Intrusion detection system for SDN network using

deep learning approach

Sarra BOUKRIA Mohamed GUERROUMI
Department of Electronics and Computer Science Department of Electronics and Computer Science
USTHB University USTHB University
Algiers, Algeria Algiers, Algeria
[email protected] [email protected]

Abstract—Software Defined Network (SDN) is considered as the connectivity of data and information that passed through
the main component of the next generation network. Security, in the SDN network.
this environment, has very challenges and risks. Attacking SDN Intrusion detection systems play a big role in the security
controller or injecting false flow rules could affect the network
and block the entire services. To enhance the SDN network enhancement of the network, which are manly designed to de-
security, we propose an anomaly-based intrusion detection system tect malicious activities including virus, worm, DDoS attacks
using deep learning approach. This solution aims to protect the . . . , the earlier possible. Many solutions have been proposed to
communication channel between the SDN control layer and the secure the SDN network using machine learning [7], statistics
SDN infrastructure layer against false data injection attack, and collection [8] and data mining [9] methods. Deep learning
to detect any attempt of attack in SND southbound side. We
analyze the flows that circulate in the SDN network, we use the approaches [10] [11] are mainly used in the most recent
logarithm function followed by the Min/Max scalar technique works of security as an evolution of machine learning methods.
to normalize the flows features. For the flow classification, we They outperformed existing machine learning techniques when
exploit the Relu and Softmax functions. We test the proposed applied to various classification problems [12]. The main
system with CICIDS2017 dataset on an experimental platform contributions of this work are as follows:
combining Mininet environment and ONOS controller. The
evaluation results demonstrate the effectiveness and efficiency • Design an anomaly-based intrusion detection system us-
of the proposed security solution. ing deep learning approach.
Index Terms—Intrusions Detection Systems, Security, Software • Protect the communication between SDN controller and
defined network, ONOS controller, Mininet, Deep learning. physical layer devices.
• Evaluate the proposed solution using Mininet environ-
I. I NTRODUCTION ment and ONOS controller.
The Internet architecture is an increasing complex sys- The figure 1 shows the threat model of the proposed solution.
tem, which changed over the time. The traditional network
architecture has a big limitation in software and hardware
fields, this fact leads to overcome the necessity of new
technologies and architectures as future networks. Software
Defined Networking, a new paradigm that represents the main
concept of the future network. It offers new proprieties and
features by making the network flexible in its configuration
and deployment of services, dynamic, programmable, scalable,
manageable, and cost-effective. These SDN characteristics
make it adaptable with the high-bandwidth and dynamic
applications. SDN decouple the control plane of network from
the forwarding plane, by managing the whole network with a
central entity called the controller[1] [2].
Open flow [3] is the protocol used to manage the SDN
architecture by connecting the control layer of SDN with the
infrastructure layer. SDN architecture and open flow protocol
attract great attention of researchers from both academia and Fig. 1. The threat model of proposed System.
industry. This new architecture adds several functionalities
in the network, which increases the security challenges and The table I shows the list of acronyms used in this paper.
enhance the vulnerability of the network. Many solutions are The rest of the paper is organized as follows, Section II
proposed to securing the SDN network [4] [5] [6]. Security discusses briefly the related work of this solution. In Section
engineers still look to obtain the adequate solution to secure III, we present the description of our solution by presenting

