DDoS Detection Using a Cloud-Edge Collaboration Method ...

Research ArticleDDoS Detection Using a Cloud-Edge Collaboration MethodBased on Entropy-Measuring SOM and KD-Tree in SDN

Yuhua Xu 1 Yunfeng Yu 2 Hanshu Hong 1 and Zhixin Sun 1

1Engineering Research Center of Post Big Data Technology and Application of Jiangsu ProvinceResearch and Development Center of Post Industry Technology of the State Posts Bureau (Internet of ings Technology)Engineering Research Center of Broadband Wireless Communication Technology of the Ministry of EducationNanjing University of Posts and Telecommunications Nanjing 210003 China2Guoji Beisheng (Nanjing) Technology Development Co Ltd Nanjing 210003 China

Correspondence should be addressed to Zhixin Sun sunzxnjupteducn

Received 10 February 2021 Revised 3 March 2021 Accepted 25 March 2021 Published 12 April 2021

Academic Editor Chi-Hua Chen

Copyright copy 2021 Yuhua Xu et al -is is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Software-defined networking (SDN) emerges as an innovative network paradigm which separates the control plane from the dataplane to improve the network programmability and flexibility It is widely applied in the Internet of-ings (IoT) However SDN isvulnerable to DDoS attacks which can cause network disasters In order to protect SDN security a DDoS detection method usingcloud-edge collaboration based on Entropy-Measuring Self-organizing Maps and KD-tree (EMSOM-KD) is designed for SDNEntropy measurement is utilized to select the ideal SOM map and classify SOM neurons considering the limitation of dead andsuspicious neurons EMSOM can detect most flows directly and filter out a few doubtable flows-en these flows are fine-grainedidentified by KD-tree Due to the limited and precious resources of the controller parameter computation is performed in thecloud -e edge controller implements DDoS detection by EMSOM-KD -e experiments are conducted to evaluate the per-formance of the proposed method -e results show that EMSOM-KD has better detection accuracy moreover it improves theKD-tree detection efficiency

1 Introduction

Software-defined networking (SDN) separates the controlplane from the data plane to achieve programmable flexibleand reliable network services [1] In recent researches [2 3]SDN combined with edge computing is applied in the In-ternet of -ings (IoT) such as smart city and ubiquitoushealthcare Edge controllers of SDN implement logicallycentralized management of the local data plane and collectthe network information from forwarding devices tomaintain a global view of the local network [4] According tothe flow table forwarding devices such as switches forwarddata packets in the data plane OpenFlow protocol is widelyused between the data plane and the control plane [5]

However SDN is vulnerable to Distributed Denial ofService (DDoS) attacks due to its centralized controlframework A large number of malicious packets with

spoofing addresses being sent to switches can easily lead tobuffer saturation and flow table overflow [6] becauseswitches in the data plane have limited resources What ismore switches are forced to send numerous packet_inmessages to the controller for flow requests -is formspacket_in flooding on the controller and causes the con-troller saturation [7] -erefore DDoS attacks can lead tonetwork collapse and flow detection is essential for SDNnetwork security

Various algorithms are applied as classifiers for flowidentification in SDN -e performance of different algo-rithms can affect the effectiveness of DDoS defense in SDN-e self-organizing map (SOM) is one of the most effectiveclassifiers [8] and it can efficiently classify SDN flows SOMmaps high-dimensional training data to low-dimensionalwinning neurons of the neural network and recognizesnetwork flows through winning neurons [9] However SOM

HindawiSecurity and Communication NetworksVolume 2021 Article ID 5594468 16 pageshttpsdoiorg10115520215594468

neural network which is not set automatically can affect thedetection accuracy -ere are dead neurons that have neverbeen mapped by training data and suspicious neurons thatmap similar numbers of normal and abnormal training data-ese neurons lower the detection precision of SOM High-precision flow detection can protect the communicationsecurity of SDN K-Nearest Neighbor (KNN) has high de-tection accuracy of DDoS detection [10] However its hightime-consuming leads to detection delays and puts tre-mendous pressure on the controller -erefore an efficientand accurate detection method is essential for DDoS defensein SDN Moreover parameters calculation of the detectionmethod can increase the centralized controller overhead andcompromise the controller performance

SDNDDoS detection framework can be divided into twomain modes In the first mode the smart DDOS detectionalgorithm such as the deep learning algorithm [11 12] isdeployed in the controller However the smart algorithmtraining process can significantly impact the controller andmake the controller be the network bottleneck In the secondmode the lightweight algorithm such as the entropy-basedalgorithm is used by switches [13] to detect abnormal flowsand share the controller workload But switches have limitedcomputing and storage resources and additional detectionworkload of switches may affect network communicationUnlike previous researches we propose a cloud-edgecollaboration DDoS detection method -e cloud servercomputes the parameters and implements the trainingprocess of the improved smart algorithm to reduce theburden on the controller -e controller can detect DDoSattacks efficiently and accurately by the improved algorithmcombining Entropy-Measuring SOM and KD-tree Ourcontributions are summarized as follows

(1) A cloud-edge collaboration DDoS detection frame-work is designed for SDN It decouples parametercalculation from flow detection -e cloud performsthe detecting parameter calculation and it helps theedge controller focus on traffic detection to reducethe workload

(2) A detection method based on Entropy-MeasuringSOM and KD-tree (EMSOM-KD) is proposed toefficiently and precisely detect network traffic Ascoring scheme is built by the entropy measurementto compute a suitable SOM map which can classifyflows precisely and filter out a small number ofsuspicious flows -en KD-tree is utilized for theidentification of suspicious flows

(3) -e experiments are made in detail to verify theproposed methodrsquos effectiveness and efficiency

-e remainder of this paper is organized as follows therelated work of DDoS detection for SDN is introduced inSection 2 Section 3 introduces a cloud-edge collaborationframework for DDoS detection in SDN and presents thedetails of EMSOM-KD detection algorithm In Section 4experiments are conducted for the performance evaluationof the proposed method Section 5 concludes the paper andpoints out the future work

2 Related Work

DDOS detection solutions for SDN networks can be mainlydivided into statistical solutions machine learning-basedsolutions and artificial neural networks-based solutions

-e statistical detection solutions monitor and count theflow information of SDN and then compares the statisticalvalue with the threshold to determine whether the traffic isan attack Fouladi [14] and Bawany [15] used filters and setdynamic thresholds to detect instant abnormal changesSahoo et al [16ndash18] utilized information entropy-basedmethods to detect DDoS attacks in the control plane Al-though the statistics-based scheme is efficient andstraightforward the threshold value setting that requiresmultiple statistics is difficult

Machine learning solutions use clustering algorithmsdecision tree SVM KNN etc as classifiers to determine theDDoS attacks Cui [19] computed the dual address entropy asthe main feature and utilized SVM to detect flows In theresearch [20] a whale optimization algorithm is proposedfor DDoS detection in SDN Chen [21] modified the decisiontree algorithm to detect the SDN network state Latah [22]compared KNNwith other machine learning algorithms andshowed that KNN has high detection precision Tuan [23]and Dong [24] deployed the KNN-based detector in thecontroller for high-precision anomaly detection But thetraditional KNN needs to calculate the distance between thedetection point and each training point and causes signif-icant detection delay To reduce the calculation time oftraditional KNN k-dimensional (KD) tree was established[25] to realize rapid search of the nearest k points whilemaintaining the accuracy of KNN However the detectionspeed of KD-tree still needs to be further improved to realizeefficient DDoS detection in SDN

