Anomalous Rule Detection using Machine Learning in Software Defined Networks

Vignesh Sridharan, G. Mohan, A. Leon-Garcia
2019 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), published 2019-11-01. DOI: 10.1109/NFV-SDN47374.2019.9039984 (https://doi.org/10.1109/NFV-SDN47374.2019.9039984)
Citations: 1

Abstract

The centralized control plane in Software Defined Networking (SDN) introduces new security threats to the network. A compromised controller can install malicious rules at the switches to perform stealthy attacks such as intermittent packet dropping, route misdirection, etc. Replication-based approaches in the literature require the switches to broadcast the requests to multiple controllers and verify the rules for consistency before installing them. However, they result in heavy load on the control plane and longer response time for requests from the switches. Other approaches assume forwarding elements, rather than the controller, to be compromised and propose packet sampling and active probing to identify malicious behavior. In this work, we: i) propose a machine learning based framework to detect anomalous behavior at the flow table and identify the compromised controller, ii) develop MTADS, a Machine learning based detection Technique for Anomaly Detection in SDN, which uses the DBSCAN algorithm to identify anomalous rules and behavior, and iii) implement MTADS on top of the Floodlight controller managing a network emulated in Mininet and test its detection capabilities against various attacks such as route misdirection, packet drop, etc. We compare the performance of MTADS (based on DBSCAN) with the K-Means algorithm and show that MTADS (DBSCAN) outperforms the K-Means version and achieves precision and recall of about 85% and 95%, respectively.