{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,7]],"date-time":"2025-11-07T13:30:00Z","timestamp":1762522200519,"version":"build-2065373602"},"reference-count":29,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2018,8,23]],"date-time":"2018-08-23T00:00:00Z","timestamp":1534982400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":""The Fundamental Research Funds for the Central Universities", South-Central University for Nationalities","award":["CZY18014"],"award-info":[{"award-number":["CZY18014"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"A data center network is vulnerable to suffer from concealed low-rate distributed denial of service (L-DDoS) attacks because its data flow has the characteristics of data flow delay, diversity, and synchronization. Several studies have proposed addressing the detection of L-DDoS attacks, most of them are only detect L-DDoS attacks at a fixed rate. These methods cause low true positive and high false positive in detecting multi-rate L-DDoS attacks. Software defined network (SDN) is a new network architecture that can centrally control the network. We use an SDN controller to collect and analyze data packets entering the data center network and calculate the Renyi entropies base on IP of data packets, and then combine them with the hidden Markov model to get a probability model HMM-R to detect L-DDoS attacks at different rates. Compared with the four common attack detection algorithms (KNN, SVM, SOM, BP), HMM-R is superior to them in terms of the true positive rate, the false positive rate, and the adaptivity.<\/jats:p>","DOI":"10.3390\/fi10090083","type":"journal-article","created":{"date-parts":[[2018,8,24]],"date-time":"2018-08-24T03:42:31Z","timestamp":1535082151000},"page":"83","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":23,"title":["A HMM-R Approach to Detect L-DDoS Attack Adaptively on SDN Controller"],"prefix":"10.3390","volume":"10","author":[{"given":"Wentao","family":"Wang","sequence":"first","affiliation":[{"name":"College of Computer Science, South-Central University for Nationalities, Wuhan 430074, China"}]},{"given":"Xuan","family":"Ke","sequence":"additional","affiliation":[{"name":"College of Computer Science, South-Central University for Nationalities, Wuhan 430074, China"}]},{"given":"Lingxia","family":"Wang","sequence":"additional","affiliation":[{"name":"College of Computer Science, South-Central University for Nationalities, Wuhan 430074, China"}]}],"member":"1968","published-online":{"date-parts":[[2018,8,23]]},"reference":[{"key":"ref_1","first-page":"395","article-title":"Characteristics research on modern data center network","volume":"51","author":"Gang","year":"2014","journal-title":"J. Comput. Res. Dev."},{"key":"ref_2","first-page":"37","article-title":"Survey on research and progress of low-rate denial of service attacks","volume":"533","author":"Wen","year":"2014","journal-title":"J. Softw."},{"key":"ref_3","unstructured":"Min, S.K., Lee, S.B., and Gligor, V.D. (2013, January 19\u201322). The crossfire attack. Proceedings of the IEEE Symposium on Security & Privacy, Berkeley, CA, USA."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"426","DOI":"10.1109\/TIFS.2011.2107320","article-title":"Low-rate DDoS attacks detection and traceback by using new information metrics","volume":"6","author":"Xiang","year":"2011","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"6","DOI":"10.1145\/1883612.1883613","article-title":"Discrete wavelet transform-based time series analysis and mining","volume":"43","author":"Chaovalit","year":"2011","journal-title":"ACM Comput. Surv."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Oshima, S., Nakashima, T., and Sueyoshi, T. (2010, January 15\u201318). Early DoS\/DDoS Detection Method using Short-term Statistics. Proceedings of the International Conference on Complex, Intelligent and Software Intensive Systems, Krakow, Poland.","DOI":"10.1109\/CISIS.2010.53"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.patrec.2014.07.019","article-title":"An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection","volume":"51","author":"Bhuyan","year":"2015","journal-title":"Pattern Recognit. Lett."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Bhuyan, M.H., Bhattacharyya, D.K., and Kalita, J.K. (2014, January 7\u20139). Information metrics for low-rate DDoS attack detection: A comparative evaluation. Proceedings of the International Conference on Contemporary Computing, Noida, India.","DOI":"10.1109\/IC3.2014.6897151"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Mousavi, S.M., and Sthilaire, M. (2015, January 16\u201319). Early detection of DDoS attacks against SDN controllers. Proceedings of the International Conference on Computing, NETWORKING and Communications, Garden Grove, CA, USA.","DOI":"10.1109\/ICCNC.2015.7069319"},{"key":"ref_10","first-page":"33","article-title":"Low-rate DDoS attack detection using optimal objective entropy method","volume":"78","author":"Jadhav","year":"2014","journal-title":"Int. J. Comput. Appl."