Elsevier

Information Sciences

Volume 513, March 2020, Pages 65-83

Data-driven software defined network attack detection: State-of-the-art and perspectives

https://doi.org/10.1016/j.ins.2019.08.047

Highlights

  • This paper analyzes and summarizes the characteristics of SDN data, and surveys latest network detection algorithms.

  • This paper proposes a novel construction method of tensor subspace, and applies it to complete SDN attack detection.

  • This paper proposes a general data-driven SDN network attack detection architecture.

Abstract

SDN (Software Defined Network) has emerged as a revolutionary technology in networking, and a substantial amount of research has been dedicated to the security of SDNs in order to support their various applications. The paper first analyzes the state of the art of SDN security from a data perspective. Then some typical network attack detection (NAD) methods are surveyed, including machine learning based methods and statistical methods. After that, a novel tensor based network attack detection method, named tensor principal component analysis (TPCA), is proposed to detect attacks. After surveying the latest data-driven SDN frameworks, a tensor based big data-driven SDN attack detection framework is proposed for SDN security. In the end, a case study is presented to verify the effectiveness of the proposed framework.

Introduction

Software Defined Network (SDN) is an emerging network paradigm that decouples the control plane from the data plane in order to realize programmable networks [46], [47]. Unlike the traditional network architecture, SDN has three planes, namely the control plane, the application plane and the data plane. The Northbound Interface (NI) connects the control plane and the application plane, and the Southbound Interface (SI) connects the control plane and the data plane. SDN is flexible and programmable, which makes it valuable for network management, operation and maintenance, and it has greatly promoted network innovation. However, the security of SDN has become a decisive factor restricting its commercialization and popularization [1], [37].

In terms of data collection, SDNs make it easy to collect large-scale network data. These data are usually multi-source and heterogeneous, including parsed IP packets, security device logs, network traffic statistics, flow tables in OpenFlow switches and system protection logs. They describe different aspects of the same security event, so there is a need to analyze them comprehensively for SDN attack detection.

In terms of data processing, the separation of the data plane and the control plane promotes the centralization of network intelligence. It is easy to deploy powerful computing platforms (Hadoop, Spark, TensorFlow) in the control plane, which provides the computing power needed to run complex big data algorithms. This creates opportunities for designing big data-driven network attack detection architectures.

To promote research on big data-driven SDN security, we survey the recent developments and emerging trends of SDN security to give readers a generic and comprehensive view of data-driven SDN attack detection methodologies. Furthermore, we extend our previous research on SDN and put forward a tensor based data-driven SDN attack detection framework. Based on the concept of the eigentensor, we propose a novel tensor based principal component analysis method for network attack detection.

This paper aims to bridge the gap between two popular research areas, SDN attack detection and big data. The contributions of the paper are multifaceted: (i) we analyze and summarize the characteristics of SDN data, and survey the latest network detection algorithms; (ii) we propose a novel tensor principal component analysis method for SDN attack detection; (iii) we propose a general big data-driven network attack detection framework for SDN security.

The remainder of the paper is organized as follows. Section 2 briefly introduces the background of data-driven SDN security, including tensors and eigentensors, tensor decomposition and SDN security. In Section 3, some typical network attack detection methods are surveyed, including machine learning based detection methods and statistical methods. In Section 4, we first survey data-driven SDN frameworks and SDN security frameworks, and then propose a big data-driven tensor based SDN attack detection framework. Section 5 presents a case study to verify the proposed SDN attack detection framework. Section 6 summarizes the paper.

Section snippets

Background

In this section, the background of data-driven SDN security is surveyed.

Typical network attack detection methods

The rapid growth of research on SDN security has led to a wide variety of network attack detection methods. According to their detection strategies, these methods are mainly divided into statistical approaches and machine learning based methods. Our review of the related literature is organized according to the taxonomy in Fig. 5. In the following sections, we survey the methods in detail.

The proposed tensor-based network attack detection for SDN

In this section, we first analyze the existing SDN security frameworks and data-driven SDN frameworks; this provides valuable references and suggestions for designing the tensor-based data-driven network attack detection for SDN. Then a big data-driven network attack detection framework is proposed for SDN.

The case study

In this section, we present a case study to verify the proposed SDN attack detection framework. As shown in Fig. 15, a typical monitoring system with a triggering protocol is embedded in the SDN. The monitoring system consists of two parts: (i) a set of distributed monitors; in our framework, the OpenFlow switches can be considered as distributed sensors; (ii) a coordinator in the SDN controller running the NOX operating system. The distributed monitors produce a continuous time series, which can be

Summary and further work

SDN provides new opportunities to design big data-driven network attack detection frameworks. At the same time, the emergence of SDN presents new challenges in network security. The paper first gives a bird's-eye view of SDN security and analyzes the features of SDN data. Then some typical network attack detection methods are surveyed. We also survey the existing tensor based big data-driven SDN frameworks and SDN attack detection frameworks. Then a general big data-driven SDN network attack

Declaration of Competing Interest

a. This manuscript is the authors’ original work and has not been published nor has it been submitted simultaneously elsewhere.

b. All authors have checked the manuscript and have agreed to the submission.

