DataPlane-ML: An integrated attack detection and mitigation solution for software defined networks

Software defined network (SDN) is a paradigm that emphasizes the separation of the control plane from the data plane, offering advantages such as flexibility and programmability. However, from a security perspective, SDN also introduces new vulnerabilities due to the communication required between these planes. SYN Flood attacks are typical distributed denial-of-service (DDoS) attacks that especially challenge network administrators since they produce a large volume of semi-open TCP connections to a target, compromising its availability. Most of the current solutions to detect and mitigate these attacks are designed to operate at the control plane, imposing an additional overhead on controller functions. Moreover, traffic-blocking mechanisms, a widely used alternative to protect network resources, have the drawback of restricting legitimate traffic. This work proposes DataPlane-ML, an integrated solution to detect and mitigate DDoS attacks on SDN, acting directly in the data plane. DataPlane-ML uses machine learning techniques for attack detection and a mitigation solution based on the node's reputation to avoid blocking legitimate traffic during an attack. Experimental results show that DataPlane-ML is approximate to 26%$$ \approx 26\% $$ faster than statistical-based solutions for attack detection while presenting better accuracy. Moreover, the DataPlane-ML mitigation solution can preserve more than 95%$$ 95\% $$ of legitimate traffic during an attack.