Study the Effectiveness of Sequential Probability Ratio Test in detection DDoS Attacks against SDN

  • Basheer Husham Ali Department of Computer Engineering, AL-Iraqia University, Baghdad, Iraq
الكلمات المفتاحية: Sequential Probability Ratio, detection DDoS Attacks, SDN


In traditional networks, switches and routers are very expensive, complex, and inflexible because forwarding and handling of packets are in the same device. However, Software Defined Networking (SDN) makes networks design more flexible, cheaper, and programmable because it separates the control plane from the data plane. SDN gives administrators of networks more flexibility to handle the whole network by using one device which is the controller. Unfortunately, SDN faces a lot of security problems that may severely affect the network operations if not properly addressed. Controllers of SDN and their communications may be subjected to different types of attacks. DDoS attacks on the SDN controller can bring the network down. In this research, we studied effectiveness of sequential probability ratio method in identifying the compromised switched interface and detecting Distributed Denial of services (DDoS) attacks that are targeted the controller of Software Defined Network (SDN). We implemented the detection method and evaluated the performance of the method using publicly available DARPA datasets. Finally, we found that SPRT has the highest accuracy and F score and detect almost all DDoS attacks without producing false positive and false negative.


[1] B. Raghavan et al., "Software-defined internet architecture: Decoupling architecture from infrastructure," Proc. 11th ACM Workshop Hot Topics Netw., p. 43–48, 2012.
[2] D. Kreutz et al., "Software-Defined Networking: A Comprehensive Survey," Proceedings of the IEEE, vol. 103, no. 1, pp. 14-76, 2015.
[3] S. Sakir et al., "Are we ready for SDN? Implementation challenges for software-defined networks," IEEE Communications Magazine, pp. 36-43, 2013.
[4] H. Kim and N. Feamster, "Improving network management with software defined networking," IEEE Communications Magazine, vol. 51, no. 2, pp. 114-119, 2013.
[5] N. Zhang, H. Hämmäinen and H. Flinck, "Cost efficiency of SDN-enabled service function chaining," info, vol. 18, no. 5, pp. 45-55, 2016.
[6] D. Ping et al. , "A detection method for a novel DDoS attack against SDN controllers by vast new low-traffic flows," IEEE International Conference on Communications (ICC), 2016.
[7] "SDN architecture issue 1," Open Networking Foundation, pp. 1-68, 2014.
[8] D. Kreutz, F. Ramos and P. Veríssimo, "Towards Secure and Dependable Software Defined Networks," Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, pp. 55-60, 2013.
[9] C. Kuan-yin et al, "SDNShield: Towards More Comprehensive Defense against DDoS Attacks on SDN Control Plane," 2016 IEEE Conference on Communications and Network Security (CNS), pp. 28-36, 2016.
[10] D. Kotani and Y. Okabe, "A Packet-In Message Filtering Mechanism for Protection of Control Plane in OpenFlow Networks," 2014 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS) Architectures for Networking and Communications Systems (ANCS), 2014 ACM/IEEE Symposium on, pp. 29-40, 2014.
[11] S. M. Mousavi and M. St-Hilaire, "Early Detection of DDoS Attacks against SDN Controllers," International Conference on Computing, Networking and Communications, Communications and Information Security Symposium, pp. 77-81, 2015.
[12] "SDN Architecture Overview Version 1.0," Open Networking Foundation, pp. 1-5, 2013.
[13] A. Doyal, J. Zhan and H. A. Yu, "Towards Defeating DDoS Attacks," 2012 International Conference on Cyber Security cybersecurity Cyber Security, pp. 209-212, 2012.
[14] A. Wald, Sequential Analysis, New York: John Wiley and Sons, Inc., 1947.
[15] "MIT Lincoln Laboratory," Intrusion detection atttacks database, [Online]. Available:
[16] “Confussion Matrix,” 7 August 2017. [Online]. Available: [Accessed 11 November 2017].