Mayadah A. Mohsin* | Ali H. Hamad
© 2022 IIETA. This article is published by IIETA and is licensed under the CC BY 4.0 license (http://creativecommons.org/licenses/by/4.0/).
OPEN ACCESS
Software-defined networks (SDN) have a centralized control architecture that makes them a tempting target for cyber attackers. One of the major threats is distributed denial of service (DDoS) attacks. It aims to exhaust network resources to make its services unavailable to legitimate users. DDoS attack detection based on machine learning algorithms is considered one of the most used techniques in SDN security. In this paper, four machine learning techniques (Random Forest, K-nearest neighbors, Naive Bayes, and Logistic Regression) have been tested to detect DDoS attacks. Also, a mitigation technique has been used to eliminate the attack effect on SDN. RF and KNN were selected because of their high accuracy results. Three types of network topology have been generated to observe the effectiveness of proposed algorithms on different network architectures. The results reveal that RF performs better than KNN in a single topology, and both have close performance in other topologies.
distributed denial of service, K-nearest neighbor, machine learning, Mininet, random forest, RYU controller, SDN security, software-defined network
SDN design aims to address the shortcomings of the existing traditional network architecture through a new architectural design that is based on the decoupling of the control plane from the data plane, allowing the controller to be directly programmable and have full management. So, the SDN environment provides great reliability, simplicity, and flexibility for network management [1]. But SDN poses additional security issues due to the centralized controller, which is a vulnerable point that attackers target.
One of the most common attacks on SDN networks is the Distributed Denial of Service (DDoS) attack. This attack aims to make network services unavailable to legitimate users by sending large amounts of malicious traffic to exhaust the network resources. It launches his attack by taking control of several compromised hosts and making them part of a network called a botnet [2, 3]. This attack should be detected early before bringing the entire network down by causing damage to the controller. So, SDN should be equipped with efficient detection and mitigation techniques to ensure the safety of its resources and data in the face of various DDoS attacks.
Several detection techniques have been used to defend the SDN network against DDoS attack: entropy, machine learning algorithm, Traffic pattern analysis, intrusion detection system (IDS) like SNORT [4]. Machine Learning (ML) is mainly a classifier that classifies network traffic into normal and attacks. First, it builds a classifier model based on sample data called the training data set. Then, it tests the model in order to make predictions [5, 6]. There are many mitigation techniques provided through the use of OpenFlow protocol in SDN networks: drop packets, block port, redirection, control bandwidth, deep packet inspection, network reconfiguration, and topology change; each solution has its advantages and disadvantages [7]. The most fast and simple mitigation technique is the drop packet and the block ports. They completely block the attack sources, which may result in dropping the legitimate traffic if the legitimate host is compromised or in the case of a false alarm. So, a timeout is added to the blocking rule to ensure a non-permanent block for a real user in this work.
In this context, this paper presents a DDoS attack detection and mitigation technique in an SDN environment using two machine learning algorithms. The main contributions of this paper can be summarized as follow:
The rest of this paper is organized as follow: in section 2, a related work for DDoS detection techniques based on machine learning in SDN are introduced. In section 3, a theoretical background of the machine learning techniques is discussed. Section 4 presents the proposed algorithms implementation and environment setup. Section 5 shows the results and discussion. Finally, a conclusion introduced in section 6.
Several works have been done in the scope of DDoS detection and mitigation in SDN network using machine learning techniques we study some of these works we found interesting.
Ye et al. [8] Proposed a DDoS attack detection system based on an SVM algorithm that classifies traffic based on 6-tuple characteristics values related to DDoS attack that previously gathered from switch flow table. Sahoo et al. [9] Compare seven machine learning techniques to protect the SDN against DDoS attacks, KNN, NB, SVM, RF and LR. Experimental results showed that LR and RF have the most accurate detection. However, while the results are presented in the publication, the tools used for implementation and simulation are not described in full, and hence this study cannot be compared to our work. Prakash and Priyadarshini [10] proposed an evaluation for ML algorithms such as NB, KNN and SVM to defend SDN in the network layer against DDoS attacks, the work results show that the KNN performed better than other algorithms. Le et al. [11] tested six different ML-algorithms including RF, NB, KNN, SVM, Multiple Layer Perceptron (MLP), and DT, to classify DDoS attacks. The work proved that DT and NB have high accuracy, fast processing time and consume less resource compared to other algorithms. Karan et al. [12] implement SNORT intrusion detection system and ML algorithm to detect DDoS attack in SDN environment. The work compares SVM and Deep Neural Network (DNN) for their detection performance. the results found the DNN is having the higher accuracy. Rahman et al. [13] evaluated some machine learning algorithms which are SVM, RF, J48 and KNN for DDoS detection and mitigation in SDN network. The work found that J48 algorithm is the best for the system. Polat et al. [14] Proposed machine learning models supported with feature selection methods to detect DDoS attacks, the work tested different ML algorithms (SVM, NB, ANN KNN) and found that the KNN classifier achieved the highest accuracy rate in DDoS attack detection. Santos et al. [15] compare between four machine learning techniques to solve the problem of DDoS attacks in the SDN environment, the result found that RF algorithm had the best accuracy, and DT had the best processing time. Table 1 shows a comparative study for the related works compared to our work.
