Tang, Anh Tuan (2019) Software Defined Networking: Network Intrusion Detection System. PhD thesis, University of Leeds.
Abstract
Software Defined Networking (SDN) is developing as a new solution for the development and innovation of the Internet. SDN is expected to be the ideal future for the Internet since it can provide controllable, dynamic and cost-effective networking. The emergence of SDN provides a unique opportunity to achieve network security in a more efficient and flexible manner. One key advantage of SDN, as compared to traditional networks, is that by virtue of centralized control, it allows better provisioning of network security. Nevertheless, the flexibility provided by the SDN architecture introduces several new network security issues that must be addressed to strengthen SDN security. SDN has inherent structural vulnerabilities: the centralized controller, the control-data interface and the control-application interfaces. These vulnerabilities can be exploited by intruders to conduct several types of attacks.
Network Intrusion Detection System (NIDS), which is an important part of network architecture, is used to detect network intrusions and secure the whole network. In this thesis, we propose an SDN-based NIDS (DeepIDS) using Deep Learning (DL) algorithms to detect anomalies in the SDN architecture. Firstly, we evaluate the potential of DL for flow-based anomaly detection with different flow features. Through experiments, we confirm that the DL approach has the potential for flow-based anomaly detection in the SDN environment. Secondly, we propose a Gated Recurrent Unit Recurrent Neural Network (GRU-RNN) to improve the detection rate of the DeepIDS. Our experimental results show that the proposed GRU-RNN model improves the detection rate significantly without deteriorating network performance. The performance of our system in terms of accuracy, throughput, latency and resource utilization shows that DeepIDS does not affect the performance of the OpenFlow controller, and so is a feasible approach.
Finally, we introduce an unsupervised approach (SAE-1SVM) to address the problem of unlabeled and imbalanced datasets. This approach yields a high detection rate while maintaining a significantly low processing time. Through extensive experimental evaluations, we conclude that our proposed approach exhibits strong potential for intrusion detection in SDN environments.
Metadata
| Supervisors: | McLernon, Desmond and Mhamdi, Lotfi and Zaidi, Syed |
|---|---|
| Keywords: | Software Defined Networking, SDN, Intrusion Detection, Machine Learning, Deep Learning |
| Awarding institution: | University of Leeds |
| Academic Units: | The University of Leeds > Faculty of Engineering (Leeds) > School of Electronic & Electrical Engineering (Leeds) > Robotics, Autonomous Systems & Sensing |
| Identification Number/EthosID: | uk.bl.ethos.781321 |
| Depositing User: | Dr Tuan Anh Tang |
| Date Deposited: | 06 Aug 2019 08:56 |
| Last Modified: | 18 Feb 2020 12:50 |
| Open Archives Initiative ID (OAI ID): | oai:etheses.whiterose.ac.uk:24532 |
Download
Final eThesis - complete (pdf)
Filename: Tang Anh Tuan_Thesis.pdf
Licence:
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License