A DDoS Attack Detection and Defense Scheme Using Time-series Analysisfor SDN

Ramin Fadaei Fouladia,∗, Orhan Ermisb, Emin Anarima

aElectrical and Electronics Engineering Bogazici University, Istanbul, TurkeybEURECOM Sophia Antipolis, France

Abstract

Software defined networking (SDN) has emerged as the integral part of cloud services since it providesflexible management capabilities to monitor and to analyze the network traffic with the help of programmableentities. Although, such functionalities play a significant role in terms of protecting the availability of cloudservices against the security threats, SDN still has some vulnerabilities such as the distributed denial ofservice (DDoS) attacks. The DDoS attackers use spurious packets similar to normal ones and endangerthe service continuity of SDN. Although conventional packet-based intrusion detection systems have broaddatabases to detect DDoS attacks, they are impotent of detection when the attack traffic is sheltered bythe normal network traffic. The idea is therefore, to come up with a new countermeasure by observing anddistinguishing the instant changes in network. In this work, we propose a DDoS attack detection and defensescheme using time-series analysis for SDN. The proposed scheme employs a model based on the upcomingtraffic feature forecasting and the chaos theory together with the exponential filter and the dynamic thresholdmethod to detect instant changes in the network. The experimental result shows that our algorithm hashigh detection rate and low false alarm.

Keywords: Distributed Denial of Service (DDoS), Software Defined Network (SDN), ARIMA, ChaosTheory, Exponential Smoothing

1. Introduction

Software-defined networking (SDN) separates thecontrol and data planes to diminish the burden onconventional networks caused by lack of a central con-trol mechanism [1]. This separation between the twoplanes increases the flexibility of network administra-tion during troubleshooting and monitoring. In addi-tion to data and control planes, SDN also comprisesan application plane for software programs to pro-vide efficient solutions for basic network functionali-

∗Corresponding authorEmail address: ramin.fadaei@boun.edu.tr (Ramin

Fadaei Fouladi)

ties such as load-balancing, intrusion detection, traf-fic monitoring, etc [2].

Although the centralization of the controller de-creases the deployment cost, it makes the controllermore vulnerable to various types of attacks such asdistributed denial of service (DDoS) attack, networkmanipulation and data leakage [3]. The separationbetween the control and data planes also exposes thenetwork to congestion, which potentially occurs afterDDoS attacks. In addition, the attackers can targetdifferent elements of SDN, particularly southboundand northbound interfaces, switch hardware, and thecontroller, in order to attack the availability of thenetwork [4].

Available DDoS attack detection mechanisms for

Preprint submitted to Elsevier August 24, 2020

SDNs are generally based on statistical and machinelearning approaches. Statistical methods employ athreshold to discriminate attacks from normal traf-fic. On the other hand, machine learning techniquesuse model training to generalize normal patterns [5].Compared to machine learning, statistical algorithmsare simpler; however, defining optimal thresholds ischallenging. To address this problem, in this work,we propose a DDoS attack detection and defensescheme based on statistics and time-series analysiswhich is integrated into the SDN controller. The con-tributions of the paper are as follows:

(i) First, we extract key features from the flow ta-ble of OpenFlow switches to analyze their time-series representation. Therefore, the controllermonitors each switch separately and applies theproposed algorithm to detect anomalies due tothe DDoS attack event in particular switches.Such anomaly can be detected using the numberof unique source IP addresses (USIP) feature,since during the attack phase this value increasessignificantly compared to the normal traffic.

(ii) In addition, when an attack occurs, it is possibleto observe changes in the number of unique des-tination IP addresses (UDIP) feature; however,this change is not as significant as the change inthe USIP feature. By considering the dramaticgrowth in the total number of packets (TPACK)in the flow table during the attack, the numberof UDIP value substantially reduces when it isnormalized by the TPACK values. Therefore,we employ normalized UDIP as the second fea-ture to detect DDoS attacks.

(iii) The upcoming value of the USIP time-series isestimated by using an auto regressive integratedmoving average (ARIMA) model and the er-ror of estimation is examined for chaotic be-haviour. Finally, according to the aforemen-tioned method, a binary anomaly score is as-signed to the traffic instance.

(iv) Another binary anomaly score is obtained by us-ing the dynamic threshold method based on theexponential filter and the NUDIP time-series.

The product of two mentioned binary scores isused to identify DDoS attack in each switch. Af-ter detecting the attack samples, the scheme ac-tivates the countermeasure mechanism.

(v) The chaotic behaviour and the dynamic thresh-old method resolve the problem of constantthreshold in the previous works. Moreover, bymonitoring each switch, the source of the attackcan be identified and prompt countermeasurewould be applied by modifying the packet for-warding policy at that switch. In order to eval-uate system performance in successful detectingof DDoS, we implement our scheme on an exam-ple SDN network via using Mininet environment[6].

The rest of the paper is organized as follows. Inthe next section, we overview the existing studies inthe literature. The background knowledge of relatedtechnologies is discussed in Section 3. Details of ourDDoS attack detection and defense scheme are givenin Section 4. Section 5 presents the performance eval-uation of our scheme. Finally, Section 6 concludes thepaper.

2. Related Work

In general, DDoS attack detection algorithms inthe literature can be categorized as intrinsic and ex-trinsic [7]. While the former is related to the struc-tural changes in SDN, the latter corresponds to theflow-based analysis. Since they provide better de-tection accuracy as far as the SDN environment isconcerned, we focus on flow-based solutions in thiswork. Such solutions are also classified as either thestatistical-based or the machine learning-based. Mostof the works related to the statistical approach, arebased on entropy concept. Entropy is the measureof randomness of an attribute within a specific pe-riod of time. For instance, a random variable witha high spread probability distribution has high en-tropy. On the other hand, in order to differentiatethe attack traffic from the normal one, a machinelearning method needs to be fed by a set of trainingsamples. Each sample consists of a set of features

2

obtained from the network traffic data to generalizethe discriminating model.