Table 1. Comparative study of related works
|
Ref. |
Detection algorithm |
Dataset type |
Mitigation |
Controller |
Network Topology |
Network Scale |
|
[6] |
SVM |
No dataset Flow table features extraction |
× |
Floodlight |
Linear |
5 hosts |
|
[7] |
SVM/KNN/NB/RF/LR |
Public |
× |
× |
× |
× |
|
[8] |
NB/KNN/SVM |
Generated by Simulation |
Drop packet |
Floodlight |
Linear |
Not mentioned |
|
[9] |
RF/DT/SVM/KNN/MLP |
Generated by Simulation |
× |
RYU |
Single |
3 hosts |
|
[10] |
SVM/DNN |
Public KDD dataset |
× |
RYU |
Single |
4 hosts |
|
[11] |
J48 |
Generated by Simulation |
Block port with timeout |
RYU |
Single |
5 hosts |
|
[12] |
SVM/NB/ANN/KNN |
Generated by Simulation |
× |
POX |
Single |
6 hosts |
|
[13] |
SVM/MLP/DT/RF |
Generated by Simulation |
× |
POX |
Single |
6 hosts |
|
Our paper |
RF/KNN/NB/LR |
Generated by Simulation |
Block port with timeout |
RYU |
Single, linear, linear with multi-controller |
64 hosts /8 switches-64 hosts /8 switches-64 hosts |
Machine learning algorithms be divided into four categories: supervised, unsupervised, semi-supervised, and reinforcement learning. Table 2 explains the main differences between them. In supervised learning algorithms, the input is combined with a label that represents a classification class and during the testing phase, the machine predicts the class of that input data based on the training sample. This is called supervised because we pre-trained the model on a known classed training sample [16]. In this work the supervised learning has been used since the generated data is labeled to 1 and 0 to indicate a normal or attack flow.
Table 2. Machine learning techniques
|
ML class |
Learning |
Example |
|
Supervised |
Labeled dataset |
SVM, DT, KNN… |
|
Unsupervised |
Unlabeled dataset |
K-means, SVD, PCA |
|
Semi-supervised |
Some labeled and other unlabeled |
linear regression, logistic regression |
|
Reinforcement |
Trial and error (no dataset) |
Markov Decision Support, Q-learning |
Next is a further explanation of some of the supervised algorithms that have been used in this work:
Random Forest (RF): Also known as a random decision forest, because it is constructs from many decision trees (forest). It is one of the popular supervised learning algorithms that used both in classification and regression problems. The accuracy of the algorithm depends on the number of trees used [17]. To build the final decision about the new unclassified sample each decision tree will make a vote about this sample and the final prediction is the class with the most votes among the tree outputs.
K-nearest neighbor (KNN): It is a simple, easy-to-implement supervised machine learning algorithm that can be used to solve both classification and regression problems. It assumes the similarity between the new case/data and available cases and put the new case into the category that is most similar to the available categories [18].
Naive Bayes (NB): It is one of the simplest supervised ML algorithms that used to solve the classification problem. It based on the Bayes theorem that uses conditional probability to describe the relationship between statistical quantities. Bayes theorem uses conditional probability of an event which based on the assumption that predictors or input features are independent to each other [19].
Logistic Regression (LR): it is a supervised ML algorithm used for the classification problem based on the logistic function or sigmoid function which is a mathematical function used to map the predicted values to probabilities and have value between 0 and 1, different from linear function that is used in linear regression that can gives value above 1 or below 0 [20]. Logistic regression uses a threshold value, so as values above the threshold tends to 1, and a value below the threshold tends to 0.
