A Machine Learning-Based Anomaly Prediction Service for Software-Defined Networks
Abstract
:1. Introduction
- The machine learning-based approach is proposed for an automatic anomaly prediction for SDN (annotated as MAP-SDN).
- MAP-SDN helps the SDN controller to identify the network anomalies.
- It helps the SDN controller to install the flow rules for normal traffic; however, no flow rules are installed for abnormal traffic.
- The evaluation results specify that MAP-SDN is accurate and its average accuracy, precision, recall, and f-measure are 95.27%, 98.70%, 98.45%, and 98.57%, respectively.
2. Background and Related Works
2.1. Intrusion and Anomaly Detection in SDN
2.2. Anomaly Detection in SDN by Using Machine and Deep Learning
3. Proposed Approach (MAP-SDN)
Algorithm 1 Network Traffic Anomaly Prediction |
|
3.1. Data Acquisition
3.2. Preprocessing
3.3. Feature Modeling
3.4. Training of the Model
4. Evaluation and Analysis
4.1. Research Questions
- RQ1: How accurate is MAP-SDN in anomaly prediction for SDN?
- RQ2: Does RF surpass other off-the-shelf algorithms?
- RQ3: Does pre-processing influence the performance of MAP-SDN? If yes, to what extent?
4.2. Dataset and Metrics
4.3. Evaluation Process
- We select the training set and train the naive Bayes (NB), multinomial naive Bayes (MNB), linear regression classifier (LR), random forest classifier (RF), support vector machine (SVM), and decision tree (DT) classifiers on .
- Then, for each ith sample from testing set , we predict the traffic anomalies by using trained classifiers (NB, MNB, LR, RF, SVM, and DT, respectively).
- Finally, we calculate and compare the performances of all classifiers by using the evaluation metrics, i.e., accuracy, precision, recall, and f-measure.
4.4. Analysis of Results
4.4.1. RQ1—Accuracy of MAP-SDN
- The MAP-SDN performs better than the RPA and ZRA in accuracy, precision, recall, and f-measure.
- In contrast to RPA, the performance improvement of MAP-SDN in accuracy, precision, recall, and f-measure is 54.14% = (95.27% − 61.81%)/61.81%, 65.30% = (98.70% − 59.71%)/59.71%, 81.63% = (98.45% − 54.20%)/54.20%, and 73.70% = (98.57% − 56.75%)/56.75%, respectively.
- In contrast to ZRA, the performance improvement of MAP-SDN in accuracy, precision, recall, and f-measure is 4.61% = (95.27% − 91.07%)/91.07%, 11.13% = (98.70% − 88.82%)/88.82%, 9.45% = (98.45% − 89.95%)/89.95%, and 10.29% = (98.57% − 89.37%)/89.37%, respectively.
- The average performance of MAP-SDN is better than the highest performances of RPA and ZRA as shown in Figure 5.
- MAP-SDN has a significant difference in performance against application using Snort in bandwidth and data transfer scenarios.
- The detection and mitigation time in both (bandwidth and data transfer) is very high. Figure 6b represents data transferred that increases from 20 GB to 35 GB after mitigating anomalies. Similarly, Figure 6a represents bandwidth that significantly increases from 2.5 Gbps to more than 4 Gbps. The jump in both figures at the 40-s mark is due to the normal flow rules.
- MAP-SDN detects the anomalies early and significantly improves the bandwidth utilization and data transfer rate by avoiding flow installation against anomalous traffic.
4.4.2. RQ2—Performance Comparison of Off-the-Shelf Algorithms
- RF yields the most accurate results. RF outperforms MNB, LR, and SVM in accuracy, precision, recall, and f-measure, respectively. The reason is that RF achieves better results due to its degree of freedom.
- MNB surpasses LR and SVM and its performance is very close to the proposed classifier RF.
4.4.3. RQ3—Influence of Preprocessing
- MAP-SDN performs significantly better when preprocessing is used. The results show that the performance improvement in accuracy, precision, recall, and f-measure is 2.07% = (95.27% − 93.34%)/93.34%, 3.20% = (98.70% − 95.64%)/95.64%, 3.95% = (98.45% − 94.70%)/94.70%, and 3.57% = (98.57% − 95.17%)/95.17%, respectively.
- Without preprocessing, the performance of MAP-SDN is significantly impacted. One possible reason for the decrease in performance is that, without preprocessing, the model may include unwanted features.
