Software-Defined Networking (SDN) switches typically have limited ternary content addressable memory (TCAM) that caches the flow entries on the data plane. The scarcity of TCAM space, and the strong competition for it, put the flow tables at risk of malicious Distributed Denial-of-Service (DDoS) attacks. In this paper, we propose LtRFT, a Learning-To-Rank (LtR) based scheme for mitigating low-rate DDoS attacks targeted at flow tables. LtRFT consists of three modules: monitor, ranker, and mitigator. The monitor tracks the flow table status and sends alerts to the other modules after detecting an attack. The ranker models the attack mitigation problem as a flow entry ranking task and, using a pairwise LtR algorithm, assigns malicious flows a high eviction priority. The mitigator frees up flow table space by deleting malicious flow entries in the order of the ranking sequence generated by the ranker. We apply LtR to network attack detection and use both classification and information retrieval metrics to describe and evaluate LtRFT. Extensive experiments were conducted to validate the effectiveness and robustness of LtRFT in detecting and mitigating low-rate data plane DDoS attacks. LtRFT detects malicious attack flows with an accuracy of over 96%, and reduces the attack flow duration by 97.7% with an average extra latency of 0.5 seconds, which shows that LtRFT is practicable in SDN deployments.
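The monitor/ranker/mitigator pipeline sketched in the abstract, as an added example that is not the paper's code or data. The flow features (packet rate, average packet size, idle time), the occupancy thresholds, the constructed flow-table snapshots and the choice of a RankNet-style logistic loss for the pairwise ranker are all assumptions made here for illustration; the abstract names a "pairwise-based LtR algorithm" without specifying it. The ranker is trained offline on one labelled snapshot, then applied to a fresh table under a low-rate table-filling attack, and the result is scored with both an information-retrieval metric (precision at k) and a classification metric (accuracy), as the abstract says LtRFT is evaluated.

```python
import math
import random

# Feature names and value ranges are assumptions for illustration only.
FEATURES = ("pkt_rate", "avg_bytes", "idle_s")


def make_table(n_benign, n_attack, rng):
    """Constructed flow-table snapshot (not real traffic). Low-rate
    table-filling attack flows carry a few small packets and then sit idle."""
    flows = []
    for i in range(n_benign):
        x = (rng.uniform(5, 50), rng.uniform(200, 1400), rng.uniform(0, 1))
        flows.append({"id": f"benign-{i}", "x": x, "malicious": False})
    for i in range(n_attack):
        x = (rng.uniform(0.05, 0.3), rng.uniform(40, 80), rng.uniform(5, 20))
        flows.append({"id": f"attack-{i}", "x": x, "malicious": True})
    rng.shuffle(flows)
    return flows


def zscore(flows):
    """Standardise each feature column so gradient descent is well conditioned."""
    cols = list(zip(*(f["x"] for f in flows)))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(f["x"], means, stds)] for f in flows]


def train_pairwise(X, labels, epochs=100, lr=0.1):
    """Pairwise LtR with a RankNet-style logistic loss on score differences:
    for every (attack, benign) pair, push score(attack) above score(benign)."""
    w = [0.0] * len(X[0])
    pos = [i for i, m in enumerate(labels) if m]
    neg = [i for i, m in enumerate(labels) if not m]
    for _ in range(epochs):
        for i in pos:
            for j in neg:
                diff = [a - b for a, b in zip(X[i], X[j])]
                s = sum(wk * dk for wk, dk in zip(w, diff))
                if s > 30:  # pair already ordered with a wide margin
                    continue
                # d/dw log(1 + exp(-s)) = -diff * sigmoid(-s); descend on it
                grad = 1.0 / (1.0 + math.exp(s))
                w = [wk + lr * grad * dk for wk, dk in zip(w, diff)]
    return w


def score(w, x):
    return sum(wk * xk for wk, xk in zip(w, x))


def monitor(flows, capacity, high_water=0.8, target=0.5):
    """Monitor: alert when occupancy passes high_water and report how many
    entries must be freed to get back to the target occupancy (0 = no alert)."""
    if len(flows) / capacity <= high_water:
        return 0
    return len(flows) - int(target * capacity)


def rank_for_eviction(flows, X, w):
    """Ranker: order entries by descending score, highest eviction priority first."""
    order = sorted(range(len(flows)), key=lambda i: -score(w, X[i]))
    return [flows[i] for i in order]


def mitigate(ranked, n_evict):
    """Mitigator: delete the top-ranked entries; returns evicted ids and survivors."""
    return [f["id"] for f in ranked[:n_evict]], ranked[n_evict:]


def precision_at_k(ranked, k):
    """IR metric: share of the top-k ranked entries that are truly malicious."""
    return sum(f["malicious"] for f in ranked[:k]) / k


def accuracy_top_k(ranked, k):
    """Classification metric: treat the top-k as predicted malicious, rest benign."""
    correct = sum(f["malicious"] == (i < k) for i, f in enumerate(ranked))
    return correct / len(ranked)


def run_demo():
    rng = random.Random(7)
    train = make_table(12, 8, rng)                      # labelled training snapshot
    w = train_pairwise(zscore(train), [f["malicious"] for f in train])
    table = make_table(10, 10, rng)                     # fresh table under attack
    n_evict = monitor(table, capacity=20)               # full table -> free 10 entries
    ranked = rank_for_eviction(table, zscore(table), w)
    evicted, remaining = mitigate(ranked, n_evict)
    return {"weights": w, "n_evict": n_evict, "evicted": evicted,
            "remaining": [f["id"] for f in remaining],
            "precision_at_k": precision_at_k(ranked, n_evict),
            "accuracy": accuracy_top_k(ranked, n_evict)}


if __name__ == "__main__":
    print(run_demo())
```

Because every pairwise update moves the weight vector along an (attack minus benign) difference, the learned weights end up negative on packet rate and packet size and positive on idle time, which is exactly the signature of flows installed only to occupy TCAM. In a real deployment the labels for training pairs would come from the monitor's alerts and ground truth from a test bed, and the number of entries to free would be tied to the switch's actual table capacity rather than the fixed thresholds assumed here.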
               