In this work four machine learning algorithms has been proposed to secure SDN networks from DDoS attacks, RF, KNN, NB and LR. The proposed system works as illustrated in Figure 1, the controller extracts the network traffic characteristics from switch flow table and uses it as input to the selected ML classifier to identify the traffic as normal or attack. The experimental setup done on an HP laptop with Core i7 CPU and 16 GB RAM under Linux Ubuntu 16.04 LTS OS. The testbed has been done using Mininet emulator and RYU controller. Open VS witches with OpenFlow protocol version 1.3 have been used in this work.
Figure 1. Proposed system
Different steps used to construct the system as follow.
4.1 Network scenarios construction
Three different network topologies constructed using python script to evaluate the effect of changing topology type on the detection and mitigation techniques efficiency. Single topology is the first network was implemented with 64 hosts, one switch and one controller. Linear with one controller topology was the second network implemented with also 64 hosts but with eight switches and one controller. Finally, a multi-controller Linear topology was implemented, which is the same as the linear but with two-controllers Figure 2 illustrate the topologies architecture.
(a) Single topology
(b) Linear topology
(c) Multi-Controller topology
Figure 2. Simulation network scenarios
4.2 Dataset generation
According to the scenarios showed in Figure 2 three datasets have been generated using the simulation instead of using the publicly available datasets that are unrealistic and lack many extracted data features. The datasets generated by collecting the features of network flows during normal and attack traffic using Mininet emulator. Table 3 listed the extracted features of the flow.
A python script responsible for creating the topology will randomly generate the normal ICMP traffic between hosts in the topology using the "Ping" traffic generation command tool. Another python script will generate the ICMP flood traffic, which is a DDoS traffic, between hosts in the topology randomly using the "Hping3" traffic generation command tool. These are the standard command tools for traffic generation in a simulation test. The generation launch 6 hours of normal traffic and 8 minutes of attack traffic for each type of topology which generate data of a (43.7 M Byte/32619 flow) for single topology, (344.4 M Byte/2176918 flow) for linear topology and (259.4 M Byte/1791308 flow) for linear with multi-controller topology.
4.3 Model training
After generating the datasets, the machine learning classifier model is trained on each one. At the training, the dataset split into 75% training and 25% testing sets. The trained model will be called in the testing phase by the controller during real-time traffic to predict whether the flow is normal or attack. The confusion matrix and training time are used to evaluate the trained model. Eq. (1) calculate the accuracy of the model depending on confusion matrix.
Accuracy $=\frac{T P+T N}{T P+F P+F N+T N} \times 100 \%$ (1)
where, (TP) is the true positive, (FP) is the false positive, (FN) is the false negative (FN), and (TN) is the true negative which all construct the confusion matrix. Table 4 illustrated the confusion matrix parameters and training time results. FP and FN indicate false alarms. Figure 3 shows the obtained accuracy for each classifier.
Table 3. Dataset features
|
Field name |
Description |
|
Timestamp |
Arrival time of packet |
|
datapath_id |
Switch ID |
|
Flow_id |
Flow identifier |
|
ip_src |
Source IP address |
|
tp_src |
Source port |
|
ip_dst |
Destination IP address |
|
tp_dst |
Destination port |
|
ip_proto |
protocol |
|
icmp_code |
ICMP code |
|
icmp_type |
ICMP type |
|
flow_duration_sec |
The duration of flow in seconds |
|
flow_duration_nsec |
Th duration of flow in nano seconds |
|
Idle_timeout |
Flow entry timeout after inactivity |
|
hard_timeout |
Flow expiration time |
|
flag |
Modify the way flow inputs are handled |
|
packet_count |
Number of packets |
|
byte_count |
Number of bytes |
|
packet_count_per_second |
Number of packets per second |
|
packet_count_per_nsecond |
Number of packets per nano second |
|
byte_count_per_second |
Number of bytes per second |
|
byte_count_per_nsecond |
Number of bytes per nano second |
|
label |
0 for normal, 1 for attack |
Table 4. Machine learning training results.