Due to the promising results of entropy-basedmethods in detecting anomalies in traditional net-works [8, 9, 10], they have also been adopted by de-tection algorithms for SDN. In [11], a threshold isobtained by using the entropy of the destination IPaddresses. Later, this threshold is used to determinewhether there is an attack or not. Particularly, ifthe entropy of the test sample is less than the de-fined threshold, it is labeled as an attack. In [7],an entropy-based method [12] is proposed for DDoSattack detection and mitigation. Different featuresfrom payload are extracted and used for the detec-tion of the attack. The algorithm has three stages ofnominal, preparatory and active mitigation. Whilethe normal pattern baseline is obtained in an attackfree scenario at nominal stage, the attack samples areidentified at the preparatory stage. Later, the coun-termeasure against the attack traffic is carried outat the active mitigation stage. A combination of en-tropy and information distance is used in [13] to checkthe traffic for the DDoS attack detection. Althoughentropy-based methods are employed in DDoS attackdetection, they suffer from some limitations. Entropymaps the probability distribution into a single num-ber; therefore, the information of the distribution isdiscarded. Furthermore, two distributions with thesame amount of uncertainty result in the same en-tropy value. The last but not the least, finding theoptimal threshold for the generalized entropy is diffi-cult. These limitations may yield high false positiverates during the detection process.

SDN-based DDoS attack detection methods alsouse machine learning algorithms for the detectionprocedure. Some features from the network flow areextracted and used by a machine learning model todifferentiate malicious traffics from benign ones. In[14], six features including, average of packets perflow (APF), average of bytes per flow (ABF), aver-age of duration per flow (ADF), percentage of pair-flow (PPF), grows of single-flow (GSF) and growsof different port (GDP) are extracted from the net-work traffic and introduced into a self-organizing map(SOM) [15] to create a selective model for separatingattacks from normal traffic. In [16], a DDoS detection

algorithm based on entropy and machine learning ap-proaches is proposed. In the first phase, lightweight,a method based on entropy is used to detect attacktraffics. In the second phase, heavyweight, differentmachine learning approaches are employed to clas-sify abnormal traffics. In [17], authors use differentmachine learning methods to detect DDoS attack inSDN. According to the result, support vector ma-chine (SVM) [18] algorithm has the best performance.In [19], a set of five features consisting of entropy ofsource IP (etsSrcIP), entropy of source port (etsS-rcP), entropy of destination port (etsDstP), entropyof packet protocol (etsProtocol) and total number ofpackets (totalPacket) is fed into an SOM to classifythe traffic as normal or attack. In [20], SVM and idletime out adjustment (IA) are used to detect DDoSattacks and to classify the traffic. The entropy ofsource and destination IP addresses are used as thevector for the SVM algorithm to generalize a spe-cific DDoS attack detection model in [21]. Four dif-ferent features including byte rate (BR), symmetricflows percentage (SFP), variation rate of asymmetricflow (VAFR) and flows percentage with small amountpackets (FPSA) are extracted in [22]. The featuresare used as a four-tuple feature by a back propaga-tion neural network (BPNN) to discriminate attackfrom normal traffics. In [23], different features arecollected from the SDN and used in machine learn-ing algorithm to detect the DDoS attack. Four dif-ferent machine learning algorithms including SVM,K-nearest neighbor (KNN) [24], artificial neural net-work (ANN) [25] and naive Bayes (NB) [26], are em-ployed. KNN and NB outperform with respect tosuccess rates. In [27], a stack auto-encoder basedon deep learning model is employed to classify thedata obtained from the OpenFlow switch. A deeplearning-based DDoS detection and defense architec-ture is proposed in [28]. The detection part consistsof multiple deep learning layers such as CNN, LSTMand bidirectional RNN [29]. In [30], a deep learningmodel is proposed to detect DDoS attack in SDN.The statistics during the attack are analyzed and em-ployed by the deep learning approach to classify thetraffic into two classes, i.e., malicious and legitimate.In [31], different ensemble models including ensembleCNN, ensemble RNN, ensemble LSTM, and hybrid

3

RL are used for DDoS detection in SDNs. The resultshows that the ensemble CNN outperforms.

While machine learning-based methods produceheavy computational load on system and requirecomplex data demands, statistical-based methodsseem more favorable. In this work, we propose aDDoS attack detection and defense scheme based onthe time-series analysis. The USIP and NUDIP areextracted from the OpenFlow switches as the key fea-tures. In order to detect DDoS traffic, each featureis processed separately and simultaneously. WhileARIMA model and chaos theory are applied on USIPto label the traffic samples as normal or abnormal, ex-ponential filter and the dynamic threshold algorithmare carried out on NUDIP. The proposed scheme canidentify the switches involved in the attack and setsa defense protocol against such attacks.

3. Background

In this section, we explain the theory part of dif-ferent concepts utilized in this paper. We begin bydiscussing the OpenFlow1 which is the key protocolof SDN. Having provided a brief introduction relatedto the protocol, we dive into the ARIMA model fol-lowed by chaos theory and exponential filter. Theseideas play important roles in DDoS attack detectionin this paper.

3.1. OpenFlow

The OpenFlow protocol was first proposed in 2008.The main idea is to divide the network into two sep-arate parts of control plane and data plane, whichcommunicate with each other through a secure chan-nel. Figure 1 displays the OpenFlow architecture.

Packets are always handled as ”flows” in an Open-Flow switch. When a new packet arrives at a switch,it is compared with the packets which are recordedas the entries inside the flow table of the switch. Ifit is matched with an instance in the flow table, theassociated action is executed and the counter of theflow entry increments; otherwise, the new unknown

1https://www.opennetworking.org/wp-content/uploads/2014/10/openflow-switch-v1.5.1.pdf

Figure 1: OpenFlow Architecture.

packet is encapsulated into Packet-In massage andsent to the controller. A flow entry mainly includesthree parts of header, counter and action. Headerconsists of different segments of a packet, such as IPaddresses, ports, type of protocol, and etc. Whenthe new packet arrives, its field is compared againstthe header of the flow entry to find a match. Thecounter stores the information of the packets match-ing this flow entry. The action part determines thetype of action if a match is found.

3.2. Auto Regressive Integrated Moving Average(ARIMA)

The Auto Regressive Integrated Moving Average(ARIMA) model is used to forecast a time-serieswhich can be made stationary by differnecing if neces-sary. A stationary time-series data has the propertythat its statistical characteristics such as the meanand variance are constant over the time [32]. ARIMAis characterized by a three-tuple 〈p, d, q〉, where p isthe number of auto-regressive (AR) terms, d is thenumber of differences required for stationarity, andq is the number of moving average (MA) or laggedforecast errors terms. Let Z = {z1, z2, . . . , zn} be astationary time-series, the general forecasting equa-tion in terms of z is represented as:

zt = θ0+φ1zt−1+. . .+φpzt−p+εt−θ1εt−1−. . .−θqεt−q,

4

where φi (i = 1, ..., p) and θj (j = 1, ..., q) are AR andMA items, respectively. εk (k = t, t− 1, ..., t− q) arenamed as error terms which are generally assumedto be independent, identically distributed variablessampled from a normal distribution with zero mean.It is worth to note that, depending on the charac-teristic of the series, each p, d, and q can be equalto zero; therefore, the model may be simplified. Forinstance, ARIMA〈p, 0, 0〉, ARIMA 〈0, d, 0〉, ARIMA〈0, 0, q〉 and ARIMA 〈p, 0, q〉 are pure AR 〈p〉, randomwalk, MA 〈q〉 and ARMA 〈p, q〉 respectively.