4.5. Threats to Validity
5. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Kim, H.; Feamster, N. Improving Network Management with Software Defined Networking. IEEE Commun. Mag. 2013, 51, 114–119. [Google Scholar] [CrossRef]
- Kreutz, D.; Ramos, F.M.V.; Veríssimo, P.E.; Rothenberg, C.E.; Azodolmolky, S.; Uhlig, S. Software-Defined Networking: A Comprehensive Survey. Proc. IEEE 2015, 103, 14–76. [Google Scholar] [CrossRef] [Green Version]
- Latif, Z.; Sharif, K.; Li, F.; Karim, M.M.; Biswas, S.; Wang, Y. A Comprehensive Survey of Interface Protocols for Software Defined Networks. J. Netw. Comput. Appl. 2020, 156, 102563. [Google Scholar] [CrossRef] [Green Version]
- Zhu, L.; Karim, M.M.; Sharif, K.; Xu, C.; Li, F.; Du, X.; Guizani, M. SDN Controllers: A Comprehensive Analysis and Performance Evaluation Study. ACM Comput. Surv. 2020, 53, 133. [Google Scholar] [CrossRef]
- McKeown, N.; Anderson, T.; Balakrishnan, H.; Parulkar, G.; Peterson, L.; Rexford, J.; Shenker, S.; Turner, J. OpenFlow: Enabling Innovation in Campus Networks. SIGCOMM Comput. Commun. Rev. 2008, 38, 69–74. [Google Scholar] [CrossRef]
- Latif, Z.; Sharif, K.; Li, F.; Karim, M.M.; Biswas, S.; Shahzad, M.; Mohanty, S.P. DOLPHIN: Dynamically Optimized and Load Balanced Path for Inter-domain SDN Communication. IEEE Trans. Netw. Serv. Manag. 2020, 18, 331–346. [Google Scholar] [CrossRef]
- Mishra, P.; Puthal, D.; Tiwary, M.; Mohanty, S.P. Software Defined IoT Systems: Properties, State of the Art, and Future Research. IEEE Wirel. Commun. 2019, 26, 64–71. [Google Scholar] [CrossRef]
- Inayat, U.; Zia, M.F.; Mahmood, S.; Khalid, H.M.; Benbouzid, M. Learning-Based Methods for Cyber Attacks Detection in IoT Systems: A Survey on Methods, Analysis, and Future Prospects. Electronics 2022, 11, 1502. [Google Scholar] [CrossRef]
- Anjum, N.; Latif, Z.; Lee, C.; Shoukat, I.A.; Iqbal, U. MIND: A Multi-Source Data Fusion Scheme for Intrusion Detection in Networks. Sensors 2021, 21, 4941. [Google Scholar] [CrossRef]
- Zhang, P.; Xu, S.; Yang, Z.; Li, H.; Li, Q.; Wang, H.; Hu, C. FOCES: Detecting Forwarding Anomalies in Software Defined Networks. In Proceedings of the 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), Vienna, Austria, 2–6 July 2018; pp. 830–840. [Google Scholar] [CrossRef]
- Wang, P.; Chao, K.; Lin, H.; Lin, W.; Lo, C. An Efficient Flow Control Approach for SDN-Based Network Threat Detection and Migration Using Support Vector Machine. In Proceedings of the 2016 IEEE 13th International Conference on e-Business Engineering (ICEBE), Macau, China, 4–6 November 2016; pp. 56–63. [Google Scholar] [CrossRef]
- Ashraf, J.; Latif, S. Handling intrusion and DDoS Attacks in Software Defined Networks Using Machine Learning Techniques. In Proceedings of the 2014 National Software Engineering Conference, Rawalpindi, Pakistan, 11–12 November 2014; pp. 55–60. [Google Scholar] [CrossRef]
- Hamed, M.; Syed Ariffin, S.H.; Abdul Latiff, N.M.; Abdullah, A.S. A Review of Anomaly Detection Techniques and Distributed Denial of Service (DDoS) on Software Defined Network (SDN). Eng. Technol. Appl. Sci. Res. 2018, 8, 2724–2730. [Google Scholar]
- Mininet: An Instant Virtual Network on Your Laptop (or Other PC). Available online: http://www.mininet.org/ (accessed on 22 September 2022).
