometrical Metric. Mathematics 2023, 11, 2145.
  9. Ahmed, A.A.; Malebary, S.J.; Ali, W.; Alzahrani, A.A. A Provable Secure Cybersecurity Mechanism Based on Combination of Lightweight Cryptography and Authentication for Internet of Things. Mathematics 2023, 11, 220.
  10. Zhao, X.; Su, H.; Sun, Z. An Intrusion Detection System Based on Genetic Algorithm for Software-Defined Networks. Mathematics 2022, 10, 3941.
  11. Isyaku, B.; Bakar, K.B.A.; Ghaleb, F.A.; Al-Nahari, A. Dynamic Routing and Failure Recovery Approaches for Efficient Resource Utilization in OpenFlow-SDN: A Survey. IEEE Access 2022, 10, 121791–121815.
  12. Paolucci, F.; Cugini, F.; Castoldi, P.; Osiński, T. Enhancing 5G SDN/NFV edge with P4 data plane programmability. IEEE Netw. 2021, 35, 154–160.
  13. Zhang, X.; Cui, L.; Wei, K.; Tso, F.P.; Ji, Y.; Jia, W. A survey on stateful data plane in software defined networks. Comput. Netw. 2021, 184, 107597.
  14. Mahmood, A.; Casetti, C.; Chiasserini, C.F.; Giaccone, P.; Härri, J. Efficient caching through stateful SDN in named data networking. Trans. Emerg. Telecommun. Technol. 2018, 29, e3271.
  15. Long, Z.; Jinsong, W. A hybrid method of entropy and SSAE-SVM based DDoS detection and mitigation mechanism in SDN. Comput. Secur. 2022, 115, 102604.
  16. Zhang, N.; Jaafar, F.; Malik, Y. Low-rate DoS attack detection using PSD based entropy and machine learning. In Proceedings of the 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), Paris, France, 21–23 June 2019; pp. 59–62.
  17. Xie, J.; Yu, F.R.; Huang, T.; Xie, R.; Liu, J.; Wang, C.; Liu, Y. A survey of machine learning techniques applied to software defined networking (SDN): Research issues and challenges. IEEE Commun. Surv. Tutor. 2018, 21, 393–430.
  18. Hosny, K.M.; Gouda, A.E.-S.; Mohamed, E.R. New detection mechanism for distributed denial of service attacks in software defined networks. Int. J. Sociotechnol. Knowl. Dev. (IJSKD) 2020, 12, 1–30.
  19. Hosseinzadeh, M.; Sinopoli, B. Active attack detection and control in constrained cyber-physical systems under prevented actuation attack. In Proceedings of the 2021 American Control Conference (ACC), New Orleans, LA, USA, 25–28 May 2021; pp. 3242–3247.
  20. Ravi, N.; Shalinie, S.M. Learning-driven detection and mitigation of DDoS attack in IoT via SDN-cloud architecture. IEEE Internet Things J. 2020, 7, 3559–3570.
  21. Yin, D.; Zhang, L.; Yang, K. A DDoS attack detection and mitigation with software-defined Internet of Things framework. IEEE Access 2018, 6, 24694–24705.
  22. Mihoub, A.; Fredj, O.B.; Cheikhrouhou, O.; Derhab, A.; Krichen, M. Denial of service attack detection and mitigation for internet of things using looking-back-enabled machine learning techniques. Comput. Electr. Eng. 2022, 98, 107716.
  23. Ullah, I.; Mahmoud, Q.H. Design and development of a deep learning-based model for anomaly detection in IoT networks. IEEE Access 2021, 9, 103906–103926.
  24. Gad, A.R.; Nashat, A.A.; Barkat, T.M. Intrusion detection system using machine learning for vehicular ad hoc networks based on ToN-IoT dataset. IEEE Access 2021, 9, 142206–142217.
  25. Yousuf, O.; Mir, R.N. DDoS attack detection in Internet of Things using recurrent neural network. Comput. Electr. Eng. 2022, 101, 108034.
