Title: Anomaly Detection Technique for Intrusion Detection in SDN Environment using Continuous Data Stream Machine Learning Algorithms
Authors: A. Ribeiro, R. Santos, A. Nascimento
DOI: 10.1109/SysCon48628.2021.9447092 (https://doi.org/10.1109/SysCon48628.2021.9447092)
Published in: 2021 IEEE International Systems Conference (SysCon), 2021-04-15
Citations: 7
Abstract
Software Defined Networks (SDN) present some security weaknesses due to the separation between the control and data planes. Several operational security mechanisms have therefore been designed to deal with malicious activity in SDN. However, most of those approaches rely on a signature base and are unable to anticipate novel malicious activity. Other anomaly-based approaches are inefficient because an attacker can simulate legitimate traffic, which causes many false alarms. In this paper, we therefore present an anomaly-based approach that uses machine learning algorithms over a continuous data stream for intrusion detection in an SDN environment. Our approach aims to overcome the main challenges that arise when developing an anomaly-based system using machine learning algorithms. To characterise the anomalies, we have analysed a type of DDoS attack classified as an infrastructure attack, which considers the impact of both bandwidth and resource depletion. This type of attack has a severe impact on the whole SDN. In fact, there are two types of attack. The bandwidth depletion attack targets the channel between the switches and the controller through either UDP or HTTP flooding; another way to exhaust outbound and inbound bandwidth is through ICMP flooding. The resource depletion attack attempts to exhaust the flow tables of the switches through SYN flooding. From experiments, we observe that the solution obtains 97.83% accuracy, 99% recall, 80% precision and 2.3% FPR for 10% DDoS attacks over the normal traffic. These results show the effectiveness of the proposed technique.