|
Algorithm |
Network Topology |
TP |
FP |
FN |
TN |
Training Time (sec.) |
|
RF |
Single |
25796 |
0 |
0 |
55859 |
27 |
|
Linear |
220747 |
0 |
0 |
323483 |
171 |
|
|
Multi-controller |
32501 |
0 |
0 |
415326 |
125 |
|
|
KNN |
Single |
25796 |
0 |
2 |
55859 |
53 |
|
Linear |
220747 |
0 |
3 |
323483 |
372 |
|
|
Multi-controller |
32501 |
0 |
0 |
415326 |
275 |
|
|
NB |
Single |
25796 |
0 |
15926 |
39933 |
4.9 |
|
Linear |
220747 |
0 |
143764 |
179719 |
16.6 |
|
|
Multi-controller |
32501 |
0 |
124918 |
290408 |
13.8 |
|
|
LR |
Single |
0 |
25796 |
0 |
55859 |
10.6 |
|
Linear |
0 |
220747 |
0 |
323483 |
29.8 |
|
|
Multi-controller |
0 |
32501 |
0 |
415326 |
27 |
Figure 3. Machine learning model accuracy
4.4 Model testing
The training results showed that NB and LR have less accuracy and they are both not good for the system. So, farther test step will be implemented only using RF and KNN since they have a good accuracy.
Traffic generation
The normal traffic is generated using the ping command tool, it sends a request over the network to a specific host. A successful ping results in a response from the host that was pinged, back to the originating host. The attack traffic is generated using Hping3 which is a network tool able to send custom ICMP/UDP/TCP packets. This tool has many options to allow to control the size, quantity, and fragmentation of packets in order to overload the target. Table 5 illustrate normal and attack traffic specification in this system.
Table 5. Normal and attack traffic specification
|
Traffic parameters |
Normal |
Attack |
|
Packet type |
ICMP |
ICMP Flood |
|
Source IP |
10.0.0.1 or any host |
Spoofed Random IP |
|
Destination IP |
10.0.0.2 or any host |
10.0.0.2 |
|
Traffic rate (packets/1 sec.) |
2 |
More than 1000 |
Detection and mitigation process
After training ends, the system will be ready to detect the traffic generated by any host in the topology and classify it. RYU controller python code will call the trained model and start testing it on the real-time traffic. It will get the flow statistics from all the switches every 3 seconds and pass them as input to the classifier model. The classifier predicts whether it is an attack or normal traffic and then displays the result on the controller terminal. If the traffic is malicious (DDoS), the controller also displays the victim, and then the mitigation process starts.
When generating normal traffic between any two hosts it has been observed that RYU terminal correctly detects a legitimate traffic happening. Figure 4 shows the correct detection in the multi-controller topology. The two other topologies also display a correct detection, but we eliminate their results for abbreviation.
While normal traffic still running, we test the detection of an attack traffic. A DDoS attack traffic is generated with random spoofed IPs using hping3 tool between two hosts for each topology, in all topologies host 64 will attack host 2. After few seconds, RYU will detect attack traffic and print the victim host. Figure 5 shows the result of DDoS detection only for multi-controller topology for abbreviation also.
Figure 4. Detecting normal traffic in Ryu terminal in multi-controller topology
Figure 5. Detecting attack traffic in Ryu terminal in multi-controller topology
Next, mitigation process starts to stop the attack traffic from exhaustion the network resources. It will find the source port of the attacker and then block this port for 120 sec. The drop packet rule will be updated by the controller in the switch flow-table. The detection and mitigation process steps are explained in algorithm 1.
|
Algorithm 1: Detection and Mitigation Process |
|
Select the classifier (RF or KNN) hard_time = t #block port timeout mitigation = 0 (before detection)
|
After mitigation done correctly the network will return to its normal traffic. The real time results during mitigation at single and linear topologies are shown in Figures 6 and 7. We should mention that in linear topology and multi-controller topology, host 64 which is the attacker host is located at switch 10 port 11.
Figure 6. Mitigation results in single topology
Figure 7. Mitigation results in linear topology
In the linear with multi-controller topology as it has two domains as shown in Figure 8, the port that receives traffic from the other domain will be monitored and if an attack is detected this port it will be blocked for 30 seconds to give time for the other controller to start to block the attacker port at his domain, this small-time block for the traffic between the 2 domains will not block the normal traffic between domains for a lot of time and ensure that the DDoS traffic will not harm the target domain if the attacker domain controller delayed in mitigating the attack. The real time results during mitigation in this scenario shown in Figure 9.
Figure 8. Linear with 2-controllers topology as a two-domain structure
Figure 9. Mitigation results in multi-controller topology
The proposed algorithms tested for their ability to detect and mitigate DDoS attack in the three simulation networks and to prove its accurate classification for the incoming traffic to the controller. The monitoring metrics during the evaluation are the packets rate of the victim and controller, as well as the attack detection and mitigation time. Table 6 shows the results collected during the run test of all network topology using RF and KNN classifiers and during three DDoS attack strikes.
