Data-driven software defined network attack detection : State-of-the-art and perspectives
Introduction
Software Defined Network (SDN) is an emerging network paradigm that decouples the control plane from the data plane in order to make the network programmable [46], [47]. Unlike the traditional network architecture, SDN has three planes: the control plane, the application plane and the data plane. The Northbound Interface (NI) connects the control plane to the application plane, and the Southbound Interface (SI) connects the control plane to the data plane. SDN is flexible and programmable, which makes it valuable for network management, operation and maintenance, and it has greatly promoted network innovation. However, the security of SDN has become a decisive factor restricting its commercialization and adoption [1], [37].
In terms of data collection, SDN makes it easy to collect network data at large scale. These data are typically multi-source and heterogeneous: parsed IP packets, security device logs, network traffic statistics, flow tables in OpenFlow switches and system protection logs. They describe different aspects of the same security event, so they need to be analyzed jointly for SDN attack detection.
In terms of data processing, the separation of the data plane and the control plane centralizes network intelligence. Powerful computing platforms (Hadoop, Spark, TensorFlow) can be deployed alongside the control plane, providing the computing power needed to run complex big data algorithms. This creates the opportunity to design big data-driven network attack detection architectures. The same centralization also concentrates risk: the controller and its analytics pipeline become a high-value target, so detection must cover attacks aimed at the control plane itself, not only at the data plane.
To promote research on big data-driven SDN security, we survey recent developments and emerging trends in SDN security, giving readers a generic and comprehensive view of data-driven SDN attack detection methodologies. We also extend our previous research on SDN and put forward a tensor-based data-driven SDN attack detection framework. Based on the concept of the eigentensor, we propose a novel tensor-based principal component analysis method for network attack detection.
The paper aims to bridge the gap between two active research areas, SDN attack detection and big data. Its contributions are multifaceted: (i) we analyze and summarize the characteristics of SDN data and survey the latest network attack detection algorithms; (ii) we propose a novel tensor principal component analysis method for SDN attack detection; (iii) we propose a general big data-driven network attack detection framework for SDN security.
The remainder of the paper is organized as follows. Section 2 briefly introduces the background of data-driven SDN security, including tensors and eigentensors, tensor decomposition and SDN security. Section 3 surveys typical network attack detection methods, both machine learning based and statistical. Section 4 first surveys data-driven SDN frameworks and SDN security frameworks and then proposes a big data-driven, tensor-based SDN attack detection framework. Section 5 presents a case study to verify the proposed framework. Section 6 summarizes the paper.
Section snippets
Background
In this section, the background of data-driven SDN security is surveyed.
Typical network attack detection methods
The surge of research on SDN security has produced a wide variety of network attack detection methods. According to their detection strategy, these methods are mainly divided into statistical approaches and machine learning based methods. Our review of the related literature is organized according to the taxonomy in Fig. 5. In the following sections, we survey the methods in detail.
The proposed tensor-based network attack detection for SDN
In this section, we first analyze the existing SDN security frameworks and data-driven SDN frameworks; this provides valuable references and suggestions for designing a tensor-based data-driven network attack detection framework for SDN. Then a big data-driven network attack detection framework is proposed for SDN.
The case study
In this section, we present a case study to verify the proposed SDN attack detection framework. As shown in Fig. 15, a typical monitoring system with a triggering protocol is embedded in the SDN. The monitoring system consists of two parts: (i) a set of distributed monitors; in our framework, the OpenFlow switches can be considered distributed sensors; (ii) a coordinator in the SDN controller running the NOX network operating system. The distributed monitors produce a continuous time series, which can be
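The statistical branch of the taxonomy above and the coordinator in this case study can be made concrete with a small worked example. The following is an added illustration, not code from the paper: the paper's tensor-based PCA is not described on this page, so the example uses the classical matrix PCA subspace method (Lakhina et al., "Diagnosing network-wide traffic anomalies", which appears in the reference list) as a stand-in. The coordinator receives one vector of per-switch counters per polling interval, fits the "normal" subspace on a training window, and flags samples whose residual energy (squared prediction error, SPE) exceeds a threshold. The switch count, the counter values, the noise model and the mean plus three standard deviations threshold are all constructed assumptions.

```python
"""PCA-subspace anomaly detection over per-switch OpenFlow counters.

Added illustration, not the paper's code. Stand-in for the tensor PCA:
classical matrix PCA subspace method (Lakhina et al.). Counter values,
switch count and the mean + 3 sigma threshold are constructed assumptions.
"""
import math
import random

NUM_SWITCHES = 4  # assumed number of monitored OpenFlow switches


def mean_vector(rows):
    d = len(rows[0])
    return [sum(r[i] for r in rows) / len(rows) for i in range(d)]


def covariance(rows, mu):
    """Sample covariance matrix of the centred rows."""
    d = len(mu)
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        c = [r[i] - mu[i] for i in range(d)]
        for i in range(d):
            for j in range(d):
                cov[i][j] += c[i] * c[j]
    return [[v / (len(rows) - 1) for v in row] for row in cov]


def eigenpairs(cov, iters=300):
    """All (eigenvalue, unit eigenvector) pairs of a small symmetric matrix,
    largest first, by power iteration with deflation (fine for a few switches)."""
    d = len(cov)
    a = [row[:] for row in cov]
    pairs = []
    for _ in range(d):
        v = [1.0 + 0.1 * i for i in range(d)]  # asymmetric start vector
        for _ in range(iters):
            w = [sum(a[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * a[i][j] * v[j] for i in range(d) for j in range(d))
        pairs.append((lam, v))
        for i in range(d):  # deflate the found component
            for j in range(d):
                a[i][j] -= lam * v[i] * v[j]
    return pairs


class SubspaceDetector:
    """Coordinator-side detector: fits the normal subspace on a training window
    of per-switch counter vectors and scores later samples by residual energy."""

    def __init__(self, training, var_ratio=0.95, sigmas=3.0):
        self.mu = mean_vector(training)
        cov = covariance(training, self.mu)
        total = sum(cov[i][i] for i in range(len(cov)))
        self.basis, kept = [], 0.0
        for lam, v in eigenpairs(cov):  # keep components up to var_ratio of variance
            self.basis.append(v)
            kept += lam
            if kept / total >= var_ratio:
                break
        spes = [self.spe(x) for x in training]
        m = sum(spes) / len(spes)
        sd = math.sqrt(sum((s - m) ** 2 for s in spes) / len(spes))
        self.threshold = m + sigmas * sd  # assumed empirical threshold

    def residual(self, x):
        """Part of the centred sample that lies outside the normal subspace."""
        c = [x[i] - self.mu[i] for i in range(len(x))]
        proj = [0.0] * len(c)
        for v in self.basis:
            coef = sum(v[i] * c[i] for i in range(len(c)))
            for i in range(len(c)):
                proj[i] += coef * v[i]
        return [c[i] - proj[i] for i in range(len(c))]

    def spe(self, x):
        return sum(r * r for r in self.residual(x))

    def is_anomalous(self, x):
        return self.spe(x) > self.threshold

    def localize(self, x):
        """Index of the switch contributing the most residual energy."""
        r = self.residual(x)
        return max(range(len(r)), key=lambda i: abs(r[i]))


def normal_sample(t, rng=None):
    """Constructed per-switch byte counts (kB per polling interval) at step t:
    a per-switch base load plus a shared daily cycle, optionally with noise."""
    base = [300.0, 220.0, 180.0, 260.0]
    shared = 100.0 * (1.0 + math.sin(2.0 * math.pi * t / 24.0))
    x = [base[s] + shared for s in range(NUM_SWITCHES)]
    if rng is not None:
        x = [v + rng.gauss(0.0, 2.0) for v in x]
    return x


def build_training(steps=48, seed=7):
    """Two constructed 24-step cycles of normal traffic for the training window."""
    rng = random.Random(seed)
    return [normal_sample(t, rng) for t in range(steps)]


def flood_sample(t, victim, extra_kb=600.0):
    """Normal sample with a volumetric flood concentrated on one switch."""
    x = normal_sample(t)
    x[victim] += extra_kb
    return x


if __name__ == "__main__":
    det = SubspaceDetector(build_training())
    print("components kept:", len(det.basis), "threshold:", round(det.threshold, 1))
    cases = [("clean", normal_sample(60)),
             ("flood on switch 1", flood_sample(60, 1)),
             ("uniform +50 on all", [v + 50.0 for v in normal_sample(60)])]
    for name, x in cases:
        print(f"{name:20s} SPE={det.spe(x):10.1f} "
              f"anomalous={det.is_anomalous(x)} suspect={det.localize(x)}")
```

The third case is the caveat a practitioner should take from this method: because normal load on all switches rises and falls together, the principal component is roughly the all-ones direction, so an increase spread evenly across every monitored switch lands inside the normal subspace and is not flagged, while the same volume concentrated on one switch is. Any subspace detector should therefore be paired with per-switch or per-flow checks, and the training window must be free of attack traffic or the attack direction is learned as normal.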
Summary and further work
SDN provides new opportunities to design big data-driven network attack detection frameworks. At the same time, the emergence of SDN presents new challenges in network security. The paper first gives a bird's-eye view of SDN security and analyzes the features of SDN data. Then some typical network attack detection methods are surveyed. We also survey the existing tensor-based big data-driven SDN frameworks and SDN attack detection frameworks. Then a general big data-driven SDN network attack
Declaration of Competing Interest
a. This manuscript is the authors’ original work and has not been published nor has it been submitted simultaneously elsewhere.
b. All authors have checked the manuscript and have agreed to the submission.
Acknowledgements
The work is partly supported by National Key Research & Development Plan of China under Grant No. 2017YFB0801804, Shenzhen Fundamental Research Program under Grant No. JCYJ20170307172200714, and Fundamental Research Funds for the Central Universities under Grant No. HUST2018KFYXKJC046
References (84)
- An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection. Pattern Recognit. Lett. (2015)
- Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Comput. Netw. (2014)
- Network intrusion detection in covariance feature space. Pattern Recognit. (2007)
- A survey on OpenFlow-based software defined networks: security challenges and countermeasures. J. Netw. Comput. Appl. (2016)
- Data fusion in cyber-physical-social systems: state-of-the-art and perspectives. Inf. Fusion (2019)
- A tensor-based big-data-driven routing recommendation approach for heterogeneous networks. IEEE Netw. (2019)
- Privacy-preserving DDoS attack detection using cross-domain traffic in software defined networks. IEEE J. Sel. Areas Commun. (2018)
- Security in software defined networks: a survey. IEEE Commun. Surv. Tut. (2015)
- Multivariate online anomaly detection using kernel recursive least squares. IEEE International Conference on Computer Communications (2007)
- A survey of securing networks using software defined networking. IEEE Trans. Reliabil. (2015)
- Network anomaly detection with stochastically improved autoencoder based models. IEEE International Conference on Cyber Security and Cloud Computing
- Software defined network based fault detection in industrial wireless sensor networks. IEEE Global Communications Conference (GLOBECOM)
- Information metrics for low-rate DDoS attack detection: a comparative evaluation. International Conference on Contemporary Computing
- Efficient intrusion detection using principal component analysis. 3ème Conférence sur la Sécurité et Architectures Réseaux (SAR), La Londe, France
- Early detection of DDoS attacks against SDN controllers. International Conference on Computing, Networking and Communications
- Attack sequence detection in cloud using hidden Markov model. Asia Joint Conference on Information Security
- Real-time DDoS attack detection based on deep learning. Telecommun. Sci.
- A SOM and Bayesian network architecture for alert filtering in network intrusion detection systems. Information and Communication Technologies
- An improved secure high-order-Lanczos based orthogonal tensor SVD for outsourced cyber-physical-social big data reduction. IEEE Trans. Big Data
- A secure high-order-Lanczos based orthogonal tensor SVD for big data reduction in cloud environment. IEEE Trans. Big Data
- Privacy-preserving tensor decomposition over encrypted data in a federated cloud environment. IEEE Trans. Depend. Sec. Comput.
- FAS: using FPGA to accelerate and secure SDN software switches. Secur. Commun. Netw.
- NOX: towards an operating system for networks. ACM SIGCOMM Comput. Commun. Rev.
- Intrusion detection system using PCA and fuzzy PCA techniques. International Conference on Advanced Communication Systems and Information Security
- Overwatch: a cross-plane DDoS attack defense framework with collaborative intelligence in SDN. Secur. Commun. Netw.
- DAC-HMM: detecting anomaly in cloud systems with hidden Markov models. Concurr. Comput. Pract. Exp.
- Wavelet-based real time detection of network traffic anomalies. SecureComm and Workshops
- Detecting flooding based DoS attack in cloud computing environment using covariance matrix approach. Proceedings of the 7th International Conference on Ubiquitous Information Management and Communication
- Data flow anomaly detection. IEEE Trans. Softw. Eng.
- A fuzzy Bayesian approach to enhance SCADA network security. International Conference on Computer Science and Information Technology
- A covariance analysis model for DDoS attack detection. IEEE International Conference on Communications
- DDoS detection and analysis in SDN-based environment using support vector machine classifier. International Conference on Advanced Computing
- Bayesian event classification for intrusion detection. Computer Security Applications Conference
- Tensor-based software-defined internet of things. IEEE Wirel. Commun.
- A tensor-based framework for software-defined cloud data center. ACM Trans. Multimed. Comput. Commun. Appl.
- A tensor-based big data model for QoS improvement in software defined networks. IEEE Netw.
- Diagnosing network-wide traffic anomalies. ACM SIGCOMM
- A DDoS attack detection model based on machine learning algorithm in SDN environment. Microelectron. Comput.
- Anomaly detection via online oversampling principal component analysis. IEEE Trans. Knowl. Data Eng.
- DDoS attack detection and wavelets
- An effective defence mechanism for detection of DDoS attack on application layer based on hidden Markov model. Proceedings of the International Conference on Information Systems Design and Intelligent Applications
- A kernel-based reinforcement learning approach to dynamic behavior modeling of intrusion detection. International Symposium on Neural Networks: Advances in Neural Networks
Cited by (32)
- SDN/NFV-based framework for autonomous defense against slow-rate DDoS attacks by using reinforcement learning. Future Generation Computer Systems (2023)
- Nature-inspired intrusion detection system for protecting software-defined networks controller. Computers and Security (2023)
- A flexible SDN-based framework for slow-rate DDoS attack mitigation by using deep reinforcement learning. Journal of Network and Computer Applications (2022)
- Towards security automation in Software Defined Networks. Computer Communications (2022). Citation excerpt: "In the second category, the SDN-based security solutions to protect traditional networks have been reviewed. The standard strategy to review these solutions has been to divide them into statistics-based, ML-based, DL-based, and metaheuristics-based solutions [23–25,36–38]. An alternative approach has been threat-oriented reviews [39–41]."
- A traffic anomaly detection scheme for non-directional denial of service attacks in software-defined optical network. Computers and Security (2022). Citation excerpt: "It has the characteristics of overall, integrity, dynamic and coherence. The purpose of traffic anomaly detection is to discover the abnormal situation of network traffic in time and clarify the time node and location of abnormal traffic, which can effectively eliminate risks and ensure the security and order of network traffic operations (Khairi et al., 2018; Wang et al., 2020). The abnormal flow detection technology has attracted the research of a large number of scholars and institutions, and a large number of research results have emerged, especially in software-defined network related applications."