Deep network approach with stacked sparse autoencoders in detection of DDoS attacks on SDN‐based VANET
2020; Institution of Engineering and Technology; Volume: 14; Issue: 22 Linguagem: Inglês
10.1049/iet-com.2020.0477
ISSN1751-8636
AutoresHüseyin Polat, Muammer Türkoğlu, Onur Polat,
Tópico(s)Advanced Malware Detection Techniques
ResumoIET CommunicationsVolume 14, Issue 22 p. 4089-4100 Research ArticleFree Access Deep network approach with stacked sparse autoencoders in detection of DDoS attacks on SDN-based VANET Huseyin Polat, Huseyin Polat orcid.org/0000-0003-4128-2625 Department of Computer Engineering, Faculty of Technology, Gazi University, Ankara, 06500 TurkeySearch for more papers by this authorMuammer Turkoglu, Muammer Turkoglu Department of Computer Engineering, Bingol University, Bingol, 12400 TurkeySearch for more papers by this authorOnur Polat, Corresponding Author Onur Polat onurpolat@gazi.edu.tr orcid.org/0000-0001-9313-4910 Department of Computer Engineering, Faculty of Technology, Gazi University, Ankara, 06500 TurkeySearch for more papers by this author Huseyin Polat, Huseyin Polat orcid.org/0000-0003-4128-2625 Department of Computer Engineering, Faculty of Technology, Gazi University, Ankara, 06500 TurkeySearch for more papers by this authorMuammer Turkoglu, Muammer Turkoglu Department of Computer Engineering, Bingol University, Bingol, 12400 TurkeySearch for more papers by this authorOnur Polat, Corresponding Author Onur Polat onurpolat@gazi.edu.tr orcid.org/0000-0001-9313-4910 Department of Computer Engineering, Faculty of Technology, Gazi University, Ankara, 06500 TurkeySearch for more papers by this author First published: 16 February 2021 https://doi.org/10.1049/iet-com.2020.0477Citations: 10AboutSectionsPDF ToolsRequest permissionExport citationAdd to favoritesTrack citation ShareShare Give accessShare full text accessShare full-text accessPlease review our Terms and Conditions of Use and check box below to share full-text version of article.I have read and accept the Wiley Online Library Terms and Conditions of UseShareable LinkUse the link below to share a full-text version of this article with your friends and colleagues. Learn more.Copy URL Share a linkShare onFacebookTwitterLinkedInRedditWechat Abstract Software-defined network (SDN)-based vehicular ad hoc network (VANET) is an outstanding technology for smart transportation as it increases traffic safety, efficiency, comfort, and manageability. However, despite all its benefits and good performance, SDN-based VANET is vulnerable to attack threats such as distributed denial of service (DDoS). When SDN-based VANET systems are exposed to DDoS attacks, this may affect traffic safety, causing traffic accidents and deaths. Therefore, the relevant security threats need to be addressed before integrating the SDN-based VANETs into smart transportation systems. In this study, the stacked sparse autoencoder (SSAE) + Softmax classifier deep network model is proposed to detect DDoS attacks targeting SDN-based VANETs. The features in the dataset obtained from the SDN-based VANET were reduced dimensionally utilising SSAE, and the most significant features were obtained. Then, these features were used as input into the Softmax classifier. According to the experimental results, the best accuracy scores were calculated as 96.9% using the four-layer SSAE + Softmax classifier deep network model proposed. When compared, the results demonstrate the SSAE + Softmax classifier deep network model proposed can obtain better results in the classification of DDoS attacks and is more successful than the other machine learning classifiers. 1 Introduction In the modern world, travels are mostly carried out by private vehicles, and the spread of road transport challenges transportation infrastructures and transportation security. For this reason, smart transportation systems are needed to prevent traffic accidents that can seriously harm human life and for safe and comfortable travel and road transportation. Smart transportation systems can be used to exchange important and useful information between vehicle drivers, such as traffic information, accidents, emergencies and road constructions, and so on [[1]]. Automated information exchange can enable drivers to have more control of traffic, receive early warnings, and create an alternative route for travel to prevent accidents. In the exchange of information between vehicles, VANET technology is seen as an important technology for smart transportation as it allows the use of many applications that increase traffic safety and efficiency. VANET is a self-organising wireless network infrastructure whose nodes are mobile vehicles that do not need a fixed base station. In VANET, vehicles can communicate directly with each other (vehicle-to-vehicle) and with the communication infrastructure (vehicle-to-infrastructure) via the roadside units (RSUs). RSUs are connected to the backbone network, facilitating