Authorized licensed use limited to: UNIVERSITY OF BIRMINGHAM. Downloaded on May 10,2020 at 06:52:44 UTC from IEEE Xplore. Restrictions apply.
 TABLE I achieved binary classification accuracy of 99.82% and 8-class
ACRONYM LIST classification accuracy of 95.65%.
Acronym discription
SDN Software Defined Network Chuanhuang L et al. [15] (2017), propose a detection and
IDS Intrusion Detection System defense system of DDoS attack–based on deep Learning for
ONOS Open Network Operating System
DL Deep Learning OpenFlow-based SDN network. They use recurrent neural
DNN Deep Neural Network network, convolutional neural network and long short-term
GRU-RNN Gated Recurrent Unit - Recurrent Neural Network memory to produce a model with 5 layers, an input layer,
OVS Open Virtual Switch
forward layer, backward layer, fully connected hidden layer
SAE Stacked autoencoder
OF Open Flow and an output layer. The system learns patterns from sequence
DOS Denial of service attack of network traffic and trace network attack in a historical
DDos Distributed Denial of service attack manner. The ISCX2012 [16]data set is used for evaluating
TP True Positive
FP False Positive
the model, this proposition achieves 98% of accuracy.
TN True Negative
FN False Negative Mohd. Z et al [17] (2017), present a system for detection
AC Accuracy and mitigation of SMTP Flood Attack using deep learning
P Precision
R Recall analysis technique, the proposed FlowIDS is a framework
F F-measure integrated with Suricata IDS [18], it based on decision tree
(DT) classification and deep learning (DL) algorithms. They
test their solution by a single simulation of SDN environment
the system architecture and functionalities. The section IV network for DT and DL. The result of simulation has shown
describes the system implementation and discusses the exper- that DL algorithm provides a better network bandwidth han-
iment results. The last section concludes the paper. dling compare to DT algorithm.
II. R ELATED WORK III. P ROPOSED SOLUTION
Few previous works used deep learning approach to secure A. Methodology
SDN network have been proposed in the literature.
In order to have a high-performance intrusion detection
In [13] (2016) a flow-based anomaly detection system by
system, which accurately detects the different types of at-
constructing a deep neural network (DNN) architecture is
tacks and intrusions that affect the SDN network, we design
proposed to secure the SDN network. The structure of the
an anomaly-based intrusion detection method and propose a
Deep learning system includes three basic layers. An input
modular architecture (Figure 2) containing different modules,
layer with six dimensions, three hidden layers contain twelve,
each of which has a role to play for securing the network.
six and three neurons respectively and an output layer with two
dimensions. To achieve better detection rate, the same authors
propose another intrusion detection system for SDN network
[14] (2018), the proposed approach based on Deep recurrent
neural network. The authors propound a Gated Recurrent Unit
- Recurrent neural network (GRU-RNN) model to build an
IDS contains an input and output layers with six and one
dimensions respectively, and a hidden layer which have six,
four and two dimensions. The system architecture composed
of Flow Collector, Anomaly Detector and Anomaly Mitigator.
For the test and training phases, they use the NSL-KDD
dataset. The first solution [13] achieves an accuracy of 75.75%
using six basic features, and the second one [14] had an
accuracy of 89%.
In [12], Niyaz Q et al (2016) propose a deep learning
based multi-vector approach for construct a DDoS intrusion
detection system. The approach incorporates stacked Fig. 2. Architecture of proposed System.
autoencoder (SAE) in an SDN environment. The proposed
system is implemented as a network application on top of Our intrusion detection system supervises malicious traffic
an SDN controller and installing rules only for symmetric that passes through the infrastructure layer. It analyzes the flow
flows, this system consists of three modules Traffic Collector that passes through the various devices and classifies it by an
and Flow installer (TCFI), Feature Extractor (FE), and intelligent system based on deep learning approach. In case
Traffic Classifier (TC). Its evaluation is performed using of detection of an anomaly, an alarm message is sent to the
custom generated traffic traces. The authors claim to have administrator to report the intrusion detection.

