Detecting and Mitigating DDoS Attacks in SDN Using Spatial-Temporal Graph Convolutional Network
| Published in | IEEE transactions on dependable and secure computing Vol. 19; no. 6; pp. 3855 - 3872 |
|---|---|
| Main Authors | , , , , , |
| Format | Journal Article |
| Language | English |
| Published | Washington, IEEE, 01.11.2022, IEEE Computer Society |
| ISSN | 1545-5971 1941-0018 |
| DOI | 10.1109/TDSC.2021.3108782 |
| Summary: | With the development of data plane programmable Software-Defined Networking (SDN), Distributed Denial of Service (DDoS) attacks on the data plane are becoming increasingly fatal. Currently, traditional attack detection methods are mainly used to detect whether a DDoS attack occurs, and it is difficult to find the path that the attack flow takes through the network, which makes it difficult to accurately mitigate DDoS attacks. In this article, we propose a detection method based on Spatial-Temporal Graph Convolutional Network (ST-GCN) over the data plane programmable SDN, which maps the network into a graph. It senses the state of switches through In-band Network Telemetry (INT) with sampling, inputs the network state into the spatial-temporal graph convolutional network detection model, and finally finds the switches through which DDoS attack flows pass. Based on this, we propose a defense method that combines an enhanced whitelist with a precise dropping strategy, which can effectively mitigate DDoS attacks and minimize the impact on legitimate network traffic. The evaluation results show that our detection method can accurately detect the path that the DDoS attack flows pass through, and can effectively mitigate the DDoS attack. Compared to classic methods, our method improves the detection accuracy by nearly 10%. At the same time, the southbound interface load and CPU overhead brought by our detection and defense process are much lower than those of the classic methods. |
|---|---|