the exchange of information between vehicles and between vehicles and infrastructure. RSUs can be located, for example, on sides of the roads, on traffic lights, or in junction areas. Thanks to VANET technology, vehicles may be able to message each other and set a traffic-intensive route to avoid congested traffic [[2]]. VANET also enables applications that offer additional convenience for drivers and passengers, thanks to its internet access capabilities [[3]]. VANET's network topology is extremely dynamic due to high vehicle speeds. Therefore, the rapid increase in the number of nodes in the network makes it difficult to scale and manage VANETs. However, due to its potential flexibility, SDN technology may offer VANETs scalability and better management. The separation of control and data layers in SDN makes it easier to manage this network, even if the number of nodes in VANET increases rapidly [[4]]. Besides, VANET is suggested to be part of the fifth generation (5G) technology, where SDN is already the main activator of 5G. The SDN architecture consists of three layers: data, control, and application layers. Devices such as switches, routers, wireless devices, and vehicles are located in the data layer. Devices located in the data layer perform the packet transmission based on the rules determined by the controller. The control logic in SDN does not create rules for packet forwarding only. It breaks the barrier between data connection settings and layers, and thanks to the instant status information it receives, it provides real-time control over the rules set for users and instant network status. The controller, the brain of the SDN, is located in the control layer. The controller makes decisions about how data layer devices transmit the flow and how the flow is regulated. Application layer: it consists of software applications (security, routing applications etc.) required for programming the network. Applications communicate with physical devices (OpenFlow switches, routers etc.) in the controller's data plane. Physical devices in the data layer are programmed by applications using Northbound and Southbound interfaces [[5]]. The control layer communicates with services and applications running on the application plane via the Northbound interface. The Northbound interface provides effective network organisation, determination of network policies, and enforcement by the controller. The controller communicates with devices on the data layer via the Southbound interface. The most popular communication protocol used in the Southbound interface is the OpenFlow protocol supported by the Open Network Foundation [[6]]. Despite all the benefits and good performance of using SDN and VANET technologies to improve traffic safety, the SDN-based VANET architecture, like other wireless networks, is vulnerable to various attack threats. Distributed denial of service (DDoS) attacks are the most common and dangerous among these attacks. In DDoS attacks, intruder aims to render the SDN architecture unusable by targeting the controller, switches, servers, or vehicles. While in a DDoS attack targeting the controller, the controller's process and communication capacity are targeted at the same time, it is aimed to consume the resources in the data layer, such as CPU and memory. Besides, attacks on SDN network servers are carried out to prevent end-users from accessing the services. In SDN, the controller is the brain of the network, making it the main target for attackers. If the attacker performs a DDoS attack targeted at the controller, the entire network may be adversely affected. In some cases, the SDN architecture may collapse completely [[7]]. Traffic safety can be seriously compromised in such attacks that may occur on SDN-based VANET networks. SDN-based VANET applications enable security-critical data exchange between vehicles. Therefore, to apply SDN-based VANETs to smart transportation systems on a large scale, related security threats must be addressed [[8]]. What is demonstrated in this study is how the DDoS attacks targeting SDN-based VANETS are detected by the stacked sparse autoencoder (SSAE) and Softmax classifier deep network model. It is important to examine this issue because when SDN-based VANET systems are exposed to an attack such as DDoS, traffic safety might cause traffic accidents and even deaths. Using deep network models would allow the creation of the SDN-based VANET architecture, which exhibits safer and smarter behaviour. A deep network model with SSAE + Softmax classifier architecture can be operated as a security module by the controls in the SDN-based VANET architecture. This security module can be tasked with collecting all data traffic, obtaining features, and then analysing them. Thanks to the security module, abnormal attack events such as DDoS can be detected more easily, and the alarm can be sent to the controller to take necessary preventive actions. The