DDoS Attack Detection in SDN Using CUSUM

Abstract

Software Defined Networking (SDN) is a network paradigm which separates the control plane from data plane. Due to this separation, SDN gives the advantages of programmability, flexibility, and centralized control to the network. However, SDN requires communication between the data plane and control plane, which may create a bottleneck in the network due to limited bandwidth. In addition, there may be a possibility of an attack over centralized controller. Because of the abovementioned requirement and issue, SDN may be a victim of DoS/DDoS attack. In this paper, detection of DDoS attack is carried out by periodically monitoring TCP handshake packets. It is based on TCP protocol behavior. It applies the cumulative sum (CUSUM) algorithm to detect change point in number of half-open connections. It is implemented in the controller. We have compared our work with existing DDoS solutions with CUSUM and shown that our method gives better results.