Solutions of artificial neural networks (ANN) simulatethe human brain structure to abstract knowledge throughautomatic learning for flow identification [26] Hannache[27] proposed a Neural Network based Traffic Flow Classifier(TFC-NN) to detect DDoS attacks in the SDN environmentHan [28] combined autoencoder and softmax classifier forDDoS detection -e complex training process of ANN putscomputational pressure on the controller As one of ANNalgorithms SOM trains the neurons to form the SOM mapwhose different units represent different traffic types [29]Because of its efficient classification capability SOM iswidely used for DDoS detection in SDN Trung [30]designed a distributed SOM for flooding attacks Tran[31] combined SOM with KNN for the improvement ofSOM detection accuracy -e topological structure of theSOM map which is not automatically set can affect thedetection results -us it needs to be improved for de-tection precision

Based on the comprehensive analysis above an efficientand accurate DDoS detection method is the key to DDoSdefense in SDN -e parameter calculation of the detectionalgorithm consumes the controller resources and affects itsperformance -erefore we design a cloud-edge collabo-ration architecture to strip the preprocessing calculation ofDDoS detection from the controller and improve the

2 Security and Communication Networks

existing detection method to realize efficient and accurateflow identification

3 Cloud-Edge Collaboration Detection SystemBased on EMSOM-KD

-e SDN controller communicates directly with switchesand obtains a global network topology Furthermore it has acentralized network operating system facilitating anomalydetection and mitigation [32] However the centralizedcomputation also puts much pressure on the controller -eproposed hierarchical detection architecture separates thedetection parameter calculation from the flow detection toreduce the controller burden as shown in Figure 1 -ecloud server calculates the detection parameters and deploysthem in the edge controller -e resources of complex pa-rameter calculations in the controller can be freed up-erefore the edge controller can focus on lightweighttraffic detection

Each switch stores the flow table of OpenFlow protocolfor network flow forwarding -e flow table has a set of flowentries consisting of header fielders counters and actions[33] -e edge controller connects with switches to collectflow information detects flows by the detection methodbased on EMSOM-KD and mitigates DDoS attacks bysetting actions in the flow table -e proposed detectionframework is shown in Figure 2 the preprocess modules arein the cloud server and detection modules are in the edgecontroller

31 PreprocessModules in Cloud Server Preprocess modulesin the cloud server include Database KD-tree BuilderEMSOM Preprocessor and EMSOM-KD ParameterTransmitter-ey implement computation and transmissionof detection parameters

311 Database Database stores training data set -etraining nodes can be classified as normal and abnormalby the tag -e training data set is D (V

y11

Vy12 V

yminus1Nminus1 V

yminus1N ) which contains N nodes y is the

tag of the node y 1 represents normal and y minus1 rep-resents abnormal Each node V

yi (vi1 vi2 vim) has

m-dimensional features Each feature vij is normalized as

vijprime

vij minus min vj1113872 1113873

max vj1113872 1113873 minus min vj1113872 1113873 (1)

Normalized training data will be utilized to compute theflow detection parameters in EMSOM Preprocessor andKD-tree Builder

312 EMSOM Preprocessor EMSOM Preprocessor com-putes SOM map search space which is the number range ofSOM neurons to reduce the computational complexity ofsearching SOMmap-en it finds out the appreciated SOMmap for the EMSOM-KD detection method and classifiesthe neurons in the map by entropy measuring

(1) Calculation of the SOMMap Search Space SOM neuronsrepresent classification kinds When the number of neuronsis too small the classification accuracy of SOM may be toolow Nevertheless a vast number of SOMneurons may causedead neurons and increase computation complexity -us areasonable range of the SOM neuron number can improvethe efficiency and precision of the SOM classifier SOM is anunsupervised clustering method that can assign each node V

to the nearest cluster Ci with a corresponding centroid Ui-e number of neurons set in the SOMmap is related to theideal clustering number of training data However the idealclustering number is often difficult to define and it is an-alyzed in detail in research [34] We estimate the range of theideal clustering number based on clustering compactnesschanges K-means++ is used to compute the search spaceBecause K-means++ is an efficient unsupervised clusteringalgorithm that can calculate cluster centroids and is con-ducive to clustering compactness computation it is detailedin research [35]

Definition 1 SSEk is the sum distance of each node to itsnearest cluster centroid It represents the clustering com-pactness of clustering number k As k raises SSEk can besmaller and the cluster is more compact SSEk is calculatedas

SSEk 1113944k

i11113936

VisinCi

V minus Ui

(2)

Definition 2 If SSEα has the largest relative decrease α isclose to the actual number of data categories according toElbow Method [36] α is the lower limit of the ideal clus-tering number and it is calculated as (3) where km is themaximum value of k

α argmaxk2km

SSEkminus1 minus SSEk

SSEk

1113888 1113889 (3)

Definition 3 β is the stable clustering number βgt α Whenk is bigger than β clustering compactness changes slightly βis the upper limit of the ideal clustering number It is cal-culated as

β argmaxk2km


11138681113868111386811138681113868111386811138681113868

SSEk minus SSEk+11113868111386811138681113868

1113868111386811138681113868 (4)

-erefore the range of the ideal clustering number is[α β] In order to ensure adequate search space for thesuitable SOM map the search space of neuron number is[α ε middot β] and ε is a positive integer ε grows to expand thesearch space until the ideal SOM map is found out

(2) Determination of the Suitable SOM Map SOM map istwo-dimensional [37] the map size is L times R where L is thecolumn number and R is the row number numLtimesR repre-sents the neuron number which should be in [α ε middot β]

during the process of determining a suitable SOM map -e

Security and Communication Networks 3

entropy method is used to measure the properties of SOMneurons and score the map -erefore EMSOM makes upfor the blindness of SOM selection

Classical SOM map is built and trained by training datathen its neurons are recognized by the statics of varioustraining data However there may be dead neurons orsuspicious neurons -ese neurons can reduce the precisionof SOM -us neurons are measured and divided intonormal abnormal and suspicious categories by entropy

Definition 4 ENTi is the mapping entropy of the ith neuronin the SOM map ai and bi are the numbers of normal andabnormal training nodes mapped by the ith neuron ENTi iscomputed as

ENTi minusai

ai + bi

1113888 1113889lnai

ai + bi

1113888 1113889 minusbi

ai + bi

1113888 1113889lnbi

ai + bi

1113888 1113889

(5)

-e greater the mapping information entropy the moreuncertain the neuron If ai bi 0 ith neuron is a deadneuron that cannot identify the flows let ENTi 1

ENTi 0 means that the ith neuron maps only one kindof training data If ai lt bi and ENTi 0 the ith neuron canbe judged as abnormal it will be put in abnormal neuron setAN If ai gt bi and ENTi 0 the ith neuron can be judged asnormal and will be put in normal neuron set NN

ENTi ne 0 means that the ith neuron maps both kinds oftraining flows and the mapping entropy needs to becompared with the judgment threshold to determine thetype of ith neuron

Definition 5 T is the judgment threshold It is computed as

T 1113944LtimesR

i1

ENTi

L times R (6)

If ai lt bi and ENTi leT the ith neuron is abnormal it canbe put in AN If ai lt bi and ENTi gtT the ith neuron issuspicious and has a strong possibility of misjudging it willbe put in suspicious neuron set SN Likewise if ai gt bi andENTi leT ith neuron will be put in NN Otherwise it will beplaced in SN

After recognizing neurons in the EMSOM map theEMSOM map has to be evaluated for its performance

Definition 6 SFLtimesR is the score of the SOM map perfor-mance of filtering out suspicious flows It is calculated as

SFLtimesR 1113944iisinSN

ai + bi

2n (7)

SFLtimesR shows the ratio of the nodes mapped by suspiciousneurons to the total training nodes -e larger SFRtimesL is themore suspicious traffic the SOM map may filter out

Definition 7 SALtimesR is the score of identification accuracy ofthe SOM map whose topology is L times R It is calculated as

SALtimesR 1113944iisinNN

ai + bi

2nmiddot ENTi1113888 1113889 + 1113944

iisinAN

ai + bi

2nmiddot ENTi1113888 1113889

(8)