3.3. Chaos Theorem

The error between the actual value and the esti-mated one is the key factor to detect DDoS attacksamples. To assign anomaly score to the potentialDDoS attack candidates in the network traffic, weanalyze the chaotic behavior of the estimated error.Therefore, we employ the local Lyapunov exponent[33] as below:

λt =1

tln(| et

e0|), (1)

where e0, et and λt are the first prediction error, thetth prediction error and the lyapunov exponent at tth

time instance, respectively. A Positive λt may corre-spond to the prediction error which could be causedby DDoS attack or by some legitimate traffics [34].On the other hand, the negative λt refers to the nor-mal behavior. We use these values to distinguish theDDoS attack candidates from the normal ones.

3.4. Exponential filter

The exponential filter is a weighted combinationof the previous estimate (output) with the newestinput data, with the sum of the weights equal to 1, sothat the output matches the input at a steady state.This weight assignment is accomplished by using asmoothing constant α (0 ≤ α ≤ 1) to calculate thesmoothed value vt at time t as follows:

vt = α · vt−1 + (1− α) · zt. (2)

where α controls the closeness of this new value usingthe recent observation. The function of α is defined

as below:

f(n) =

{vt ∼= zt α→ 0

vt ∼= vt−1 α→ 1. (3)

4. DDoS Attack Detection and Defense

In this section, we introduce the DDoS attackdetection and defence scheme for SDN. The over-all view of the scheme is as illustrated in Figure 2.The proposed method consists of four main mod-ules, namely Feature Extraction, Anomaly Detectionfor USIP, Anomaly Detection for NUDIP and DDoSDetection. The proposed detection algorithm is illus-trated in Algorithms 1 to 4. The controller uses theproposed scheme and monitors each switch separatelyto detect any anomalies related to DDoS attack traf-fic. First, Feature Extraction module extracts cor-responding statistical features including USIP andNUDIP from the flow tables of the OpenFlow switch.while the USIP feature is used by the Anomaly De-tection for USIP module to assign an anomaly scoreto the sample, the NUDIP feature is employed byAnomaly Detection for NUDIP module to release an-other anomaly score. The Detection module decideswhether there is an anomaly or not with respect toanomaly scores. In the case of any abnormal condi-tions, this module raises anomaly alarm and activatesthe countermeasure part. The symbols used in thiswork are listed in Table 1

4.1. Feature Extraction

Due to the spoofed IP addresses and random gen-eration of source IP addresses, the number of flowentries with the unique source IP addresses increasesduring the DDoS attack. Although the number ofunique destination IP addresses may not change sig-nificantly during the attack compared to the normalcondition, the normalized value of this variable withrespect to the total number of packets in the flowtable decreases [35]. Therefore, in this work, we con-sider the number of unique source IP addresses andthe normalized unique destination IP addresses as thekey features for DDoS detection.

5

Table 1: Definitions of Symbols

Symbol Definition Symbol Definition

HS , HD Hash tables for extracting USIPand UDIP

counter The hash table counter variable

r Number of flow entries in theflow table

k Number of samples for trainingthe normal models

Model X, Model Y Training flags for USIP andNUDIP

X = {x1, . . . , xk} Time-series of the number ofunique source IP addresses

Y = {y1, . . . , yk} Time series of the number of nor-malized unique destination IPaddresses

〈xt, yt〉 USIP and UDIP instances attime interval t

〈p, d, q〉 The order of ARIMA, Number ofAR ,Differencing and MA terms

et The prediction error of ARIMAat time interval t

λt Lyapunov exponent at time in-terval t

0 ≤ α ≤ 1 Smoothing constant of the expo-nential filter

f(α) Function of α EXP f1(α1), EXP f2(α2) Exponential filters, α1 close to 1,α2 much less than 1

Df Time-series of the distance be-tween the outputs of two expo-nential filters

M Time-series of the Rolling me-dian for Df

w Window size of the rolling me-dian

min dist Minimum distance between eachelement and other elements inM

µm Mean value of min dist σm Standard deviation of min dist

q The number of standard devia-tion, σm to define the threshold

th The threshold value

score1,t, score2,t Anomaly score for xt and yt DestIPmax The destination IP adddresswith the maximum occurrence

In the feature extraction module, for each specifictime interval t, we obtain statistics from the flowtables of each switch to extract aforementioned fea-tures. The value of time interval t may be chosenaccording to the corresponding network infrastruc-ture and the traffic volume in the network. As shownin the Algorithm 1, two hash tables2 namely HS andHD are used to find USIP and UDIP, respectively. Ifa source IP address is not listed in HS , it is addedto the table and the corresponding counter is set to1. On the other hand, if the IP already exists inthe table, the counter is incremented by one. Thesame procedure is applied for the destination IP ad-dresses and the corresponding hash table HD. Onceall entries of the flow table are processed, the USIPfeature of the sample, xt, is obtained by counting thetotal number of non-empty elements of the HS ; Also,the total number of non-empty elements of HD are

2A data structure that uniquely maps keys for each values.

counted as UDIP and then it is divided by the totalnumber of packets in the flow table to obtain nor-malized UDIP (NUDIP), denoted as yt. These twofeatures are treated as time-series and employed inDDoS detection process independently to inspect thepossible instances of DDoS attack.

4.2. Anomaly Detection for USIP

As described in the Algorithm 2, by applyingARIMA and chaos theory on the xt feature, a bi-nary anomaly score (score1,t) is obtained for eachtime interval t.

ARIMA 〈p, d, q〉 model is employed to predict xtas xt [36]. In order to estimate the value of xt, theARIMA model is generated in advance; therefore, theModel X flag is initially set to ’True’ in Algorithm 2.Then, k samples of the USIP are stored in X to trainthe model. If X is a non-stationary time-series, dif-ferencing with d ≥ 1 is applied. If necessary, to stabi-lize the variance of X , Box-Cox transformation [37]can be used. Akaike’s information criterion (AIC),

6

Figure 2: Proposed DDoS Detection and Defense Model for SDN.

corrected AIC(AICc) and Bayesian information cri-terion (BIC) may be used for choosing the order ofthe model. Minimizing such criteria results in ob-taining optimal model [38]. We use ARIMA modelto generate the normal pattern of USIP; therefore,during the model generation X should not containany attack instances [39].

