Xinshuo Bai,Jun Bai,Xu Yang,Hongri Liu,Bailing Wang,Yang Liu

DOI: https://doi.org/10.1109/ICAIT51223.2020.9315471

2020-01-01

Abstract:Software-Defined Network (SDN), an innovating technique, endows flexibility and programmability to the network in contrast to the conventional one. Its idea of decoupling control and data plane brings convenience to manage networks like load balancing, traffic engineering, virtual firewall etc. Nevertheless, the separated plane structure results in novel threats, composed by the common in conventional network and the specialized in SDN. In this paper, we propose a deep learning approach to detect anomaly in SDN with OpenFlow by analyzing multiple metrics extracted from OpenFlow switch metadata. Evaluated by four trained deep learning models to classify the multivariate time series, we obtained an average accuracy of 83.8%.

Qinglan Meng,Xiyu Pang,Yanli Zheng,Gangwu Jiang,Xin Tian

DOI: https://doi.org/10.1109/icsp51882.2021.9408727

2021-01-01

Abstract:Ensuring the network security, resists the malicious traffic attacks as much as possible, and ensuring the network security, the Gated Recurrent Unit (GRU) and Convolutional Neural Network (CNN) are combined. Then, a Software Defined Networking (SDN) anomaly detection architecture is built and continuously optimized to ensure network security as much as possible and enhance the reliability of the detection architecture. The results show that the proposed network architecture can greatly improve the accuracy of detection, and its performance will be different due to the different number of CNN layers. When the two-layer CNN structure is selected, its performance is the best among all algorithms. Especially, the accuracy of GRU- CNN-2 is 98.7%, which verifies that the proposed method is effective. Therefore, under deep learning, the utilization of GRU- CNN to explore and optimize the SDN anomaly detection is of great significance to ensure information transmission security in the future.

Gang Zhang,Xiaofeng Qiu,Yang Gao

DOI: https://doi.org/10.1109/iccsn.2019.8905304

2019-01-01

Abstract:With the development of the Internet, the network attack technology has undergone tremendous changes. The forms of network attack and defense have also changed, which are features in attacks are becoming more diverse, attacks are more widespread and traditional security protection methods are invalid. In recent years, with the development of software defined security, network anomaly detection technology and big data technology, these challenges have been effectively addressed. This paper proposes a data-driven software defined security architecture with core features including data-driven orchestration engine, scalable network anomaly detection module and security data platform. Based on the construction of the analysis layer in the security data platform, real-time online detection of network data can be realized by integrating network anomaly detection module and security data platform under software defined security architecture. Then, data driven security business orchestration can be realized to achieve efficient, real-time and dynamic response to detected anomalies. Meanwhile, this paper designs a deep learning based HTTP anomaly detection algorithm module and integrates it with data-driven software defined security architecture so that demonstrating the flow of the whole system.

Alexandro Marcelo Zacaron,Daniel Matheus Brandão Lent,Vitor Gabriel da Silva Ruffo,Luiz Fernando Carvalho,Mario Lemes Proença

DOI: https://doi.org/10.1007/s10922-024-09867-z

2024-09-14

Journal of Network and Systems Management

Abstract:Software-defined Networking (SDN) is a modern network management paradigm that decouples the data and control planes. The centralized control plane offers comprehensive control and orchestration over the network infrastructure. Although SDN provides better control over traffic flow, ensuring network security and service availability remains challenging. This paper presents an anomaly-based intrusion detection system (IDS) for monitoring and securing SDN networks. The system utilizes deep learning models to identify anomalous traffic behavior. When an anomaly is detected, a mitigation module blocks suspicious communications and restores the network to its normal state. Three versions of the proposed solution were implemented and compared: the traditional Generative Adversarial Network (GAN), Deep Convolutional GAN (DCGAN), and Wasserstein GAN with Gradient Penalty (WGAN-GP). These models were incorporated into the system's detection structure and tested on two benchmark datasets. The first is emulated, and the second is the well-known CICDDoS2019 dataset. The results indicate that the IDS adequately identified potential threats, regardless of the deep learning algorithm. Although the traditional GAN is a simpler model, it could still efficiently detect when the network was under attack and was considerably faster than the other models. Additionally, the employed mitigation strategy successfully dropped over 89% of anomalous flows in the emulated dataset and over 99% in the public dataset, preventing the effects of the threats from being accentuated and jeopardizing the proper functioning of the SDN network.

computer science, information systems,telecommunications

Daojing He,Sammy Chan,Xiejun Ni,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2017.2694702

IF: 10.6

2017-01-01

IEEE Internet of Things Journal

Abstract:Traffic anomaly detection has been a principal direction in the network security field, which aims to identify attacks based on significant deviations from the established normal usage profiles. Recently, a new networking paradigm, software defined networking (SDN), has emerged to facilitate effective network control and management. In this paper, we present the advantages of leveraging SDN to detect traffic anomaly, and review recent progresses in this direction. Despite their effectiveness for traditional traffic, SDN-based traffic anomaly detection methods have to face the challenge of continuously increasing network traffic. To this end, we propose two refined algorithms to be used in an anomaly detection framework which can handle voluminous data, and report some experimental results to demonstrate their performance.

