Unsupervised online anomaly detection in Software Defined Network environments

[EN] Software Defined Networking (SDN) simplifies network management and significantly reduces operational costs. SDN removes the control plane from forwarding devices (e.g., routers and switches) and centralizes this plane in a controller, enabling the management of the network forwarding decisions...

Descripción completa

Detalles Bibliográficos
Autores: Scaranti, Gustavo Frigo, Carvalho, Luiz Fernando, Barbon Junior, Sylvio, Proença Jr, Mario Lemes, Lloret, Jaime|||0000-0002-0862-0533
Tipo de recurso: artículo
Fecha de publicación:2022
País:España
Institución:Universitat Politècnica de València (UPV)
Repositorio:RiuNet. Repositorio Institucional de la Universitat Politécnica de Valéncia
Idioma:inglés
OAI Identifier:oai:riunet.upv.es:10251/200496
Acceso en línea:https://riunet.upv.es/handle/10251/200496
Access Level:acceso abierto
Palabra clave:Anomaly detection
Software Defined Networking (SDN)
Stream ining
DenStream
DDoS
Portscan
INGENIERÍA TELEMÁTICA
Descripción
Sumario:[EN] Software Defined Networking (SDN) simplifies network management and significantly reduces operational costs. SDN removes the control plane from forwarding devices (e.g., routers and switches) and centralizes this plane in a controller, enabling the management of the network forwarding decisions by programming the control plane with a high-level language. However, its centralized architecture may be compromised by flooding attacks, such as Distributed Denial of Service (DDoS) and portscan. Facing this challenge, we propose an Intrusion Detection System (IDS) based on online clustering to detect attacks in an evolving SDN network taking advantage of the entropy of source and destination IP addresses and ports. Our proposal is focused on avoiding the demand for labeling and previous knowledge to provide a practical and accurate method to address real-life online scenarios. Moreover, our proposal paves the way for a comprehensive analysis by projecting the cluster's structure over the feature space, providing insights on intensity, seasonality, and attack type. Our experiments were carried out with the DenStream algorithm in several databases attacked by DDoS and portscan with different intensities, durations, and overlapping patterns. When comparing DenStream performance to Half-Space-Trees, an accurate online one-class classification algorithm for anomaly detection, it was possible to expose the capacity of our unsupervised proposal, overcoming the one-class solution, and reaching f-measure rates above 99.60%.