
SDN-BASED CYBER SECURITY STRATEGY FOR

INDUSTRY

MUHAMMAD JUNAID KHALID

(20-ARID-954)

UNIVERSITY INSTITUTE OF INFORMATION TECHNOLOGY


PIR MEHR ALI SHAH
ARID AGRICULTURE UNIVERSITY RAWALPINDI
PAKISTAN
2022
SDN-BASED CYBER SECURITY STRATEGY FOR INDUSTRY

by

MUHAMMAD JUNAID KHALID

(20-ARID-954)

A thesis submitted in partial fulfillment of
the requirement for the degree of

Master of Science
in
Computer Science

UNIVERSITY INSTITUTE OF INFORMATION TECHNOLOGY


PIR MEHR ALI SHAH
ARID AGRICULTURE UNIVERSITY RAWALPINDI
PAKISTAN
2022
CERTIFICATION
I hereby undertake that this research is an original one and no part of this
thesis falls under plagiarism; if found otherwise at any stage, I will be responsible
for the consequences.

Name: MUHAMMAD JUNAID KHALID Signature: ______________

Registration Number: 20-ARID-954 Date: ______________

Certified that the contents and form of thesis entitled “SDN-Based Cyber

Security Strategy for Industry” submitted by “MUHAMMAD JUNAID

KHALID” has been found satisfactory for requirements of the degree.

Supervisor: ________________________________
(Dr. Syed Mushhad Mustuzhar Gilani)

Member: _____________________________
(Dr. Saud Altaf)

Member: _______________________________
(Mr. Muhamad Aleem Akhtar)

Date of Viva Voce: _______________ External Examiner: _______________

Director _________________________

Director Advanced Studies: ___________________________

DEDICATION

I want to dedicate this thesis to all my teachers who taught me from class prep to
this level; they all have made their contributions to make me able to do this thesis
successfully.

CONTENTS
Page
List of Tables viii
List of Figures ix
Acknowledgements x
Abstract xi
Chapter 1 INTRODUCTION 1
1.1 INDUSTRY EVOLUTION 1
1.1.1 Industry 1.0 Mechanization 2
1.1.2 Industry 2.0 Electrification 2
1.1.3 Industry 3.0 Automation 2
1.1.4 Industry 4.0 Digitalization 3
1.1.5 Industry 5.0 Personalization 3
1.2 CYBER SECURITY 4
1.2.1 Viruses 4
1.2.2 Phishing Attacks 4
1.2.3 Network Intrusions 5
1.2.4 Denial of Service Attacks 5
1.2.5 Attack Mitigation Approaches 6
1.3 SOFTWARE DEFINED NETWORKING (SDN) 6
1.3.1 Application Plane 7
1.3.2 Control Plane 8
1.3.3 Data Plane 8
1.4 SDN AND CYBER SECURITY 9
1.5 RESEARCH CONTRIBUTIONS 10
Chapter 2 LITERATURE REVIEW 11
2.1 STATE-OF-THE-ART APPROACHES 11
2.2 TABULAR ANALYSIS OF LITERATURE REVIEW 16
2.3 PROBLEM STATEMENT 18
2.4 RESEARCH OBJECTIVES 18
2.5 EXPECTED OUTCOME 19
Chapter 3 PROPOSED STRATEGY 20
3.1 ARP SPOOFING ATTACKS MITIGATION 20
3.1.1 Scenario 1: Intruding in the Network When User is Blacklisted 20
3.1.2 Scenario 2: Intruding in the Whitelisted Network 21
3.1.3 Scenario 3: Man in the Middle Attack 22
3.1.4 Mitigation Strategy 23
3.1.4.1 IP Address Scanning Module 24
3.1.4.2 MAC Address Scanning Module 25
3.2 DDOS ATTACK MITIGATION 27
3.2.1 Types of DDoS Attack 27
3.2.1.1 Flooding 27
3.2.1.2 Slowloris 28
3.2.2 Purpose of DDoS Attack 28
3.2.3 Dataset 28
3.2.4 Mitigation Strategy 29
3.2.4.1 Bayesian Network 29
3.2.4.2 Naïve Bayes 30
3.2.4.3 Artificial Neural Network (ANN) 30
3.2.4.4 Support Vector Machine (SVM) 31
3.2.4.5 K Nearest Neighbor (KNN) 31
3.2.4.6 Decision Tree 32
3.2.4.7 Random Forest 32
Chapter 4 SIMULATIONS AND RESULTS 33
4.1 SIMULATION FOR ARP SPOOFING ATTACK 33
4.1.1 ARP REQUEST Attack 35
4.1.2 ARP REPLY and ARP REPLY Destination Attack 36
4.2 SIMULATION FOR DDOS ATTACK 38
4.3 SUMMARY 42
LITERATURE CITED 43

ABBREVIATIONS

SDN Software Defined Networking

IDPS Intrusion Detection and Prevention System

DoS Denial of Service

DDoS Distributed Denial of Service

ARP Address Resolution Protocol

RARP Reverse Address Resolution Protocol

DHCP Dynamic Host Configuration Protocol

IP Internet Protocol

MAC Media Access Control

TCP Transmission Control Protocol

UDP User Datagram Protocol

ICMP Internet Control Message Protocol

KNN K Nearest Neighbors

SVM Support Vector Machine

ANN Artificial Neural Networks

CNN Convolutional Neural Networks

RNN Recurrent Neural Networks

SYN TCP Synchronize message

ACK TCP Acknowledgement message

List of Tables

Table 2.1: Comparison of ARP spoofing attack approaches ...................................16
Table 2.2: Comparison of DDoS attack mitigation approaches ...............................17
Table 4.1: IP configuration of the testing network topology ...................................33
Table 4.2: ARP REQUEST attack mitigation time ..................................................35
Table 4.3: ARP REPLY attack mitigation time .......................................................37
Table 4.4: Number of checks applied by every approach ........................................38

List of Figures

Figure 1.1: Industry evolution ....................................................................................2
Figure 1.2: Abstract view of SDN..............................................................................7
Figure 1.3: Abstract view of proposed strategy .......................................................10
Figure 2.1: Expected Outcome ..................................................................................19
Figure 3.1: Intruder intruding in blacklisted network ..............................................21
Figure 3.2: An intruder is intruding in the whitelisted network ...............................22
Figure 3.3: Man in the middle attack .......................................................................23
Figure 3.4: Abstract Mitigation strategy for IDPS against ARP spoofing attack ....24
Figure 3.5: Detailed methodology of IP address scanning module .........................25
Figure 3.6: Detailed methodology of MAC address scanning module ....................26
Figure 4.1: Test topology .........................................................................................34
Figure 4.2: ARP REQUEST attack mitigation time ................................................36
Figure 4.3: ARP REPLY attack mitigation time ......................................................37

Acknowledgements

First of all, I would like to thank Allah Almighty, who gave me enough
knowledge and strength for this thesis. Then I would like to dedicate this thesis to
my family, who supported me morally and financially throughout my thesis and kept
me motivated, especially to my grandfather (late), who was the first one who supported
me when I chose computers as a career field.

I would also like to thank the supervisory committee members as well, who kept
me guided and played the role of a guiding light for me. It is because of their hard work
that I was able to do this thesis. I would like to thank my class fellows as well, who also
helped me and discussed a few things when I got stuck somewhere.

ABSTRACT

Software Defined Networking (SDN) is a comparatively new approach that
separates the data plane and the control plane of the network devices. In simple words, it
takes the decision-making power away from the routing devices and gives it to a device
called the SDN controller. SDN provides a programmatic interface that helps researchers
experiment with their proposed methodologies. Like other networks, SDN is also
vulnerable to different cyber-attacks and needs cyber security techniques to be
implemented. Cyber security is a very active topic because of the diversity of attacking
techniques. Cyber security started with the very beginning of networks, because greed
and malicious intent have existed in people since the beginning of the world. Different
types of attacks are performed to gain unauthorized access or to steal important data for
personal use. Well-known cyber-attacks are DDoS, ARP spoofing and injection attacks.
Most attacks are performed on industrial networks because industrial networks carry
more sensitive data than a personal network, which is why this research focuses on
industrial network security. An attack on an industrial network causes very large-scale
damage in terms of data or money, because a great many parties depend on industrial
data. For this reason, this research work focuses on proposing a new strategy to mitigate
DDoS attacks and ARP spoofing attacks. This strategy will be implemented using a
distributed SDN controller, because centralized controllers are not successful in
industrial use cases. The evaluation of the proposed strategy will be performed using an
SDN simulation tool.

Keywords: Cyber Security; Software Defined Networking; DDoS attack;
ARP spoofing attack; Intrusion Detection and Prevention System

CHAPTER 1

INTRODUCTION

The networks inside corporations and other industrial units carry very sensitive
data. Attacks and security breaches in these networks can result in disaster and massive
irrecoverable damage. This research uses a Software Defined Networking based
strategy for the mitigation and prevention of these attacks.

1.1 INDUSTRY EVOLUTION

Any individual or group of individuals who provides services or finished products is
part of industry. Industry gives businessmen the place to offer their services and
products to the people and earn the reward they deserve. Any kind of trade can be
considered a part of industry (Yin et al., 2015). Industry is a very old concept that began
with mankind itself. Since the stone age, human beings have traded goods for their
living, because no one is gifted with every skill, so people traded to get the things they
needed. Technically, however, the modern industry started in the mid-18th century
(Vinitha et al., 2020), when human labor began to be replaced by mechanized equipment.
Industry is categorized into the ages given below and also shown in Figure 1.1.

1. Industry 1.0 Mechanization

2. Industry 2.0 Electrification

3. Industry 3.0 Automation

4. Industry 4.0 Digitalization

5. Industry 5.0 Personalization

It is important to study the evolution of industry to get a better understanding of what
this research is actually going to protect and what the threats are.

Figure 1.1: Industry evolution

1.1.1 Industry 1.0 Mechanization

When the first fuel engine was built, it started the modern industry of machines.
Human effort was greatly reduced, a great deal of work was mechanized, and many tasks
that were beyond human capabilities were taken over by machines. The most popular
example of this is the steam engine; later, other fuel-powered engines were developed.
Production speeded up, services got better, and many lives improved.

1.1.2 Industry 2.0 Electrification

With the invention of electricity, engines started to convert from mechanical to
electrical, and a few used both fuel and electricity. This greatly increased production
speed and efficiency; not only engines but many new devices were also invented. The
major example is the electric appliances used in households. This also reduced the
number of pollution-generating engines and equipment.

1.1.3 Industry 3.0 Automation

This is when machines started to take decisions by themselves. It happened with
the invention of electronic circuits, where devices can take decisions on the basis of the
input given. This reduced human effort a great deal, and many tasks were automated.
This revolution not only speeded up the production of goods and increased the number
of devices available, but also sped up the pace of the revolution itself. The most popular
example of this industry is the modern-day computer. Laptops, cellphones and their
technologies evolved very quickly. This was the first time that data was saved on a
physical device, which led to the birth of the field of data security.

1.1.4 Industry 4.0 Digitalization

This is the present day, where the connection between human beings and
machinery is changing day by day. This era started with the advent of the internet, when
the meaning of connecting not only with devices but also with other human beings
changed (Crenn, 2021). Now data is not only stored on a physical device but can also be
transferred to literally anywhere in the world. This change in technology also increased
the risk of data breaches, and the owners and users of the data became very conscious
about its security. With the passage of time and the evolution of technology, the risk
keeps increasing. News of data breaches and other cyber-attacks on well-known
industrial networks is now very common (Kolevski et al., 2021). The breached data can
be used for any legal or illegal purpose. Along with this increase in convenience for
humanity, the risk to data security is also increasing (Saravanan & Bama, 2019).

1.1.5 Industry 5.0 Personalization

This is the era yet to come. With the advancements in and use of smart devices,
interaction with these devices is also increasing. The concept of the metaverse is now
becoming reality, and multiple metaverses are available, each with its own purpose (Lee
et al., 2021). The metaverse is a virtual world that the user interacts with while being in
the physical world. It is a Virtual Reality (VR) socializing platform where the user just
wears the gear and reaches the place they want (Mystakidis, 2022). Users interact with
the objects there as in the physical world. This means a massive increase in data
transmissions and a high risk of data being breached or attacked (Sparkes, 2021). The
impact of an attack on the metaverse is drastic because the variety of attacks will grow
to an unpredictable number (Ning et al., 2021). This amplifies the importance of cyber
security in the industry.

1.2 CYBER SECURITY

The term cyber security means all the preventive measures taken to prevent the
exploitation of a potential vulnerability in a computer system or network (Pourbabak
et al., 2019). After studying all the generations of industry, it can be concluded that
with advancements in technology, the possibilities of attacks of different natures also
increase, putting users' data at risk. This means there is a constant need to evolve the
defense mechanisms against all these evolving attack mechanisms, which underlines the
importance of cyber security in the industry.

The field of cyber security started with the beginning of computing devices. The
malicious thoughts and intentions of human beings never stopped and compelled them
to create malicious software (malware). There are different types of cyber-attacks.

1.2.1 Viruses

The first form of cyber-attack was virus software. A virus is a type of malware that
attaches itself to some other legitimate software and gets triggered once the host
software is executed (Yeh et al., 2021). It reflects the multiplication property of a
biological virus: it spreads and attaches itself to more and more files. The purposes of
viruses vary, such as monitoring the victim's activities, filling disk space with hidden
files, changing file contents and file types, replicating files, hiding files, encrypting files
for ransom and a lot more (Shah & Comissiong, 2021). Multiple preventions are
available against this attack. The most common prevention measure is to use a good
antivirus.

1.2.2 Phishing Attacks

This is another type of attack, performed to obtain end users' passwords by deception.
It is very similar to real-life fishing, where the fisherman throws a bait into the water;
the fish takes it as food, not knowing there is a hook in it, and once it bites it gets stuck
on the hook and is captured. Similarly, in a phishing attack the attacker displays a replica
of an authentic website's web page and traps the user into entering login credentials;
once the user enters them, the credentials get stored in the attacker's database (Jain &
Gupta, 2022). This type of attack can be prevented only by being conscious while using
the internet and by educating internet users.

1.2.3 Network Intrusions

These attacks are performed to become part of a secured network and perform
malicious activities. The intruder may only listen to the traffic, may manipulate it, or may
do other malicious things, for example flooding the network with bogus traffic, accessing
confidential data from the servers in the network, and a lot more. This attack is
performed by exploiting weaknesses in the security measures taken in the network. Its
outcome can be more drastic and catastrophic than phishing and virus attacks. The major
method behind this attack is corrupting the Address Resolution Protocol (ARP) cache on
the networking devices. This attack can be prevented by implementing serious and
advanced Intrusion Detection and Prevention Systems (IDPSs).

1.2.4 Denial Of Service Attacks

Denial of Service (DoS) attacks are performed by flooding a network resource with
bogus requests, keeping it so busy and exhausting its resources so much that it refuses
to provide any service to any user, or the service provision becomes extremely and
annoyingly slow (Eliyan & Di Pietro, 2021). A DoS attack is performed by a single
device sending a huge number of requests to the network resource. In a Distributed
Denial of Service (DDoS) attack, however, a number of devices are added to a botnet
and then the whole botnet is used to flood the network resource with requests.

This attack can be performed by sending a huge number of ICMP, TCP-SYN, TCP-ACK
and UDP packets to the network resource to keep it busy. The packets may carry such a
heavy payload that processing them drains all the resources of the target, forcing it to
deny service (Balarezo et al., 2022).

1.2.5 Attack Mitigation Approaches

To avoid virus and phishing attacks, user education is the best tool, as the network
configuration is neither disturbed nor affected. To perform these attacks, the attacker
only needs to play with the users' minds to make them do what the attacker wants.
Therefore, to prevent these attacks, the most essential thing is to educate users about
how to secure themselves on the internet, although antivirus products exist for virus
attacks and different tools exist for detecting fake websites in phishing attacks.

To mitigate DDoS and intrusion attacks, however, end-user education is of no use,
because these attacks are not performed by exploiting the weakness of the user; rather,
they are performed by exploiting loopholes in the security configuration of the network.
It requires extensive networking and cyber security knowledge to mitigate these attacks.
Firewalls and other security programs must be installed in the network, which require
extra hardware and cabling. Updating the configuration is equally problematic.

In industrial networks, the number of devices is large and configuring them requires
a lot of time and human effort. There is a new networking approach that provides a
programmable interface to the whole network instead of requiring each device to be
configured individually. Its programmable interface helps to update the configuration
comparatively easily. This approach is known as Software Defined Networking (SDN)
(Alhaj & Dutta, 2022).

1.3 SOFTWARE DEFINED NETWORKING (SDN)

As discussed before, SDN is a comparatively new approach in the world of
networking that provides a single configuration point for the whole network. For this
reason, the approach is very suitable for industrial networks, especially for datacenters,
where networking devices are required in very large numbers, the topology is very
complex and the need for security is high. The single configuration point helps in
mitigating many cyber-attacks all at once.

This approach has a three-layer architecture: the Application Plane, the Control Plane
and the Data Plane. The control plane is the actual decision maker of the network. The
application plane is where the end users are connected to the network and the networking
applications are executed, and the data plane is where the networking devices reside.
The application plane is at the top level and is connected to the control plane via the
Northbound Interface; the data plane is below the control plane and is connected to it
using the Southbound Interface. This architecture is shown in Figure 1.2.

Figure 1.2: Abstract view of SDN

1.3.1 Application Plane

This is the plane where the end-user networking applications run; they generate
requests that are sent to the Control Plane via the Northbound Interface of the SDN
controller. The primary traffic generators and receivers reside here. This plane does not
know how the routing is done; it just sends the traffic to the control plane, which handles
the rest. A few SDN applications also run at this plane; for example, load balancing is
done using the application plane. Network intrusion detection and prevention is also done
using the application plane. These applications are also known as mid-level applications
(Hu et al., 2021).

1.3.2 Control Plane

This is actually the point where all the configuration of the network is done. This
plane is the heart of the SDN architecture. The SDN controller runs at this layer; without
a running controller the whole network halts and nothing works. This layer makes all the
routing decisions and exposes a programmable interface via the SDN controller. The
decisions made here are then installed in the data plane so that traffic with matching
routing information is sent directly to the concerned device; if the routing information
does not match any of the installed rules, this layer receives the traffic via the southbound
interface and performs the required processing (Chen et al., 2022).

This layer has two types of architecture, centralized and distributed (Oliveira et al.,
2021). Centralized means that there is only one controller that controls and configures
the whole network. Examples of centralized controllers are RYU, POX, NOX, Floodlight
and OpenDaylight. Distributed means that the controller is not centralized in nature and
there are multiple instances of the controller, so that if one controller is busy then
another controller is used. Multiple architectures are available for distributed SDN
controllers, but the most well-known one is the master-slave architecture (Espinel
Sarmiento et al., 2021). Examples of distributed SDN controllers are DISCO, ONOS and
RUNOS.

1.3.3 Data Plane

This is the plane where the actual routing takes place. It comprises OpenFlow
switches connected to the end-user devices and the controller. These switches have no
decision power of their own; they rely on the decisions made by the control plane, which
makes the configuration of the network easier. These switches are capable of behaving
as layer 3 switches but depend on the control plane configuration, and the control plane
also controls how they behave. This plane interacts with the control plane using the
Southbound Interface and holds the flow rules installed by the control plane. If traffic
arrives that matches none of the installed rules, it is forwarded to the SDN controller
(Abbasi et al., 2022).
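
The flow-rule and table-miss behaviour described for the data and control planes, as an added example in Python (not code from the thesis): a constructed model in which a switch forwards only what its installed rules match and punts everything else to the controller, which decides and installs a rule. The class names and the (src_ip, dst_ip) match key are my simplifications; a real OpenFlow match covers many more header fields.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Match = Tuple[str, str]  # (src_ip, dst_ip); simplified match key for this model


@dataclass
class FlowRule:
    match: Match
    action: str        # "out:<port>" or "drop"
    priority: int = 1
    packets: int = 0   # per-rule hit counter, as a switch keeps


class Switch:
    """Data plane: forwards only what an installed rule matches; anything else is a packet-in."""

    def __init__(self, controller: "Controller") -> None:
        self.rules: List[FlowRule] = []
        self.controller = controller
        self.packet_ins = 0   # packets that had to go up the southbound interface

    def install(self, rule: FlowRule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)  # highest priority first

    def handle(self, src_ip: str, dst_ip: str) -> str:
        for rule in self.rules:
            if rule.match == (src_ip, dst_ip):
                rule.packets += 1
                return rule.action
        self.packet_ins += 1  # table miss: the switch cannot decide on its own
        return self.controller.packet_in(self, src_ip, dst_ip)


class Controller:
    """Control plane: the single decision point; every decision is pushed down as a rule."""

    def __init__(self, host_port: Dict[str, int], blocked: Set[str]) -> None:
        self.host_port = host_port  # learnt topology: host IP -> switch port
        self.blocked = blocked      # hosts an IDPS module has blacklisted (constructed)

    def packet_in(self, sw: Switch, src_ip: str, dst_ip: str) -> str:
        if src_ip in self.blocked or dst_ip not in self.host_port:
            action = "drop"
        else:
            action = f"out:{self.host_port[dst_ip]}"
        # Install the decision so later packets of this flow never reach the controller.
        sw.install(FlowRule((src_ip, dst_ip), action, priority=2 if action == "drop" else 1))
        return action

    def block_host(self, sw: Switch, ip: str) -> None:
        """Reconfigure from the single point: higher-priority drop rules override old ones."""
        self.blocked.add(ip)
        for dst in self.host_port:
            sw.install(FlowRule((ip, dst), "drop", priority=2))


def run_demo() -> Tuple[List[str], int]:
    """Returns the action taken per packet and how many packets reached the controller."""
    ctl = Controller({"10.0.0.1": 1, "10.0.0.2": 2}, blocked={"10.0.0.9"})
    sw = Switch(ctl)
    actions = [sw.handle("10.0.0.1", "10.0.0.2"),   # miss -> controller -> out:2, rule installed
               sw.handle("10.0.0.1", "10.0.0.2"),   # hit on the installed rule, no packet-in
               sw.handle("10.0.0.9", "10.0.0.2"),   # miss -> blacklisted source -> drop rule
               sw.handle("10.0.0.9", "10.0.0.2")]   # hit on the drop rule
    ctl.block_host(sw, "10.0.0.1")                   # policy change made at the controller only
    actions.append(sw.handle("10.0.0.1", "10.0.0.2"))  # dropped by the new rule, no packet-in
    actions.append(sw.handle("10.0.0.2", "10.0.0.1"))  # new flow -> miss -> out:1
    return actions, sw.packet_ins


if __name__ == "__main__":
    acts, misses = run_demo()
    print(acts, "packet-ins:", misses)
```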

1.4 SDN AND CYBER SECURITY

As discussed, SDN gives a central configuration point to the whole network, and in
industrial networks the configuration of the network becomes very easy. Many
cyber-attacks can be easily mitigated using this approach, but at the same time several
other threats become easier. First of all, intrusion into the network is made easier,
because there is only one point where the ARP cache needs to be corrupted for the
intrusion to succeed. Secondly, the threat of DoS and DDoS attacks remains the same as
before. As discussed before, these attacks are not caused by the user's fault; they are
caused by the network administrator's fault. This means that these attacks can only be
mitigated by enhancing the security configuration at the control plane.

The programmable interface of SDN makes it easier for the network administrator
to configure and evolve the configuration of the network. The programmable interface
also means that there are unlimited possibilities for customizing the network
configuration, which indicates that any type of mitigation approach can be implemented
on the controller easily.

In the case of intrusion into the network, ARP cache poisoning or ARP spoofing must
be stopped. There are three different types of ARP spoofing attack: the ARP REQUEST
attack, where the ARP REQUEST packet carries the malicious information; the ARP
REPLY attack, where the ARP REPLY carries the malicious information; and the ARP
REPLY DESTINATION attack, where the destination address(es) of the ARP REPLY
packet are malicious. Ordinary ARP packets are used for MAC address spoofing, whereas
the Reverse Address Resolution Protocol (RARP) is mainly used for IP address spoofing.
ARP spoofing means one or both at a time. When the intruder performs both IP and MAC
address spoofing, he becomes invisible, as both of his addresses in the ARP cache are
fake. This requires a very effective IDPS.
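
The three ARP spoofing attack types above, checked at the SDN controller against a trusted IP-to-MAC binding table, as an added example in Python (not the thesis's own code). The binding table (e.g. learnt from DHCP), the check that the Ethernet source MAC agrees with the ARP sender MAC, and the blacklisting of a source MAC after its first bad frame are my assumptions, not something the thesis specifies; the sample frames are constructed.

```python
"""Added example (not the thesis's code): a controller-side ARP IDPS check.
Assumed here, not stated on the page: a trusted IP->MAC binding table at the
controller, and blacklisting of a source MAC after its first bad frame."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str
    eth_dst: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp_frame(raw: bytes) -> Optional[ArpFrame]:
    """Decode Ethernet II + IPv4-over-Ethernet ARP; None if the frame is not ARP."""
    if len(raw) < 42:
        return None
    (eth_type,) = struct.unpack("!H", raw[12:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", raw[14:22])
    if eth_type != ETH_TYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(_mac(raw[6:12]), _mac(raw[0:6]), op, _mac(raw[22:28]),
                    _ip(raw[28:32]), _mac(raw[32:38]), _ip(raw[38:42]))


def build_arp_frame(eth_src: str, eth_dst: str, op: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Encode a frame; used only to construct the sample input below."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETH_TYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


def classify(f: ArpFrame, bindings: Dict[str, str]) -> str:
    """Label one ARP frame against the trusted IP->MAC bindings:
    FRAME_MISMATCH if the Ethernet source MAC differs from the ARP sender MAC;
    ARP_REQUEST_ATTACK / ARP_REPLY_ATTACK if the sender IP/MAC pair (the fields
    that poison a cache) does not match the binding; ARP_REPLY_DESTINATION_ATTACK
    if a reply's target pair or Ethernet destination does not match the binding
    (strict policy: this also flags broadcast replies)."""
    if f.eth_src != f.sender_mac:
        return "FRAME_MISMATCH"
    if bindings.get(f.sender_ip) != f.sender_mac:
        return "ARP_REQUEST_ATTACK" if f.opcode == ARP_REQUEST else "ARP_REPLY_ATTACK"
    if f.opcode == ARP_REPLY and (bindings.get(f.target_ip) != f.target_mac
                                  or f.eth_dst != f.target_mac):
        return "ARP_REPLY_DESTINATION_ATTACK"
    return "PASS"


class ArpIdps:
    """Stateful wrapper: a source MAC is blacklisted after its first bad frame."""

    def __init__(self, bindings: Dict[str, str]) -> None:
        self.bindings = dict(bindings)
        self.blacklist: Set[str] = set()

    def inspect(self, raw: bytes) -> str:
        f = parse_arp_frame(raw)
        if f is None:
            return "NOT_ARP"
        if f.eth_src in self.blacklist:
            return "BLACKLISTED"
        verdict = classify(f, self.bindings)
        if verdict != "PASS":
            self.blacklist.add(f.eth_src)
        return verdict


# Constructed sample network: two trusted hosts (h1, h2) and one attacker MAC.
H1, H2, ATK = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:aa"
BINDINGS = {"10.0.0.1": H1, "10.0.0.2": H2}
SAMPLES: List[Tuple[str, bytes]] = [
    ("legit request", build_arp_frame(H1, BROADCAST, ARP_REQUEST, H1, "10.0.0.1", ZERO_MAC, "10.0.0.2")),
    ("legit reply", build_arp_frame(H2, H1, ARP_REPLY, H2, "10.0.0.2", H1, "10.0.0.1")),
    ("request attack", build_arp_frame(ATK, BROADCAST, ARP_REQUEST, ATK, "10.0.0.1", ZERO_MAC, "10.0.0.2")),
    ("reply attack", build_arp_frame(ATK, H2, ARP_REPLY, ATK, "10.0.0.1", H2, "10.0.0.2")),
    ("reply dst attack", build_arp_frame(H1, ATK, ARP_REPLY, H1, "10.0.0.1", ATK, "10.0.0.2")),
    ("frame mismatch", build_arp_frame(ATK, H2, ARP_REPLY, H1, "10.0.0.1", H2, "10.0.0.2")),
]


def classify_samples() -> List[str]:
    """Stateless verdict per sample frame."""
    return [classify(parse_arp_frame(raw), BINDINGS) for _, raw in SAMPLES]


def run_idps() -> List[str]:
    """Same frames through the stateful IDPS, so blacklisting takes effect."""
    idps = ArpIdps(BINDINGS)
    return [idps.inspect(raw) for _, raw in SAMPLES]
```

Running `classify_samples()` next to `run_idps()` shows the difference the blacklist makes: once the attacker MAC has sent one bad frame, its later frames are rejected without being classified at all.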

In the case of a DDoS attack, mitigation becomes very difficult because, in the case
of flooding, the individual packets are not malicious in themselves. For this reason, the
attack must be detected as quickly as possible, because the longer the delay, the higher
the chance that the network resources will be exhausted.

RESEARCH CONTRIBUTIONS

This research proposes a new and extensive IDPS against ARP spoofing attacks that
checks not only MAC address but also IP address corruption in the ARP cache of the
SDN controller. The proposed IDPS works as a module of the SDN controller instead of
as an application. For DDoS mitigation, a few artificial intelligence models are trained
and deployed on the SDN controller to obtain results. Those models include the Naïve
Bayes classifier, Bayesian Network, Naïve Bayes Trees, Best First Decision Tree and
KNN. The results are then compared in terms of both mitigation time and accuracy. This
model is also deployed as a module of the SDN controller instead of being run as an
application, which helps in reducing the mitigation time and enhancing the performance
of the models. The abstract view of the proposed approach is given in Figure 1.3.

Figure 1.3: Abstract view of proposed strategy

CHAPTER 2

LITERATURE REVIEW

So far it has been discussed which attacks this research is going to mitigate, and a
basic idea of how the mitigation will be performed has been given. This chapter now
discusses what work has already been done and then analyzes what else needs to be
done.

2.1 STATE-OF-THE-ART APPROACHES

Girdler and Vassilakis (2021) proposed an IDPS against ARP spoofing attacks; this
IDPS matches the MAC addresses of the ARP packet and of the Ethernet frame in which
the ARP packet is encapsulated. This technique has a very high accuracy rate, but it
could be improved if the current ARP table at the SDN controller were also checked for
whether an entry with the same IP or MAC already exists.

Tchendji et al. (2021) proposed an ARP spoofing attack mitigation protocol; they used
a variation of the Naïve Bayes algorithm named Efficient Bayes Based Security Protocol
(E2BaSeP). This protocol was designed by changing the formula of the Naïve Bayes
algorithm and was used for malicious packet classification. In addition, they checked the
current ARP table at the SDN controller for whether the IP or MAC address from the
incoming ARP packet already exists. If the IP or MAC address pair already exists in the
ARP cache, the packet is dropped. Although this is a very good technique, it could be
improved if they also checked the MAC addresses of the incoming ARP packet against
the Ethernet frame encapsulating it.

Rangisetti et al. (2021) proposed a module that listens to DHCP signals, LINK UP and
LINK DOWN signals, and ARP packets to verify the authenticity of the sender. Their
module saves a copy of the DHCP data and then checks the data from the ARP packet
against the DHCP packet; if the ARP packet data matches, the packet is passed, otherwise
it is dropped. Their approach is very effective in detecting and preventing ARP spoofing
attacks, but the wrapping Ethernet frame needs to be checked as well.

Aldabbas and Amin (2021) proposed a topology listener that keeps a record of the
nodes in the network. The first check applied is whether the IP addresses of the ARP
packet belong to the network; if they do not, the packet is dropped. Then the IP-MAC
table is checked for the entry from the ARP packet. If the entry is found, the packet is
dropped and the node that originated the packet is blacklisted for a fixed amount of time.
Their approach is good and has impressive control over ARP spoofing attacks, but it
could be improved if they also checked the MAC addresses of the incoming ARP packet
and the Ethernet frame encapsulating it.

Darwesh et al. (2021) proposed an approach for mitigating ARP poisoning attacks by
adding a new module to the POX controller. Their module checks the Ethernet frame
wrapping the ARP packet; if the MAC address differs, the packet is dropped and the
switch port is blocked for some time. The switch also saves a flow rule for the packet and
drops all ARP packets with similar information. One more thing their approach does is
that no node is allowed to set its IP address manually; only the DHCP server is used.

Sahay et al. (2019) proposed an approach to defend a ship's network architecture using
SDN. They converted a traditional architecture to a software-defined architecture and
proposed a successful approach to mitigate ARP spoofing attacks, but the approach uses
a centralized controller; if for some reason the controller goes down, the whole network
goes down. This problem can be solved by using distributed controllers.

Babiceanu and Seker (2019) proposed a cyber resilience technique to mitigate DDoS
attacks. The system shows some flexibility: when the number of input packets exceeds
the server capacity, some virtual servers are created to respond to the packets. However,
this approach has very low accuracy due to an imbalanced dataset; the results could be
improved by using new and updated datasets.

Tuan et al. (2020) proposed a DDoS mitigation technique that uses the KNN algorithm
for the classification of malicious packets. They tried to do the mitigation at the control
plane of the SDN architecture instead of the application layer. This really helped in
improving the latency, but the dataset used was very old. The technique would fail if
implemented in a real-life scenario because KNN is a lazy algorithm.

Badotra and Panda (2021) proposed a DDoS attack mitigation technique that uses SVM
for classification. They were successful in mitigating the DDoS attack and their
technique achieved a good accuracy score, but their approach was very slow and creates
high latency, which is problematic in industrial networks; the problem could be solved
by replacing SVM with some other machine learning approach.

Gadze et al. (2021) investigated different machine learning and artificial intelligence
approaches for mitigating DDoS attacks. In their research they generated a new dataset,
then applied Naïve Bayes, KNN, SVM, ANN, CNN and RNN, and compared the results
obtained from all of these approaches. The end result is that CNN outperformed every
other approach and gave the best latency and the quickest attack detection time.

Tan et al. (2020) proposed a security framework for the detection and mitigation of
DDoS attacks. They applied K-means clustering on the incoming traffic prior to applying
the KNN algorithm for classification. This helped them to filter out useless data and
improve the accuracy to 98.8%, but their approach also affected the latency very badly;
the latency increased by a huge margin.

The authors worked on both ARP spoofing and DDoS attack mitigation approaches (Jamil et al., 2022). They used the ARP table at the SDN controller and a topology checker to mitigate the attacks, but they did not check the IP address, only the MAC address, and the checks applied are very limited. In the case of the DDoS attack, the mitigation time was reduced, but they did not discuss the accuracy of the approach, which is the key parameter of any algorithm. Secondly, the result graph shows that the mitigation time fluctuates too much; their approach is not stable enough to be implemented in a real-life scenario.

The authors proposed an approach that uses the SDN data plane for ARP mitigation instead of the control plane (Buzura et al., 2022). Their approach has four modules: the first monitors and regulates traffic, the second collects traffic, the third analyzes traffic, and the last decides whether to drop or forward the packet. The only check they apply is against the ARP table at the SDN controller; nothing else is checked, so the methodology is very limited and weak.

The authors proposed a data plane development kit for SDN and a DDoS attack detection approach named D3 (Varghese & Muniyal, 2021). Theirs is a hybrid approach that uses both the data and control planes to speed up detection and mitigation of the attack, with statistical anomaly detection used for attack detection. The approach reduced the latency and improved the throughput, but its accuracy is comparatively very low.

The authors proposed a resilience algorithm that helps the servers keep working even under DDoS attack (Haque et al., 2022). They proposed a master-slave distributed controller architecture for SDN-based industrial networks, where the additional controller helps the network process the excessive number of requests. They used a DDoS Attack Aware SDN Smart Controller Placement Algorithm for the server placement. The parameter they used is the monetary cost, because adding multiple controllers increases the cost. Their analysis shows that the throughput of the network stays stable as the number of controllers increases, but the cost grows with it.

The authors proposed a Network Function Virtualization based shield against the DDoS attack on the SDN control plane (Chen et al., 2022). Their approach uses virtual OpenFlow switches along with physical ones. This increases the number of switches and decreases the chance of a bottleneck in the network, which also reduces the chance of a DDoS attack on the network succeeding. The approach improved the throughput and greatly reduced the response time of the servers and other devices. However, since virtual switches are used, this increases the load on the CPU and RAM of the controller, which is already busy handling OpenFlow messages.

In another approach, the authors integrated a Stacked Sparse Auto Encoder (SSAE) for feature selection with SVM for classification (Long & Jinsong, 2022). This improved the accuracy and enhanced the throughput, but as SSAE is a back-propagation algorithm it requires a lot of time to complete the task. This impacts the detection and mitigation time of the DDoS attack: it takes more than a minute just to detect the attack and even longer to mitigate it.

In this approach, the authors proposed an SDN-based DDoS detection approach (Dobrin & Dimiter, 2021). They set a threshold for particular message types, namely TCP-SYN, TCP-SYN-ACK, UDP and ICMP packets: if the number of packets per minute exceeded the threshold, all packets of that type were dropped for some specific time. This approach is good and bad at the same time: the attack was mitigated and the response time and throughput of the network also improved, but the rate of false positives is very high. This means that their approach classifies legitimate traffic as a DDoS attack as well.

These authors proposed a statistics-based early DDoS attack detection mechanism (Shohani et al., 2021). They used Linear Regression to identify the target of the DDoS attack. Their approach takes the traffic of each node in the network as input and, on the basis of previous traffic, predicts whether the node will be attacked or not. This approach is very useful in industrial networks as its accuracy is appreciable and the mitigation time is also optimal. However, the approach fails miserably when the attack does not follow the learned pattern.

These authors surveyed how secure SDN is, what the challenges are and what solutions are available (Yurekten & Demirci, 2021). Their survey shows that every ARP spoofing approach has limited functionality that should be extended.

TABULAR ANALYSIS OF LITERATURE REVIEW

First, the comparison of ARP spoofing attack mitigation approaches is given in Table 2.1. The comparison shows that every approach has limited functionality and needs to be expanded. This indicates the first problem: there is a need for better and more extensive flow rules to be installed at the OpenFlow switches to mitigate the ARP spoofing attack.
Table 2.1: Comparison of ARP spoofing attack approaches

Reference | Contribution | Limitation
(Girdler & Vassilakis, 2021) | Checked ARP packet and Ethernet frame; black and whitelists also checked | Did not check the ARP table at SDN controller; no methodology for IP address
(Tchendji et al., 2021) | Checked ARP table at SDN controller | Did not check Ethernet frame; no checks on IP address
(Rangisetti et al., 2021) | Checked DHCP and ARP table at SDN controller | Ethernet frame not checked
(Aldabbas & Amin, 2021) | Checked DHCP and ARP table at SDN controller | Ethernet frame not checked
(Darwesh et al., 2021) | Checked Ethernet frame and DHCP table | ARP table at SDN controller not checked
(Sahay et al., 2019) | Checked DHCP and ARP table at SDN controller | Ethernet frame not checked
(Jamil et al., 2022) | Only ARP table at SDN controller checked | Ethernet frame not checked; no checks for IP address
(Buzura et al., 2022) | Combined control plane and data plane; ARP table at SDN controller checked | Ethernet frame not checked; no checks for IP address

In the case of the DDoS attack, work on it started long ago, but many weaknesses still remain. The comparison of DDoS attack mitigation approaches is given in Table 2.2. This analysis will help in producing an accurate problem statement.

Table 2.2: Comparison of DDoS attack mitigation approaches

Reference | Contribution | Limitation
(Babiceanu & Seker, 2019) | Added resilience to the system; the system kept working even under DDoS attack | Low accuracy due to imbalanced dataset; secondly, a lazy classifier is used
(Tuan et al., 2020) | Applied KNN classifier | KNN is a lazy algorithm and does not perform well on a large dataset
(Badotra & Panda, 2021) | Applied SVM classifier | Performance goes down rapidly with increase in dataset size
(Gadze et al., 2021) | Executed and reviewed the performance of well-known classifiers; CNN had the best performance | The dataset used was very old and needs to be changed
(Tan et al., 2020) | Applied K-means clustering and KNN | Both are lazy algorithms
(Varghese & Muniyal, 2021) | Statistical anomaly detection applied together with another extensive approach | High complexity resulting in high mitigation time
(Haque et al., 2022) | Master-slave controller architecture under DDoS attack | A lot of cost and cabling is required for implementation
(Long & Jinsong, 2022) | Stacked Sparse Auto Encoder and SVM used | Both algorithms do not perform well on a large dataset

The analysis of the DDoS attack reveals another problem: there is a need for an approach that improves all three parameters, i.e. accuracy, mitigation time and throughput.

PROBLEM STATEMENT

Industrial networks are more likely to suffer cyber-attacks because they hold highly confidential data, and the damage there is much higher compared to an attack on a personal network. In industrial networks it has been noted that DDoS and ARP spoofing attacks are still very successful because the current mitigation techniques lag in terms of latency, accuracy and throughput. For this reason, a new strategy for mitigating these attacks using the SDN platform is proposed.

RESEARCH OBJECTIVES

This research has the following objectives.

1. To identify the limitations in current mitigation strategies.

2. To propose a DDoS and ARP spoofing attack mitigation strategy using the SDN controller.

3. To evaluate the proposed strategy at industrial level.

EXPECTED OUTCOME

The proposed strategy filters the malicious packets, so the expected outcome is that the malicious packets are filtered and the industrial network remains secure from DDoS and ARP spoofing attacks. This is shown in Figure 2.1.

Figure 2.1 Expected Outcome

CHAPTER 3

PROPOSED STRATEGY

So far, the research gap, the research objectives, the exact problem to solve and the expected outcome of this research have been discussed. This chapter discusses how the problem will be solved.

ARP SPOOFING ATTACKS MITIGATION

As discussed above, an ARP spoofing attack corrupts the ARP cache. This means that the ARP REQUEST or ARP REPLY packets carry false addresses, and a corrupt IP-MAC pair gets added to the ARP table at the SDN controller. ARP is used to query a device for its MAC address and RARP is used to query a device for its IP address; both can be used to poison the ARP cache. The corrupted ARP cache makes the router, or in the case of this research the SDN controller, think that a device is someone it is not. To get a better understanding of the ARP spoofing attack and its possible results, Scenarios 1, 2 and 3 below visualize the attack.

3.1.1 Scenario 1: Intruding in the Network When User is Blacklisted

Let's say there is a user whose MAC address is blacklisted on the network and who is trying to connect to the network by corrupting the entries of the ARP table at the SDN controller. This scenario is demonstrated in Figure 3.1. Host 4 is the attacker node trying to intrude into the network even though its MAC address is blacklisted. The attacker may have very malicious intentions, and after the intrusion irrecoverable damage can be expected: the user may access the data on the server, flood the network with bogus traffic making it busy and unusable by other users, and many more possibilities exist. In an industrial network where highly confidential data is stored, this intrusion can be disastrous. For example, in a university campus network an intrusion of this type has the malicious intention to access and manipulate the data saved on the servers, or to leak the personal information of students and employees stored there. That leaked personal information can be used for anything. There has to be some mechanism implemented in the SDN controller for the detection and prevention of this attack.

Figure 3.1: Intruder intruding in blacklisted network

3.1.2 Scenario 2: Intruding in the Whitelisted Network

This scenario is similar to Scenario 1. Let's say there is a network where only whitelisted MAC addresses can access the network. An intruder wants to intrude on the network but his MAC address is not whitelisted, so he tries to corrupt the ARP table at the SDN controller, as shown in Figure 3.2. As in Scenario 1, host 4 is the attacker trying to intrude into the network. In industry these networks are normally found in server rooms, where not only network intrusion but also physical intrusion is very dangerous. If his intrusion succeeds, he may be able to cause irrecoverable damage to the network and the network resources. If this type of intrusion happened in an industrial network, for example in the network of a public sector organization that holds data about the citizens of a country, it could cause major data leaks and could also manipulate the data on the servers (Clavorà & Vallettiabc, 2016). To prevent this, there has to be some mechanism implemented at the SDN controller for the detection and prevention of this behavior.

Figure 3.2: An intruder is intruding in the whitelisted network

3.1.3 Scenario 3 Man in the Middle Attack

The third scenario is a bit different from the previous ones: it demonstrates the man in the middle attack, in which the intruder behaves like someone he is not. For instance, as shown in Figure 3.3, the intruder behaves like the SDN controller or OpenFlow switch towards Host 2, and like Host 2 towards the SDN controller or OpenFlow switch. This can also be done easily using ARP poisoning or spoofing (Sebbar et al., 2018). The attack is performed by sending a malicious address in the ARP REPLY packet, which corrupts the ARP cache/table of both the controller and the host. The attacker in this scenario has performed both MAC and IP spoofing and behaves differently to different nodes. In this scenario the attacker can not only sniff the information being communicated but can also manipulate it. In the SDN scenario the SDN controller behaves as the router, so if the victim is connected to the internet the attacker controls every flow of traffic and can decide what the victim will see and what he will not. In industrial networks this attack can have catastrophic results. There has to be some mechanism in the SDN controller to prevent this type of attack and avoid the damage.

Figure 3.3: Man in the middle attack

3.1.4 Mitigation Strategy

As discussed in the first chapter, an extensive IDPS is proposed against the ARP spoofing attack. The proposed IDPS has two modules, one for checking IP addresses and the second for checking MAC addresses. Alongside these modules, the ARP cache at the SDN controller is turned into a permanent ARP table at the SDN controller, because cache memory is volatile and gets erased over time. The SDN controller also behaves as the DHCP server, and only DHCP-assigned IPs are able to communicate; for this purpose a DHCP table is also maintained at the SDN controller. Flow rules for ARP and DHCP packets are never installed by the SDN controller, to make sure that these packets are always redirected to the SDN controller. As soon as a new IP address is added, an ARP REQUEST packet is sent to the new IP address, and both the IP and MAC address scanning modules then scan the ARP REPLY packet. Similarly, if an IP address gets disconnected its ARP entry is also deleted. The strategy is shown in Figure 3.4.

The IP address and MAC address scanning modules work one after the other and check the ARP packet for possible malicious information. If either module drops the packet, the packet is dropped by the SDN controller; otherwise the packet is forwarded.

Three types of ARP spoofing attack are mitigated using this methodology: the ARP REQUEST attack, the ARP REPLY attack, and the ARP REPLY DESTINATION attack. An ARP REQUEST attack is when the ARP REQUEST packet is corrupted, an ARP REPLY attack is when the ARP REPLY has malicious information, and an ARP REPLY DESTINATION attack is when the destination addresses in the ARP REPLY packet are corrupted.

Figure 3.4: Abstract Mitigation strategy for IDPS against ARP spoofing attack

3.1.4.1 IP address scanning module

This module scans the IP addresses of the ARP packet using the following checks.

1. If the sender or receiver IP address on the ARP packet does not exist in the DHCP table, then the packet will be dropped; if it does exist, it will be forwarded.

2. If the sender or receiver IP address already exists with a different MAC address in the ARP table at the SDN controller, then the packet will be dropped; otherwise it will be forwarded.

3. If the sender and receiver IP addresses are in the IP whitelist, then the packet will be processed; if they are not, the packet will be forwarded.

4. If the sender or receiver IP address is on the IP blacklist, then the packet will be dropped; if not, the packet will be forwarded.

The checks are also demonstrated in Figure 3.5. They minimize the chances of IP address spoofing and of the man in the middle attack. IP spoofing combined with MAC spoofing creates a risky situation where the attacker gets a complete IP-MAC disguise and becomes invisible; this invisibility can result in a huge loss to the network owners.

Figure 3.5: Detailed methodology of IP address scanning module

3.1.4.2 MAC address scanning module

Similar to the IP address scanning module, this module scans the MAC addresses of the ARP packet and of the Ethernet frame encapsulating it. The checks are as follows.

1. If the sender or receiver MAC address on the ARP packet does not appear in the Ethernet frame, then the packet will be dropped; if it does, it will be forwarded.

2. If the sender or receiver MAC address already exists with a different IP address in the ARP table at the SDN controller, then the packet will be dropped; otherwise it will be forwarded.

3. If the sender and receiver MAC addresses are in the MAC whitelist, then the packet will be processed; if they are not, the packet will be dropped.

4. If the sender or receiver MAC address is on the MAC blacklist, then the packet will be dropped; if not, the packet will be forwarded.

The checks are also demonstrated in Figure 3.6. These checks will minimize the
chances of MAC address spoofing and man-in-the-middle attack as discussed in
scenarios 1, 2, and 3.

Figure 3.6: Detailed methodology of MAC address scanning module

Both modules work together to minimize the chances of intrusion into the network, making it almost impossible to intrude using ARP spoofing and poisoning attacks. This extensive methodology covers all the checks that were left out of the previous approaches, as discussed in chapter 4. This makes the proposed IDPS special. The major contribution of this IDPS is that the SDN controller itself sends the message back and the checks are applied to both IP and MAC addresses.

DDOS ATTACK MITIGATION

The DDoS attack is performed by sending a huge number of requests to a network resource, as discussed above. The major targets of this attack are web servers, as they are comparatively easily accessible from all over the world. A DDoS attack can be performed in multiple ways; its goal is to exhaust the resources of the server and make it so busy that it starts denying the service it was providing.

To perform a DDoS attack, the attacker first creates a botnet of multiple computers in the network that wait to receive the signal from the attacker to flood the target server with bogus and broken requests. The botnet is a network of computers infected by the attacker so that they follow the attacker's orders: the attacker signals them to flood the target server and they start sending packets in abundance.

3.2.1 Types of DDOS Attack

There are two major types of DDoS attack, flooding and Slowloris. Both have the common goal of forcing the server to deny its services.

3.2.1.1 Flooding

This type of attack is performed by flooding the server with ICMP, UDP or TCP-SYN packets. The number of requests increases to such an extent that the buffer of the server overflows and it starts denying service to multiple users. The huge number of requests also occupies the bandwidth of the server. The payload of these packets is also intentionally increased by a great extent, which helps the attacker occupy the bandwidth of the attacked network and fill the buffer of the target server. The high number of requests keeps the server busy, and the altered flags and parameters of the packets exhaust the resources of the server and force it to deny its services. This means that the server halts, user requests remain unattended and the server stops providing its services.

3.2.1.2 Slowloris

This type of attack is performed by sending incomplete HTTPS requests; the server waits for their completion, but the requests never get completed. This attack is performed on highly targeted web pages. The web server goes down when the number of incomplete requests exceeds a limit.

3.2.2 Purpose of DDoS attack

This attack is not performed to gain any access but to force the server to deny its services. It is performed by potential competitors to gain a little edge, new script kiddies do it for fun, and in cyber warfare a few governments fund this type of attack on rivals' websites to raise frustration. The ultimate consequence of this attack is loss of business, revenue and reputation; once the reputation of an organization is affected, it becomes very difficult to regain the trust of the customers.

3.2.3 Dataset

The dataset used in this research is a traffic capture of a Mininet tree topology simulation (Housman et al., 2020). The tree topology of Mininet reflects the connection pattern used in industrial data centers. The dataset has 4 servers in the Mininet topology, with the other hosts accessing the services from the servers. The dataset has a total of 25 features. The parameters captured are the packet protocol, packet size, payload size, packet sequence number, packet header size, sending and receiving IP, and sending and receiving port. All these features are captured and used for classification. For classification purposes there are 6 labels, three of them malicious and 3 of them benign; each class has 100 thousand network packets captured, which means that the dataset is balanced. A balanced dataset makes sure that the artificial intelligence model learns every class equally, which helps in better classification. The dataset is already divided into test and train parts: 70% of the dataset is in the train part and the remaining 30% is in the test part.

3.2.4 Mitigation Strategy

To mitigate the DDoS attack, multiple artificial intelligence algorithms are used and the best one is found. As discussed, the DDoS attack is performed by sending a series of different types of packets towards the target server in abundance. This suggests that there is a Bayesian, conditional-probabilistic relation within the data. For this reason, this research uses the Bayesian Network for the classification of normal and malicious packets, and the results are then compared with other algorithms such as Naïve Bayes, Artificial Neural Network (ANN), Support Vector Machine (SVM), K Nearest Neighbor (KNN), Decision Tree, Random Forest and Extreme Gradient Boost.

To implement the DDoS mitigation approach using artificial intelligence, the following steps are taken; these steps are demonstrated in Figure 3.7.

Figure 3.7: DDoS attack mitigation block diagram

3.2.4.1 Bayesian network

A Bayesian network is a supervised machine learning classifier that uses Bayes' theorem. It is a probabilistic graphical classifying model that represents knowledge about some unknown class. The nodes of the graph that forms the knowledge represent the features of the random classes, and the edges represent the conditional probabilities. This means that the classifier knows what has happened and finds the probability that, if event A has happened, event B will occur. The mathematical formula for finding this probability is given in equation (1). After finding the conditional probability of every event, it predicts the event with the highest probability; the event in this case is the class name to be predicted. This means that this classifier can be used where the data is in a conditional-probabilistic format.

$P(A|B) = \frac{P(B|A)\,P(A)}{P(B)}$ (1)

3.2.4.2 Naïve Bayes

Naïve Bayes is also a supervised probabilistic machine learning classifier with the similar goal of predicting the correct class on the basis of the training data provided. It also uses the Bayesian network for finding the probabilities, but the difference is that Naïve Bayes assumes that the classes are conditionally independent, whereas the Bayesian network does not make any such assumption.
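As an added example that is not part of the thesis, equation (1) is applied here as a Naïve Bayes classifier over a constructed, balanced packet capture whose features follow section 3.2.3 (protocol, TCP flags, payload size bucket, destination port); the six label names, the records, the noise rate and the 70/30 split are all assumptions made for this example.

```python
"""Added example, not the thesis's code: equation (1) applied as a Naive Bayes
classifier over packet records built from section 3.2.3 features (protocol,
TCP flags, payload size bucket, destination port). The six labels, the
records and the 70/30 split are all constructed here."""
import math
import random
from collections import Counter, defaultdict

FEATURES = ("proto", "flags", "size", "dport")

# label -> allowed values per feature; three benign and three flood classes
PROFILES = {
    "web":        dict(proto=["TCP"],  flags=["ACK", "PSH-ACK"], size=["small", "large"], dport=[80, 443]),
    "dns":        dict(proto=["UDP"],  flags=["-"],   size=["small"], dport=[53]),
    "ping":       dict(proto=["ICMP"], flags=["-"],   size=["small"], dport=[0]),
    "syn_flood":  dict(proto=["TCP"],  flags=["SYN"], size=["small"], dport=[80, 443]),
    "udp_flood":  dict(proto=["UDP"],  flags=["-"],   size=["large"], dport=[53, 123, 1900]),
    "icmp_flood": dict(proto=["ICMP"], flags=["-"],   size=["large"], dport=[0]),
}

def make_packets(n_per_class: int, seed: int = 7):
    """Balanced constructed capture (equal packets per label, as in 3.2.3);
    10% of the packets get one feature replaced by an arbitrary value."""
    rng = random.Random(seed)
    all_values = {f: sorted({v for p in PROFILES.values() for v in p[f]}) for f in FEATURES}
    records, labels = [], []
    for label, prof in PROFILES.items():
        for _ in range(n_per_class):
            rec = {f: rng.choice(prof[f]) for f in FEATURES}
            if rng.random() < 0.1:
                f = rng.choice(FEATURES)
                rec[f] = rng.choice(all_values[f])
            records.append(rec)
            labels.append(label)
    return records, labels

class NaiveBayes:
    """Equation (1) per class A, with the packet x = (x_1..x_n) as evidence B and
    the Naive Bayes assumption P(B|A) = prod_i P(x_i|A); counts are Laplace-smoothed."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.class_count = Counter()              # A -> number of training packets
        self.feat_count = defaultdict(Counter)    # (feature, A) -> value counts
        self.values = defaultdict(set)            # feature -> values seen in training

    def fit(self, records, labels):
        for x, y in zip(records, labels):
            self.class_count[y] += 1
            for f in FEATURES:
                self.feat_count[(f, y)][x[f]] += 1
                self.values[f].add(x[f])
        return self

    def posterior(self, x) -> dict:
        """P(A|B) for every class A: equation (1), with P(B) obtained by
        normalising the numerators P(B|A)P(A) over all classes."""
        total = sum(self.class_count.values())
        logp = {}
        for y, n in self.class_count.items():
            lp = math.log(n / total)                                   # log P(A)
            for f in FEATURES:                                         # log P(B|A)
                c = self.feat_count[(f, y)]
                lp += math.log((c[x[f]] + self.alpha) /
                               (n + self.alpha * len(self.values[f])))
            logp[y] = lp
        m = max(logp.values())                           # shift before exp
        z = sum(math.exp(v - m) for v in logp.values())  # proportional to P(B)
        return {y: math.exp(v - m) / z for y, v in logp.items()}

    def predict(self, x) -> str:
        """The class with the highest posterior, as described in 3.2.4.1."""
        post = self.posterior(x)
        return max(post, key=post.get)

def train_test_split(records, labels, train_frac: float = 0.7, seed: int = 1):
    """Shuffle and split 70/30 like the thesis dataset."""
    idx = list(range(len(records)))
    random.Random(seed).shuffle(idx)
    cut = int(len(idx) * train_frac)
    part = lambda ids: ([records[i] for i in ids], [labels[i] for i in ids])
    return part(idx[:cut]), part(idx[cut:])

def evaluate(n_per_class: int = 200):
    """Train on the 70% part; return (accuracy on the 30% part, fitted model)."""
    records, labels = make_packets(n_per_class)
    (xtr, ytr), (xte, yte) = train_test_split(records, labels)
    clf = NaiveBayes().fit(xtr, ytr)
    hits = sum(clf.predict(x) == y for x, y in zip(xte, yte))
    return hits / len(xte), clf

if __name__ == "__main__":
    acc, model = evaluate()
    print(f"test accuracy: {acc:.3f}")
    print(model.posterior({"proto": "TCP", "flags": "SYN", "size": "small", "dport": 80}))
```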

3.2.4.3 Artificial Neural Network (ANN)

An artificial neural network is a simulation of human-like neurons that makes computers able to learn the way humans learn. These neural networks are created by programming the neurons and interconnecting them. The interconnection between the neurons helps the neural network learn the dataset quickly and also helps it learn the correlations within it; the classification is performed by finding the correlation between the features and the class label. This correlation is then applied to the test data for test classification. Here an artificial neural network is also trained to learn the dataset and classify the network traffic with its respective label.

The ANN used for this purpose has a multi-layer architecture. It has 6 layers in total: first the input layer, then 4 hidden layers, of which the first two have 40% dropout and the last two are fully connected hidden layers, and then the output layer. This is demonstrated in Figure 3.8.

Figure 3.8 ANN layers

3.2.4.4 Support Vector Machine (SVM)

Support Vector Machine (SVM) is a supervised, traditional AI approach. This approach plots the training dataset on a multi-dimensional plane, where the number of dimensions depends on the number of features. After plotting the training dataset, the approach creates a different sub-plane for each class. This means that if there are 6 prediction classes there will be 6 sub-planes, each containing the members of one class only, which makes prediction easier and quicker: when the test data is plotted, the only thing to check is which plane it belongs to.

3.2.4.5 K Nearest Neighbor (KNN)

K Nearest Neighbors (KNN) is a very simple, supervised and lazy artificial intelligence algorithm. This algorithm plots the whole training dataset on a plane whose dimension equals the number of features used for training and testing. This means that with a single feature the plane is one-dimensional, with two features it is two-dimensional, with three features it is three-dimensional, and so on. After the plotting, it plots the test data and finds the K nearest training instances. The predicted class is then the class held by the largest number of those K training instances.

3.2.4.6 Decision tree

The decision tree algorithm is a supervised learning algorithm that classifies data on the basis of how previous events have behaved, which means that the algorithm needs to be fed a training dataset. The approach has the structure of a tree data structure (not necessarily a binary tree): there is a root node, then the decision nodes, and finally the leaf nodes, which are the classification nodes. The tree is traversed according to the test data, with all decisions made using the test data until a leaf node is reached. This can also be imagined as very deeply nested if-else conditions.

3.2.4.7 Random forest

Random Forest is a flexible and easy to use machine learning algorithm. It is a method that builds multiple decision trees at training time and outputs the class that is the mode of the classes or the mean prediction of the trees. Random Forest averages the predictions of a number of predictors, where each tree is based on independently sampled values. Random Forest is best for avoiding the overfitting problem that the decision tree approach has on its training set, because it takes multiple trees, counts the output classes of the individual trees and gives the output with the maximum count. This is similar to the KNN algorithm, where the k closest items are chosen, but in Random Forest multiple decision trees are built instead.

CHAPTER 4

SIMULATIONS AND RESULTS

It has been discussed what the problem is, why it is a problem and how it can be solved. This chapter discusses how the proposed strategy is implemented, what the results are and how they compare to the previous approaches.

SIMULATION FOR ARP SPOOFING ATTACK

The simulation was done using the POX SDN controller integrated with the Mininet SDN simulator. Mininet was installed on the physical machine instead of being used in a VM. The machine used for the simulator has a Core i5 2520M processor and 12 GB of RAM. The topology used has 4 hosts connected in a single topology, as shown in Figure 4.1. Host 5 acts as a server and host 1 acts as the attacker. The l3_learning module of the POX controller is executed. The controller also behaves as the DHCP server using the isc-dhcp-server module of the POX controller. The attacker host has the arpspoof and driftnet tools installed for the attack. The IP configuration of the Mininet network is given in Table 4.1. The POX controller runs on its default port configuration, i.e. 127.0.0.1:6633, and the Mininet remote controller is set to the same address.
Table 4.1: IP configuration of the testing network topology

Device | IP address
Host 1 (Attacker) | 10.0.0.1
Host 2 | 10.0.0.2
Host 3 | 10.0.0.3
Host 4 (Server) | 10.0.0.4
SDN controller | 10.16.49.101

Figure 4.1: Test topology

The implementation monitors PacketIn events. A PacketIn event occurs when a packet does not match any flow entry and is therefore forwarded to the SDN controller. The first rule embedded on the switch is that there is no flow rule for ARP and DHCP packets, which makes sure that all ARP and DHCP packets are forwarded to the controller and makes the controller the data gathering point. After a packet is received, its type is checked first: if it is an ARP REPLY packet, the checks discussed above are applied and the fate of the packet is decided. If it is an ARP REQUEST packet, the checks are applied to the packet and the ARP REPLY packet is generated on the SDN controller using the scapy Python library. If it is a DHCP LINK UP or DHCP LINK DOWN packet, the DHCP and ARP tables at the SDN controller are updated.
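As an added example that is not the thesis's own POX implementation, the IP and MAC address scanning checks of sections 3.1.4.1 and 3.1.4.2 and the PacketIn dispatch described above are written below as plain Python over in-memory tables; the ArpPacket and Controller names, the MAC addresses and the attack packets are constructed, the POX/scapy plumbing is left out, and an empty MAC whitelist is taken to mean that whitelisting is not in use.

```python
"""Added example, not the thesis's own POX/Mininet code: the IP and MAC
address scanning modules (3.1.4.1, 3.1.4.2) and the PacketIn dispatch of 4.1
as plain Python over in-memory tables. The ArpPacket/Controller names and all
MAC addresses are constructed; the IP addresses follow Table 4.1."""
from dataclasses import dataclass, field
from typing import Optional

ARP_REQUEST, ARP_REPLY = 1, 2          # ARP opcodes
UNKNOWN_MAC = "00:00:00:00:00:00"      # target MAC field of an ARP REQUEST
BROADCAST = "ff:ff:ff:ff:ff:ff"
CONTROLLER_IP, CONTROLLER_MAC = "10.16.49.101", "02:00:00:00:00:c1"

@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str
    eth_src: str   # source / destination MACs of the Ethernet
    eth_dst: str   # frame that encapsulates the ARP packet

@dataclass
class Controller:
    """Tables kept at the SDN controller."""
    dhcp_table: set = field(default_factory=set)     # IPs leased by the controller
    arp_table: dict = field(default_factory=dict)    # permanent IP -> MAC table
    ip_blacklist: set = field(default_factory=set)
    mac_whitelist: set = field(default_factory=set)  # assumption: an empty
    mac_blacklist: set = field(default_factory=set)  # whitelist is "not in use"

    def __post_init__(self):
        self.dhcp_table.add(CONTROLLER_IP)              # the controller's own
        self.arp_table[CONTROLLER_IP] = CONTROLLER_MAC  # addresses (assumption)

    # --- 3.1.4.1 IP address scanning module ---------------------------------
    def ip_module(self, p: ArpPacket) -> Optional[str]:
        for ip, mac in ((p.sender_ip, p.sender_mac), (p.target_ip, p.target_mac)):
            if ip not in self.dhcp_table:                              # check 1
                return f"drop: {ip} not leased by DHCP"
            known = self.arp_table.get(ip)                             # check 2
            if known is not None and mac != UNKNOWN_MAC and known != mac:
                return f"drop: {ip} is bound to {known}"
            # check 3 (IP whitelist) forwards whether or not the IP is listed,
            # so it never drops a packet and is omitted here
            if ip in self.ip_blacklist:                                # check 4
                return f"drop: {ip} is blacklisted"
        return None

    # --- 3.1.4.2 MAC address scanning module --------------------------------
    def mac_module(self, p: ArpPacket) -> Optional[str]:
        # check 1: ARP MACs must match the Ethernet frame; a REQUEST carries
        # no target MAC, so only its sender MAC is compared (section 4.1.1)
        if p.sender_mac != p.eth_src:
            return "drop: sender MAC differs from Ethernet source"
        if p.opcode == ARP_REPLY and p.target_mac != p.eth_dst:
            return "drop: target MAC differs from Ethernet destination"
        for mac, ip in ((p.sender_mac, p.sender_ip), (p.target_mac, p.target_ip)):
            if mac == UNKNOWN_MAC:
                continue
            bound = [i for i, m in self.arp_table.items() if m == mac]
            if bound and bound != [ip]:                                # check 2
                return f"drop: {mac} is bound to {bound[0]}"
            if self.mac_whitelist and mac not in self.mac_whitelist:   # check 3
                return f"drop: {mac} not whitelisted"
            if mac in self.mac_blacklist:                              # check 4
                return f"drop: {mac} is blacklisted"
        return None

    def scan(self, p: ArpPacket) -> str:
        """Modules run one after the other; a drop by either drops the packet."""
        return self.ip_module(p) or self.mac_module(p) or "forward"

    # --- 4.1 PacketIn handling (ARP and DHCP never get a flow rule) ----------
    def on_arp(self, p: ArpPacket):
        """Returns (verdict, reply); reply is an ARP REPLY built by the controller."""
        verdict = self.scan(p)
        if verdict != "forward":
            return verdict, None
        if p.opcode == ARP_REPLY:
            self.arp_table[p.sender_ip] = p.sender_mac   # learn from a verified reply
            return verdict, None
        mac = self.arp_table.get(p.target_ip)            # answer the REQUEST here
        if mac is None:                                  # (the thesis uses scapy)
            return verdict, None
        return verdict, ArpPacket(ARP_REPLY, p.target_ip, mac, p.sender_ip,
                                  p.sender_mac, mac, p.sender_mac)

    def on_dhcp_link_up(self, ip: str) -> ArpPacket:
        """New lease: record the IP and ARP it so that its reply can be scanned."""
        self.dhcp_table.add(ip)
        return ArpPacket(ARP_REQUEST, CONTROLLER_IP, CONTROLLER_MAC, ip,
                         UNKNOWN_MAC, CONTROLLER_MAC, BROADCAST)

    def on_dhcp_link_down(self, ip: str) -> None:
        self.dhcp_table.discard(ip)      # lease released: drop DHCP and ARP entry
        self.arp_table.pop(ip, None)
```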

This functionality minimizes the chances of the attack succeeding with a constant number of checks and lines to be executed, which means the time taken is not, or only slightly, affected by the number of nodes in the network; the slight effect is due to bandwidth consumption. Overall the mitigation time is projected to be stable. To get a better understanding of how the proposed IDPS performs against the different types of ARP spoofing attack, each attack is discussed separately.

4.1.1 ARP REQUEST Attack

For the ARP REQUEST attack, the IP addresses of both sender and receiver and the MAC address of the sender are observed and verified using the Ethernet frame, the blacklist or whitelist, the ARP table at the SDN controller, and the DHCP table.

The results of ARP REQUEST attack mitigation are given in Figure 4.2. 25 packets originated from the hosts and were checked by the controller. The stability of the time taken can be observed: there are no significant fluctuations, and the slight increases and decreases are due to network bandwidth usage. The average mitigation time and its comparison with the previous approaches are given in Table 4.2.
Table 4.2: ARP REQUEST attack mitigation time
Reference Mitigation time (seconds)
(Girdler & Vassilakis, 2021) 2.204
(Tchendji et al., 2021) 1.739
(Rangisetti et al., 2021) 1.876
(Aldabbas & Amin, 2021) 1.676
(Darwesh et al., 2021) 0.150
(Sahay et al., 2019) 1.411
(Jamil et al., 2022) 0.173
(Buzura et al., 2022) 0.102
Proposed Approach 2.183

Figure 4.2: ARP REQUEST attack mitigation time

4.1.2 ARP REPLY and ARP REPLY Destination Attack

The ARP REPLY attack is only possible when the ARP REQUEST is sent by the
controller itself, because in every other case the reply to an ARP REQUEST is
generated by the controller using the Scapy library for Python. Under the current
methodology, where the SDN controller keeps a permanent ARP table instead of an ARP
cache, this case only arises when a new IP is assigned to a device: the SDN controller
sends a new ARP REQUEST and the device answers with an ARP REPLY. This ARP
REPLY packet can be malicious or carry false information. Its source and destination
IP and MAC addresses are therefore checked: the IP addresses must exist in the DHCP
table, and the IP and MAC addresses must not already have an entry in the ARP table
at the SDN controller. The MAC addresses are also verified against the MAC addresses
of the Ethernet frame encapsulating the ARP packet. The results are very supportive
and are shown in Figure 4.3. This ensures that neither the ARP REPLY nor the ARP
REPLY DESTINATION attack succeeds.
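The request checks of Section 4.1.1 and the reply checks just described, written out as a small controller-side validator. This is an added example in Python; it is not the thesis's POX code and does not use Scapy. The packet field names, the table layout, the verdict strings and every address below are constructed for the example; the rule that a reply is only accepted when the controller itself asked for it, the permanent ARP table, and the DHCP LINK UP / LINK DOWN table updates follow the text above:

```python
"""Controller-side ARP validation for Sections 4.1.1/4.1.2 (added example, not the thesis's POX code).
Field names, table layout, verdict strings and all addresses are constructed for illustration."""
from collections import namedtuple
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY, BROADCAST = 1, 2, "ff:ff:ff:ff:ff:ff"
# ARP fields plus the source/destination MAC of the Ethernet frame carrying the packet.
ArpPacket = namedtuple("ArpPacket", "eth_src eth_dst opcode sender_mac sender_ip target_mac target_ip")


@dataclass
class ControllerState:
    controller_ip: str
    controller_mac: str
    dhcp_table: dict   # ip -> MAC the DHCP server leased it to
    arp_table: dict    # permanent ip -> MAC table kept instead of an ARP cache
    blacklist: set     # MACs that are never served
    pending: set = field(default_factory=set)  # IPs the controller itself is resolving


def check_request(pkt, st):
    """The four ARP REQUEST checks: Ethernet frame, blacklist, DHCP table, ARP table."""
    if pkt.sender_mac != pkt.eth_src:
        return False, "ARP sender MAC differs from Ethernet source MAC"
    if pkt.sender_mac in st.blacklist:
        return False, "sender MAC is blacklisted"
    if st.dhcp_table.get(pkt.sender_ip) != pkt.sender_mac or pkt.target_ip not in st.dhcp_table:
        return False, "sender IP/MAC or target IP does not match the DHCP table"
    if st.arp_table.get(pkt.sender_ip, pkt.sender_mac) != pkt.sender_mac:
        return False, "sender IP is bound to another MAC in the controller ARP table"
    return True, "ok"


def check_reply(pkt, st):
    """ARP REPLY checks: only an answer to the controller's own request is accepted."""
    if pkt.sender_ip not in st.pending or pkt.target_ip != st.controller_ip:
        return False, "unsolicited ARP REPLY"
    if pkt.sender_mac != pkt.eth_src or pkt.target_mac != pkt.eth_dst:
        return False, "ARP MACs differ from the Ethernet frame MACs"
    if pkt.sender_mac in st.blacklist:
        return False, "sender MAC is blacklisted"
    if st.dhcp_table.get(pkt.sender_ip) != pkt.sender_mac:
        return False, "sender IP/MAC pair does not match the DHCP lease"
    if pkt.sender_ip in st.arp_table or pkt.sender_mac in st.arp_table.values():
        return False, "sender IP or MAC already has an ARP table entry"
    return True, "ok"


def handle_packet_in(pkt, st):
    """Decide the fate of an ARP packet that PacketIn lifted to the controller."""
    if pkt.opcode == ARP_REQUEST:
        ok, why = check_request(pkt, st)
        if not ok:
            return "DROP", why
        mac = st.arp_table.get(pkt.target_ip)
        if mac is None:                       # freshly leased IP: controller resolves it itself
            st.pending.add(pkt.target_ip)
            return "RESOLVE", pkt.target_ip
        return "REPLY", ArpPacket(mac, pkt.eth_src, ARP_REPLY, mac, pkt.target_ip,
                                  pkt.sender_mac, pkt.sender_ip)  # the thesis builds this with Scapy
    if pkt.opcode == ARP_REPLY:
        ok, why = check_reply(pkt, st)
        if not ok:
            return "DROP", why
        st.arp_table[pkt.sender_ip] = pkt.sender_mac
        st.pending.discard(pkt.sender_ip)
        return "LEARN", pkt.sender_ip
    return "DROP", "not an ARP request or reply"


def dhcp_event(st, ip, mac, link_up):
    """DHCP LINK UP records the lease; LINK DOWN purges the host from both tables."""
    if link_up:
        st.dhcp_table[ip] = mac
    else:
        st.dhcp_table.pop(ip, None)
        st.arp_table.pop(ip, None)
        st.pending.discard(ip)


H1, H2, H3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"


def demo():
    """Constructed scenario: h3 holds a fresh DHCP lease but has no ARP entry yet."""
    st = ControllerState("10.0.0.254", "00:00:00:00:00:fe",
                         {"10.0.0.1": H1, "10.0.0.2": H2, "10.0.0.3": H3},
                         {"10.0.0.1": H1, "10.0.0.2": H2}, {"de:ad:be:ef:00:01"})
    req = lambda mac, ip, target: ArpPacket(mac, BROADCAST, ARP_REQUEST, mac, ip, "00:00:00:00:00:00", target)
    rep = lambda mac, ip: ArpPacket(mac, st.controller_mac, ARP_REPLY, mac, ip,
                                    st.controller_mac, st.controller_ip)
    return {
        "legit_request": handle_packet_in(req(H2, "10.0.0.2", "10.0.0.1"), st),   # answered from the table
        "spoofed_request": handle_packet_in(req(H3, "10.0.0.1", "10.0.0.2"), st), # h3 claims h1's IP
        "resolve": handle_packet_in(req(H2, "10.0.0.2", "10.0.0.3"), st),         # no entry yet
        "valid_reply": handle_packet_in(rep(H3, "10.0.0.3"), st),                 # answer we asked for
        "forged_reply": handle_packet_in(rep(H3, "10.0.0.1"), st),                # unsolicited claim
    }, st
```

Every packet passes through the same fixed sequence of lookups, each a dictionary or set operation, which is the property behind the stability argument above: the per-packet cost does not grow with the number of hosts, only with the volume of ARP traffic reaching the controller.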

Similar to the ARP REQUEST attack, the ARP REPLY and ARP REPLY DESTINATION
attacks also have a stable response time. The average mitigation time and its
comparison with the previous approaches are given in Table 4.3.

Figure 4.3: ARP REPLY attack mitigation time

Table 4.3: ARP REPLY attack mitigation time

Reference                      Mitigation time (seconds)
(Girdler & Vassilakis, 2021)   2.202
(Tchendji et al., 2021)        2.071
(Rangisetti et al., 2021)      1.812
(Aldabbas & Amin, 2021)        0.264
(Darwesh et al., 2021)         0.170
(Sahay et al., 2019)           1.561
(Jamil et al., 2022)           0.186
(Buzura et al., 2022)          0.114
Proposed Approach              2.242

It can be observed that the mitigation time is not very different from the previous
approaches, even after this extensive methodology and the checks being applied. The
number of checks is compared in Table 4.4. The proposed IDPS can therefore be used
and deployed in an industrial network to prevent intrusions, because, as discussed
above, intrusions into industrial networks can result in drastic and irrecoverable damage.

Table 4.4: Number of checks applied by every approach

Reference                      Number of checks
(Girdler & Vassilakis, 2021)   3
(Tchendji et al., 2021)        1
(Rangisetti et al., 2021)      2
(Aldabbas & Amin, 2021)        2
(Darwesh et al., 2021)         1
(Sahay et al., 2019)           2
(Jamil et al., 2022)           1
(Buzura et al., 2022)          1
Proposed Approach              4

SIMULATION FOR DDOS ATTACK

The DDoS attack is simulated on the same machine as the ARP spoofing mitigation.
The machine has an i5-2520M processor and 16 GB of RAM, and the Ubuntu 22.04
operating system is installed. The Mininet SDN simulation tool is used to simulate the
proposed approach. Mininet comes in two forms: pre-installed in a virtual machine, and
installable as a tool on a physical machine. The POX open source SDN controller is
integrated with Mininet as the SDN controller. As DDoS attacks are mainly targeted at
industrial servers and networks, this research uses a fat tree topology, which is the most
common topology for industrial networks. To create the tree topology for this research,
the depth of the tree was set to 3 and the fanout to 4; this resulted in 64 hosts, 4 of
which are servers, and server 1 is the one under attack. The Low Orbit Ion Cannon
(LOIC) tool is used to perform the DDoS attack. LOIC is a network stress testing and
DoS attack tool; it is used here to stress the network with ICMP, TCP and UDP traffic,
and it is combined with the Scapy Python library to initiate the attack from multiple
hosts in the network. During the attack, the attacking IP address was generating 150 to
200 requests per second. When this huge number of requests reached the servers, the
load balancing module of the SDN controller divided the packets evenly; on the server
side there were on average 1000 requests per second. This high number of requests
affected the latency of the network, and the average server response time increased
from 1 ms to 250 ms. As soon as the attack is mitigated, the latency returns to the
normal 1 ms.

An OpenFlow PacketIn message occurs when a new type of packet arrives or a packet
arrives from a new host. For every PacketIn event, the DDoS attack mitigation model is
executed and determines whether the packet is DDoS traffic or normal. This requires
the execution time of the model to be as small as possible. If the packet is classified as
malicious, the IP is added to the blacklist for 24 hours and all traffic from that IP is
blocked for that period.
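The PacketIn-time decision and the 24-hour blacklist described above, written as a small Python gate. This is an added example, not the thesis's POX module. The trained Bayesian Network is replaced by a placeholder that flags a source exceeding 100 packets per second (a constructed threshold chosen only so the block runs offline), the packet records and the clock are constructed, and the field names are assumptions; the 24-hour block, the per-event classification and the "frequency of the packets" feature follow the text:

```python
"""PacketIn-time DDoS gate with the 24-hour blacklist (added example, not the thesis's POX module)."""
import time
from collections import deque

BLACKLIST_TTL = 24 * 60 * 60   # the thesis blocks a classified source for 24 hours
RATE_LIMIT = 100               # constructed threshold used only by the placeholder classifier


def rate_placeholder(features):
    """Stand-in for the trained Bayesian Network: flag a source exceeding RATE_LIMIT packets/s."""
    return features["frequency"] > RATE_LIMIT


class DdosGate:
    def __init__(self, classify=rate_placeholder, now=time.time):
        self.classify = classify   # model: feature dict -> True when the packet is DDoS traffic
        self.now = now             # injectable clock so the behaviour is reproducible offline
        self.blacklist = {}        # src_ip -> time at which its block expires
        self.recent = {}           # src_ip -> arrival times seen within the last second

    def packet_rate(self, ip, t):
        """Feature 11 of the thesis (frequency of the packets): packets from ip in the last second."""
        q = self.recent.setdefault(ip, deque())
        q.append(t)
        while q and t - q[0] > 1.0:
            q.popleft()
        return len(q)

    def on_packet_in(self, pkt):
        """Run once per PacketIn event; returns the action for the packet: FORWARD or DROP."""
        t, ip = self.now(), pkt["src_ip"]
        expires = self.blacklist.get(ip)
        if expires is not None:
            if t < expires:
                return "DROP"            # still inside the 24-hour block, no model run needed
            del self.blacklist[ip]       # block has lapsed; judge the source afresh
        features = dict(pkt, frequency=self.packet_rate(ip, t))
        if self.classify(features):
            self.blacklist[ip] = t + BLACKLIST_TTL
            return "DROP"
        return "FORWARD"


def simulate():
    """Constructed traffic: one source sends 150 packets in 0.75 s, another sends three."""
    clock = {"t": 0.0}
    gate = DdosGate(now=lambda: clock["t"])
    flood = {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.1", "dst_port": 80, "proto": "TCP"}
    normal = {"src_ip": "10.0.0.2", "dst_ip": "10.0.0.1", "dst_port": 80, "proto": "TCP"}
    out = {"flood_forwarded": 0, "flood_dropped": 0}
    for i in range(150):
        clock["t"] = i * 0.005                     # 200 packets/s, the upper rate quoted in the text
        key = "flood_forwarded" if gate.on_packet_in(flood) == "FORWARD" else "flood_dropped"
        out[key] += 1
    clock["t"] = 1.0
    out["normal_forwarded"] = sum(gate.on_packet_in(normal) == "FORWARD" for _ in range(3))
    clock["t"] = 2.0
    out["flood_after_2s"] = gate.on_packet_in(flood)     # blacklisted: dropped without classifying
    clock["t"] = 2.0 + BLACKLIST_TTL
    out["flood_after_24h"] = gate.on_packet_in(flood)    # block expired, low rate: forwarded again
    return out
```

The blacklist check runs before the model, so once a source is blocked the controller pays only a dictionary lookup per PacketIn rather than a classification, which is what keeps the model's execution time off the path for already-identified sources. The expiry is evaluated lazily on the next packet from that source, so no timer thread is needed.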

To maximize the classification accuracy and minimize the error in the model
predictions, the noise in the input variables given to the artificial intelligence model
must be reduced. This noise is part of the features of the dataset, so the features must
be reduced to only those that have a higher impact on the output class. The optimal
features reduce the error and improve the accuracy of the model; this feature reduction
process is called feature selection.

This research also performs feature selection for noise reduction, reducing the problem
of overfitting and improving the accuracy of the model. It has not selected any
ambiguous features, i.e. features with an ambiguous source of extraction. Ambiguous
features may increase the accuracy, but in real time they are very likely to raise false
alarms.

For feature selection, this research uses the Pearson correlation coefficient, which
measures the linear relation between two variables; here it is computed between each
feature and the class. The features with more than 70% positive correlation with the
output label class were chosen. The chosen features are:

1. Sender IP
2. Receiver IP
3. Sender Port
4. Receiver Port
5. Packet type
6. Protocol
7. Payload size
8. Sequence Number
9. Header length
10. Flags on the packet
11. Frequency of the packets

The artificial intelligence models were trained on these features from the dataset.
Training a model means making it learn which kinds of feature values result in which
output. In this research, these 11 features are selected to predict the output class of
the packet.
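The Pearson selection step, carried out on a constructed sample. This is an added example, not the thesis's code or dataset: pearson() is computed by hand rather than with NumPy so the block runs anywhere, the eight packet records and their feature names are made up, and the 70% positive-correlation threshold is the one stated above. Going slightly beyond the text, the sample also includes a constant feature and an uncorrelated one to show that both are rejected:

```python
"""Pearson-correlation feature selection for the DDoS model (added example; constructed data)."""
from math import sqrt


def pearson(xs, ys):
    """Pearson r of two equal-length sequences; 0.0 when either sequence is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0           # a constant feature carries no information about the class
    return cov / sqrt(vx * vy)


def select_features(rows, label="is_attack", threshold=0.70):
    """Keep every feature whose correlation with the label exceeds the threshold."""
    ys = [r[label] for r in rows]
    scores = {}
    for name in rows[0]:
        if name == label:
            continue
        scores[name] = pearson([r[name] for r in rows], ys)
    chosen = [name for name, r in scores.items() if r > threshold]
    return chosen, scores


# Constructed sample: eight packet records with their class label (1 = attack traffic).
# packet_rate tracks the label closely, syn_flag loosely, ip_id not at all, ttl is constant.
SAMPLE_ROWS = [
    {"packet_rate": 5,   "syn_flag": 0, "ip_id": 100, "ttl": 64, "is_attack": 0},
    {"packet_rate": 8,   "syn_flag": 1, "ip_id": 900, "ttl": 64, "is_attack": 0},
    {"packet_rate": 6,   "syn_flag": 0, "ip_id": 300, "ttl": 64, "is_attack": 0},
    {"packet_rate": 7,   "syn_flag": 0, "ip_id": 700, "ttl": 64, "is_attack": 0},
    {"packet_rate": 180, "syn_flag": 1, "ip_id": 200, "ttl": 64, "is_attack": 1},
    {"packet_rate": 160, "syn_flag": 1, "ip_id": 800, "ttl": 64, "is_attack": 1},
    {"packet_rate": 200, "syn_flag": 1, "ip_id": 400, "ttl": 64, "is_attack": 1},
    {"packet_rate": 150, "syn_flag": 1, "ip_id": 600, "ttl": 64, "is_attack": 1},
]


def run_selection():
    """Apply the 70% rule to the constructed sample; returns (chosen names, all scores)."""
    return select_features(SAMPLE_ROWS)
```

Note that the rule as stated keeps only positively correlated features; a feature that is strongly negatively correlated with the attack label would be dropped by `r > 0.70`, so if the intent is strength of association regardless of direction, compare `abs(r)` instead.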

This research proposes the use of a Bayesian Network for this purpose, and the results
show that the Bayesian Network outperformed every other approach in terms of
accuracy and attack detection time. The accuracy of the machine learning algorithms is
compared in Table 4.5.

Table 4.5: Accuracy of different algorithms

Algorithm                 Accuracy
Extreme Gradient Boost    99.02%
Bayesian Network          99.88%
Decision Tree             99.64%
Random Forest             99.75%
Support Vector Machine    93.60%
Naive Bayes               99.60%
KNN                       91.27%
ANN                       98.57%

Achieving high accuracy is important so that a DDoS attack is detected correctly.
Similarly, it is also very important to detect the attack as soon as possible. Table 4.6
shows the time taken by the different algorithms to detect and mitigate the attack.

Table 4.6: DDoS attack mitigation time

Algorithm                 Attack mitigation time (milliseconds)
Extreme Gradient Boost    330
Bayesian Network          30
Decision Tree             60
Random Forest             1130
Support Vector Machine    3120
Naive Bayes               55
KNN                       5320
ANN                       140

SUMMARY

Intrusions in industrial networks are drastic and catastrophic because the consequences
may take the form of major data breaches or leaks. The previous approaches do perform
a good job, but their functionality was very limited and could easily be bypassed. This
article proposes a new IDPS against ARP spoofing attacks with an extensive
methodology and security checks applied to both the IP and MAC addresses. The
proposed IDPS covers the attack from almost every intrusion perspective: when an ARP
packet reaches the OpenFlow switch it is forwarded to the SDN controller, and the
controller applies the checks discussed before. If it is an ARP REQUEST packet, the
ARP REPLY is generated by the SDN controller; if the packet is an ARP REPLY, the
ARP table at the SDN controller is updated. Even after these extensive checks and
methodology, the mitigation time is not very different from the previous approaches.
This is because the number of checks applied does not depend on anything; it is
constant.

A DDoS attack is performed by sending a huge number of requests to a network
resource, as discussed above. The major targets of this attack are web servers, as they
are comparatively easily accessible from all over the world. A DDoS attack can be
performed in multiple ways; its goal is to exhaust the resources of the servers and keep
them so busy that they start denying the service they were providing. This is why the
attack is mitigated here by employing machine learning algorithms. This research
proposed the Bayesian Network algorithm for DDoS attack mitigation, and the results
obtained show that the Bayesian Network has proved very effective in terms of both
attack mitigation time and attack detection accuracy.

In future work, the mitigation time needs attention, because currently it is more than
2 seconds, which is very high; it needs to be lowered by optimizing the packet check
approach, and multithreading, parallel execution of the checks or GPU accelerated
development can help. The number of checks can also be optimized by simplifying the
checks or enhancing the methodology to make sure that ARP spoofing is not possible.
For the DDoS attack, deep reinforcement learning will be implemented

LITERATURE CITED

Abbasi, M., Maleki, S., Jeon, G., Khosravi, M. R., & Abdoli, H. (2022). An intelligent method for reducing the overhead of analysing big data flows in Openflow switch. IET Communications, 16(5), 548–559.

Aldabbas, H., & Amin, R. (2021). A novel mechanism to handle address spoofing attacks in SDN based IoT. Cluster Computing, 24(4), 3011–3026. https://doi.org/10.1007/s10586-021-03309-0

Alhaj, A. N., & Dutta, N. (2022). Analysis of Security Attacks in SDN Network: A Comprehensive Survey. In H. K. D. Sarma, V. E. Balas, B. Bhuyan, & N. Dutta (Eds.), Contemporary Issues in Communication, Cloud and Big Data Analytics (pp. 27–37). Springer.

Babiceanu, R. F., & Seker, R. (2019). Cyber resilience protection for industrial internet of things: A software-defined networking approach. Computers in Industry, 104, 47–58. https://doi.org/10.1016/j.compind.2018.10.004

Badotra, S., & Panda, S. N. (2021). SNORT based early DDoS detection system using Opendaylight and open networking operating system in software defined networking. Cluster Computing, 24(1), 501–513. https://doi.org/10.1007/s10586-020-03133-y

Balarezo, J. F., Wang, S., Chavez, K. G., Al-Hourani, A., & Kandeepan, S. (2022). A survey on DoS/DDoS attacks mathematical modelling for traditional, SDN and virtual networks. Engineering Science and Technology, an International Journal, 31, 101065. https://doi.org/10.1016/j.jestch.2021.09.011

Buzura, S., Lehene, M., Iancu, B., & Dadarlat, V. (2022). An Extendable Software Architecture for Mitigating ARP Spoofing-Based Attacks in SDN Data Plane Layer. Electronics, 11(13), 1965. https://doi.org/10.3390/electronics11131965

Chen, K.-Y., Liu, S., Xu, Y., Siddhrau, I. K., Zhou, S., Guo, Z., & Chao, H. J. (2022). SDNShield: NFV-Based Defense Framework Against DDoS Attacks on SDN Control Plane. IEEE/ACM Transactions on Networking, 30(1), 1–17. https://doi.org/10.1109/TNET.2021.3105187

Clavorà, F., & Vallettiabc, B. T. (2016). Selling customer information to competing firms. Economics Letters, 149, 10–14. https://doi.org/10.1016/j.econlet.2016.10.005

Crenn, H. (2021). Data breaches in the era of covid-19: Silent identity collection as an intentional political instrument - the weak experience of the balkan region. Cyberpolitik Journal, 6(12), 140–154.

Darwesh, G., Vorobeva, A. A., & Korzhuk, V. M. (2021). An efficient mechanism to detect and mitigate an ARP spoofing attack in software-defined networks. Научно-Технический Вестник Информационных Технологий, Механики и Оптики, 21(3), 401–409.

Dobrin, D., & Dimiter, A. (2021). DDoS attack identification based on SDN. 2021 IEEE 20th International Symposium on Network Computing and Applications (NCA), 1–8. https://doi.org/10.1109/NCA53618.2021.9685554

Eliyan, L. F., & Di Pietro, R. (2021). DoS and DDoS attacks in Software Defined Networks: A survey of existing solutions and research challenges. Future Generation Computer Systems, 122, 149–171. https://doi.org/10.1016/j.future.2021.03.011

Espinel Sarmiento, D., Lebre, A., Nussbaum, L., & Chari, A. (2021). Decentralized SDN Control Plane for a Distributed Cloud-Edge Infrastructure: A Survey. IEEE Communications Surveys & Tutorials, 23(1), 256–281. https://doi.org/10.1109/COMST.2021.3050297

Gadze, J. D., Bamfo-Asante, A. A., Agyemang, J. O., Nunoo-Mensah, H., & Opare, K. A.-B. (2021). An Investigation into the Application of Deep Learning in the Detection and Mitigation of DDOS Attack on SDN Controllers. Technologies, 9(1), 14. https://doi.org/10.3390/technologies9010014

Girdler, T., & Vassilakis, V. G. (2021). Implementing an intrusion detection and prevention system using Software-Defined Networking: Defending against ARP spoofing attacks and Blacklisted MAC Addresses. Computers & Electrical Engineering, 90, 106990. https://doi.org/10.1016/j.compeleceng.2021.106990

Haque, M. R., Tan, S. C., Yusoff, Z., Nisar, K., Kaspin, R., Haider, I., Nisar, S., Rodrigues, J. J. P. C., Shankar Chowdhry, B., Uqaili, M. A., Prasad Majumder, S., Rawat, D. B., Etengu, R., & Buyya, R. (2022). Unprecedented Smart Algorithm for Uninterrupted SDN Services During DDoS Attack. Computers, Materials & Continua, 70(1), 875–894. https://doi.org/10.32604/cmc.2022.018505

Housman, O. G., Isnaini, H., & Sumadi, F. (2020). SDN-DDOS (ICMP,TCP,UDP). 1. https://doi.org/10.17632/hkjbp67rsc.1

Hu, T., Zhang, Z., Yi, P., Liang, D., Li, Z., Ren, Q., Hu, Y., & Lan, J. (2021). SEAPP: A secure application management framework based on REST API access control in SDN-enabled cloud environment. Journal of Parallel and Distributed Computing, 147, 108–123.

Jain, A. K., & Gupta, B. B. (2022). A survey of phishing attack techniques, defence mechanisms and open research challenges. Enterprise Information Systems, 16(4), 527–565. https://doi.org/10.1080/17517575.2021.1896786

Jamil, F., Jamil, H., & Ali, A. (2022). Spoofing Attack Mitigation in Address Resolution Protocol (ARP) and DDoS in Software-Defined Networking. Journal of Information Security and Cybercrimes Research, 5(1), 31–42. https://doi.org/10.26735/VBVS3993

Kolevski, D., Michael, K., Abbas, R., & Freeman, M. (2021). Cloud computing data breaches: A review of U.S. regulation and data breach notification literature. 2021 IEEE International Symposium on Technology and Society (ISTAS), 1–7. https://doi.org/10.1109/ISTAS52410.2021.9629173

Lee, L.-H., Braud, T., Zhou, P., Wang, L., Xu, D., Lin, Z., Kumar, A., Bermejo, C., & Hui, P. (2021). All One Needs to Know about Metaverse: A Complete Survey on Technological Singularity, Virtual Ecosystem, and Research Agenda. https://doi.org/10.48550/arXiv.2110.05352

Long, Z., & Jinsong, W. (2022). A hybrid method of entropy and SSAE-SVM based DDoS detection and mitigation mechanism in SDN. Computers & Security, 115, 102604. https://doi.org/10.1016/j.cose.2022.102604

Mystakidis, S. (2022). Metaverse. Encyclopedia, 2(1), 486–497. https://doi.org/10.3390/encyclopedia2010031

Ning, H., Wang, H., Lin, Y., Wang, W., Dhelim, S., Farha, F., Ding, J., & Daneshmand, M. (2021). A Survey on Metaverse: The State-of-the-art, Technologies, Applications, and Challenges (arXiv:2111.09673). arXiv. https://doi.org/10.48550/arXiv.2111.09673

Oliveira, T. F., Xavier-de-Souza, S., & Silveira, L. F. (2021). Improving Energy Efficiency on SDN Control-Plane Using Multi-Core Controllers. Energies, 14(11), 3161. https://doi.org/10.3390/en14113161

Pourbabak, H., Chen, T., & Su, W. (2019). 8—Emerging data encryption methods applicable to Energy Internet. In W. Su & A. Q. Huang (Eds.), The Energy Internet (pp. 181–199). Woodhead Publishing. https://doi.org/10.1016/B978-0-08-102207-8.00008-4

Rangisetti, A. K., Dwivedi, R., & Singh, P. (2021). Denial of ARP spoofing in SDN and NFV enabled cloud-fog-edge platforms. Cluster Computing, 24(4), 3147–3172. https://doi.org/10.1007/s10586-021-03328-x

Sahay, R., Meng, W., Estay, D. A. S., Jensen, C. D., & Barfod, M. B. (2019). CyberShip-IoT: A dynamic and adaptive SDN-based security policy enforcement framework for ships. Future Generation Computer Systems, 100, 736–750. https://doi.org/10.1016/j.future.2019.05.049

Saravanan, A., & Bama, S. S. (2019). A Review on Cyber Security and the Fifth Generation Cyberattacks. Oriental Journal of Computer Science and Technology, 12(2), 50–56. https://doi.org/10.13005/ojcst12.02.04

Sebbar, A., Boulmalf, M., Dafir Ech-Cherif El Kettani, M., & Baddi, Y. (2018). Detection MITM Attack in Multi-SDN Controller. 2018 IEEE 5th International Congress on Information Science and Technology (CiSt), 583–587. https://doi.org/10.1109/CIST.2018.8596479

Shah, H., & Comissiong, D. M. G. (2021). Computer Virus Model with Stealth Viruses and Antivirus Renewal in a Network with Fast Infectors. SN Computer Science, 2(5), 407. https://doi.org/10.1007/s42979-021-00780-9

Shohani, R. B., Mostafavi, S., & Hakami, V. (2021). A Statistical Model for Early Detection of DDoS Attacks on Random Targets in SDN. Wireless Personal Communications, 120(1), 379–400.

Sparkes, M. (2021). What is a metaverse. New Scientist, 251(3348), 18. https://doi.org/10.1016/S0262-4079(21)01450-0

Tan, L., Pan, Y., Wu, J., Zhou, J., Jiang, H., & Deng, Y. (2020). A New Framework for DDoS Attack Detection and Defense in SDN Environment. IEEE Access, 8, 161908–161919. https://doi.org/10.1109/ACCESS.2020.3021435

Tchendji, V. K., Mvah, F., Djamegni, C. T., & Yankam, Y. F. (2021). E2BaSeP: Efficient Bayes Based Security Protocol Against ARP Spoofing Attacks in SDN Architectures. Journal of Hardware and Systems Security, 5(1), 58–74. https://doi.org/10.1007/s41635-020-00105-x

Tuan, N. N., Hung, P. H., Nghia, N. D., Tho, N. V., Phan, T. V., & Thanh, N. H. (2020). A DDoS Attack Mitigation Scheme in ISP Networks Using Machine Learning Based on SDN. Electronics, 9(3), 413.

Varghese, J. E., & Muniyal, B. (2021). An Efficient IDS Framework for DDoS Attacks in SDN Environment. IEEE Access, 9, 69680–69699. https://doi.org/10.1109/ACCESS.2021.3078065

Vinitha, K., Ambrose Prabhu, R., Bhaskar, R., & Hariharan, R. (2020). Review on industrial mathematics and materials at Industry 1.0 to Industry 4.0. Materials Today: Proceedings, 33, 3956–3960.

Yeh, W.-C., Lin, E., & Huang, C.-L. (2021). Predicting Spread Probability of Learning-Effect Computer Virus. Complexity, 2021, e6672630.

Yin, S., Li, X., Gao, H., & Kaynak, O. (2015). Data-Based Techniques Focused on Modern Industry: An Overview. IEEE Transactions on Industrial Electronics, 62(1), 657–667. https://doi.org/10.1109/TIE.2014.2308133

Yurekten, O., & Demirci, M. (2021). SDN-based cyber defense: A survey. Future Generation Computer Systems, 115, 126–149.
