Advanced Support Vector Machine-(ASVM-) Based Detection for Distributed Denial of Service (DDoS) Attack on Software Defined Networking (SDN)

Software Defined Networking (SDN) has many advantages over a traditional network. The great advantage of SDN is that the network control is physically separated from the forwarding devices. SDN can solve many security issues of a legacy network. Nevertheless, SDN has many security vulnerabilities, and the biggest of them is the Distributed Denial of Service (DDoS) attack. The DDoS attack on SDN has become an important problem, and a variety of methods have been applied for detection and mitigation. The objectives of this paper are to propose an SDN-based detection method for DDoS attacks that disturbs legitimate users' activities as little as possible, and to propose the Advanced Support Vector Machine (ASVM) technique as an enhancement of the existing Support Vector Machine (SVM) algorithm for detecting DDoS attacks. The ASVM technique is a multiclass classification method with three classes. In this paper, we successfully detect two types of flooding-based DDoS attacks. Our detection technique reduces the training time as well as the testing time by using two kinds of features, namely, the volumetric and the asymmetric features. We evaluate the results by measuring the false alarm rate, the detection rate, and the accuracy. The detection accuracy of our technique is approximately 97%, with the fastest training and testing time.


Introduction
Nowadays, networking technologies are gradually being developed for advanced infrastructure. With the development of advanced technologies, the explosion of mobile devices, server virtualization techniques, and cloud services put pressure on the traditional network architecture. Most traditional network architectures are hierarchical arrangements built around a client-server model. Today's applications access different databases and servers in different network domains; therefore, cases with multiple clients and multiple servers are expected, and the traffic patterns may not be the same. Enterprise public and private cloud services want to provide the agility to access applications, infrastructure, and other IT resources on demand. This can be addressed by using Software Defined Networking (SDN) to provide the network infrastructure. SDN plays an important role in overcoming the limitations of traditional networking. The most obvious feature of SDN is the decoupling of the data plane and the control plane. The control plane determines where to send the traffic, and the data plane executes this decision and actually forwards the traffic. Although SDN has many advantages, some challenging issues remain to be solved. One of the big challenges is SDN security. There are many kinds of network attacks on SDN. Among them, the Distributed Denial of Service (DDoS) attack is very well known and has the highest impact on SDN [1]. There is a variety of research on the detection of DDoS attacks on SDN networks [2].
In this paper, we propose the Advanced Support Vector Machine (ASVM) technique as an enhancement of the existing Support Vector Machine (SVM) algorithm to detect DDoS attacks. We have explored three research problems with our proposed technique [3]. The first problem is the extension of the SVM algorithm to the multiclass problem. When the SVM algorithm is applied to DDoS attack detection on an SDN network, some of the network traffic attributes are multivalued. However, SVM was originally designed for binary classification; therefore, multiclass classification is a major obstacle to applying SVM. The second problem is the long training and testing time required by the SVM algorithm. The SVM classifier gives a low false-positive rate and a high classification accuracy, but it takes more time to train and test for attack detection. The third problem is the efficiency of the SDN-enabled centralized network. In previously proposed SDN architectures, the network used only a single controller; therefore, using multiple controllers is the most important issue for our proposed network infrastructure. Our contributions are summarized as follows.
We create test cases of the proposed model by using Miniedit and OpenDaylight controllers [4]. In the traffic generation process, we generate normal traffic, UDP flooding DDoS attack traffic [5], and SYN flooding DDoS attack traffic [6]. In the traffic collection process, we collect the traffic from each switch. In the feature generation process, we generate the volumetric features (the average number of packets in a flow and the average number of flow bytes) and the asymmetric features (the variation of the packets in a flow, the variation of the flow bytes, and the average duration of the traffic in the sampling interval). In the classification process, we propose the Advanced Support Vector Machine (ASVM) method. In the evaluation process, we evaluate the classification result by measuring the false alarm rate, the detection rate, and the accuracy. The paper is organized as follows: in the second section, we survey a number of works related to our proposed method. In the third section, we discuss the theoretical background of our research, Software Defined Networking and the Distributed Denial of Service (DDoS) attack. In the fourth section, we present the architecture of our proposed system. In the fifth section, we provide the implementation details of the proposed detection system. In the sixth section, we briefly discuss the experimental results. We discuss the performance evaluation of our results in the seventh section. Lastly, the eighth section concludes our work and outlines future work.

Related Works
There are two kinds of DDoS detection techniques: signature-based detection and anomaly-based detection. Signature-based detection matches traffic against patterns of known attacks; anomaly-based detection models normal network behaviour and flags deviations from it, commonly by using machine-learning techniques. Commonly used machine learning techniques for DDoS attack detection include the artificial neural network (ANN), Support Vector Machine (SVM), Fuzzy Logic, decision tree, evolutionary algorithms, Naive Bayes, and k-means clustering. ANN has been used in research on the detection of known and unknown DDoS attacks [7], which shows that the DDoS attack on the SDN controller can be detected with noticeable accuracy, preventing serious damage to the controller. The perceptron neural network was used in [7], and the evaluation results showed that a significant improvement in the detection rate was achieved, together with a reduction in the false alarm rate, in comparison with the closest previous work. Furthermore, their system was able to maintain the average detection time at an acceptable level. As future work, they would investigate an efficient method to mitigate the attack. Support Vector Machine (SVM) was used in [8] to classify DDoS attack traffic against normal traffic because of its high accuracy and low false-positive rate. The SVM classifier was compared with other classifiers for the detection of the DDoS attack, and SVM provided more accurate classification than the other techniques. DDoS real-time detection and the integration of the traffic pattern built in SVM with the SDN controller were their future work. Fuzzy Logic can be used for real-traffic detection of the DDoS attack on SDN [2]. The authors addressed existing problems of the OpenFlow protocol. They proposed a Fuzzy Logic-based DDoS mitigation algorithm that applied multiple criteria for DDoS detection. Their system demonstrated the ability to detect and filter 97% of the attack flows with a false-positive rate of 5%. They would like to extend the OpenFlow protocol to achieve more robust and faster performance.
Moreover, researchers have designed a system to detect DDoS attacks based on a decision-tree technique and traced back to the approximate locations of the attacker with a traffic flow pattern-matching technique [9]. Their system could detect the attack with a false-positive ratio of 1.2%-2.4%. They conducted their experiment on the DETER testbed. Their results indicated that the proposed system was capable of detecting the attacks and tracing back with high accuracy. Evolutionary algorithms (EAs) for detecting DDoS attacks in SDN are presented in [10]. The researchers reviewed four types of EAs that are widely applied in current SDNs: Genetic Algorithms (GAs), Particle Swarm Optimization (PSO), Ant Colony Optimization (ACO), and Simulated Annealing (SA). All four EAs were compared, and their applications in SDNs were categorized. In order to obtain a good DDoS detection technique, the researchers in [11] provided a better detection solution using feature analysis. A Naive Bayes classifier was used to classify packets into normal and attack packets, and the use of the information gain algorithm increased the performance. The CAIDA 2008 and CAIDA anonymized trace 2015 datasets were used for their feature selection and classification. A method to detect a DoS attack using a clustering technique with the k-means algorithm, which can be modified and developed in many possible ways, was used in [12]. The result of this algorithm was evaluated on detection rate, accuracy, and false-positive rate. Their method was evaluated on the DARPA 98 dataset with satisfying results. In the future, they would like to further minimize the false-positive rate.

Software Defined Networking (SDN)
Software Defined Networking (SDN) is an emergent network architecture in which the network control is dynamic, manageable, adaptable, and physically separated from the forwarding devices [13]. There are three layers in an SDN architecture, including the infrastructure layer (data plane), the control layer (control plane), and the application layer (management plane), as shown in Figure 1. The first layer, the infrastructure layer, is composed of switches. The major work of these switches is forwarding the incoming packets according to their flow tables. Forwarding decisions are made and configured by the control plane through the southbound protocol. The first standard southbound protocol is the OpenFlow protocol [14]. OpenFlow is defined by the OpenFlow switch specification published by the Open Networking Foundation (ONF). The second layer, the control layer, maintains a centralized view of the network and open interfaces. This layer allows applications to control the underlying network. This layer also provides the interconnection between the applications at the top and the forwarding devices at the bottom of the architecture. The third layer, the application layer, is composed of applications that manage and secure the underlying network. An application can run on the controller itself, or it can communicate through the northbound Application Programming Interface (API) of the controller. There is no standard API for the northbound protocol. The main idea of the SDN architecture is the separation of the data plane and the control plane. This separation has many benefits in terms of network flexibility and controllability.
Although SDN has many advantages over the traditional network, it faces some challenges. The main challenges of SDN are reliability, scalability, security, and interoperability. Among these, we emphasize the security of SDN. Each plane of SDN has vulnerabilities. In the data plane, individual network devices, the switches, are quite vulnerable to different kinds of attacks such as the Denial of Service (DoS) attack, the Distributed Denial of Service (DDoS) attack, data modification, repudiation, blackhole attacks, and side-channel attacks. DoS and DDoS are the most popular attacks on the data plane; they make the network inaccessible to legitimate users. In the control plane, the controller is the easiest target of DDoS because the first packet of each new flow must be sent to the controller, which can become a bottleneck. Moreover, other malicious attacks, such as DoS, blackhole, and fake flow rule generation, can also occur at the control plane. In the application plane, there are also vulnerabilities concerning the DDoS attack, for example, in Smart City applications [15]. The good features of SDN offer new opportunities to defeat attacks in cloud computing environments. DoS and DDoS flooding attacks are the main methods used to destroy the availability of cloud computing [16]. Therefore, many researchers propose solutions and countermeasures for DDoS attacks on SDN networks.

Distributed Denial of Service (DDoS) Attack
A Distributed Denial of Service (DDoS) attack is a kind of DoS attack in which many sources simultaneously bombard a server with data in order to exhaust its resources and make them unavailable to legitimate users. According to the State of the Internet Security summer 2018 report [17], the largest DDoS attack on record, with a peak of 1.35 Tbps, was observed on Wednesday, February 28, 2018. In this attack, the attackers did not use any botnet; they used weaponized, misconfigured Memcached servers to conduct the DDoS attack. The attack size was more than twice that of the Mirai botnet DDoS attack in 2016. The attack originated from over a thousand autonomous systems (ASNs) across tens of thousands of endpoints. It was an amplification attack using the Memcached-based approach, producing 126.9 million packets per second [18].

DDoS attacks can be classified into three basic categories: volume-based attacks, protocol attacks, and application attacks. In a volume-based attack, the target is flooded with heavy traffic in order to exhaust its bandwidth. This type of attack is measured in bytes per second. Flooding attacks such as the User Datagram Protocol (UDP) flood and the Internet Control Message Protocol (ICMP) flood are volume-based attacks. In a protocol attack, the resources of the target are exhausted by exploiting a network protocol; the result is that the underlying operating system becomes unavailable. This type of attack is measured in packets per second. SYN flood, ping of death, and smurf attacks are protocol attacks. In an application attack, the application or server is crashed by exploiting the application-layer protocol. This type of attack is measured in requests per second. Hypertext Transfer Protocol (HTTP) flooding and Slowloris are application attacks [19]. In this research, we analyze flooding attacks (UDP flooding, a volume-based attack, and SYN flooding, a protocol attack). The most common types of DDoS attacks include the SYN flooding attack, UDP flooding, ICMP flooding, HTTP flooding, the ping of death attack, the smurf attack, and the Slowloris attack. The details of each attack are as follows.

Journal of Computer Networks and Communications

The SYN flooding attack exploits a weakness of the TCP connection sequence, the three-way handshake [20]. Normally, the server receives a synchronize (SYN) message to start the handshake, acknowledges it by replying with a SYN-ACK, and waits for the client's final ACK to complete the connection. Under a SYN flooding attack, SYN messages with spoofed source addresses are sent, the final ACK never arrives, the half-open connections fill the server's connection backlog, and the service can be shut down. The UDP flooding attack exploits the sessionless User Datagram Protocol (UDP) [21]. The attackers send a large number of UDP packets to random ports on the target, and the target host checks for an application listening on each port. When no listening application is found, it replies with an ICMP destination unreachable packet. This attack consumes the host's resources even though the flooded ports are unreachable. The ICMP flooding attack exhausts the target with a large number of ICMP pings [22]. Under an ICMP flood, ICMP echo request packets are sent as fast as possible without waiting for any echo reply, and the target attempts to reply to all of them; therefore, its outgoing bandwidth is consumed as well. The HTTP flooding attack uses seemingly legitimate GET or POST requests [23]. Although this attack uses less bandwidth than other kinds of DDoS attacks, it can force the server to use its maximum resources. The ping of death attack exploits the IP protocol by sending malformed or oversized pings to the system [24]. This attack does not require a huge volume of data to bring down the victim; it only needs to exploit the standard protocol. The smurf attack exploits the IP and ICMP protocols by using a malware program called smurf [25]. This attack spoofs the victim's IP address as the source and pings broadcast addresses on a given network, so that the replies from the whole network flood the victim. The Slowloris attack brings down the server by holding the maximum number of connections open with the attackers [26]. The attackers send partial HTTP requests to the server; the server keeps the connections open waiting for these requests to complete, and the result is a DoS for legitimate requests.

Detection of DDoS Attack on SDN by Using Advanced Support Vector Machine (ASVM)
Under our proposed framework, the DDoS attack is detected on the SDN network by using the Advanced Support Vector Machine (ASVM) method. The proposed research presents a customizable DDoS defence framework which generates DDoS attack alerts by considering the application's security requirements [1]. Our proposed framework is motivated by the observation that different applications have different security requirements. Accordingly, a DDoS attack detection solution must include a customizable reaction mechanism for generating DDoS attack alerts. Our proposed system leverages the programmability and dynamic nature of SDN and implements an adaptive DDoS protection mechanism. Figure 2 illustrates the architecture of the proposed framework.

Attackers or normal users send packets to the OpenFlow switches. When a packet arrives at an OpenFlow switch, its packet header fields, including the source port, destination port, source IP address, and destination IP address, are checked against the flow entries. If a match is found, the specified action is executed. Otherwise, the packet is sent to the OpenDaylight controller via the southbound API in a packet_in control message. The controllers are connected as a cluster. When the traffic arrives at the OpenDaylight controller cluster, it is forwarded via the northbound API to the DDoS detection by ASVM in the application layer, where the packet is classified as DDoS attack traffic or normal traffic. The components of our proposed framework consist of four modules: the traffic generation, the traffic data collection, the feature extraction, and the classification of attack or normal traffic by the ASVM method. Two kinds of flooding-based DDoS attacks and normal traffic are generated. We collect the traffic data from each OpenFlow switch. Five features are extracted and classified as DDoS attacks or normal traffic by the ASVM method. The graphical representation of these modules can be seen in Figure 3.

Traffic Generation
The generation of two kinds of DDoS attack traffic and of normal traffic is implemented in this work. The two DDoS attacks are the UDP flooding attack and the SYN flooding attack. The UDP flooding attack is a type of Denial of Service (DoS) attack in which random ports on the target host are flooded with IP packets using the User Datagram Protocol (UDP). Under our UDP flooding attack, first, the victim's IP addresses are determined; then the source port and the destination port are initialized to 80 and 1, respectively. Each time, 2000 packets are generated. The packet interarrival time for the UDP attack traffic is 0.03 seconds. Scapy, a packet generation tool for computer networks written in Python, is used for generating the packets in this work. For each random source IP address, a packet is created with that source IP and the destination IP using Scapy. Scapy can forge or decode packets, send packets on the wire, capture packets, and match requests with replies. Scapy can also handle tasks like scanning, tracerouting, probing, unit tests, attacks, and network discovery. After the packet is created, it is sent to the destination IP address within the time interval. The step-by-step process of the UDP flooding attack on the SDN network can be seen in Figure 4.

The SYN flooding attack is a type of DoS attack that exploits the normal three-way handshake of a TCP connection to consume the resources of the targeted server and render it unresponsive. Under our SYN flooding attack, the victim IP addresses, the victim port, and the number of packets must be determined. Then, an IP packet with a random source IP and the victim IP is generated. We also create the TCP segment with a random source port, the victim port, the SYN ('S') flag, a sequence number, and a time window. At last, the combined IP and TCP packet is sent to the victim host. The step-by-step process of a SYN flooding attack on the SDN network can be seen in Figure 5. The normal traffic is also generated, as shown in Figure 6. For normal traffic generation, the last octet of the destination host's IP address must be determined. Each time, 1000 packets are generated, because the average number of packets under normal conditions is approximately 1000. The packet interarrival time for normal traffic generation is 0.1 seconds. A random source IP address is used each time. Scapy is also used for creating the normal traffic packets sent to the destination host.
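The packet construction described in this section, as an added example in Python that is not the paper's Scapy generator: it builds the IPv4/UDP and IPv4/TCP-SYN packets with spoofed random source addresses byte by byte, so the exact header layout that the switches later count is visible. It only constructs the bytes; injecting them into the Mininet testbed would need a raw socket and root privileges, which is deliberately left out. The victim addresses and ports in the `__main__` block are constructed, the zero UDP checksum (no checksum, permitted over IPv4), the TTL of 64 and the TCP window of 8192 are assumptions, and the 2000-packet burst, the 0.03 s interarrival time and the 80/1 port pair follow the text.

```python
"""Build the spoofed-source UDP-flood and SYN-flood packets described in this
section byte by byte (IPv4 plus UDP or TCP headers) for an emulated testbed.

Added example; not the paper's Scapy generator. It only constructs the bytes:
sending them needs a raw socket and root privileges inside the testbed.
Assumptions: UDP checksum is left 0 (no checksum, allowed over IPv4), TTL 64,
window 8192, and random source IPs are drawn from the whole address space,
which a real testbed would restrict to its own subnets. Burst size,
interarrival time and the 80/1 port pair follow the text.
"""
import random
import struct
from socket import inet_aton
from typing import List

UDP_PACKETS_PER_BURST = 2000   # paper: 2000 packets per UDP burst
UDP_INTERARRIVAL_S = 0.03      # paper: 0.03 s between UDP attack packets
UDP_SPORT, UDP_DPORT = 80, 1   # paper: source port 80, destination port 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPV4_FMT = "!BBHHHBBH4s4s"     # 20-byte IPv4 header
TCP_FMT = "!HHIIBBHHH"         # 20-byte TCP header without options
PSEUDO_FMT = "!4s4sBBH"        # TCP pseudo-header used by the TCP checksum


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (IPv4 header and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """IPv4 header with version/IHL 0x45, no fragmentation and a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, inet_aton(src), inet_aton(dst)]
    fields[7] = checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """IPv4/UDP datagram; the empty payload mirrors the 'mostly empty packets' of a flood."""
    udp_len = 8 + len(payload)
    udp_header = struct.pack("!HHHH", sport, dport, udp_len, 0)   # checksum 0 = none
    return ipv4_header(src, dst, IPPROTO_UDP, udp_len) + udp_header + payload


def tcp_syn_packet(src: str, dst: str, sport: int, dport: int, seq: int, window: int = 8192) -> bytes:
    """IPv4/TCP segment with only the SYN flag set (Scapy's 'S' flag)."""
    syn_flag, data_offset = 0x02, 5 << 4
    unchecked = struct.pack(TCP_FMT, sport, dport, seq, 0, data_offset, syn_flag, window, 0, 0)
    pseudo = struct.pack(PSEUDO_FMT, inet_aton(src), inet_aton(dst), 0, IPPROTO_TCP, len(unchecked))
    csum = checksum(pseudo + unchecked)      # TCP checksum is mandatory, unlike UDP's
    segment = struct.pack(TCP_FMT, sport, dport, seq, 0, data_offset, syn_flag, window, csum, 0)
    return ipv4_header(src, dst, IPPROTO_TCP, len(segment)) + segment


def random_ipv4(rng: random.Random) -> str:
    """Spoofed source address; every packet of a flood gets a fresh one."""
    return ".".join(str(rng.randint(1, 254)) for _ in range(4))


def udp_flood_burst(victim: str, count: int = UDP_PACKETS_PER_BURST, seed: int = 0) -> List[bytes]:
    """One UDP burst towards victim port 1; send each packet UDP_INTERARRIVAL_S apart."""
    rng = random.Random(seed)
    return [udp_packet(random_ipv4(rng), victim, UDP_SPORT, UDP_DPORT) for _ in range(count)]


def syn_flood_burst(victim: str, victim_port: int, count: int, seed: int = 0) -> List[bytes]:
    """One SYN burst: random source IP, random source port, random initial sequence number."""
    rng = random.Random(seed)
    return [tcp_syn_packet(random_ipv4(rng), victim, rng.randint(1024, 65535), victim_port,
                           rng.getrandbits(32)) for _ in range(count)]


def ipv4_checksum_ok(pkt: bytes) -> bool:
    """Re-summing a header that already contains its checksum must give 0."""
    return checksum(pkt[:20]) == 0


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Same property for the TCP segment, over pseudo-header plus segment."""
    segment = pkt[20:]
    pseudo = struct.pack(PSEUDO_FMT, pkt[12:16], pkt[16:20], 0, IPPROTO_TCP, len(segment))
    return checksum(pseudo + segment) == 0


if __name__ == "__main__":
    # Constructed victim address; print a few packets instead of sending them.
    for pkt in udp_flood_burst("10.0.0.1", count=3):
        print(pkt.hex())
    print(tcp_syn_packet("10.0.0.7", "10.0.0.1", 40000, 80, seq=12345).hex())
```

The two `*_checksum_ok` helpers are the check a practitioner wants before trusting a hand-built generator: a packet with a bad IP or TCP checksum is silently dropped by the receiving stack, so a flood built from such packets would never produce the half-open connections or ICMP replies the text describes, and the detector would be trained on traffic that does not match a real attack.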

Traffic Data Collection
For the detection of a DDoS attack on an SDN network, the traffic data collection is the main part of the system. We can collect the traffic data through the OpenFlow protocol from the OpenFlow switches. In SDN, the traffic data are stored in the flow tables within the OpenFlow switches. To extract the traffic data, the controller periodically sends an ofp_flow_stats_request message to each switch, and the switch responds with its flow statistics. The OpenDaylight controller is used in our research to manage and control the data-obtaining period and the flow-deleting period within the time interval. We can also send the flow request command "sudo ovs-ofctl dump-flows s1" to each switch in order to collect the traffic flow information from its flow table. An example of the extracted traffic flow information from a switch is shown in Figure 7.

Figure 3: Four modules of our proposed system framework: traffic generation, traffic data collection, feature extraction, and classification of attack or normal traffic by using ASVM.

Feature Extraction
After collecting the traffic data, the next step is the extraction of traffic features. The collected malicious traffic flows on the SDN network can be analyzed by inspecting various characteristic values of the flow table. When the traffic data are extracted from a switch, we can collect the number of packets that a host is sending, the number of bytes that the host has used, and the duration taken for sending packets to or receiving packets from other hosts. The SYN and UDP flooding attack traffic follows a normal distribution [27]. For the volumetric and asymmetric nature of the traffic patterns, five different traffic features are analyzed: the average number of flow packets in the sampling interval (ANPI), the average number of flow bytes in the sampling interval (ANBI), the variation of flow packets in the sampling interval (VPI), the variation of flow bytes in the sampling interval (VBI), and the average duration of traffic in the sampling interval (ADTI).

ANPI is the sum of the number of packets in each flow divided by the total number of flows in the sampling interval, as shown in Equation (1). ANPI is used for the detection of the DDoS attack on the SDN network because the nature of the DDoS attack is to send a large number of packets in order to disable the controller. Therefore, we can detect malicious traffic by measuring the number of flow packets. ANBI is the sum of the number of bytes in each flow divided by the total number of flows in the sampling interval, as shown in Equation (2). ANBI is used for the detection of the DDoS attack on the SDN network because most DDoS attackers only want to send packets; they do not care about the data bytes of the packets. Thus, the flow byte measurement can indicate malicious traffic.

VPI is the standard deviation of the number of flow packets in the sampling interval, as shown in Equation (3). We can detect the DDoS attack on the SDN network by considering the VPI feature because most DDoS attackers randomly create the packets sent to the hosts; they do not build full data packets, and mostly empty packets are used.

VBI is the standard deviation of the number of flow bytes in the sampling interval, as shown in Equation (4). We can use the VBI feature for the detection of the DDoS attack on the SDN network because most DDoS attackers do not care about the flow bytes of the packets. Therefore, we can detect malicious traffic by measuring the variation of the flow bytes.

ADTI is the sum of the durations of the SDN traffic flows per sampling interval, as shown in Equation (5).
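As an added example serving both the traffic data collection section (the `ovs-ofctl dump-flows` output of Figure 7) and the five feature definitions above, the following Python (not the paper's code) parses a dump collected for one sampling interval and computes ANPI, ANBI, VPI, VBI and ADTI. The two dumps are constructed from the single flow entry of Figure 7. Since Equations (1)-(5) are not reproduced on this page, the implementation reads ANPI and ANBI as means over the flows of the interval, VPI and VBI as population standard deviations, and ADTI as the mean flow duration; that reading is an assumption.

```python
"""Compute the five features of this section from `ovs-ofctl dump-flows`
output collected for one sampling interval.

Added example; not the paper's code. The two dumps below are constructed,
using the single entry of the paper's Figure 7 as the template. Assumed
reading of the definitions: ANPI and ANBI are means over the flows in the
interval, VPI and VBI are population standard deviations, ADTI is the mean
flow duration.
"""
import re
from statistics import mean, pstdev
from typing import Dict, List

# Counters printed for every flow entry; header lines such as
# "NXST_FLOW reply (xid=0x4):" do not match and are skipped.
FLOW_RE = re.compile(
    r"duration=(?P<duration>\d+(?:\.\d+)?)s,.*?"
    r"n_packets=(?P<n_packets>\d+),\s*n_bytes=(?P<n_bytes>\d+)"
)

# Constructed: an interval of normal traffic on switch s1 (four flows).
NORMAL_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=165.700s, table=0, n_packets=8, n_bytes=560, idle_age=20, in_port=1 actions=FLOOD
 cookie=0x0, duration=160.200s, table=0, n_packets=12, n_bytes=840, idle_age=5, in_port=2 actions=FLOOD
 cookie=0x0, duration=150.000s, table=0, n_packets=8, n_bytes=560, idle_age=3, in_port=3 actions=FLOOD
 cookie=0x0, duration=144.100s, table=0, n_packets=12, n_bytes=840, idle_age=9, in_port=4 actions=FLOOD
"""

# Constructed: the same switch during a UDP flood (bursts of empty datagrams).
ATTACK_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=30.100s, table=0, n_packets=2000, n_bytes=56000, idle_age=0, in_port=1 actions=FLOOD
 cookie=0x0, duration=29.800s, table=0, n_packets=2000, n_bytes=56000, idle_age=0, in_port=2 actions=FLOOD
 cookie=0x0, duration=30.400s, table=0, n_packets=4000, n_bytes=112000, idle_age=0, in_port=3 actions=FLOOD
 cookie=0x0, duration=12.000s, table=0, n_packets=1800, n_bytes=50400, idle_age=0, in_port=4 actions=FLOOD
 cookie=0x0, duration=7.700s, table=0, n_packets=2200, n_bytes=61600, idle_age=0, in_port=5 actions=FLOOD
"""

FEATURE_ORDER = ("ANPI", "ANBI", "VPI", "VBI", "ADTI")


def parse_dump_flows(text: str) -> List[Dict[str, float]]:
    """One record per flow entry with the three counters the features need."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append({"duration": float(m["duration"]),
                          "n_packets": int(m["n_packets"]),
                          "n_bytes": int(m["n_bytes"])})
    return flows


def extract_features(flows: List[Dict[str, float]]) -> Dict[str, float]:
    """ANPI, ANBI, VPI, VBI, ADTI for one sampling interval.

    Caveat: n_packets, n_bytes and duration are cumulative since the entry was
    installed. The paper deletes the flows every interval so the counters restart;
    if entries persist across intervals, subtract the previous sample first.
    """
    if not flows:
        raise ValueError("no flow entries in this sampling interval")
    packets = [f["n_packets"] for f in flows]
    nbytes = [f["n_bytes"] for f in flows]
    durations = [f["duration"] for f in flows]
    return {
        "ANPI": mean(packets),      # volumetric: mean packets per flow
        "ANBI": mean(nbytes),       # volumetric: mean bytes per flow
        "VPI": pstdev(packets),     # asymmetric: spread of packets across flows
        "VBI": pstdev(nbytes),      # asymmetric: spread of bytes across flows
        "ADTI": mean(durations),    # mean flow duration in the interval
    }


def feature_vector(dump_text: str) -> List[float]:
    """Feature row in the fixed order a classifier expects."""
    feats = extract_features(parse_dump_flows(dump_text))
    return [feats[name] for name in FEATURE_ORDER]


if __name__ == "__main__":
    for label, dump in (("normal", NORMAL_DUMP), ("attack", ATTACK_DUMP)):
        print(label, extract_features(parse_dump_flows(dump)))
```

Run against the two constructed dumps, the attack interval stands out on every volumetric feature (ANPI 2400 against 10, ANBI 67200 against 700) and on VPI, which is the behaviour the figures in the experimental section describe; the `ValueError` on an empty interval matters in practice because a switch that reports no flows (for example after the flow-deleting period) must not be turned into an all-zero "normal" sample.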

ASVM Classification of Attack or Normal Traffic
In our proposed system, the ASVM method is utilized to classify each packet as attack or normal traffic. The ASVM method is an advanced form of the Support Vector Machine (SVM) algorithm. SVM is a supervised machine learning algorithm that can be used for both classification and regression problems [3]. SVM is widely used in many application areas because of its high accuracy, its ability to deal with high-dimensional data, and its flexibility in modelling diverse data. SVM was originally designed for linear two-class classification problems. In a simple linear two-class classification problem, the assumption is that there are two classes, $+1$ (positive class) and $-1$ (negative class). The lower-case letter $x$ denotes a feature vector. The dataset of $n$ points can be written as
$$\{(x_1, y_1), (x_2, y_2), \ldots, (x_n, y_n)\}, \tag{6}$$
where $x_i$ denotes the $i$-th feature vector in the dataset and $y_i$ is the label associated with $x_i$. The value of $y_i$ is $+1$ or $-1$. An example of linear classification by SVM is shown in Figure 8.

According to Figure 8, there is a straight line separating the vectors of class $+1$ from the vectors of class $-1$. This straight line is denoted as $w \cdot x + b = 0$, where the vector $w$ is called the weight vector and the scalar $b$ is called the bias. The hyperplane of the class label $+1$ above the straight line is denoted as $w \cdot x + b = 1$, and the hyperplane of the class label $-1$ below the straight line is denoted as $w \cdot x + b = -1$. When the dataset is linearly separable, these two hyperplanes are parallel, and the distance between them must be as large as possible. The distance between them is
$$\text{distance between the two hyperplanes} = \frac{2}{\|w\|}. \tag{7}$$
Therefore, maximizing the distance between the planes is equivalent to minimizing $\|w\|^2/2$. We also need to prevent the data points from falling into the margin, so for each $i$ we add the constraint $w \cdot x_i + b \geq 1$ if $y_i = 1$, or $w \cdot x_i + b \leq -1$ if $y_i = -1$; that is, every data point must lie on the correct side of the margin, which can be written as $y_i(w \cdot x_i + b) \geq 1$. Therefore, the optimization problem is
$$\min_{w,\, b} \frac{\|w\|^2}{2} \quad \text{subject to } y_i(w \cdot x_i + b) \geq 1, \quad i = 1, \ldots, n.$$
In practice, the data are not linearly separable.
There are also multiclass problems. Sometimes, maximizing the margin causes errors because some data are misclassified. In this work, we extend the SVM into the Advanced Support Vector Machine (ASVM). We need to consider the slack variables $\xi_i$ and the penalty parameter $C$ for the classification error. The slack variable is the variable that measures how far a point lies on the wrong side of its margin hyperplane [28]. The optimization problem becomes
$$\min_{w,\, b,\, \xi} \frac{\|w\|^2}{2} + C \sum_{i=1}^{n} \xi_i \quad \text{subject to } y_i(w \cdot x_i + b) \geq 1 - \xi_i, \quad \xi_i \geq 0, \quad i = 1, \ldots, n. \tag{8}$$
The penalty parameter $C > 0$ sets the relative importance of maximizing the margin and minimizing the total amount of slack. In a multiclass classification problem, we need to consider how the binary classifiers are combined, including one-versus-one and one-versus-some (also known as one-versus-rest). In one-versus-one, $n(n-1)/2$ binary classifiers are constructed for $n$ classes, one for each pair of classes; the samples of the first class of the pair are trained as positive samples and the samples of the second class as negative ones. All of these classifiers are needed to classify the data in the testing phase. In one-versus-some, one classifier is constructed per class, each class being trained against the remaining $n-1$ classes: the samples of one class are labelled positive, and all other samples are labelled negative. When a decision is made, each classifier needs to produce a real-valued confidence score, and the class with the highest score is chosen. When we use the SVM algorithm in a classification problem, the most important choice is the kernel function. The kernel function $K(x_n, x_i)$ maps the data into a higher-dimensional space in order to make it possible to separate them [29]. The kernel function used in this work takes the form $K(x_n, x_i)$, where $x_n$ is the support vector data with $n = 1, 2, 3, 4, \ldots, N$. The most useful kernel functions of the SVM algorithm are the linear kernel function, the Radial Basis Function (RBF), the sigmoid, and the polynomial. The kernel functions are listed in Table 1.

Figure 7: An example of the traffic flow information from a switch:
mininet> sh ovs-ofctl dump-flows s1
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=165.700s, table=0, n_packets=8, n_bytes=560, idle_age=20, in_port=1 actions=FLOOD
In this system, we detect UDP and SYN flooding attacks. Both attacks follow a normal distribution [30]. In this work, the linear kernel and the OVS (one-versus-some) decision function are used for classifying the DDoS attack and the normal traffic. OpenDaylight is an open source Java-based SDN controller that is supported by VMware and managed by the Linux Foundation [31]. The OpenDaylight controller is a very large platform with many plugins and features. Mininet is a network emulator that runs a collection of end hosts, switches, routers, and links on a single Linux kernel, and it behaves like a real network [32]. Most DDoS attacks use at least three hosts, and the number of hosts can be up to approximately one hundred; at least one switch is used, and the number of controllers can range from one upwards. Our SDN testbed consists of one hundred hosts (h1 to h100), nine switches (s1 to s9), and three controllers (c0, c1, c2). Four subnets are arranged in our testbed. The experiments are set up in Miniedit, a simple GUI editor for Mininet. Figure 9 shows our implemented testbed.

Experimental Result and Analysis
After running the testbed, the network flows are added to the nine switches. Open vSwitch (OVS) and the OpenFlow protocol (version OpenFlow13) are used in our testbed. OVS is a production-quality, multilayer virtual switch licensed under the open source Apache 2.0 license [33]. We ran a command such as "sh ovs-ofctl add-flow s1 in_port=1,actions=flood" for switch s1 at our testbed terminal. In total, 126 flows are added for the nine switches. In our testbed, each traffic type is generated from 100 scenarios. There are three types of traffic: normal traffic, UDP flooding attacks, and SYN flooding attacks. In a UDP flooding attack scenario, we use from five to nine hosts as the attacker hosts and four hosts as the victims. In a SYN flooding attack scenario, four hosts are assigned as attacker hosts and only one host as the victim. In each scenario, the traffic generation is started first; then the traffic flow information is manually collected from each switch. After the generation and the collection of traffic data for each scenario, the five traffic features are extracted so that the ASVM can detect the DDoS attack.
In this experiment, the sampling traffic collection time for attack traffics and normal traffics is 200 seconds. e result of the first feature and ANPI for normal traffics are shown in Figure 10. e trend of the curve has gradually fluctuated within the sampling time. e ANPI feature of attack traffics are shown in Figure 11. During the attack period, the numbers of packets are growing rapidly. e trend of the curve is fluctuated at first, and sometimes, the value reached the highest point depending on the randomly generated attack traffic packets. e result of the second feature, ANBI in the sampling interval for normal traffics, is shown in Figure 12. e trend of the curve is fluctuated depending on the number of flow bytes for the normal traffics. e value of ANBI for attack traffics within the sampling time is expressed in Figure 13. e attackers send a large number of packets as fast as possible, but they do not consider the data value. erefore, the ANBI value of attack traffic is regularly from up to down and sometimes apparently reaches the highest point. e result of the third feature, VPI for normal traffics is shown in Figure 14. Normally, the variation of the flow packets is relatively unchanged. For the attack case, however, the VPI changes rapidly. e VPI curve trend for attack traffics is shown in Figure 15. When the attacks occur within the sampling time, the variation of traffics has fluctuated, and sometimes, it reaches the highest point. e result of the fourth feature, the normal traffics of VBI, is shown in Figure 16. e trend of the curve is gradually fluctuated, and sometimes, it reaches the lowest points at sampling time 65 and 169 seconds. When the attack occurs in the sampling time, the attackers did not consider the flow byte values of the sending packets. erefore, the curve trend gradually grows up and down as shown in Figure 17. e result of the last feature, ADTI for normal traffics and attack traffics, is shown in Figures 18 and 19, respectively. 
The curve of both types is the same, but the ADTI value of the attack traffic is apparently greater than that of the normal traffic. The features extracted from the traffic data are stored as the feature dataset, SDNtrafficDS. The next step is the classification of this dataset by the ASVM method. The classification process is shown in Figure 20. First, SDNtrafficDS is read and the Type field and the last fields are separated. The data is then split into a Training DS and a Testing DS using a cross-validation method in order to reduce the overfitting problem [34]. Next, the model is produced by ASVM using the Training DS. A linear kernel, the OVS decision function, the classification error penalty "C" (C > 0), and the auto gamma value are used in our ASVM. After the training process is done, the resulting model is used for classifying the Testing DS. The confusion matrix is used for the performance evaluation of the classification results, and the classification report for the three classes is generated. Lastly, the accuracy of the proposed classification on the Training DS and the Testing DS is also reported.
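The classification step just described, as an added example that is not the paper's code: a feature dataset is split into a Training DS and a Testing DS at a chosen rate, one linear SVM per class is fitted one-vs-rest, and the held-out split is scored. So that it runs with no dependencies, the SVM is a small primal solver written here in plain Python (hinge loss plus L2 penalty, trained by stochastic sub-gradient descent) rather than a library SVM; the penalty C plays the same role as the page's classification error parameter. The rows, feature ranges and class labels are constructed, not SDNtrafficDS:

```python
"""Hold-out split, one-vs-rest linear SVM training and scoring over a
constructed five-feature dataset (added example, not the paper's code)."""
import random

CLASSES = ("normal", "udp_flood", "syn_flood")


def make_dataset(n_per_class=20, seed=7):
    """Constructed rows of (ANPI, ANBI, VPI, VBI, ADTI), min-max scaled to
    [0, 1], with a Type label. The per-class ranges are assumptions."""
    rng = random.Random(seed)
    ranges = {
        "normal":    [(0.2, 0.4), (0.2, 0.4), (0.0, 0.1), (0.0, 0.1), (0.1, 0.3)],
        "udp_flood": [(0.8, 1.0), (0.8, 1.0), (0.4, 0.6), (0.4, 0.6), (0.5, 0.7)],
        "syn_flood": [(0.8, 1.0), (0.1, 0.2), (0.4, 0.6), (0.0, 0.1), (0.7, 0.9)],
    }
    rows = []
    for label, spans in ranges.items():
        for _ in range(n_per_class):
            rows.append(([rng.uniform(lo, hi) for lo, hi in spans], label))
    rng.shuffle(rows)
    return rows


def split(rows, test_fraction, seed=1):
    """Hold-out split; test_fraction from 0.1 to 0.9 mirrors the page's
    range of split rates. Returns (training, testing)."""
    rows = list(rows)
    random.Random(seed).shuffle(rows)
    n_test = int(round(len(rows) * test_fraction))
    return rows[n_test:], rows[:n_test]


def train_binary(X, y, C=1.0, epochs=300, lr=0.05, seed=0):
    """Linear SVM w.x + b for labels y in {+1, -1}; the last weight is b.
    Minimises (1/(C n))/2 * |w|^2 + mean hinge loss by SGD."""
    rng = random.Random(seed)
    lam = 1.0 / (C * len(X))
    w = [0.0] * (len(X[0]) + 1)
    order = list(range(len(X)))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            x = X[i] + [1.0]
            margin = y[i] * sum(wi * xi for wi, xi in zip(w, x))
            w = [wi * (1.0 - lr * lam) for wi in w]          # L2 shrink
            if margin < 1.0:                                 # hinge sub-gradient
                w = [wi + lr * y[i] * xi for wi, xi in zip(w, x)]
    return w


def train_ovr(training, C=1.0):
    """One binary SVM per class; each treats its class as +1, the rest as -1."""
    X = [f for f, _ in training]
    return {c: train_binary(X, [1.0 if lbl == c else -1.0 for _, lbl in training], C)
            for c in CLASSES}


def predict(model, features):
    """Highest one-vs-rest decision value wins."""
    x = features + [1.0]
    scores = {c: sum(wi * xi for wi, xi in zip(w, x)) for c, w in model.items()}
    return max(scores, key=scores.get)


def accuracy(model, rows):
    hits = sum(predict(model, f) == lbl for f, lbl in rows)
    return hits / len(rows)


def run(test_fraction=0.3, C=1.0):
    """Returns (training accuracy, testing accuracy) for one split rate."""
    training, testing = split(make_dataset(), test_fraction)
    model = train_ovr(training, C)
    return accuracy(model, training), accuracy(model, testing)


if __name__ == "__main__":
    for rate in (0.1, 0.3, 0.5, 0.7, 0.9):
        print(rate, run(rate))
```

Two notes for anyone reproducing the page's setup with a library SVM: the gamma parameter only affects RBF, polynomial and sigmoid kernels, so with a linear kernel the "auto" gamma value has no effect on the model, and one-vs-rest (as above) and one-vs-one differ in the number of binary problems trained, which is what changes training time as the class count grows.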
Journal of Computer Networks and Communications

problem extension. The second problem, the long training time and testing time of the SVM algorithm, has been addressed by using the linear kernel together with the penalty parameter of the classification error term, "C", the value of "gamma", and the "OVS" decision function shape. False alarm rate, detection rate, and accuracy are used for evaluating the detection result. The false alarm rate is the error rate of the detection system, that is, incorrect results on normal behaviour; thus, a lower false alarm rate is preferred. The detection rate is the rate of correctly detected malicious traffic; the higher the detection rate, the better the system performance. Accuracy measures how often the system correctly classifies both normal traffic and malicious traffic. All three measures are computed from the following counts. True positive (TP) is the amount of network traffic that is correctly detected as attack or normal traffic and forwarded. True negative (TN) is the amount of network traffic that is correctly detected and dropped. False positive (FP) is the amount of network traffic that is incorrectly detected and forwarded. False negative (FN) is the amount of network traffic that is incorrectly detected and dropped. In this experiment, we trained and tested with the cross-validation method, using split rates from 10% to 90% of SDNtrafficDS. The experimental results can be seen in Table 2.
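The three measures, computed from a three-class confusion matrix in an added example that is not the paper's code. Because the page's equations did not survive extraction, the formulas are the standard ones and are taken here as an assumption, with attack traffic as the positive class: FAR = FP/(FP+TN), DR = TP/(TP+FN), accuracy = (TP+TN)/(TP+TN+FP+FN). The labels and predictions are constructed. The example also shows why the two-class rates and the three-class accuracy differ: a UDP flood classified as a SYN flood still counts as detected, but is an error in the per-class report.

```python
"""False alarm rate, detection rate and accuracy from a three-class
confusion matrix (added example; formulas are the standard definitions)."""
CLASSES = ("normal", "udp_flood", "syn_flood")
ATTACKS = {"udp_flood", "syn_flood"}


def confusion_matrix(y_true, y_pred):
    """matrix[true_label][predicted_label] = count."""
    m = {t: {p: 0 for p in CLASSES} for t in CLASSES}
    for t, p in zip(y_true, y_pred):
        m[t][p] += 1
    return m


def binary_counts(matrix):
    """Collapse to attack-vs-normal: TP = attack flagged as any attack,
    FN = attack passed as normal, FP = normal flagged, TN = normal passed."""
    tp = tn = fp = fn = 0
    for t, row in matrix.items():
        for p, n in row.items():
            if t in ATTACKS:
                if p in ATTACKS:
                    tp += n
                else:
                    fn += n
            elif p in ATTACKS:
                fp += n
            else:
                tn += n
    return tp, tn, fp, fn


def rates(matrix):
    """Assumed standard formulas (see lead-in); guarded against empty classes."""
    tp, tn, fp, fn = binary_counts(matrix)
    far = fp / (fp + tn) if fp + tn else 0.0
    dr = tp / (tp + fn) if tp + fn else 0.0
    acc = (tp + tn) / (tp + tn + fp + fn)
    return {"false_alarm_rate": far, "detection_rate": dr, "accuracy": acc}


def multiclass_accuracy(matrix):
    """Diagonal over total: a UDP flood labelled SYN flood is an error here."""
    total = sum(sum(row.values()) for row in matrix.values())
    return sum(matrix[c][c] for c in CLASSES) / total


def per_class_recall(matrix):
    """The recall column of a classification report, one value per class."""
    return {c: matrix[c][c] / sum(matrix[c].values()) for c in CLASSES}


def sample_predictions():
    """Constructed labels: 50 normal, 25 UDP flood, 25 SYN flood test rows,
    with one normal row flagged, one UDP flood mislabelled as SYN flood and
    two SYN floods missed."""
    y_true = ["normal"] * 50 + ["udp_flood"] * 25 + ["syn_flood"] * 25
    y_pred = (["normal"] * 49 + ["udp_flood"]
              + ["udp_flood"] * 24 + ["syn_flood"]
              + ["syn_flood"] * 23 + ["normal"] * 2)
    return y_true, y_pred


def evaluate():
    m = confusion_matrix(*sample_predictions())
    return rates(m), multiclass_accuracy(m), per_class_recall(m)


if __name__ == "__main__":
    two_class, three_class_acc, recall = evaluate()
    print(two_class)
    print("three-class accuracy:", three_class_acc)
    print("per-class recall:", recall)
```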
According to the experimental results shown in Table 2, the average detection accuracy is 0.97, the average false alarm rate is 0.02, and the average detection rate is 0.97. The training time and testing time for each split rate are approximately 50 seconds and 55 seconds, respectively.

is generated and used. Our emulated testbed is built using Mininet. In our testbed, one hundred hosts, nine switches, and three controllers are used.
Existing research on the security of SDN networks used a single controller in the network setting. In this work, on the other hand, three controllers are used: even if one controller goes down because of the attack, another controller can still be used. We used one hundred scenarios for the UDP flooding attack and another one hundred scenarios for the SYN flooding attack. Both malicious traffic data and normal traffic data are generated. The SDN traffic from the OpenFlow switches is collected. The volumetric and asymmetric features are extracted from the SDN traffic to create the dataset. The cross-validation method is employed while training and testing the classification model. A linear kernel is used in our SVM algorithm; as a result, the training and testing time is reduced. The classification error parameter (C), the gamma value, and the decision function shape (OVS) are considered. According to the experimental results, the overall accuracy of the proposed model is 97%. Our future work includes an online detection system for DDoS attacks on SDN networks. In addition, other attack planes of the SDN layers must also be considered. Moreover, we would like to mitigate the DDoS attack using a lightweight method.

Data Availability
We have used our own dataset, generated with the Mininet emulator. Our dataset is available at https://my.pcloud.com/publink/show?code=XZYm5P7ZXWd1JwSha2XTmPMtkfv2wzdXp5my.

Conflicts of Interest
The authors declare that they have no conflicts of interest.