Once the model is generated, the flag, Model X,is set to ’False’ and the training phase is completed.For each upcoming traffic sample, xt, the estimatedvalue, xt, is obtained by using the normal model.Then, an anomaly score is given by analyzing thechaotic behaviour of the estimation error. The abso-lute value of the prediction error, et is calculated by:

et = |xt − xt|. (4)

In some time intervals, the prediction errors differ.Such heterogeneous outcomes might be raised by theanomaly of the USIP instance, xt. Thus, in orderto assign anomaly score, Lyapunov exponent, λt ofthe error, et, is calculated and the positive value ofthe λt may correspond to anomaly. If the λt is nega-

tive, the denominator error term in Lyapunov equa-tion (Equation 1), e0, is replaced by et and the in-stance is labeled as normal (score1,t = 0); otherwise,it is labeled as anomaly (score1,t = 1). However, dueto the similarity of USIP pattern, some normal trafficsamples (i.e., flash crowd events) may be classified asattack candidates that also yields high false positiverate. Therefore, as introduced in the next section, weuse NUDIP feature to increase the accuracy.

4.3. Anomaly Detection for NUDIP

The adaptive thresholding method is used to assignanother anomaly score (score2,t) for each sample. Asdescribed in the Algorithm 3, the method uses theyt feature of the sample. In order to generate themodel, k samples of NUDIP are stored in Y as atime-series. Y is processed by two exponential fil-ters namely EXP f1 and EXP f2. The correspondingsmoothing constant of EXP f1 filter, α1, is chosen asclose as possible to 1; hence, the output of this fil-ter follows the trend in the Y. On the other hand,EXP f2 filter has α2 much less than 1; thus, the out-

7

Algorithm 1 Extract Statistic Features (USIP andNUDIP) from the Flow Table

1: function Feature Extraction(t)2: HD(DesIP , counter)← 03: HS(SrcIP , counter)← 04: for ∀(SrcIP , DesIP ) ∈ Flow T do5: if SrcIP 6∈ HS then6: HS(SrcIP , counter)← 17: else8: HS(SrcIP , counter)← counter + 19: end if

10: if DesIP 6∈ HD then11: HD(DesIP , counter)← 112: else13: HD(DesIP , counter)← counter + 114: end if15: end for16: xt ← Number of non-empty elements in HS

/*USIP sample*/17: yt ← Number of non-empty elements in HD

/*UDIP sample*/18: pt /*# of packets */19: yt ← yt/pt /* NUDIP sample*/20: return HD(DesIP , occurrence), xt, yt21: end function

put of the filter follows the change in Y. The abso-lute difference between outputs of these two filters,Df is used for extracting the discriminative feature.The difference is independent from the trend change;therefore, it almost fluctuates around zero, which re-flects the dynamic change of the Y. By applyingrolling median with the window size of w on the Df ,a median time-series, M, is generated. The mini-mum distance of each instance inM from the rest ofsamples in M are calculated and recorded in a newset, denoted as min dist. The mean value, µm, andstandard deviation, σm, of min dist are calculated.Once the aforementioned parameters are calculated,the Model Y is set to ’False’ and anomaly scoringpart is activated. For each yt feature of upcomingtraffic sample, using EXP f1 and EXP f2, the corre-sponding absolute difference, Dft is calculated. Themedian of {Dft−w

, . . . , Dft} is calculated and stored

Algorithm 2 Anomaly Score Computation forUnique Source IP Addresses

1: Model X ← True2: x count← 03: X ← []4: for each time interval t do5: if Model X then6: X||xt, where || stands for concatenation7: x count+ +8: if x count > k then9: Estimate ARIMA〈p,d,q〉 using X

10: Model X ← False11: end if12: else13: xt ← ARIMA〈p,d,q〉({xt−p−d, . . . , xt−1})14: et ← |xt − xt| /*Prediction error*/15: λt ← 1

t ln(| ete0 |) /*Lyapunov Exponent*/16: if λt < 0 then17: et is normal /*Normal traffic*/18: score1,t ← 019: e0 ← et /*Update e0*/20: else21: et is chaotic /*DDoS candidate*/22: score1,t ← 123: end if24: end if25: end for

in mt. The distances between mt and each elementin M is calculated and the minimum distance is ob-tained as distt. If distt is less than the thresholdvalue µm + q × σm, the instance is labeled as nor-mal (score2,t = 0), otherwise, it is labeled as theabnormal point (score2,t = 1). Moreover, if the sam-ple is normal, the first elements of M and min distare discarded and then mt and distt are appended re-spectively. As the result, µm, σm and th are updated.

4.4. DDoS Detection, Alert and Countermeasure

After binary scores for USIP, score1,t and NUDIP,score2,t are computed, these values are used by theDDoS attack detection module. For each traffic sam-ple, if score1,t AND score2,t is equal to 0, then thereis no anomaly; Otherwise, the sample is abnormal

8

and there is a DDoS attack to the system. Then thecontroller raises an attack alarm.

The countermeasure module uses the hash tableHD to identify the destination IP address with themaximum occurrence, so called DestIPmax. This IPand the corresponding switch ID are added to a dis-card list. Then controller updates the flow table(s) ofthe corresponding switch by setting the drop actionfor each flow entry with DestIPmax as the destina-tion IP address.

Although the defense mechanism discards the flowfrom the DDoS attacker and alleviates the burden

Algorithm 3 Anomaly Score Computation for Nor-malized Unique Destination IP Addresses

1: Model Y ← True2: y count← 03: Y ← []4: for each time interval t do5: if Model Y then6: Y||yt7: y count+ +8: if y count > k then9: Df ← [0]

10: M← []11: min dist← []12: l1 ← Y[1]13: h1 ← Y[1]14: for ∀yi ∈ Y[2 :] do15: li ← α1 · li−1 + (1− α1) · yi16: hi ← α2 · hi−1 + (1− α2) · yi17: Df |||hi − li|18: end for19: for ∀i ∈ 1, 2, . . . , k − w do20: M||Med(Dfi , . . . , Dfi+w

)21: end for22: for ∀mi ∈M do23: min dist||min(|mi −mj | /* where

j ∈ 1, . . . , k − w) and j 6= i*/24: end for25: µm ←Mean(min dist)26: σm ← StdDev(min dist)27: th← µm + q × σm28: Model Y ← False29: end if

30: else31: lt ← α1 · lt−1 + (1− α1) · yt32: ht ← α2 · hi−t + (1− α2) · yt33: Dft ← |ht − lt|34: mt ←Med({Df(t−w)

, . . . , Dft})35: distt ← min(|mt −mi|), for all mj ∈M36: if distt < th then37: score2,t ← 0 /*Normal*/ /*Discard

the first element of M and min dist, then addthe corresponding new values*/

38: M←Mk−w2 ||mt

39: min dist← min distk−w2 ||distt40: µm ←Mean(min dist)41: σm ← StdDev(min dist)42: else43: score2,t ← 1 /*Attack*/44: end if45: end if46: end for

Algorithm 4 DDoS Detection

1: for each time interval t do2: if ¬Model X & ¬Model Y then3: if score1,t × score2,t == 1 then4: DDoS attack is detected5: else6: Normal traffic is detected7: end if8: end if9: end for

on both controller and the switch, it also filters outall packets to the victim’s IP address routed throughthat switch. Therefore, the controller should updatethe action of the flow entries as soon as the attack isover.

