SCIENCE CHINA Information Sciences, Volume 62 , Issue 3 : 032106(2019) https://doi.org/10.1007/s11432-017-9439-7

CATH: an effective method for detecting denial-of-service attacks in software defined networks

More info
  • ReceivedNov 24, 2017
  • AcceptedMar 30, 2018
  • PublishedFeb 12, 2019



This work was supported by National Natural Science Foundation of China (Grant Nos. 61402525, 61402526, 61502528), Key Scientific Research Projects of Henan Province Education Department (Grant No. 18A520004), and Henan Province Science and Technology Projects (Grant No. 182102310925). We also thank Zhong HUA for interesting and helpful discussion on the ideas presented here.


[1] Nunes B A A, Mendonca M, Nguyen X N. A survey of software-defined networking: past, present, and future of programmable networks. IEEE Commun Surv Tut, 2014, 16: 1617-1634 CrossRef Google Scholar

[2] Kreutz D, Ramos F M V, Esteves Verissimo P. Software-Defined Networking: A Comprehensive Survey. Proc IEEE, 2015, 103: 14-76 CrossRef Google Scholar

[3] Kreutz D, Ramos F, Verissimo P. Towards secure and dependable software-defined networks. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, 2013. 55--60. Google Scholar

[4] Shin S, Gu G F. Attacking software-defined networks: a first feasibility study. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, Hong Kong, 2013. 165--166. Google Scholar

[5] Kandoi R, Antikainen M. Denial-of-service attacks in OpenFlow SDN networks. In: Proceedings of IFIP/IEEE IM 2015 Workshop: the 1st International Workshop on Security for Emerging Distributed Network Technologies (DISSECT), Ottawa, 2015. 1323--1326. Google Scholar

[6] McKeown N, Anderson T, Balakrishnan H, et al. OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Comp Commun Rev, 2008, 38: 69--74. Google Scholar

[7] Yan Q, Yu F R, Gong Q. Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges. IEEE Commun Surv Tut, 2016, 18: 602-622 CrossRef Google Scholar

[8] Shin S, Yegneswaran V, Porras P, et al. Avant-guard: scalable and vigilant switch flow management in software-defined networks. In: Proceedings of ACM SIGSAC Conference on Computer & Communications Security, Berlin, 2013. 413--424. Google Scholar

[9] Wang H P, Xu L, Gu G F. FloodGuard: a DoS attack prevention extension in software-defined networks. In: Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2015. Google Scholar

[10] Giotis K, Argyropoulos C, Androulidakis G. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Comput Networks, 2014, 62: 122-136 CrossRef Google Scholar

[11] Mousavi S M, St-Hilaire M. Early detection of DDoS attacks against SDN controllers. In: Proceedings of 2015 International Conference on Computing, Networking and Communications, Communications and Information Security, Garden Grove, 2015. 77--81. Google Scholar

[12] Braga R, Mota E, Passito A. Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: Proceedings of the 35th Annual IEEE Conference on Local Computer Networks, Denver, 2010. 408--415. Google Scholar

[13] Yao L Y, Dong P, Zhang H K. Distributed denial of service attack detection based on object character in software defined network. Chin J Electron Inform Tech, 2017, 39: 381--388. Google Scholar

[14] Porras P, Shin S, Yegneswaran V, et al. A security enforcement kernel for openflow networks. In: Proceedings of the 1st Workshop on HotSDN, SIGGCOMM. New York: ACM, 2012. 121--126. Google Scholar

[15] Shin S, Porras P, Yegneswaran V, et al. Fresco: modular composable security services for software-defined networks. In: Proceedings of NDSS, 2013. 1--15. Google Scholar

[16] Yao G, Bi J, Xiao P Y. Source address validation solution with openflow nox architecture. In: Proceedings of the 19th IEEE International Conference on Network Protocols, Vancouver, 2011. 7--12. Google Scholar

[17] Fayaz S K, Tobioka Y, Sekar V, et al. Bohatei: flexible and elastic DDoS defense. In: Proceedings of the 24th USENIX Conference on Security Symposium, Washington, 2015. 817--832. Google Scholar

