Examining the Robustness of Learning-Based DDoS Detection in Software Defined Networks

With the rapid development of Software-Defined Networking (SDN) advocating a centralized view of networks, efficient and reliable Distributed Denial of Service (DDoS) defenses are necessary to protect the centralized SDN controller. Recently, an amalgamation of work has realized such defenses using Deep Learning (DL) based algorithms. Although DL-based algorithms are generally prone to adversarial learning attacks, the extent to which those attacks are applicable to DDoS defenses in SDN is unexamined. In this work, we explore the robustness of DL-based DDoS defenses in SDN against adversarial learning attacks. First, we investigate generic off-the-shelf adversarial attacks to test the robustness of DDoS defenses in SDN, and demonstrate that while they lead to misclassification, these attacks do not preserve the characteristics of flows. As a result, we propose Flow-Merge for realistic adversarial flows while achieving a high evasion rate, with both targeted and untargeted misclassification attacks. The proposed Flow-Merge is able to force the DL-based DDoS defenses to misclassify 100% of benign flows as malicious, while preserving original characteristics of flows. Using state-of-the-art defenses, we show that the adversarial flows generated using Flow-Merge are difficult to detect, with only 49.31% detection rate when using adversarial training.