Although the countermeasure module takes thediscard action for particular flow rules during theattack, it does not delete those flows from the flowtable. Therefore, the statistic features remains un-changed. Since the detection module continues tomonitor the switch, if score1,t AND score2,t re-turns from 1 to 0, the attack alarm is cleared. TheDestIPmax and the corresponding switch ID are re-

9

moved from the discard list and the action sectionof the flow entries returns back to the normal state.Furthermore, there would be always some normalsamples that are labeled as attack incorrectly. Be-cause the detection module continuously monitorsboth USIP and NUDIP features, the state of the net-work will return to its normal in a few intervals.

5. Performance Evaluation

In this section, first, we evaluate the performanceof the proposed scheme using the complexity analysisand then, we evaluate the detection and countermea-sure performance using simulations.

5.1. Algorithm Complexity Analysis

The computational complexity analysis of the pro-posed algorithms can be divided into two phases,namely normal model generation phase and DDoSattack detection phase.

The feature extraction, Algorithm 1, is appliedprior to both the model generation and attack de-tection phases. For a given flow table with r entries,the statistics features USIP (xt) and NUDIP (yt) areobtained using hash table indexing. Therefore, thecomplexity of this process is O(r).

The normal model generation phase consists of thetraining phase for ARIMA, Algorithm 2 and adaptivethresholding method, Algorithm 3, where the formeruses X and the latter uses Y as the training datathat corresponds r flow entries. The complexity ofgenerating each time-series with k elements is O(r ×k).

The training phase of ARIMA contains X time-series generation and ARIMA modeling. The com-plexity of ARIMA which deals with the identificationof its parameters and model estimation is O(k2) [40].As a result, the overall complexity is O(k2 + r × k).

Different time-series including Y, Df , M andmin dist are employed in the training phase of theadaptive thresholding method. The Df has thecomplexity of O(k). In order to calculate M andmin dist, the method of ”quicksort” proposed byTony Hoare is employed [41]. While the M compu-tation has the average complexity of O((k−w)×w),

with the worst case of O((k−w)×w2), the min disthas the average complexity of O((k − w)2) with theworst case of O((k−w)3). Moreover, both the meanvalue and standard deviation computation parts havethe complexity of O(k−w). The total complexity ofthe phase is O(k + (k − w) × w + (k − w)2) in thebest case and O(k + (k −w)×w2 + (k −w)3) in theworst case. The final complexity of the training partis O(k2 + r× k+ (k−w)×w+ (k−w)2) in the bestcase and O(k2 + r × k + (k − w) × w2 + (k − w)3)in the worst case. Let assume w << k then, we canconsider (k−w) ≈ k; therefore, the worst complexityis simplified to O(r × k + k3).

Finally, the score1 computation has the complexityof O(k+r). Since computation of score2 includes themedian, minimum, mean and standard deviation cal-culations, the worst case computational complexityis O(w2 + (k − w)2). Let assume w << k, the worstcomplexity is O(k2). The complexity of the DDoS de-tection, Algorithm 4, is O((k+r)+k2) ≈ O((r+k2).

5.2. Dataset

In order to feed the network with real data, weuse real network traffic dataset from MAWI WorkingGroup Traffic Archive [42]. Since 2002, MAWILabhas been collecting traffic measurement analysis onthe Internet. We use this dataset to generate the nor-mal traffic in our simulation network. We use the Jan12, 2012 part of the MAWI dataset with the trafficdata size of 1.1 GB. The MAWI traffic is regeneratedusing TcpReplay tool [43] and fed to the network.The IP addresses in MAWI dataset are also refash-ioned according to the host IPs in the experimentalnetwork. Therefore, each host in the network con-tributes to the traffic. In total, almost twelve hoursnormal and background traffic is regenerated by us-ing TcpReplay. 255-minute (more than four hours)length attack traffic is injected into the normal traffic.The attack starts after 320 minutes that the normaltraffic is started.

5.3. Simulation Environment

In order to simulate the network, Mininet emula-tion environment [6] is used to simulate the network.Due to its design and capabilities, it is appropriate for

10

Figure 3: Experimental Topology.

experimenting with SDN. POX controller [44] is runon a PC with 8 GB RAM and Intel Core i7 processoras the SDN controller .

The network topology for the experiment is asshown in Figure 3. There are eight OpenFlow en-abled switches, namely S1, S2, . . . , S8, in the net-work. Each switches Sk is connected to eight hosts,hkj . We assume that, one of the host of S4, h46, isinfected by a malicious user who is generating attackon a victim which is the host, h72 connected to theswitch, S7. We assume that the attacker uses dif-ferent compromised hosts on the Internet and thentries to enter to the network through S4 to attackthe victim [7, 11, 13].

5.4. Performance Metrics

In this work, we deal with the problem of the sep-aration attack traffics from normal ones. There aresome parameters that should be taken into accountwhile evaluating the performance of detection includ-ing true positive (TP ), true negative (TN), false pos-itive (FP ) and false negative (FN). TP and TN aretwo metrics that reflect the success rate of true detec-tion. While TP shows the number of attack samplesdetected by the algorithm, TN on the other hand,represents the number of benign samples which arecorrectly labeled as normal instances. FP and FN ,

in contrast, are used to show the failure of the methodin correct detection. FP is related to the numberof normal samples incorrectly classified as malicioussamples and FN is the number of attack samples thatare misplaced as normal.

