DDoS attack Mitigation using Distributed SDN Multi controllers for Fog based IoT Systems
Abstract - Software Defined Networking (SDN) is an important platform today for handling huge networks like Internet of Things (IoT) and fog edge based networking devices. SDN is also a prominent network platform for today's diverse industrial setups such as cloud data storage, Industrial Internet of Things (IIoT), Network Function Virtualization (NFV), and security attacks. SDN thus handles application layer resources and physical layer edge devices along with security protection. Resources like cloud database storage are not capable of handling today's huge volumes of data. Similarly, huge volumes of data originate from the various end devices and travel via IoT based switches and gateways to the target resources. But attacks like Denial of Service (DoS) and Distributed Denial of Service (DDoS) easily contaminate the network and destroy the target resources and available bandwidth. In this scenario, handling the data traffic and mitigating the attacks with privacy and authentication is a task that the SDN controller performs efficiently. However, the SDN controller takes on only the managing and controlling part of the network, and security is still a very big concern given today's huge data collection from IoT and other smart devices. Fog computing therefore plays a vital role today in reducing DDoS attacks from the different edge data sources: it creates micro clouds, or fog nodes, in front of the cloud resources to manage and mitigate DDoS attacks with the help of distributed SDN multi controllers, and it provides an additional layer of security for the network. This paper proposes a Machine Learning (ML) based DDoS attack mitigation process in an IoT based SDN environment with a fog computing approach, which secures the network from malicious packets with good detection accuracy.
Keywords: SDN, DDoS, Fog computing, IoT, Machine Learning, Distributed multi controller.
1 Research Scholar, Department of Electronics and Communication Engineering, Kalasalingam Academy of Research and Education, Anand Nagar, Krishnankoil, Tamilnadu -626126, India, [email protected]
*Correspondence: R. Ramalakshmi, E-mail: [email protected]
2 Professor, Department of Computer Science and Engineering, Kalasalingam Academy of Research and Education, Anand Nagar, Krishnankoil, Tamilnadu -626126, India, [email protected]
International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(4s), 57–69 | 57
1. Introduction
Software defined networking (SDN) is the most efficient and powerful platform for the vast computational world of devices and applications. SDN has a decoupling behaviour for the network's data, so that it can easily manage the resources for both controlling and forwarding activities in all the intermediate network nodes without delay. The SDN architecture has been improved over the past decades from a single controller to distributed multi controllers to keep up with fast network growth [1]. The distributed multi controller is then capable of performing the controlling, managing, and security activities for the entire smart network through the default OpenFlow interfaces, as well as integrating with new paradigms like edge computing devices and cloud computing applications. This work therefore introduces the SDN controller together with edge computing, with smart IoT devices in the forwarding layer, a fog computing framework as the middle layer, and cloud computing resource access in the application layer.
The SDN controller must be centralised in operation. As a result, DDoS assaults on the SDN controller for exploiting the cloud to fog are a distinct possibility. Some techniques may be used to develop a secure and dependable SDN controller to defend against various assaults. Internet services are rendered inaccessible during a Distributed Denial of Service (DDoS) attack by flooding them with unsolicited data traffic from various sources. The attack takes place in the compromised system's network layer or application
layer, depending on how it is connected to the network [2].
The controller, as the centre point of an SDN network, is very vulnerable to a cyber assault, which might have a significant impact on the entire network. Still, some features of SDN, such as traffic analysis, logically centralised control, a view of the network's global state, and dynamic updating of forwarding rules, make it a good choice for detecting and defending against DDoS attacks in both cloud and fog contexts. Regarding network security, it is also crucial to talk about traffic information such as flow-based and traffic-pattern-based load balancing in the SDN domain [3]. DoS and DDoS assaults are the kind of attacks that can completely degrade the availability of a system. DDoS attacks are designed to make a machine or network resource unavailable to its target customers and are carried out by multiple people or bots. TCP, UDP, ICMP, and DNS packets are used to disrupt target clients by draining their network resources, or to deplete server resources such as sockets, ports, RAM, databases, and input/output bandwidth. These attacks are known as network level flooding and application level DDoS flooding, the latter commonly carried out against an HTTP webpage.
Thousands of billions of IoT devices are connected to one another around the world. However, if all of those devices attempted to load the entire computation to the cloud for merely functionality work, there would be insufficient bandwidth to let all of these devices connect with the cloud server on a continuous basis. It is critical to make the Internet of Things (IoT) concept understandable. This predicament is triggering a slew of new technologies and techniques to deal with all of the industrial and production-related data and information that is at the heart of the IIoT. This is the main concept that led to the term "fog computing" being coined. Fog computing has been known to use the phrase "edge computing" interchangeably on occasion. There is, however, a distinction between the two conceptions. Edge computing and fog computing both entail bringing processing and intelligence capabilities closer to the point where the data is generated [4].
FC is a highly virtualized computing paradigm that is beneficial for providing additional support to the cloud environment, and it was initially launched by Cisco [5]. It works in a similar fashion to cloud, however it is not as centralised. Fog systems can be used to do local data analysis in edge devices, facilitating networking, computation, infrastructure, and storage support as a backbone for end user computing, primarily for IoT and IIoT smart devices. Security is a major issue and worry for both industry and academia while conducting data transactions through the cloud. However, security and privacy are two important issues that have stymied the development of fog computing and cloud computing. However, attacks such as DDoS and others have always put a strain on this. SDN (Software-Defined Network) is a new networking architecture that offers numerous benefits over traditional distributed computing. It simplifies networking for the development of new protocols and the deployment of new applications. Machine learning methods are used by the SDN controller to capture suspicious data flows and infer their validity.
The following are the contributions to this work:
1. To minimise DDoS attacks, a source-based defence technique is developed that might be employed in fog as well as in an IoT-based Distributed SDN Network configuration. The SDN controller has a defence module built in.
2. The cited study proposes an Ensemble machine learning (ML) based light detection approach that involves examining packet characteristics beforehand and utilising a suitable ML model to improve detection and processing rates.
3. It employs SDN technology, with the DDoS defender module deployed to counter DDoS attacks at the network/transport level.
There are difficulties in designing distributed and coordinated DDoS mitigation methods that successfully overcome the limitations of existing mitigation solutions, such as low detection efficiency, high computation power, and cost for all real-time applications and computation resources. The fundamental contribution of this research is to use the Fog computational technique in an IoT-enabled data environment to minimise DDoS attacks by assigning compute power and dispersing workload to provide faster and more accurate attack detection.
Fog will work as a firewall in lower-level end computing devices and as a router for higher-level application devices such as cloud storage and
control servers from a variety of resources. The prototype architecture of the Fog platform deployment in a network environment is shown in Figure 1. This study not only focuses on the fog network, but it also discusses the importance of the fog layer in SDN-based DDoS attack detection and mitigation in an IoT-based SDN network. This paradigm consists of n bottom layer nodes connected to a middle layer called fog, which incorporates fog nodes to handle more sensor and other computing devices from various users in the data plane, and then all of this is connected and controlled by SDN controllers with the end resources in the control plane.
In Section II, we'll go through the background knowledge of the SDN-based IoT system and the existing work on DDoS mitigation. Section III describes the design and operating processes for our DDoS mitigation scheme. Section IV details the algorithm's implementation and testing, and Section V concludes with a summary of the proposed algorithm.
Fig 1: Overview of Fog based SDN Network architecture
2. Background And Related Work
SDN is a good tool to handle DDoS attacks. DDoS defence mechanisms using SDN fall into three categories: source-based, network-based and destination-based mechanisms. Many recent works have also discussed the design and security of fog based cloud and other combined network environments. This scheme considers a different network approach for IoT based SDN security using the Fog computing approach. The peer-reviewed literature discusses various dimensions like Fog based cloud without SDN, Fog based SDN, IoT based Fog, Fog based cloud on SDN, and so on, using Machine learning or Simulation methods of implementation. So, this section discusses some relevant works specific to SDN based DDoS attack mitigation using the Fog based edge computing paradigm. Most DDoS attack detection is based on network monitoring methods and some statistical analysis methods using an ML approach. This paper focuses on SDN based DDoS detection via a Fog layer environment. The proposed work was motivated by many factors, such as the existing literature and other real time analysis discussed below.
This section discusses DDoS attacks in the SDN based IoT domain. IoT devices are constantly producing massive amounts of data. All of this information is useless and must be extracted. This data processing at the network's edge is overcome using fog computing. As a result, fog computing is able to solve some of the most processing big data issues. Da Yin et al. [6] have discussed the distributed denial-of-service (DDoS) attack and vulnerabilities in IoT. The emerging software-defined paradigm provides a way to safely manage IoT devices. It is composed of an SD-IoT controller pool with controllers, SD-IoT switches integrated with the IoT gateway, and terminal IoT devices, to find the real DDoS attacker and block the DDoS attack at the source. Finally, this work proposed to extend the load balancing controller in the SD-IoT based domain along with DDoS detection.
Song Wang et al. [7] have discussed SDN based IoT for DDoS attack control using the secure control and dataplane (SECOD) algorithm. It handled only TCP and UDP traffic for DDoS attack detection and it is not suitable for all real-time IoT based traffic applications. M. Ejaz Ahmed and Hyoungshick Kim [8] have discussed SDN based DDoS security in IoT and a way of mitigating the DDoS attack by using an intermediate SDN domain before it reaches the target network. Luying Zhou et al. [9] demonstrate the DDoS attack detection time and effectiveness on IIoT systems. Detecting and blocking DDoS attacks at the source has the benefit of effective protection and preservation of network resources, but it also has the disadvantage of making it difficult to distinguish between legitimate and attack traffic, because the volume of traffic near the attacking sources may be low before the attack traffic converges on the victim's side. DDoS attack sources might be dispersed over multiple domains,
making it challenging to accurately detect and filter attack flows. It provides the distributed DDoS detection scheme with the multilevel architecture approach.
Da Yin et al. [10] have proposed SD-IoT based DDoS attack detection. It detected the attacks by the IoT controllers or switches themselves. But it could not handle heterogeneous types of packets from different IoT devices. So, this work could extend the SDN-IoT based attack mitigation for better performance. Myo Myint Oo et al. [11] have implemented DDoS attack detection using an SDN testbed with an ML algorithm. It provided better results of attack detection but did not include online data traffic. Amir Modarresi et al. [12] have demonstrated fog based edge computing to manage the massive growth of IoT devices. This paper used the Fog layer with a traditional approach to mitigate spoofing attacks by the SDN controller. Rojalina Priyadarshini et al. [13] discussed Fog based SDN for DDoS attack detection using ML techniques based on network monitoring and traffic engineering techniques. This paper analyzed DDoS attack detection using a Fog based SDN 3 layer environment and demonstrated the CPU utilization before and after attack detection.
Sabireen [14], Zhang Peiyun et al. [15], Patwary et al. [5], and Ashkan Yousefpour et al. [16] discussed the various infrastructure issues in Fog with IoT edge computing in the SDN domain, as well as other privacy issues, authentication and other challenging survey issues in IoT, sensor devices, and SDN along with the Fog layer and cloud centres. Saad Khan et al. [17] have also discussed the importance of Fog computing in overcoming the problems due to the growth of IoT devices and its security challenges. Simer Preet Singh et al. [18] discussed the fog computing storage and computational issues at the edge of the network and also discussed how fog computing overcomes the cloud computing drawbacks and challenges in big data processing. Ruilong Deng et al. [19] investigate the power consumption and transmission delay in fog and cloud computing. It discussed the workload allocation to decompose the problems into sub problems. But this paper works only in a centralized manner. In order to efficiently handle unexpected traffic volume and attack types, DDoS mitigation based on fixed locations, such as source or destination, may need to overprovision features and capabilities.
Luying Zhou et al. [20] discussed DDoS attack detection using the Fog approach in IIoT systems and implemented virtualized rule based firewall three layer systems to detect the DDoS attacks using the Snort method in an industrial environment. Jianbing Ni et al. [21] discussed and surveyed the Fog computing security issues with IoT applications in terms of various attributes like storage, computation, security and threats. The function of fog nodes in IoT applications was also examined in this research, including real-time services, transitory storage, data dissemination, and decentralised computation. Bhumika Paharia and Kriti Bhushan [22] have discussed Fog based security against DDoS attacks between cloud and end users without SDN. The fog computing level is made up of controller clusters and servers that gather traffic data, identify DDoS attacks using network traffic data, and restrict DDoS attacks depending on detection.
Sarang Kahvazadeh et al. [23] discussed the security issues in Fog to cloud (F2C) based networks, reducing the distance between them using SDN centralized controllers. But F2C security issues still remain due to the centralized controller. Rojalina Priyadarshini and Barik [24] have proposed a fog architecture between cloud and end computing devices to filter out the attack packets by a deep learning method. It provides legitimate packets to all the cloud resources via the Fog layer. The DDoS attacks are prevented on the Fog layer itself. Ola Salman Imad et al. [25] have presented SDN Fog security for IoT data challenges. This work proposed IoT security by using SDN and Fog based networks. Luying Zhou et al. [26] have discussed DDoS attack protection using the Fog computing approach in an SDN testbed for a huge number of deployed IoT and other local components and allocation of traffic in the industrial automation domain. It showed that Fog computing based security against DDoS provides better efficiency than the normal computing approach. This work focuses on detecting DDoS attacks using SDN-based fog computing technology. The report also discusses numerous obstacles, applications, benefits, and real-time applications of fog computing technology, pointing researchers in the right direction for future research.
3. Proposed Method
This study presents a framework for defending against DDoS attacks in an SDN-Fog environment. The goal is to identify and neutralise any attack traffic before sending it to the resources. A fog layer is constructed between the cloud resource server and the bottom layer client to achieve this goal. All data flow passes through this transitory fog layer before reaching the cloud resources. The fog layer is where the malicious traffic is managed and dealt with, and this is where the attack traffic protection mechanism is placed along with the SDN controller. The SDN distributed multi controller with the Fog middle layer and the bottom layer with IoT components are set up using the Mininet tool with the POX controller. The huge number of IoT and sensor devices from the bottom layer / physical layer / components layer are connected to the Fog intermediate layer via Fog based switches / routers acting as Fog nodes. These various fog based middle layer nodes are connected to the SDN centralized/distributed multi controller to access the database applications. All these layered structures are connected by OpenFlow interface protocols. This Fog based SDN controller is trained by machine learning programming against the DDoS attack generated from the bottom layer nodes such as IoT nodes. Our Fog is associated with the SDN controller's programming, set up by various factors to detect the DDoS attack and block the attack by the SDN controller's instructions. The SDN controller is connected with both ends, that is, the application layer cloud/database and the lower layer edge computing devices, to capture the various packets. All the legitimate and malicious packets are received from the various nodes of the network devices and are processed by the various Machine Learning processes to detect the attack packets perfectly before they reach the resources via Fog with the SDN controller. This method provides a better way of attack detection among network packets from different sources with a Fog based SDN controller and without a Fog based SDN controller. All the incoming packets are checked in the Fog layer itself to decide whether they should be blocked or allowed to reach the destination resources. This proposed model architecture is shown in Figure 2.
Fig 2: Proposed model DDoS attack detection on Fog based SDN-IoT Network
3.1 SDN- FOG-IOT based Network System
Software Defined Networking is a very important platform in all networking architecture and it makes a better flexible platform for any software and hardware implementation. This work concentrates on an extension of the previous DDoS attack detection in IoT based systems by ML technique. In continuation of that, edge computing in the form of a Fog layer is involved to connect various IoT and sensor digital devices from the physical layer to the centralized SDN controller, providing more security in today's huge network connection setup and large volume of traffic.
The application layer cloud resources are connected with the centralized/distributed SDN controller. These SDN controllers are further connected with the distributed Fogs located around the network. The SDN distributed controllers are responsible for communication and security to the cloud resources from the edge layer. All the distributed Fog nodes are connected to and controlled by the SDN controller at one end, and are connected with the various end nodes via the gateway or switches at the other. This section mainly describes the edge devices, the Fog layer nodes, and then the SDN controllers. Finally, all these are connected to the end resources like storage, security, management, and resource allocation. This system design is developed based on that layered architecture for detecting DDoS attacks that originate from the end nodes and cross over via the Fog layer controller unit from the whole pool of distinct Fog nodes; the first stage of filtered data is then verified again in the master distributed SDN controller unit. Edge- Fog- SDN Controller- Resources are the
layered architecture to process the data to mitigate DDoS attacks using the Machine learning method.
In existing works, DDoS attack detection was done in many ways, like threshold based detection, snort rule based filtering, and ML and DL based detection, in an SDN test bed only. But in recent years middleware based edge computing security protection has been playing a major role with the help of the SDN controller and various software techniques.
But still, much of the research work is not yet implemented for IoT systems based DDoS attack detection via Fog techniques in the SDN domain. Mostly, it is at survey level. This proposed work, however, has implemented Fog based DDoS attack mitigation for IoT systems in the SDN domain by using the Machine learning method.
3.2 Machine Learning Attack detection method
Private data (e.g., IoT device data) generated from end users to application resources and vice versa should be monitored and detected by effective security rules and filtering techniques. Real DDoS attacks are used in this research, and a test bed is created to validate the model. With the help of the Mininet open source tool, DDoS assaults are carried out on TCP, UDP, and ICMP protocols via several random virtual computers. The Machine learning model is then used to process the attacked packets. The performance measures are chosen as a percentage of accuracy on test data. The DDoS Defence model was compared to current models that used ML and SDN in the past. A fog network is typically connected to a large number of small devices. When data from multiple devices is combined, the total amount of data becomes difficult to manage. As a result, filtering each network packet requires more processing time. So SDN is present on the Fog layer to identify and mitigate the DDoS attack present in the network. All the distributed SDN supported Fog layers are connected to the core SDN controller network to access the cloud resources. So, the DDoS attack detection security scheme is handled and constructed by the machine language programme on the SDN controller through the Fog layer.
The fog server is the point of presence where the SDN controller is hosted. The packets coming from each node in the system are to be controlled by this. Different tools and scripts are being used to cause the attacks from source machines. The SDN Controller server is trained beforehand with the machine learning algorithms on data that captures some significant characteristics of the incoming data pattern, so that it is able to classify the incoming packets as legitimate or not by using both binary and multiclass attributes. Only if they are found legitimate are they forwarded to the Application server. Else, the IP address of the corresponding packet is filtered and is forwarded to the flow table to be added to the Block list of switches programmatically. The whole working mechanism of the model which is described above is depicted in Figure 3.
3.3 Fog based DDoS attack detection scheme
We can simulate both exhausting resources-based and protocol vulnerability-based DDoS attacks using field devices. The experiment also simulates a DDoS attack by sending packets from multiple networks at the same time in order to overwhelm the central controller, and such attack traffic could evade detection by the local server. The accuracy and reaction time of detection of such distributed DDoS attacks in the fog environment processing are used to evaluate the mitigation scheme's performance. The goal of any fog-based local network's DDoS detection module is to aggregate all traffic collected from its own field devices and assess hidden correlation. This anomaly detection module, which runs as a virtualized functionality (NFV) on a local server, seeks to uncover hidden DDoS behaviours by creating network activity baselines and performing specification-based anomaly identification. If a hidden DDoS activity is proven, the detection module will notify the administrator for further mitigation activities, such as modifying the local fog node rules with SDN. Both benign and malignant packets are transmitted from client sites that may request access to target services in this proposed effort. However, before reaching the destination service, all data flow must travel through the fog layer. The fog layer is made up of a number of fog devices and a fog server, which houses the SDN controller. The SDN controller serves as a central controller that inspects all incoming packets from different nodes. The data traffic is screened there, and the Fog server captures some specific characteristics that are used to determine if an incoming packet is legitimate or malicious. The attacks are created using a range of
tools from several source machines (i.e. Hping, Scapy, Wireshark, and scripts). The Machine learning algorithm is used to train the Fog server, i.e. the SDN controller. The algorithms are taught using collected features of incoming data traffic, which includes IoT devices. In other words, the server uses classifier models to determine if incoming packets are authentic or malicious. The packets are forwarded through the classifiers in response to an incoming request to determine if the requests are authentic or not. The packet is forwarded to the target server if it is determined to be valid. If it is determined to be suspicious, the IP address of the relevant packet is added to the prohibited list of the SDN controller's flow table of switches. At the switch level, enough programming is done to prevent the packet from being transmitted to the target server.
Fig 3: Working Mechanism of Fog based SDN-IoT Network model
3.4 Central SDN Analysis and consolidation
When the SDN central controller receives reports of suspicious DDoS behaviour from a particular fog local network, it examines the suspicious behaviour by comparing traffic characteristics from other distributed local networks to find patterns of similarity and detect distributed DDoS attack traffic that appears legitimate. The DDoS mitigation functions are distributed and performed in three levels of the architecture. Packets are received from IoT systems, and then functions are executed from the local distributed Fog layer nodes. Finally, the SDN controllers perform the computation schemes with Machine learning intelligence to filter out the anomalies such as DDoS attacks and allow the legitimate packets to reach the resources. So, the local Fog nodes report the suspicious packets' information such as "packet type, source address, destination address, type of protocols, etc.," to the associated SDN controller. Likewise, information is targeted from the multiple distributed networks and controlled by the central controller, which produces the efficient output to the network. As a result, the Fog server, controller, and switch provide effective pre-processing security against attackers. The SDN controller can quickly disconnect the pool from the extensive network security processing, even if the local fog pools are compromised by any malicious code, including DDoS, DoS, Ransomware, Mirai, etc.
4. Experimental Results And Discussion
In the following section, the proposed design methodologies and testbed setups are applied, and the experimental findings are recorded and discussed. Existing literature rarely uses an industrial system as a test environment for DDoS mitigation, making a fair comparison between the proposed technique and existing methods difficult. As a result, we examine the suggested algorithm from a variety of angles and scenarios in order to demonstrate its efficacy in preventing DDoS attacks in the SDN- Fog- IoT context. Here, data such as detection time and rate are recorded and reported. Normally, with or without DDoS attack packets, the SDN network with the Fog computing approach starts detecting attack packets and blocks the attacks. The studies are designed to assess the efficacy of the suggested approach, demonstrating that the Fog computing approach can respond quickly to a DDoS attack, effectively moderate the attack, and save network resources.
4.1 Data Sources
This study uses a customised network dataset that includes hosts, fog nodes, SDN controllers, IoT devices, and attack nodes. Mininet, Hping, Scapy, Nmap, and Wireshark were used to build and create the dataset from an SDN-controlled Fog-IoT customised network. The information was created and traced from about 100 network activity nodes, and includes protocols used in both normal and attack settings. As part of our security study, we've tested DoS and DDoS attacks. Certain DDoS attack types, including ipsweep, multihop, smurf, and snmpguess among others, are researched for attack detection and mitigation. The dataset has various attributes like IP address, port, packet flow, temperature, humidity, motion status, pressure, protocol, source, destination, size, bytes, etc. The total dataset contains approx. 2,50,000 packets. The following Table 1
shows the number of anomaly packets and normal packets from the raw IoT mixed dataset.

Because the central SDN server provides an entire system view of the traffic status, the fog computing solution delivers a faster detection time via SDN controller coordination, whereas the Fog level observes local traffic and takes longer to determine the attack traffic pattern. Several SDN controller configuration rules are created using Ubuntu features. The Smurf attack, for example, is a typical DDoS attack that uses a large number of botnets to flood ICMP traffic at the victims. Botnets relate to a wide range of field devices, including IP cameras, remote terminal units, and other similar devices. As shown in Tables 1 and 2, the Fog computing approach is used to measure the DDoS attack detection for different attack traffic types.

For the SDN-Fog based distributed multi-controller IoT network, the proposed study employs the LR, KNN, MLP, and ID3 classifiers to detect attacks and assess their performance.

Table 1: Attack and Normal packet size.

S. No   Category   Label
1.      Anomaly    233864
2.      Normal     16008
3.      Total      249872

Table 2: A summary of dataset classification

S. No   Type     Count
1.      ICMP     165967
2.      TCP      30182
3.      UDP      23644
4.      Normal   16008
5.      Others   14071

The performance metrics of the machine learning models, namely recall (R), F1-score (F1), accuracy (A), and precision (P), are used to calculate the performance of the attack detection.

• True Positive (TP): Number of true samples classified as true
• False Positive (FP): Number of false samples classified as true
• True Negative (TN): Number of false samples classified as false
• False Negative (FN): Number of true samples classified as false

The above measures are prescribed as follows:

$$\text{Precision} = \frac{TP}{TP + FP} \tag{4.1.1}$$

$$\text{Recall} = \frac{TP}{TP + FN} \tag{4.1.2}$$

$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \tag{4.1.3}$$

$$\text{F1\_score} = 2 \times \frac{\text{recall} \times \text{precision}}{\text{recall} + \text{precision}} \tag{4.1.4}$$

Equations 4.1.1, 4.1.2, 4.1.3 and 4.1.4 are used to calculate the DDoS attack detection from the data set and produce the results and their performance measures.

4.2 Results and Analysis

The proposed network testbed was created with the Mininet SDN system, a Python-based controller, and virtual Oracle VMware, which were utilised to detect SDN attacks. The setup has switches and routers, a range of (1-100) IoT and other terminal nodes, two SDN-based controllers and two Fog-based controllers. Our experimental machine learning training model ran on a hardware configuration with 8GB RAM and a 2TB hard drive. The operating system Windows 10 and Anaconda Jupyter Notebook with Python 3.6 as support were the programmes used. The SDN with IoT network datasets, including DDoS attack packets from traffic created in real-time, were the main components of the ML attack detection and mitigation setup. Figure 4 shows a sample SDN-FOG-IOT network architecture. It shows the clients with normal and attack nodes connected to the SDN Controller along with the Fog switch/gateway/controller. The network traffic details vary with the number of nodes.

Here, the various types of end nodes or physical layer nodes are mingled in. The fog layer, which is the middle layer, has switches that connect the IoT and SDN controllers to the fog controller. The Root SDN controller is present in the higher layer.
Distributed connections between controllers have been made. Both regular and attack end nodes continuously send packets across switches and the fog controller.

Here, the packets connected with the SDN controller will undergo some local examination by the Fog controller, gateway, and router. Similarly, each Fog and its associated pools of devices pre-process packets and detect attacks using information from the SDN controller. Finally, the Root SDN controller receives all of the filtered packets so that it can fully mitigate attacks and stop abnormalities. Thus, the SDN controller's workload has been lightened while maintaining a high detection rate.

[Figure 6: bar chart "Types of Attack"; x-axis: ICMP, TCP, UDP, Normal, Others; bar values: 165967, 30182, 23644, 16008, 14071]

Fig 6: A summary of dataset classification

Figure 6 represents the results of dataset classifications for various DDoS attack types taken for the ML processing.
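The fog-level local examination and reporting described above, as an added example that is not the paper's code: a fog node counts ICMP echo replies per destination in a sliding window (the traffic shape a Smurf flood produces at the victim) and reports packet type, protocol, sources and destination to its SDN controller. The thresholds, field names and packet records are constructed assumptions, and a fixed threshold stands in here for the paper's ML classifiers.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0    # assumed sliding-window length in seconds
MAX_REPLIES = 4   # assumed echo-reply budget per destination per window
MIN_SOURCES = 3   # assumed minimum distinct senders before flagging


def build_sample():
    """Constructed capture: ordinary traffic plus a reply burst at 10.0.0.9."""
    pkts = [
        (0.00, "10.0.0.2", "10.0.0.5", "TCP", "syn"),
        (0.10, "10.0.0.5", "10.0.0.2", "ICMP", "echo-reply"),
        (0.20, "10.0.0.3", "10.0.0.5", "UDP", "data"),
        (3.00, "10.0.0.2", "10.0.0.9", "ICMP", "echo-reply"),
    ]
    # Eight hosts answer the same destination within 0.4 s.
    pkts += [(0.50 + 0.05 * i, f"10.0.1.{i + 1}", "10.0.0.9", "ICMP", "echo-reply")
             for i in range(8)]
    return sorted(pkts)


def fog_prefilter(packets):
    """Return (forwarded, reports): packets passed on, and one report per
    destination whose echo-reply rate exceeded the window budget."""
    recent = defaultdict(deque)  # destination -> (timestamp, source) in window
    forwarded, reports = [], {}
    for ts, src, dst, proto, ptype in packets:
        if proto == "ICMP" and ptype == "echo-reply":
            window = recent[dst]
            window.append((ts, src))
            while ts - window[0][0] > WINDOW_S:  # expire entries outside the window
                window.popleft()
            sources = {s for _, s in window}
            if len(window) > MAX_REPLIES and len(sources) >= MIN_SOURCES:
                report = reports.setdefault(dst, {
                    "packet_type": ptype, "protocol": proto,
                    "destination": dst, "sources": set(), "held_back": 0})
                report["sources"] |= sources
                report["held_back"] += 1
                continue  # suspicious: reported to the controller, not forwarded
        forwarded.append((ts, src, dst, proto, ptype))
    return forwarded, reports


if __name__ == "__main__":
    passed, reports = fog_prefilter(build_sample())
    print(len(passed), "forwarded")
    for report in reports.values():
        print(report["destination"], report["held_back"], sorted(report["sources"]))
```

The single echo reply at 3.00 s to the same destination is forwarded, because the burst has aged out of the window by then.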
[Figure: pie chart; legend: ICMP, TCP, UDP; slice labels: 5.63%, 6.40%, 9.46%, 12.07%, 66.39%]

[Figure: bar chart; x-axis: Anomaly, Normal]

1.   LR    26.60
2.   KNN   26.67
3.   DT    26.73
4.   MLP   24.41
[Figure 8: bar chart; x-axis: LR, KNN, DT, MLP]

Fig 8: Output representation of the Accuracy

Figure 8 shows the resulting classifier accuracy for DDoS attack packets with various classifiers. Out of these 4 classifiers, the decision tree gives the better performance. It produced the results in 26.73 seconds.

S. No.   Type of Classifier   Precision   Accuracy   Recall   F1_Score
1.       LR                   0.52        0.49       0.49     0.45
2.       KNN                  0.50        0.76       0.48     0.60
3.       DT                   0.77        0.79       0.85     0.81
4.       MLP                  0.44        0.45       0.43     0.37

Fig 9: Overall performance measurement.

The parameters obtained from the dataset processing for the identification of attack packets using the LR, KNN, DT, and MLP algorithms are explained in Figure 9. Based on the TP, TN, FP, and FN findings obtained from the relevant classifiers, attack performance metrics such as accuracy, precision, recall, and F1-score are calculated. The overall accuracy of the model is calculated from the measured findings. As a result, the decision tree has produced the improved results for attack detection as demonstrated by the results above.

Fig 10: Output of variance by Machine Learning

The variance taken for ML processing for attack detection by different classifiers, using the individual and cumulative explained variance method of analysis, is depicted in Figure 10 as the number of variances.

These various variance parameters are derived from the characteristics of the dataset and used to compute the eigenvectors and eigenvalues to yield effective results. The ratio of each individual variance extracted from the dataset is shown via an eigenvector.

[Figure 11: bar chart "Accuracy"; x-axis: LR, KNN, DT, MLP]

Fig 11: Output for Accuracy

Figure 11 illustrates the accuracy of the results that were detected. The outcome is displayed using equation 4.1.3. The best accuracy is shown by Decision Tree, whereas MLP shows the least accuracy.
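Equations 4.1.1 to 4.1.4 applied to the class counts of Table 1, as an added example that is not the paper's code: it scores a detector that outputs the same label for every packet, which gives the floor that classifier scores can be read against on a dataset this imbalanced. Treating "anomaly" as the positive class, and the function names, are assumptions.

```python
ANOMALY, NORMAL = 233864, 16008   # class counts from Table 1


def metrics(tp, fp, tn, fn):
    """Equations 4.1.1 to 4.1.4; a zero denominator yields 0.0 instead of raising."""
    def ratio(num, den):
        return num / den if den else 0.0
    precision = ratio(tp, tp + fp)
    recall = ratio(tp, tp + fn)
    return {
        "precision": precision,
        "recall": recall,
        "accuracy": ratio(tp + tn, tp + tn + fp + fn),
        "f1": ratio(2 * recall * precision, recall + precision),
    }


def confusion(y_true, y_pred, positive="anomaly"):
    """Count (tp, fp, tn, fn) from paired labels; `positive` is the attack class (assumed)."""
    tp = fp = tn = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if pred == positive and truth == positive:
            tp += 1
        elif pred == positive:
            fp += 1
        elif truth == positive:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def constant_detector(label):
    """Scores of a detector that outputs `label` for every packet in Table 1."""
    if label == "anomaly":
        return metrics(tp=ANOMALY, fp=NORMAL, tn=0, fn=0)
    return metrics(tp=0, fp=0, tn=NORMAL, fn=ANOMALY)


if __name__ == "__main__":
    for label in ("anomaly", "normal"):
        scores = constant_detector(label)
        print(label, {name: round(value, 3) for name, value in scores.items()})
```

Because anomaly packets make up most of Table 1, the always-"anomaly" detector already reaches high accuracy and precision with perfect recall, so recall on the normal class and the false-positive count are the figures that separate real detectors on this data.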
[Figures: bar charts "Precision", "F1_Score" and "Recall"; x-axis: LR, KNN, DT, MLP]

Fig 15: Output for the overall measurements
Recall of the outcomes that were found is shown in Figure 13. Equation 4.1.2 is used to display the result. Decision Tree has the best sensitivity outcomes, while MLP displays the lowest recall values.

The technique of IoT and fog edge based DDoS attack detection and mitigation utilising a distributed SDN multi-controller network has been addressed in this proposed study. In order to create the network, this study employed a Python-based open source setup together with additional tools and packages for creating packets with information
about normal and abnormal packets using a customised network. This machine learning mechanism processes a customised dataset made up of roughly 2,50,000 packets, which contains 2,33,864 abnormal packets and 16,008 regular packets, for the detection of DDoS attacks using TCP, UDP, ICMP attack, and other regular packets. This Python-based machine learning model takes some time to recognize and analyze the attack before producing results in 26.60, 26.67, 26.73, and 24.41 seconds for LR, KNN, DT, and MLP, respectively. Decision tree created the quick and efficient attack processing and detection findings from these results. The findings of this work's analysis of performance on the basis of accuracy, precision, recall, and F1-score were 77%, 79%, 85%, and 81%, respectively. Based on these findings, Decision Tree outperforms other classifiers in terms of performance. This work uses a dataset of the data passed from the fog node middle-layer gateways to the SDN controller. SDN intelligence will find both fog and IoT attacks. However, the benefit of a fog pool is that, should it become compromised, it can be quickly removed from the network. The Fog node will serve as a controller in future work and assist the SDN controller in conducting effective network analysis and providing increased protection. Finally, this work produced better detection results and speed, including Fog-IoT with an SDN server using the ML method, in comparison to the existing survey.
International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(4s), 57–69 | 68
needs to know about fog computing and related Approach, (n.d.).
edge computing paradigms: A complete survey, J. [24] R. Priyadarshini, R.K. Barik, A deep learning based
Syst. Archit. 98 (2019) 289–330. intelligent framework to mitigate DDoS attack in
https://doi.org/10.1016/j.sysarc.2019.02.009. fog environment, J. King Saud Univ. - Comput. Inf.
[17] S. Khan, S. Parkinson, Y. Qin, Fog computing Sci. (2019).
security: a review of current applications and https://doi.org/10.1016/j.jksuci.2019.04.010.
security solutions, J. Cloud Comput. 6 (2017). [25] O. Salman, A. Chehab, PT US AC CR, Comput.
https://doi.org/10.1186/s13677-017-0090-3. Networks. (2018).
[18] S.P. Singh, A. Nayyar, R. Kumar, A. Sharma, Fog https://doi.org/10.1016/j.comnet.2018.07.020.
computing: from architecture to edge computing [26] L. Zhou, H. Guo, G. Deng, A Fog Computing
and big data processing, J. Supercomput. 75 (2019) Based Approach to DDoS, Comput. Secur. (2019).
2070–2105. https://doi.org/10.1007/s11227-018- https://doi.org/10.1016/j.cose.2019.04.017.
2701-2. [27] Carlos Silva, David Cohen, Takashi Yamamoto,
[19] R. Deng, R. Lu, S. Member, C. Lai, Optimal Maria Petrova, Ana Costa. Ethical Considerations
Workload Allocation in Fog-Cloud Computing in Machine Learning Applications for Education.
Towards Balanced Delay and Power Consumption, Kuwait Journal of Machine Learning, 2(2).
X (2016) 1–11. Retrieved from
https://doi.org/10.1109/JIOT.2016.2565516. http://kuwaitjournals.com/index.php/kjml/article/v
[20] A. Wani, S. Revathi, DDoS Detection and iew/192
Alleviation in IoT using SDN, J. Inst. Eng. Ser. B. [28] Reddy, B.R.S., Saxena, A.K., Pandey, B.K., Gupta,
(2020). https://doi.org/10.1007/s40031-020-00442- S., Gurpur, S., Dari, S.S., Dhabliya, D. Machine
z. learning application for evidence image
[21] J. Ni, K. Zhang, X. Lin, X.S. Shen, Securing Fog enhancement (2023) Handbook of Research on
Computing for Internet of Things Applications: Thrust Technologies? Effect on Image Processing,
Challenges and Solutions, IEEE Commun. Surv. pp. 25-38.
Tutorials. 20 (2018) 601–628. [29] Dasi , S. ., & Rao, G. M. . (2023). Design and
https://doi.org/10.1109/COMST.2017.2762345. Analysis of Metamaterial Absorber using Split
[22] B. Paharia, Fog Computing as a defensive approach Ring Resonator for Dual Band Terahertz
against Distributed Denial of Service ( DDoS ): a Applications. International Journal on Recent and
proposed architecture, (2018). Innovation Trends in Computing and
[23] X. Masip-bruin, E. Marn-tordera, R. Diaz, Securing Communication, 11(1), 128–132.
combined Fog-to-Cloud system Through SDN https://doi.org/10.17762/ijritcc.v11i1.6059
International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(4s), 57–69 | 69