Hsiu-Min Chuang,Fanpyn Liu,Chung-Hsien Tsai

DOI: https://doi.org/10.3390/sym14061178

2022-06-08

Symmetry

Abstract:Recent developments have made software-defined networking (SDN) a popular technology for solving the inherent problems of conventional distributed networks. The key benefit of SDN is the decoupling between the control plane and the data plane, which makes the network more flexible and easier to manage. SDN is a new generation network architecture; however, its configuration settings are centralized, making it vulnerable to hackers. Our study investigated the feasibility of applying artificial intelligence technology to detect abnormal attacks in an SDN environment based on the current unit network architecture; therefore, the concept of symmetry includes the sustainability of SDN applications and robust performance of machine learning (ML) models in the case of various malicious attacks. In this study, we focus on the early detection of abnormal attacks in an SDN environment. On detection of malicious traffic in SDN topology, the AI module in the topology is applied to detect and act against the attack source through machine learning algorithms, making the network architecture more flexible. Under multiple abnormal attacks, we propose a hierarchical multi-class (HMC) architecture to effectively address the imbalanced dataset problem and improve the performance of minority classes. The experimental results show that the decision tree, random forest, bagging, AdaBoost, and deep learning models exhibit the best performance for distributed denial-of-service (DDoS) attacks. In addition, for the imbalanced dataset problem of multiclass classification, our proposed HMC architecture performs better than previous single classifiers. We also simulated the SDN topology and scenario verification. In summary, we concatenated the AI module to enhance the security and effectiveness of SDN networks in a practical manner.

A. A. Radhi,Luay Ibrahim Khalaf,Saadaldeen Rashid Ahmed,Omar Ayad Ismael,Sameer Algburi,Baydaa Alhamadani

DOI: https://doi.org/10.1145/3660853.3660932

2024-05-25

Abstract:An essential aspect of cybersecurity is the continuously growing threat landscape, which necessitates the use of advanced anomaly detection techniques in network data. The traditional approach might often be inadequate when it comes to addressing intricate cyber-security issues. Therefore, it is possible that deep learning approaches might be superior in terms of accuracy and performance. The primary objective of our study is to provide a novel algorithm that combines Convolutional Neural Networks (CNNs), Recurrent Neural Networks (RNNs), autoencoders, and GANs to create a comprehensive strategy for detecting anomalies. This technique aims to solve research gaps that have not been previously explored. By using the MTA-KDD'19 dataset, our research enhances precision by achieving a remarkable accuracy rate of 95% in detecting various types of network traffic abnormalities. This discovery not only demonstrated the harmfulness of our deep learning-based approach but also highlighted the effectiveness of these measures in reducing the issue, particularly when faced with diverse threats. This enhances the development of network security procedures. CCS CONCEPTS • Computing methodologies∼ Artificial intelligence • Security and privacy∼Network security

Engineering,Computer Science

Mahmoud Said Abdallah,Nhien-An-Le-Khac,Hamed Z. Jahromi,Anca Delia Jurcut

DOI: https://doi.org/10.1145/3465481.3469190

2021-01-01

Abstract:Software-Defined Networking (SDN) is a promising technology for the future Internet. However, the SDN paradigm introduces new attack vectors that do not exist in the conventional distributed networks. This paper develops a hybrid Intrusion Detection System (IDS) by combining the Convolutional Neural Network (CNN) and Long Short-Term Memory Network (LSTM). The proposed model is capable of capturing the spatial and temporal features of the network traffic. Two regularization techniques i.e., L2 Regularization () and dropout method are used to overcome with the overfitting problem. The proposed method improves the intrusion detection performance of zero-day attacks. The InSDN dataset — the most recent dataset for SDN networks is used to test and evaluate the performance of the proposed model. The results indicate that integrating the CNN with LSTM improves the intrusion detection performance and achieves an accuracy of 96.32%. The estimated accuracy is higher than the accuracy of each individual model. In addition, it is established that the regularization techniques improves the performance of the CNN algorithms in detecting new intrusions when compared to the standard CNN. The findings of this study facilitates the development of robust IDS systems for SDN environment.

