Cyberpulse: A Machine Learning Based Link Flooding Attack Mitigation System for Software Defined Networks

Software-defined networking (SDN) offers a novel paradigm for effective network management by decoupling the control plane from the data plane thereby allowing a high level of manageability and programmability. However, the notion of a centralized controller becomes a bottleneck by opening up a host of vulnerabilities to various types of attacks. One of the most harmful, stealthy, and easy to launch attacks against networked systems is the link flooding attack (LFA). In this paper, we demonstrate the vulnerability of the SDN control layer to LFA and how the attack strategy differs when targeting traditional networks which primarily involves attacking the links directly. In LFA, the attacker employs bots to surreptitiously send low rate legitimate traffic on the control channel which ultimately results in disconnecting control plane from the data plane. Mitigating LFA on the control channel remains a challenge in the network security paradigm with the use of network traffic filtering only. To address this challenge, we propose CyberPulse, a novel effective countermeasure, underpinning a machine learning-based classifier to alleviate LFA in SDN. CyberPulse performs network surveillance by classifying network traffic using deep learning techniques and is implemented as an extension module in the Floodlight controller. CyberPulse was evaluated for its accuracy, false positive rate, and effectiveness as compared to competing approaches on realistic networks generated using Mininet. The results show that CyberPulse can classify malicious flows with high accuracy and mitigate them effectively.