Towards an Efficient Anomaly-Based Intrusion Detection for Software-Defined Networks
Majd Latah, Levent Toker

TL;DR
This paper evaluates various supervised machine learning classifiers for anomaly-based intrusion detection in SDN, analyzing their accuracy, false alarms, and efficiency using the NSL-KDD dataset.
Contribution
It provides a comprehensive performance comparison of multiple ML classifiers for SDN intrusion detection, highlighting the most effective approaches.
Findings
Decision Trees and Random Forest show high accuracy.
Support Vector Machines have a low false alarm rate.
Neural Networks offer a good balance of speed and accuracy.
Abstract
Software-defined networking (SDN) is a new paradigm that allows developing more flexible network applications. The SDN controller, which represents a centralized controlling point, is responsible for running various network applications as well as maintaining different network services and functionalities. Choosing an efficient intrusion detection system helps in reducing the overhead of the running controller and creates a more secure network. In this study, we investigate the performance of the well-known anomaly-based intrusion detection approaches in terms of accuracy, false alarm rate, precision, recall, F1-measure, area under ROC curve, execution time and McNemar's test. Precisely, we focus on supervised machine-learning approaches where we use the following classifiers: Decision Trees (DT), Extreme Learning Machine (ELM), Naive Bayes (NB), Linear Discriminant Analysis (LDA), Neural…
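The abstract compares classifiers by accuracy, false alarm rate, precision, recall, F1-measure and McNemar's test. As an added example (not code from the paper), the sketch below computes those metrics for two hypothetical classifiers and tests whether their error patterns differ; the labels, predictions and function names are constructed, and the continuity-corrected form of McNemar's statistic is an assumption about the variant used.

```python
import math

def ids_metrics(y_true, y_pred):
    """Binary IDS metrics; label 1 = attack, 0 = normal traffic."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == 1 and p == 1 for t, p in pairs)
    tn = sum(t == 0 and p == 0 for t, p in pairs)
    fp = sum(t == 0 and p == 1 for t, p in pairs)  # false alarms
    fn = sum(t == 1 and p == 0 for t, p in pairs)  # missed attacks
    ratio = lambda n, d: n / d if d else 0.0       # guard empty denominators
    return {
        "accuracy": ratio(tp + tn, len(pairs)),
        "false_alarm_rate": ratio(fp, fp + tn),
        "precision": ratio(tp, tp + fp),
        "recall": ratio(tp, tp + fn),
        "f1": ratio(2 * tp, 2 * tp + fp + fn),
    }

def mcnemar(y_true, pred_a, pred_b):
    """Continuity-corrected McNemar test on paired predictions.

    Only samples where exactly one classifier is correct carry information.
    Returns (chi-square statistic, p-value with 1 degree of freedom).
    """
    rows = list(zip(y_true, pred_a, pred_b))
    only_a = sum(a == t and b != t for t, a, b in rows)
    only_b = sum(a != t and b == t for t, a, b in rows)
    if only_a + only_b == 0:
        return 0.0, 1.0  # identical error patterns
    stat = (abs(only_a - only_b) - 1) ** 2 / (only_a + only_b)
    # Survival function of chi-square(1): P(X > x) = erfc(sqrt(x / 2))
    return stat, math.erfc(math.sqrt(stat / 2))

# Constructed sample: 50 attack records followed by 50 normal records.
Y_TRUE = [1] * 50 + [0] * 50
# Hypothetical classifier A: catches 45 attacks, raises 10 false alarms.
PRED_A = [1] * 45 + [0] * 5 + [0] * 40 + [1] * 10
# Hypothetical classifier B: catches 30 attacks, raises no false alarms.
PRED_B = [1] * 30 + [0] * 20 + [0] * 50

if __name__ == "__main__":
    for name, pred in (("A", PRED_A), ("B", PRED_B)):
        print(name, {k: round(v, 3) for k, v in ids_metrics(Y_TRUE, pred).items()})
    stat, p = mcnemar(Y_TRUE, PRED_A, PRED_B)
    print(f"McNemar chi2={stat:.2f} p={p:.4f}")
```

On this constructed data, A has higher accuracy and B has the lower false alarm rate, yet the McNemar p-value is well above 0.05, so the accuracy gap alone would not justify preferring A.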
