INDUSTRY
(20-ARID-954)
by
(20-ARID-954)
Master of Science
in
Computer Science
Certified that the contents and form of thesis entitled “SDN-Based Cyber
Supervisor: ________________________________
(Dr. Syed Mushhad Mustuzhar Gilani)
Member: _____________________________
(Dr. Saud Altaf)
Member: _______________________________
(Mr. Muhamad Aleem Akhtar)
Director _________________________
DEDICATION
I want to dedicate this thesis to all my teachers who taught me from class prep to
this level; they have all made their contribution to making me able to complete this thesis
successfully.
CONTENTS
List of Tables
List of Figures
Acknowledgements
Abstract
Chapter 1 INTRODUCTION
1.1 INDUSTRY EVOLUTION
1.1.1 Industry 1.0 Mechanization
1.1.2 Industry 2.0 Electrification
1.1.3 Industry 3.0 Automation
1.1.4 Industry 4.0 Digitalization
1.1.5 Industry 5.0 Personalization
1.2 CYBER SECURITY
1.2.1 Viruses
1.2.2 Phishing Attacks
1.2.3 Network Intrusions
1.2.4 Denial Of Service Attacks
1.2.5 Attack Mitigation Approaches
1.3 SOFTWARE DEFINED NETWORKING (SDN)
1.3.1 Application Plane
1.3.2 Control Plane
1.3.3 Data Plane
1.4 SDN AND CYBER SECURITY
1.5 RESEARCH CONTRIBUTIONS
Chapter 2 LITERATURE REVIEW
2.1 STATE-OF-THE-ART APPROACHES
2.2 TABULAR ANALYSIS OF LITERATURE REVIEW
2.3 PROBLEM STATEMENT
2.4 RESEARCH OBJECTIVES
2.5 EXPECTED OUTCOME
Chapter 3 PROPOSED STRATEGY
3.1 ARP SPOOFING ATTACKS MITIGATION
3.1.1 Scenario 1: Intruding in the Network When User is Blacklisted
3.1.2 Scenario 2: Intruding in the Whitelisted Network
3.1.3 Scenario 3: Man in the Middle Attack
3.1.4 Mitigation Strategy
3.1.4.1 IP address scanning module
3.1.4.2 MAC address scanning module
3.2 DDOS ATTACK MITIGATION
3.2.1 Types of DDoS Attack
3.2.1.1 Flooding
3.2.1.2 Slowloris
3.2.2 Purpose of DDoS attack
3.2.3 Dataset
3.2.4 Mitigation Strategy
3.2.4.1 Bayesian network
3.2.4.2 Naïve Bayes
3.2.4.3 Artificial Neural Network (ANN)
3.2.4.4 Support Vector Machine (SVM)
3.2.4.5 K Nearest Neighbor (KNN)
3.2.4.6 Decision tree
3.2.4.7 Random forest
Chapter 4 SIMULATIONS AND RESULTS
4.1 SIMULATION FOR ARP SPOOFING ATTACK
4.1.1 ARP REQUEST Attack
4.1.2 ARP REPLY and ARP REPLY Destination Attack
4.2 SIMULATION FOR DDOS ATTACK
4.3 SUMMARY
LITERATURE CITED
ABBREVIATIONS
IP Internet Protocol
List of Tables
List of Figures
Acknowledgements
First of all, I would like to thank Allah Almighty, who gave me enough
knowledge and strength for this thesis. Then I would like to dedicate this thesis to
my family, who supported me morally and financially throughout my thesis and kept
me motivated, especially my grandfather (late), who was the first one who supported
me when I chose computers as my career field.
I would also like to thank the supervisory committee members as well, who kept
me guided and played the role of a guiding light for me. It is through their hard work that I was
able to do this thesis. I would like to thank my class fellows as well, who also helped
me and discussed a few things with me when I got stuck somewhere.
ABSTRACT
CHAPTER 1
INTRODUCTION
The networks inside corporations and other industrial units carry very sensitive
data. Attacks and security breaches in these networks can result in disaster and massive,
irrecoverable damage. This research uses a Software Defined Networking (SDN) based
strategy for the mitigation and prevention of these attacks.
1.1 INDUSTRY EVOLUTION
It is important to study the evolution of industry to get a better understanding of
what this research is actually going to protect and what the threats are.
Figure 1.1: Industry evolution
1.1.1 Industry 1.0 Mechanization
The first fuel engine started the modern industry of machines. Human effort was
greatly reduced, a lot of work was mechanized, and many tasks that were beyond human
capabilities were taken over by machines. The most popular example of this is the steam
engine; later, other fuel-powered engines were developed. Production sped up, services
got better, and many lives got better.
1.1.2 Industry 2.0 Electrification
With the invention of electricity, engines started to convert from mechanical to
electrical, and a few used both fuel and electricity. This greatly increased production
speed and efficiency, and beyond engines many new devices were invented. The major
example is the electric appliances used in households. This also reduced the use of
pollution-generating engines and equipment.
1.1.3 Industry 3.0 Automation
This is when machines started to take decisions by themselves. It happened
with the invention of electronic circuits, where a device can take a decision on the
basis of the input given. This reduced human effort a great deal, and many tasks were
automated. This revolution not only sped up the production of goods and increased
the number of devices available, it also sped up the pace of change itself. The most popular
example of this era is the modern-day computer. Laptops, cellphones and their
technologies evolved very quickly. This is the first time that data
was saved on a physical device, which led to the birth of the field of data security.
1.1.4 Industry 4.0 Digitalization
This is the present day, where the connection between human beings and
machinery is changing day by day. This era started with the advent of the internet, when
the meaning of connecting, not only with devices but with other human beings, changed
(Crenn, 2021). Now data is not only stored on a physical device but can
also be transferred to literally anywhere in the world. This change in technology also
increased the risk of data breaches, and the owners and users of data became very
conscious about its security. With the passage of time and the evolution of
technology the risk keeps increasing. News of data breaches and other cyber-attacks
on well-known industrial networks is now very common (Kolevski et al., 2021).
Breached data can be used for any legal or illegal purpose. With this increase in
convenience for humanity, the risk to data security is also increasing (Saravanan & Bama, 2019).
1.1.5 Industry 5.0 Personalization
This is the era yet to come. With the advancement and use of smart devices,
interaction with these devices is also increasing. The concept of the metaverse is
now becoming reality; there are multiple metaverses available, each with its own
purpose (Lee et al., 2021). The metaverse is a virtual world that the user interacts
with while being in the physical world. It is a Virtual Reality (VR) socializing platform where
the user just wears the gear and reaches the place they want (Mystakidis, 2022). Users
interact with the objects there as in the physical world. This means a massive increase in
data transmissions and a high risk of data being breached or attacked (Sparkes, 2021).
The impact of an attack on the metaverse is very drastic because the variety of attacks
will grow to an unpredictable number (Ning et al., 2021). This amplifies the importance
of cyber security in industry.
1.2 CYBER SECURITY
The term cyber security means all the preventive measures taken to prevent the
exploitation of a potential vulnerability in a computer system or network (Pourbabak
et al., 2019). After studying all the generations of industry, it can be concluded that
with advancements in technology, the possibilities of attacks of different natures
also increase, putting users' data at risk. This means there is a constant need to
evolve the defense mechanisms against the evolving attack mechanisms, which
underlines the importance of cyber security in industry.
The field of cyber security started with the beginning of computing devices. The
malicious thoughts and intentions of human beings never stopped and
compelled them to write malicious software (malware). There are different types of
cyber-attacks.
1.2.1 Viruses
The first form of cyber-attack was virus software. A virus is a type of malware that
attaches itself to some other legitimate software and gets triggered once the host
software is executed (Yeh et al., 2021). It reflects the multiplication property of a
biological virus: it spreads by attaching itself to more and
more files. The purposes of viruses differ: monitoring the victim's activities,
filling disk space with hidden files, changing file contents and file types,
replicating files, hiding files, encrypting files for ransom and a lot more
(Shah & Comissiong, 2021). Multiple preventive measures are available against this attack.
The most common prevention measure is to use a good antivirus.
1.2.2 Phishing Attacks
This is another type of attack, performed to steal the passwords of end users.
It is very similar to real-life fishing, where the fisherman throws bait into the water
and the fish takes it as food, not knowing there is a hook in it; when it eats the bait
it gets caught on the hook and is captured. Similarly, in a phishing attack, the attacker
displays a replica of an authentic web page and tricks the user into entering their
login credentials; once the user enters them, the credentials are stored in the
attacker's database (Jain & Gupta, 2022). This type of attack can be prevented only by
being careful while using the internet and by educating internet users.
1.2.3 Network Intrusions
These attacks are performed to become part of a secured network and
perform malicious activities there. The intruder may only listen to the traffic, may
manipulate it, or may carry out other malicious activities, for example flooding the network
with bogus traffic or accessing confidential data from the servers in the network, among many
other aims. The attack is performed by exploiting weaknesses in the security
measures taken in the network. The outcome of this attack can be more drastic and
catastrophic than phishing and virus attacks. The main technique behind this attack is
corrupting the Address Resolution Protocol (ARP) cache on the networking
devices. This attack can be prevented by deploying serious and advanced
Intrusion Detection and Prevention Systems (IDPSs).
1.2.4 Denial Of Service Attacks
Denial of Service (DoS) attacks are performed by flooding a network resource with
bogus requests, keeping it so busy and exhausting its resources so much
that it refuses to provide any service to any user, or service becomes extremely
and annoyingly slow (Eliyan & Di Pietro, 2021). A DoS attack is performed by a
single device sending a huge number of requests to the network resource. In a
Distributed Denial of Service (DDoS) attack, a number of devices are recruited into a botnet
and the whole botnet is used to flood the network resource with requests.
The attack can be performed by sending a huge number of ICMP, TCP-SYN, TCP-ACK
or UDP packets to the network resource to keep it busy. The packets may
carry such a heavy payload that processing them drains all the resources of the
target, forcing it to deny service (Balarezo et al., 2022).
1.2.5 Attack Mitigation Approaches
To avoid virus and phishing attacks, user education is the best tool, as the
network configuration is neither disturbed nor affected. To perform these attacks, the
attacker only needs to play with the users' minds to make them do what the attacker wants.
Therefore, the most essential thing to do to prevent these attacks is to
educate users about how to secure themselves on the internet, although for virus
attacks multiple antivirus products exist and for phishing attacks different tools are available to detect
the fakeness of a website.
To mitigate DDoS and intrusion attacks, however, end-user education is of no use,
because these attacks are not performed by exploiting a weakness of the user; rather,
they are performed by exploiting loopholes in the security configuration of the network.
Mitigating these attacks requires extensive networking and cyber security knowledge.
Firewalls and other security appliances must be installed in the network,
which requires extra hardware and cabling, and updating their configuration is equally
problematic.
1.3 SOFTWARE DEFINED NETWORKING (SDN)
This approach has a three-layer architecture: Application Plane, Control Plane and
Data Plane. The control plane is the decision maker of the network. The
application plane is where the end users connect to the network and the networking
applications run, and the data plane is where the networking devices reside.
The application plane is at the top and is connected to the control plane via the
Northbound Interface; the data plane is below the control plane and is connected to
the control plane via the Southbound Interface. This architecture is shown in Figure 1.2.
1.3.1 Application Plane
This is the plane where the user-end networking applications run. They
generate requests, which are sent to the Control Plane via the Northbound Interface
of the SDN controller. The primary traffic generators and receivers reside here. This plane
does not know how routing is done; it just sends the traffic to the control plane,
and the control plane handles the rest. A few SDN applications also run at this plane;
for example, load balancing is done in the application plane, and network intrusion
detection and prevention is done in the application plane. These applications are also
known as mid-level applications (Hu et al., 2021).
1.3.2 Control Plane
This is the point where all the configuration of the network is done. This
plane is the heart of the SDN architecture. The SDN controller runs at this layer; without a
running controller the whole network halts and nothing works. This layer makes
all the routing decisions and exposes a programmable interface via the SDN
controller. The decisions made here are installed in the data plane as flow rules, so that traffic
matching an installed rule is sent directly to the concerned device; if a packet
matches none of the installed rules, it is sent up to this layer via the Southbound
Interface and the controller decides how to handle it (Chen et al.,
2022).
This layer has two types of architecture, centralized and distributed (Oliveira et al.,
2021). Centralized means that there is only one controller that controls and
configures the whole network. Examples of centralized controllers are Ryu, POX,
NOX, Floodlight and OpenDaylight. Distributed means that the
controller is not a single instance; there are multiple instances of the controller,
so that if one controller is busy another controller is used. Multiple
architectures are available for distributed SDN controllers, but the most common one is the
master-slave architecture (Espinel Sarmiento et al., 2021). Examples of distributed SDN
controllers are DISCO, ONOS and RUNOS.
1.3.3 Data Plane
This is the plane where the actual forwarding takes place. It comprises
OpenFlow switches connected to the end-user devices and to the controller. These
switches have no decision power of their own; they rely on the decisions made by the
control plane, which makes configuration of the network easier. The switches are
capable of behaving as layer 3 switches but depend on the control plane
configuration; the control plane also controls how these switches behave. This plane
interacts with the control plane using the Southbound Interface and holds
the flow rules installed by the control plane. If traffic arrives that matches none of
the installed rules, it is forwarded to the SDN controller (Abbasi et al., 2022).
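The table-miss and packet-in cycle just described, as an added example that is not code from the thesis or from any SDN controller: a toy OpenFlow-style switch (data plane) that can only match the rules installed in it, and a learning-switch controller (control plane) that decides on a miss and pushes a rule back so the next packet of that kind never leaves the data plane. All class and method names are this example's own; a real deployment would use a controller such as Ryu or POX, whose APIs are not reproduced here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    in_port: int


@dataclass
class FlowRule:
    """A data-plane rule: match on destination MAC, forward to out_port."""
    dst_mac: str
    out_port: int
    priority: int = 1
    matched: int = 0  # per-rule packet counter, like OpenFlow flow statistics


FLOOD = -1  # pseudo-port: send out every port except the ingress port


class Controller:
    """Control plane: owns the MAC-to-port map and makes every forwarding decision."""

    def __init__(self):
        self.mac_to_port = {}
        self.packet_ins = 0  # how often the data plane had to ask the controller

    def packet_in(self, switch, pkt):
        """Southbound packet-in: decide, and push a rule so the switch can
        handle the next packet of this kind on its own."""
        self.packet_ins += 1
        self.mac_to_port[pkt.src_mac] = pkt.in_port  # learn where the sender lives
        out_port = self.mac_to_port.get(pkt.dst_mac, FLOOD)
        if out_port != FLOOD:  # only install a rule once the destination is known
            switch.install(FlowRule(dst_mac=pkt.dst_mac, out_port=out_port))
        return out_port


class Switch:
    """Data plane: an OpenFlow-style switch with a flow table and no logic of its own."""

    def __init__(self, controller):
        self.controller = controller
        self.flows = []

    def install(self, rule):
        self.flows.append(rule)
        self.flows.sort(key=lambda r: r.priority, reverse=True)

    def forward(self, pkt):
        for rule in self.flows:  # highest priority first
            if rule.dst_mac == pkt.dst_mac:
                rule.matched += 1
                return rule.out_port  # handled entirely in the data plane
        # table miss: the switch cannot decide, so it raises a packet-in
        return self.controller.packet_in(self, pkt)


def demo():
    """Three packets between two hosts; returns (ports used, packet-ins, rules)."""
    ctl = Controller()
    sw = Switch(ctl)
    h1, h2 = "00:00:00:00:00:01", "00:00:00:00:00:02"
    p1 = sw.forward(Packet(h1, h2, in_port=1))  # h2 unknown: flood, learn h1 at port 1
    p2 = sw.forward(Packet(h2, h1, in_port=2))  # h1 known: rule installed, out port 1
    p3 = sw.forward(Packet(h2, h1, in_port=2))  # matches the rule: no packet-in
    return (p1, p2, p3), ctl.packet_ins, len(sw.flows)


if __name__ == "__main__":
    print(demo())  # ((-1, 1, 1), 2, 1)
```

The third packet is the point of the split: it is forwarded by the switch alone, and the controller's packet-in counter stays at 2. This is also why a security module that must see every packet of some type (as the ARP IDPS proposed later does) has to refrain from installing rules for that type, otherwise the data plane short-circuits the controller.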
1.4 SDN AND CYBER SECURITY
As discussed, SDN gives a central configuration point for the whole network, and in
industrial networks this makes configuring the network very easy. Many
cyber-attacks can be easily mitigated using this approach, but at the same time some
other threats become easier. First, intrusion into the network is made
easier because there is only one ARP cache, the controller's, that needs to be corrupted for the
intrusion to succeed. Second, the threat of DoS and DDoS attacks remains the same
as before. As discussed above, these attacks are not caused by the user's fault;
they are caused by the network administrator's fault. This means that these attacks can only
be mitigated by enhancing the security configuration at the control plane.
The programmable interface of SDN makes it easier for the network
administrator to configure and evolve the configuration of the network. The
programmable interface also means that there are unlimited possibilities for
customizing the network configuration. This indicates that any type of mitigation
approach can be implemented on the controller easily.
In the case of intrusion into the network, ARP cache poisoning (ARP spoofing) must
be stopped. There are three different types of ARP spoofing attack: the ARP REQUEST
attack, where the ARP REQUEST packet carries malicious information; the ARP REPLY
attack, where the ARP REPLY carries malicious information; and the ARP REPLY
DESTINATION attack, where the destination address(es) of the ARP REPLY packet
are malicious. Ordinary ARP packets are used for MAC address spoofing, whereas
the Reverse Address Resolution Protocol (RARP) is mainly used for IP address
spoofing. ARP spoofing means either one or both at a time. When the intruder performs
both IP and MAC address spoofing he becomes invisible, as both of his addresses
in the ARP cache are fake. Detecting this requires a very effective IDPS.
In the case of a DDoS attack, mitigation becomes very difficult because in
flooding each individual packet looks like legitimate traffic. For this reason, the attack must be detected as
quickly as possible, because the longer the delay, the higher the chance that
the network resources will be exhausted.
1.5 RESEARCH CONTRIBUTIONS
This research proposes a new and extensive IDPS against ARP spoofing
attacks that checks not only MAC address but also IP address corruption in
the ARP cache of the SDN controller. The proposed IDPS works as a module of the
SDN controller instead of as an application. For the mitigation of DDoS, a few
Artificial Intelligence models are trained and deployed on the SDN controller to obtain
results. Those models include the Naïve Bayes classifier, Bayesian Network, Naïve
Bayes Trees, Best First Decision Tree and KNN. The results are then compared in terms
of both mitigation time and accuracy. This model is also deployed as a module of the SDN
controller instead of running as an application, which helps reduce mitigation time
and enhance the performance of the models. An abstract view of the proposed approach
is given in Figure 1.3.
CHAPTER 2
LITERATURE REVIEW
So far it has been discussed which attacks this research is going to mitigate,
and a basic idea of how the mitigation will be performed has been given. This
chapter discusses what work has already been done, and then analyzes what else
needs to be done.
2.1 STATE-OF-THE-ART APPROACHES
The authors of (Girdler & Vassilakis, 2021) proposed an IDPS against ARP
spoofing attacks; this IDPS matches the MAC address in the ARP packet against the
source MAC of the Ethernet frame in which the ARP packet is encapsulated. This technique has a
very high accuracy rate, but it could be improved if the current ARP table at the SDN
controller were also checked for whether an entry with the same IP or MAC already exists.
The authors of (Rangisetti et al., 2021) proposed a module that listens to DHCP
messages, LINK UP and LINK DOWN signals, and ARP packets to verify the
authenticity of the sender. Their module saves a copy of the DHCP data
and then compares the data in the ARP packet with the DHCP data; if the two
match, the packet is passed, otherwise it is dropped. Their
approach is very effective in detecting and preventing ARP spoofing attacks, but the
encapsulating Ethernet frame needs to be checked as well.
The authors of (Aldabbas & Amin, 2021) proposed a topology listener that keeps a
record of the nodes in the network. The first check applied is whether the IP
addresses in the ARP packet belong to the network; if not, the packet is
dropped. Then the IP-MAC table is checked for the entry from the ARP packet; if a
conflicting entry is found, the packet is dropped and the node that originated
the packet is blacklisted for a fixed amount of time. Their approach is good
and has strong control over the ARP spoofing attack, but it could be improved if
they also compared the MAC address of the incoming ARP packet with that of the Ethernet
frame encapsulating it.
The authors of (Darwesh et al., 2021) proposed an approach for mitigating ARP poisoning attacks by
adding a new module to the POX controller. Their module
checks the Ethernet frame wrapping the ARP packet; if the MAC address differs,
the packet is dropped and the switch port is blocked for some time. The switch
also saves a flow rule for the packet and drops all ARP packets with similar
information. In addition, no node is allowed to set its
IP address manually; only the DHCP server assigns addresses.
are created to respond to the packets, but this approach has very low accuracy due to an
imbalanced dataset; the results could be improved by using new and updated datasets.
The authors of (Tuan et al., 2020) proposed a DDoS mitigation technique that uses the KNN algorithm for
classification of malicious packets. They performed the
mitigation at the control plane of the SDN architecture instead of the application layer. This
really helped in improving the latency, but the dataset used was very old. The
technique will fail if implemented in a real-life scenario because KNN is a lazy
algorithm: it defers all computation to query time, so classification cost grows with the size of the training set.
The authors of (Badotra & Panda, 2021) proposed a DDoS attack mitigation technique using SVM for
classification. They were successful in
mitigating the DDoS attack and their technique achieved a good accuracy score, but their
approach was very slow and created high latency, which is problematic in industrial
networks; this could be solved by replacing the SVM with a faster
machine learning approach.
The authors of (Jamil et al., 2022) worked on both ARP spoofing and DDoS attack mitigation
approaches. They used the ARP table at the SDN controller and a
topology checker to mitigate the attacks, but they did not check the IP address,
only the MAC address, and the checks applied are very limited. In the case
of the DDoS attack the mitigation time was reduced, but they did not discuss the
accuracy of the approach, which is the key parameter of any algorithm. Also, the
result graph shows that the mitigation time fluctuates too much; their approach
is not stable enough to be implemented in a real-life scenario.
The authors of (Buzura et al., 2022) proposed an approach that uses the SDN data plane for ARP
spoofing mitigation instead of the control plane. Their approach
has four modules: the first monitors and regulates traffic, the second collects
traffic, the third analyzes traffic and the last decides whether to drop or forward
the packet. The only check they apply is against the ARP table at the SDN controller;
nothing else is checked, hence the methodology is very limited and weak.
The authors of (Varghese & Muniyal, 2021) used a Data Plane Development Kit (DPDK) based data plane for SDN and proposed a DDoS
attack detection approach named D3. Their approach
is a hybrid that uses both the data and control planes to speed up detection and
mitigation of the attack. They used statistical anomaly detection for
attack detection. Their approach reduced latency and improved
throughput, but the accuracy is comparatively very low.
The authors of (Haque et al., 2022) proposed a resilience algorithm that helps servers keep working even
under DDoS attack. They proposed a Master-Slave distributed
controller architecture for industrial networks based on SDN. The
additional controllers helped the network process the excessive number of
requests. They used a DDoS Attack Aware SDN Smart Controller Placement
Algorithm for controller placement. The parameter they used is the cost in terms
of money, because adding multiple controllers increases the cost. They
observed that the throughput of the network stays stable as the number of controllers
increases, but on the other hand the cost increases.
The authors of (Chen et al., 2022) proposed a Network Function Virtualization based shield against
DDoS attacks on the SDN control plane. Their approach uses
virtual OpenFlow switches alongside physical ones. This increases the number of
switches and decreases the chance of a bottleneck in the network, which also reduces
the chance of a DDoS attack on the network succeeding. The approach improved
throughput, and the response time of the servers and other devices was greatly reduced.
But since they used virtual switches, this increased the load on the CPU
and RAM of the controller, which is already busy handling OpenFlow messages.
The authors of (Dobrin & Dimiter, 2021) proposed an SDN-based DDoS detection approach.
They set a threshold for particular message types,
TCP-SYN, TCP-SYN-ACK, UDP and ICMP; if the number of packets of a type per
minute exceeded the threshold, all packets of that type were dropped for some
specific time. This approach is good and bad at the same time: the attack was
mitigated, and the response time and throughput of the network also improved, but
the rate of false positives is very high. This means that their approach classifies
legitimate traffic as DDoS attacks as well.
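The threshold scheme described above, as an added example written for this page and not taken from the cited paper: per-destination, per-type packet counts in fixed one-minute windows, a block on that packet type once a count passes the threshold, and a constructed trace containing both a SYN flood and a legitimate flash crowd, so the false-positive behaviour noted in the paragraph shows up in the counts. The thresholds, addresses, timings and class names are all this example's assumptions.

```python
from collections import defaultdict

BLOCK_SECONDS = 60.0  # how long a packet type stays blocked after an alert


class ThresholdDetector:
    """Counts packets per (destination, packet type) in fixed one-minute windows
    and blocks that type for BLOCK_SECONDS once the count passes the threshold."""

    def __init__(self, thresholds, window=60.0):
        self.thresholds = thresholds        # packet type -> max packets per window
        self.window = window
        self.counts = defaultdict(int)      # (dst, ptype, window index) -> count
        self.blocked_until = {}             # (dst, ptype) -> time the block expires
        self.alerts = []                    # (time, dst, ptype) per threshold crossing

    def handle(self, t, dst, ptype):
        """Return 'forward' or 'drop' for one packet seen at time t (seconds)."""
        key = (dst, ptype)
        if self.blocked_until.get(key, -1.0) > t:
            return "drop"
        limit = self.thresholds.get(ptype)
        if limit is None:
            return "forward"  # this type is not rate-limited
        bucket = (dst, ptype, int(t // self.window))
        self.counts[bucket] += 1
        if self.counts[bucket] > limit:
            self.blocked_until[key] = t + BLOCK_SECONDS
            self.alerts.append((t, dst, ptype))
            return "drop"
        return "forward"


def make_trace():
    """Constructed trace (not captured data): (time, dst, type, ground truth)."""
    trace = []
    for i in range(20):                      # 1 legitimate SYN/s to server A
        trace.append((float(i), "10.0.0.10", "SYN", "legit"))
    for i in range(500):                     # 500 attack SYNs in 5 s to server A
        trace.append((20.0 + i * 0.01, "10.0.0.10", "SYN", "attack"))
    for i in range(150):                     # flash crowd: 150 real SYNs in 10 s to server B
        trace.append((30.0 + i / 15.0, "10.0.0.20", "SYN", "legit"))
    return trace


def run(trace, threshold=100):
    """Replay the trace; return per-(ground truth, verdict) counts and the alerts."""
    det = ThresholdDetector({"SYN": threshold, "UDP": threshold, "ICMP": threshold})
    outcome = defaultdict(int)
    for t, dst, ptype, truth in trace:
        outcome[(truth, det.handle(t, dst, ptype))] += 1
    return dict(outcome), det.alerts


if __name__ == "__main__":
    counts, alerts = run(make_trace())
    print(counts)  # legit/forward 120, legit/drop 50, attack/forward 80, attack/drop 420
    print(alerts)  # two alerts: the flood on 10.0.0.10 and the flash crowd on 10.0.0.20
```

Two things the counts make concrete: the first 80 attack packets are forwarded before the threshold trips, which is the detection delay the thesis wants to minimise, and the flash crowd on 10.0.0.20 is blocked exactly like the flood, dropping 50 legitimate SYNs, because a pure per-type count has no feature that separates many real clients from one botnet.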
The authors of (Yurekten & Demirci, 2021) surveyed how secure SDN is, what the
challenges are and what solutions are available. Their
survey shows that every ARP spoofing approach has limited functionality and should
be extended.
2.2 TABULAR ANALYSIS OF LITERATURE REVIEW
In the case of DDoS attacks, work started long ago, but
many weaknesses are still left to cover. The comparison of DDoS attack mitigation
approaches is given in Table 2.2. This analysis will help in producing an accurate
problem statement.
Table 2.2: (Long & Jinsong, 2022) used a Stacked Sparse Auto Encoder and SVM; both algorithms do not perform well on a large dataset.
The analysis of DDoS attacks gives another problem: there is a need for an
approach that improves all three parameters, i.e. accuracy, mitigation time and
throughput.
2.3 PROBLEM STATEMENT
Industrial networks are more likely to suffer cyber-attacks because they possess
highly confidential data, and the damage there is much higher compared to an
attack on a personal network. In industrial networks, it has been noted that DDoS
and ARP spoofing attacks are still very successful because current mitigation
techniques lag in terms of latency, accuracy and throughput. For this reason, a new
strategy for the mitigation of these attacks on the SDN platform is needed.
2.4 RESEARCH OBJECTIVES
2. To propose a DDoS and ARP spoofing attack mitigation strategy using the SDN
controller
2.5 EXPECTED OUTCOME
The proposed strategy filters malicious packets, so the expected outcome
is that the malicious packets will be filtered and the industrial network will remain secure
from DDoS and ARP spoofing attacks. This is shown in Figure 2.1.
CHAPTER 3
PROPOSED STRATEGY
So far it has been discussed what the research gap is, what the research
objectives are, what exactly the problem to solve is and what the expected outcome of
this research is. This chapter discusses how the problem will be solved.
3.1 ARP SPOOFING ATTACKS MITIGATION
As discussed above, an ARP spoofing attack means corrupting the ARP cache. This
means that the ARP REQUEST or ARP REPLY packets carry false addresses, so that a
corrupt IP-MAC pair gets added to the ARP table at the SDN controller. ARP is used
to query a device for its MAC address and RARP is used to query a device for its
IP address; both can be used to poison the ARP cache.
The corrupted ARP cache makes the router, or in the case of this research the SDN
controller, think that a device is someone it is not. To get a better understanding of
the ARP spoofing attack and its possible results, Scenarios 1, 2 and 3 below visualize
the situation.
3.1.1 Scenario 1: Intruding in the Network When User is Blacklisted
Let us say there is a user whose MAC address is blacklisted on the network and who is
trying to connect to the network by corrupting the entries of the ARP table at the SDN controller.
This scenario is demonstrated in Figure 3.1. Host 4 is the attacker node trying to intrude
into the network even though its MAC address is blacklisted. The attacker may have very
malicious intentions for the intrusion, and after the intrusion irrecoverable damage can be
expected: the user may access the data on the server, flood the network with bogus
traffic making it busy and unusable by other users, and many more possibilities exist.
In the case of an industrial network, where highly confidential data is stored, this intrusion
can be disastrous. For example, in a university campus network an
intrusion of this type has the malicious intention of accessing and manipulating the data saved
on the servers, or of leaking the personal information of students and employees stored
there. The leaked personal information can be used for anything. There has to
be some mechanism implemented in the SDN controller for the detection and
prevention of this attack.
3.1.2 Scenario 2: Intruding in the Whitelisted Network
This scenario is similar to Scenario 1. Let us say there is a network where only
whitelisted MAC addresses can access the network. An intruder wants to get into the
network but his MAC address is not whitelisted, so he tries to corrupt the ARP table at
the SDN controller, as shown in Figure 3.2. As in Scenario 1,
host 4 is the attacker trying to intrude into the network. In industry such
networks are normally found in server rooms, where not only network intrusion but
physical intrusion is also very dangerous. If the intrusion succeeds, he may be
able to deliver irrecoverable damage to the network and the network resources. If
this type of intrusion happened in an industrial network, for example in the network of
some public sector organization that holds data about the citizens of a country, the
intrusion could cause major data leaks and the data on the servers could be manipulated
(Clavorà & Vallettiabc, 2016). To prevent this there has to be some mechanism
implemented at the SDN controller for the detection and prevention of this behavior.
3.1.3 Scenario 3: Man in the Middle Attack
The third scenario is a bit different from the previous ones; it
demonstrates the man-in-the-middle attack. Here the intruder behaves like
someone he is not. For instance, as shown in Figure 3.3, the intruder behaves like
the SDN controller or OpenFlow switch towards Host 2 and as Host 2 towards the SDN controller
or OpenFlow switch. This can also be done easily using ARP poisoning or spoofing
(Sebbar et al., 2018). This type of attack is done by sending malicious addresses in
the ARP REPLY packet, which corrupts the ARP cache/table of both the controller and
the host. The attacker in this scenario has performed both MAC and IP spoofing and
behaves differently towards different nodes. In this scenario the attacker can not only sniff the
information being communicated but can also manipulate it. In the SDN scenario, the SDN
controller behaves as the router. This means that if the victim is connected to the internet,
the attacker controls every flow of traffic; the attacker can control what the victim
will see and what he will not. In industrial networks this attack can have catastrophic
results. There has to be some mechanism in the SDN controller to prevent this
type of attack and avoid the damage.
3.1.4 Mitigation Strategy
As discussed in the first chapter, an extensive IDPS is proposed for the ARP spoofing
attack. The proposed IDPS has two modules, one for checking IP addresses and
the second for checking MAC addresses. Alongside these modules, the ARP cache
at the SDN controller is turned into a permanent ARP table at the SDN controller, because
cache memory is volatile and gets erased over time. The SDN controller also
acts as the DHCP server, and only DHCP-assigned IP addresses are able to communicate; for this
purpose a DHCP table is also maintained at the SDN controller. The controller never installs
flow rules for ARP packets on the switches, so that every ARP packet
is redirected to the SDN controller. As soon as a new IP address is assigned, an
ARP REQUEST packet is sent to the new IP address, and both the IP and MAC
address scanning modules scan the ARP REPLY. Similarly, if an IP address
gets disconnected its ARP entry is also deleted. The strategy is shown in Figure 3.4.
The IP address and MAC address scanning modules run one after the other and check the
ARP packet for possible malicious information. If either module drops the packet, the
packet is dropped by the SDN controller; otherwise it is forwarded.
Three types of ARP spoofing attack are mitigated by this methodology: the ARP REQUEST
attack, the ARP REPLY attack, and the ARP REPLY DESTINATION attack. In an ARP REQUEST
attack the ARP REQUEST packet is corrupted, in an ARP REPLY attack the ARP REPLY carries
malicious information, and in an ARP REPLY DESTINATION attack the destination addresses
in the ARP REPLY packet are corrupted.
Figure 3.4: Abstract Mitigation strategy for IDPS against ARP spoofing attack
3.1.4.1 IP address scanning module
This module scans the IP addresses of the ARP packet using the following checks:
1. If the sender or the receiver IP address of the ARP packet does not exist in the
DHCP table, the packet is dropped; if both exist it is forwarded.
2. If the sender or the receiver IP address already exists in the ARP table at the SDN
controller bound to a different MAC address, the packet is dropped; otherwise it is
forwarded.
3. If the sender and receiver IP addresses are in the IP whitelist, the packet is
processed; if they are not, the packet is forwarded.
4. If the sender or the receiver IP address is on the IP blacklist, the packet is
dropped; otherwise it is forwarded.
The checks are also shown in Figure 3.5. They minimise the chances of IP address
spoofing and of the man-in-the-middle attack. IP spoofing combined with MAC spoofing
creates a risky situation in which the attacker obtains a complete IP-MAC disguise and
becomes invisible; this invisibility can cause huge losses to the network owners.
3.1.4.2 MAC address scanning module
Similar to the IP address scanning module, this module scans the MAC addresses of the
ARP packet and of the Ethernet frame encapsulating it, using the following checks:
1. If the sender or the receiver MAC address in the ARP packet does not match the
corresponding address of the Ethernet frame, the packet is dropped; if both match it is
forwarded.
2. If the sender or the receiver MAC address already exists in the ARP table at the SDN
controller bound to a different IP address, the packet is dropped; otherwise it is
forwarded.
3. If the sender and receiver MAC addresses are in the MAC whitelist, the packet is
processed; if they are not, the packet is dropped.
4. If the sender or the receiver MAC address is on the MAC blacklist, the packet is
dropped; otherwise it is forwarded.
The checks are also shown in Figure 3.6. They minimise the chances of MAC address
spoofing and of the man-in-the-middle attack discussed in scenarios 1, 2 and 3.
Both modules work together to minimise the chance of intrusion, making it almost
impossible to intrude into the network using ARP spoofing and poisoning attacks. The
methodology covers the checks that previous approaches leave out, as discussed in
chapter 4, and this is what makes the proposed IDPS special. Its major contribution is
that the SDN controller itself sends the reply and that the checks are applied to both
IP and MAC addresses.
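As an added, stand-alone example (not the thesis's POX implementation), the following Python keeps the controller's tables as plain containers and applies the checks of the IP and MAC scanning modules, in that order, to hand-constructed ARP packets; a vetted ARP REQUEST is answered by the controller itself and a vetted ARP REPLY installs the IP-MAC binding. Assumptions of this example: the whitelist checks follow the MAC module's wording for both address types (a configured whitelist that does not contain the address drops the packet; an empty whitelist means none is configured), the controller's own address is pre-registered in both tables, the IP addresses are those of Table 4.1, and every MAC address is constructed.

```python
from collections import namedtuple

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
# An ARP packet plus the source/destination MACs of the Ethernet frame carrying it.
ArpPacket = namedtuple("ArpPacket", "opcode sender_ip sender_mac target_ip target_mac eth_src eth_dst")

class ControllerState:
    def __init__(self):
        self.dhcp_table, self.arp_table = set(), {}          # leased IPs; ip -> mac (permanent)
        self.ip_whitelist, self.ip_blacklist = set(), set()
        self.mac_whitelist, self.mac_blacklist = set(), set()

    def dhcp_link_down(self, ip):
        """DHCP LINK DOWN: a disconnected IP loses its lease and its ARP entry."""
        self.dhcp_table.discard(ip)
        self.arp_table.pop(ip, None)

def _bindings(pkt):
    """(ip, mac) pairs the packet asserts; a request carries no meaningful target MAC."""
    pairs = [(pkt.sender_ip, pkt.sender_mac)]
    if pkt.opcode == ARP_REPLY:
        pairs.append((pkt.target_ip, pkt.target_mac))
    return pairs

def _listed(kind, addr, whitelist, blacklist):
    """Checks 3 and 4: a configured whitelist must contain addr, the blacklist must not."""
    if whitelist and addr not in whitelist:
        return f"{kind} {addr} not whitelisted"
    if addr in blacklist:
        return f"{kind} {addr} blacklisted"
    return None

def scan_ip(pkt, st):
    """IP address scanning module. Returns a drop reason or None."""
    for ip in (pkt.sender_ip, pkt.target_ip):
        if ip not in st.dhcp_table:                           # check 1: DHCP table
            return f"ip {ip} not leased by DHCP"
        if reason := _listed("ip", ip, st.ip_whitelist, st.ip_blacklist):
            return reason
    for ip, mac in _bindings(pkt):                            # check 2: IP bound to another MAC
        if st.arp_table.get(ip, mac) != mac:
            return f"ip {ip} already bound to {st.arp_table[ip]}"
    return None

def scan_mac(pkt, st):
    """MAC address scanning module. Returns a drop reason or None."""
    if pkt.sender_mac != pkt.eth_src:                         # check 1: ARP vs Ethernet header
        return "arp sender mac differs from ethernet source"
    if pkt.opcode == ARP_REPLY and pkt.target_mac != pkt.eth_dst:
        return "arp target mac differs from ethernet destination"
    ip_of = {mac: ip for ip, mac in st.arp_table.items()}     # reverse view of the ARP table
    for ip, mac in _bindings(pkt):
        if ip_of.get(mac, ip) != ip:                          # check 2: MAC bound to another IP
            return f"mac {mac} already bound to {ip_of[mac]}"
        if reason := _listed("mac", mac, st.mac_whitelist, st.mac_blacklist):
            return reason
    return None

def handle_arp(pkt, st):
    """PacketIn handling: the two modules run in sequence and either one may drop the packet."""
    if reason := scan_ip(pkt, st) or scan_mac(pkt, st):
        return "drop", reason
    if pkt.opcode == ARP_REQUEST:                             # the controller answers itself
        mac = st.arp_table.get(pkt.target_ip)
        if mac is None:
            return "drop", f"no binding known for {pkt.target_ip}"
        return "reply", ArpPacket(ARP_REPLY, pkt.target_ip, mac, pkt.sender_ip,
                                  pkt.sender_mac, eth_src=mac, eth_dst=pkt.sender_mac)
    st.arp_table[pkt.sender_ip] = pkt.sender_mac              # a vetted reply installs the binding
    return "forward", None

# Constructed MACs for the Table 4.1 hosts and the controller; EVIL is an attacker-chosen MAC.
H1, H2, SRV = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:04"
CTRL, CTRL_IP, EVIL = "00:00:00:00:00:ff", "10.16.49.101", "00:00:00:00:00:aa"

def build_state():
    """Lease the hosts' IPs (DHCP LINK UP) and learn bindings from replies to the controller's probes."""
    st = ControllerState()
    st.dhcp_table.add(CTRL_IP)
    st.arp_table[CTRL_IP] = CTRL
    for ip, mac in (("10.0.0.1", H1), ("10.0.0.2", H2), ("10.0.0.4", SRV)):
        st.dhcp_table.add(ip)                                 # DHCP LINK UP
        probe_reply = ArpPacket(ARP_REPLY, ip, mac, CTRL_IP, CTRL, mac, CTRL)
        assert handle_arp(probe_reply, st)[0] == "forward"
    return st

def demo():
    """Verdicts for a legitimate request, an IP spoof, a MAC spoof and an unleased host."""
    st = build_state()
    pkts = [ArpPacket(ARP_REQUEST, "10.0.0.2", H2, "10.0.0.4", ZERO_MAC, H2, BROADCAST),
            ArpPacket(ARP_REPLY, "10.0.0.4", H1, "10.0.0.2", H2, H1, H2),  # host 1 claims server IP
            ArpPacket(ARP_REQUEST, "10.0.0.1", H1, "10.0.0.4", ZERO_MAC, EVIL, BROADCAST),
            ArpPacket(ARP_REQUEST, "10.0.0.9", EVIL, "10.0.0.4", ZERO_MAC, EVIL, BROADCAST)]
    return [handle_arp(p, st)[0] for p in pkts]

if __name__ == "__main__":
    print(demo())
```

Because the IP module runs first, an address that is already bound to a different MAC in the ARP table is rejected before the MAC module looks at the Ethernet header; the MAC module's first check is what catches the third packet above, where the ARP body carries host 1's legitimate MAC but the frame that delivers it carries a different one.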
DDOS ATTACK MITIGATION
A DDoS attack is performed by sending a huge number of requests to a network resource,
as discussed above. The main targets of this attack are web servers, as they are
comparatively easy to reach from all over the world. A DDoS attack can be carried out in
several ways, but its goal is always to exhaust the resources of the server and keep it
so busy that it starts denying the service it was providing.
To perform a DDoS attack, the attacker first builds a botnet: a network of computers
that the attacker has infected so that they follow his orders and wait for his signal.
When the signal comes, they start flooding the target server with bogus and malformed
requests, sending packets in abundance.
3.2.1 Types of DDoS Attack
There are two major types of DDoS attack, flooding and Slowloris. Both have the same
goal: forcing the server to deny its services.
3.2.1.1 Flooding
This type of attack floods the server with ICMP, UDP or TCP-SYN packets. The number of
requests grows to such an extent that the server's buffers overflow and it starts
denying service to multiple users. The huge number of requests also consumes the
server's bandwidth, and the payload of the packets is deliberately inflated so that the
attack fills both the bandwidth of the attacked network and the buffers of the target
server. The high number of requests keeps the server busy, while altered flags and
parameters in the packets exhaust the server's resources and force it to deny its
services: the server halts, user requests remain unattended, and the service stops.
3.2.1.2 Slowloris
Unlike flooding, Slowloris does not rely on volume: it opens many HTTP connections to
the target and keeps each one alive by sending partial request headers at a slow rate,
so the server's pool of concurrent connections is exhausted while very little bandwidth
is used.
3.2.2 Purpose of DDoS attack
A DDoS attack is not performed to gain access but to force the server to deny its
services. Such attacks are launched by competitors to gain a small edge, by script
kiddies for fun, and in cyber warfare a few governments fund attacks on rivals' websites
to cause frustration. The ultimate consequence of the attack is loss of business,
revenue and reputation, and once the reputation of an organization is damaged it
becomes very difficult to regain the trust of customers.
3.2.3 Dataset
The dataset used in this research is a traffic capture of a Mininet tree topology
simulation (Housman et al., 2020). The Mininet tree topology reflects the connection
layout used in industrial data centres. The topology has 4 servers, and the other hosts
access services from these servers. The dataset has 25 features in total; the captured
parameters include the packet protocol, packet size, payload size, packet sequence
number, packet header size, the sending and receiving IP addresses and the sending and
receiving ports. All of these features are captured and used for classification. There
are 6 class labels, three malicious and three benign, and each class has 100 thousand
captured network packets, so the dataset is balanced. A balanced dataset makes sure that
the artificial intelligence model learns every class equally, which helps
classification. The dataset is already divided into training and test parts: 70% of the
dataset is in the training part and the remaining 30% in the test part.
3.2.4 Mitigation Strategy
To mitigate the DDoS attack, several artificial intelligence algorithms are applied and
the best one is selected. As discussed, a DDoS attack consists of a series of packets of
different types sent towards the target server in abundance, which suggests a Bayesian,
conditional probabilistic relation within the data. For this reason, this research uses
a Bayesian Network for the classification of normal and malicious packets, and then
compares the results with other algorithms: Naïve Bayes, Artificial Neural Network
(ANN), Support Vector Machine (SVM), K Nearest Neighbour (KNN), Decision Tree, Random
Forest and Extreme Gradient Boosting.
have happened, and finds the probability that event B occurs given that event A has
happened. The formula for this conditional probability is given in equation (1). After
computing the conditional probability of every event, the classifier predicts the event
with the highest probability; the event here is the class label to be predicted. This
means the classifier can be used wherever the data has a conditional probabilistic
structure.

$$P(A \mid B) = \frac{P(B \mid A)\,P(A)}{P(B)} \qquad (1)$$
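As an added example (not code from the thesis), the following Python applies equation (1) to packet classification. The thesis uses a Bayesian network over the dataset's features; this block shows the simpler naive Bayes special case, which assumes the features are conditionally independent given the class, so that P(B | A) factorises into one term per feature. The training records, their three categorical features and the Laplace smoothing parameter alpha are assumptions of this example; smoothing is what keeps a feature value never seen for some class from forcing that class's posterior to zero.

```python
from collections import Counter, defaultdict
from math import exp, log

# Constructed training records: (protocol, payload-size bucket, TCP flags) -> class.
TRAIN = [
    (("tcp", "small", "syn"), "syn_flood"), (("tcp", "small", "syn"), "syn_flood"),
    (("tcp", "small", "syn"), "syn_flood"), (("tcp", "small", "syn"), "benign"),
    (("tcp", "large", "ack"), "benign"), (("tcp", "medium", "ack"), "benign"),
    (("udp", "medium", "-"), "benign"), (("udp", "large", "-"), "udp_flood"),
    (("udp", "large", "-"), "udp_flood"), (("udp", "large", "-"), "udp_flood"),
    (("icmp", "large", "-"), "icmp_flood"), (("icmp", "large", "-"), "icmp_flood"),
    (("icmp", "small", "-"), "benign"),
]


class NaiveBayes:
    """Categorical naive Bayes: P(class | features) via equation (1) with independent features."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                         # Laplace smoothing: an unseen value is not P = 0
        self.class_count = Counter()               # class -> number of training records
        self.value_count = defaultdict(Counter)    # (feature index, class) -> Counter of values
        self.values = defaultdict(set)             # feature index -> values seen in training

    def fit(self, records):
        for features, label in records:
            self.class_count[label] += 1
            for i, v in enumerate(features):
                self.value_count[(i, label)][v] += 1
                self.values[i].add(v)
        return self

    def log_joint(self, features):
        """log P(A) + sum_i log P(B_i | A) for every class A: the numerator of (1) in log space."""
        n = sum(self.class_count.values())
        scores = {}
        for c, nc in self.class_count.items():
            s = log(nc / n)                                        # prior P(A)
            for i, v in enumerate(features):
                k = len(self.values[i])                            # distinct values of feature i
                s += log((self.value_count[(i, c)][v] + self.alpha) / (nc + self.alpha * k))
            scores[c] = s
        return scores

    def posteriors(self, features):
        """Divide by P(B), the sum of the joints over all classes, giving P(A | B) per class."""
        joint = {c: exp(s) for c, s in self.log_joint(features).items()}
        z = sum(joint.values())
        return {c: j / z for c, j in joint.items()}

    def predict(self, features):
        """The class with the highest posterior, and that posterior."""
        post = self.posteriors(features)
        best = max(post, key=post.get)
        return best, post[best]


if __name__ == "__main__":
    model = NaiveBayes().fit(TRAIN)
    for x in [("tcp", "small", "syn"), ("tcp", "large", "ack"), ("gre", "large", "-")]:
        print(x, model.predict(x))
```

The last query uses a protocol that never appears in the training records; without smoothing every class would score zero for it and the argmax would be meaningless, which is the failure mode to watch for when a classifier trained on one capture meets live traffic.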
3.2.4.3 Artificial Neural Network (ANN)
An artificial neural network is a simulation of human-like neurons that lets a computer
learn in a way that resembles human learning. The network is created by programming the
neurons and interconnecting them. The interconnections help the network learn the
dataset quickly and learn the correlations within it; classification is performed by
finding the correlation between the features and the class label, and that correlation
is then applied to the test data. In this research an artificial neural network is
trained on the dataset to classify the network traffic with its respective label.
The ANN used for this purpose has a multi-layer architecture with 6 layers in total: an
input layer, four hidden layers, of which the first two apply 40% dropout and the last
two are plain fully connected layers, and an output layer. This is shown in Figure 3.8.
Figure 3.8 ANN layers
predicted class will be the class with the highest number of training instances in the
training dataset.
The decision tree algorithm is a supervised learning algorithm that classifies data on
the basis of how previous events have behaved, so it has to be fed with a training
dataset. The model has the structure of a tree data structure (not necessarily a binary
tree): a root node, then decision nodes, and finally leaf nodes, which are the
classification nodes. The tree is traversed according to the test data, with every
decision made on the test data until a leaf node is reached. This can also be imagined
as a deeply nested chain of if-else conditions.
CHAPTER 4
The previous chapters discussed what the problem is, why it is a problem and how it can
be solved. This chapter discusses how the proposed strategy is implemented, what the
results are and how they compare with previous approaches.
The simulation was done with the POX SDN controller integrated with the Mininet SDN
emulator. Mininet was installed on the physical machine rather than used as a VM. The
machine used for the simulation has a Core i5 2520M processor and 12 GB of RAM. The
topology used has 4 hosts connected in a single topology, as shown in Figure 4.1; host 4
acts as the server and host 1 as the attacker. The l3_learning module of the POX
controller is executed, and the controller also acts as the DHCP server using the
isc-dhcp-server module. The attacker host has the arpspoof and driftnet tools installed
for the attack. The IP configuration of the Mininet topology is given in Table 4.1. The
POX controller listens on its default address and port, 127.0.0.1:6633, and the switches
are configured with a remote controller at that same address.
Table 4.1: IP configuration of the testing network topology
Device IP address
Host 1 (Attacker) 10.0.0.1
Host 2 10.0.0.2
Host 3 10.0.0.3
Host 4 (Server) 10.0.0.4
SDN controller 10.16.49.101
Figure 4.1: Test topology
The implementation works by monitoring PacketIn events. A PacketIn event occurs when a
packet matches no flow entry on the switch and is therefore forwarded to the SDN
controller. The first rule embedded on the switch is that no flow rule is ever installed
for ARP and DHCP packets, which makes sure that all ARP and DHCP packets are forwarded
to the controller and makes the controller the data gathering point. When a packet is
received, its type is checked first. If it is an ARP REPLY packet, the checks discussed
above are applied and the fate of the packet is decided. If it is an ARP REQUEST packet,
the checks are applied and the ARP REPLY packet is generated on the SDN controller using
the Scapy Python library. If it is a DHCP LINK UP or DHCP LINK DOWN packet, the DHCP and
ARP tables at the SDN controller are updated.
This functionality minimises the chances of a successful attack with a constant number
of checks and lines to be executed, which means the time taken is not, or only
slightly, affected by the number of nodes in the network; the slight effect is due to
bandwidth consumption. Overall the mitigation time is projected to be stable. To
understand how the proposed IDPS performs against the different types of ARP spoofing
attack, each attack is discussed separately below.
For the ARP REQUEST attack, the IP addresses of both sender and receiver and the MAC
address of the sender are observed and verified against the Ethernet frame, the
blacklist and whitelist, the ARP table at the SDN controller and the DHCP table.
The results of the ARP REQUEST attack mitigation are given in Figure 4.2. 25 packets
originated from the hosts and were checked by the controller. The time taken is stable,
with no large fluctuations; the slight increases and decreases are due to network
bandwidth usage. The average mitigation time and its comparison with previous
approaches are given in Table 4.2.
Table 4.2: ARP REQUEST attack mitigation time
Reference Mitigation time (seconds)
(Girdler & Vassilakis, 2021) 2.204
(Tchendji et al., 2021) 1.739
(Rangisetti et al., 2021) 1.876
(Aldabbas & Amin, 2021) 1.676
(Darwesh et al., 2021) 0.150
(Sahay et al., 2019) 1.411
(Jamil et al., 2022) 0.173
(Buzura et al., 2022) 0.102
Proposed Approach 2.183
Figure 4.2: ARP REQUEST attack mitigation time
The ARP REPLY attack is only possible when the ARP REQUEST is sent by the controller
itself, because the reply to any ARP REQUEST from a host is given by the controller
using the Scapy library for Python. With the current methodology, where the SDN
controller keeps a permanent ARP table instead of an ARP cache, this case only arises
when a new IP is assigned to a device: the SDN controller sends a new ARP REQUEST
packet and the device gives the ARP REPLY. This ARP REPLY packet can be malicious or
carry false information, so its source and destination IP and MAC addresses are
checked: whether the IP addresses exist in the DHCP table, whether the IP and MAC
addresses already have an entry in the ARP table at the SDN controller, and whether the
MAC addresses match those of the Ethernet frame encapsulating the ARP packet. The
results are very supportive and are shown in Figure 4.3. This ensures that neither the
ARP REPLY nor the ARP REPLY DESTINATION attack succeeds.
Like the ARP REQUEST attack, the ARP REPLY and ARP REPLY DESTINATION attacks also show
a stable response time. The average mitigation time and its comparison with previous
approaches are given in Table 4.3.
Figure 4.3: ARP REPLY attack mitigation time
The mitigation time is not very different from that of the previous approaches, even
with this extensive methodology and the additional checks. The number of checks is
compared in Table 4.4. The proposed IDPS can therefore be deployed in an industrial
network to prevent intrusions, since, as discussed above, intrusions into industrial
networks can cause drastic and irrecoverable damage.
Table 4.4: Number of checks applied by every approach
Reference Number of checks
(Girdler & Vassilakis, 2021) 3
(Tchendji et al., 2021) 1
(Rangisetti et al., 2021) 2
(Aldabbas & Amin, 2021) 2
(Darwesh et al., 2021) 1
(Sahay et al., 2019) 2
(Jamil et al., 2022) 1
(Buzura et al., 2022) 1
Proposed Approach 4
The DDoS attack simulation was done on the same machine as the ARP spoofing mitigation.
The machine has an i5-2520M processor and 16 GB of RAM and runs the Ubuntu 22.04
operating system. The Mininet SDN emulation tool is used for the simulation of the
proposed approach; Mininet comes in two forms, pre-installed in a virtual machine and
installable as a tool on a physical machine. The open source POX SDN controller is
integrated with Mininet as the SDN controller. As DDoS attacks mainly target industrial
servers and networks, this research used the fat tree topology that is most common in
industrial networks. To create the tree topology, the depth of the tree was set to 3 and
the fanout to 4, which gives 64 hosts; 4 of them are servers, and server 1 is the one
under attack. The Low Orbit Ion Cannon (LOIC) tool is used to perform the DDoS attack.
LOIC is a network stress-testing and DoS attack tool, used here to stress the network
with ICMP, TCP and UDP traffic. It is combined with the Scapy Python library to launch
the attack from multiple hosts in the network. During the attack each attacking IP
address generated 150 to 200 requests per second. When this huge number of requests
reached the servers, the load balancing module of the SDN controller divided the packets
evenly, so that on the server side there were on average 1000 requests per second. This
high number of requests affected the latency of the network, and the average server
response time increased from 1 ms to 250 ms. As soon as the attack was mitigated, the
latency returned to the normal 1 ms.
An OpenFlow PacketIn message is raised when a packet matches no installed flow rule, for
example when a new type of packet arrives or a packet arrives from a new host. For every
PacketIn event the DDoS attack mitigation model is executed and decides whether the
packet belongs to a DDoS attack or is normal, which requires the execution time of the
model to be as short as possible. If the packet is classified as malicious, its IP
address is added to the blacklist for 24 hours and all traffic from that IP is blocked
for that period.
To maximise the classification accuracy and minimise the error in the model's
predictions, the noise in the input variables given to the artificial intelligence
model needs to be reduced. This noise is part of the features of the dataset, so the
features have to be reduced to those with a high impact on the output class. An optimal
feature set reduces the error and improves the accuracy of the model; this reduction
process is called feature selection.
This research also performs feature selection to reduce noise, reduce the problem of
overfitting and improve the accuracy of the model. It also excludes ambiguous features,
i.e. features with an ambiguous source of extraction: they may increase the accuracy,
but in real-time use they are very likely to cause false alarms.
For feature selection this research used the Pearson correlation coefficient, which
measures the linear relation between two variables, here between each feature and the
class. The features with a positive correlation of more than 0.7 (70%) with the output
class label were chosen. The chosen features are:
1. Sender IP
2. Receiver IP
3. Sender Port
4. Receiver Port
5. Packet type
6. Protocol
7. Payload size
8. Sequence Number
9. Header length
The artificial intelligence models were trained on these features from the dataset.
Training a model means making it learn which kind of feature values result in which
output. In this research these nine features are used to predict the output class of
the packet.
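As an added example (not the thesis's feature-selection code), the following Python computes Pearson r between each feature column and the label over a small constructed set of packet records and keeps the features whose r exceeds 0.7, the rule stated above. The records, the two-class 0/1 label encoding (the thesis's dataset has six classes) and the column names are assumptions of this example; the header length column is deliberately constant to show how a feature with no variance is handled.

```python
from math import sqrt

# Constructed per-packet records; label 0 = benign, 1 = malicious (an assumption of this
# example). Payload and packet size separate the classes; header length is constant; ttl is noise.
ROWS = [
    {"payload_size": 60,   "packet_size": 80,   "header_length": 20, "ttl": 64,  "label": 0},
    {"payload_size": 80,   "packet_size": 100,  "header_length": 20, "ttl": 128, "label": 0},
    {"payload_size": 120,  "packet_size": 140,  "header_length": 20, "ttl": 64,  "label": 0},
    {"payload_size": 100,  "packet_size": 120,  "header_length": 20, "ttl": 128, "label": 0},
    {"payload_size": 90,   "packet_size": 110,  "header_length": 20, "ttl": 64,  "label": 0},
    {"payload_size": 1400, "packet_size": 1420, "header_length": 20, "ttl": 64,  "label": 1},
    {"payload_size": 1200, "packet_size": 1220, "header_length": 20, "ttl": 128, "label": 1},
    {"payload_size": 1500, "packet_size": 1520, "header_length": 20, "ttl": 64,  "label": 1},
    {"payload_size": 1300, "packet_size": 1320, "header_length": 20, "ttl": 128, "label": 1},
    {"payload_size": 1450, "packet_size": 1470, "header_length": 20, "ttl": 64,  "label": 1},
]


def pearson(xs, ys):
    """Pearson r of two equal-length sequences; 0.0 when either one has no variance."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:          # a constant column carries no information about the label
        return 0.0
    return sxy / sqrt(sxx * syy)


def correlations(rows, label):
    """Pearson r between every feature column and the label column."""
    names = [k for k in rows[0] if k != label]
    ys = [float(r[label]) for r in rows]
    return {name: pearson([float(r[name]) for r in rows], ys) for name in names}


def select_features(rows, label, threshold=0.7):
    """Keep the features whose positive correlation with the label exceeds the threshold."""
    return {name: r for name, r in correlations(rows, label).items() if r > threshold}


if __name__ == "__main__":
    for name, r in correlations(ROWS, "label").items():
        print(f"{name:14s} r = {r:+.3f}")
    print("selected:", sorted(select_features(ROWS, "label")))
```

Two caveats when applying the rule to real captures: Pearson r measures only linear association, so a feature that separates the classes non-linearly can score near zero, and a positive-only threshold silently discards a feature whose correlation with the label is strongly negative; selecting on |r| avoids the second problem.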
This research proposes the use of a Bayesian Network for this purpose, and the results
show that the Bayesian Network outperformed every other approach in terms of accuracy
and attack detection time. The accuracy of the machine learning algorithms is compared
in Table 4.5.
Table 4.5: Accuracy of the machine learning algorithms
Algorithm Accuracy
Extreme Gradient Boost 99.02%
Bayesian Network 99.88%
Decision Tree 99.64%
Random Forest 99.75%
Support Vector Machine 93.60%
Naive Bayes 99.60%
KNN 91.27%
ANN 98.57%
High accuracy is important so that the DDoS attack is classified correctly, and it is
equally important to detect the attack as soon as possible. Table 4.6 shows the time
taken by the different algorithms to detect and mitigate the attack.
SUMMARY
Intrusions into industrial networks are drastic and catastrophic because their
consequences may take the form of major data breaches or leaks. The previous approaches
perform well, but their functionality was very limited and could be bypassed easily.
This thesis proposes a new IDPS against ARP spoofing attacks with an extensive
methodology and security checks applied to both IP and MAC addresses. The proposed IDPS
covers the attack from almost every intrusion perspective: when an ARP packet reaches
the OpenFlow switch it is forwarded to the SDN controller, which applies the checks
discussed before. If it is an ARP REQUEST packet, the ARP REPLY is generated by the SDN
controller, and if it is an ARP REPLY packet, the ARP table at the SDN controller is
updated. Even with these extensive checks, the mitigation time is not very different
from that of the previous approaches, because the number of checks does not depend on
anything; it is constant.
The DDoS attack, which exhausts a server's resources with a huge number of requests, is
mitigated by employing machine learning algorithms. This research proposed the Bayesian
Network algorithm for DDoS attack mitigation, and the results show that the Bayesian
network is very effective in terms of both attack mitigation time and attack detection
accuracy.
In future work the mitigation time needs attention, because at more than 2 seconds it
is currently very high; it could be lowered by optimising the packet-check approach, by
multithreading or parallel execution of the checks, or by GPU-accelerated development.
The number of checks can also be optimised by simplifying them or by enhancing the
methodology to make sure that ARP spoofing is not possible. For the DDoS attack, deep
reinforcement learning will be implemented.
LITERATURE CITED
Abbasi, M., Maleki, S., Jeon, G., Khosravi, M. R., & Abdoli, H. (2022). An intelligent
method for reducing the overhead of analysing big data flows in Openflow
Aldabbas, H., & Amin, R. (2021). A novel mechanism to handle address spoofing
https://doi.org/10.1007/s10586-021-03309-0
Alhaj, A. N., & Dutta, N. (2022). Analysis of Security Attacks in SDN Network: A
Babiceanu, R. F., & Seker, R. (2019). Cyber resilience protection for industrial internet
Badotra, S., & Panda, S. N. (2021). SNORT based early DDoS detection system using
https://doi.org/10.1007/s10586-020-03133-y
Balarezo, J. F., Wang, S., Chavez, K. G., Al-Hourani, A., & Kandeepan, S. (2022). A
Buzura, S., Lehene, M., Iancu, B., & Dadarlat, V. (2022). An Extendable Software
Chen, K.-Y., Liu, S., Xu, Y., Siddhrau, I. K., Zhou, S., Guo, Z., & Chao, H. J. (2022).
https://doi.org/10.1109/TNET.2021.3105187
https://doi.org/10.1016/j.econlet.2016.10.005
Crenn, H. (2021). Data breaches in the era of covid-19: Silent identity collection as an
Dobrin, D., & Dimiter, A. (2021). DDoS attack identification based on SDN. 2021
Eliyan, L. F., & Di Pietro, R. (2021). DoS and DDoS attacks in Software Defined
https://doi.org/10.1016/j.future.2021.03.011
Espinel Sarmiento, D., Lebre, A., Nussbaum, L., & Chari, A. (2021). Decentralized
https://doi.org/10.1109/COMST.2021.3050297
Gadze, J. D., Bamfo-Asante, A. A., Agyemang, J. O., Nunoo-Mensah, H., & Opare, K.
ARP spoofing attacks and Blacklisted MAC Addresses. Computers & Electrical
Haque, M. R., Tan, S. C., Yusoff, Z., Nisar, K., Kaspin, R., Haider, I., Nisar, S.,
S., Rawat, D. B., Etengu, R., & Buyya, R. (2022). Unprecedented Smart
https://doi.org/10.32604/cmc.2022.018505
https://doi.org/10.17632/hkjbp67rsc.1
Hu, T., Zhang, Z., Yi, P., Liang, D., Li, Z., Ren, Q., Hu, Y., & Lan, J. (2021). SEAPP:
Jain, A. K., & Gupta, B. B. (2022). A survey of phishing attack techniques, defence
Jamil, F., Jamil, H., & Ali, A. (2022). Spoofing Attack Mitigation in Address
https://doi.org/10.26735/VBVS3993
Kolevski, D., Michael, K., Abbas, R., & Freeman, M. (2021). Cloud computing data
https://doi.org/10.1109/ISTAS52410.2021.9629173
Lee, L.-H., Braud, T., Zhou, P., Wang, L., Xu, D., Lin, Z., Kumar, A., Bermejo, C., &
Hui, P. (2021). All One Needs to Know about Metaverse: A Complete Survey on
https://doi.org/10.48550/arXiv.2110.05352
Long, Z., & Jinsong, W. (2022). A hybrid method of entropy and SSAE-SVM based
https://doi.org/10.3390/encyclopedia2010031
Ning, H., Wang, H., Lin, Y., Wang, W., Dhelim, S., Farha, F., Ding, J., & Daneshmand,
https://doi.org/10.48550/arXiv.2111.09673
Oliveira, T. F., Xavier-de-Souza, S., & Silveira, L. F. (2021). Improving Energy
Pourbabak, H., Chen, T., & Su, W. (2019). 8—Emerging data encryption methods
08-102207-8.00008-4
Rangisetti, A. K., Dwivedi, R., & Singh, P. (2021). Denial of ARP spoofing in SDN
3172. https://doi.org/10.1007/s10586-021-03328-x
Sahay, R., Meng, W., Estay, D. A. S., Jensen, C. D., & Barfod, M. B. (2019).
736–750. https://doi.org/10.1016/j.future.2019.05.049
Saravanan, A., & Bama, S. S. (2019). A Review on Cyber Security and the Fifth
Sebbar, A., Boulmalf, M., Dafir Ech-Cherif El Kettani, M., & Baddi, Y. (2018).
https://doi.org/10.1109/CIST.2018.8596479
Shah, H., & Comissiong, D. M. G. (2021). Computer Virus Model with Stealth Viruses
Shohani, R. B., Mostafavi, S., & Hakami, V. (2021). A Statistical Model for Early
https://doi.org/10.1016/S0262-4079(21)01450-0
Tan, L., Pan, Y., Wu, J., Zhou, J., Jiang, H., & Deng, Y. (2020). A New Framework for
161908–161919. https://doi.org/10.1109/ACCESS.2020.3021435
Tchendji, V. K., Mvah, F., Djamegni, C. T., & Yankam, Y. F. (2021). E2BaSeP:
Efficient Bayes Based Security Protocol Against ARP Spoofing Attacks in SDN
https://doi.org/10.1007/s41635-020-00105-x
Tuan, N. N., Hung, P. H., Nghia, N. D., Tho, N. V., Phan, T. V., & Thanh, N. H. (2020).
Varghese, J. E., & Muniyal, B. (2021). An Efficient IDS Framework for DDoS Attacks
https://doi.org/10.1109/ACCESS.2021.3078065
Vinitha, K., Ambrose Prabhu, R., Bhaskar, R., & Hariharan, R. (2020). Review on
Yeh, W.-C., Lin, E., & Huang, C.-L. (2021). Predicting Spread Probability of Learning-
Yin, S., Li, X., Gao, H., & Kaynak, O. (2015). Data-Based Techniques Focused on
Yurekten, O., & Demirci, M. (2021). SDN-based cyber defense: A survey. Future