An Optimal Framework for SDN Based on Deep Neural Network

Abdallah Abdallah,Mohamad Khairi Ishak,Nor Samsiah Sani,Imran Khan,Fahad R.Albogamy,Hirofumi Amano and Samih M.Mostafa

1Department of Industrial Engineering,School of Applied Technical Sciences German Jordanian University,Amman,35247,Jordan

2School of Electrical and Electronic Engineering,Universiti Sains Malaysia,Nibong Tebal,14300,Malaysia

3Center for Artificial Intelligence Technology,Faculty of Information Science and Technology,The National University of Malaysia(UKM),Bangi,43600,Selangor,Malaysia

4Department of Electrical Engineering,University of Engineering and Technology,Peshawar,814,Pakistan

5Turabah University College,Computer Sciences Program,Taif University,Taif,21944,Saudi Arabia

6Research Institute for Information Technology,Kyushu University,Fukuoka,819-0395,Japan

7Computer Science-Mathematics Department,Faculty of Science,South Valley University,Qena,83523,Egypt

Abstract:Software-defined networking (SDN) is a new paradigm that promises to change by breaking vertical integration,decoupling network control logic from the underlying routers and switches,promoting (logical)network control centralization,and introducing network programming.However,the controller is similarly vulnerable to a “single point of failure”,an attacker can execute a distributed denial of service (DDoS) attack that invalidates the controller and compromises the network security in SDN.To address the problem of DDoS traffic detection in SDN,a novel detection approach based on information entropy and deep neural network(DNN) is proposed.This approach contains a DNN-based DDoS traffic detection module and an information-based entropy initial inspection module.The initial inspection module detects the suspicious network traffic by computing the information entropy value of the data packet’s source and destination Internet Protocol(IP)addresses,and then identifies it using the DDoS detection module based on DNN.DDoS assaults were found when suspected irregular traffic was validated.Experiments reveal that the algorithm recognizes DDoS activity at a rate of more than 99%,with a much better accuracy rate.The false alarm rate (FAR) is much lower than that of the information entropy-based detection method.Simultaneously,the proposed framework can shorten the detection time and improve the resource utilization efficiency.

Keywords:Deep neural network;computer networks;data security;optimization

1 Introduction

Distributed denial of service (DDoS) has always been one of the main threats to the Internet[1-4].The DDoS attackers scan the network to find the vulnerable hosts and use these vulnerable hosts as the puppet machine to send a large number of request packets to the target server,causing the target host to lose its service function and cause network failure.There are many types of DDoS attacks,and the more common ones are distributed reflection DoS attacks using user datagram protocol (UDP) and the use of transmission control protocol (TCP) three-way handshake process attacks such as synchronize (SYN) flood attacks,etc.[5].Nowadays,the network mostly adopts distributed architecture.This network architecture was originally constructed to reflect its highly scalable distributed structure,but it also led to the emergence of many security vulnerabilities[6].The software defined network(SDN),as a new network architecture,has gradually become popular and has been widely studied,and is considered as the direction of network development[7].Therefore,regarding the prevention of DDoS attacks in SDN networks,its safety is very important[8].

SDN is an implementation of network virtualization.It separates the control and data layers of the network to achieve the purpose of“software management network”.The control layer of the SDN can centrally control the information of the entire network.A programming interface is convenient for the network administrators to manage the network.The centralized control of the SDN makes the controller the main target of DDoS attackers[9].When the attacker launches a DDoS attack on the SDN,in order to pass the network security equipment,disguising the source IP address,the switch continuously receives a large number of data packets,which are not in the original flow table.The controller continuously receives the forwarded data packets from the switch and becomes the target of attack.When the controller’s resources are exhausted,the entire SDN network is paralyzed.Therefore,timely detection and termination of DDoS attack traffic in the SDN network has become a current research hotspot.But how to detect the abnormal traffic in time and accurately identify has become a difficult point in current research[10].

In order to defend against DDoS attacks,how to find the abnormal traffic in the network is the main research method.In most cases,the attackers disguise abnormal traffic as normal traffic,so it is difficult to distinguish the detection methods based on information entropy and detection based on machine learning.The method is two of many detection methods,but both of these detection methods have shortcomings.The detection algorithm based on information entropy has a fast detection speed and does not need to construct more traffic characteristics.But compared with the algorithm based on machine learning(ML),there exists the disadvantages of low accuracy and high FAR.The DDoS traffic recognition method based on ML has a high accuracy rate (AR),but it needs to manually construct more traffic characteristics during the detection process,which affects the detection speed.So how to find a method,which not only has a high detection rate(DR)of abnormal traffic,but also has the ability to respond to high-speed traffic and detection efficiency,that has become a difficult point and challenge for research.