Zhulian Chen,Aiqin Hou,Chase Q. Wu,Xinji Qu,Yukun Wang,Le Ru

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys60770.2023.00040

2023-01-01

Abstract:Software-Defined Networking (SDN) is a promising technology for the future Internet. However, the SDN paradigm opens the door to new attack vectors that do not exist in traditional networks, such as flow table overflow attacks and flow rule injection attacks, which traditional intrusion detection systems are no longer sufficient to identify. To address this problem, we propose a new method that uses deep learning for attack detection in an SDN environment. In this method, we first utilize fisher score to remove insignificant features, then design a network model combining bi-directional long short-term memory network (BiLSTM) and gated convolutional neural network (GCNN) to capture the spatio-temporal features of network traffic, and finally use a fully connected layer to perform seven classifications of data. We choose focal loss as the loss function due to the imbalance of samples. The proposed model is evaluated based on the InSDN dataset, which is the latest IDS dataset developed specifically for SDN environments, and the CIC-IDS2017 dataset. The results show that the proposed model improves the performance for anomaly detection and achieves an accuracy of 99.80% and 98.85% on the InSDN and CIC-IDS2017 datasets, respectively. This level of detection accuracy provides great confidence in protecting SDN networks from anomalous traffic.

Yunhe Cui,Qing Qian,Huanlai Xing,Saifei Li

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00113

2020-01-01

Abstract:As an emerging architecture, Software-Defined Networking (SDN) is suffering from a lot of security issues. Network anomaly detection technology plays a crucial role in addressing SDN security issues. In SDN, the network status can be denoted by the packets or flow entries. Hence, the existing network anomaly detection methods are commonly designed based on inspecting packets or flow entries. Subsequently, these anomaly detection methods have to collect packets or flow entries from the underlying switches. More seriously, some anomaly detection methods even need to add extra modules to the switches. Unlike these existing network anomaly detection methods, this work proposes a lightweight network anomaly detection method. The main design principle of the proposed method is mining the inherent OpenFlow messages in SDN to represent the network status and further detect the network anomaly. The proposed method does not need to collect any additional messages from the underlying switches or add any additional modules to the underlying switches. The evaluation results demonstrate that the proposed network anomaly detection method can afford high detection accuracy and reduce the overhead of SDN controller.

Quamar Niyaz,Weiqing Sun,Ahmad Y Javaid

DOI: https://doi.org/10.4108/eai.28-12-2017.153515

2016-11-23

Abstract:Distributed Denial of Service (DDoS) is one of the most prevalent attacks that an organizational network infrastructure comes across nowadays. We propose a deep learning based multi-vector DDoS detection system in a software-defined network (SDN) environment. SDN provides flexibility to program network devices for different objectives and eliminates the need for third-party vendor-specific hardware. We implement our system as a network application on top of an SDN controller. We use deep learning for feature reduction of a large set of features derived from network traffic headers. We evaluate our system based on different performance metrics by applying it on traffic traces collected from different scenarios. We observe high accuracy with a low false-positive for attack detection in our proposed system.

Networking and Internet Architecture

Hsiu-Min Chuang,Li-Jyun Ye

DOI: https://doi.org/10.3390/su15129395

IF: 3.9

2023-06-12

Sustainability

Abstract:In traditional network management, the configuration of routing policies and associated settings on individual routers and switches was performed manually, incurring a considerable cost. By centralizing network management, software-defined networking (SDN) technology has reduced hardware construction costs and increased flexibility. However, this centralized architecture renders information security vulnerable to network attacks, making intrusion detection in the SDN environment crucial. Machine-learning approaches have been widely used for intrusion detection recently. However, critical issues such as unknown attacks, insufficient data, and class imbalance may significantly affect the performance of typical machine learning. We addressed these problems and proposed a transfer-learning method based on the SDN environment. The following experimental results showed that our method outperforms typical machine learning methods. (1) our model achieved a F1-score of 0.71 for anomaly detection for unknown attacks; (2) for small samples, our model achieved a F1-score of 0.98 for anomaly detection and a F1-score of 0.51 for attack types identification; (3) for class imbalance, our model achieved an F1-score of 1.00 for anomaly detection and 0.91 for attack type identification. In addition, our model required 15,230 seconds (4 h 13 m 50 s) for training, ranking second among the six models when considering both performance and efficiency. In future studies, we plan to combine sampling techniques with few-shot learning to improve the performance of minority classes in class imbalance scenarios.