main contributions of the current study are as follows: In the studies in the literature, datasets obtained from the wired SDN architecture or traditional network structure are generally used in the detection of DDoS attacks against SDN-based VANET architecture by artificial intelligence methods. However, in this study, a special SDN-based VANET architecture was created, and a custom dataset consisting entirely of data specific to the SDN architecture was obtained. In the SDN-based VANET architecture created in this study, an edge controller is also used. The purpose of using an edge controller is to increase the communication time between the main controller and the vehicles, increasing the control of the main controller over the vehicles and the data transmission rate. A novel deep network framework was proposed to detect DDoS attacks targeting SDN-based VANETs. This approach consists of a multi-layer SSAE-based Softmax classifier. The high accuracy score was obtained as 96.9% with the proposed four-layer SSAE + Softmax classifier deep network model. The experimental results show that the deep approach proposed to classify DDoS attacks has been successful compared to machine learning classifiers and previous studies. This study consists of six sections. In Section 2, the studies in the literature that discuss the attacks against SDN and the effects of these attacks are briefly mentioned. In Section 3, under the material and methods, the process steps for implementing the SSAE method and the deep network model and the experimental configuration and collecting data of SDN-based VANET are submitted in detail. In Section 4, the details of the proposed method are given. In Section 5, the experimental results are examined, and inference is made from the findings. In the last section of the current study, the results achieved in the light of the experimental findings obtained are evaluated comparatively. 2 Related work In the literature, machine learning algorithms, supervised and unsupervised, are utilised to solve classification problems. Supervised learning algorithms such as support vector machine (SVM), K-nearest neighbours (KNN), and linear discriminant analysis, and decision tree involve using labelled datasets that have inputs and expected outputs. Deep learning (DL) as a machine learning method allows us to train artificial intelligence to predict outputs with a given dataset. Both supervised and unsupervised learning can be used to train artificial intelligence. Autoencoder is an artificial neural network used for unsupervised learning. This algorithm is generally used in processes such as noise removal, size reduction, and extraction of effective features. Deep or stacked autoencoders are a neural network consisting of multiple layers of AEs where the outputs in each layer are connected to the inputs of the successive layer. The number of studies on detecting and preventing cyberattacks with artificial intelligence in SDN-based VANET networks is not very high. Most of the existing work has been done to determine the security requirements and framework in SDN-based VANET networks. Yu et al. proposed, in the study, they carried out, a software-based platform for vehicular networks. They created an intrusion detection platform based on messages (Packet_In) and flow table entries between the controller and the data layer. Flow table entries were trained using a classifier, SVM. Key flow table entries are collected in the collection module created for real-time intrusion detection. The feature value of the collected flow inputs is then calculated. The flow inputs are sent to the SVM training module depending on the protocol types to determine whether they are benign or malign. Attack detection is thus made. When the Packet_In message exceeds a certain threshold value, the number of Packet_In messages is reduced thanks to the trigger module created using reducing the response time of the controller [[9]]. Zhao et al., in the study they carried out, stated that although the performance of vehicular networks increased with SDN, there were still many gaps in terms of security. In the study, resource allocation was made based on the trust value of the vehicles. Trust value was obtained through the trust management system. A three-layer trust management architecture was designed based on the consortium block-chain. Common risk evidence and modified Byzantine error tolerance algorithm were proposed to shorten the approval period applied to RSUs [[10]]. Chuan Huang et al. applied a DL model that would cover all layers of the SDN network structure to the identification and prevent DDoS attacks. In this model, they utilised the recurrent neural network (RNN), long-short-term memory (LSTM), and convolutional neural networks (CNN). The model created for the identification and blocking in real time of DDoS attacks can slow down the network and prevent controllers from synchronising with each