A GRU deep learning system against attacks in software defined networks

https://doi.org/10.1016/j.jnca.2020.102942

Highlights

  • This paper introduces a system for SDN's defense against intrusion and DDoS attacks.

  • We propose an anomaly detection scheme based on isolated flow analysis using GRU.

  • We present an efficiency evaluation of distinct detection techniques applied to SDNs.

  • We used public datasets for performance analysis, which enables replication of the results.

Abstract

The management of modern network environments is becoming increasingly complex due to the device heterogeneity brought by the popularization of the Internet of Things (IoT), as well as the dynamic traffic required by next-generation applications and services. To address this problem, Software-defined Networking (SDN) emerges as a management paradigm able to handle these problems through a centralized, high-level view of the network. However, this centralized characteristic also creates a critical point of failure, since the central controller may be targeted by malicious users aiming to impair the network operation. This paper proposes an SDN defense system based on the analysis of single IP flow records, which uses the Gated Recurrent Units (GRU) deep learning method to detect DDoS and intrusion attacks. This direct flow inspection enables faster mitigation responses, minimizing the attack's impact on the SDN. The proposed model is tested against several different machine learning approaches over two public datasets, the CICDDoS 2019 and the CICIDS 2018. Furthermore, a lightweight mitigation approach is presented and evaluated through performance tests for each detection method. Finally, a feasibility test is performed regarding the throughput of flows per second that each detection method can analyze. This test uses real IP flow data collected at a large-scale network. The results show promising detection rates and a high number of analyzed flows per second, which makes GRU a feasible approach for the proposed system.

Graphical abstract

Overall operation of the proposed SDN security system, which aims to protect its central controller against intrusion and DDoS attacks through individual IP flow analysis.


Introduction

The amount of data traveling on the Internet is rapidly increasing due to the growth in popularity and complexity of connected devices and software solutions. The usage of network resources by end users is rising through the popularization of social networks, web banking applications, and e-commerce, for instance. Thus, new cloud-based services are becoming essential to the operation of this new network environment, which brings specific requirements, such as dynamic traffic allocation (Maenhaut et al., 2017). Furthermore, the increasing popularity of Internet of Things (IoT) devices is gradually changing the Internet scenario by increasing the heterogeneity of communication, since each device (thing) has specific network requirements and processing capability (Yoon and Kim, 2017; Bera et al., 2018). In the face of these changes, management and security are becoming impracticable in traditional static network environments (da Costa et al., 2019; Hajiheidari et al., 2019).

A networking paradigm that is gaining ground in recent research and applications is Software-defined Networking (SDN) (Zehra and Shah, 2017; Farris et al., 2019). This network paradigm operates by centralizing the network management into a single programmable controller, able to communicate with and control network devices such as switches and routers regardless of their manufacturers, treating them as "white boxes". SDN separates the control and data planes so that the central controller is responsible for sending, for instance, management and packet forwarding policies to the controlled devices in a scalable and coordinated manner. This characteristic is a valuable feature able to provide next-generation networks with the dynamic architecture they require (Zhang et al., 2019), in which changes can be performed in a fast, programmable, and on-demand way.

However, while bringing essential improvements to the current network architecture, SDN, as any centralized service, has its central controller as a critical point of failure. Malicious users may target this controller aiming to impair the whole network operation through different approaches, such as intrusions (Lopez-Martin et al., 2017) and denial of service (DoS) attacks (Daneshgadeh Çakmakçı et al., 2020; Wang et al., 2020; Xu et al., 2020; Zhang et al., 2020). Thus, efficient protection mechanisms are needed in SDNs to guarantee the availability of the network and the quality of the provided services (Correa Chica et al., 2020).

The occurrence of these attacks can be generically described as an anomaly, a situation in which the network behavior differs from its normal state (Proença et al., 2005). Anomaly detection is a widely studied area, with several different methods proposed in the past years (Fernandes et al., 2019). However, it is still an open research field, since no consensus has been reached due to the enormous number of different network scenarios and architectures available. In SDN environments, security is a central concern, arousing great interest from the scientific community due to the importance of this paradigm to present and future networks (Maziku et al., 2019).

Among all the anomaly detection methods, the IP flow-based ones are proving to be efficient approaches in SDN environments. This is mainly due to the amount of information these systems can provide, which can be used to characterize the regular network operation with high precision. However, most of the research in this area operates through sampling processes, analyzing the data in intervals of 5 min (Cortez et al., 2006; Bereziński et al., 2015; Shuying et al., 2010), 1 min (Pena et al., 2014; Sun et al., 2016), or even smaller time intervals, such as 30 s (Carvalho et al., 2018) and 5 s (De Assis et al., 2018). While the sampling process helps in scaling the defense system, it may hide stealthier attacks, such as port scans. Thus, analyzing each flow separately may provide a more precise detection approach, in which the detection method can find anomalies in specific communications and even identify who is participating in them.
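The following is an added illustration of the point above, not code from the paper: it constructs one 5-minute window of benign HTTPS flows plus a handful of single-SYN probe flows, shows how little the probes move the window-level totals a sampled detector would see, and then inspects each flow record on its own. The per-flow rule used here (a TCP flow made of one SYN and nothing else) is a constructed stand-in for the paper's trained classifier, and all addresses and counts are made up.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One IP flow record with NetFlow-like fields (constructed for this example)."""
    ts: int        # flow start, seconds since the start of the capture
    src: str
    dst: str
    dport: int
    proto: int     # 6 = TCP
    flags: str     # TCP flags seen over the flow, e.g. "S" = only a SYN
    packets: int
    bytes: int


def background_flows(n: int = 2000) -> list[Flow]:
    """Constructed benign traffic: n completed HTTPS sessions inside one 5-minute window."""
    return [Flow(ts=i % 300, src=f"10.0.{1 + i // 250}.{1 + i % 250}", dst="10.0.0.5",
                 dport=443, proto=6, flags="SPAF", packets=120, bytes=150_000)
            for i in range(n)]


def probe_flows(n_ports: int = 40, src: str = "10.0.9.9") -> list[Flow]:
    """Constructed low-volume scan-like traffic: one unanswered SYN per port, same window."""
    return [Flow(ts=100 + p, src=src, dst="10.0.0.5", dport=1 + p, proto=6,
                 flags="S", packets=1, bytes=60)
            for p in range(n_ports)]


def window_aggregate(flows: list[Flow], window_s: int = 300) -> dict[int, dict[str, int]]:
    """Totals per time window: this is all a sampled (e.g. 5-minute) detector gets to see."""
    agg: dict[int, dict[str, int]] = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for f in flows:
        w = (f.ts // window_s) * window_s
        agg[w]["flows"] += 1
        agg[w]["packets"] += f.packets
        agg[w]["bytes"] += f.bytes
    return dict(agg)


def relative_increase(baseline: list[Flow], extra: list[Flow], window: int = 0) -> dict[str, float]:
    """Fractional change of each window total when `extra` is added to `baseline`."""
    before = window_aggregate(baseline)[window]
    after = window_aggregate(baseline + extra)[window]
    return {k: (after[k] - before[k]) / before[k] for k in before}


def inspect_flow(f: Flow) -> bool:
    """Isolated, per-flow check that uses only the record's own fields (a constructed rule
    standing in for the trained classifier): a TCP flow consisting of a single SYN and
    nothing else never completed a handshake."""
    return f.proto == 6 and f.packets == 1 and f.flags == "S"


def detect(flows: list[Flow]) -> tuple[list[Flow], list[str]]:
    """Return the flagged flows and the distinct source addresses behind them."""
    flagged = [f for f in flows if inspect_flow(f)]
    return flagged, sorted({f.src for f in flagged})


if __name__ == "__main__":
    base, probes = background_flows(), probe_flows()
    print("window-level change caused by the probes:", relative_increase(base, probes))
    flagged, sources = detect(base + probes)
    print(f"per-flow inspection flagged {len(flagged)} flows from {sources}")
```

With the constructed data the probes add well under 0.1% to the packet and byte totals of the window, which is within normal fluctuation for an aggregate detector, whereas the per-flow check flags all 40 probe flows and names their source.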

In this paper, we propose a defense system against intrusions and denial-of-service attacks for SDNs based on the analysis of single IP flow records. This individual flow inspection enables faster mitigation responses, ensuring the quality of the services provided by the SDN. The system is divided into two main modules: Detection and Mitigation.

The Detection Module is responsible for analyzing individual IP flows aiming to identify the occurrence of an anomaly. In this module, we used a recurrent deep learning algorithm called Gated Recurrent Units (GRU) (Cho et al., 2014) as a classifier. Deep learning approaches use multiple layers to learn data representations with various levels of abstraction and are increasingly gaining space among researchers for network applications (Lopez-Martin et al., 2018; Aldweesh et al., 2020). GRU is widely applied to problems in which historical information is essential to the performance of classification tasks. In the proposed system, this method inspects individual IP flows through a multidimensional analysis, operating as a binary flow classifier, i.e., classifying them as normal or abnormal.
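To make the "historical information" property concrete, here is an added pure-Python GRU cell (not the paper's implementation, and with no training) that implements the gating equations of Cho et al. (2014) and a binary output head. The weights are hand-set so that the effect of the update gate can be checked by hand: with a strongly negative update bias the cell keeps its previous state regardless of the input, with a strongly positive one it discards history and takes the new candidate. How the paper arranges a flow's features into a sequence is not shown on this page; feeding one feature vector per step is an assumption of this example.

```python
import math


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def matvec(M: list[list[float]], v: list[float]) -> list[float]:
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def zero_params(n_in: int, n_hid: int, b_z: float = 0.0, W_h=None) -> dict:
    """All-zero GRU parameters (so gate behaviour is checkable by hand); the update-gate
    bias b_z and the candidate input weights W_h can be overridden. A trained model would
    learn every one of these matrices instead."""
    zeros_in = lambda: [[0.0] * n_in for _ in range(n_hid)]
    zeros_hid = lambda: [[0.0] * n_hid for _ in range(n_hid)]
    return {
        "W_z": zeros_in(), "U_z": zeros_hid(), "b_z": [b_z] * n_hid,
        "W_r": zeros_in(), "U_r": zeros_hid(), "b_r": [0.0] * n_hid,
        "W_h": W_h if W_h is not None else zeros_in(), "U_h": zeros_hid(), "b_h": [0.0] * n_hid,
    }


class GRUCell:
    """One GRU layer implementing the equations of Cho et al. (2014):
         z_t  = sigmoid(W_z x_t + U_z h_{t-1} + b_z)          update gate
         r_t  = sigmoid(W_r x_t + U_r h_{t-1} + b_r)          reset gate
         h~_t = tanh(W_h x_t + U_h (r_t * h_{t-1}) + b_h)     candidate state
         h_t  = (1 - z_t) * h_{t-1} + z_t * h~_t"""

    def __init__(self, p: dict):
        self.p = p
        self.n_hid = len(p["b_z"])

    def step(self, x: list[float], h_prev: list[float]):
        p = self.p
        z = [sigmoid(a + b + c) for a, b, c in zip(matvec(p["W_z"], x), matvec(p["U_z"], h_prev), p["b_z"])]
        r = [sigmoid(a + b + c) for a, b, c in zip(matvec(p["W_r"], x), matvec(p["U_r"], h_prev), p["b_r"])]
        gated = [ri * hi for ri, hi in zip(r, h_prev)]            # reset gate scales the old state
        cand = [math.tanh(a + b + c) for a, b, c in zip(matvec(p["W_h"], x), matvec(p["U_h"], gated), p["b_h"])]
        h = [(1.0 - zi) * hp + zi * ci for zi, hp, ci in zip(z, h_prev, cand)]
        return h, z, r

    def run(self, xs: list[list[float]], h0=None) -> list[float]:
        """Feed a sequence of feature vectors and return the final hidden state."""
        h = list(h0) if h0 is not None else [0.0] * self.n_hid
        for x in xs:
            h, _, _ = self.step(x, h)
        return h


def classify(cell: GRUCell, xs: list[list[float]], w_out: list[float], b_out: float, threshold: float = 0.5):
    """Binary head on the final state: probability of 'abnormal' and the resulting label."""
    h = cell.run(xs)
    prob = sigmoid(sum(w * hi for w, hi in zip(w_out, h)) + b_out)
    return prob, ("abnormal" if prob >= threshold else "normal")


if __name__ == "__main__":
    cell = GRUCell(zero_params(2, 1))
    print("zero weights, h0=1, three steps:", cell.run([[0.0, 0.0]] * 3, h0=[1.0]))   # halves each step
    keep = GRUCell(zero_params(2, 1, b_z=-50.0))
    print("update gate shut, state kept:", keep.run([[0.9, 0.9]] * 5, h0=[1.0]))
    fresh = GRUCell(zero_params(2, 1, b_z=50.0, W_h=[[1.0, -1.0]]))
    print("update gate open, history dropped:", classify(fresh, [[0.5, 0.2]], [10.0], -2.0))
```

With all-zero weights both gates sit at 0.5 and the candidate is 0, so the state halves every step; the two biased cells show the two extremes of the update gate. Real weights come from training on labelled flows, which this page only describes.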

The Mitigation Module generates efficient countermeasures against the detected attacks. Since the system proposed in this paper analyzes IP flows individually, it can directly identify the attacking node's address. Thus, a directed mitigation approach is proposed, which aims to bring the SDN back to its regular operation through a light and straightforward process.
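The following is an added sketch of what "directed" mitigation from per-flow verdicts can look like; it is not the paper's code and the verdicts are constructed. The mitigator counts abnormal verdicts per source, installs a drop rule that matches only that source address (never a blanket block), refuses to act on addresses in a protected set such as the controller's own, avoids installing the same rule twice, and expires rules after a fixed time. The `as_flow_mod` dictionary shape and field names, including `hard_timeout`, are illustrative rather than a particular controller's API.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    """Per-flow output of the Detection Module (constructed here; in the paper it is the
    GRU's binary normal/abnormal verdict on one IP flow record)."""
    src: str
    dst: str
    dport: int
    proto: int
    abnormal: bool


@dataclass
class DropRule:
    """A directed countermeasure: a flow entry matching only the offending source."""
    match_src: str
    installed_at: int
    hard_timeout_s: int          # rule removes itself after this many seconds
    priority: int = 100
    reason: str = "abnormal flows from this source"

    def as_flow_mod(self) -> dict:
        """Controller-side representation (illustrative shape, not a specific controller's API)."""
        return {"command": "ADD", "priority": self.priority,
                "match": {"ipv4_src": self.match_src},
                "instructions": [],              # no forwarding action = drop
                "hard_timeout": self.hard_timeout_s}


class DirectedMitigator:
    """Turns per-flow verdicts into per-source drop rules, never a blanket block."""

    def __init__(self, protected: frozenset[str] = frozenset(), min_abnormal: int = 2, timeout_s: int = 300):
        self.protected = protected          # addresses that must never be cut off (e.g. the controller)
        self.min_abnormal = min_abnormal    # abnormal flows required before acting on a source
        self.timeout_s = timeout_s
        self.rules: dict[str, DropRule] = {}

    def process(self, verdicts: list[Verdict], now: int) -> list[DropRule]:
        """Install rules for newly identified sources; returns only the rules added in this call."""
        counts = Counter(v.src for v in verdicts if v.abnormal)
        added = []
        for src, n in counts.items():
            if n < self.min_abnormal or src in self.protected or src in self.rules:
                continue
            rule = DropRule(match_src=src, installed_at=now, hard_timeout_s=self.timeout_s)
            self.rules[src] = rule
            added.append(rule)
        return added

    def expire(self, now: int) -> list[str]:
        """Mirror the switch-side timeout so the local rule table does not grow unbounded."""
        gone = [src for src, r in self.rules.items() if now - r.installed_at >= r.hard_timeout_s]
        for src in gone:
            del self.rules[src]
        return gone


def constructed_verdicts() -> list[Verdict]:
    """Made-up detector output: one persistent offender, one isolated hit, the controller's
    own address (protected), and benign flows."""
    v = [Verdict("10.0.9.9", "10.0.0.5", p, 6, True) for p in (22, 23, 80)]
    v.append(Verdict("10.0.1.7", "10.0.0.5", 443, 6, True))
    v += [Verdict("10.0.0.1", "10.0.0.5", 6633, 6, True)] * 5
    v += [Verdict(f"10.0.1.{i}", "10.0.0.5", 443, 6, False) for i in range(10, 20)]
    return v


if __name__ == "__main__":
    m = DirectedMitigator(protected=frozenset({"10.0.0.1"}), min_abnormal=2, timeout_s=300)
    for rule in m.process(constructed_verdicts(), now=0):
        print("install:", rule.as_flow_mod())
    print("re-run adds:", m.process(constructed_verdicts(), now=10))
    print("expired at t=300:", m.expire(now=300))
```

The `min_abnormal` threshold and the protected set are the two knobs that keep a single misclassified flow from cutting off a legitimate host or the controller itself; the hard timeout keeps a false positive from being permanent.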

To evaluate the efficiency of GRU as a detection method, we tested it against seven other shallow and deep learning detection approaches over two different scenarios using public datasets. In the first one, named CICDDoS 2019 (Sharafaldin et al., 2019), we tested the methods over several different kinds of Distributed DoS (DDoS) attacks. The second scenario, called CICIDS 2018 (Sharafaldin et al., 2018), was used to test the efficiency of the detection methods against different intrusion techniques. Furthermore, these two datasets are used to measure the proposed mitigation approach's efficiency for each of the evaluated detection methods. The choice of these datasets was motivated by their variety of attacks and the number of available IP flow features, an essential characteristic for the application of deep learning methods. Finally, we measured the number of flows per second each anomaly detection approach can process to demonstrate the proposed system's feasibility.

We can highlight the following as main contributions of this paper:

  • A system for SDN defense against intrusion and DDoS attacks;

  • A precise anomaly detection scheme based on isolated IP flow analysis, enabling near real-time detection. This approach allows for faster mitigation responses, minimizing the impact suffered by the SDN;

  • The efficiency evaluation and comparison of distinct shallow and deep learning anomaly detection techniques applied in public datasets and the efficiency measurement of the proposed mitigation process.

The remainder of this paper is organized as follows: Section 2 presents the state of the art through related work; Section 3 describes the organization of the proposed system; Section 4 details the GRU method used for anomaly detection in the Detection Module; Section 5 discusses the performance outcomes achieved by GRU in comparison with seven other methods and the performance evaluation of the mitigation approach; finally, Section 6 presents the conclusions and future work.

Section snippets

Related works

Software-defined Networking (SDN) is an emerging paradigm that significantly improves the management procedures, providing the network administrator with the flexibility of dynamic traffic allocation, as well as an online, softwarized, and centralized configuration. Several authors have been developing solutions through the usage of SDNs, such as Theodorou and Mamatas (2017) that demonstrated the operation of CORAL-SDN, an SDN based solution for the Internet of Things. The authors highlighted

SDN defense system

In this section, we describe the operation of the proposed SDN defense system. The management centralization provides many advantages in this paradigm. Still, it is necessary to give the controller security resources to guarantee its operation and, consequently, the quality of the services provided. Thus, in this paper, we propose an SDN security defense system able to detect the occurrence of different intrusion and DDoS attacks on central controllers through an analysis of multi-dimensional

Gated Recurrent Units to detect network attacks

Deep learning methods are becoming increasingly popular among researchers through their usage in various applications aiming to detect computer network attacks and anomalies. Deep learning is a class of machine learning that can retrieve patterns in complex data and, therefore, is widely applied to problems of image recognition, pattern classification, and time series prediction (McDermott et al., 2018). Deep learning stands for the concept of successive layers of representations, as its depth is

Tests and results

This section analyzes the performance results for the detection and mitigation modules of the security system. We have applied the GRU method together with the directed mitigation approach. To this end, we compared the proposed method with the following detection approaches: Deep Neural Network (DNN) (Abdulhammed et al., 2019), Convolutional Neural Network (CNN) (Kwon et al., 2018), Long-Short Term Memory (LSTM) (Qin et al., 2018), Support Vector Machine (SVM) (Lei, 2017),

Conclusions and future work

In this paper, we proposed an SDN defense system against intrusion and DDoS attacks. This approach can protect the SDN central controller against situations that may compromise it and consequently impair the network operation. The proposed system is composed of two main parts, the Detection and Mitigation modules. The Detection module is responsible for detecting the occurrence of attacks, while the Mitigation module takes the required countermeasures to reduce their impact on the network and,

Credit author statement

Marcos Vinicius Oliveira de Assis: Conceptualization, Methodology, Software, Validation, Formal analysis, Investigation, Data Curation, Writing - Original Draft, Visualization, Funding acquisition. Luiz Fernando Carvalho: Data Curation, Writing - Review & Editing. Jaime Lloret: Supervision, Writing - Review & Editing. Mario Lemes Proença Jr.: Conceptualization, Formal analysis, Writing - Review & Editing, Supervision, Project administration, Investigation, Funding acquisition.

Declaration of competing interest

Authors declare that they have no conflict of interest.

Acknowledgements

This study has been partially supported by the National Council for Scientific and Technological Development (CNPq) of Brazil under Grant of Project 310668/2019-0; by the “Ministerio de Economía y Competitividad” in the “Programa Estatal de Fomento de la Investigación Científica y Técnica de Excelencia, Subprograma Estatal de Generación de Conocimiento” within the project under Grant TIN2017-84802-C2-1-P; and by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES) by the


References (60)

  • S. Zhang et al., Towards secure 5G networks: a survey, Comput. Network. (2019)
  • X. Zhang et al., Spatio-temporal heterogeneous bandwidth allocation mechanism against DDoS attack, J. Netw. Comput. Appl. (2020)
  • X. Zhang et al., Ballistocardiogram based person identification and authentication using recurrent neural networks
  • R. Abdulhammed et al., Deep and machine learning approaches for anomaly-based intrusion detection of imbalanced network traffic, IEEE Sensors Letters (2019)
  • Y. Bengio et al., Learning long-term dependencies with gradient descent is difficult, IEEE Trans. Neural Network. (1994)
  • S. Bera et al., Soft-WSN: software-defined WSN management system for IoT applications, IEEE Systems Journal (2018)
  • P. Bereziński et al., An entropy-based network anomaly detection method, Entropy (2015)
  • K. Cho et al., Learning phrase representations using RNN encoder–decoder for statistical machine translation
  • P. Cortez et al., Internet traffic forecasting using neural networks
  • M.V.O. De Assis et al., Fast defense system against attacks in software defined networks, IEEE Access (2018)
  • Divyatmika et al., A two-tier network based intrusion detection system architecture using machine learning approach
  • I. Farris et al., A survey on emerging SDN and NFV security mechanisms for IoT systems, IEEE Communications Surveys Tutorials (2019)
  • G. Fernandes et al., A comprehensive survey on network anomaly detection, Telecommun. Syst. (2019)
  • K. Fukuda et al., Detecting malicious activity with DNS backscatter over time, IEEE/ACM Trans. Netw. (2017)
  • C. Gkountis et al., Lightweight algorithm for protecting SDN controller against DDoS attacks
  • Y. Guo et al., Unsupervised anomaly detection in IoT systems for smart cities, IEEE Transactions on Network Science and Engineering (2020)
  • T. He et al., Exploiting LSTM structure in deep neural networks for speech recognition
  • S. Hochreiter et al., Long short-term memory, Neural Comput. (1997)
  • R. Jozefowicz et al., An empirical exploration of recurrent network architectures
  • J. Kao et al., Anomaly detection for univariate time series with statistics and deep learning


Marcos V. O. de Assis is a professor at the Engineering and Exact Department of the Federal University of Paraná, Brazil. He received a master's degree in Computer Science at the State University of Londrina, Brazil, and is a Ph.D. student in the Electrical Engineering Department at the same institution. In addition, he worked as a visiting researcher at the Polytechnic University of Valencia, Spain, for 6 months on the development of his doctoral research through the CAPES PDSE program. He is part of the research group "Computer Networks and Data Communication," and his research interest is in management and security of large-scale computer networks.

Luiz F. Carvalho received the Ph.D. degree in Electrical Engineering and Telecommunications from the State University of Campinas in 2018. He completed his master's degree in Computer Science at the State University of Londrina in 2014. He has experience in Computer Science with emphasis in Computer Networks and is part of the research group Computer Networks and Data Communication. His main research interests are management and security of computer networks.

Jaime Lloret received his B.Sc.+M.Sc. in Physics in 1997, his B.Sc.+M.Sc. in Electronic Engineering in 2003 and his Ph.D. in Telecommunication Engineering (Dr. Ing.) in 2006. He is a Cisco Certified Network Professional Instructor. He worked as a network designer and administrator in several enterprises. He is currently Associate Professor at the Polytechnic University of Valencia. He is the Chair of the Integrated Management Coastal Research Institute (IGIC) and the head of the "Active and collaborative techniques and use of technologic resources in the education (EITACURTE)" Innovation Group. He is currently the chair of the Working Group of the Standard IEEE 1907.1. Since 2016 he has been the Spanish researcher with the highest h-index in the TELECOMMUNICATIONS journal list according to the Clarivate Analytics Ranking. He is an IEEE Senior Member, ACM Senior Member and IARIA Fellow.

Mario Lemes Proença Jr. is an Associate Professor and leader of the research group that studies computer networks in the Computer Science Department at the State University of Londrina (UEL), Brazil. He received the Ph.D. degree in Electrical Engineering and Telecommunications from the State University of Campinas (UNICAMP) in 2005. He received the M.Sc. degree in Computer Science from the Informatics Institute of the Federal University of Rio Grande do Sul (UFRGS) in 1998. He has authored or coauthored over 100 papers in refereed international journals and conferences, book chapters, and one software registration patent. His research interests include Computer Networks, Network Operations, Management and Security, and IT Governance. He has supervised 14 M.Sc. and three Ph.D. students. He has been a Master's supervisor in Computer Science at the State University of Londrina and a Ph.D. supervisor in the Department of Electrical Engineering at UEL.
