Академический Документы
Профессиональный Документы
Культура Документы
This document is the author deposited version. You are advised to consult the
publisher's version if you wish to cite from it.
Published version
ABUBAKAR, Atiku and PRANGGONO, Bernardi (2017). Machine learning based
intrusion detection system for software defined networks. In: 2017 7th International
Conference on Emerging Security Technologies, EST 2017, Canterbury, 6-8
September. IEEE.
Abstract —Software-Defined Networks (SDN) is an emerging area too complex. This complexity has resulted in a barrier for
that promises to change the way we design, build, and operate creating new and innovative services within a single data center,
network architecture. It tends to shift from traditional network difficulties in interconnecting data centers, interconnection
architecture of proprietary based to open and programmable within enterprises, and bigger barrier in the continued growth of
network architecture. However, this new innovative and improved the Internet in general.
technology also brings another security burden into the network
architecture, with existing and emerging security threats. The
Furthermore, current network architecture has many
network vulnerability has become more open to intruders: the limitations, which were resolved with the emergence of new
focus is now shifted to a single point of failure where the central SDN architecture. These include but are not limited to: inability
controller is a prime target. Therefore, integration of intrusion to optimize network for WAN and Data Centre to generate more
detection system (IDS) into the SDN architecture is essential to revenue and reduce expenses. With SDN more revenue can be
provide a network with attack countermeasure. The work generated by monitoring network devices and optimizing
designed and developed a virtual testbed that simulates the device utilization with a dynamic feature of SDN. The increase
processes of the real network environment, where a star topology in capital and operational cost with SDN automation reduces
is created with hosts and servers connected to the OpenFlow human involvement in managing resources to a minimum which
OVS-switch. Signature-based Snort IDS is deployed for traffic
monitoring and attack detection, by mirroring the traffic destine
significantly reduces the cost.
to the servers. The vulnerability assessment shows possible attacks The SDN comprise three-tiered architecture that is designed
Keywords — Software-defined Network; Intrusion Detection II. BACKGROUND AND RELATED WORK
System; OpenFlow; Machine Learning; Neural Network;
The key technology advantages of SDN are network
I. INTRODUCTION flexibility, efficiency, speedy service provisioning, and lower
operation cost considering the gain over the traditional network
Software-Defined Networking (SDN) is an emerging area technology. Traditional network technologies are proprietary
that promises to change the way we design, build, and operate and restricted to specific devices. SDN has the ability of been
the networks. Shifting from the traditional network architecture programmable, configurable and manageable. It is also open for
of proprietary based to the open, simple, and programmable the user to use devices from different vendors. SDN architecture
network architecture. Open networking foundation defines is characterized by the separation of the control plane from data
SDN as “an evolving architecture that is dynamic, manageable, plane [2]. With the logically centralized control plane, the
cost-effective, and adaptable. An ideal for the high bandwidth controller has the global view of the entire network where the
requirement and dynamic nature of today's application. The forwarding entries are programmed based on the policies
architecture decouples the network control and forwarding defined. This centralization can result in efficient support for
functions. This is enabling the network control to become traffic engineering, and maintain reliable security and policy
directly programmable, and allowing the underlying implementation to the entire network [3].
infrastructure to be abstracted for applications and network Despite the security consideration in designing SDN
services” [1]. architecture, the SDN environment still has security issues that
Today network has become an essential part of public need to be addressed. Some of these problems are inherited
infrastructures with the inception of public and private cloud from traditional network environment, while some are specific
computing. The traditional networking approach has become to the SDN architecture [3].