other in large networks where multiple controllers are used [[11]]. In their study, Latah and Toker measured the rate of incoming packets in the DoS attack, detected the attack, and classified it with SVM. When the packets that arrive at the controller at the time of the attack exceeded the predetermined threshold, the packets received were examined and classified using the SVM algorithm [[12]]. Mowla et al. proposed the cognitive key-based DDoS detection and reduction method on the SDN-driven content distribution network. For traffic classification, logistic regression and SVM methods were utilised. Through this traffic classification, security rules were run on OpenFlow switches, and it was aimed to detect and prevent all possible DDoS attacks [[13]]. Niyaz et al. emphasised, in their study, that the existing network structure was vulnerable to DDoS attacks due to administrative challenges. It was mentioned that administrative challenges could be overcome with SDN technology, which provides one-stop management of the network. They also argued that with the integration of DL to SDN technology and detection of DDoS attacks, the problems that might be experienced in the network would be solved. They proposed a DL-based multi-vector DDoS recognition model in an SDN environment. Network traffic metrics were extracted through different scenarios, and the performance of the system was tested during a DDoS attack [[14]]. Tang et al. stated that SDN, with its flexible and programmable infrastructure, could soon replace the traditional network structure. In this context, a DL-based model was applied for the classification of a flow-based anomaly. Deep neural network (DNN) model was developed for intrusion detection. As a result of the success rates obtained in the study, they stated that the DL approach has a strong potential to detect a flow-based anomaly in SDN [[15]]. Hsider et al. emphasised that in their study, in a world where new technologies reshape the digital age, cyber-attacks pose a major threat to developing computing networks. Integrating the SDN network structure, which is the basis of central control logic against DDoS attacks, one of the most dangerous of these attacks, with artificial intelligence methods, provides a great advantage for detecting and preventing these attacks. In this study, the CNN community framework was proposed to detect and verify the attack using a flow-based dataset [[16]]. Tang et al. emphasised, in their study, that the SDN architecture, with its flexible and programmable structure, is vulnerable to cyber attacks, although it offers solutions to many problems in the information world. DeepIDS model, which is a DL-based attack detection framework, is proposed in the study. The DL model was tested with the NSL-KDD dataset, using a fully connected DNN and a gated RNN. The study stated that the DeepIDS model could provide success against flow-based attacks [[17]]. Dey et al. detected the attacks against the SDN controller, which is the main target of attackers, using traditional machine learning algorithms and DL models. First, the random forest algorithm was applied to the NSL-KDD dataset. Feature selection was made to these datasets to increase the accuracy rate. Second, DL-based attack detection was made based on gated recurrent unit-LSTM. When the results obtained in both cases were compared, it was emphasised that DL is a better option for intrusion recognition [[18]]. In their study, Ko et al. emphasised that the frequency and vectorial increase of DDoS attacks will increase with the development of 5G technology. They proposed a dynamic learning system (DLS) consisting of four modules for internet service providers to minimise the effects of DDoS attacks on internet users. DLS is an unsupervised ensemble model that uses a complete autoencoder (CA) as core learners to classify network traffic. The major difference between CA, which consists of deep autoencoder, and regular autoencoder is that the CA uses the unbalanced property of the attack data to create a binary classification via a class switch [[19]]. Ujjan et al. emphasised that the Internet of Things (IoT) network infrastructure, which has a heterogeneous structure, is of vital importance to protect against DDoS attacks. In particular, the SDN network structure, which has a central controller, stated that such an attack to which the IoT network integrated into it will be exposed may cause significant problems for the efficiency and continuity of the network such as high memory consumption, low accuracy, and additional load on the network. In their study, they propose sFlow and snort attack detection system with adaptive polling-based sampling and a DL-based model that helps to reduce DDoS attacks against the IoT network to overcome the effects of DDoS attacks [[20]]. Abou El Houda et al. emphasised that the domain name system (DNS) amplification attack, which is a type of DDoS attack, poses a