- Roesch, M. Snort—Lightweight Intrusion Detection for Networks. In Proceedings of the 13th USENIX Conference on System Administration, Seattle, WA, USA, 7–12 November 1999; pp. 229–238. [Google Scholar]
- Kausar, N.; Latif, Z.; Lee, C.; Iqbal, U. Towards Detection and Mitigation of Traffic Anomalies in SDN. In Proceedings of the 2021 International Conference on Information and Communication Technology Convergence (ICTC), Jeju Island, Korea, 20–22 October 2021; pp. 728–731. [Google Scholar]
- Yassin, W.; Udzir, N.I.; Abdullah, A.; Abdullah, M.T.; Muda, Z.; Zulzalil, H. Packet Header Anomaly Detection Using Statistical Analysis. In Proceedings of the International Joint Conference SOCO’14-CISIS’14-ICEUTE’14; de la Puerta, J.G., Ferreira, I.G., Bringas, P.G., Klett, F., Abraham, A., de Carvalho, A.C., Herrero, Á., Baruque, B., Quintián, H., Corchado, E., Eds.; Springer International Publishing: Cham, Switzerland, 2014; pp. 473–482. [Google Scholar]
- Kim, M.; Park, Y.; Kotalwar, R. Robust and Agile System against Fault and Anomaly Traffic in Software Defined Networks. Appl. Sci. 2017, 7, 266. [Google Scholar] [CrossRef] [Green Version]
- Carvalho, L.F.; Abrão, T.; de Souza Mendes, L.; Proença, M.L. An Ecosystem for Anomaly Detection and Mitigation in Software-Defined Networking. Expert Syst. Appl. 2018, 104, 121–133. [Google Scholar] [CrossRef]
- Xie, J.; Yu, F.R.; Huang, T.; Xie, R.; Liu, J.; Wang, C.; Liu, Y. A Survey of Machine Learning Techniques Applied to Software Defined Networking (SDN): Research Issues and Challenges. IEEE Commun. Surv. Tutor. 2019, 21, 393–430. [Google Scholar] [CrossRef]
- Nanda, S.; Zafari, F.; DeCusatis, C.; Wedaa, E.; Yang, B. Predicting Network Attack Patterns in SDN Using Machine Learning Approach. In Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), Palo Alto, CA, USA, 7–10 November 2016; pp. 167–172. [Google Scholar] [CrossRef]
- Abubakar, A.; Pranggono, B. Machine Learning Based Intrusion Detection System for Software Defined Networks. In Proceedings of the 2017 Seventh International Conference on Emerging Security Technologies (EST), Canterbury, UK, 6–8 September 2017; pp. 138–143. [Google Scholar] [CrossRef] [Green Version]
- Song, C.; Park, Y.; Golani, K.; Kim, Y.; Bhatt, K.; Goswami, K. Machine-Learning Based Threat-Aware System in Software Defined Networks. In Proceedings of the 2017 26th International Conference on Computer Communication and Networks (ICCCN), Vancouver, BC, Canada, 31 July–3 August 2017; pp. 1–9. [Google Scholar] [CrossRef]
- Hurley, T.; Perdomo, J.E.; Perez-Pons, A. HMM-Based Intrusion Detection System for Software Defined Networking. In Proceedings of the 2016 15th IEEE International Conference on Machine Learning and Applications (ICMLA), Anaheim, CA, USA, 18–20 December 2016; pp. 617–621. [Google Scholar] [CrossRef]
- Ghahramani, Z. Hidden Markov Models; Chapter—An Introduction to Hidden Markov Models and Bayesian Networks; World Scientific Publishing Co., Inc.: River Edge, NJ, USA, 2002; pp. 9–42. [Google Scholar]
- Santos da Silva, A.; Wickboldt, J.A.; Granville, L.Z.; Schaeffer-Filho, A. ATLANTIC: A Framework for Anomaly Traffic Detection, Classification, and Mitigation in SDN. In Proceedings of the NOMS 2016—2016 IEEE/IFIP Network Operations and Management Symposium, Istanbul, Turkey, 25–29 April 2016; pp. 27–35. [Google Scholar] [CrossRef]
- Aleroud, A.; Alsmadi, I. Identifying DoS Attacks on Software Defined Networks: A Relation Context Approach. In Proceedings of the NOMS 2016—2016 IEEE/IFIP Network Operations and Management Symposium, Istanbul, Turkey, 25–29 April 2016; pp. 853–857. [Google Scholar] [CrossRef]
- Barki, L.; Shidling, A.; Meti, N.; Narayan, D.G.; Mulla, M.M. Detection of Distributed Denial of Service Attacks in Software Defined Networks. In Proceedings of the 2016 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Jaipur, India, 21–24 September 2016; pp. 2576–2581. [Google Scholar] [CrossRef]
