XGBoost Classifier for DDOS Attack Detection in Software Defined Network Using sFlow Protocol

Nadhir Fachrul Rozam, Mardhani Riasetiawan


From a security perspective, Software Defined Network (SDN) separates security concerns into Control Plane and Data Plane. The Control Plane is responsible for managing the entire network centrally. Centralized SDN generates high vulnerability against the Distributed Denial of Service (DDOS). When the Software Defined Network overwhelms by DDOS, both Control Plane and Data Plane will lack resources. It can cause the SDN to fail to work if not detected early. Using the ability of sFlow Protocol to capture the flow traffic in real time, the data could be used to detect DDOS attacks. This sFlow sampling approach can reduce the workload of the network by lower down the processing in switches. This paper uses Extreme Gradient Boosting (XGBoost), Support Vector Machine (SVM), and Random Forest as detection methods. We use ONOS as SDN Controller and build the topology in GNS3. Prometheus retrieves data from the sFlow Collector as a time series database. The classifier then uses the data from Prometheus for DDOS detection. For the dataset, we use four different datasets. Datasets 1 and 2 consist of 6109 data, each divided into two classes and three classes. Datasets 3 and 4 consist of 400488 data divided into 2 and 3 classes, respectively. The evaluation results have proved the effectiveness of the proposed method. XGBoost has the highest accuracy of another algorithm. The best accuracy is 99.84% using Dataset 4 as the training set.


Software defined network; sFlow; distributed denial of service; extreme gradient boosting

Full Text:



Y. Zhao, Y. Li, X. Zhang, G. Geng, W. Zhang, and Y. Sun, “A Survey of Networking Applications Applying the Software Defined Networking Concept Based on Machine Learning,†IEEE Access, vol. 7, pp. 95397–95417, 2019, doi: 10.1109/ACCESS.2019.2928564.

Q. Yan, F. R. Yu, Q. Gong, and J. Li, “Software-defined networking (SDN) and distributed denial of service (DDOS) attacks in cloud computing environments: A survey, some research issues, and challenges,†IEEE Commun. Surv. Tutorials, vol. 18, no. 1, pp. 602–622, 2016, doi: 10.1109/COMST.2015.2487361.

S. Gupta and D. Grover, “A Comprehensive Review on Detection of DDoS Attacks using ML in SDN Environment,†Proc. - Int. Conf. Artif. Intell. Smart Syst. ICAIS 2021, pp. 1158–1163, 2021, doi: 10.1109/ICAIS50930.2021.9395987.

S. Kaur, K. Kumar, and N. Aggarwal, “Analysis of DDoS Attacks in Software Defined Networking,†2022 IEEE Delhi Sect. Conf. DELCON 2022, 2022, doi: 10.1109/DELCON54057.2022.9753224.

N. Sultana, N. Chilamkurti, W. Peng, and R. Alhadad, “Survey on SDN based network intrusion detection system using machine learning approaches,†Peer-to-Peer Netw. Appl., vol. 12, no. 2, pp. 493–501, 2019, doi: 10.1007/s12083-017-0630-0.

Y. Cui et al., “Towards DDoS detection mechanisms in Software-Defined Networking,†J. Netw. Comput. Appl., vol. 190, no. November 2020, p. 103156, 2021, doi: 10.1016/j.jnca.2021.103156.

M. P. Singh and A. Bhandari, “New-flow based DDoS attacks in SDN: Taxonomy, rationales, and research challenges,†Comput. Commun., vol. 154, no. March, pp. 509–527, 2020, doi: 10.1016/j.comcom.2020.02.085.

B. Mladenov, “Studying the DDoS Attack Effect over SDN Controller Southbound Channel,†in 2019 X National Conference with International Participation (ELECTRONICA), May 2019, pp. 1–4, doi: 10.1109/ELECTRONICA.2019.8825601.

Institute of Electrical and Electronics Engineers, “Detection of DDoS in SDN Environment Using Entropy-based Detection,†in 2019 IEEE International Symposium on Technologies for Homeland Security (HST), Nov. 2019, pp. 1–4, doi: 10.1109/HST47167.2019.9032893.