great danger to internet security and the existing network structure. In their study to mitigate the effects of such protocol-based attacks, they proposed a solution called WisdomSDN, which consists of three modules: a comparison module that includes DNS requests and DNS responses, a machine learning module that detects illegal DNS requests in real time, and a module to reduce illegal DNS requests [[21]]. de Miranda Rios et al. emphasised that DDoS attacks against new technologies such as wireless communication technologies, cloud computing, fog computing, SDN will cause great dangers. In the study, a solution proposal was presented to detect the reduction of quality attack, which is a type of DDoS attack that mimics the normal traffic flow and is silently getting stronger. Multi-layer perceptron (MLP) neural network with backpropagation, KNN, SVM, and multinomial naive Bayes algorithms have been used for intrusion detection. They also suggested three methods based on fuzzy logic, MLP, and Euclidean distance. In the study, real-time intrusion detection was made and the proposed methods and machine learning algorithms were compared [[22]]. Ravi and Shalinie emphasised that in DDoS attacks to be performed against SDN-based IoT network with limited resources (CPU, bandwidth etc.), network services will be cut. In the study, a learning-driven detection mitigation (LEDEM) mechanism that detects and reduces the attack by using a semisupervised machine learning algorithm against DDoS attacks triggered by wireless IoT networks and servers is proposed [[23]]. 3 Material and methods In this study, SSAE + Softmax classifier deep network model was created to detect DDoS attacks targeting SDN-based VANETs. First, a dataset containing normal network traffic and attack traffic was created out of SDN-based VANET. The dataset features critical to the continuity of the SDN dataset features derived from the principal metrics SDN-based VANET architecture. An SSAE structure was used in front of the Softmax classifier layer in the deep network model created. The main purpose of SSAE is to reduce an n-dimensional feature vector to a smaller dimensional feature vector with minimal loss. It is extremely a tiring job to reduce the dimension of the feature and obtain important features through classical methods. An SSAE structure that performs this process automatically may be able to yield more effective results. Low-dimensional and high-importance features obtained through SSAE were provided as input to the Softmax classifier, then the normal traffic and the DDoS attack traffic were classified. The general flow diagram of the study is presented in detail in Fig. 1. Fig. 1Open in figure viewerPowerPoint Overall process diagram of the study In this study, the theoretical background of the proposed model's methods is detailed in the subtitles. 3.1 Stacked sparse autoencoder Autoencoders are increasingly being used in place of other feature dimension reduction techniques to reduce high-dimensional features to a low dimension by eliminating less important features. The features obtained through data-based learning using autoencoders can represent the data more successfully. An autoencoder is an unsupervised learning method based on an artificial neural network model [[24]-[26]]. An autoencoder consists of a three-layered feed-forward neural network: the input layer, hidden layer (code), and output layer (see Fig. 2). The numbers of neurons in the input layer and the output layer of an autoencoder are equal. In addition, the dimension of the hidden layer is lower than the dimension of the input and output layers. The data provided to the autoencoder as input is reconstructed in the output layer. Autoencoder includes two sections: encoder and decoder. These two sections are trained together as a single architecture. After the training is over, the encoder and decoder models can be used separately. Fig. 2Open in figure viewerPowerPoint Three-layered basic autoencoder structure A three-layered basic autoencoder structure comprised of an encoder and a decoder section is shown in Fig. 2. Here, x i , h 1 − 4 , x ^ i , and b 1 , 2 values represent the input layer, hidden layer (features), an output layer, and the bias values, respectively. In the encoding phase, features are extracted from the input x i values according to the following equation: h i = s 1 W 1 x i + b 1 , (1) where W 1 represent the encoding weight matrix, s1 is the activation function for the hidden layer neurons, and b1 is the encoder bias vector. In this study, the logistic sigmoid activation function was used in the encoder. In the decoding phase, an approximation of the original input x i values is reconstructed based on the extracted features (2) x ^ i = s 2 W 2 h i + b 2 , (2) where W 2 represent the decoding weight matrix, s2 is the activation function for the output layer neurons, and b2 is the decoder bias vector. In this study, the logistic sigmoid