Using the four previously mentioned parameters,we utilize four metrics including true positive rate(TPr), false positive rate (FPr), F1 score and to-tal accuracy (ACC). While F1 score gives a bettermeasure of the incorrectly classified cases, ACC rep-resents the ability of the system in true detection ofboth normal and DDoS attack. TPr, FPr, F1 scoreand ACC are defined as:

TPr =TP

TP + FN, (5)

FPr =FP

FP + TN, (6)

F1 score =2TP

2TP + FP + TN, (7)

ACC =TP + TN

TP + TN + FP + FN. (8)

Furthermore, we employ receiver operating char-acteristic, ROC, curve to observe the performanceof the scheme in separating attack from the normal

11

traffic. The area under the curve of ROC, AUC, rep-resents the degree of separability. The ROC curve isplotted with TPr against the FPr where TPr is ony-axis and FPr is on the x-axis.

5.5. Experimental Results

In this section, we evaluate the performance ofthe proposed detection and countermeasure schemevia simulation. We present our experimental resultswith respect to detection and countermeasure perfor-mances.

5.5.1. Detection Performance

In this section, we discuss the detection perfor-mance of the proposed scheme, by applying themethod on the simulation environment. The con-troller organizes the network traffic passing throughswitches. At that point, the feature extraction mod-ule collects statistics from flow tables for each switchin every minute and extracts their features. Then,the USIP feature is processed by the first anomalydetection algorithm (Algorithm 2), which employs atime-series approach based on ARIMA and chaos the-ory to assign an anomaly score to the sample. Onthe other hand, the NUDIP feature is processed byanother anomaly detection algorithm (Algorithm 3)which assigns another anomaly score to the samesample by applying the proposed adaptive threshold-ing method. Finally, our detection algorithm (Al-gorithm 4) decides whether the sample is an attackinstance or a normal traffic instance. The time inter-val t = 1 minute is selected empirically and by con-sidering the infrastructure of the experimental setupnetwork.

Our scenario is illustrated in Figure 3. The attackis originated from the switch, S4; therefore, the fol-lowing result are based on the analysis applied on thedata extracted from S4. Totally, we obtain 729 trafficsamples in our simulations. First 218 points are usedin initializing the normal behavior of the network andthe remaining 511 samples are left for test purposes.

Training and test phases of USIP are shown in Fig-ure 4. The trained model is employed to predict theupcoming value for xt. Figure 5 displays the originaland the predicted value for the USIP. Because the

Figure 4: The Number of Unique Source IPs.

ARIMA model is trained based on the normal traf-fic data, the estimated value diverges from the actualvalue during the attack. Thus, the prediction errorwhich is shown in Figure 6, is different from the nor-mal condition. The chaotic behaviour of the erroris used to differ attack samples from normal traffic.Therefore, the Lyapunov exponent of the error is es-timated. The positive value of the Lyapunov valuemay correspond to attack samples. In order to con-vert the negative and positive Lyapunov values toscores, we map negative and positive values as 0 and1, respectively. The Lyapunov values and the corre-sponding scores are depicted in the Figure 7. Theactual DDoS attack instances are labeled by the redsmall triangles in the figure.

Figure 8 shows the NUDIP time-series, the outputof two exponential filters, EXP f1 and EXP f2, andtheir difference. By applying rolling median with thewindow size of w = 10 on the difference,M is gener-ated and used as the new feature to distinguish be-tween normal and attack traffic. The threshold value,4× σm, is empirically selected from the data and byconsidering Chebyshev’s theorem which describes theminimum proportion of the measurements that mustlie within one, two, or more standard deviations ofthe mean [45].

Figure 9 displays the median of difference and the

12

0 100 200 300 400 500 600 700

Minutes

0

100

200

300

400

500

600

700

ARIMA Predicted Result

Original

Predicted

Figure 5: The Original USIP and The Predicted Output Byusing ARIMA model.

Figure 6: ARIMA Prediction Error.

corresponding score for the test part of the NUDIP.During the attack, the median is higher than the nor-mal one. The detection algorithm decides whetherthe sample is anomaly or not. The final score of thedetection algorithm is shown in Figure 10.

The proposed algorithm is applied on each switchSi in the network and corresponding scores, score1and score2 are obtained. Figure 11 displays the fi-nal anomaly score for all switches in the network,obtained by multiplying the corresponding score1and score2. As shown in the Figure 10 and Figure

200 300 400 500 600 700

3

2

1

0

1

2

Lyapunov E

xponent

200 300 400 500 600 700

Minutes

0.0

0.5

1.0

Score

_1

Attack

Normal

Figure 7: Local Lyapunov Exponent For ARIMA PredictionError and Corresponding Anomaly Score.

0 100 200 300 400 500 600 700

0.0

0.2

0.4

0.6

0.8

1.0

UD

IP/#

Packet

UDIP

Exp_f1

Exp_f2

0 100 200 300 400 500 600 700

Minutes

0.0

0.2

0.4

0.6

0.8

Absolu

te D

iffe

rence

Figure 8: NUDIP Time-series and The Outputs of Filters.

11, the controller immediately identifies two engagedswitches in the DDoS attack scenario once the attackstarts.

Table 2 shows the TPr, FPr, F1 score and ACC ofthe proposed method for each switch in the network.We just concentrate on the accuracy of S4 and S7.The detection algorithm performance on both switchS4 and S7 is the same and equals to 98.82%. Otherswitches are almost insensitive to the attack. Figure

13

200 300 400 500 600 700

0.2

0.4

0.6

0.8

Media

n o

f D

iffe

rence (

w=

10)

200 300 400 500 600 700

Minutes

0.0

0.5

1.0

Score

(S2)

Attack

Normal

Figure 9: Median of Difference and The Score2.

200 300 400 500 600 700

Minutes

0.2

0.0

0.2

0.4

0.6

0.8

1.0

1.2

Fin

al Score

(S)

Attack

Normal

Figure 10: Final Score of the Proposed Method.

12 displays the ROC curves for both switches S4 andS7. The AUC values for both switches are equal to0.99.

Because both thresholds are chosen dynamically,the detection performance is better compared toentropy-based detection algorithms which operateswith a constant threshold. Furthermore, most of thereferenced methods (see Section 2) have been carriedout by topologies with just one switch, but in this

M

200

3

700Switc

hes

S8S7

S6S5

Label

0.0

0.2

0.4

0.6

0.8

1.0

Figure 11: Final Anomaly Scores for All Switches.

Table 2: The Result of DDoS Attack Detection for Differentswitches

Switch TPr(%) FPr(%) F1 score ACC(%)

S1 1.92 1.60 — —S2 0 0 — —

S3 0.38 0 — —

S4 97.70 0 0.988 98.82S5 0 0 — —

S6 0.38 0 — —S7 98.46 0.8 0.988 98.82

S8 0 0 — —

work, the capability of DDoS detection and counter-measure for multiple switches is also discussed.