Authorized licensed use limited to: UNIVERSITY OF BIRMINGHAM. Downloaded on May 10,2020 at 06:52:44 UTC from IEEE Xplore. Restrictions apply.
 In order to find the right approach, which will allow
us to classify with the best possible accuracy the different
flows that cross the network. We focused on deep learning
techniques.
To safely implement our intrusion detection system, some
hypotheses must be taken into consideration:
• The security of our SDN network was not corrupted
before or during our deployment.
• The security of the controller, the application layer, as
well as the communications between them is already
ensured.
As shown in Figure 2, the proposed system contains three
modules, these modules work in adequacy for the good func-
tioning, and the well detection of malicious flows that cross
the network.
• Features extraction module: Its main functionality is to
handle the traffic passing through the network. Its task is
to capture the different flows passing through the network
devices and extracts the necessary features from these
flows. These extracted features help the intelligent system
to determine the type of traffic flow.
– The first step of this module is to capture the
flow from the devices through the port mirroring
technique. The captured flow is stored in the memory
until its end of capture. We note that the flow is
not directly processed, which allows the detection of
very specific types of attacks such as Dos and Ddos
attacks.
– Once the flow is fully captured, the second step
consists in extracting the necessary features to detect
the possible attacks. Once this step is completed, this
module sends a vector of features representing the
flow to the pre-processing module.
• The module of pre-processing of features: This module
processes the vector received from the features extractor
before sending them to the next module. This step is
mainly responsible for the standardization of feature
vectors.
– The first step of this module consists of removing the
features that lead to distort the results of detection
and the right classification of flows type. As features,
we have the source and destination IP addresses that
are not able to differentiate or specify the different
types of flows because the attack or normal flow can
come from any machine.
– The second step consists in modifying some
features of non-numerical values that prevent the
flow classification module from diagnosing the
different flows received to numerical values, such
as ” Infinity ” or ” NaN ” in -1 and 0 respectively.
– The last step consists in normalizing the received
flow for each of features. Most of the time,
Authorized licensed use limited to: UNIVERSITY OF BIRMINGHAM. Downloaded on May 10,2020 at 06:52:44 UTC from IEEE Xplore. Restrictions apply.
data-sets contain data with different orders of
magnitude. This difference in scale can lead to
lower performance. Standardization is one of the
techniques to overcome this problem. There are
many techniques for standardizing data. We will use
two techniques to achieve the best possible results.
• Flow classification module: This module represents the
intelligent part of the intrusion detection system, it is
trained to differentiate between several types of attacks
and normal flows. This intelligent module processes the
received flow by analyzing it, based on the model trained
during the learning phase.
B. Normalization
• The first phase of normalization consists of reducing
the too large difference between the values of the same
feature.
This phase consists of applying the logarithmic function
to the different values of a feature when there is a very
large difference between the maximum and minimum
value of this feature.
If (XM ax - XM in > threshold)
then
Xnormalize = log(x) (1)
Where:
X: the value of the feature that we are trying to
normalize.
The value of the threshold is fixed at 10000, based on
the different tests where we obtained the best results.
• The second phase of normalization, which complements
the first, consists in using the Min/ Max Scalar technique,
which consists in finding the maximums and minimums
of each feature and then applying the following function:
Xnormalize = x − XM in /XM ax − XM in (2)
Where :
XM in : smallest value observed by the feature x. XM ax
: highest value observed by the feature x. x: the value of
the feature that we are trying to normalize.
The purpose of this phase is to obtain all values between
0 and 1, to ensure a better update of weights during the
learning phase.
C. Training of the intrusion detection system
For the training of the intelligent system that allows the
classification of the different flows. We propose a deep
learning architecture (Fig 3).
This architecture contains three levels of layers, the first
one includes an Input layer composed of 77 input neurons
representing each feature in the flow, the second level com-
prises three hidden layers which contain 128, 64, and 32
neurons respectively. The third level contains 7 output neurons
representing each type of flow.
Fig. 3. The proposed Deep learning architecture.
For the hidden layers, we use Relu as an activation function
(3). It is the most used activation function in the world right
now, it converges faster than the others activation functions
