SD-Honeypot Integration for Mitigating DDoS Attack Using Machine Learning Approaches

Distributed Denial of Services (DDoS) is still considered the main availability problem in computer networks. Developing a programmable Intrusion Prevention System (IPS) application in a Software Defined Network (SDN) may solve the specified problem. However, the deployment of centralized logic control can create a single point of failure on the network. This paper proposed the integration of Honeypot Sensor (Suricata) on the SDN environment, namely the SD-Honeypot network, to resolve the DDoS attack using a machine learning approach. The application employed several algorithms (Support Vector Machine (SVM), Multilayer Perceptron (MLP), Gaussian Naive Bayes (GNB), K-Nearest Neighbors (KNN), Classification and Regression Trees (CART), and Random Forest (RF)) and comparatively analyzed. The dataset used during the emulation utilized the extracted Internet Control Message Protocol (ICMP) flood data from the Suricata sensor. In order to measure the effectiveness of detection and mitigation modules, several variables were examined, namely, accuracy, precision, recall, and the promptness of the flow mitigation installation process. The Honeypot server transmitted the flow rule modification message for blocking the attack using the Representational State Transfer Application Programming Interface (REST API). The experiment results showed the effectiveness of CART algorithm for detecting and resolving the intrusion. Despite the accuracy score pointed at 69-70%, the algorithm could promptly deploy the mitigation flow within 31-49ms compared to the SVM, which produced 93-94% accuracy, but the flow installation required 112-305ms. The developed CART module can be considered a solution to prevent the attack effectively based on the analyzed variable