The Usage Analysis of Machine Learning Methods for Intrusion Detection in Software-Defined Networks

Derya Yiltas-Kaplan (Istanbul University – Cerrahpaşa, Turkey)
DOI: 10.4018/978-1-5225-7353-1.ch005


This chapter focuses on machine learning in the context of the architecture of software-defined networks (SDNs) and their security mechanisms. Machine learning has been studied widely for traditional network problems, but so far only a limited number of studies in the literature connect SDN security with machine learning approaches. The main reason is that the SDN structure has emerged only recently and differs from that of traditional networks. These structural differences are also summarized and compared in this chapter. After the main properties of the network architectures, several intrusion detection studies on SDN are introduced and analyzed according to their advantages and disadvantages. With this organization, the chapter also aims to be the first organized guide that presents the referenced studies on SDN security and artificial intelligence together.
Chapter Preview


Software-Defined Network (SDN) architecture is one of the most recently emerging technologies. SDN in its current concept was described in 2004 by various researchers at the universities of Princeton, Carnegie Mellon, Stanford, and California. Its standards have been designed in the last few years.

In traditional computer networks, each device such as a router or switch is responsible for routing and forwarding operations alongside its own packet traffic control. In this way, a traditional network places the data, control, and management planes in each device. Here the data plane manages the incoming data, the control plane covers the protocols that construct the routing tables, and the management plane monitors and changes the functions of the control plane. An SDN, on the other hand, separates the control and data planes by embedding the control part inside a central element called the controller. In this architecture, router/switch devices do not carry out any process among themselves. Instead, each router/switch is connected to the controller and sometimes gets a decision from this controller device. This centralized structure provides SDN with the advantages of flexibility, high programmability, security, and fast configuration.

The controller in an SDN structure is the main part that manages the network operations. This part is programmable and can be built with different software tools. The controller is involved in designing new services and providing their functions. Current controller software includes Beacon, Floodlight, NOX, ONOS, POX, and Pyretic. The most widespread one is Floodlight. The controller software can be implemented to decide the routes for packet flows, perform network monitoring, and manage the flows and other network processes. Researchers state that SDN provides all networking operations with the help of the centralized software part, the controller, without requiring configuration on other network devices.

Several network operations such as intrusion detection, routing, firewall filtering, and flow forwarding are examples of the tasks of an SDN controller. This chapter is concerned with the intrusion detection part and analyzes this task based on studies that include machine learning methods. In the literature there is a quite limited number of papers that present SDN and machine learning collaborations, and only some of them pay attention to SDN security issues. The collaboration between SDN and machine learning has only been used for proposing some methods in the security area. This chapter is the first analysis report on the referenced studies, and its strength is that it defines the methods and gives their computational success rates.

To summarize the chapter, the main definitions of the SDN structure are given first, because one cannot investigate the literature deeply without understanding SDN. Alongside SDN, the background on intrusion detection systems and machine learning methods is also explained. After that part, several current studies that connect SDN and machine learning methods are analyzed. The main objective of this chapter is to give a literature review that compares the merits and demerits of the different methods used in the machine learning phases. At the end, the chapter lists some deficiencies as unsolved problems in the literature of SDN studies that include machine learning methods.

Key Terms in this Chapter

Learning: A phase in machine learning methods that aggregates information about state actions for use in future predictions of events.

Software-Defined Network: A new network platform that migrates several functions from the network devices to controller software.

Intrusion: An attack on a remote computer with a malicious and constraining purpose.

Data Plane: The part of a software-defined network, including the switches, that provides the flows of the packets through the ports.

Controller: The central element of a software-defined network that is responsible for all process management and is constructed from software modules.

OpenFlow: The name of the protocol used on the connection between the controller and a switch in a software-defined network.