for the best result.
f (x) = M ax(0, x)
I.e. :
f (x) = { 0 if x < 0 , x if x >= 0 }
For the output layer, we apply the Softmax activation
function (4). It attributes probabilities to each class where the
sum of their probabilities is equal to 1. The class with the
highest probability is the type of flow analyzed.
exp(xi )
σ(xi ) =
exp(x1 ) + exp(x2 ) + ... + exp(xn )
Where:
0 < i < n.
n : the number of output neurons.
The diagram below ( Fig 4) represents the general function-
ing of the proposed IDS:
IV. DEPLOYMENT AND TEST PERFORMANCE
A. Deployment environment
We use Mininet emulator [19] to create a realistic virtual
network, its Switches support OpenFlow for highly flexible
custom routing and SDN. We manage the SDN network by
ONOS [20] controller. ONOS is Open Network Operating Sys-
tem, this controller bears the cost of the network configuration
and control on a real time. It eliminates also the necessity
for controlling routing protocols and the commutation in the
structure of network.
Authorized licensed use limited to: UNIVERSITY OF BIRMINGHAM. Downloaded on May 10,2020 at 06:52:44 UTC from IEEE Xplore. Restrictions apply.
Fig. 4. General functioning of proposed System.
(3) We use the CICIDS2017 dataset [21], generated by the
Canadian institute of cybersecurity. Each flow in this collection
of data is represented by a row composed of 79 features. We
use the Wireshark tool to capture the traffic passing within the
network, and the CICFLowMeter tool as a feature extractor, it
allows us to extract all the appropriate features with the inputs
defined on the proposed intelligent system.
B. Experiments and results
1) Evaluation metrics: In the most of works based on deep
learning approach, the performance of NIDS is evaluated in
(4)
term of accuracy (AC), precision (P), recall (R) and F-measure
(F) to evaluate its detection rate. It requires a high detection
accuracy and low false alarm rate. The calculation of these
metrics requires the values of:
• True Positive (TP): the number of attacks correctly
classified.
• True Negative (TN): the number of normal flow correctly
classified.
• False Positive (FP): the number of normal flow incor-
rectly classified.
• False Negative (FN): the number of attacks incorrectly
classified.
So, we can present the formula of each parameter as follows:
- Accuracy (AC): the number of true detections over the
total traffic trace:
TP + TN
AC = (5)
TP + TN + FP + FN
 - Precision (P): The number of true detections over the The results presented in the figure 5, show amelioration in
true and false detection rate. The higher P is, the lower the rate of metrics in parallel with the increasing of the size
false alarm is : of learning data set from 500 thousand to 1.5 million flow. On
the other hand, performances seem to stabilize by increasing
TP the size from 1.5 million to 2 million flows.
P = (6)
TP + FP
- Recall (R): the percentage of predicted intrusions versus Based on the results obtained in this phase of evaluation,
all intrusion presented. The most detection requires a high we chose the model which gave the best results (trained with
R value : 2 million flows) to improve it.
To be able to improve this model, it is necessary to detail the
TP results obtained.For this purpose we have recalculated all the
R= (7)
TP + FN metrics used for each type of flow. The table III presents the
- F-measure (F): considering both the precision (P) and results obtained.
the recal (R). We aim for a high F value:
2 We can see that the precision of each class is always above
F = 1 1 (8) 95 %. The same remark for the recall except for web attacks
P + R (83%) and bot attack (29%). and for the F-measure each classe
2) Evaluation results: To evaluate the performance of the is above 90% unless the Bot attack with 45%. It should also
proposed system, we have fixed the set of test on 20% of the be noted that the false positive rate is very low except for the
initial dataset, we have using a program which divides the normal flow type.
rest of dataset (80%) on several sets to observe the evolution
of results over the number of flows used during the training We can explain this misclassification by the reduced number
phase. The table II show the evaluation results: of the flows in the learning data set, or that the features of this
set of data cannot differentiate the attack from the normal flow.
In order to better identify the cause of this misclassification
TABLE II and improve the results obtained, it can be modifying the
E VOLUTION METRICS IN PARALLEL WITH THE SIZE OF TRAINING DATA
SET (M ILLION ).
weight of each class during the error calculation in the training
phase. The weight used to assign more importance to flow
Size of Ac(%) P(%) R(%) F(%) FP(%) types that do not contain many occurrences in the learning
dataset data set. This helps to solve the problem of imbalance in data
Model 20% 99.2 99.03 99.19 99.11 1.48
(0.5M) sets.
Model 40% 99.47 99.46 99.46 99.45 0.73
(1M)
Model 60% 99.58 99.58 99.58 99.57 0.41 3) Comparison with the other solutions: In the table IV, we
(1.5M) compare the performance of our intrusion detection system
Model 80% 99.6 99.6 99.6 99.59 0.84
(2M) with other IDSs implementations in term of accuracy as
evaluation measure, using the Deep learning approach in SDN
networks.

