SD-Honeypot Integration for Mitigating DDoS Attack Using Machine Learning Approaches

Fauzi Dwi Setiawan Sumadi - Department of Informatics, University of Muhammadiyah Malang, Malang, 65145, Indonesia
Alrizal Rakhmat Widagdo - Department of Informatics, University of Muhammadiyah Malang, Malang, 65145, Indonesia
Abyan Faishal Reza - Department of Informatics, University of Muhammadiyah Malang, Malang, 65145, Indonesia
- Syaifuddin - Department of Informatics, University of Muhammadiyah Malang, Malang, 65145, Indonesia

Citation Format:



Distributed Denial of Services (DDoS) is still considered the main availability problem in computer networks. Developing a programmable Intrusion Prevention System (IPS) application in a Software Defined Network (SDN) may solve the specified problem. However, the deployment of centralized logic control can create a single point of failure on the network. This paper proposed the integration of Honeypot Sensor (Suricata) on the SDN environment, namely the SD-Honeypot network, to resolve the DDoS attack using a machine learning approach. The application employed several algorithms (Support Vector Machine (SVM), Multilayer Perceptron (MLP), Gaussian Naive Bayes (GNB), K-Nearest Neighbors (KNN), Classification and Regression Trees (CART), and Random Forest (RF)) and comparatively analyzed. The dataset used during the emulation utilized the extracted Internet Control Message Protocol (ICMP) flood data from the Suricata sensor. In order to measure the effectiveness of detection and mitigation modules, several variables were examined, namely, accuracy, precision, recall, and the promptness of the flow mitigation installation process. The Honeypot server transmitted the flow rule modification message for blocking the attack using the Representational State Transfer Application Programming Interface (REST API). The experiment results showed the effectiveness of CART algorithm for detecting and resolving the intrusion. Despite the accuracy score pointed at 69-70%, the algorithm could promptly deploy the mitigation flow within 31-49ms compared to the SVM, which produced 93-94% accuracy, but the flow installation required 112-305ms. The developed CART module can be considered a solution to prevent the attack effectively based on the analyzed variable.


DDoS; intrusion prevention system; machine learning; SD-Honeypot; Suricata.

Full Text:



A. Praseed and P. S. Thilagam, "DDoS Attacks at the Application Layer: Challenges and Research Perspectives for Safeguarding Web Applications," IEEE Communications Surveys & Tutorials, vol. 21, no. 1, pp. 661-685, 2019.

W. Zhijun, L. Wenjing, L. Liang, and Y. Meng, "Low-Rate DoS Attacks, Detection, Defense, and Challenges: A Survey," IEEE Access, vol. 8, pp. 43920-43943, 2020.

S. Sezer et al., "Are we ready for SDN? Implementation challenges for software-defined networks," IEEE Communications Magazine, vol. 51, no. 7, pp. 36-43, 2013.

V. Gupta, A. Kochar, S. Saharan, and R. Kulshrestha, "DNS Amplification Based DDoS Attacks in SDN Environment: Detection and Mitigation," in 2019 IEEE 4th International Conference on Computer and Communication Systems (ICCCS), 2019, pp. 473-478.

R. Swami, M. Dave, and V. Ranga, "Defending DDoS against Software Defined Networks using Entropy," in 2019 4th International Conference on Internet of Things: Smart Innovation and Usages (IoT-SIU), 2019, pp. 1-5.

F. D. S. Sumadi and C. S. K. Aditya, "Comparative Analysis of DDoS Detection Techniques Based on Machine Learning in OpenFlow Network," in 2020 3rd International Seminar on Research of Information Technology and Intelligent Systems (ISRITI), 2020, pp. 152-157.

A. O. Sangodoyin, M. O. Akinsolu, P. Pillai, and V. Grout, "Detection and Classification of DDoS Flooding Attacks on Software-Defined Networks: A Case Study for the Application of Machine Learning," IEEE Access, vol. 9, pp. 122495-122508, 2021.

A. O. Alzahrani and M. J. F. Alenazi, "Designing a Network Intrusion Detection System Based on Machine Learning for Software Defined Networks," Future Internet, vol. 13, no. 5, 2021.

P. M. Ombase, N. P. Kulkarni, S. T. Bagade, and A. V. Mhaisgawali, "DoS attack mitigation using rule based and anomaly based techniques in software defined networking," in 2017 International Conference on Inventive Computing and Informatics (ICICI), 2017, pp. 469-475.

C. Kelly, N. Pitropakis, A. Mylonas, S. McKeown, and W. J. Buchanan, "A Comparative Analysis of Honeypots on Different Cloud Platforms," Sensors, vol. 21, no. 7, 2021.

H. Wang and B. Wu, "SDN-based hybrid honeypot for attack capture," in 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), 2019, pp. 1602-1606.

M. Du and K. Wang, "An SDN-Enabled Pseudo-Honeypot Strategy for Distributed Denial of Service Attacks in Industrial Internet of Things," IEEE Transactions on Industrial Informatics, vol. 16, no. 1, pp. 648-657, 2020.

H. Lin, "SDN-based In-network Honeypot: Preemptively Disrupt and Mislead Attacks in IoT Networks," ArXiv, vol. abs/1905.13254, 2019.

X. Luo, Q. Yan, M. Wang, and W. Huang, "Using MTD and SDN-based Honeypots to Defend DDoS Attacks in IoT," in 2019 Computing, Communications and IoT Applications (ComComAp), 2019, pp. 392-395.

W. Tian, M. Du, X. Ji, G. Liu, Y. Dai, and Z. Han, "Honeypot Detection Strategy Against Advanced Persistent Threats in Industrial Internet of Things: A Prospect Theoretic Game," IEEE Internet of Things Journal, vol. 8, no. 24, pp. 17372-17381, 2021.

S. Asadollahi, B. Goswami, and M. Sameer, "Ryu controller's scalability experiment on software defined networks," in 2018 IEEE International Conference on Current Trends in Advanced Computing (ICCTAC), 2018, pp. 1-5..

J. M. Ceron, C. Scholten, A. Pras, and J. Santanna, "MikroTik Devices Landscape, Realistic Honeypots, and Automated Attack Classification," in NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, 2020, pp. 1-9.

B. Heller et al., "OpenFlow Switch Specification", Version 1.3.0 (Wire Protocol 0x04),†pp. 1-105, 2012. [Online]. Available:

Y. Li, R. Miao, M. Alizadeh, and M. Yu, "DETER: Deterministic TCP Replay for Performance Diagnosis," in NSDI, 2019.

S. R. R, R. R, M. Moharir, and G. S, "SCAPY- A powerful interactive packet manipulation program," in 2018 International Conference on Networking, Embedded and Wireless Systems (ICNEWS), 2018, pp. 1-5.

K. Nam and K. Kim, "A Study on SDN security enhancement using open source IDS/IPS Suricata," in 2018 International Conference on Information and Communication Technology Convergence (ICTC), 2018, pp. 1124-1126.

I. W. Tsang, J. T. Kwok, and P.-M. Cheung, "Core Vector Machines: Fast SVM Training on Very Large Data Sets," J. Mach. Learn. Res., vol. 6, pp. 363–392, 2005.