Normal flowsDDoS attacks

Normal flowsDDoS attacksSuspicious flows

Cloud server

Switch

Edge controller

SwitchSwitch

Edge controller

SwitchSwitch

Detectionparameterscalculation

EMSOM classifier

KD-tree identifier

Flow classificationbased on EMSOMSuspicious flowidentification basedon KD-treeAnomaly mitigation(iii)

(ii)

(i)

(i)

Figure 1 Cloud-edge collaboration architecture for DDoS detection in SDN


SALtimesR expresses the influence of mapping entropy of normaland abnormal neurons in the SOM map -e larger SALtimesRthe lower the identification accuracy of the SOM map

-e SOM map deployed in the controller should filtersuspicious traffic as little as possible whereas accuratelydistinguishing regular traffic and attack traffic -e scoreexpression of the SOM map is

ScoreLtimesR eSFLtimesR + e

SALtimesR

radic

(9)

According to the rule of SFLtimesR and SALtimesR ScoreLtimesR has thenature that the lower the SOM map score the better the per-formance A suitable SOMmap can be expressed by the formula

estmap(L times R) argminnumLtimesRisin[αεmiddotβ]

ScoreLtimesR (10)

Figure 3 shows the computation process of the suitableSOM map -e detailed steps of neuron classification in theSOM map and determination of the best map for EMSOM-KD are as follows

① SOM topology creation in the map search space of[α ε middot β] create the SOM topology L times R whoseneuron number isnumLtimesR and αlenumLtimesR le ε middot β

② Network initialization create S((αle Sle ε middot β) neuronsW1 W2 WS Each neuron has m-dimensionalweights Wi (wi1 wi2 wim) 1le ile S the weightsare initialized by random values

③ Winning neuron acquisition input the trainingvector Vh and calculate the distances between thevector and neurons as

Dis Vh Wi( 1113857 Vh minus Wi

1113944

m

j1

11139741113972

vhj minus wij1113872 11138732

(11)

-eneuron with the smallest distance is selected to bethe winning neuron

EMSOM preprocesser

Suitable SOM mapfinding

Normal neuronset

SOM map

Entropy-basedmeasurement

Calculation ofneuron search space Abnormal neuron

set

KD tree builder KD-tree

EMSOM-KDparametertransmitter

Database

Cloud server

Edgecontroller

Database

Flow table

Flow entries

Receivedpackets

Receivedbytes Duration

Ingressport

Ethernetsrc

Ethernetdst

Ethernettype

VLAN id

VLANpriority IP src IP

protocol ToSIP dst Portdst

Portsrc

Header fields ActionsCounters

Transmitpackets

Transmitbytes

Transmitoverrun errors

Forward Drop Enqueque Modify-field

Switch

DDoS attacksFlow collector

Feature extractor

Detection parameters

Flow information

Suspiciousneuron set

KD-tree identifier

KD-tree

EMSOM classifier

SOM map

Normal neuronset

Abnormal neuronset

Suspicious neuronset

Anomaly mitigator

Mitigation policy

Suspiciousflows

Flow detector

DDoSattacks

Figure 2 DDoS detection model based on Entropy-Measuring SOM and KD-tree for SDN


④ Weights update collect the neighboring neurons ofthe winning neuron Wz and update the weights ofWz and its neighbors as

Wz(t + 1) Wz(t) + η(t)α(t) Vh(t) minus Wz(t)( 1113857

(12)

η(t) is the neighborhood function andα(t) is thelearning rate

⑤ Loop repeat steps 2 to 3 until there is no more trainingvectors in input space and get the trained SOMmap Δ

⑥ Entropy measurement of neurons input trainingdata into the SOM map Δ and compute the bestmatch neuron for each training node by (13)

li argminzisinΔ

Vi minus Wz

1113872 1113873 (13)

-en count each neuron number in each trainingcategory and calculate each neuronrsquos mapping en-tropy by formula (5)

⑦ Classification of neurons compute the judgmentthreshold as formula (6) -en assign the neuronsinto normal neuron set NN abnormal neuron setAN and suspicious neuron set SN due to themapping entropies and the judgment threshold

⑧ Score computation of SOM map Δ calculate thescore of the SOMmap Δ to evaluate the performanceof Δ by the formulas (7)ndash(9)

⑨ Suitable SOMmap selection repeat steps 1 to 8 untilthere is no more available EMSOM topology in themap search space then choose the suitable SOMmapby formula (10)

313 KD-Tree Builder KD-tree is an improvement of KNNIt can quickly find the nearest training points to the targetnode through the tree structure index without calculatingthe distance between the target node and each data in thetraining set

KD-tree Builder constructs a balanced binary treethrough a recursive method to store training data Due to thenumber of training data set features the binary tree dividesan entire feature space into specific parts for fast queryoperations -e constructed KD-tree will be transmitted tothe controller for the inspection of suspicious flows Detailsof KD-tree construction are explained in research [38]

314 EMSOM-KD Parameter Transmitter Before trafficdetection each controller needs to be registered on the cloudserver and the cloud will verify the controller identity Afterverification the controller sends a parameter request to thecloud server EMSOM-KD Parameter Transmitter thensends training data SOMmap normal neuron set abnormalneuron set suspicious neuron set and KD-tree to thecontroller

32DetectionModules inEdgeController After receiving theparameters from the cloud server the edge controller canefficiently detect network traffic Detection modules in thecontroller include Flow Collector Feature Extractor FlowDetector and Anomaly Mitigator

321 Flow Collector Flow Collector regularly communi-cates with switches and collects the flow information whichcontains IP protocol IP sourcedestination address sourcedestination port the numbers of received packets receivedbytes duration etc -e flow information is helpful for theidentification of attack traffic And it will be transported toFeature Extractor for feature computation

322 Feature Extractor -is module extracts feature vec-tors from the collected flow information Network flows canbe classified through the flow feature vectors whose elementsare interconnected and reflect network conditioncharacteristics

During the DDoS process the attacker may use differentprotocols to attack the specific destination ports For

Start

In the EMSOM topology create neurons and initialize weights

Is there any training vectorin input space

Y

Compute the winning weights and update weights

In the search space create an available SOM topology

Get the SOM map

Input the training data and compute the mappingentropy of neurons in the map

Classify the neurons and compute the score of themap according to the mapping entropy

Is there any available topologyin the search space

Choose the suitable SOM map according to thescore

End

N

N

Y

Figure 3 Determination process of the suitable SOM map


example HTTP flooding mainly occupies port 80 -usprotocol and destination port are related to DDoS attacksMoreover the rate and size of the flow also reflect the lawand characteristics of attacks For example low-rate DDoSperiodically launches malicious attack traffic at a low rateand the packet size of network flow may change regularly-erefore it is necessary to count the flow duration andcalculate the average packet size APS in each flow by

APS 1113936

FEj Packetnumi1 Packet_sizei

FEj Packetnum (14)

FEj Packetnum is the packet number of the flow entryPacket sizei is the length of ith packet of the jth flow APScan describe the flow size

During the DDoS attacking process multiple sources areused to send massive data to the victim server which willbecome unavailable for legal users -us DDoS attacks canincrease traffic sharply so traffic generating speed reflectsthe network condition PR is the flow packets rate that is thenumber of packets transferred per second BR is the flowbyte rate that is the number of packets transmitted persecond PR and BR are calculated by

PR FEj Packetnum

duration (15)

BR FEj Bytenum

duration (16)

FEj Bytenum is the byte number of the flow -erefore thefeature vector comprises protocol flow duration destinationPort APS PR and BR

323 Flow Detector In Flow Detector EMSOM Classifierand KD-tree Identifier work together to detect networkflows Figure 4 illustrates the flow detection process whichcontains two stages flow classification and suspicious trafficfiltering based on EMSOM and suspicious flow identifica-tion based on KD-tree