activation function was used in the decoder. The training of an autoencoder aims to minimise an error measure between the original input xi values and their reconstruction. The error between reconstructed x ^ i and original inputs xi values is optimised by (3). The optimisation problem can be solved using stochastic gradient descent [[27], [28]] θ ^ = arg min θ = ∑ i = 1 N x ^ i − x i 2 (3) where θ = W 1 , W 2 , b 1 , b 2 are the parameters of the autoencoder. N represents the number of input samples. As long as the hidden layer neurons are fewer than the input layer neurons, the autoencoder learns a lower-dimensional representation of the input features, which allows the autoencoder to be used for feature dimension reduction. The autoencoder can be arranged so that only a section of the neurons are used as active neurons by applying a sparsity constraint. For only some neurons to be active, a penalty term is added to the loss function. This forces the autoencoder to represent each input as a combination of a small number of neurons and discovers important features that can represent the data. This method is known as sparse autoencoder (SAE). SAE is an autoencoder version that applies sparse constraints to neurons in the hidden layer to control the number of active neurons. SAE works even if the hidden layer dimension is larger than the input dimension because only a small subset of neurons in the hidden layer will be active at any given time. SAE reduces system complexity and parameters by reducing the number of active neurons. Thus, learning of more important features is provided [[24]-[28]]. If the SAE input layer is high in dimension, it is not enough to use just one hidden layer to represent all training data. To overcome this challenge, the stacked autoencoder principle is used. n-number of hidden layers may be used in the autoencoder to better represent all training data. The output of each hidden layer is connected to the input of successive hidden layers. Each hidden layer's dimension is reduced symmetrically until each hidden layer reaches a code dimension. Then, from the code dimension, hidden layers are symmetrically expanded to the output dimension. The decoder is the symmetry of the encoder. In this way, when the encoder and decoder layers were stacked symmetrically, the SSAE architecture would then be created (see Fig. 3). The number of neurons in the hidden layer, which represents the code dimension between the encoder and the decoder, determines the number of features desired to be reduced. Fig. 3Open in figure viewerPowerPoint SSAE structure Training an SSAE consists of adjusting the cost function that can be represented as follows [[29]-[31]]: E = 1 N ∑ n = 1 N ∑ k = 1 K x k n − x ^ k n 2 + λ ∗ Ω weights + β ∗ Ω sparsity (4) N and K represent the number of input samples and the number of features in a sample. In addition, while Ω weights represents L2 regularisation, Ω sparsity is sparsity regularisation. The stochastic gradient descent algorithm is used for training the SSAE [[30], [31]]. 3.2 SSAE + Softmax classifier deep network model An SSAE + Softmax classifier deep network structure includes the encoder section of the SSAE structure and the Softmax classifier. The training of this deep network consists of pre-learning and sensitive learning. Through pre-learning, the process of training all structures is performed separately. Sensitive learning is combined with all of these structures, and the training process is carried out once again [[25], [29], [32], [33]]. Fig. 4 shows the deep network classifier based on the SAE model with two automatic encoders. Let the input vector assigned to this model be x 1 , x 2 , x 3 , … , x n and the corresponding output class variables are y 1 and y 2 . Then the training stages of the SSAE + Softmax classifier deep network are as follows: (i) As seen in Fig. 4a, the first autoencoder layer is trained using the original input vectors. In addition, the input vector and the target vector are the same. This layer re-structures the input features by extracting the features as h 1 1 , h 2 1 , h 3 1 , … , h k 1 . Fig. 4Open in figure viewerPowerPoint SSAE with Softmax classifier (a) Subfigure 1, (b) Subfigure 2, (c) Subfigure 3, (d) Subfigure 4 (ii) As seen in Fig. 4b, the output vector (Feature I) of the first autoencoder layer is provided to the entrance of the second autoencoder layer, and the output vector is created as h 1 2 , h 2 2 , h 3 2 , … , h m 2 . Then the second autoencoder layer re-structures the input as h 1 1 ^ , h 2 1 ^ , h 3 1 ^ , … , h k 1 ^ . (iii) As seen in Fig. 4c, the output vector obtained at the second autoencoder layer (Feature II) is provided to the entrance of the Softmax layer and trained. The layer's weights are repeated until the difference between the real input and the estimated input is the minimum. (iv) As seen in Fig. 4d, finally, all autoencoder layers and Softmax classifier are co
Referência(s)