
Machine learning assisted snort and zeek in detecting DDoS attacks in software-defined networking

  • Original Research
  • International Journal of Information Technology

Abstract

The Software-Defined Network (SDN) is a network architecture that gives next-generation networks a more flexible and more efficiently controlled infrastructure. Through its programmable central controller, network operators can supervise and manage the entire infrastructure from one place. That same centralized structure, however, makes SDN a target of various attack vectors, of which Distributed Denial of Service (DDoS) has been the most successful against SDN. This study therefore proposes a Snort- and Zeek-based model, enabled with machine learning (ML), to classify benign traffic apart from DDoS attack traffic. The study's main contribution is the discovery of new features for DDoS attack detection; such attacks are hard to distinguish from authorized traffic precisely because they are spread across so many points of origin. The ML-enabled RYU controller with Snort and Zeek produced fewer false positives and a smaller variety of true positives per attack than the existing methods. The processing time of the ML-enabled Snort and Zeek setup on the real-time testbed is also better than that of the existing methods. Using open-source technologies gave a far better understanding of cyber security and of how readily available programs can be combined to build a solid network that monitors its own traffic.



Data availability statement

The data will be made available upon reasonable request by the corresponding author.


Acknowledgements

The authors thank the anonymous reviewers for the useful comments, which helped to improve the quality of the manuscript.

Funding

The work of Agbotiname Lucky Imoize is supported by the Nigerian Petroleum Technology Development Fund (PTDF) and the German Academic Exchange Service (DAAD) through the Nigerian-German Postgraduate Program under Grant 57473408.

Author information


Corresponding author

Correspondence to Cheng-Chi Lee.

Ethics declarations

Conflict of interest

The authors declare no conflict of interest related to this work.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

AbdulRaheem, M., Oladipo, I.D., Imoize, A.L. et al. Machine learning assisted snort and zeek in detecting DDoS attacks in software-defined networking. Int. j. inf. tecnol. 16, 1627–1643 (2024). https://doi.org/10.1007/s41870-023-01469-3


  • DOI: https://doi.org/10.1007/s41870-023-01469-3