The emergence of deep learning (DL) algorithms solves the limitations of ML.The process of DL is to use multiple processing layers to abstract high-level data to obtain multiple nonlinear transformation functions.Deep neural network(DNN)in the image recognition,speech recognition and other fields have achieved good results.Compared with traditional ML,the DNNs combine low-level features to form more abstract high-level representations through multi-layer non-linear transformations,so that a learning system cannot rely on artificial feature selection,and found that the distributed nature of data representation,and learn to express complex function[11].With the continuous development of graphical processing unit(GPU)technology and a variety of deep learning(DL) platform,making the depth of the neural network can quickly process huge amounts of data classification[12,13].Therefore,based on the DNN to identify the abnormal DDoS traffic,there is no need to manually design too many traffic characteristics,and it has higher detection accuracy and faster detection time.However,in practical applications,the SDN medium traffic is huge,and the detection of all traffic consumes huge computing resources and affects the real-time performance of the detection.

As a result,based on prior research and learning,this article proposes an innovative DDoS detection framework based on DNN.The proposed framework includes an initial inspection module based on information entropy and a detection module based on DNN.The detection model draws on the advantages of information entropy and DNN algorithm,and the accuracy measurement is performed after the initial inspection module finds the abnormal flow.This model makes up for the shortcomings of the detection algorithm based on information entropy of low DR and high FAR.It also shortens the detection time based on DNN algorithm,reducing the resource occupancy rate,not only can improve the accuracy of detection,but also shorten the processing time of detection,and save the frequency of resource usage by the DNN algorithm.

The main contributions of this article have three aspects:

1) A model for detecting the DDoS attacks in SDN is proposed.The model includes a preliminary inspection module based on information entropy and a DNN detection module.Combining the advantages of the two methods,it improves the DR and accuracy of the model,and reduces the FAR of the model.It speeds up the DR and reduce the occupancy rate of computing resources.

2) Using OpenFlow protocol fields,manual extraction and other methods to construct a 19-dimensional feature vector,as the input of the DNN model.After training and testing,the accuracy of the proposed model to identify DDoS traffic is higher than that of traditional ML methods,and has a lower FAR.

3) Propose a lightweight initial inspection method based on information entropy,and determine the suspected abnormal traffic by calculating the information entropy of the packet unit.The determined threshold allows the proposed method to have a recognition rate of more than 99%.As an initial inspection method,high false alarms can be ignored compared with the direct use of DNN-based detection algorithms,2/3 the detection time and the occupancy rate of computing resources are reduced.

2 Literature Review

The development of DDoS attacks has become a major security threat to the Internet today[14].The continuous development of network technology,the emergence of various new network architectures and the popularization of smart devices have made DDoS attack methods showing a trend of frequent development[15].With the advancement of network technology,the DDoS attackers have begun to use new network equipment or network architecture to launch attacks.In recent years,the SDN networks have become a research hotspot for researchers and network service providers,and the problem of DDoS attacks in SDN is one of the research topics[16,17].

Reference[18]proposed a method of setting up a backup controller.When the SDN network is subjected to a DDoS attack,the switch disconnects from the controller and connects to other backup controllers.This method can temporarily mitigate the DDoS attack.However,it cannot fundamentally prevent it.Once the backup controllers are also attacked,the entire SDN network will lose control.Reference[19]proposed a method to predict the attacks based on traffic thresholds.The method constructs flow characteristics by extracting NetFlow flow data,and calculates the flow characteristics and design thresholds through detection functions.However,this method needs to process the data flow collected in advance and requires a lot of preparatory work.In addition,the success of the test is closely related to the actual experience of the researcher.