- Aslam, M.; Ye, D.; Tariq, A.; Asad, M.; Hanif, M.; Ndzi, D.; Chelloug, S.A.; Elaziz, M.A.; Al-Qaness, M.A.; Jilani, S.F. Adaptive Machine Learning Based Distributed Denial-of-Services Attacks Detection and Mitigation System for SDN-Enabled IoT. Sensors 2022, 22, 2697. [Google Scholar] [CrossRef]
- Shinan, K.; Alsubhi, K.; Alzahrani, A.; Ashraf, M.U. Machine Learning-Based Botnet Detection in Software-Defined Network: A Systematic Review. Symmetry 2021, 13, 866. [Google Scholar] [CrossRef]
- Tang, T.A.; Mhamdi, L.; McLernon, D.; Zaidi, S.A.R.; Ghogho, M. Deep Recurrent Neural Network for Intrusion Detection in SDN-Based Networks. In Proceedings of the 2018 4th IEEE Conference on Network Softwarization and Workshops (NetSoft), Montreal, QC, Canada, 25–29 June 2018; pp. 202–206. [Google Scholar] [CrossRef] [Green Version]
- El Sayed, M.S.; Le-Khac, N.A.; Azer, M.A.; Jurcut, A.D. A Flow Based Anomaly Detection Approach with Feature Selection Method Against DDoS Attacks in SDNs. IEEE Trans. Cogn. Commun. Netw. 2022; Early Access. [Google Scholar] [CrossRef]
- Dey, S.K.; Rahman, M.M. Flow Based Anomaly Detection in Software Defined Networking: A Deep Learning Approach with Feature Selection Method. In Proceedings of the 2018 4th International Conference on Electrical Engineering and Information Communication Technology (iCEEiCT), Dhaka, Bangladesh, 13–15 September 2018; pp. 630–635. [Google Scholar] [CrossRef]
- Dawoud, A.; Shahristani, S.; Raun, C. A Deep Learning Framework to Enhance Software Defined Networks Security. In Proceedings of the 2018 32nd International Conference on Advanced Information Networking and Applications Workshops (WAINA), Krakow, Poland, 16–18 May 2018; pp. 709–714. [Google Scholar] [CrossRef]
- Tang, T.A.; Mhamdi, L.; McLernon, D.; Zaidi, S.A.R.; Ghogho, M. Deep Learning Approach for Network Intrusion Detection in Software Defined Networking. In Proceedings of the 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM), Fez, Morocco, 26–29 October 2016; pp. 258–263. [Google Scholar] [CrossRef]
- Jiang, W. Graph-based Deep Learning for Communication Networks: A Survey. Comput. Commun. 2021, 185, 40–54. [Google Scholar] [CrossRef]
- Zhou, X.; Liang, W.; Li, W.; Yan, K.; Shimizu, S.; Kevin, I.; Wang, K. Hierarchical Adversarial Attacks Against Graph Neural Network based IoT Network Intrusion Detection System. IEEE Internet Things J. 2021, 9, 9310–9319. [Google Scholar] [CrossRef]
- Lo, W.W.; Layeghy, S.; Sarhan, M.; Gallagher, M.; Portmann, M. E-GraphSAGE: A Graph Neural Network based Intrusion Detection System for IoT. In Proceedings of the NOMS 2022—2022 IEEE/IFIP Network Operations and Management Symposium, Budapest, Hungary, 25–29 April 2022; pp. 1–9. [Google Scholar]
- Samples of Security Related Data. Available online: https://www.secrepo.com/ (accessed on 22 September 2022).
- iPerf—The Ultimate Speed Test Tool for TCP, UDP and SCTP. 2015. Available online: https://iperf.fr/ (accessed on 22 September 2022).
- hping3 Documentation. 2020. Available online: http://hping.org/documentation.php (accessed on 22 September 2022).
- Rao, V.; Sachdev, J. A Machine Learning Approach to Classify News Articles Based on Location. In Proceedings of the 2017 International Conference on Intelligent Sustainable Systems (ICISS), Palladam, India, 7–8 December 2017; pp. 863–867. [Google Scholar] [CrossRef]
- Umer, Q.; Liu, H.; Sultan, Y. Emotion Based Automated Priority Prediction for Bug Reports. IEEE Access 2018, 6, 35743–35752. [Google Scholar] [CrossRef]
- Ramay, W.Y.; Umer, Q.; Yin, X.C.; Zhu, C.; Illahi, I. Deep Neural Network-Based Severity Prediction of Bug Reports. IEEE Access 2019, 7, 46846–46857. [Google Scholar] [CrossRef]
- Nizamani, Z.A.; Liu, H.; Chen, D.M.; Niu, Z. Automatic Approval Prediction for Software Enhancement Requests. Autom. Softw. Eng. 2017, 25, 347–381. [Google Scholar] [CrossRef]
- A Java Based OpenFlow Controller. Available online: www.projectfloodlight.org/floodlight/ (accessed on 22 September 2022).
