As a new networking paradigm, Software-Defined Networking (SDN) separates data and control planes to facilitate programmable functions and improve the efficiency of packet delivery. Recent studies have shown that there exist various security threats in SDN. For example, a saturation attack may disturb the normal delivery of packets and even make the SDN system out of service by flooding the data plane, the control plane, or both. The existing research has focused on saturation attacks caused by SYN flooding. This paper presents an anomaly detection method, called SA-Detector, for dealing with a family of saturation attacks through IP spoofing, ICMP flooding, UDP flooding, and other types of TCP flooding, in addition to SYN flooding. SA-Detector builds upon the study of self-similarity characteristics of OpenFlow traffic between the control and data planes. Our work has shown that the normal and abnormal traffic flows through the OpenFlow communication channel have different statistical properties. Specifically, normal OpenFlow traffic has a low self-similarity degree whereas the occurrences of saturation attacks typically imply a higher degree of self-similarity. Therefore, SA-Detector exploits statistical results and self-similarity degrees of OpenFlow traffic, measured by Hurst exponents, for anomaly detection. We have evaluated our approach in both physical and simulation SDN environments with various time intervals, network topologies and applications, Internet protocols, and traffic generation tools. For the physical SDN environment, the average accuracy of detection is 97.68% and the average precision is 94.67%. For the simulation environment, the average accuracy is 96.54% and the average precision is 92.06%. In addition, we have compared SA-Detector with the existing saturation attack detection methods in terms of the aforementioned performance metrics and controller’s CPU utilization. The experiment results indicate that SA-Detector is effective for the detection of saturation attacks in SDN.

中文翻译：

---

基于OpenFlow流量自相似性的饱和攻击检测

作为一种新的网络范式，软件定义网络 (SDN) 将数据和控制平面分开，以促进可编程功能并提高数据包交付的效率。最近的研究表明，SDN中存在各种安全威胁。例如，饱和攻击可能会干扰数据包的正常传递，甚至通过泛洪数据平面、控制平面或两者使 SDN 系统停止服务。现有的研究主要集中在由 SYN 泛洪引起的饱和攻击。本文提出了一种称为 SA-Detector 的异常检测方法，用于通过 IP 欺骗、ICMP 泛洪、UDP 泛洪和其他类型的 TCP 泛洪以及 SYN 泛洪来处理一系列饱和攻击。SA-Detector 建立在对控制平面和数据平面之间 OpenFlow 流量自相似特性的研究之上。我们的工作表明，通过 OpenFlow 通信通道的正常和异常流量具有不同的统计特性。具体而言，正常的 OpenFlow 流量具有较低的自相似度，而饱和攻击的发生通常意味着较高的自相似度。因此，SA-Detector 利用由 Hurst 指数测量的 OpenFlow 流量的统计结果和自相似度进行异常检测。我们已经在具有不同时间间隔、网络拓扑和应用程序、互联网协议和流量生成工具的物理和模拟 SDN 环境中评估了我们的方法。对于物理 SDN 环境，平均检测准确率为97.68%，平均精度为94.67%。对于仿真环境，平均准确率为96.54%，平均精度为92.06%。此外，我们在上述性能指标和控制器的 CPU 利用率方面将 SA-Detector 与现有的饱和攻击检测方法进行了比较。实验结果表明，SA-Detector 可有效检测 SDN 中的饱和攻击。