EMSOM Classifier calculates the best match neuron forthe network flow in the first stage and divides them intonormal malicious and suspicious according to the types ofneurons And suspicious flows should be transported to KD-tree Identifier for fine-grained recognition Because EMSOMPreprocessor picks out dead neurons and suspicious neu-rons that may lead to a great classification error rate theaccuracy of EMSOM can be improved In the second stageKD-tree Identifier uses Best Bin First (BBF) [22] algorithmto search the g nearest training nodes of the suspicious flowin the KD-tree and computes the node number in eachcategory If most of the closest training nodes are normalthen the suspicious flow is identified as normal otherwisethe suspicious flow is judged as a DDoS attack -eEMSOM-KD detection method is described as Algorithm 1

324 Anomaly Mitigator When Flow Detector finds DDoSattacks it sends the attacking flow information to AnomalyMitigator AnomalyMitigator modifies the action field in the

flow table and sends modified flow tables to the OpenFlowswitch to discard attacking flows What is more AnomalyMitigator sends information about the attack flows (such asMAC IP port) and defense instructions to the firewall

4 Experiments and Performance Evaluation

-is section introduces the testing environment and processparameter adjustment and presents experiment details -eexperiment results are analyzed for performance evaluationof EMSOM-KD

41 Testing Environment Figure 5 presents the experi-mental topology which includes a Ryu controller the cloudserver OpenFlow switches legal user hosts and attackinghosts Before flow detection the cloud server deploys thetraining data set and preprocessed data in the controller Le-gitimate hosts use network applications to generate regulartraffic -e attacks use a DDoS tool such as Kali to developDDoS attacks -e training data set has 4000 flows including2000 normal flows and 2000 abnormal flows -e initialEMSOM-KD algorithm parameters are shown in Table 1

We use recall of attacking flowsRa precision of attackingflows Pa and F1 score to evaluate the performance ofEMSOM-KD F1 can measure the accuracy of the detectionmethod -e larger F1 the higher the accuracy of themethod Ra Pa and F1 are calculated as (17)ndash(19)

Ra TP

TP + FN (17)

Pa TP

TP + FP (18)

F1 2RaPa

Ra + Pa

(19)

TP is the number of the attacking flows that are identifiedcorrectly FN is the number of the attacking flows that aremisjudged FP is the number of the normal flows that aremistaken

42 Parameter Adjustment in Cloud Server -e cloud serverselects the suitable SOM map and classifies neurons in themap using the entropy measuring method in Section 3-en the parameters will be deployed in the edge SDNcontroller for DDoS detection

In order to find a suitable SOM map we use theK-means++ algorithm to cluster training nodes and calculateSSEk (SSEkminus1 minus SSEk)SSEk and (|SSEkminus1 minus SSEk||SSEkminus

SSEk+1|) for the different numbers of clusters -e range ofcluster number k is set as [2 100] -e calculation results areshown in Table 2

When k 7 (SSEkminus1 minus SSEk)SSEk has the max valueand k 38 (|SSEkminus1 minus SSEk||SSEk minus SSEk+1|) reaches amaximum -us α 7 and β 38 As shown in Figure 6 αis the knee point and SSEk is stable after β Let ε 2 and thesearch space of the neuron number is [7 76]


Start

Normalize the flow data

Compute the best matchneuron of the flow in the

SOM map

Check the neuron sets

It is the attackingflow

It is the normalflow

End EndIt is the suspicious flow

In NN In AN

In SN

Search the g nearesttraining nodes in KD-tree

If the normal number is more than (g ndash 1)2

Get the number of thenodes of each category

It is the normal flow

It is the attackingflowN

Y

End

End

Figure 4 Flow detection process based on EMSOM-KD

Input the detected flow vector SOM map abnormal neuron set AN normal neuron set NN suspicious neuron set SN KD-treeOutput the detection result

(1) For each network flow(2) Normalize the detected flow vector by (1)(3) Compute the best match neuron in the suitable SOM map(4) If the best match neuron is in NN then

-e detected flow is normalElse if the best match neuron is in AN then

-e detected flow is abnormal

ALGORITHM 1 Continued


Else-e detected flow is suspicious

End if(5) End for(4) For each suspicious flow

Search the g nearest nodes in the KD-treeCount the number of nodes of each typeIf the number of normal nodes is more than (g minus 1)2 then

-e detected flow is normalElse

-e detected flow is abnormalEnd for

ALGORITHM 1 DDoS detection based on EMSOM-KD

OpenFlow switch OpenFlow switch

Ryu controller

Legalhost

Attackinghost

Legalhost

Cloud server

Legalhost

Attackinghost

Figure 5 Experimental implementation topology

Table 1 Values of EMSOM-KD parameters

SOM parameter ValueNumber of training epoch 100Order learning rate 09Tuning learning rate 002Number of nearest nodes of KD-tree 7

Table 2 SSEk (SSEkminus1 minus SSEk)SSEk and (|SSEkminus1 minus SSEk||SSEk minus SSEk+1|) of the different cluster numbers

k SSEk (SSEkminus1 minus SSEk)SSEk (|SSEkminus1 minus SSEk||SSEk minus SSEk+1|)

5 7195819 05426 345986 8324315 minus01356 025487 3895981 11366 1220158 3533047 01027 076879 3060899 01543 0890936 1015119 00695 0300937 1249472 minus01876 1041438 1024431 02197 19017739 1012598 00117 11833


We utilize the scoring method to find a suitable SOMmap Five thousand test flows are used to evaluate theperformance of each SOM map in the search space Asshown in Table 3 the smaller the score the greater thepossibility that the map can detect most flows and has highdetection accuracy We choose L 5 R 13 as the suitableSOM map

-e neurons in this suitable map are divided intonormal abnormal and suspicious by the entropy mea-surement -e neuron classification result of the suitableSOM map is shown in Figure 7

43 Performance Evaluation of EMSOM-KD -e proposedmethod is tested with 2000 to 20000 flows containing thesame number of DDoS attacking flows and normal flowsWhat is more we compare EMSOM-KD with SOM typealgorithms such as SOM [29] and DSOM [30] and fast KNNtype algorithms such as KD-tree [25] SOM-KD [31] SOM-KD replaces the original training set with the trainedneurons to calculate the nearest neighbor nodes so it be-longs to the KNN type SOM and EMSOM-KD have the

same map size DSOM map size is 10 times 15 and SOM-KDmap size is 20 times 15

Figure 8 illustrates the ratio of suspicious flows filteredthrough the suitable SOM map to total flows -e radio ofsuspicious flows is less than 16 It means that EMSOM candirectly identify most attacking and normal flows and filterout a small number of suspicious flows that EMSOM cannotdetermine Some normal flows are similar to DDoS attacksso the suspicious flows include DDoS attacks and normalones

-ere are suspicious and dead neurons in the tradi-tional SOM map which affects the detection accuracy ofSOM EMSOM takes advantage of entropy measurementto exclude suspicious neurons and dead neurons anddetermine the suitable SOM map for high-precision flowidentification As shown in Figure 9 F1 value of EMSOMevaluating the direct classification of normal and ab-normal flows is higher than 0995 F1 of KD-tree assessingthe identification of suspicious flows filtered by EMSOMis more than 0965 Because suspicious flows have a smallamount the accuracy of EMSOM-KD is still higher than099

α = 7

β = 38

10 20 30 40 50 600Number of clusters

0

500

1000

1500

2000

2500

Sum

of t

he sq

uare

d er

rors

(SSE

)

Figure 6 SSEk values with different k

Table 3 Performance and score of different SOM maps

Map size L times R SFLtimesR SALtimesR ScoreLtimesR Suspicious flow number F1

4 times 11 01585 00299 23605 786 099445 times 11 01403 00314 23446 698 099296 times 11 0146 00246 23269 1145 099404 times 12 02205 00133 23694 1541 099585 times 12 01713 00100 22918 837 099776 times 12 01508 00095 22652 751 099644 times 13 01293 00177 22802 1072 099395 times 13 01573 00079 22633 781 099777 times 10 0141 00151 22822 711 099547 times 9 01533 00118 22802 1188 09971