Acknowledgements

The work is partly supported by the National Key Research & Development Plan of China under Grant No. 2017YFB0801804, the Shenzhen Fundamental Research Program under Grant No. JCYJ20170307172200714, and the Fundamental Research Funds for the Central Universities under Grant No. HUST2018KFYXKJC046.

References (84)

  • R.C. Aygun et al., Network anomaly detection with stochastically improved autoencoder based models, IEEE International Conference on Cyber Security and Cloud Computing (2017)
  • S.K. Bhoi et al., Software defined network based fault detection in industrial wireless sensor networks, IEEE Global Communications Conference (GLOBECOM) (2018)
  • M.H. Bhuyan et al., Information metrics for low-rate DDoS attack detection: a comparative evaluation, International Conference on Contemporary Computing (2014)
  • Y. Bouzida et al., Efficient intrusion detection using principal component analysis, 3ème Conférence sur la Sécurité et Architectures Réseaux (SAR), La Londe, France (2004)
  • J. Castro-Ramos et al., Early detection of DDoS attacks against SDN controllers, International Conference on Computing, Networking and Communications (2015)
  • C.M. Chen et al., Attack sequence detection in cloud using hidden Markov model, Asia Joint Conference on Information Security (2012)
  • L.I. Chuanhuang et al., Real-time DDoS attack detection based on deep learning, Telecommun. Sci. (2017)
  • A. Faour et al., A SOM and Bayesian network architecture for alert filtering in network intrusion detection systems, Information and Communication Technologies (2006)
  • J. Feng et al., An improved secure high-order-Lanczos based orthogonal tensor SVD for outsourced cyber-physical-social big data reduction, IEEE Trans. Big Data (2018)
  • J. Feng et al., A secure high-order-Lanczos based orthogonal tensor SVD for big data reduction in cloud environment, IEEE Trans. Big Data (2018)
  • J. Feng et al., Privacy-preserving tensor decomposition over encrypted data in a federated cloud environment, IEEE Trans. Depend. Sec. Comput. (2018)
  • W. Fu et al., FAS: using FPGA to accelerate and secure SDN software switches, Secur. Commun. Netw. (2018)
  • N. Gude et al., NOX: towards an operating system for networks, ACM SIGCOMM Comput. Commun. Rev. (2008)
  • A. Hadri et al., Intrusion detection system using PCA and fuzzy PCA techniques, International Conference on Advanced Communication Systems and Information Security (2017)
  • B. Han et al., Overwatch: a cross-plane DDoS attack defense framework with collaborative intelligence in SDN, Secur. Commun. Netw. (2018)
  • B. Hong et al., DAC-HMM: detecting anomaly in cloud systems with hidden Markov models, Concurr. Comput. Pract. Exp. (2016)
  • C.T. Huang et al., Wavelet-based real time detection of network traffic anomalies, Securecomm and Workshops (2007)
  • M.N. Ismail et al., Detecting flooding based DoS attack in cloud computing environment using covariance matrix approach, Proceedings of the 7th International Conference on Ubiquitous Information Management and Communication (2013)
  • J. Jachner et al., Data flow anomaly detection, IEEE Trans. Softw. Eng. (2009)
  • S. Jin et al., A fuzzy Bayesian approach to enhance SCADA network security, International Conference on Computer Science and Information Technology (2014)
  • S. Jin et al., A covariance analysis model for DDoS attack detection, IEEE International Conference on Communications (2004)
  • R.T. Kokila et al., DDoS detection and analysis in SDN-based environment using support vector machine classifier, International Conference on Advanced Computing (2015)
  • C. Kruegel et al., Bayesian event classification for intrusion detection, Computer Security Applications Conference (2010)
  • L. Kuang et al., Tensor-based software-defined internet of things, IEEE Wirel. Commun. (2016)
  • L. Kuang et al., A tensor-based framework for software-defined cloud data center, ACM Trans. Multimed. Comput. Commun. Appl. (2016)
  • L. Kuang et al., A tensor-based big data model for QoS improvement in software defined networks, IEEE Netw. (2016)
  • A. Lakhina et al., Diagnosing network-wide traffic anomalies, ACM SIGCOMM (2004)
  • M.A. Le-Le et al., A DDoS attack detection model based on machine learning algorithm in SDN environment, Microelectron. Comput. (2018)
  • Y.J. Lee et al., Anomaly detection via online oversampling principal component analysis, IEEE Trans. Knowl. Data Eng. (2013)
  • L. Li et al., DDoS Attack Detection and Wavelets (2005)
  • S. Limkar et al., An effective defence mechanism for detection of DDoS attack on application layer based on hidden Markov model, Proceedings of the International Conference on Information Systems Design and Intelligent Applications (2012)
  • Y. Luo et al., A kernel-based reinforcement learning approach to dynamic behavior modeling of intrusion detection, International Symposium on Neural Networks: Advances in Neural Networks (2007)