Detecting Saturation Attacks in Software-Defined Networks

Software-Defined Networking (SDN) is a new networking paradigm that has revolutionized network architectures. The separation of data and control planes improves the efficiency of packet delivery. However, there exist various security attacks against SDN systems. For example, a saturation attack may disturb the normal delivery of packets and even make the SDN system out of service by flooding the data plane, the control plane, or both. This paper presents an anomaly detection method, called SA-Detector, for dealing with a family of saturation attacks. SA Detector builds upon the study of self-similarity of OpenFlow traffic, which has shown that the normal and abnormal traffic patterns between the controller and the OpenFlow switches have different characteristics. We have evaluated the performance of SA-Detector with different time scales, network scales, Internet applications, and attack implementations. The experimental results show that the average accuracy is 96.54% and the average precision is 92.06%. This indicates that SA-Detector is effective for detecting saturation attacks.