Reference[20]proposed a fast entropy calculation method to detect the DDoS attacks in traffic,and calculate the entropy value over a period of time by counting the network traffic.If the entropy value exceeds the threshold,it is determined that a DDoS attack has occurred in the network.This method successfully improved the detection speed,but failed to significantly improve the detection accuracy,and the algorithm has a high FAR.Reference[21]proposed a large-scale network detection mechanism based on flow entropy and packet sampling.This method improves the detection accuracy and reduces the FAR,but it sets a threshold based on relevant experience and increases the influence of human factors.Reference[22]proposed a statistical solution to detect the DDoS attacks in SDN.The method extracts the flow characteristics,generates a characteristic matrix,and finds the abnormal flow by calculating the joint entropy of different combinations of flow characteristics.Compared with the previous detection algorithm based on entropy,this method has a great improvement,and the detection range is accurate.The rate has been greatly improved,but this method requires a long period of preparation and statistics,the calculation is more complicated,the scalability is poor,and the real-time performance is not high.Reference[23]proposed an entropy-based SDN early detection technology for TCP SYN flooding attacks.This technology is based on traffic characteristics and measures the degree of randomness of the data packets received at the SDN controller by calculating the entropy value of the traffic characteristics in a time-based data packet window sequence and compared with the threshold(adaptive)under this example.This method can detect the early attack.However,this method assumes that there is only one target node,which is not universal,and the method is only for TCP SYN flood attacks.The above research shows that,in SDN,it is difficult for the existing DDoS detection methods based on information entropy to have both high accuracy and high DR.

Reference[24]proposed a DDoS traffic detection algorithm based on extreme gradient boost(XGBoost).The method uses the XGBoost classifier to test the knowledge discovery and data mining(KDD) 99 data set.The test results show that the method has the characteristics of high detection accuracy and fast DR.But The detection effect of this method on other experimental environmental data is unknown.Reference[25]used the support vector machines(SVM)to detect the DDoS traffic in SDN.This method is also tested on the KDD 99 data set.The test results show the effectiveness of the method.This method also faces the problem of unknown actual detection effect.At the same time,the methods proposed in[24,25]requires manual construction of a large number of features,which affects the detection efficiency.Reference[26]proposed a method for detecting abnormal traffic in SDN based on DL.This method designs traffic characteristics and uses DL algorithms to detect the abnormal traffic in the SDN.Compared with the previous ML methods,the accuracy is improved.However,the detection efficiency is not high.When the traffic is huge,the detection of normal traffic will consume the resources of the DL hardware and increase the calculation time.

Through the above research,it is found that there are many problems in the detection algorithm based on information entropy:the determination of the threshold often brings about the contradiction between the DR and FAR,high computational complexity,poor scalability,low detection rate,and data statistical cycle.Detection algorithms based on ML also have problems such as low DR,high central processing unit (CPU) usage,and unused actual data verification.DL algorithms have high accuracy and low FAR.However,when the network traffic is too large,it will affect the detection time and occupy computing resources.To address the shortcomings of the preceding research methods,this paper proposes a detection model based on information entropy and DL.This model combines the previous detection methods based on information entropy and ML.The information entropy method is used to conduct the preliminary detection of traffic,and then DNN is used to accurately detect the suspected problem traffic.Compared with the traditional methods based on information entropy and ML,this method has higher detection accuracy,lower FAR and higher detection efficiency.

3 Proposed Framework

3.1 Overall Architecture

The proposed detection model is deployed in the controller in the SDN.It includes two main parts:an abnormal initial detection module based on information entropy and a DDoS traffic detection module based on DNN,as shown in Fig.1.In the SDN network,every time the switch receives a new data packet,the controller will update the flow table entry of the switch.When the SDN network is attacked,the controller will receive a large number of data packets from the switch,resulting in control device interrupts the service and the network is paralyzed.The abnormal initial detection module collects thepacket_indata packets in the SDN controller,calculates the entropy value of the data characteristics in the fixed interval data packet window,and compares it with the set threshold.Once it is not within the normal range,the traffic is deemed to be suspected to be abnormal,and it is subjected to the DNN-based anomaly detection.The DDoS traffic detection module based on DNN extracts the required characteristics through the switch flow table entry,and performs further detection to confirm whether a DDoS attack occurs in the network.If an attack occurs,a warning will be issued and the network manager will be notified for further processing.

Figure 1:Proposed system model

3.2 Anomaly Initial Inspection

Information entropy reflects the degree of uncertainty in the value of random variables (RVs).When the value of the RV is more random,the value of information entropy is higher.When the value of the RV is more consistent,the information entropy has lower value[27].We use the Shannon’s formula to calculate the sample entropy:

Among them,the data samplex={ni;i=1,2,...,N}indicates that a certain sampleiin the data has occurrednitimes.which indicates the total number of sample valuesX.From Eq.(1),we can see that the size of the sample entropy changes in the interval(0;lnS).When the value distribution of the sample is the most concentrated,the entropy value is 0,thenn1=n2=...=nNmeans that all the sample values are the same.When the distribution of the sample is the most dispersed,the entropy value is the largest,and all sample values are different at this time.