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1016\/j.comcom.2015.06.012","article-title":"Detecting DDoS attacks against data center with correlation analysis","volume":"67","author":"Xiao","year":"2015","journal-title":"Comput. Commun."},{"key":"ref_12","first-page":"474","article-title":"Rank correlation for low-rate DDoS attack detection: An empirical evaluation","volume":"18","author":"Ain","year":"2016","journal-title":"Int. J. Netw. Secur."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Bhuyan, M.H., Kalwar, A., Goswami, A., Bhattacharyya, D.K., and Kalita, J.K. (2015, January 4\u20136). Low-Rate and High-Rate Distributed DoS Attack Detection Using Partial Rank Correlation. Proceedings of the IEEE Fifth International Conference on Communication Systems and Network Technologies, Gwalior, India.","DOI":"10.1109\/CSNT.2015.24"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"173","DOI":"10.1109\/LCOMM.2012.121912.122257","article-title":"A rank correlation based detection against distributed reflection dos attacks","volume":"17","author":"Wei","year":"2013","journal-title":"IEEE Commun. Lett."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Hoque, N., Bhattacharyya, D.K., and Kalita, J.K. (2016, January 5\u201310). A novel measure for low-rate and high-rate DDoS attack detection using multivariate data analysis. Proceedings of the IEEE International Conference on Communication Systems and Networks, Bangalore, India.","DOI":"10.1109\/COMSNETS.2016.7439939"},{"key":"ref_16","first-page":"3417","article-title":"Flow level detection and filtering of low-rate DDoS","volume":"56","author":"Zhang","year":"2012","journal-title":"Comput. Netw. Int. J. Comput. Telecommun. Netw."},{"key":"ref_17","unstructured":"Suresh, M., and Anitha, R. (2011, January 15\u201317). Evaluating machine learning algorithms for detecting DDoS attacks. Proceedings of the Advances in Network Security and Applications: 4th International Conference, CNSA 2011, Chennai, India."},{"key":"ref_18","first-page":"578","article-title":"An evaluation on KNN-SVM algorithm for detection and prediction of DDoS attack","volume":"138","author":"Yusof","year":"2011","journal-title":"Parasitology"},{"key":"ref_19","unstructured":"Priyanka, P.S., Gowrishankar, A., Priyanka, P.S., and Gowrishankar, A. (2018, July 18). Detection of Low and High Rate DDoS Attack Using Metrics with SVM in FireCol Distributed Network. Available online: https:\/\/www.ijcaonline.org\/proceedings\/icaccthpa2014\/...\/19445-6027."},{"key":"ref_20","first-page":"275","article-title":"Detection of DDoS attacks against wireless sdn controllers based on the fuzzy synthetic evaluation decision-making model","volume":"33","author":"Yan","year":"2016","journal-title":"Ad Hoc Sens. Wirel. Netw."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Braga, R., Mota, E., and Passito, A. (2010, January 10\u201314). Lightweight DDoS flooding attack detection using NOX\/OpenFlow. Proceedings of the IEEE Conference on Local Computer Networks, Denver, CO, USA.","DOI":"10.1109\/LCN.2010.5735752"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1016\/j.bjp.2013.10.014","article-title":"Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments","volume":"62","author":"Giotis","year":"2014","journal-title":"Comput. Netw."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"65","DOI":"10.1016\/j.jnca.2016.04.005","article-title":"SD-anti-DDoS: Fast and efficient DDoS defense in software-defined networks","volume":"68","author":"Cui","year":"2016","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1016\/j.comnet.2015.02.014","article-title":"Software-defined networking: A survey","volume":"81","author":"Farhady","year":"2015","journal-title":"Comput. Netw."},{"key":"ref_25","first-page":"62","article-title":"State-of-the-art survey on software-defined networking (SDN)","volume":"26","author":"Zhang","year":"2015","journal-title":"J. Softw."},{"key":"ref_26","unstructured":"Terrence, L. (2005). Foundations of Probability. Advanced Real Analysis. Cornerstones, Birkh\u00e4user."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Lantz, B., Heller, B., and Mckeown, N. (2010, January 20\u201321). A network in a laptop: Rapid prototyping for software-defined networks. Proceedings of the ACM Workshop on Hot Topics in Networks, HOTNETS 2010, Monterey, CA, USA.","DOI":"10.1145\/1868447.1868466"},{"key":"ref_28","unstructured":"(2018, July 18). POX Controller. Available online: https:\/\/github.com\/pkpk8\/pox."},{"key":"ref_29","unstructured":"(2018, July 18). Netsniff-ng Toolkit. Available online: http:\/\/www.netsniff-ng.org\/."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/10\/9\/83\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T15:20:33Z","timestamp":1760196033000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/10\/9\/83"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,8,23]]},"references-count":29,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2018,9]]}},"alternative-id":["fi10090083"],"URL":"https:\/\/doi.org\/10.3390\/fi10090083","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2018,8,23]]}}}