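Computer science
Scalability
Computer security
Anomaly detection
Intrusion detection system
Firewall (physics)
Deep packet inspection
OpenFlow
Network packet
Computer network
Network security
Software-defined networking
Denial-of-service attack
Real-time computing
Data mining
Internet
Operating system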
Authors
Dan Tang, Xiyin Wang, Yudong Yan, Dongshuo Zhang, Huan Zhao
Identifier
DOI:10.1016/j.comcom.2021.10.007
Abstract
Low-rate Denial of Service (LDoS) attacks cause severe destructiveness to network security. Consequently, the implementation of detection and defense against them is a concern among the research communities. But it is formidable to deploy extension modules to detect and mitigate attacks online in traditional networks, because devices are deficient in flexibility and scalability. To address the problem, we design and implement an online attack detection and mitigation system (ADMS) framework via the scalable and programmable Software Defined Networking (SDN). ADMS is installed on SDN controllers and conforms to the OpenFlow policy without extra devices. ADMS consists of two modules: the two-phase detection module and the mitigation module. The two-phase detection module combines the new port traffic feature and the LightGBM classifier based on flow table statistics traffic to precisely detect LDoS attacks. The mitigation module utilizes the novel Sequence Matching based Dynamic Series Analysing (SMDSA) algorithm to locate the attacker, and efficiently mitigates attack traffic by packet filter. The SMDSA algorithm distinguishes the victim port from benign ports by calculating the anomaly score of each port. Our evaluation on a prototype implementation of ADMS shows that the framework is able to precisely identify and efficiently mitigate LDoS attacks in real-time.