STDC: A SDN-Oriented Two-Stage DDoS Detection and Defence System Based on Clustering
| Published in | 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications / 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 339-347 |
|---|---|
| Main Authors | , , , | 
| Format | Conference Proceeding | 
| Language | English | 
| Published | IEEE, 01.08.2018 |
| Subjects | |
| ISSN | 2324-9013 | 
| DOI | 10.1109/TrustCom/BigDataSE.2018.00059 | 
| Summary: | DDoS has now become the most severe security problem of the Internet. Without timely reporting, a DDoS attack can knock down the victim in no time by exhausting the victim's computing and communication resources. In this paper we propose STDC, a DDoS defense system. STDC is a two-stage system based on clustering. In the first stage, STDC leverages the benefits of SDN and NFV to apply a flow-based detection method. STDC uses the gathered flow information to do clustering. Since we use cluster analysis as the basic detection algorithm, STDC can easily separate DDoS attacks from legitimate flash crowds. In the second stage, we extract attack traffic patterns from the clustering result of the first stage to make blocking rules and use the structure of SDN to quickly dispatch them to achieve effective and efficient DDoS mitigation. We test STDC using a public DDoS dataset and traffic captured through the gateway. Both experiments achieve good detection precision and a high filtering ratio. |
|---|---|