environmental sciences,environmental studies,green & sustainable science & technology

Kun Wang,Yu Fua,Xueyuan Duan,Taotao Liu,Jianqiao Xu

2023-11-20

Abstract:Software defined network (SDN) provides technical support for network construction in smart cities, However, the openness of SDN is also prone to more network attacks. Traditional abnormal traffic detection methods have complex algorithms and find it difficult to detect abnormalities in the network promptly, which cannot meet the demand for abnormal detection in the SDN environment. Therefore, we propose an abnormal traffic detection system based on deep learning hybrid model. The system adopts a hierarchical detection technique, which first achieves rough detection of abnormal traffic based on port information. Then it uses wavelet transform and deep learning techniques for fine detection of all traffic data flowing through suspicious switches. The experimental results show that the proposed detection method based on port information can quickly complete the approximate localization of the source of abnormal traffic. the accuracy, precision, and recall of the fine detection are significantly improved compared with the traditional method of abnormal traffic detection in SDN.

Networking and Internet Architecture

Huishan Bian,Liehuang Zhu,Meng Shen,Mingzhong Wang,Chang Xu,Qiongyu Zhang

DOI: https://doi.org/10.1007/978-3-319-31550-8_1

2015-01-01

Abstract:Software Defined Network SDN separates control plane from data plane and provides programmability which adds rich function for anomaly detection. In this case, every organization can manage their own network and detect anomalous traffic data using SDN architecture. Moreover, detection of malicious traffic, such as DDoS attack, would be dealt with much higher accuracy if these organizations shared their data. Unfortunately, they are unwilling to do so due to privacy consideration. To address this contradiction, we propose an efficient and privacy-preserving collaborative anomaly detection scheme. We extend prior work on SDN-based anomaly detection method to guarantee accuracy and privacy at the same time. The implementation of our design on simulated data shows that it performs well for network-wide anomaly detection with little overhead.

Zhaohui Ma,Jialiang Huang

DOI: https://doi.org/10.1007/978-981-15-2767-8_33

2020-01-01

Abstract:The seperation of control layer from data layer through SDN (software defined network) enables network administrators to plan the network programmatically without changing network devices, realizing flexible configuration of network devices and fast forwarding of data flows. However, due to its construction, SDN is vulnerable to be attacked by Distributed Denial of Service (DDoS) attack. So it is important to detect DDoS attack in SDN network. This paper presents a DDoS detection scheme based on the machine learning method of SVM (support vector machine) support vector machine in SDN environment. By extracting the flow table information features in SDN network, the data is detected and the data model of DDoS traffic can be trained, and the purpose of DDoS abnormal traffic identification is finally realized.

Tohid Jafarian,Mohammad Masdari,Ali Ghaffari,Kambiz Majidzadeh

DOI: https://doi.org/10.1007/s10586-020-03184-1

2020-09-18

Cluster Computing

Abstract:Software defined network (SDN) decouples the network control and data planes. Despite various advantages of SDNs, they are vulnerable to various security attacks such anomalies, intrusions, and Denial-of-Service (DoS) attacks and so on. On the other hand, any anomaly and intrusion in SDNs can affect many important domains such as banking system and national security. Therefore, the anomaly detection topic is a broad research domain, and to mitigate these security problems, a great deal of research has been conducted in the literature. In this paper, the state-of-the-art schemes applied in detecting and mitigating anomalies in SDNs are explained, categorized, and compared. This paper categorizes the SDN anomaly detection mechanisms into five categories: (1) flow counting scheme, (2) information-based scheme, (3) entropy-based scheme, (4) deep learning, and (5) hybrid scheme. The research gaps and major existing research issues regarding SDN anomaly detection are highlighted. We hope that the analyses, comparisons, and classifications might provide directions for further research.

