An efficient flow-based multi-level hybrid intrusion detection system for software-defined networks

  • Regular Paper
CCF Transactions on Networking

Abstract

Software-defined networking (SDN) is a novel networking paradigm that provides enhanced programming abilities, which can be used to solve traditional security challenges with more efficient approaches. The most important element in the SDN paradigm is the controller, which manages the flows of each corresponding forwarding element (switch or router). Flow statistics provided by the controller are useful information that can be used to develop a network-based intrusion detection system. Therefore, in this paper, we propose a 5-level hybrid classification system based on flow statistics in order to improve the overall accuracy of the system. For the first level, we employ the k-nearest neighbor (kNN) approach; for the second level, we use the extreme learning machine (ELM); and for the remaining levels, we utilize the hierarchical extreme learning machine (HELM) approach. In comparison with conventional supervised machine learning algorithms and other state-of-the-art methodologies based on the NSL-KDD benchmark dataset, the experimental study showed that our system achieves a good accuracy (84.29%), with an ability to detect new attacks that reaches 77.18%. Our system is therefore an efficient approach to intrusion detection in SDNs.

Acknowledgements

We would like to thank the anonymous reviewers for their insightful comments and constructive suggestions, which helped us improve the quality of this work.

Author information

Corresponding author

Correspondence to Majd Latah.

About this article

Cite this article

Latah, M., Toker, L. An efficient flow-based multi-level hybrid intrusion detection system for software-defined networks. CCF Trans. Netw. 3, 261–271 (2020). https://doi.org/10.1007/s42045-020-00040-z

  • DOI: https://doi.org/10.1007/s42045-020-00040-z
