Distributed Denial of Service Attack Detection in Software-Defined Networks Using Decision Tree Algorithms

A software-defined network (SDN) is a new architecture approach for constructing and maintaining networks with the main goal of making the network open and programmable. This allows the achievement of specific network behavior by updating and installing software, instead of making physical changes to the network. Thus, SDNs allow far more flexibility and maintainability compared to conventional device-dependent architectures. Unfortunately, like their predecessors, SDNs are prone to distributed denial of service (DDoS) attacks. These attack paralyze networks by flooding the controller with bogus requests. The answer to this problem is to ignore machines in the network sending these requests. This can be achieved by incorporating classification algorithms that can distinguish between genuine and bogus requests. There is abundant literature on the application of such algorithms on conventional networks. However, because SDNs are relatively new, they lack such abundance both in terms of novel algorithms and effective datasets when it comes to DDoS attack detection. To address these issues, the present study analyzes several variants of the decision tree algorithm for detection of DDoS attacks while using two recently proposed datasets for SDNs. The study finds that a decision tree constructed with a hill climbing approach, termed the greedy decision tree, iteratively adds features on the basis of model performance and provides a simpler and more effective strategy for the detection of DDoS attacks in SDNs when compared with recently proposed schemes in the literature. Furthermore, stability analysis of the greedy decision tree provides useful insights about the performance of the algorithm. One edge that greedy decision tree has over several other methods is its enhanced interpretability in conjunction with higher accuracy.