5.5.2. Countermeasure Performance

In order to observe the effectiveness of the defensealgorithm, we run another simulation on the sameexperiment. The countermeasure part of the detec-tion module is activated after a while that the attackstarts. The activation delay is intentionally added tosee the effect of the DDoS attack on the USIP andNUDIP features. The attack is originated from theSwitch, S4, and the victim resides in the Switch, S7.As the attack begins, the anomaly alarms for bothmentioned switches are raised. The rules in the flow

14

0.0 0.2 0.4 0.6 0.8 1.0

False Positive Rate

0.0

0.2

0.4

0.6

0.8

1.0

Tru

e P

osit

ive R

ate

S4 : AUC = 0.99

S7 : AUC = 0.99

Figure 12: The Receiver Operating Characteristic (ROC).

tables of both switches are updated to drop all pack-ets with the destination IP addresses as the same asthe most occurrence IP address in the correspondinghash tables.

Figure 13 shows the USIP and NUDIP features forboth switches. As the attack starts, both features arechanged accordingly. Because the attack is originatedfrom S4, when the countermeasure is activated, thepattern of both features revert to their normal con-dition in Switch S7. As a result, the anomaly alarmof the switch, S7 is cleared. The anomaly patternsin S4 does not change until the end of the attack.Once the attack is finished, the controller clears thealarm for the S4 and routing process of the switch isreturned to its normal state.

The result shows that the proposed countermea-sure scheme can be considered as an effective mecha-nism to mitigate DDoS attacks. Therefore, when anattack occurs, as soon as the involved switches aredetected by the controller, the rules of the flow tableentries are updated. As a result, the attack traf-fic that threatens involved switches in the network isisolated to protect the availability of the network.

6. Conclusion

In this paper, we propose a DDoS attack de-tection and countermeasure scheme based on time-

0 25 50 75 100 125 150 175

0

100

200

300

USIP

Switch #4

Switch #7

0 25 50 75 100 125 150 175

Minutes

0.0

0.2

0.4

0.6

0.8

1.0

NU

DIP

Switch #4

Switch #7

Figure 13: USIP and NUDIP for Switch #4 and Switch #7

series analysis for SDN. The proposed scheme mon-itors each OpenFlow switch individually to find anyanomalies caused by DDoS attacks. For this purpose,four modules including Feature Extraction, AnomalyDetection for USIP, Anomaly Detection for NUDIPand DDoS Detection, are added to the SDN con-troller. In this work, our scheme monitors the trafficfeatures to distinguish DDoS attack instances. Forthis purpose, we consider both the number of uniquesource IP addresses and the normalized unique des-tination IP addresses. In Anomaly Score Computa-tion for USIP algorithm, we employ the ARIMA fore-casting error and chaos theory. For Anomaly ScoreComputation for NUDIP algorithm, we adopt the dy-namic threshold method. Then, the results obtainedfrom these two algorithms are used for labeling eachtraffic sample as normal or DDoS traffic. Moreover, ifany DDoS attack instances are detected in a switch,the DDoS attack alarm is raised for that switch andthe countermeasure module updates the flow table ofthe switch accordingly to prevent the DDoS attack.In order to assess the performance of DDoS detec-tion, we implement our scheme on an example SDNnetwork by using Mininet environment [6]. The sim-ulation results show that our scheme detects anoma-

15

lies and affected switches in the network with a highaccuracy (98.82%).

References

[1] R. Sahay, W. Meng, C. D. Jensen, The applica-tion of software defined networking on securingcomputer networks: A survey, Journal of Net-work and Computer Applications 131 (2019) 89–108.

[2] J. C. C. Chica, J. C. Imbachi, J. F. Botero, Se-curity in sdn: A comprehensive survey, Journalof Network and Computer Applications (2020)102595.

[3] T. Ubale, A. K. Jain, Survey on ddos attacktechniques and solutions in software-defined net-work, in: Handbook of Computer Networks andCyber Security, Springer, 2020, pp. 389–419.

[4] S. Gupta, B. B. Gupta, Detection, avoidance,and attack pattern mechanisms in modern webapplication vulnerabilities: present and futurechallenges, International Journal of Cloud Ap-plications and Computing (IJCAC) 7 (3) (2017)1–43.

[5] N. Z. Bawany, J. A. Shamsi, K. Salah, DDoS at-tack detection and mitigation using sdn: meth-ods, practices, and solutions, Arabian Journalfor Science and Engineering 42 (2) (2017) 425–441.

[6] J. Yan, D. Jin, Vt-mininet: Virtual-time-enabled mininet for scalable and accuratesoftware-define network emulation, in: Proceed-ings of the 1st ACM SIGCOMM Symposiumon Software Defined Networking Research, 2015,pp. 27:1–27:7.

[7] K. Kalkan, L. Altay, G. Gur, F. Alagoz, Jess:Joint entropy-based DDoS defense scheme inSDN, IEEE Journal on Selected Areas in Com-munications 36 (10) (2018) 2358–2372.

[8] W. Lee, D. Xiang, Information-theoretic mea-sures for anomaly detection, in: Proceedings

2001 IEEE Symposium on Security and Privacy.S&P 2001, IEEE, 2000, pp. 130–143.

[9] P. Berezinski, M. Szpyrka, B. Jasiul, M. Mazur,Network anomaly detection using parameterizedentropy, in: IFIP International Conference onComputer Information Systems and IndustrialManagement, Springer, 2015, pp. 465–478.

[10] S. Yu, W. Zhou, R. Doss, W. Jia, Tracebackof ddos attacks using entropy variations, IEEETransactions on Parallel and Distributed Sys-tems 22 (3) (2010) 412–425.

[11] S. M. Mousavi, M. St-Hilaire, Early detection ofddos attacks against sdn controllers, in: 2015 In-ternational Conference on Computing, Network-ing and Communications (ICNC), IEEE, 2015,pp. 77–81.

[12] H. Bozdogan, Akaike’s information criterion andrecent developments in information complex-ity, Journal of mathematical psychology 44 (1)(2000) 62–91.

[13] K. S. Sahoo, D. Puthal, M. Tiwary, J. J. Ro-drigues, B. Sahoo, R. Dash, An early detectionof low rate ddos attack to sdn based data cen-ter networks using information distance metrics,Future Generation Computer Systems 89 (2018)685–697.

[14] R. Braga, E. de Souza Mota, A. Passito,Lightweight ddos flooding attack detection us-ing nox/openflow., in: LCN, Vol. 10, 2010, pp.408–415.