Table 6. Simulation results of RF and KNN models
|
Test metrics |
RF |
KNN |
||||
|
single |
linear |
2-controller |
single |
linear |
2-controller |
|
|
Normal Tx packet |
580 |
580 |
480 |
580 |
480 |
480 |
|
Normal Rx packet |
416 |
577 |
418 |
351 |
480 |
450 |
|
Packet loss |
28% |
0% |
12% |
39% |
0% |
6% |
|
Attack Tx packet |
34487300 |
26242144 |
24647452 |
33910143 |
24104797 |
25092838 |
|
Detection time |
12 |
5 |
3 |
10 |
5 |
3 |
|
*Max. Mitigation time |
22/32/48 |
8/11/10 |
5/7/4 |
14/12/58 |
9/10/8 |
6/4/6 |
|
*Target max. Packet rate during attack |
2425/6344/6313 |
314/183/184 |
220/276/244 |
2394/5092/8605 |
178/185/212 |
224/227/295 |
*The values (x/x/x) are for the three attack strikes.
(a) Target packets rate
(b) Ryu controller packets rate
Figure 10. System results in single topology during detection and mitigation of DDoS attack using RF and KNN classifiers
(a) Target packets rate
(b) Ryu controller packets rate
Figure 11. System results in linear topology during detection and mitigation of DDoS attack using RF and KNN classifiers
(a) Target packets rate
(b) Ryu controller packets rate
Figure 12. System results in multi-controller linear topology during detection and mitigation of DDoS attack using RF
Figure 13. Detection time for all tests
We can observe that:
From observing the target and controller traffic we can find that the packets per second are significantly increased during the launch of DDoS attack, and it is mostly affecting the controller traffic because since the source addresses of the attack are spoofed random IPs, the switch will forward all them. When mitigation started, the target will return to the normal traffic faster than the controller does.
DDoS attack detection is one of the main challenges of SDN security today. One of the great enhancements to network management that emerged in SDN is the ability to build an application to mitigate security issues or to propose new software solutions to the network environment, especially with modern intelligent technologies. Machine learning algorithms are one of these solutions that can significantly improve the quality of SDN security. RF, KNN, NB, and LR are proposed in this work as supervised machine learning algorithms to detect a DDoS attack in three network architectures which are single topology, linear topology, and multi-controller topology. The models have been trained on the datasets generated in a simulated SDN environment using Mininet emulator and RYU controller. The simulation results show that NB and LR have low accuracy rates and produce many wrong predictions. On the other hand, RF and KNN produce high accuracy rates and can be effectively used as prediction models for this work.
From monitoring network traffic during the attack, it can be observed that this attack is mainly attempting to exhaust the controller and bring it down by flooding the switch flow table with spoofed IP addresses requests. It also caused some loss in normal packet flow by busying the controller with these faked requests. This effect is mostly appeared in the single topology unlike linear and multi-controller topologies, which means that increasing the switches number lowers the load and helps to eliminate the attack effect fast. Also, increasing network switches minimizes the detection and mitigation time. Moreover, increasing the number of controllers enhances the detection and mitigation process by minimizing the error rate, detection and mitigation time.
Finally, the proposed mitigation technique is accurately implemented to stop the attack before it harms the controller by blocking the attacker port for 120 second.
For future work we suggest implementing the system in real network instead of virtual and adopting more SDN controllers in the multi-controller topology. Also, other types of machine learning algorithms such as reinforcement which doesn’t need a dataset can be tested.
[1] Gupta, S., Grover, D. (2021). A comprehensive review on detection of DDoS attacks using ML in SDN environment. In 2021 International Conference on Artificial Intelligence and Smart Systems (ICAIS), pp. 1158-1163. https://doi.org/10.1109/ICAIS50930.2021.9395987
[2] Deepa, V., Sudar, K.M., Deepalakshmi, P. (2018). Detection of DDoS attack on SDN control plane using hybrid machine learning techniques. In 2018 International Conference on Smart Systems and Inventive Technology (ICSSIT), pp. 299-303. https://doi.org/10.1109/ICSSIT.2018.8748836
[3] Mohsin, M.A., Hamad, A.H. (2022). Implementation of entropy-based DDoS attack detection method in different SDN topologies. American Academic Scientific Research Journal for Engineering, Technology, and Sciences, 86(1): 63-76.
