Abstract

In this paper we introduce a Software Defined Networking (SDN) based Intrusion Detection System (IDS) that uses Support Vector Machines (SVM) together with Selective Logging for IP traceback. We achieve a detection accuracy of 95.98% on the full NSL-KDD dataset and 87.74% on the selected sub-features of the dataset. Anomalous traffic and network intrusions are detected during the PACKET_IN event at the controller, and then again by fetching flow statistics from the OpenFlow switches at regular intervals. Selective logging of suspicious packets/flows during a PACKET_IN event enables an IP traceback in the event of an attack; a network admin can initiate the traceback from an HTTP-based web console. This approach gains significance given that it is practically impossible to achieve 100% attack detection accuracy. Moreover, it is not always correct to take punitive action against the packets of a traffic flow solely on the basis of a detected possible threat, since doing so may block or drop genuine packets. In the proposed scheme, logging is performed selectively at the controller and not at the switches, achieving significant savings in overall memory resources. Moreover, logging uses an in-memory structure at the controller, which improves the performance of the logging operation over a traditional file-based database by 9.76%. Finally, we have chosen this approach because (i) SDN provides a centralized architecture for detection analysis and logging, (ii) SVM provides decent detection accuracy without much computation overhead, (iii) Selective Logging provides about 90% to 95% savings in overall memory resources, and (iv) IP traceback provides the ability to track the actual source of the packets in the event of an attack.
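An added example, not code from the paper: a minimal sketch of selective logging at the controller and a traceback query over the in-memory log. The event fields, the `stand_in_classifier` rule that stands in for the SVM verdict, the hop-ordering traceback and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class PacketIn:          # fields a controller can read from a PACKET_IN event
    ts: float            # controller receive time
    dpid: int            # switch that raised the event
    in_port: int         # port the packet arrived on
    src_ip: str
    dst_ip: str
    dst_port: int

def stand_in_classifier(ev):
    # Placeholder for the SVM verdict (assumption): flags Telnet traffic only.
    return ev.dst_port == 23

class SelectiveLog:
    """In-memory controller log that stores only PACKET_IN events flagged suspicious."""
    def __init__(self, is_suspicious):
        self.is_suspicious = is_suspicious
        self.flows = defaultdict(list)   # (src, dst, dst_port) -> [PacketIn]
        self.seen = self.logged = 0

    def on_packet_in(self, ev):
        self.seen += 1
        if not self.is_suspicious(ev):
            return False                 # benign: forwarded, never stored
        self.flows[(ev.src_ip, ev.dst_ip, ev.dst_port)].append(ev)
        self.logged += 1
        return True

    def savings(self):
        """Fraction of PACKET_IN events that were not stored."""
        return 1 - self.logged / self.seen if self.seen else 0.0

    def traceback(self, dst_ip, dst_port):
        """Per claimed source, the (dpid, in_port) hops in first-seen order.
        The first hop is the ingress switch and port observed by the controller."""
        paths = {}
        for (src, dst, port), events in self.flows.items():
            if (dst, port) != (dst_ip, dst_port):
                continue
            hops = []
            for ev in sorted(events, key=lambda e: e.ts):
                if (ev.dpid, ev.in_port) not in hops:
                    hops.append((ev.dpid, ev.in_port))
            paths[src] = hops
        return paths

def demo():
    # Constructed sample: 27 benign HTTPS events, then one Telnet flow crossing switches 1 -> 2 -> 5.
    log = SelectiveLog(stand_in_classifier)
    for i in range(27):
        log.on_packet_in(PacketIn(float(i), 1 + i % 3, 1, "10.0.0.7", "10.0.1.9", 443))
    for ts, dpid, port in [(30.0, 1, 3), (30.1, 2, 1), (30.2, 5, 2), (31.0, 1, 3)]:
        log.on_packet_in(PacketIn(ts, dpid, port, "10.0.0.66", "10.0.1.9", 23))
    return log
```

Calling `demo().traceback("10.0.1.9", 23)` returns the ordered hops for the flagged flow, and `demo().savings()` gives the share of events that never reached the log.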
