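Computer science
Denial-of-service attack
Reinforcement learning
Software-defined networking
Scalability
Intrusion detection system
Application layer DDoS attack
Forwarding plane
Computer network
Trinoo
Computer security
Artificial intelligence
Operating system
The Internet
Network packet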
Authors
Noe M. Yungaicela-Naula, Cesar Vargas‐Rosales, Jesús Arturo Pérez Díaz, Diego Fernando Carrera
Identifier
DOI:10.1016/j.jnca.2022.103444
Abstract
Distributed Denial-of-Service (DDoS) attacks are difficult to mitigate with existing defense tools. Fortunately, it has been demonstrated that Software-Defined Networking (SDN) with machine learning (ML) and deep learning (DL) techniques has a high potential to handle these threats effectively. However, although there are many SDN-based solutions for detecting DDoS attacks, only a few contain mitigation strategies. Additionally, most previous studies have focused on solving high-rate DDoS attacks. For the time being, recent slow-rate DDoS threats are hard to detect and mitigate. In this work, we propose a modular, flexible, and scalable SDN-based framework that integrates a DL-based intrusion detection system (IDS) and a deep reinforcement learning (DRL)-based intrusion prevention system (IPS) to address slow-rate DDoS threats. We incorporated scalability features into this framework, such as data-plane-based traffic monitoring and traffic flow sampling. Moreover, we have designed a lightweight DRL-based IPS to provide rapid mitigation responses. Furthermore, to evaluate the framework, we deployed a data center network using Mininet, Open Network Operating System (ONOS) controller, and Apache Web server. Next, we performed extensive experiments varying the number of attackers and the rate of attack connections. The proposed IDS achieved an average detection rate of 98%, with a flow sampling rate of 30%. In addition, IPS timely mitigated slow-rate DDoS with 100% of success for a few attackers. Taken together, these results show that the proposed framework provides effective responses to malicious and legitimate connections.