[4] Bawany, N.Z., Shamsi, J.A., Salah, K. (2017). DDoS attack detection and mitigation using SDN: Methods, practices, and solutions. Arabian Journal for Science and Engineering, 42(2): 425-441. https://doi.org/10.1007/s13369-017-2414-5
[5] Tuan, T.A., Long, H.V., Son, L.H., Kumar, R., Priyadarshini, I., Son, N.T.K. (2020). Performance evaluation of Botnet DDoS attack detection using machine learning. Evolutionary Intelligence, 13(2): 283-294. https://doi.org/10.1007/s12065-019-00310-w
[6] Hamad, A.H. (2021). Smart campus monitoring based video surveillance using haar like features and K-Nearest neighbour. International Journal of Computing and Digital Systems, 10(1): 863-870. http://dx.doi.org/10.12785/ijcds/100179
[7] Beslin Pajila, P.J., Golden Julie, E. (2019). Detection of DDoS attack using SDN in IoT: A survey. In Intelligent Communication Technologies and Virtual Mobile Networks, pp. 438-452. https://doi.org/10.1007/978-3-030-28364-3_44
[8] Ye, J., Cheng, X., Zhu, J., Feng, L., Song, L. (2018). A DDoS attack detection method based on SVM in software defined network. Security and Communication Networks. https://doi.org/10.1155/2018/9804061
[9] Sahoo, K.S., Iqbal, A., Maiti, P., Sahoo, B. (2018). A machine learning approach for predicting DDoS traffic in software defined networks. In 2018 International Conference on Information Technology (ICIT), pp. 199-203. https://doi.org/10.1109/icit.2018.00049
[10] Prakash, A., Priyadarshini, R. (2018). An intelligent software defined network controller for preventing distributed denial of service attack. In 2018 Second International Conference on Inventive Communication and Computational Technologies (ICICCT), pp. 585-589. https://doi.org/10.1109/icicct.2018.8473340
[11] Le, D.T., Dao, M.H., Nguyen, Q.L.T. (2020). Comparison of machine learning algorithms for DDoS attack detection in SDN. Информационно-управляющие системы, 3(106): 59-70. https://doi.org/10.31799/1684-8853-2020-3-59-70
[12] Karan, B.V., Narayan, D.G., Hiremath, P.S. (2018). Detection of DDoS attacks in software defined networks. In 2018 3rd International Conference on Computational Systems and Information Technology for Sustainable Solutions (CSITSS), pp. 265-270. https://doi.org/10.1109/csitss.2018.8768551
[13] Rahman, O., Quraishi, M.A.G., Lung, C.H. (2019). DDoS attacks detection and mitigation in SDN using machine learning. In 2019 IEEE World Congress on Services (SERVICES), 2642: 184-189. https://doi.org/10.1109/services.2019.00051
[14] Polat, H., Polat, O., Cetin, A. (2020). Detecting DDoS attacks in software-defined networks through feature selection methods and machine learning models. Sustainability, 12(3): 1035. https://doi.org/10.3390/su12031035
[15] Santos, R., Souza, D., Santo, W., Ribeiro, A., Moreno, E. (2020). Machine learning algorithms to detect DDoS attacks in SDN. Concurrency and Computation: Practice and Experience, 32(16): e5402. https://doi.org/10.1002/cpe.5402
[16] Aljuhani, A. (2021). Machine learning approaches for combating distributed denial of service attacks in modern networking environments. IEEE Access, 9: 42236-42264. https://doi.org/10.1109/access.2021.3062909
[17] Aljuhani, A. (2021). Machine learning approaches for combating distributed denial of service attacks in modern networking environments. IEEE Access, 9: 42236-42264. https://doi.org/10.1109/access.2021.3062909
[18] Zhao, Y., Li, Y., Zhang, X., Geng, G., Zhang, W., Sun, Y. (2019). A survey of networking applications applying the software defined networking concept based on machine learning. IEEE Access, 7: 95397-95417. https://doi.org/10.1109/access.2019.2928564
[19] Sangodoyin, A.O., Akinsolu, M.O., Pillai, P., Grout, V. (2021). Detection and classification of DDoS flooding attacks on software-defined networks: A case study for the application of machine learning. IEEE Access, 9: 122495-122508. https://doi.org/10.1109/ACCESS.2021.3109490
[20] Amin, R., Rojas, E., Aqdus, A., Ramzan, S., Casillas-Perez, D., Arco, J.M. (2021). A survey on machine learning techniques for routing optimization in SDN. IEEE Access. https://doi.org/10.1109/access.2021.3099092