Due to the self-similarity of network traffic,we consider that the sparseness and denseness of the data packet feature samples are only related to the number of samples,and the size of the entropy value is only determined by the similarities and differences of the sample data.For example,two sample sequences of the same numberXandY,whereXis a sample sequence collected within 30 s,Yis a sample sequence collected within 45 s,but the entropy of the two sample sequences is the same.Then it is inferred thatXandYhave the same degree of sparse distribution[28].

In the experiment,thepacket_indata packet of the SDN controller is regarded as the unit data packet.We define a fixed packet number interval as a packet unit data packet(packetbin).That is,the continuous data packet is divided into a packet unit according to a specific number of packets(bin).We use some feature sequence values in packetbin as sample data,and calculate the entropy value of the feature sequence sample data.We have selected two most important features that can reflect the current network status:source and destination IP addresses.The choice of the number of packetsWin each packetbin controls the change of sample characteristics in a short period of time.If the value ofWis too large,the entropy value will not change significantly,which will reduce the accuracy of detection.In the SDN network of this experimental environment,according to the number of hosts and traffic conditions,after measurement and analysis,it is found thatW=100 is a good compromise for the deployed data.When calculating the entropy,it isS=W=100 in Eq.(1),we calculate the information entropy of the source and destination IP addresses in the first consecutiveWpackets,and then move to the next adjacentWpackets to calculate the corresponding entropy.We get an abnormal traffic analysis index based on the information entropy,as shown in Tab.1.

Table 1:Index variables of flow with abnormalities

We set the experimental threshold T.If the information entropy in the indicator is not within the threshold range,it is observed that some abnormality has occurred in the SDN,issue a warning,and start the DDoS traffic detection module based on DL at this moment.The traffic in the SDN is detected,DDoS attacks are found and the warnings are issued.Unlike other entropy-based methods,this study does not set a confidence interval because it does not use a criterion for judging whether the DDoS occurs in the network,but only use it as the initial inspection method.Because the pure entropy-based detection method has limitations,for example,how to determine the threshold will affect the accuracy of the entire algorithm,and this method often results in a higher FAR.In our initial inspection model,the threshold is set to a wider range.This method has a higher detection and recognition rates,but it has a higher FAR.As a preliminary inspection method,it only requires a higher recognition rate.

The abnormal initial inspection module based on information entropy observe the network traffic,and inputs the generated suspected abnormal traffic to the DL module for further processing.It not only completes the detection of abnormal traffic,but also slows down the DL module pressure of the required resources.

3.3 Feature Extraction and Construction

In traditional ML algorithms,how to select the features will affect the success of the entire algorithm.Choosing good features can improve the accuracy of the algorithm.But too many feature designs will increase the complexity,and the process of manually selecting features will affect the detection speed.The DNN model can automatically extract the features layer by layer,and assign weights to the extracted features to achieve the best results.

In the experimental DNN model,we directly extracted some of the fields in the OpenFlow flow table as the feature input of the first layer.In addition to the features that can be directly extracted in the flow table,we manually designed two features,which are also used as the input of the DL network.The input characteristics are shown in Tab.2.

Table 2:Input characteristics

Table 2:Continued

The two features manually extracted are the average number of data packets and the number of data packets.Among them,the average number of data packetsn_packets_aveis the number of packets(n_packets)divided by the flow duration(duration),which is the number of data packets per second:

The average number of data packets(n_bytes_ave)is the number of packets(n_bytes)divided by the stream duration(duration),that is,the number of data packets per second:

In summary,this paper constructed the 19-dimensional feature input of the DL detection model based on the flow table information.These features can be directly read in the flow table entry,and the manually constructed features are also easier to obtain.This 19 dimensional feature vector is used as the input of the DL detection model to identify the abnormal DDoS traffic.

3.4 Detection Model

DNN is a fully connected network that includes an input layer,multiple hidden layers,and an output layer[29].Fig.2 depicts a 5-dimensional vector input,7-dimensional vector output and DNN network model withL-1 hidden layers.

Figure 2:Proposed DNN model

In the DNN network,each layer contains the weight vectorWand the offset vectorb.We calculate the outputlhof theh-th layer:

Among them,bhis the offset vector,whis the weight matrix,and the nonlinear function is the tanh.The top-level outputlμand the supervised target outputyare combined to form the loss functionω(lμ,y).The output layer linear regression function is

Among them,wμ iis thei-th row ofwμ.In this case,we use the conditional log-likelihood function as the loss function withlμ i ＞0 and

The expected value on the(x,y)pair is minimized.During training,back propagation(BP)and gradient descent(GD)algorithms are used to adjust the weight value and bias according to the output error value of each neuron.The amount of shift is adjusted.When the output of the cost function is the smallest,the best result is achieved.

