TY - GEN
T1 - SDN Intrusion Detection
T2 - 32nd International Telecommunication Networks and Applications Conference, ITNAC 2022
AU - O'Meara, John William
AU - Elsayed, Mahmoud Said
AU - Saber, Takfarinas
AU - Jurcut, Anca Delia
N1 - Publisher Copyright: © 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Machine Learning (ML) based Intrusion Detection Systems (IDSs) have rapidly overtaken other solutions for securing networks. Robust and varied datasets are required to train the ML models to perform this role. The separation of the control plane from the forwarding plane within Software Defined Networks (SDNs) results in differences in network traffic patterns and different potential intrusion vectors when compared to traditional networks. Consequently, SDN specific ML models need to be trained on datasets captured from SDNs, and have the potential to recognise SDN specific attacks in addition to the standard cadre of exploits. When assessing the performance of an ML based IDS, reduction of the incidences of attacks that have been misclassified as normal traffic is of key importance. Therefore, measuring the False Negative Rate (FNR) of a trained model is crucial once high percentiles have been reached across the standard metrics used in ML model assessment. This paper establishes high baseline scores in all key metrics and then focuses on the importance of FNR in the assessment of model performance. In addition, identification of unseen attacks is of paramount importance given the rapid evolution of malicious traffic. A hold out testing strategy is employed to assess each model across a range of unseen attacks. An ensemble of models that compensate for each other's relative weaknesses is proposed to mitigate variability, thus maximising detection of new attacks. The performance of the proposed ensemble is evaluated and demonstrates a clear improvement on the performance of the individual component models.
KW - Ensembles
KW - False Negative Rate
KW - Intrusion Detection
KW - Malicious Traffic
KW - SMOTE
KW - Security
KW - Software Defined Networks
KW - Supervised Machine Learning
UR - https://www.scopus.com/pages/publications/85146710248
U2 - 10.1109/ITNAC55475.2022.9998363
DO - 10.1109/ITNAC55475.2022.9998363
M3 - Conference Publication
T3 - 2022 32nd International Telecommunication Networks and Applications Conference, ITNAC 2022
SP - 28
EP - 35
BT - 2022 32nd International Telecommunication Networks and Applications Conference, ITNAC 2022
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 30 November 2022 through 2 December 2022
ER -