1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13

Abnormal neuronNormal neuronSuspicious neuron

Figure 7 Neuron classification in the suitable SOM map

6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0

Number of detected network flows

0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal

Figure 8 -e radio of suspicious flows filtered by EMSOM


As shown in Figures 10 and 11 both recall and precisionof EMSOM-KD are better than other detection methods-at is EMSOM-KD has the lowest error rates of normaltraffic and DDoS attack recognition It implies that usingEMSOM-KD for DDoS mitigation is conducive to maintainregular network communication in SDN Figure 12

illustrates that compared with other algorithmsEMSOM-KD has the best F1 score -erefore the proposedDDoS detection method has the highest detection accuracy

Figure 13 shows the detection time of different methodsAs the number of flows grows the detection time of allmethods will increase -e consuming time of EMSOM-KD

100004000 80006000 12000 16000 180002000 14000 20000Number of detected network flows

095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re

EMSOMKD treeEMSOM-KD

Figure 9 -e detection accuracy of EMSOM-KD


094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM

Figure 10 Recall of EMSOM-KD and other detection methods


is larger than SOM type methods but is much shorter thanKNN type methods

During the EMSOM-KD detection process KD-treeneeds to identify suspicious traffic additionally It increasesthe detection time of EMSOM-KD compared with SOM typemethods As depicted in Figure 14 KD-tree takes up most ofthe inspection time during the detection process of EMSOM-

KD In other words the less suspicious flows the more ef-ficient EMSOM-KD And the amount of suspicious traffic issmall which reduces the consuming time of KD-tree

In conclusion EMSOM-KD improves the detectionaccuracy of SOM and KD-tree Moreover EMSOM-KDtakes advantage of SOM to obtain better detection efficiencycompared with KD-tree

2 3 4 5 6 7 8 9 101Number of detected flows

093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM

Figure 11 Precision of EMSOM-KD and other detection methods

0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM

Figure 12 F1-measure of EMSOM-KD and other detection methods


5 Conclusion and Future Work

SDN improves network flexibility and programmabilitythrough centralized control However it is vulnerable toDDoS network attacks which leads to network paralysis-erefore it is important to protect network security againstDDoS in SDN In this paper a cloud-edge collaborationdetection system is designed for efficient and precise DDoSdetection and a flow detection method based on EMSOM-KD is proposed EMSOM overcomes the blindness of SOMmap selection through the entropy measurement methodIt divides flows into three categories normal abnormaland suspicious -en KD-tree performs fine-grainedidentification of doubtable flows Moreover we did detailed

experiments for EMSOM-KD -e experimental resultsverified the efficiency and accuracy of the proposed method

Although this article proposes a Cloud-Edge Collabo-rationMethod for DDoS detection in SDN it is assumed thatthere is secure communication between the controller andthe cloud server However if the controller and the cloudserver are not in a secure communication environment andthe parameters may be tampered with the controller cannotperform DDoS detection In the future we will study thesignature encryption technology for secure communicationbetween the cloud server and the controller-e cloud serverwill sign and encrypt the parameters After receiving theparameters the controller will verify the integrity andvalidity of the data by decryption

Moreover EMSOM-KD can improve the accuracy ofSOM and KD-tree Still it depends on the historical trainingdata Our method will be enhanced by automatically col-lecting more training flows and updating parameters ofEMSOM-KD for further DDoS inspection accuracy

Data Availability

-e data used to support the findings of this study areavailable from the corresponding author upon request

Conflicts of Interest

-e authors declare that they have no conflicts of interest forthis paper

Acknowledgments

-is work was supported in part by the National NaturalScience Foundation of China under Grant nos 61672299

4000 6000 8000 1800012000 14000 16000 200002000 10000Number of detected network flows

0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM

Figure 13 Detection time of different methods

4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree

Figure 14 Detection time of EMSOM


61972208 and 61802200 Natural Science Foundation ofJiangsu Province under Grant no BK20180745 and Post-graduate Research amp Practice Innovation Program of JiangsuProvince under Grant no KYCX19_0914

References

[1] G Kaur and P Gupta ldquoClassifier for DDoS attack detection insoftware defined networksrdquo Internet of ings in BusinessTransformation Developing an Engineering and BusinessStrategy for Industry 50 vol 20 pp 71ndash90 2021

[2] S A Gagangeet C Rajat K Kuljeet et al ldquoSAFE SDN-assisted framework for edgendashcloud interplay in securehealthcare ecosystemrdquo IEEE Transactions On Industrial In-formatics vol 15 no 1 pp 469ndash480 2019

[3] Z Lv andW Xiu ldquoInteraction of edge-cloud computing basedon SDN and NFV for next generation IoTrdquo IEEE Internet ofings Journal vol 7 no 7 pp 5706ndash5712 2020

[4] R Muntildeoz R Vilalta R Casellas et al ldquoOrchestration ofoptical networks and cloudedge computing for IoT servicesrdquo2019

[5] A Shalimov D Zuikov D Zimarina V Pashkov andR Smeliansky ldquoAdvanced study of SDNOpenFlow con-trollersrdquo in Proceedings of the 9th Central amp Eastern EuropeanSoftware Engineering Conference in Russia pp 1ndash6 Associ-ation for Computing Machinery Moscow Russia 2013

[6] J Singh and S Behal ldquoDetection and mitigation of DDoSattacks in SDN a comprehensive review research challengesand future directionsrdquo Computer Science Review vol 372020

[7] M P Singh and A Bhandari ldquoNew-flow based DDoS attacksin SDN taxonomy rationales and research challengesrdquoComputer Communications vol 154 pp 509ndash527 2020

[8] N Dao T V Phan J Kim T Bauschert and S CholdquoSecuring heterogeneous Iot with intelligent DDOS attackbehavior learningrdquo 2017

[9] K Johnson Singh and T De ldquoMathematical modelling ofDDoS attack and detection using correlationrdquo Journal ofCyber Security Technology vol 1 no 3-4 pp 175ndash186 2017

[10] R Doshi N Apthorpe and N Feamster ldquoMachine learningddos detection for consumer internet of things devicesrdquo 2018

[11] T V Phan T G Nguyen N-N Dao T T HuongN H -anh and T Bauschert ldquoDeepGuard efficientanomaly detection in SDN with fine-grained traffic flowmonitoringrdquo IEEE Transactions On Network and ServiceManagement vol 17 no 3 pp 1349ndash1362 2020

[12] J D Gadze A A Bamfo-Asante J O Agyemang et al ldquoAninvestigation into the application of deep learning in thedetection and mitigation of DDOS attack on SDN control-lersrdquo Technologies vol 9 no 1 2021

[13] J Galeano-Brajones J Carmona-Murillo J F Valenzuela-Valdes et al ldquoDetection and mitigation of dos and ddosattacks in iot-based stateful sdn an experimental approachrdquoSensors vol 20 no 3 2020

[14] R F Fouladi O Ermis and E Anarim ldquoA DDoS attackdetection and defense scheme using time-series analysis forSDNrdquo Journal of Information Security and Applicationsvol 54 2020

[15] N Z Bawany and J A Shamsi ldquoSEAL SDN based secure andagile framework for protecting smart city applications fromDDoS attacksrdquo Journal of Network and Computer Applica-tions vol 145 2019

[16] K S Sahoo D Puthal M Tiwary J J P C RodriguesB Sahoo and R Dash ldquoAn early detection of low rate DDoS

attack to SDN based data center networks using informationdistance metricsrdquo Future Generation Computer Systemsvol 89 pp 685ndash697 2018

[17] A B Dehkordi M Soltanaghaei and F Z Boroujeni ldquo-eDDoS attacks detection through machine learning and sta-tistical methods in SDNrdquo e Journal of Supercomputingvol 34 pp 1ndash33 2020