The output selects the softmax function and defines the cross entropy error as follows

Wherein,Nis the number of units by thewobtained with respect to each weightwkcost functionF(w),which is defined as

where

Among them,τhis called the learning efficiency[30].Finally,according to Eqs.(7)-(9),the corresponding stochastic gradient descent algorithm is used to minimize the cost function,and finally we will get the best weight value.The experiment uses a DNN structure including an input layer,an output layer and 10 hidden layers.In the hidden layer,the hyperbolic tanh function is used for nonlinear processing,and the current activation is performed in the output layer.After multiple batches of GD training,the final detection model is determined.

4 Experimental Results

4.1 Configuration

This article uses Mininet to build an SDN,where the controller uses the JAVA-based open source controller Floodlight,and the operating system is Ubuntu 16.04.The DL module is developed based on the Tensorflow framework.The developed hardware environment is a 48-core CPU server.Before the experiment,we used the scapy tool to inject the traffic into the mininet virtual network(VN)to imitate the DDoS attack.The network topology created by Mininet is shown in Fig.3.The SDN consists of ten switches,each switch connects ten hosts,select two of them as the source of DDoS attacks,and launch an attack on the SDN network.

Figure 3:Proposed network configuration

The experiment uses three indicators:DR,accuracy(ACC),andFARas the criteria for evaluating the model.The DR is the ratio of the correctly identified to all DDoS attack traffic in the sample which is expressed as

The ACC is the ratio of correctly identifying normal and abnormal flows in the total data set

The FAR refers to the ratio of normal traffic that is misidentified as DDoS attack traffic by the model to all normal traffic in the test set.The lower the FAR,the better the classification effect of the model

Among them,the true positive (TP) rate refers to the rate at which the abnormal DDoS traffic is identified by the model,and the false positive (FP) rate refers to the rate at which normal traffic is incorrectly identified as DDoS traffic.The true negative (TN) rate refers to the rate at which the normal traffic is correctly identified.False negative (FN) rate refers to the rate at which the DDoS traffic is incorrectly identified as normal traffic[31].

4.2 Results Analysis Based on Information Entropy

In the abnormal initial detection module based on information entropy,we propose an abnormal traffic analysis indicator,by calculating the entropy value of each feature vector in several windows,and judging whether the network has occurred according to whether the entropy value exceeds the threshold collect thepacket-inof normal network traffic in the switch,read the source and destination IP addresses in the data packet,and then calculate the characteristic entropy value in each window,namely 100 data packets.The SDN network is subject to DDoS during the attack,100,000 pieces of data traffic are collected,the source and destination IP addresses are analyzed,and the information entropy value is calculated.The comparison is shown in Figs.4 and 5.

Figure 4:Entropy evaluation vs.number of windows of source-IP

Figure 5:Entropy evaluation vs.number of windows of destination IP

It can be seen from Figs.4 and 5 that when a DDoS attack occurs in SDN,the characteristic information entropy value has changed significantly,and the characteristic vector value has dropped rapidly,and the range of change is small.The initial inspection module based on information entropy is to be able to identify the abnormal traffic in the network,so it must have a high DR,but because it is only a preliminary inspection module,it is not required to have a very low FAR.According to the above principles,to analyze the experimental data,the threshold of the feature entropy value is shown in Tab.3.

Table 3:IP values analysis

According to the analysis of experimental data,when the source IP address information entropy threshold is set to 2.5192,the DR of abnormal traffic identification is 100%,and the FAR is 42.769%.When the destination IP address information entropy threshold is set to 2.5557,the DR of abnormal traffic is 100%,and the FAR is 39.231%.When one of the two feature entropy values exceeds the specified threshold,it is concluded that an abnormality has occurred in the network.

In order to prove the effectiveness of the threshold,this study simulate the DDoS attacks and collect data,mark them to distinguish between normal and abnormal traffic,mix normal traffic with abnormal traffic,and perform anomaly detection based on information entropy.If the information entropy of a certain characteristic value is lower than the threshold,it is marked as abnormal traffic.Finally,the marking result is compared with the initial label to calculate the DR and FAR of the algorithm.The experimental results are shown in Tab.4.

