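Denial-of-service attack
Network packet
Forwarding plane
Computer science
Controller (irrigation)
Computer network
Application layer DDoS attack
Software-defined networking
Computer security
The Internet
World Wide Web
Agronomy
Biology
Authors
You‐Chiun Wang, Pin-Yu Su
Identifier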
DOI:10.1109/tnse.2023.3324329
Abstract
Software-defined networking (SDN) uses a controller to manage the network. Applying SDN to resist distributed denial-of-service flood (DDoS-F) attacks receives attention. A controller identifies attack flows and gives rules to switches to discard attack packets. Doing so may cause the controller to be busy and impact SDN performance. P4 switches, on the other hand, can recognize DDoS-F attacks without controller involvement. However, some non-DDoS attacks like keylogging and data theft cannot be well identified by P4 switches due to their local views. Thus, the article makes the controller and P4 switches cooperate to defend against hybrid network attacks that include both DDoS-F attacks and non-DDoS attacks. To this end, we propose a collaborative defense by control and data planes (CD2P) framework. P4 switches (i.e., data plane) find DDoS-F packets by using an entropy-aware detection scheme that can adjust thresholds based on the network status. They also report flow information (excluding DDoS-F flows) to the controller. With the deep learning technique, the controller (i.e., control plane) analyzes these reports to discover non-DDoS attacks. Hence, the controller can focus on detecting these attacks without the disturbance of many DDoS-F packets. Experimental results reveal that CD2P can quickly block DDoS-F attacks and better identify keylogging and data theft. Our contribution is to propose a novel framework for the controller and P4 switches to collaborate to defend against hybrid network attacks efficiently.