DOCUS-DDoS detection in SDN using modified CUSUM with flash traffic discrimination and mitigation

Software Defined Networking (SDN) is a network paradigm with a significant philosophy of separating the data plane from the control plane. This separation helps in achieving centralized control over the entire network and faster data transmission. However, SDN suffers from network security challenges; Distributed Denial of Service (DDoS) is one such significant challenge. Most of the existing SDN DDoS attack detection models have an issue with identifying the genuine benign flash traffic as a DDoS attack. In this paper, we develop DOCUS (DDoS detection in SDN by modified CUSUM) to overcome this major issue, i.e., to identify and separate flash traffic while detecting DDoS attacks, thus reducing false detection of benign traffic as an attack. The emulated experiment results show that the DOCUS model effectively detects DDoS attacks targeted toward a web server in a given network. We compare the DOCUS detection scheme with existing research schemes and show that the average DDoS attack detection time for DOCUS is 83.3% less than recent schemes proposed in the literature. We also compare our flash detection model with the existing literature scheme. We show that DOCUS efficiently identifies flash traffic as benign and attack traffic as DDoS attacks under various scenarios. DOCUS also mitigates the attack by identifying and blocking the attack traffic from all the attackers.