Table 4:DR and FAR evaluation

From the experimental results,it can be seen that the proposed method has a very high DR,which proves that it can effectively identify DDoS attack traffic.Although it has a high FAR,it does not affect its use as an initial check for the effectiveness.

4.3 Results Analysis Based on DNN

The experimental data set is the real traffic in the SDN.A total of 120,000 traffic data,including 70,000 normal traffic and 50,000 DDoS attack traffic is collected.Among them,79,970 data sets are used as training sets and 40030 pieces of data are used as the test set,as shown in Tab.5.

Table 5:Dataset values

The choice of the number of hidden layers of the DNN model will affect the accuracy of the model’s recognition of DDoS traffic.It is very important to choose how many layers of DNN as the detection model.Therefore,we have constructed the number of hidden layers as 5 and 10 respectively.In the experiment,we use the same data set to perform 1,000 iterations of these five DNN models,and evaluate each DNN model through accuracy rate.Tab.6 shows the comparison of the results of five DNN models with different structures after being trained for 1,000 rounds under the same training and test sets.

It can be seen from the results in Tab.6 that the DNN model does not have more layers and has better training results.It is because too many hidden layers will even cause the accuracy of the recognition results to decline.Therefore,the experimental model chooses a 10-layer DNN model.

Table 6:Hidden layers ACC evaluation

The actual data traffic set is deployed to compare the experiments with the XGBoost[24]and SVM models[25].At the same time,the proposed model is compared with the traditional ML based K-nearest neighbor (KNN) model.The results are shown in Tab.7.It can be seen from Tab.7 that the proposed DNN model is better than the traditional methods in terms of DR,ACC and FAR.The ACC rate of the proposed model is 97.87%,and the FAR has dropped significantly.From the experimental results,it can be seen that the proposed model is better than traditional ML models.

Table 7:Comparison of the proposed and existing algorithms

At the same time,we conducted two sets of comparative experiments using the experimental data set and using the DNN model to detect the DDoS traffic.The first group of experiments directly used the 17 feature fields extracted directly from the OpenFlow as inputs.The second group of experiments is in addition to directly extracting the 17 feature fields.Two features“Average data grouping number”and“Average data grouping bit number”are manually constructed in real time,and these 19 features are used as model inputs.At the same time,the accuracy of abnormal traffic under two different traffic feature inputs are calculated.The results are shown in Tab.8.

Table 8:ACC and time cost evaluation of the proposed algorithm

It can be seen from Tab.8 that after adding two manually constructed features,the accuracy recognition increased by 0.75%,while the time only increased by 0.03 s.This proves the effectiveness of manually constructed features.

In addition,we also conducted two comparison experiments.The first experiment used only the detection module based on DL to detect the flow,while the second experiment used the preliminary inspection module based on information entropy for the initial inspection and the detection module based on deep learning.The results are shown in Tab.9.

Table 9:Performance comparison of the proposed method

It can be seen from the detection accuracy that the two methods have high accuracy for the identification of abnormal traffic,both reaching more than 97%,and both have a good recognition effect.However,the detection method based on information entropy and deep learning saves CPU usage rate and reduce the processing time.The initial inspection method based on information entropy is a lightweight calculation,its occupancy rate of computing resources is not high,and has a faster processing speed.

By adjusting the number of DNN layers and manually designing input features,the optimal DNN detection model suitable for the experimental environment is obtained.At the same time,a comparative test was carried out with previous research methods,and the results showed that,the proposed model has a high accuracy rate for identifying the DDoS traffic in the traffic,occupies less computing resources and faster processing speed.

5 Conclusion

This paper proposes a DDoS attack detection framework based on information entropy and DNN,as well as an abnormal traffic analysis index for calculating information entropy with a 19-dimensional flow table feature vector.The initial inspection model based on information entropy can effectively identify the abnormal traffic,and the DNN detection module confirms it.The proposed model not only solves the problem of low accuracy of detection methods based on information entropy,but also alleviates the long detection time of DL methods and occupation of computing resources.Experiments show that,the proposed method can effectively identify the abnormal DDoS traffic,provide effective information for network administrators,and provide effective guarantee for SDN network security.

Acknowledgement:The authors would like to acknowledge the support from Taif University Researchers Supporting Project Number(TURSP-2020/331),Taif University,Taif,Saudi Arabia.

Funding Statement:This publication was supported by the Ministry of Education,Malaysia (Grant code:FRGS/1/2018/ICT02/UKM/02/6).

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.