Yung-Chung Wang,Yi-Chun Houng,Han-Xuan Chen,Shu-Ming Tseng

DOI: https://doi.org/10.3390/s23042171

IF: 3.9

2023-02-16

Sensors

Abstract:The prevalence of internet usage leads to diverse internet traffic, which may contain information about various types of internet attacks. In recent years, many researchers have applied deep learning technology to intrusion detection systems and obtained fairly strong recognition results. However, most experiments have used old datasets, so they could not reflect the latest attack information. In this paper, a current state of the CSE-CIC-IDS2018 dataset and standard evaluation metrics has been employed to evaluate the proposed mechanism. After preprocessing the dataset, six models—deep neural network (DNN), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory (LSTM), CNN + RNN and CNN + LSTM—were constructed to judge whether network traffic comprised a malicious attack. In addition, multi-classification experiments were conducted to sort traffic into benign traffic and six categories of malicious attacks: BruteForce, Denial-of-service (DoS), Web Attacks, Infiltration, Botnet, and Distributed denial-of-service (DDoS). Each model showed a high accuracy in various experiments, and their multi-class classification accuracy were above 98%. Compared with the intrusion detection system (IDS) of other papers, the proposed model effectively improves the detection performance. Moreover, the inference time for the combinations of CNN + RNN and CNN + LSTM is longer than that of the individual DNN, RNN and CNN. Therefore, the DNN, RNN and CNN are better than CNN + RNN and CNN + LSTM for considering the implementation of the algorithm in the IDS device.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Chao MA,Li CHENG,Ling-ling KONG

DOI: https://doi.org/10.3969/j.issn.1006-2475.2015.10.020

2015-01-01

Abstract:The increasing complexity of hybrid cloud networks becomes a bottleneck of cloud computing.As a potential solution, SDN has gained great attentions from both industry and academia, especially in the network security domain.Research on utili-zing SDN in network attack detection is still in its inception phase.Specifically, it has not been evaluated whether SDN can effi-ciently detect internal network attacks in a cloud environment.In this research we implement both SDN and traditional network in-frastructures based on OpenStack platform.We simulate both flood and port-scan attacks and utilize two types of traffic anomaly detection algorithms.Experiment results indicate that the SDN method shows better performance in memory usage without degrad-ing its accuracy, while it also suffers performance bottleneck when directly deployed into SDN controllers.

Mohammad Kazim Hooshmand,Doreswamy Hosahalli

DOI: https://doi.org/10.1049/cit2.12078

IF: 7.985

2022-01-31

CAAI Transactions on Intelligence Technology

Abstract:Convolutional neural networks (CNNs) are the specific architecture of feed‐forward artificial neural networks. It is the de‐facto standard for various operations in machine learning and computer vision. To transform this performance towards the task of network anomaly detection in cyber‐security, this study proposes a model using one‐dimensional CNN architecture. The authors' approach divides network traffic data into transmission control protocol (TCP), user datagram protocol (UDP), and OTHER protocol categories in the first phase, then each category is treated independently. Before training the model, feature selection is performed using the Chi‐square technique, and then, over‐sampling is conducted using the synthetic minority over‐sampling technique to tackle a class imbalance problem. The authors' method yields the weighted average f‐score 0.85, 0.97, 0.86, and 0.78 for TCP, UDP, OTHER, and ALL categories, respectively. The model is tested on the UNSW‐NB15 dataset.

Nisha Ahuja,Debajyoti Mukhopadhyay,Gaurav Singal

DOI: https://doi.org/10.1007/s00779-023-01785-2

2024-01-25

Personal and Ubiquitous Computing

Abstract:Software-defined networking will be a critical component of the networking domain as it transitions from a standard networking design to an automation network. To meet the needs of the current scenario, this architecture redesign becomes mandatory. Besides, machine learning (ML) and deep learning (DL) techniques provide a significant solution in network attack detection, traffic classification, etc. The DDoS attack is still wreaking havoc. Previous work for DDoS attack detection in SDN has not yielded significant results, so the author has used the most recent deep learning technique to detect the attacks. In this paper, we aim to classify the network traffic into normal and malicious classes based on features in the available dataset by using various deep learning techniques. TCP, UDP, and ICMP traffic are considered normal; however, malicious traffic includes TCP Syn Attack, UDP Flood, and ICMP Flood, all of which are DDoS attack traffic. The major contribution of this paper is the identification of novel features for DDoS attack detection. Novel features are logged into the CSV file to create the dataset, and machine learning algorithms are trained on the created SDN dataset. Various work which has already been done for DDoS attack detection either used a non-SDN dataset or the research data is not made public. A novel hybrid machine learning model is utilized to perform the classification. The dataset used by the ML/DL algorithms is a collection of public datasets on DDoS attacks as well as an experimental DDoS dataset generated by us and publicly available on the Mendeley Data repository. A Python application performs the classification of traffic into one of the classes. From the various classifiers used, the accuracy score of 99.75% is achieved with Stacked Auto-Encoder Multi-layer Perceptron (SAE-MLP). To measure the effectiveness of the SDN-DDoS dataset, the other publicly available datasets are also evaluated against the same deep learning algorithms, and traffic classification accuracy is found to be significantly higher with the SDN-DDoS dataset. The attack detection time of 216.39 s also serve as experimental evidence.

computer science, information systems,telecommunications