FMDADM: A Multi-Layer DDoS Attack Detection and Mitigation Framework Using Machine Learning for Stateful SDN-Based IoT Networks

The absence of standards and the diverse nature of the Internet of Things (IoT) have made security and privacy concerns more acute. Attacks such as distributed denial of service (DDoS) are becoming increasingly widespread in IoT, and the need for ways to stop them is growing. The use of newly formed Software-Defined Networking (SDN) significantly lowers the computational burden on IoT network nodes and makes it possible to perform more security measurements. This paper proposes an SDN-based, four module DDoS attack detection and mitigation framework for IoT networks called FMDADM. The proposed FMDADM framework comprises four main modules and five-tier architecture. The first module implements an early detection process based on the average drop rate (ADR) principle using a 32-packet window size. The second module uses a novel double-check mapping function (DCMF), that aids in earlier attack detection at the data plane level. The third module is an ML-based detection application comprising four phases: data preprocessing, feature extraction, training and testing, and classification. This module detects DDoS attacks using only seven features: two selected and five newly computed features. The last module introduces an attack mitigation process. We applied the proposed framework to three test cases: one single-node attack test case and two multi-node attack test cases, all with real IoT traffic generated and deployed in Mininet-IoT. The proposed FMDADM framework efficiently detects DDoS attacks at high and low rates, can discriminate between attack traffic and flash crowds, and protects both local and remote IoT nodes by preventing infection from propagating to the ISP level. The FMDADM outperformed most existing cutting-edge approaches across ten different evaluation criteria. According to the experimental results, FMDADM achieved the following accuracy, precision, F-measure, recall, specificity, negative predictive value, false positive rate, false detection rate, false negative rate, and average detection time benchmarks:-99.79%, 99.43%, 99.77%, 99.79%, 99.95%, 00.21%, 00.91%, 00.23%, and 2.64 mu s, respectively.