TABLE IV
C OMPARISON OF THE PROPOSED SYSTEM WITH OTHER SOLUTIONS THA
USED D EEP LEARNING IN SDN NETWORK .

Solution Accuracy (%)

Our Solution 99.6
[14] 89%
[15] 98%
[12] 95.65%
[13] 75.75%

The table V present a comparison of our solution with other

Fig. 5. Evolution of metrics rate in parallel with the size of training data set. solution [22] using the same data set.

Authorized licensed use limited to: UNIVERSITY OF BIRMINGHAM. Downloaded on May 10,2020 at 06:52:44 UTC from IEEE Xplore. Restrictions apply.
 TABLE III
E VOLUTION OF METRICS RATE IN PARALLEL WITH THE TYPE OF FLOW.

Type of flow DDoS(%) DoS(%) Web Attack(%) PortScan(%) BruteForce (%) Normal(%) Bot(%)
Precision 99.85 98.64 98.36 99.95 95.67 99.71 96.69
Recall (R) 99.85 98.51 83.02 99.83 97.54 99.8 29.69
F-measure 99.85 98.28 90.04 99.89 96.59 99.75 45.43
FP Rate 0.007 0.14 0.001 0.003 0.02 1.03 0.0007

TABLE V [6] S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “Sdn security: A sur-