R. Neres Carvalho, J. Luiz Bordim, and E. Adilio Pelinson Alchieri, “Entropy-based DoS attack identification in SDN,†in Proceedings - 2019 IEEE 33rd International Parallel and Distributed Processing Symposium Workshops, IPDPSW 2019, May 2019, pp. 627–634, doi: 10.1109/IPDPSW.2019.00108.

U. Ahmed, J. C. W. Lin, and G. Srivastava, “Network-Aware SDN Load Balancer with Deep Active Learning based Intrusion Detection Model,†Proc. Int. Jt. Conf. Neural Networks, vol. 2021-July, 2021, doi: 10.1109/IJCNN52387.2021.9534424.

B. H. Lawal and A. T. Nuray, “Real-time detection and mitigation of distributed denial of service (DDoS) attacks in software defined networking (SDN),†26th IEEE Signal Process. Commun. Appl. Conf. SIU 2018, pp. 1–4, 2018, doi: 10.1109/SIU.2018.8404674.

M. Imran, M. H. Durad, F. A. Khan, and H. Abbas, “DAISY: A Detection and Mitigation System against Denial-of-Service Attacks in Software-Defined Networks,†IEEE Syst. J., vol. 14, no. 2, pp. 1933–1944, 2020, doi: 10.1109/JSYST.2019.2927223.

P. Maity, S. Saxena, S. Srivastava, K. S. Sahoo, A. K. Pradhan, and N. Kumar, “An Effective Probabilistic Technique for DDoS Detection in OpenFlow Controller,†IEEE Syst. J., vol. 16, no. 1, pp. 1345–1354, 2022, doi: 10.1109/JSYST.2021.3110948.

Y. Wang, T. Hu, G. Tang, J. Xie, and J. Lu, “SGS: Safe-Guard Scheme for Protecting Control Plane Against DDoS Attacks in Software-Defined Networking,†IEEE Access, vol. 7, pp. 34699–34710, 2019, doi: 10.1109/ACCESS.2019.2895092.

F. Khashab, J. Moubarak, A. Feghali, and C. Bassil, “DDoS Attack Detection and Mitigation in SDN using Machine Learning,†Proc. 2021 IEEE Conf. Netw. Softwarization Accel. Netw. Softwarization Cogn. Age, NetSoft 2021, pp. 395–401, 2021, doi: 10.1109/NetSoft51509.2021.9492558.

C. B. Zerbini, L. F. Carvalho, T. Abrão, and M. L. Proença, “Wavelet against random forest for anomaly mitigation in software-defined networking,†Appl. Soft Comput. J., vol. 80, pp. 138–153, 2019, doi: 10.1016/j.asoc.2019.02.046.

R. Santos, D. Souza, W. Santo, A. Ribeiro, and E. Moreno, “Machine learning algorithms to detect DDoS attacks in SDN,†Concurr. Comput. Pract. Exp., vol. 32, no. 16, pp. 1–14, 2020, doi: 10.1002/cpe.5402.

M. Myint Oo, S. Kamolphiwong, T. Kamolphiwong, and S. Vasupongayya, “Advanced Support Vector Machine-(ASVM-) based detection for Distributed Denial of Service (DDoS) attack on Software Defined Networking (SDN),†J. Comput. Networks Commun., vol. 2019, 2019, doi: 10.1155/2019/8012568.

K. S. Sahoo et al., “An Evolutionary SVM Model for DDOS Attack Detection in Software Defined Networks,†IEEE Access, vol. 8, pp. 132502–132513, 2020, doi: 10.1109/ACCESS.2020.3009733.

R. Fadaei, O. Ermiş, and E. Anarim, “A DDoS attack detection and countermeasure scheme based on DWT and auto-encoder neural network for SDN,†Comput. Networks, vol. 214, no. March, p. 109140, 2022, doi: 10.1016/j.comnet.2022.109140.