The security threat has become so frequent from within, the
effect of these attacks ranges from mild to critical. The security
breach usually alters the credibility, integrity, or availability of
hardware, software or an information resource. The attack on
these components can bring considerable damage to the
organization. The damages can be a loss in monetary or Host-based IDS
Network-based IDS
OpenFlow switch created on Mininet machine via mirror traffic. IP: 192.168.x.137
Snort is connected to OpenFlow switch s1 by eth3. Figure 2 Parrot Security VM Ubuntu Desktop 16.04:Mininet+ODL Metasploitable2 Server VM
SPAN(Traffic Mirroring)
present architecture of proposed IDS for SDN virtual testbed
environment. Pentmenu, Bonesi, hping3: DDoS
Wireshark
FTP
Hydra: R2L SSH Tomcat
3 Telnet Ruby
PostgreSQL
Virtual Switch Java RMI
1 2
Web Server
IP: 192.168.56.x
1
FTP
SSH
Tomcat
Ruby
Telnet PostgreSQL
The star topology is used for setting up laboratory network Virtual Switch Java RMI
network traffic without overhead in providing centralize IP: 192.168.56.x IP: 192.168.56.x m = 5, n = 10, x=100-254 IP: 192.168.56.x
REFERENCES
[1] OpenNetworkingFroundation. (2017, 06/2017). Available:
https://www.opennetworking.org/
[2] D. Kreutz, F. M. V. Ramos, P. Esteves Verissimo, C. Esteve
Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-Defined
Networking: A Comprehensive Survey," Proceedings of the IEEE,
vol. 103, pp. 14-76, 2015.
[3] S. Scott-Hayward, S. Natarajan, and S. Sezer, "A Survey of Security
in Software Defined Networks," Communications Surveys &
Tutorials, IEEE, vol. PP, pp. 1-1, 2015.
[4] S. Sezer, S. Scott-Hayward, P. K. Chouhan, B. Fraser, D. Lake, J.
Finnegan, et al., "Are we ready for SDN? Implementation
challenges for software-defined networks," Communications
Magazine, IEEE, vol. 51, pp. 36-43, 2013.
[5] K. Benton, L. J. Camp, and C. Small, "OpenFlow vulnerability
assessment," presented at the Proceedings of the second ACM
Figure 8. ROC Curve SIGCOMM workshop on Hot topics in software defined
networking, Hong Kong, China, 2013.
A. Evaluation [6] B. Pranggono, K. McLaughlin, Y. Yang, and S. Sezer, "Intrusion
Detection Systems for Critical Infrastructure," in The State of the Art
The performance of this model IDS is evaluated based on in Intrusion Prevention and Detection , A.-S. K. Pathan, Ed., ed:
other neural network type such as Curve Fitting and Time CRC Press, 2014, pp. 115-138.
Series. The results shown in Table 3 indicate Pattern [7] B. Fakhim, A. Hassani, A. Rashidi, and P. Ghodousi, "Predicting the
Impact of Multiwalled Carbon Nanotubes on the Cement Hydration
Recognition has better performance accuracy of detecting Products and Durability of Cementitious Matrix Using Artificial
anomaly with 97.3% detection rate. Fitting Curve has 89.5% Neural Network Modeling Technique," The Scientific World
accuracy, it initially has less performance but with weight Journal, vol. 2013, p. 103713, 2013.
initialization and re-training the performance in detection [8] S. Hettich and S. D. Bay, "The UCI KDD Archive
[http://kdd.ics.uci.edu]," University of California, Irvine, C. A.
accuracy is improved. Moreover, Time Series Neural Network [9] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, "A detailed
method recorded the poorest result, it takes longer time in analysis of the KDD CUP 99 data set," presented at the Proceedings
training, this also makes retraining very difficult. During the of the Second IEEE international conference on Computational
training, it takes at least have an hour to complete training, intelligence for security and defense applications, Ottawa, Ontario,
Canada, 2009.
hence retrain in several times is difficult. [10] P. Manandhar, "A Practical Approach to Anomaly-based Intrusion
Detection System by Outlier Mining in Network Traffic," Masdar
Table 3. Comparison of Neural Network Institute of Science and Technology, 2014.
Performance Accuracy [11] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M.
Ghogho, "Deep learning approach for Network Intrusion Detection
Neural Network Type Detection Accuracy (%) in Software Defined Networking," in 2016 International Conference
Fitting Curve 89.5 on Wireless Networks and Mobile Communications (WINCOM) ,
Pattern Recognition 97.3 2016, pp. 258-263.
[12] F. Hendrik. (07/2017). NSLKDD-Dataset. Available:
Time Series 33 https://github.com/FransHBotes/NSLKDD-Dataset