  26. Tang, T.A.; Mhamdi, L.; McLernon, D.; Zaidi, S.A.R.; Ghogho, M. Deep learning approach for network intrusion detection in software defined networking. In Proceedings of the 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM), Fez, Morocco, 26–29 October 2016; pp. 258–263.
  27. Khedr, W.I.; Gouda, A.E.; Mohamed, E.R. FMDADM: A Multi-Layer DDoS Attack Detection and Mitigation Framework Using Machine Learning for Stateful SDN-Based IoT Networks. IEEE Access 2023, 11, 28934–28954.
  28. Yungaicela-Naula, N.M.; Vargas-Rosales, C.; Pérez-Díaz, J.A.; Carrera, D.F. A flexible SDN-based framework for slow-rate DDoS attack mitigation by using deep reinforcement learning. J. Netw. Comput. Appl. 2022, 205, 103444.
  29. ElSayed, M.S.; Le-Khac, N.-A.; Albahar, M.A.; Jurcut, A. A novel hybrid model for intrusion detection systems in SDNs based on CNN and a new regularization technique. J. Netw. Comput. Appl. 2021, 191, 103160.
  30. de Assis, M.V.; Carvalho, L.F.; Rodrigues, J.J.; Lloret, J.; Proença, M.L., Jr. Near real-time security system applied to SDN environments in IoT networks using convolutional neural network. Comput. Electr. Eng. 2020, 86, 106738.
  31. Khan, M.A.; Iqbal, N.; Jamil, H.; Kim, D.-H. An optimized ensemble prediction model using AutoML based on soft voting classifier for network intrusion detection. J. Netw. Comput. Appl. 2023, 212, 103560.
  32. Simsek, G.; Bostan, H.; Sarica, A.K.; Sarikaya, E.; Keles, A.; Angin, P.; Alemdar, H.; Onur, E. Dropppp: A P4 approach to mitigating DoS attacks in SDN. In Proceedings of the Information Security Applications: 20th International Conference, WISA 2019, Jeju Island, Republic of Korea, 21–24 August 2019; Revised Selected Papers 20. pp. 55–66.
  33. Febro, A.; Xiao, H.; Spring, J. Distributed SIP DDoS defense with P4. In Proceedings of the 2019 IEEE Wireless Communications and Networking Conference (WCNC), Marrakesh, Morocco, 15–18 April 2019; pp. 1–8.
  34. Musumeci, F.; Fidanci, A.C.; Paolucci, F.; Cugini, F.; Tornatore, M. Machine-learning-enabled DDoS attacks detection in P4 programmable networks. J. Netw. Syst. Manag. 2022, 30, 21.
  35. Hong, S.; Xu, L.; Wang, H.; Gu, G. Poisoning network visibility in software-defined networks: New attacks and countermeasures. In Proceedings of the NDSS, San Diego, CA, USA, 8–11 February 2015; pp. 8–11.
  36. Sebbar, A.; Zkik, K.; Boulmalf, M.; El Kettani, M.D.E.-C. New context-based node acceptance CBNA framework for MitM detection in SDN Architecture. Procedia Comput. Sci. 2019, 160, 825–830.
  37. Zhang, K.; Qiu, X. CMD: A convincing mechanism for MITM detection in SDN. In Proceedings of the 2018 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA, 12–14 January 2018; pp. 1–6.
  38. Deng, S.; Gao, X.; Lu, Z.; Gao, X. Packet injection attack and its defense in software-defined networks. IEEE Trans. Inf. Forensics Secur. 2017, 13, 695–705.
  39. Kaur, J. Wired LAN and wireless LAN attack detection using signature based and machine learning tools. In Networking Communication and Data Knowledge Engineering: Volume 1; Springer Nature: Singapore, 2018; pp. 15–24.
  40. Ma, H.; Ding, H.; Yang, Y.; Mi, Z.; Yang, J.Y.; Xiong, Z. Bayes-based ARP attack detection algorithm for cloud centers. Tsinghua Sci. Technol. 2016, 21, 17–28.
  41. Ahuja, N.; Singal, G.; Mukhopadhyay, D.; Nehra, A. Ascertain the efficient machine learning approach to detect different ARP attacks. Comput. Electr. Eng. 2022, 99, 107757.