[18] R Li and BWu ldquoEarly detection of DDoS based on φ-entropyin SDN networksrdquo 2020

[19] J Cui M Wang Y Luo and H Zhong ldquoDDoS detectionand defense mechanism based on cognitive-inspired com-puting in SDNrdquo Future Generation Computer Systems vol 97pp 275ndash283 2019

[20] M Shakil AF Y Mohammed R Arul et al A Novel Dy-namic Framework to Detect DDoS in SDN Using MetaheuristicClustering Transactions on Emerging TelecommunicationsTechnologies Shanghai China 2019

[21] Y Chen J Pei and D Li ldquoDETPro a high-efficiency andlow-latency system against DDoS attacks in SDN based ondecision treerdquo 2019

[22] M Latah and L Toker ldquoTowards an efficient anomaly-basedintrusion detection for software-defined networksrdquo Iet Net-works vol 7 no 6 pp 453ndash459 2018

[23] N N Tuan P H Hung N D Nghia et al ldquoA DDoS attackmitigation scheme in ISP networks using machine learningbased on SDNrdquo Electronics vol 9 no 3 2020

[24] S Dong and M Sarem ldquoDDoS attack detection method basedon improved KNN with the degree of DDoS attack in soft-ware-defined networksrdquo IEEE Access vol 8 pp 5039ndash50482019

[25] L Zhu X Tang M Shen X Du and M Guizani ldquoPrivacy-preserving DDoS attack detection using cross-domain trafficin software defined networksrdquo IEEE Journal On Selected Areasin Communications vol 36 no 3 pp 628ndash643 2018

[26] Z Liu Y He W Wang and B Zhang ldquoDDoS attack de-tection scheme based on entropy and PSO-BP neural networkin SDNrdquo China Communications vol 16 no 7 pp 144ndash1552019

[27] O Hannache and M C Batouche ldquoNeural network-basedapproach for detection and mitigation of DDoS attacks inSDN environmentsrdquo International Journal of InformationSecurity and Privacy vol 14 no 3 pp 50ndash71 2020

[28] B Han X Yang Z Sun J Huang and J Su ldquoOverWatch Across-plane DDoS attack defense framework with collabo-rative intelligence in SDNrdquo Security and CommunicationNetworks vol 2018 2018

[29] T Wang and H Chen ldquoSGuard A lightweight SDN safe-guard architecture for DoS attacksrdquo China Communicationsvol 14 no 6 pp 113ndash125 2017

[30] T V Phan N K Bao and M Park ldquoDistributed-SOM anovel performance bottleneck handler for large-sized soft-ware-defined networks under flooding attacksrdquo Journal ofNetwork and Computer Applications vol 91 pp 14ndash25 2017

[31] T M Nam P H Phong T D Khoa et al ldquoSelf-organizingmap-based approaches in DDoS flooding detection usingSDNrdquo 2018

[32] S Garg K Kaur N Kumar and J J P C Rodrigues ldquoHybriddeep-learning-based anomaly detection scheme for suspiciousflow detection in SDN a social multimedia perspectiverdquo IEEETransactions On Multimedia vol 21 no 3 pp 566ndash578 2019

[33] A Lara A Kolasani and B Ramamurthy ldquoNetwork inno-vation using openflow a surveyrdquo IEEE CommunicationsSurveys amp Tutorials vol 16 no 1 pp 493ndash512 2013


[34] A Gupta S Datta and S Das ldquoFast automatic estimation ofthe number of clusters from the minimum inter-center dis-tance for k-means clusteringrdquo Pattern Recognition Lettersvol 116 pp 72ndash79 2018

[35] D Arthur and S Vassilvitskii ldquok-means++ the advantages ofcareful seedingrdquo 2006

[36] D Marutho S H Handaka and E Wijaya ldquo-e determi-nation of cluster number at k-mean using elbow method andpurity evaluation on headline newsrdquo 2018

[37] D Miljkovic ldquoBrief review of self-organizing mapsrdquo 2017[38] P Ram and K Sinha ldquoRevisiting kd-tree for nearest neighbor

searchrdquo in Proceedings of the 25th ACM SIGKDD Interna-tional Conference on Knowledge Discovery amp Data Miningpp 1378ndash1388 Association for Computing Machinery An-chorage AK USA 2019


neural network which is not set automatically can affect thedetection accuracy -ere are dead neurons that have neverbeen mapped by training data and suspicious neurons thatmap similar numbers of normal and abnormal training data-ese neurons lower the detection precision of SOM High-precision flow detection can protect the communicationsecurity of SDN K-Nearest Neighbor (KNN) has high de-tection accuracy of DDoS detection [10] However its hightime-consuming leads to detection delays and puts tre-mendous pressure on the controller -erefore an efficientand accurate detection method is essential for DDoS defensein SDN Moreover parameters calculation of the detectionmethod can increase the centralized controller overhead andcompromise the controller performance

SDNDDoS detection framework can be divided into twomain modes In the first mode the smart DDOS detectionalgorithm such as the deep learning algorithm [11 12] isdeployed in the controller However the smart algorithmtraining process can significantly impact the controller andmake the controller be the network bottleneck In the secondmode the lightweight algorithm such as the entropy-basedalgorithm is used by switches [13] to detect abnormal flowsand share the controller workload But switches have limitedcomputing and storage resources and additional detectionworkload of switches may affect network communicationUnlike previous researches we propose a cloud-edgecollaboration DDoS detection method -e cloud servercomputes the parameters and implements the trainingprocess of the improved smart algorithm to reduce theburden on the controller -e controller can detect DDoSattacks efficiently and accurately by the improved algorithmcombining Entropy-Measuring SOM and KD-tree Ourcontributions are summarized as follows

(1) A cloud-edge collaboration DDoS detection frame-work is designed for SDN It decouples parametercalculation from flow detection -e cloud performsthe detecting parameter calculation and it helps theedge controller focus on traffic detection to reducethe workload

(2) A detection method based on Entropy-MeasuringSOM and KD-tree (EMSOM-KD) is proposed toefficiently and precisely detect network traffic Ascoring scheme is built by the entropy measurementto compute a suitable SOM map which can classifyflows precisely and filter out a small number ofsuspicious flows -en KD-tree is utilized for theidentification of suspicious flows

(3) -e experiments are made in detail to verify theproposed methodrsquos effectiveness and efficiency

-e remainder of this paper is organized as follows therelated work of DDoS detection for SDN is introduced inSection 2 Section 3 introduces a cloud-edge collaborationframework for DDoS detection in SDN and presents thedetails of EMSOM-KD detection algorithm In Section 4experiments are conducted for the performance evaluationof the proposed method Section 5 concludes the paper andpoints out the future work

2 Related Work

DDOS detection solutions for SDN networks can be mainlydivided into statistical solutions machine learning-basedsolutions and artificial neural networks-based solutions

-e statistical detection solutions monitor and count theflow information of SDN and then compares the statisticalvalue with the threshold to determine whether the traffic isan attack Fouladi [14] and Bawany [15] used filters and setdynamic thresholds to detect instant abnormal changesSahoo et al [16ndash18] utilized information entropy-basedmethods to detect DDoS attacks in the control plane Al-though the statistics-based scheme is efficient andstraightforward the threshold value setting that requiresmultiple statistics is difficult

Machine learning solutions use clustering algorithmsdecision tree SVM KNN etc as classifiers to determine theDDoS attacks Cui [19] computed the dual address entropy asthe main feature and utilized SVM to detect flows In theresearch [20] a whale optimization algorithm is proposedfor DDoS detection in SDN Chen [21] modified the decisiontree algorithm to detect the SDN network state Latah [22]compared KNNwith other machine learning algorithms andshowed that KNN has high detection precision Tuan [23]and Dong [24] deployed the KNN-based detector in thecontroller for high-precision anomaly detection But thetraditional KNN needs to calculate the distance between thedetection point and each training point and causes signif-icant detection delay To reduce the calculation time oftraditional KNN k-dimensional (KD) tree was established[25] to realize rapid search of the nearest k points whilemaintaining the accuracy of KNN However the detectionspeed of KD-tree still needs to be further improved to realizeefficient DDoS detection in SDN

