Flow-Based Intrusion Detection on Software-Defined Networks: A Multivariate Time Series Anomaly Detection Approach

Abstract

Abstract In this study, SAnDet architecture, which can do an anomaly-based intrusion detection by taking advantage of the capabilities offered by SDN architecture, is presented and implemented as controller application. A detailed description of this system which consists of three main modules which are statistics collector, anomaly detector, and anomaly prevention is given. More specifically, Replicator Neural Networks (RNN) which is a special variant of the autoencoder, and EncDecAD methods which a special type of LSTM networks that can produce successful results especially in given data series, were used to identify unknown attacks using flow features collected from OpenFlow switches. In experiments, flow-based features extracted from network traffic data including different types of attacks, are given as input into models as time series. The results of the methods are calculated in terms of the ROC and AUC metrics. Experimental results show that EncDecAD outperforms RNN and the methods proposed in the literature.