4.6 Article

Flow-based intrusion detection on software-defined networks: a multivariate time series anomaly detection approach

Journal

NEURAL COMPUTING & APPLICATIONS
Volume 35, Issue 16, Pages 12175-12193

Publisher

SPRINGER LONDON LTD
DOI: 10.1007/s00521-023-08376-5

Keywords

Intrusion detection; Anomaly detection; Deep learning; Semi-supervised learning; Software-defined networks; Time series anomaly detection


In this study, we propose and implement the SAnDet architecture, an anomaly-based intrusion detection system using SDN. We utilize replicator neural networks (RNN) and the LSTM-based encoder-decoder (EncDecAD) method to identify unknown attacks. Experimental results show that EncDecAD outperforms RNN and our approach offers several benefits.
In this study, we present and implement the SAnDet (SDN anomaly detector) architecture, an anomaly-based intrusion detection system designed to take advantage of the capabilities offered by software-defined networking (SDN) architecture, as a controller application. The SAnDet system is composed of three modules: statistics collection, anomaly detection, and anomaly prevention. In particular, we utilize replicator neural networks (RNN), which is a specialized variant of the autoencoder, and the LSTM-based encoder-decoder (EncDecAD) method, which is a special type of long short-term memory (LSTM) network that has demonstrated a strong performance on data series particularly, to identify unknown attacks using flow features collected from OpenFlow switches. In our experiments, we utilize flow-based features extracted from network traffic data containing various types of attacks as input to our models in the form of time series. We evaluate the performance of our methods using the accuracy and area under the receiver operating characteristic curve (AUC) metrics. Our experimental results demonstrate that EncDecAD outperforms RNN and that our approach offers several benefits over previously conducted research.
