A GRU deep learning system against attacks in software defined networks
Graphical abstract
Overall operation of the proposed SDN security system, which aims to protect its central controller against intrusion and DDoS attacks through individual IP flow analysis.
Introduction
The amount of data traveling on the Internet is rapidly increasing due to the growth in popularity and complexity of connected devices and software solutions. The usage of network resources by end users is rising through the popularization of social networks, web banking applications, and e-commerce, for instance. Thus, new cloud-based services are becoming essential to the operation of this new network environment, which brings specific requirements, such as dynamic traffic allocation (Maenhaut et al., 2017). Furthermore, the increasing popularity of Internet of Things (IoT) devices is gradually changing the Internet scenario by increasing the heterogeneity of communication, since each device (thing) has specific network requirements and processing capability (Yoon and Kim, 2017; Bera et al., 2018). In the face of these changes, management and security are becoming impracticable in traditional static network environments (da Costa et al., 2019; Hajiheidari et al., 2019).
A networking paradigm that is gaining space on several recent pieces of research and applications is the Software-defined Networking (SDN) (Zehra and Shah, 2017; Farris et al., 2019). This network paradigm operates by centralizing the network management into a single programmable controller, able to communicate and control network devices such as switches and routers regardless of their manufacturers, as “white-boxes”. The SDN separates the control and data planes so that the central controller is responsible for sending, for instance, management and packet forwarding policies to the controlled devices in a scalable and coordinated manner. This characteristic is a valuable feature able to provide next-generation networks with the dynamic architecture they require (Zhang et al., 2019), in which changes can be performed in a fast, programmable, and on-demand way.
However, while bringing essential improvements to the current network architecture, the SDN, like any centralized service, has its central controller as a critical point of failure. Malicious users may target this controller aiming to impair the whole network operation through different approaches, such as intrusions (Lopez-Martin et al., 2017) and denial of service (DoS) attacks (Daneshgadeh Çakmakçı et al., 2020; Wang et al., 2020; Xu et al., 2020; Zhang et al., 2020). Thus, efficient protection mechanisms are needed in SDNs to guarantee the availability of the network and the quality of the provided services (Correa Chica et al., 2020).
The occurrence of these attacks can be generically described as an anomaly, a situation when the network behavior differs from its normal state (Proença et al., 2005). The anomaly detection is a widely approached area, with several different methods proposed in the past years (Fernandes et al., 2019). However, it is still an open research field, since no consensus has been reached due to the enormous amount of different network scenarios and architectures available. In SDN environments, security is a central concern, arousing great interest from the scientific community due to the importance of this paradigm to present and future networks (Maziku et al., 2019).
Among all the anomaly detection methods, the IP flow-based ones are proving to be efficient approaches in SDN environments. This is mainly due to the amount of information these systems can provide, which can be used to characterize the regular network operation with high precision. However, most of the research in this area operates through sampling processes, analyzing the data in intervals of 5 min (Cortez et al., 2006; Bereziński et al., 2015; Shuying et al., 2010), 1 min (Pena et al., 2014; Sun et al., 2016), or even in smaller time intervals, such as 30 s (Carvalho et al., 2018) and 5 s (De Assis et al., 2018). While the sampling process helps in scaling the defense system, it may hide stealthier attacks, such as port scans. Thus, analyzing each flow separately may provide a more precise detection approach, in which the detection method can find anomalies in specific communications and even identify who is participating in them.
In this paper, we propose a defense system against intrusions and denial-of-service attacks for SDNs based on the analysis of single IP flow records. This individual flow inspection enables faster mitigation responses, ensuring the quality of the services provided by the SDN. The system is divided into two main modules, Detection and Mitigation.
The Detection Module is responsible for analyzing individual IP flows aiming to identify the occurrence of an anomaly. In this module, we used a recurrent deep learning algorithm called Gated Recurrent Units (GRU) (Cho et al., 2014) as a classifier. Deep learning approaches use multiple layers to learn data representations with various levels of abstraction and are increasingly gaining space among researchers for network applications (Lopez-Martin et al., 2018; Aldweesh et al., 2020). GRU is widely applied to problems in which historical information is essential to the performance of classification tasks. In the proposed system, this method inspects individual IP flows through a multidimensional analysis, operating as a binary flow classifier, i.e., classifying them as normal or abnormal.
The Mitigation Module generates efficient countermeasures against the detected attacks. Since the system proposed in this paper analyzes IP flows individually, it can directly identify the attacking node address. Thus, a directed mitigation approach is proposed, which aims to bring the SDN back to its regular operation through a light and straightforward process.
To evaluate the efficiency of GRU as a detection method, we tested it against seven other shallow and deep learning detection approaches over two different scenarios using public datasets. In the first one, named CICDDoS 2019 (Sharafaldin et al., 2019), we tested the methods over several different kinds of Distributed DoS (DDoS) attacks. The second scenario, called CICIDS 2018 (Sharafaldin et al., 2018), was used to test the efficiency of the detection methods against different intrusion techniques. Furthermore, these two datasets are used to measure the efficiency of the proposed mitigation approach with each of the evaluated detection methods. The choice of these datasets was motivated by their variety of attacks and the number of available IP flow features, an essential characteristic for the application of deep learning methods. Finally, we measured the number of flows per second each of the tested anomaly detection approaches can process, to demonstrate the feasibility of the proposed system.
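The argument above, that windowed sampling can hide a low-volume port scan while per-flow inspection exposes it and names the offending source for directed mitigation, as an added example in Python (not code from the paper): the flow records are constructed, and a fixed packets-and-bytes threshold stands in for the paper's GRU classifier.

```python
from collections import Counter
# Constructed IP flow records (not from the paper's datasets):
# (start_s, src_ip, dst_ip, dst_port, packets, bytes)
NORMAL = [
    (5,   "10.0.0.11", "10.0.0.5", 443,  840, 612_000),  # HTTPS session
    (40,  "10.0.0.12", "10.0.0.5", 443,  530, 388_000),
    (95,  "10.0.0.13", "10.0.0.5",  80,  210, 154_000),
    (150, "10.0.0.11", "10.0.0.6",  22,   96,  31_000),  # SSH session
    (220, "10.0.0.14", "10.0.0.5", 443, 1200, 905_000),
]
# A low-volume port scan: one tiny probe flow per destination port, all from a
# single host, spread over the same 5-minute window as the normal traffic.
SCAN = [(10 + 12 * i, "10.0.0.99", "10.0.0.5", 20 + i, 1, 40) for i in range(20)]
FLOWS = sorted(NORMAL + SCAN)

WINDOW_S = 300  # the 5-minute sampling interval cited above

def window_volume(flows, window_s=WINDOW_S):
    """Sampled view: total packets and bytes per window, keyed by window index."""
    totals = {}
    for start, _src, _dst, _port, pkts, nbytes in flows:
        idx = start // window_s
        p, b = totals.get(idx, (0, 0))
        totals[idx] = (p + pkts, b + nbytes)
    return totals

def scan_share_of_window(normal, scan, window_s=WINDOW_S):
    """Fraction of the first window's byte count that the scan contributes:
    the signal a volume-based sampled detector would have to notice."""
    scan_bytes = window_volume(scan, window_s)[0][1]
    all_bytes = window_volume(normal + scan, window_s)[0][1]
    return scan_bytes / all_bytes

def is_abnormal(flow):
    """Per-flow binary classifier stand-in (the paper uses a GRU): a flow carrying
    at most 2 packets and 64 bytes looks like a probe rather than a session."""
    _start, _src, _dst, _port, pkts, nbytes = flow
    return pkts <= 2 and nbytes <= 64

def classify_flows(flows):
    """Inspect each flow on its own and return the ones labelled abnormal."""
    return [f for f in flows if is_abnormal(f)]

def mitigation_target(abnormal):
    """Directed mitigation input: the source address behind most abnormal flows."""
    if not abnormal:
        return None
    src, count = Counter(f[1] for f in abnormal).most_common(1)[0]
    return src, count

if __name__ == "__main__":
    print(f"scan share of window bytes: {scan_share_of_window(NORMAL, SCAN):.4%}")
    bad = classify_flows(FLOWS)
    print(f"abnormal flows: {len(bad)} of {len(FLOWS)}; target: {mitigation_target(bad)}")
```

The 20 probe flows add well under 0.1% to the window's byte total, so the sampled view barely moves, while per-flow inspection flags every probe and attributes them to one source address.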
We can highlight the following as main contributions of this paper:
- A system for SDN defense against intrusion and DDoS attacks;
- A precise anomaly detection scheme based on isolated IP flow analysis, enabling near real-time detection. This approach allows for faster mitigation responses, minimizing the impact suffered by the SDN;
- The efficiency evaluation and comparison of distinct shallow and deep learning anomaly detection techniques applied to public datasets, and the efficiency measurement of the proposed mitigation process.
The remainder of this paper is organized as follows: Section 2 presents the state of the art through related work; Section 3 describes the organization of the proposed system; Section 4 details the GRU method used for anomaly detection in the Detection Module; Section 5 discusses the performance outcomes achieved by GRU in comparison with seven other methods and the performance evaluation of the mitigation approach; finally, Section 6 presents the conclusions and future work.
Related works
Software-defined Networking (SDN) is an emerging paradigm that significantly improves management procedures, providing the network administrator with the flexibility of dynamic traffic allocation, as well as an online, softwarized, and centralized configuration. Several authors have been developing solutions through the usage of SDNs, such as Theodorou and Mamatas (2017), who demonstrated the operation of CORAL-SDN, an SDN-based solution for the Internet of Things. The authors highlighted
SDN defense system
In this section, we describe the operation of the proposed SDN defense system. The management centralization provides many advantages in this paradigm. Still, it is necessary to give the controller security resources to guarantee its operation and, consequently, the quality of the services provided. Thus, in this paper, we propose an SDN security defense system able to detect the occurrence of different intrusion and DDoS attacks on central controllers through an analysis of multi-dimensional
Gated Recurrent Units to detect network attacks
Deep learning methods are becoming increasingly popular among researchers through their usage in various applications aiming to detect computer network attacks and anomalies. Deep learning is a class of machine learning that can retrieve patterns in complex data and, therefore, is widely applied to problems of image recognition, pattern classification, and time series prediction (McDermott et al., 2018). Deep learning stands for the concept of successive layers of representations, as its depth is
Tests and results
This section analyzes the performance results relating to the detection and mitigation modules of the security system. We have applied the GRU method together with the directed mitigation approach. To this end, we compared the proposed method with the following detection approaches: Deep Neural Network (DNN) (Abdulhammed et al., 2019), Convolutional Neural Network (CNN) (Kwon et al., 2018), Long Short-Term Memory (LSTM) (Qin et al., 2018), Support Vector Machine (SVM) (Lei, 2017),
Conclusions and future work
In this paper, we proposed an SDN defense system against intrusion and DDoS attacks. This approach can protect the SDN central controller against situations that may compromise it, consequently impairing the network operation. The proposed system is composed of two main parts, the Detection and Mitigation modules. The Detection module is responsible for detecting the occurrence of attacks, while the Mitigation module takes the required countermeasures to reduce their impact on the network and,
CRediT author statement
Marcos Vinicius Oliveira de Assis: Conceptualization, Methodology, Software, Validation, Formal analysis, Investigation, Data Curation, Writing - Original Draft, Visualization, Funding acquisition. Luiz Fernando Carvalho: Data Curation, Writing - Review & Editing. Jaime Lloret: Supervision, Writing - Review & Editing. Mario Lemes Proença Jr.: Conceptualization, Formal analysis, Writing - Review & Editing, Supervision, Project administration, Investigation, Funding acquisition.
Declaration of competing interest
The authors declare that they have no conflict of interest.
Acknowledgements
This study has been partially supported by the National Council for Scientific and Technological Development (CNPq) of Brazil under Grant of Project 310668/2019-0; by the “Ministerio de Economía y Competitividad” in the “Programa Estatal de Fomento de la Investigación Científica y Técnica de Excelencia, Subprograma Estatal de Generación de Conocimiento” within the project under Grant TIN2017-84802-C2-1-P; and by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES) by the
References (60)
- et al. (2020). Deep learning approaches for anomaly-based intrusion detection systems: a survey, taxonomy, and open issues. Knowl. Base Syst.
- et al. (2018). An ecosystem for anomaly detection and mitigation in software-defined networking. Expert Syst. Appl.
- et al. (2019). DA-DRLS: drift adaptive deep reinforcement learning based scheduling for IoT resource management. J. Netw. Comput. Appl.
- et al. (2020). Security in SDN: a comprehensive survey. J. Netw. Comput. Appl.
- et al. (2019). Internet of Things: a survey on machine learning-based intrusion detection approaches. Comput. Network.
- et al. (2020). Online DDoS attack detection using Mahalanobis distance and kernel-based learning algorithm. J. Netw. Comput. Appl.
- et al. (2019). Intrusion detection systems in the Internet of Things: a comprehensive investigation. Comput. Network.
- et al. (2019). Security risk assessment for SDN-enabled smart grids. Comput. Commun.
- et al. (2020). Data-driven software defined network attack detection: state-of-the-art and perspectives. Inf. Sci.
- et al. (2020). An enhanced saturation attack and its mitigation mechanism in software-defined networking. Comput. Network.
- Towards secure 5G networks: a survey. Comput. Network.
- Spatio-temporal heterogeneous bandwidth allocation mechanism against DDoS attack. J. Netw. Comput. Appl.
- Ballistocardiogram based person identification and authentication using recurrent neural networks.
- Deep and machine learning approaches for anomaly-based intrusion detection of imbalanced network traffic. IEEE Sensors Letters.
- Learning long-term dependencies with gradient descent is difficult. IEEE Trans. Neural Network.
- Soft-WSN: software-defined WSN management system for IoT applications. IEEE Systems Journal.
- An entropy-based network anomaly detection method. Entropy.
- Learning phrase representations using RNN encoder–decoder for statistical machine translation.
- Internet traffic forecasting using neural networks.
- Fast defense system against attacks in software defined networks. IEEE Access.
- A two-tier network based intrusion detection system architecture using machine learning approach.
- A survey on emerging SDN and NFV security mechanisms for IoT systems. IEEE Communications Surveys Tutorials.
- A comprehensive survey on network anomaly detection. Telecommun. Syst.
- Detecting malicious activity with DNS backscatter over time. IEEE/ACM Trans. Netw.
- Lightweight algorithm for protecting SDN controller against DDoS attacks.
- Unsupervised anomaly detection in IoT systems for smart cities. IEEE Transactions on Network Science and Engineering.
- Exploiting LSTM structure in deep neural networks for speech recognition.
- Long short-term memory. Neural Comput.
- An empirical exploration of recurrent network architectures.
- Anomaly detection for univariate time series with statistics and deep learning.
Cited by (85)
- Intrusion detection system for cyberattacks in the Internet of Vehicles environment. Ad Hoc Networks, 2024.
- Network intrusion detection based on the temporal convolutional model. Computers and Security, 2023.
- DL-2P-DDoSADF: Deep learning-based two-phase DDoS attack detection framework. Journal of Information Security and Applications, 2023.
- USAGE: Uncertain flow graph and spatio-temporal graph convolutional network-based saturation attack detection method. Journal of Network and Computer Applications, 2023.
- A network traffic prediction model based on reinforced staged feature interaction and fusion. Computer Networks, 2023.
Marcos V. O. de Assis is a professor at the Engineering and Exact Department of the Federal University of Paraná, Brazil. He received a master's degree in Computer Science at the State University of Londrina – Brazil and is a Ph.D. student in the Electrical Engineering Department at the same institution. In addition, he worked as a visiting researcher at the Polytechnic University of Valencia – Spain for 6 months on the development of his doctoral research through the CAPES PDSE program. He is part of the research group “Computer Networks and Data Communication,” and his research interest is in the management and security of large-scale computer networks.
Luiz F. Carvalho received the Ph.D. degree in Electrical Engineering and Telecommunications from the State University of Campinas in 2018. He completed his master's degree in Computer Science at the State University of Londrina in 2014. He has experience in Computer Science with an emphasis on Computer Networks and is part of the research group Computer Networks and Data Communication. His main research interests are the management and security of computer networks.
Jaime Lloret received his B.Sc.+M.Sc. in Physics in 1997, his B.Sc.+M.Sc. in Electronic Engineering in 2003 and his Ph.D. in Telecommunication Engineering (Dr. Ing.) in 2006. He is a Cisco Certified Network Professional Instructor. He worked as a network designer and administrator in several enterprises. He is currently Associate Professor at the Polytechnic University of Valencia. He is the Chair of the Integrated Management Coastal Research Institute (IGIC) and the head of the “Active and collaborative techniques and use of technologic resources in the education (EITACURTE)” Innovation Group. He is currently the chair of the Working Group of the Standard IEEE 1907.1. Since 2016 he has been the Spanish researcher with the highest h-index in the TELECOMMUNICATIONS journal list according to the Clarivate Analytics Ranking. He is an IEEE Senior Member, ACM Senior Member and IARIA Fellow.
Mario Lemes Proença Jr. is an Associate Professor and leader of the research group that studies computer networks in the Computer Science Department at the State University of Londrina (UEL), Brazil. He received the Ph.D. degree in Electrical Engineering and Telecommunications from the State University of Campinas (UNICAMP) in 2005. He received the M.Sc. degree in Computer Science from the Informatics Institute of the Federal University of Rio Grande do Sul (UFRGS) in 1998. He has authored or coauthored over 100 papers in refereed international journals and conferences, book chapters, and one software register patent. His research interests include Computer Networks, Network Operations, Management and Security, and IT Governance. He has supervised 14 M.Sc. and three Ph.D. students. He has been a Master's supervisor in Computer Science at the State University of Londrina and a Ph.D. supervisor in the Department of Electrical Engineering at UEL.