Centralized and Distributed Intrusion Detection for Resource Constrained Wireless SDN Networks

TL;DR

This paper introduces a lightweight, adaptable intrusion detection method for wireless SDN networks that effectively detects and identifies attacks, even in resource-constrained environments, with high accuracy in small to medium-sized networks.

Contribution

It proposes a novel online change point detection approach that operates in centralized or distributed modes, improving detection rates and attack identification in resource-limited wireless SDN networks.

Findings

Detection rates exceed 96% in tested networks.

Attack type identification probability exceeds 0.89.

Attacker pinpointing probability over 0.93 in distributed mode.

Abstract

Software-defined networking (SDN) was devised to simplify network management and automate infrastructure sharing in wired networks. These benefits motivated the application of SDN in wireless sensor networks to leverage solutions for complex applications. However, some of the core SDN traits turn the networks prone to denial of service attacks (DoS). There are proposals in the literature to detect DoS in wireless SDN networks, however, not without shortcomings: there is little focus on resource constraints, high detection rates have been reported only for small networks, and the detection is disengaged from the identification of the type of the attack or the attacker. Our work targets these shortcomings by introducing a lightweight, online change point detector to monitor performance metrics that are impacted when the network is under attack. A key novelty is that the proposed detector is able to operate in either centralized or distributed mode. The centralized detector has very high detection rates and can further distinguish the type of the attack (from a list of known attacks). On the other hand, the distributed detector provides information that allows to identify the nodes launching the attack. Our proposal is tested over IEEE 802.15.4 networks. The results show detection rates exceeding $96\%$ in networks of 36 and 100 nodes and identification of the type of the attack with a probability exceeding $0.89$ when using the centralized approach. Additionally, for some types of attack it was possible to pinpoint the attackers with an identification probability over $0.93$ when using distributed detectors.