Solutions of artificial neural networks (ANN) simulatethe human brain structure to abstract knowledge throughautomatic learning for flow identification [26] Hannache[27] proposed a Neural Network based Traffic Flow Classifier(TFC-NN) to detect DDoS attacks in the SDN environmentHan [28] combined autoencoder and softmax classifier forDDoS detection -e complex training process of ANN putscomputational pressure on the controller As one of ANNalgorithms SOM trains the neurons to form the SOM mapwhose different units represent different traffic types [29]Because of its efficient classification capability SOM iswidely used for DDoS detection in SDN Trung [30]designed a distributed SOM for flooding attacks Tran[31] combined SOM with KNN for the improvement ofSOM detection accuracy -e topological structure of theSOM map which is not automatically set can affect thedetection results -us it needs to be improved for de-tection precision

Based on the comprehensive analysis above an efficientand accurate DDoS detection method is the key to DDoSdefense in SDN -e parameter calculation of the detectionalgorithm consumes the controller resources and affects itsperformance -erefore we design a cloud-edge collabo-ration architecture to strip the preprocessing calculation ofDDoS detection from the controller and improve the








y11

Vy12 V

yminus1Nminus1 V





vijprime








SSEk 1113944k

i11113936

VisinCi

V minus Ui

(2)


α argmaxk2km


SSEk

1113888 1113889 (3)


β argmaxk2km


11138681113868111386811138681113868111386811138681113868

SSEk minus SSEk+11113868111386811138681113868

1113868111386811138681113868 (4)








ENTi minusai

ai + bi

1113888 1113889lnai

ai + bi

1113888 1113889 minusbi

ai + bi

1113888 1113889lnbi

ai + bi

1113888 1113889

(5)





T 1113944LtimesR

i1

ENTi

L times R (6)





ai + bi

2n (7)




ai + bi

2nmiddot ENTi1113888 1113889 + 1113944

iisinAN

ai + bi

2nmiddot ENTi1113888 1113889

(8)



Cloud server

Switch

Edge controller

SwitchSwitch

Edge controller

SwitchSwitch


EMSOM classifier

KD-tree identifier


(ii)

(i)

(i)






SALtimesR

radic

(9)



ScoreLtimesR (10)






1113944

m

j1

11139741113972

vhj minus wij1113872 11138732

(11)


EMSOM preprocesser


Normal neuronset

SOM map



set



Database

Cloud server

Edgecontroller

Database

Flow table

Flow entries

Receivedpackets


Ingressport

Ethernetsrc

Ethernetdst

Ethernettype

VLAN id



Portsrc


Transmitpackets

Transmitbytes



Switch


Feature extractor


Flow information


KD-tree identifier

KD-tree

EMSOM classifier

SOM map

Normal neuronset

Abnormal neuronset


Anomaly mitigator

Mitigation policy

Suspiciousflows

Flow detector

DDoSattacks





(12)




li argminzisinΔ

Vi minus Wz

1113872 1113873 (13)












Start



Y



Get the SOM map





End

N

N

Y




APS 1113936


FEj Packetnum (14)



PR FEj Packetnum

duration (15)

BR FEj Bytenum

duration (16)










Ra TP

TP + FN (17)

Pa TP

TP + FP (18)

F1 2RaPa

Ra + Pa

(19)







Start



SOM map





In NN In AN

In SN






Y

End

End















Ryu controller

Legalhost

Attackinghost

Legalhost

Cloud server

Legalhost

Attackinghost






5 7195819 05426 345986 8324315 minus01356 025487 3895981 11366 1220158 3533047 01027 076879 3060899 01543 0890936 1015119 00695 0300937 1249472 minus01876 1041438 1024431 02197 19017739 1012598 00117 11833








α = 7

β = 38


0

500

1000

1500

2000

2500

Sum

of t

he sq

uare

d er

rors

(SSE

)






1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13



6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0


0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal







095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References
















































y11

Vy12 V

yminus1Nminus1 V





vijprime








SSEk 1113944k

i11113936

VisinCi

V minus Ui

(2)


α argmaxk2km


SSEk

1113888 1113889 (3)


β argmaxk2km


11138681113868111386811138681113868111386811138681113868

SSEk minus SSEk+11113868111386811138681113868

1113868111386811138681113868 (4)








ENTi minusai

ai + bi

1113888 1113889lnai

ai + bi

1113888 1113889 minusbi

ai + bi

1113888 1113889lnbi

ai + bi

1113888 1113889

(5)





T 1113944LtimesR

i1

ENTi

L times R (6)





ai + bi

2n (7)




ai + bi

2nmiddot ENTi1113888 1113889 + 1113944

iisinAN

ai + bi

2nmiddot ENTi1113888 1113889

(8)



Cloud server

Switch

Edge controller

SwitchSwitch

Edge controller

SwitchSwitch


EMSOM classifier

KD-tree identifier


(ii)

(i)

(i)






SALtimesR

radic

(9)



ScoreLtimesR (10)






1113944

m

j1

11139741113972

vhj minus wij1113872 11138732

(11)


EMSOM preprocesser


Normal neuronset

SOM map



set



Database

Cloud server

Edgecontroller

Database

Flow table

Flow entries

Receivedpackets


Ingressport

Ethernetsrc

Ethernetdst

Ethernettype

VLAN id



Portsrc


Transmitpackets

Transmitbytes



Switch


Feature extractor


Flow information


KD-tree identifier

KD-tree

EMSOM classifier

SOM map

Normal neuronset

Abnormal neuronset


Anomaly mitigator

Mitigation policy

Suspiciousflows

Flow detector

DDoSattacks





(12)




li argminzisinΔ

Vi minus Wz

1113872 1113873 (13)












Start



Y



Get the SOM map





End

N

N

Y




APS 1113936


FEj Packetnum (14)



PR FEj Packetnum

duration (15)

BR FEj Bytenum

duration (16)










Ra TP

TP + FN (17)

Pa TP

TP + FP (18)

F1 2RaPa

Ra + Pa

(19)







Start



SOM map





In NN In AN

In SN






Y

End

End















Ryu controller

Legalhost

Attackinghost

Legalhost

Cloud server

Legalhost

Attackinghost






5 7195819 05426 345986 8324315 minus01356 025487 3895981 11366 1220158 3533047 01027 076879 3060899 01543 0890936 1015119 00695 0300937 1249472 minus01876 1041438 1024431 02197 19017739 1012598 00117 11833








α = 7

β = 38


0

500

1000

1500

2000

2500

Sum

of t

he sq

uare

d er

rors

(SSE

)






1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13



6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0


0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal







095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References













































ENTi minusai

ai + bi

1113888 1113889lnai

ai + bi

1113888 1113889 minusbi

ai + bi

1113888 1113889lnbi

ai + bi

1113888 1113889

(5)





T 1113944LtimesR

i1

ENTi

L times R (6)





ai + bi

2n (7)




ai + bi

2nmiddot ENTi1113888 1113889 + 1113944

iisinAN

ai + bi

2nmiddot ENTi1113888 1113889

(8)



Cloud server

Switch

Edge controller

SwitchSwitch

Edge controller

SwitchSwitch


EMSOM classifier

KD-tree identifier


(ii)

(i)

(i)






SALtimesR

radic

(9)



ScoreLtimesR (10)






1113944

m

j1

11139741113972

vhj minus wij1113872 11138732

(11)