[18] Mirkovic J, Reiher P. A taxonomy of DDoS attack and DDoS defense mechanisms. Comput Commun Rev, 2004, 34: 39--53. Google Scholar

[19] Zargar S T, Joshi J, Tipper D. A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks. IEEE Commun Surv Tut, 2013, 15: 2046-2069 CrossRef Google Scholar

[20] Huang Y, Geng X J, Whinston A B. Defeating DDoS attacks by fixing the incentive chain. ACM Trans Inter Tech, 2007, 7: 5. Google Scholar

[21] Thom R. Structure stability, catastrophe theory, and applied mathematics. SIAM Review. 1977, 19: 189--201. Google Scholar

[22] Stamovlasis D. Catastrophe theory: methodology, epistemology, and applications in learning science. In: Complex Dynamical Systems in Education. Berlin: Springer, 2016. 141--175. Google Scholar

[23] Guo R, Yin H, Wang D, et al. Research on the active DDoS filtering algorithm based on IP flow. In: Proceedings of IEEE 5th International Conference on Natural Computation, 2009. 628--632. Google Scholar

[24] Shin S, Yegneswaran V, Porras P, et al. Avantguard: scalable and vigilant switch flow management in software-defined networks. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, 2013. 413--424. Google Scholar

[25] Gude N, Koponen T, Pettit J, et al. NOX: towards an operating system for networks. Comput Commun Rev, 2008, 38: 105--110. Google Scholar

[26] Yao L Y, Dong P, Zhang H K. Distributed Denial of Service Attack Detection Based on Object Character in Software Defined Network. Journal of Electronics & Information Technology, 2017, 39: 381--388. Google Scholar

[27] Rauber A, Merkl D, Dittenbach M. The growing hierarchical self-organizing map: exploratory analysis of high-dimensional data.. IEEE Trans Neural Netw, 2002, 13: 1331-1341 CrossRef PubMed Google Scholar

[28] Ashraf J, Latif S. Handling intrusion and DDoS attacks in software defined networks using machine learning techniques. In: Proceedings of IEEE 2014 National Software Engineering Conference (NSEC), Event-Karachi, 2014. 55--60. Google Scholar

  • Figure 1

    (Color online) Workflow of CATH.

  • Figure 2

    (Color online) SDN-DoS attacks based on (a) forged source IP and (b) port transformation.

  • Figure 3

    Catastrophe between normal/abnormal equilibrium state.

  • Figure 4

    (Color online) CDF of the flow table matching rate in a DoS attack.

  • Figure 5

    Geometry of the cusp catastrophe model.

  • Figure 6

    (Color online) Criteria for determining network states.

  • Figure 7

    (Color online) Topology of (a) the SOHO network and (b) the larger scale enterprise network.

  • Figure 8

    (Color online) ANPF of normal and attack traffic.

  • Figure 11

    (Color online) ROC curve for the simple network.

  • Figure 12

    (Color online) ANPF of detected traffic when $t~$= 0.5 s.

  • Figure 15

    (Color online) ROC curves of CATH and GHOSM.

  • Table 1   Typical SDN-related DoS attack detection mechanisms
    Corresponding scenarioDoS detection methodBasic principle
    DoS detection in SDNAvantGuard [8]Using SYN proxy based module to verify the legality of each flow.
    FloodGuard [9]Utilizing the real-time rate of PACKET_IN messages and the infrastructure (controller memory and CPU) to identify potential flooding attacks.
    Entropy-based methods[10,11]Identifying attacks by comparing the values of selected flow features with their preset values.
    SOM-based methods[12,13]Using the self-organizing map machine learning technique for detecting SDN-aimed DoS attacks.
    SDN for DoS detectionFresco [14,15]Using the OpenFlow technology as a flow regulation tool to monitor traffic.
    VAVE [16]Utilizing the SDN architecture to validate source addresses.
    Bohatei [17]Using the flexibility of SDN to steer suspicious traffic through the defense VMs while minimizing user-perceived latency and network congestion.
  • Table 2   Detection results at different attack rates
    Attack-rate (p/s)TP or FPDetection result (%)
    $t=0.1$ s$t=0.2$ s$t=0.3$ s$t=0.4$ s$t=0.5$ s