R. M. A. Ujjan, Z. Pervez, K. Dahal, A. K. Bashir, R. Mumtaz, and J. González, “Towards sFlow and adaptive polling sampling for deep learning based DDoS detection in SDN,†Futur. Gener. Comput. Syst., vol. 111, pp. 763–779, 2020, doi: 10.1016/j.future.2019.10.015.

M. Wang, Y. Lu, and J. Qin, “Source-Based Defense Against DDoS Attacks in SDN Based on sFlow and SOM,†IEEE Access, vol. 10, pp. 2097–2116, 2022, doi: 10.1109/ACCESS.2021.3139511.

Z. A. El Houda, A. S. Hafid, and L. Khoukhi, “A Novel Machine Learning Framework for Advanced Attack Detection using SDN,†2021 IEEE Glob. Commun. Conf. GLOBECOM 2021 - Proc., 2021, doi: 10.1109/GLOBECOM46510.2021.9685643.

H. A. Alamri and V. Thayananthan, “Bandwidth control mechanism and extreme gradient boosting algorithm for protecting software-defined networks against DDoS attacks,†IEEE Access, vol. 8, pp. 194269–194288, 2020, doi: 10.1109/ACCESS.2020.3033942.

S. Sirijaroensombat, C. P. Nangsue, and C. Aswakul, “Development of software-defined mesh network emulator testbed for DDoS defence study,†2019 IEEE 4th Int. Conf. Comput. Commun. Syst. ICCCS 2019, pp. 468–472, 2019, doi: 10.1109/CCOMS.2019.8821667.

P. Berde et al., “ONOS: Towards an Open, Distributed SDN OS,†pp. 1–6, 2014, doi: 10.1145/2620728.2620744.

TRex, “Cisco T-Rex: Realistic traffic generator.,†https://trex-tgn.cisco.com/. https://trex-tgn.cisco.com/ (accessed May 21, 2022).

O. N. Foundation, “Software-Defined Networking: The New Norm for Networks [white paper],†ONF White Pap., pp. 1–12, 2012, doi: citeulike-article-id:12475417.

A. T. Kyaw, M. Zin Oo, and C. S. Khin, “Machine-Learning Based DDOS Attack Classifier in Software Defined Network,†in 2020 17th International Conference on Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology (ECTI-CON), Jun. 2020, pp. 431–434, doi: 10.1109/ECTI-CON49241.2020.9158230.

K. Smida, H. Tounsi, M. Frikha, and Y. Q. Song, “Efficient SDN Controller for Safety Applications in SDN-Based Vehicular Networks: POX, Floodlight, ONOS or OpenDaylight?,†2020 8th Int. Conf. Commun. Networking, ComNet2020 - Proc., pp. 1–6, 2020, doi: 10.1109/ComNet47917.2020.9306095.

A. Bader, O. Kopp, and M. Falkenthal, “Survey and Comparison of Open Source Time Series Databases,†Gesellschaft für Inform., vol. P-266, pp. 249–268, 2017.

T. Chen and C. Guestrin, “XGBoost: A Scalable Tree Boosting System,†in Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Aug. 2016, vol. 42, no. 8, pp. 785–794, doi: 10.1145/2939672.2939785.

J. Singh and S. Behal, “Detection and mitigation of DDoS attacks in SDN: A comprehensive review, research challenges and future directions,†Comput. Sci. Rev., vol. 37, p. 100279, 2020, doi: 10.1016/j.cosrev.2020.100279.

A. A. Alashhab, M. S. M. Zahid, M. A. Azim, M. Y. Daha, B. Isyaku, and S. Ali, “A Survey of Low Rate DDoS Detection Techniques Based on Machine Learning in Software-Defined Networks,†Symmetry (Basel)., vol. 14, no. 8, p. 1563, Jul. 2022, doi: 10.3390/sym14081563.

DOI: http://dx.doi.org/10.18517/ijaseit.13.2.17810


  • There are currently no refbacks.

Published by INSIGHT - Indonesian Society for Knowledge and Human Development