EMSOM preprocesser


Normal neuronset

SOM map



set



Database

Cloud server

Edgecontroller

Database

Flow table

Flow entries

Receivedpackets


Ingressport

Ethernetsrc

Ethernetdst

Ethernettype

VLAN id



Portsrc


Transmitpackets

Transmitbytes



Switch


Feature extractor


Flow information


KD-tree identifier

KD-tree

EMSOM classifier

SOM map

Normal neuronset

Abnormal neuronset


Anomaly mitigator

Mitigation policy

Suspiciousflows

Flow detector

DDoSattacks





(12)




li argminzisinΔ

Vi minus Wz

1113872 1113873 (13)












Start



Y



Get the SOM map





End

N

N

Y




APS 1113936


FEj Packetnum (14)



PR FEj Packetnum

duration (15)

BR FEj Bytenum

duration (16)










Ra TP

TP + FN (17)

Pa TP

TP + FP (18)

F1 2RaPa

Ra + Pa

(19)







Start



SOM map





In NN In AN

In SN






Y

End

End















Ryu controller

Legalhost

Attackinghost

Legalhost

Cloud server

Legalhost

Attackinghost






5 7195819 05426 345986 8324315 minus01356 025487 3895981 11366 1220158 3533047 01027 076879 3060899 01543 0890936 1015119 00695 0300937 1249472 minus01876 1041438 1024431 02197 19017739 1012598 00117 11833








α = 7

β = 38


0

500

1000

1500

2000

2500

Sum

of t

he sq

uare

d er

rors

(SSE

)






1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13



6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0


0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal







095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References













































SALtimesR

radic

(9)



ScoreLtimesR (10)






1113944

m

j1

11139741113972

vhj minus wij1113872 11138732

(11)


EMSOM preprocesser


Normal neuronset

SOM map



set



Database

Cloud server

Edgecontroller

Database

Flow table

Flow entries

Receivedpackets


Ingressport

Ethernetsrc

Ethernetdst

Ethernettype

VLAN id



Portsrc


Transmitpackets

Transmitbytes



Switch


Feature extractor


Flow information


KD-tree identifier

KD-tree

EMSOM classifier

SOM map

Normal neuronset

Abnormal neuronset


Anomaly mitigator

Mitigation policy

Suspiciousflows

Flow detector

DDoSattacks





(12)




li argminzisinΔ

Vi minus Wz

1113872 1113873 (13)












Start



Y



Get the SOM map





End

N

N

Y




APS 1113936


FEj Packetnum (14)



PR FEj Packetnum

duration (15)

BR FEj Bytenum

duration (16)










Ra TP

TP + FN (17)

Pa TP

TP + FP (18)

F1 2RaPa

Ra + Pa

(19)







Start



SOM map





In NN In AN

In SN






Y

End

End















Ryu controller

Legalhost

Attackinghost

Legalhost

Cloud server

Legalhost

Attackinghost






5 7195819 05426 345986 8324315 minus01356 025487 3895981 11366 1220158 3533047 01027 076879 3060899 01543 0890936 1015119 00695 0300937 1249472 minus01876 1041438 1024431 02197 19017739 1012598 00117 11833








α = 7

β = 38


0

500

1000

1500

2000

2500

Sum

of t

he sq

uare

d er

rors

(SSE

)






1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13



6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0


0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal







095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References












































(12)




li argminzisinΔ

Vi minus Wz

1113872 1113873 (13)












Start



Y



Get the SOM map





End

N

N

Y




APS 1113936


FEj Packetnum (14)



PR FEj Packetnum

duration (15)

BR FEj Bytenum

duration (16)










Ra TP

TP + FN (17)

Pa TP

TP + FP (18)

F1 2RaPa

Ra + Pa

(19)







Start



SOM map





In NN In AN

In SN






Y

End

End















Ryu controller

Legalhost

Attackinghost

Legalhost

Cloud server

Legalhost

Attackinghost






5 7195819 05426 345986 8324315 minus01356 025487 3895981 11366 1220158 3533047 01027 076879 3060899 01543 0890936 1015119 00695 0300937 1249472 minus01876 1041438 1024431 02197 19017739 1012598 00117 11833








α = 7

β = 38


0

500

1000

1500

2000

2500

Sum

of t

he sq

uare

d er

rors

(SSE

)






1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13



6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0


0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal







095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References











































APS 1113936


FEj Packetnum (14)



PR FEj Packetnum

duration (15)

BR FEj Bytenum

duration (16)










Ra TP

TP + FN (17)

Pa TP

TP + FP (18)

F1 2RaPa

Ra + Pa

(19)







Start



SOM map





In NN In AN

In SN






Y

End

End















Ryu controller

Legalhost

Attackinghost

Legalhost

Cloud server

Legalhost

Attackinghost






5 7195819 05426 345986 8324315 minus01356 025487 3895981 11366 1220158 3533047 01027 076879 3060899 01543 0890936 1015119 00695 0300937 1249472 minus01876 1041438 1024431 02197 19017739 1012598 00117 11833








α = 7

β = 38


0

500

1000

1500

2000

2500

Sum

of t

he sq

uare

d er

rors

(SSE

)






1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13



6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0


0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal







095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References










































Start



SOM map





In NN In AN

In SN






Y

End

End















Ryu controller

Legalhost

Attackinghost

Legalhost

Cloud server

Legalhost

Attackinghost






5 7195819 05426 345986 8324315 minus01356 025487 3895981 11366 1220158 3533047 01027 076879 3060899 01543 0890936 1015119 00695 0300937 1249472 minus01876 1041438 1024431 02197 19017739 1012598 00117 11833








α = 7

β = 38


0

500

1000

1500

2000

2500

Sum

of t

he sq

uare

d er

rors

(SSE

)






1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13



6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0


0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal







095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References

















































Ryu controller

Legalhost

Attackinghost

Legalhost

Cloud server

Legalhost

Attackinghost






5 7195819 05426 345986 8324315 minus01356 025487 3895981 11366 1220158 3533047 01027 076879 3060899 01543 0890936 1015119 00695 0300937 1249472 minus01876 1041438 1024431 02197 19017739 1012598 00117 11833








α = 7

β = 38


0

500

1000

1500

2000

2500

Sum

of t

he sq

uare

d er

rors

(SSE

)






1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13



6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0


0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal







095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References
















































α = 7

β = 38


0

500

1000

1500

2000

2500

Sum

of t

he sq

uare

d er

rors

(SSE

)






1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13



6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0


0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal







095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References










































1 2 3 4 5

6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31 32 33 34 35

36 37 38 39 40

41 42 43 44 45

46 47 48 49 50

51 52 53 54 55

56 57 58 59 60

61 62 63 64 65

2 31 54

1

2

3

4

5

6

7

8

9

10

11

12

13



6000

8000

2000

4000

2000

0

1400

0

1600

0

1800

0

1200

0

1000

0


0002004006008

01012014016

The r

atio

of s

uspi

ciou

s flow

s

DDoSNormal







095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References














































095

0955

096

0965

097

0975

098

0985

099

0995

1

F1-m

easu

re




094

095

096

097

098

099

1

Reca

ll

EMSOM-KDKD-treeDSOM

SOM-KDSOM








093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References















































093

094

095

096

097

098

099

1

Prec

ision

EMSOM-KDKD-treeDSOM

SOM-KDSOM


0955

096

0965

097

0975

098

0985

099

0995

F1-m

easu

re


SOM-KDSOM

EMSOM-KDKD-treeDSOM








Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References















































Data Availability




Acknowledgments



0

05

1

15

2

25

3

Tim

e (s)

EMSOM-KDKD-treeDSOM

SOM-KDSOM


4000

1000

0

2000

0

6000

1200

0

1400

0

1600

0

1800

0

8000

2000


0

01

02

03

04

05

06

EMSO

M-K

D d

etec

tion

time (

s)

EMSOMKD-tree




References











































References










































DDoS Detection Using a Cloud-Edge Collaboration Method ...

Documents

Transcript of DDoS Detection Using a Cloud-Edge Collaboration Method ...