An early detection of low rate DDoS attack to SDN based data center networks using information distance metrics

The primary innovations behind Software Defined Networks (SDN) are the decoupling of the control plane from the data plane and centralizing the network management through a specialized application running on the controller. In spite of many advantages, SDN based data centers' security issues is still a matter of concern among the research communities. Although SDN becomes a valuable tool to defeat attackers, at the same time SDN itself becomes a victim of Distributed Denial-of-Service (DDoS) attacks due to the potential vulnerabilities exist across various SDN layer. The logically centralized controller is always an attractive target for DDoS attack. Hence, it is important to have a fast as well as accurate detection model to detect the control layer attack traffic at an early stage. We have employed information distance (ID) as a metric to detect the attack traffic at the controller. The ID metric can quantify the deviations of network traffic with different probability distributions. In this paper, taking the advantages of flow based nature of SDN, we proposed a Generalized Entropy (GE) based metric to detect the low rate DDoS attack to the control layer. The experimental results show that our detection mechanism improves the detection accuracy as compared to Shannon entropy and other statistical information distance metrics.