DDoS Detection in SDN using Machine Learning Techniques

This project implements a comprehensive solution for detecting and mitigating Distributed Denial of Service (DDoS) attacks in Software-Defined Networks (SDN) using various machine learning techniques.

Overview

The system integrates machine learning models with a POX SDN controller to detect and mitigate DDoS attacks in real-time. The project includes:

• Implementation of multiple ML algorithms (Random Forest, SVM, KNN, Decision Tree, Naive Bayes)
• Integration with POX controller for real-time traffic analysis
• Feature extraction from network flows
• Real-time attack detection and mitigation
• Performance evaluation and comparison of ML models
• Interactive dashboard for monitoring and analysis

Features

• Multiple ML Models: Implementation and comparison of 5 different machine learning algorithms
• Real-time Detection: Integration with POX controller for real-time traffic analysis
• Feature Engineering: Extraction of 23 traffic features for accurate attack detection
• Visualization: Interactive dashboard with charts and statistics
• Model Evaluation: Comprehensive performance metrics and comparisons
• Attack Mitigation: Automatic blocking of detected attack traffic

Machine Learning Models

The project implements and compares the following machine learning models:

1. Random Forest - Achieves 99.88% accuracy (best performer)
2. Support Vector Machine (SVM) - 97.5% accuracy
3. K-Nearest Neighbors (KNN) - 96.2% accuracy
4. Decision Tree - 98.1% accuracy
5. Naive Bayes - 94.3% accuracy

Dataset

The dataset contains network traffic data with 23 features:

1. dt (decision time)
2. switch (switch identifier)
3. src (source address)
4. dst (destination address)
5. pkt_count (packet count)
6. byte_count (byte count)
7. duration
8. duration_nsec (duration in nanoseconds)
9. total_duration
10. flows (number of flows)
11. pkt_rate (packet rate)
12. pair_flow
13. protocol
14. port_no (port number)
15. tx_bytes (transmitted bytes)
16. rx_bytes (received bytes)
17. tx_kbps (transmitted kilobits per second)
18. rx_kbps (received kilobits per second)
19. tot_kbps (total kilobits per second)
20. label (classification label - normal/attack)
21. packetins
22. byte_per_flow (bytes per flow)
23. packet_per_flow (packets per flow)

System Architecture

The system consists of the following components:

1. POX Controller: Manages the SDN network and collects traffic statistics
2. Feature Extractor: Processes raw traffic data into feature vectors
3. ML Classifier: Uses trained models to classify traffic as normal or attack
4. Flow Manager: Installs flow rules to block malicious traffic
5. Dashboard: Provides visualization and monitoring capabilities

Getting Started

Prerequisites

• Node.js (v14 or higher)
• Python 3.6 or higher
• POX controller
• Required Python packages: numpy, pandas, scikit-learn, joblib, matplotlib, seaborn

Installation

1. Clone the repository:

   git clone https://github.com/yourusername/ddos-detection-sdn-ml.git
   cd ddos-detection-sdn-ml
   

2. Install dependencies:

   npm install
   

3. Train the ML models:

   npm run train
   

4. Start the POX controller:

   npm run start-controller
   

5. Start the dashboard:

   npm run dev
   

Usage

Training ML Models

To train the machine learning models on the dataset:

npm run train

This will:

• Load the dataset (or create a synthetic one if not available)
• Preprocess the data
• Train all five ML models
• Evaluate their performance
• Save the trained models for use with the controller

Running the POX Controller

To start the POX controller with ML-based DDoS detection:

npm run start-controller

The controller will:

• Load the trained Random Forest model
• Monitor network traffic
• Extract features from flows
• Classify traffic as normal or attack
• Block malicious flows

Evaluating Model Performance

To evaluate and compare the performance of all models:

python src/ml/evaluate_models.py

This will generate detailed performance metrics and visualizations.

Dashboard

The dashboard provides a comprehensive view of the system's operation, including:

• Real-time traffic statistics
• Attack detection alerts
• Model performance comparison
• Dataset information
• Controller status

Project Structure

├── data/                  # Dataset storage
├── models/                # Trained ML models
├── results/               # Evaluation results and visualizations
├── src/
│   ├── components/        # React components for dashboard
│   ├── ml/                # Machine learning code
│   │   ├── train_models.py    # Model training script
│   │   └── evaluate_models.py # Model evaluation script
│   ├── pox/               # POX controller integration
│   │   └── pox_controller.py  # Controller with ML integration
│   └── App.tsx            # Main application component
├── public/                # Static assets
└── README.md              # Project documentation

Performance

The Random Forest model achieves the best performance with:

• 99.88% accuracy
• 99.9% precision
• 99.85% recall
• 99.87% F1 score

Future Work

• Integration with real network environments
• Implementation of additional ML algorithms
• Development of adaptive detection thresholds
• Support for additional attack types
• Distributed controller architecture

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

• The POX controller team
• scikit-learn library
• React and Chart.js for visualization