[15] T. Kohonen, The self-organizing map, Proceed-ings of the IEEE 78 (9) (1990) 1464–1480.

[16] A. S. da Silva, J. A. Wickboldt, L. Z.Granville, A. Schaeffer-Filho, Atlantic: A frame-work for anomaly traffic detection, classification,and mitigation in sdn, in: NOMS 2016-2016IEEE/IFIP Network Operations and Manage-ment Symposium, IEEE, 2016, pp. 27–35.

[17] N. Meti, D. Narayan, V. Baligar, Detection ofdistributed denial of service attacks using ma-chine learning algorithms in software defined

16

networks, in: 2017 International Conference onAdvances in Computing, Communications andInformatics (ICACCI), IEEE, 2017, pp. 1366–1371.

[18] B. Scholkopf, A. J. Smola, Learning with ker-nels: support vector machines, regularization,optimization, and beyond, MIT press, 2001.

[19] T. M. Nam, P. H. Phong, T. D. Khoa, T. T.Huong, P. N. Nam, N. H. Thanh, L. X. Thang,P. A. Tuan, V. D. Loi, et al., Self-organizingmap-based approaches in ddos flooding detec-tion using sdn, in: 2018 International Con-ference on Information Networking (ICOIN),IEEE, 2018, pp. 249–254.

[20] T. V. Phan, T. Van Toan, D. Van Tuyen, T. T.Huong, N. H. Thanh, Openflowsia: An op-timized protection scheme for software-definednetworks from flooding attacks, in: 2016 IEEESixth International Conference on Communica-tions and Electronics (ICCE), IEEE, 2016, pp.13–18.

[21] J. Cui, M. Wang, Y. Luo, H. Zhong, Ddos detec-tion and defense mechanism based on cognitive-inspired computing in sdn, Future GenerationComputer Systems 97 (2019) 275–283.

[22] Y. Wang, T. Hu, G. Tang, J. Xie, J. Lu, Sgs:Safe-guard scheme for protecting control planeagainst ddos attacks in software-defined net-working, IEEE Access 7 (2019) 34699–34710.

[23] H. Polat, O. Polat, A. Cetin, Detecting ddos at-tacks in software-defined networks through fea-ture selection methods and machine learningmodels, Sustainability 12 (3) (2020) 1035.

[24] N. Bhatia, et al., Survey of nearest neighbortechniques, arXiv preprint arXiv:1007.0085.

[25] O. I. Abiodun, A. Jantan, A. E. Omolara, K. V.Dada, N. A. Mohamed, H. Arshad, State-of-the-art in artificial neural network applications: Asurvey, Heliyon 4 (11) (2018) e00938.

[26] S. Umadevi, K. J. Marseline, A survey on datamining classification algorithms, in: 2017 Inter-national Conference on Signal Processing andCommunication (ICSPC), IEEE, 2017, pp. 264–268.

[27] Q. Niyaz, W. Sun, A. Y. Javaid, A deeplearning based ddos detection system insoftware-defined networking (sdn), arXivpreprint arXiv:1611.07400.

[28] C. Li, Y. Wu, X. Yuan, Z. Sun, W. Wang, X. Li,L. Gong, Detection and defense of ddos attack–based on deep learning in openflow-based sdn,International Journal of Communication Sys-tems 31 (5) (2018) e3497.

[29] R. Zhao, R. Yan, Z. Chen, K. Mao, P. Wang,R. X. Gao, Deep learning and its applications tomachine health monitoring, Mechanical Systemsand Signal Processing 115 (2019) 213–237.

[30] R. U. Rasool, U. Ashraf, K. Ahmed, H. Wang,W. Rafique, Z. Anwar, Cyberpulse: A machinelearning based link flooding attack mitigationsystem for software defined networks, IEEE Ac-cess 7 (2019) 34885–34899.

[31] S. Haider, A. Akhunzada, I. Mustafa, T. B. Pa-tel, A. Fernandez, K.-K. R. Choo, J. Iqbal, Adeep cnn ensemble framework for efficient ddosattack detection in software defined networks,Ieee Access 8 (2020) 53972–53983.

[32] N. Perraudin, P. Vandergheynst, Stationary sig-nal processing on graphs, IEEE Transactions onSignal Processing 65 (13) (2017) 3462–3477.

[33] M. T. Rosenstein, J. J. Collins, C. J. De Luca,A practical method for calculating largest Lya-punov exponents from small data sets, PhysicaD: Nonlinear Phenomena 65 (1-2) (1993) 117–134.

[34] S. M. T. Nezhad, M. Nazari, E. A. Gharavol,A novel DoS and DDoS attacks detection al-gorithm using ARIMA time series model andchaotic system in computer networks., IEEECommunications Letters 20 (4) (2016) 700–703.

17

[35] R. C. Baishya, N. Hoque, D. K. Bhattacharyya,DDoS attack detection using unique source IPdeviation., IJ Network Security 19 (6) (2017)929–939.

[36] D. C. Montgomery, C. L. Jennings, M. Kulahci,Introduction to time series analysis and forecast-ing, Wiley series in probability and statistics,2015.

[37] P. Legendre, D. Borcard, Box–cox-chord trans-formations for community composition dataprior to beta diversity analysis, Ecography41 (11) (2018) 1820–1824.

[38] G. Jain, B. Mallick, A study of time series mod-els arima and ets, Available at SSRN 2898968.

[39] M. Thottan, C. Ji, Anomaly detection in ip net-works, IEEE Transactions on signal processing51 (8) (2003) 2191–2204.

[40] E. H. Pena, L. F. Carvalho, S. Barbon Jr, J. J.Rodrigues, M. L. Proenca Jr, Anomaly detectionusing the correlational paraconsistent machinewith digital signatures of network segment, In-formation Sciences 420 (2017) 313–328.

[41] Y. Yao, Using nonlinear difference equations tostudy quicksort algorithms, Journal of DifferenceEquations and Applications 26 (2) (2020) 275–294.

[42] M. W. Group, et al., Mawi working group trafficarchive (2018).

[43] P. E. TCPReplay, Replay tools for* nix (2016).

[44] S. Kaur, J. Singh, N. S. Ghumman, Networkprogrammability using POX controller, in: IC-CCS International Conference on Communica-tion, Computing & Systems, IEEE, Vol. 138,2014.

[45] B. G. Amidan, T. A. Ferryman, S. K. Cooley,Data outlier detection using the chebyshev theo-rem, in: 2005 IEEE Aerospace Conference, 2005,pp. 3814–3819.

18