Machine learning based malicious payload identification in software-defined networking

doi:10.1016/j.jnca.2021.103186

Journal of Network and Computer Applications

Volume 192, 15 October 2021, 103186

https://doi.org/10.1016/j.jnca.2021.103186 Get rights and content

Under a Creative Commons license

open access

Highlights

•
A novel deep packet inspection method in software-defined networking is proposed.
•
Binary logistic regression is efficient in identifying unencrypted malicious payloads.
•
An adaptive packet window samples packets to ease the burden of the controller.
•
The decision tree is efficient in classifying malicious encrypted packets.
•
The throughput and overheads of the deep packet inspection method are acceptable.

Abstract

Deep packet inspection (DPI) has been extensively investigated in software-defined networking (SDN) as complicated attacks may intractably inject malicious payloads in the packets. Existing proprietary pattern-based or port-based third-party DPI tools can suffer from limitations in efficiently processing a large volume of data traffic. In this paper, a novel OpenFlow-enabled deep packet inspection (OFDPI) approach is proposed based on the SDN paradigm to provide adaptive and efficient packet inspection. First, OFDPI prescribes an early detection at the flow-level granularity by checking the IP addresses of each new flow via OpenFlow protocols. Then, OFDPI allows for deep packet inspection at the packet-level granularity: (i) for unencrypted packets, OFDPI extracts the features of accessible payloads, including tri-gram frequency based on Term Frequency and Inverted Document Frequency (TF–IDF) and linguistic features. These features are concatenated into a sparse matrix representation and are then applied to train a binary classifier with logistic regression rather than matching with specific pattern combinations. In order to balance the detection accuracy and performance bottleneck of the SDN controller, OFDPI introduces an adaptive packet sampling window based on the linear prediction; and (ii) for encrypted packets, OFDPI extracts notable features of packets and then trains a binary classifier with a decision tree, instead of decrypting the encrypted traffic to weaken user privacy. A prototype of OFDPI is implemented on the Ryu SDN controller and the Mininet platform. The performance and the overhead of the proposed solution are assessed using the real-world datasets through experiments. The numerical results indicate that OFDPI can provide a significant improvement in detection accuracy with acceptable overheads.

Keywords

Software-defined networking

Deep packet inspection

Machine learning

Linear prediction

Cited by (0)

Qiumei Cheng received the B.E degree in software engineering from Southwest University of Science and Technology in 2016. She is currently pursuing the Ph.D. degree with the College of Computer Science and Technology, Zhejiang University. Her research interests include software-defined network security, intrusion response system, traffic monitoring and reinforcement learning.

Chunming Wu received the Ph.D. degree in computer science from Zhejiang University in 1995. He is currently a Professor with the College of Computer Science and Technology, Zhejiang University. He is also the Associate Director of the Research Institute of Computer System Architecture and Network Security, Zhejiang University, and the Director of the NGNT Laboratory. His research fields include software-defined networks, reconfigurable networks, proactive network defense, network security, and the architecture of next-generation Internet.

Haifeng Zhou received the Ph.D. degree in computer science and technology from Zhejiang University in 2018. His current research interests include software-defined network security, proactive network defense, intelligent networks and security systems, cloud security, software-defined networks, network traffic engineering, and innovative network and security technologies.

Dezhang Kong received the B.E degree in information security from the Huazhong University of Science and Technology in 2018. He is currently pursuing the Master degree in network space security with the College of Computer Science and Technology, Zhejiang University. His research interests include AI security, network security and software-defined network security.

Dong Zhang received the Ph.D. degree in computer science from Zhejiang University in 2010, and currently is an associate professor of College of Mathematics and Computer Science at Fuzhou University. His research areas include software defined networking, network virtualization and Internet QoS.

Junchi Xing received the Ph.D. degree with the College of Computer Science and Technology, Zhejiang University in 2020. His research interests include software-defined networks, software-defined network security, and cloud security.

Wei Ruan, Professorate senior engineer Wei Ruan was born in 1969. After graduating from Shanghai Jiao Tong University in 1991, he received M.S. and Ph.D. degrees from Zhejiang University majoring in the Department of Energy in 1997 and 2000, respectively. He has joined the SUPCON Group Co.,Ltd since 2000 and has served as major project director, deputy chief engineer, and vice president of Zhejiang Supcon Research Co.,Ltd. until 2016. He has been engaged in the research on the software and hardware of the national strategic equipment automatic control system, the optimization control strategy, and the field engineering application over a long period of time.