C OMPARISON BETWEEN THE PROPOSED SOLUTION AND OTHER vey,” in 2013 IEEE SDN For Future Networks and Services (SDN4FNS).
SOLUTIONS THAT USED THE CICIDS2017 DATASET. IEEE, 2013, pp. 1–7.
[7] D. Michie, D. J. Spiegelhalter, C. Taylor et al., “Machine learning,”
Solution Model Precision Recall F-Mesure Neural and Statistical Classification, vol. 13, 1994.
(%) (%) (%) [8] H. Enomoto, T. Aimoto, S. Akahane, and H. Higuchi, “Information relay
Our solution model 99.6 99.6 99.59 apparatus and method for collecting flow statistic information,” Sep. 29
Naives 88 84 84 2005, uS Patent App. 11/062,832.
Bayes [9] D. J. Hand, “Data mining,” Encyclopedia of Environmetrics, vol. 2, 2006.
QDA 97 88 92 [10] Y. LeCun, Y. Bengio, and G. Hinton, “Deep learning,” nature, vol. 521,
[22] Random for- 98 97 97 no. 7553, p. 436, 2015.
est [11] I. Goodfellow, Y. Bengio, and A. Courville, Deep learning. MIT press,
ID3 98 98 98 2016.
AdaBoost 77 84 77 [12] Q. Niyaz, W. Sun, and A. Y. Javaid, “A deep learning based ddos
MLP 77 83 76 detection system in software-defined networking (sdn),” arXiv preprint
K Nearst 96 96 96 arXiv:1611.07400, 2016.
Neighbours [13] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho,
“Deep learning approach for network intrusion detection in software
defined networking,” in 2016 International Conference on Wireless
By analyzing the different results of the different solutions, Networks and Mobile Communications (WINCOM). IEEE, 2016, pp.
we notice that our Intrusion detection systems have the best 258–263.
[14] T. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho,
results compared to other solutions. This which leads us to “Deep recurrent neural network for intrusion detection in sdn-based
say that our intelligent system has a considerable capacity for networks,” in 2018 4th IEEE Conference on Network Softwarization
classifying flows, thus allowing a more accurate detection of and Workshops (NetSoft). IEEE, 2018, pp. 202–206.
[15] C. Li, Y. Wu, X. Yuan, Z. Sun, W. Wang, X. Li, and L. Gong, “Detection
the different attacks that pass through the SDN network. and defense of ddos attack–based on deep learning in openflow-based
sdn,” International Journal of Communication Systems, vol. 31, no. 5,
V. C ONCLUSION p. e3497, 2018.
[16] A. Shiravi, H. Shiravi, M. Tavallaee, and A. A. Ghorbani, “Toward
We have proposed a security solution to secure the SDN net- developing a systematic approach to generate benchmark datasets for
work using the deep learning approach. The presented solution intrusion detection,” computers & security, vol. 31, no. 3, pp. 357–374,
2012.
classifies the network traffic into normal and abnormal flows [17] M. Z. A. Aziz and K. Okamura, “Leveraging sdn for detection and
using the Relu and Softmax functions. The experiment results mitigation smtp flood attack through deep learning analysis techniques,”
show that the proposed approach gives a good performance INTERNATIONAL JOURNAL OF COMPUTER SCIENCE AND NET-
WORK SECURITY, vol. 17, no. 10, pp. 166–172, 2017.
in term of attack detection with an accuracy of 99.6 %. As [18] D. Day and B. Burns, “A performance analysis of snort and suricata net-
an extended future work, we plan enhancing the proposed work intrusion detection and prevention engines,” in Fifth International
solution for detecting more attacks and proposing other so- Conference on Digital Society, Gosier, Guadeloupe, 2011, pp. 187–192.
[19] R. L. S. De Oliveira, C. M. Schweitzer, A. A. Shinoda, and L. R.
lutions to securing the SDN network, with multicontroller Prete, “Using mininet for emulation and prototyping software-defined
and integrating other technology such as the Blockchain [23] networks,” in 2014 IEEE Colombian Conference on Communications
[24]technology. and Computing (COLCOM). IEEE, 2014, pp. 1–6.
[20] “Onos,” http ://onosproject.org, accessed: 2019-01-03.
[21] R. Panigrahi and S. Borah, “A detailed analysis of cicids2017 dataset
R EFERENCES for designing intrusion detection systems,” International Journal of
[1] D. B. Rawat and S. R. Reddy, “Software defined networking architec- Engineering & Technology, vol. 7, no. 3.24, pp. 479–482, 2018.
ture, security and energy efficiency: A survey,” IEEE Communications [22] I. Sharafaldin, A. Gharib, A. Habibi Lashkari, and A. Ghorbani,
Surveys & Tutorials, vol. 19, no. 1, pp. 325–346, 2017. “Towards a reliable intrusion detection benchmark dataset,” Software
[2] D. Kreutz, F. M. Ramos, P. Verissimo, C. E. Rothenberg, S. Azodol- Networking, vol. 2017, pp. 177–200, 01 2017.
molky, and S. Uhlig, “Software-defined networking: A comprehensive [23] M. Swan, Blockchain Thinking: The Brain as a Decentralaized Au-
survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015. tonomous Corporation[Commentary].
[24] D. Puthal, N. Malik, S. P. Mohanty, E. Kougianos, and G. Das,
[3] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson,
“Everything you wanted to know about the blockchain: Its promise,
J. Rexford, S. Shenker, and J. Turner, “Openflow: enabling innovation in
components, processes, and problems,” IEEE Consumer Electronics
campus networks,” ACM SIGCOMM Computer Communication Review,
Magazine, vol. 7, no. 4, pp. 6–14, 2018.
vol. 38, no. 2, pp. 69–74, 2008.
[4] S. T. Ali, V. Sivaraman, A. Radford, and S. Jha, “A survey of securing
networks using software defined networking,” IEEE transactions on
reliability, vol. 64, no. 3, pp. 1086–1097, 2015.
[5] I. Ahmad, S. Namal, M. Ylianttila, and A. Gurtov, “Security in soft-
ware defined networks: A survey,” IEEE Communications Surveys &
Tutorials, vol. 17, no. 4, pp. 2317–2346, 2015.

Authorized licensed use limited to: UNIVERSITY OF BIRMINGHAM. Downloaded on May 10,2020 at 06:52:44 UTC from IEEE Xplore. Restrictions apply.