- Sohrawardi, S.J.; Azam, I.; Hosain, S. A Comparative Study of Text Classification Algorithms on User Submitted Bug Reports. In Proceedings of the Ninth International Conference on Digital Information Management (ICDIM 2014), Phitsanulok, Thailand, 29 September–1 October 2014; pp. 242–247. [Google Scholar] [CrossRef]
Acronym | Description |
---|---|
API | Application Programmable Interface |
BN | BayesNet |
DDoS | Distributed Denial of Service |
DT | Decision Tree |
GNN | Graph Neural Network |
GRU-RNN | Gated Recurrent Unit Recurrent Neural Network |
GRU-LSTM | Gated Recurrent Unit Long Short Term Memory |
HAA | Hierarchical Adversarial Attack |
HMM | Hidden Markov Model |
ICMP | Internet Control Message Protocol |
IP | Internet Protocol |
KNN | K-Nearest Neighbor |
LR | Linear Regression |
MAP-SDN | Machine Learning-Based Anomaly Prediction in SDN |
MNB | Multinomial Naive Bayes |
NB | Naive Bayes |
NIDS | Network Intrusion Detection Systems |
PCAP | Packet Capture |
RF | Random Forest |
RPA | Random Prediction Algorithm |
SDN | Software Defined Networking |
SVM | Support Vector Machine |
TCP | Transmission Control Protocol |
UDP | User Datagram Protocol |
ZRA | Zero Rule Algorithm |
Proposed Approach | RPA | ZRA | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
Testing Samples | Accuracy | Precision | Recall | F-Measure | Accuracy | Precision | Recall | F-Measure | Accuracy | Precision | Recall | F-Measure |
Latest 5% | 95.29% | 99.26% | 98.46% | 98.86% | 60.00% | 57.49% | 51.65% | 54.42% | 88.58% | 84.92% | 85.84% | 85.37% |
Latest 10% | 95.34% | 98.83% | 98.39% | 98.61% | 61.00% | 67.89% | 56.62% | 61.74% | 91.82% | 82.58% | 85.84% | 84.18% |
Latest 15% | 95.21% | 98.55% | 98.57% | 98.56% | 61.97% | 53.29% | 54.32% | 53.80% | 93.44% | 95.93% | 95.73% | 95.83% |
Latest 20% | 95.25% | 98.16% | 98.36% | 98.26% | 64.25% | 60.18% | 54.22% | 57.04% | 90.46% | 91.84% | 92.38% | 92.11% |
Average | 95.27% | 98.70% | 98.45% | 98.57% | 61.81% | 59.71% | 54.20% | 56.75% | 91.07% | 88.82% | 89.95% | 89.37% |
Approach | Accuracy | Precision | Recall | F-Measure |
---|---|---|---|---|
RF | 95.27% | 98.70% | 98.45% | 98.57% |
MNB | 94.49% | 94.53% | 99.30% | 96.85% |
LR | 93.12% | 93.96% | 98.27% | 96.06% |
SVM | 90.27% | 91.75% | 84.46% | 87.94% |
Preprocessing | Accuracy | Precision | Recall | F-Measure |
---|---|---|---|---|
Enabled | 95.27% | 98.70% | 98.45% | 98.57% |
Disabled | 93.34% | 95.64% | 94.70% | 95.17% |
Improvement | 2.07% | 3.20% | 3.95% | 3.57% |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Latif, Z.; Umer, Q.; Lee, C.; Sharif, K.; Li, F.; Biswas, S. A Machine Learning-Based Anomaly Prediction Service for Software-Defined Networks. Sensors 2022, 22, 8434. https://doi.org/10.3390/s22218434
Latif Z, Umer Q, Lee C, Sharif K, Li F, Biswas S. A Machine Learning-Based Anomaly Prediction Service for Software-Defined Networks. Sensors. 2022; 22(21):8434. https://doi.org/10.3390/s22218434
Chicago/Turabian StyleLatif, Zohaib, Qasim Umer, Choonhwa Lee, Kashif Sharif, Fan Li, and Sujit Biswas. 2022. "A Machine Learning-Based Anomaly Prediction Service for Software-Defined Networks" Sensors 22, no. 21: 8434. https://doi.org/10.3390/s22218434
APA StyleLatif, Z., Umer, Q., Lee, C., Sharif, K., Li, F., & Biswas, S. (2022). A Machine Learning-Based Anomaly Prediction Service for Software-Defined Networks. Sensors, 22(21), 8434. https://doi.org/10.3390/s22218434