Detection of Malicious Flows in the Software-Defined Networks by Using Statistical Flow Analysis-Based Intrusion Detection System
Abstract
In the past few years, internet traffic has grown rapidly, and modern network technologies have evolved to combine hybrid telecommunication systems with conventional computer networks. Unfortunately, the wireless nature of these technologies provides easy access to the network, resulting in an increased risk of network intrusion and ultimately creating a demand for an intrusion detection system (IDS). In this paper, an IDS is proposed to detect malicious flows in the Software-Defined Network (SDN). The core concept is to implement a robust statistical analysis-based intrusion detection system (SF-ABIDS) inside the RYU controller that collects network traffic statistics from the southbound interface after a specific time interval (without changing the standard architecture of SDN). Due to the centralized nature of SDNs, the SDN controller that sits on top will face lightning-speed incoming network traffic flows. Our IDS will live in the SDN controller as an application and will perform systematic analysis on incoming network traffic flows. After this analysis, the IDS will have the results, and it will completely block any source IP that it classifies as malicious. This is the generalized workflow of our IDS in an SDN controller monitoring the incoming traffic. This workflow allows our IDS to perform accurately and achieve outstanding results by classifying malicious packets and placing them where they belong, i.e., the blacklist. The SF-ABIDS is inspired by a meta-classification (ensemble classification) technique that consists of four modules. We use the standard ISCX-UNB dataset to gauge the overall performance of our proposed intrusion detection system. Flow match statistics features are extracted using the OpenFlow (OF) protocol, which enables the new scheme to detect malicious flows in less time with higher accuracy.
These features are then exploited using various machine learning (ML) based classifiers, including Decision Table, JRip, J48, PART, Random Forest, RepTree, and LMT. The performance of these classifiers is tested using evaluation parameters such as accuracy in terms of true positive (TP), false positive (FP), AUROC, and the harmonic mean of precision and recall at 0.95. Supervised classifiers that achieve more than 99% AUROC, harmonic value, and accuracy, and that detect the flow class in the least time (up to precision level 3), are considered ideal for the new system. As mentioned above, the architecture of the Software-Defined Network requires that it be dependable in managing network traffic, so our proposed intrusion detection system introduces dependability as security in SDN by actively monitoring incoming traffic, so that intruders cannot exploit the centralized nature of Software-Defined Networks. The core idea of the transition from conventional networks to SDNs is to introduce simplicity so that the network can scale easily to meet today's needs arising from the Internet of Things (IoT) revolution. Our IDS supports this manifesto and introduces simplicity and security in the network without any additional pre-processing overhead.
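The interval-polling step the abstract describes can be sketched as follows; this is an added example, not the paper's code. It turns two successive OpenFlow flow-stats polls into per-flow features and blacklists the sources a classifier flags. The `FlowStat` type, the sample polls and the threshold rule are assumptions; the paper uses trained classifiers such as J48 or Random Forest in place of the placeholder rule.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowStat:
    """Subset of an OpenFlow flow-stats entry (hypothetical container type)."""
    src: str
    dst: str
    packet_count: int
    byte_count: int
    duration_sec: int

def interval_features(prev, curr):
    """Per-flow rates between two successive polls, keyed by (src, dst)."""
    before = {(f.src, f.dst): f for f in prev}
    feats = {}
    for f in curr:
        old = before.get((f.src, f.dst))
        # New flow, or entry expired and was reinstalled (counters went backwards):
        # use the entry's own lifetime counters instead of a negative delta.
        if old is None or f.packet_count < old.packet_count or f.duration_sec < old.duration_sec:
            pkts, byts, secs = f.packet_count, f.byte_count, f.duration_sec
        else:
            pkts = f.packet_count - old.packet_count
            byts = f.byte_count - old.byte_count
            secs = f.duration_sec - old.duration_sec
        secs = max(secs, 1)  # avoid division by zero for sub-second intervals
        feats[(f.src, f.dst)] = {"pps": pkts / secs, "bps": byts / secs,
                                 "avg_pkt": byts / pkts if pkts else 0.0}
    return feats

def placeholder_classifier(feat):
    """Hypothetical rule standing in for a trained model (thresholds are made up)."""
    return feat["pps"] > 1000 and feat["avg_pkt"] < 100

def update_blacklist(blacklist, feats, classify=placeholder_classifier):
    """Add the source IP of every flow the classifier marks malicious."""
    blacklist.update(src for (src, _dst), feat in feats.items() if classify(feat))
    return blacklist

# Constructed sample polls taken 10 s apart (not data from the paper).
POLL_1 = [FlowStat("10.0.0.1", "10.0.0.9", 500, 400000, 20),
          FlowStat("10.0.0.66", "10.0.0.9", 1000, 60000, 5)]
POLL_2 = [FlowStat("10.0.0.1", "10.0.0.9", 900, 720000, 30),
          FlowStat("10.0.0.66", "10.0.0.9", 51000, 3060000, 15),
          FlowStat("10.0.0.2", "10.0.0.9", 10, 15000, 3)]

if __name__ == "__main__":
    print(update_blacklist(set(), interval_features(POLL_1, POLL_2)))
```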