A flexible SDN-based framework for slow-rate DDoS attack mitigation by using deep reinforcement learning

Yungaicela-Naula, Noe M.; Vargas-Rosales, César; Díaz, Jesús Arturo Pérez; Carrera, Diego Fernando

doi:10.1016/j.jnca.2022.103444

Cited by 41 publications

(34 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1 and Appendix C). Second, the few prior works that study emulated infrastructures similar to ours either consider static attackers in fully observed environments [28]- [31], [36], [37], [48], [51], [120] or focus on use cases that are different from the one considered in this article [120], [121].…”

Section: A Learning Equilibrium Strategies Through Self-playmentioning

confidence: 99%

“…A large number of studies have focused on applying reinforcement learning to use cases similar to the intrusion response use case we discuss in this paper [9]- [11], [17]- [52], [64], [72]. These works use a variety of models, including MDPs [20], [23], [25], [26], [31], [34], [36], [42], [51], [52], [64], Stochastic games [10], [18], [28], [33], [45], [72], attack graphs [35], Petri nets [43], and POMDPs [9], [11], [21], [27], as well as various reinforcement learning algorithms, including Q-learning [18], [20], [23], [40], [43], [48], [64], [69], SARSA [21], PPO [10], [11], [34], [35], [37], hierarchical reinforcement learning [25], DQN [26], [36]-…”

Section: Reinforcement Learning For Automated Intrusion Responsementioning

confidence: 99%

“…Some prior work on automated learning of security strategies that make use of emulation are: [48], [28], [29], [30], [31], [36], [47], [49], [51], [53], and [37]. They either emulate software-defined networks based on Mininet [161] or use custom testbeds.…”

Section: Reinforcement Learning For Automated Intrusion Responsementioning

confidence: 99%

“…This novel formulation allows us a) to derive and prove structural properties of optimal strategies; and b) to find defender strategies that are effective against an attacker with a dynamic strategy. We thus address a key limitation of many related works, which only consider static attackers [9], [11], [17], [20], [21], [23], [25]- [27], [31], [36], [37], [39], [40], [42], [48], [51]- [53], [60]- [65]. Second, we propose T-FP, an efficient reinforcement learning algorithm that exploits threshold properties of optimal stopping strategies and outperforms a state-of-the-art algorithm for our use case.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Learning Near-Optimal Intrusion Responses Against Dynamic Attackers

Hammar¹,

Stadler²

2023

Preprint

View full text Add to dashboard Cite

We study automated intrusion response and formulate the interaction between an attacker and a defender as an optimal stopping game where attack and defense strategies evolve through reinforcement learning and self-play. The gametheoretic modeling enables us to find defender strategies that are effective against a dynamic attacker, i.e. an attacker that adapts its strategy in response to the defender strategy. Further, the optimal stopping formulation allows us to prove that optimal strategies have threshold properties. To obtain nearoptimal defender strategies, we develop Threshold Fictitious Self-Play (T-FP), a fictitious self-play algorithm that learns Nash equilibria through stochastic approximation. We show that T-FP outperforms a state-of-the-art algorithm for our use case. The experimental part of this investigation includes two systems: a simulation system where defender strategies are incrementally learned and an emulation system where statistics are collected that drive simulation runs and where learned strategies are evaluated. We argue that this approach can produce effective defender strategies for a practical IT infrastructure.

show abstract

Section: A Learning Equilibrium Strategies Through Self-playmentioning

confidence: 99%

Section: Reinforcement Learning For Automated Intrusion Responsementioning

confidence: 99%

Section: Reinforcement Learning For Automated Intrusion Responsementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Learning Near-Optimal Intrusion Responses Against Dynamic Attackers

Hammar¹,

Stadler²

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…In order to monitor the risks of the occurrence of such situations, it is necessary to monitor the time parameters of the traffic flow constantly. However, the analysis of the averaged values of the traffic characteristics gives us a smoothed view of the process, in which it is not possible to track the appearance of load fluctuations, which are characteristic of heterogeneous traffic "Triple Play" (voice + video + data) or "Quadruple Play" (voice + video + data + mobile subscribers) [23].…”

Section: Literature Reviewmentioning

confidence: 99%

Monitoring of Link-Level Congestion in Telecommunication Systems Using Information Criteria

Yakymchuk

Selepyna²,

Yevsiuk³

et al. 2022

IAPGOS

View full text Add to dashboard Cite

The successful functioning of telecommunication networks largely depends on the effectiveness of algorithms for detection and protection against overloads. The article describes the main differences that arise when forecasting, monitoring and managing congestion at the node level and at the channel level. An algorithm for detecting congestion by estimating the entropy of time distributions of traffic parameters is proposed. The entropy measures of data sets for various types of model distribution, in particular for the Pareto distribution, which optimally describes the behavior of self-similar random processes, were calculated and analyzed. The advantages of this approach include scalability, sensitivity to changes in distributions of traffic characteristics and ease of implementation and accessible interpretation.

show abstract

K‐DDoS‐SDN: A distributed DDoS attacks detection approach for protecting SDN environment

Kaur,

Krishna,

Patil

2023

Concurrency and Computation

View full text Add to dashboard Cite

SummarySoftware‐defined networking (SDN) is an advanced networking paradigm that decouples forwarding control logic from the data plane. Therefore, it provides a loosely‐coupled architecture between the control and data plane. This separation provides flexibility in the SDN environment for addressing any transformations. Further, it delivers a centralized way of managing networks due to control logic embedded in the SDN controller. However, this advanced networking paradigm has been facing several security issues, such as topology spoofing, exhausting bandwidth, flow table updating, and distributed denial of service (DDoS) attacks. A DDoS attack is one of the most powerful menaces to the SDN environment. Further, the central data controller of SDN becomes the primary target of DDoS attacks. In this article, we propose a Kafka‐based distributed DDoS attacks detection approach for protecting the SDN environment named K‐DDoS‐SDN. The K‐DDoS‐SDN consists of two modules: (i) Network traffic classification (NTClassification) module and (ii) Network traffic storage (NTStorage) module. The NTClassification module is the detection approach designed using scalable H2O ML techniques in a distributed manner and deployed an efficient model on the two‐nodes Kafka Streams cluster to classify incoming network traces in real‐time. The NTStorage module collects raw packets, network flows, and 21 essential attributes and then systematically stores them in the HDFS to re‐train existing models. The proposed K‐DDoS‐SDN designed and evaluated using the recent and publically available CICDDoS2019 dataset. The average classification accuracy of the proposed distributed K‐DDoS‐SDN for classifying network traces into legitimate and one of the most popular attacks, such as DDoS_UDP is 99.22%. Further, the outcomes demonstrate that proposed distributed K‐DDoS‐SDN classifies traffic traces into five categories with at least 81% classification accuracy.

show abstract

A flexible SDN-based framework for slow-rate DDoS attack mitigation by using deep reinforcement learning

Cited by 41 publications

References 22 publications

Learning Near-Optimal Intrusion Responses Against Dynamic Attackers

Learning Near-Optimal Intrusion Responses Against Dynamic Attackers

Monitoring of Link-Level Congestion in Telecommunication Systems Using Information Criteria

K‐DDoS‐SDN: A distributed DDoS attacks detection approach for protecting SDN environment

Contact Info

Product

Resources

About