Centralized and Distributed Intrusion Detection for Resource-Constrained Wireless SDN Networks

Abstract

Software-defined networking (SDN) was devised to simplify network management and automate infrastructure sharing in wired networks. These benefits motivated the application of SDN in resource-constrained wireless networks to leverage solutions for complex applications. However, some of the core SDN traits expose the networks to Denial-of-Service (DoS) attacks. There are proposals in the literature to detect DoS in wireless SDN networks; however, not without shortcomings: there is little focus on resource constraints, high detection rates have been reported mostly for small networks and the detection is disengaged from the identification of the type of attack or the attacker. Our work targets these shortcomings by introducing a lightweight, online change point detector to monitor performance metrics that are impacted when the network is under attack. A key novelty is that the proposed detector is able to operate in either centralized or distributed mode. The centralized detector has very high detection rates and can further distinguish the type of attack from a list of known attacks. In turn, the distributed detector can be useful to identify the nodes launching the attack. Our proposal is tested over IEEE 802.15.4 networks. The results show detection rates exceeding 96% in networks of 36 and 100 nodes and identification of the type of attack with a probability exceeding 89% when using the centralized approach.