Mat Isa, Mohd Sani Bin (2022) Adaptive Attack Mitigation in Software Defined Networking. PhD thesis, University of Leeds.
Abstract
In recent years, SDN has been widely studied and put into practice to assist in network management, especially with regard to newly evolved network security challenges. SDN decouples the data and control planes, while maintaining a centralised and global view of the whole network. However, the separation of control and data planes made it vulnerable to security threats because it created new attack surfaces and potential points of failure. Traditionally, network devices such as routers and switches were designed with tightly integrated data and control planes, which meant that the device made decisions about how to forward traffic as it was being received. With the introduction of SDN, the control plane was separated from the data plane and centralized in a software-based controller. The controller is responsible for managing and configuring the network, while the data plane handles the actual forwarding of traffic. This separation of planes made it possible for network administrators to more easily manage and configure network traffic. However, it also created new potential points of attack. Attackers can target the software-based controller or the communication channels between the controller and the data plane to gain access to the network and manipulate traffic. If an attacker successfully compromises the controller, they can gain control over the entire network and cause significant disruption. Seven main categories directly related to these risks have been identified: unauthorized access, data leakage, data modification, compromised application, denial of service (DoS), configuration issues and system-level SDN security.
Distributed Denial of Service (DDoS) attacks are a significant threat to SDN because they can overwhelm the resources of the network, causing it to become unavailable and disrupting business operations. In an SDN architecture, the central controller is responsible for managing the flow of network traffic and directing it to the appropriate destination. However, if the network is hit with a DDoS attack, the controller can quickly become overwhelmed with traffic, making it difficult to manage the network and causing the network to become unavailable.
Coupling SDN capabilities with intelligent traffic analysis using Machine Learning and/or Deep Learning has recently attracted major research efforts, especially in combatting DDoS attacks in SDN. However, most efforts have only been a simple mapping of earlier solutions into the SDN environment. Focussing on DDoS attacks in SDN, this thesis firstly addresses the problem of SDN security based on deep learning in a purely native SDN environment, where a Deep Learning intrusion detection module is tailored to the SDN environment with the least performance overhead. In particular, it proposes a hybrid unsupervised machine learning approach based on auto-encoding for intrusion detection in SDNs. The experimental results show that the proposed module can achieve high accuracy with a minimum of selected flow features. The performance of the controller with the deployed model has been tested for throughput and latency. The results show a minimum overhead on the SDN controller performance, while yielding a very high detection accuracy.
Secondly, a hybrid deep autoencoder with a random forest classifier model was introduced to enhance intrusion detection performance in a native SDN environment. The deep learning architecture combines a deep autoencoder with a random forest to learn feature representations of traffic flows collected natively from the SDN environment. Publicly available packet capture (PCAP) files of recorded traffic flows were used in the SDN network for flow feature extraction and real-time implementation. The results show very high and consistent performance metrics, with an average receiver operating characteristic area under the curve (ROC AUC) of 0.9 recorded.
Finally, an adaptive framework for attack mitigation in Software Defined Network environments is suggested. A combined three-level protection mechanism was introduced to support the functionality of secure SDN network operations. Entropy-based filtering was used to determine the legitimacy of a connection before a hybrid deep learning/machine learning module performed the second-layer inspection. Through extensive experimental evaluations, the proposed framework demonstrates a strong potential for intrusion detection in SDN environments.
Metadata
| Supervisors: | Mhamdi, Lotfi and McLernon, Desmond | 
|---|---|
| Keywords: | adaptive, entropy, autoencoder, network intrusion detection, network security, software defined networking (SDN) | 
| Awarding institution: | University of Leeds | 
| Academic Units: | The University of Leeds > Faculty of Engineering (Leeds) > School of Electronic & Electrical Engineering (Leeds) | 
| Identification Number/EthosID: | uk.bl.ethos.885346 | 
| Depositing User: | Dr Mohd Sani Mat Isa | 
| Date Deposited: | 17 Jul 2023 15:27 | 
| Last Modified: | 11 Aug 2023 09:53 | 
| Open Archives Initiative ID (OAI ID): | oai:etheses.whiterose.ac.uk:33053 | 
Download
Final eThesis - complete (pdf)
Filename: MatIsa_MohdSani_ElectronicElectricalEngineering_PhD_2022.pdf
Licence: This work is licensed under a Creative Commons Attribution NonCommercial ShareAlike 4.0 International License