Machine Learning Techniques for Intrusion Detection Systems in SDN-Recent Advances,Challenges and Future Directions

Gulshan Kumarand Hamed Alqahtani

1Shaheed Bhagat Singh State University,Firozpur,152024,India

2King Khalid University,Abha,61421,Saudi Arabia

ABSTRACT Software-Defined Networking (SDN) enables flexibility in developing security tools that can effectively and efficiently analyze and detect malicious network traffic for detecting intrusions.Recently Machine Learning(ML)techniques have attracted lots of attention from researchers and industry for developing intrusion detection systems(IDSs)considering logically centralized control and global view of the network provided by SDN.Many IDSs have developed using advances in machine learning and deep learning.This study presents a comprehensive review of recent work of ML-based IDS in context to SDN.It presents a comprehensive study of the existing review papers in the field.It is followed by introducing intrusion detection,ML techniques and their types.Specifically,we present a systematic study of recent works,discuss ongoing research challenges for effective implementation of ML-based intrusion detection in SDN,and promising future works in this field.

KEYWORDS Controller; intrusion detection; intrusion detection system; OpenFlow; security; software defined networking;traffic analysis

1 Introduction

The recent use of IT technology and several interconnected smart devices resulted in an abrupt increase in network communication traffic.It has been predicted that there will be financial growth in network traffic in the coming year [1].To keep up with increased network traffic, several heterogeneous networks have been formed consisting of different communication network protocols and various network equipment in different domains.For example, cellular networks transfer data from different kinds of devices with different standards for communicating data over the network.Therefore, heterogeneous networks becoming more complex in terms of their management of computing resources effectively.Security of the data over a heterogeneous network is considered one of the most important critical issues.Recently several incidents have happened against the security of confidential information of communication networks[2].

To avoid network attacks, several anti-intrusion techniques have been proposed.These antiintrusion techniques can be divided into six categories;namely,intrusion prevention,intrusion detection,intrusion preemption,intrusion deterrence,intrusion deflection and intrusion countermeasures as presented in Fig.1[3,4].Intrusion detection is considered one of the most effective techniques for handling intrusion into the network.Timely and accurate intrusion detection can help in minimizing the damage and take appropriate countermeasures to block the ongoing attack.

Figure 1:Anti intrusion techniques

Therefore, developing an accurate and intrusion detection system (IDS) is the need of the hour for providing another security layer over the conventional security mechanism like firewalls.

Recently several techniques have been proposed for developing an effective IDS by incorporating more intelligence to handle security issues.Artificial intelligence-based techniques, particularly machine learning(ML)techniques,has been incorporated into IDSs for adding more intelligence into the network data analysis [1].However, ML techniques have limited access to the data for analysis because of distributed features of traditional networks.Network devices such as switches contain a limited view of data belonging to a small segment of the entire network.Thus, ML models trained on a particular segment of the network is unable to work for detecting the intrusion in the entire network[5,6].

Software Defined Network(SDN)has opened many new possibilities for researchers to address the limited view of the data in traditional network devices[7,8].In SDN,the control plane and data plane have been decoupled.A centralized controller controls all network resources.A centralized controller enables the dynamic programming of networks by providing a global view of the data at a single point.The global view of the entire network’s data helps develop accurate ML models.Therefore,SDNs are more suitable for applications of ML techniques due to the following salient features.

· Recent development in computing devices such as GPUs enables processing a large amount of data in SDN help in training efficient ML model for their application in different fields[9].

· Global view of data in SDN helps to learn entire network behaviour by ML models.

· Global mean of the data at SDN can help deploy feature selection techniques resulting in reducing a considerable amount of data and hence in fast and accurate training of ML models.

Therefore, SDN provides a suitable framework for implementing ML techniques to detect intrusions in the real world[10].

Several intelligent IDSs have been proposed by considering the advantages of SDN architecture and the capability of ML techniques[11].This paper presents a comprehensive review ML techniques based IDSs specifically for SDN architecture.This review aims to discuss ML-based IDSs architecture for better understanding the current status of intrusion detection in SDNs and project significant clues to conduct future research in this field.

Rest of the paper is structured as follows.A comprehensive review of the existing studies is presented in Section 2.Section 3 explains intrusion detection preliminaries.Section 4 presents ML techniques and their types.Section 5 introduces the SDN and its architecture.Section 6 presents significant ML studies applied for intrusion detection in context of SDN.Section 7 highlights the major research issues in the field.Finally,Section 8 concludes the paper at the end.

2 Related Work

Several types of research have been reported on developing effective and efficient IDS using ML techniques in the recent past.Researches attempted to summarize further development in various review papers.For analyzing the trend in developing IDSs using ML techniques,these reviews can be divided as scenario based reviews,technique based reviews and attack based reviews as presented in Fig.2.

Figure 2:Classification of ML-based IDS reviews

2.1 Scenario-Based Reviews

Scenario-based reviews mainly focus on specific network architecture or scenarios for discussing the trends in ML-based intrusion detection techniques.Several researchers attempted to exploit network configurations’features to explain intrusion detection techniques.

For example,Anantvalee et al.[12]focused on mobile ad-hoc networks(MANETs)for reviewing intrusion detection techniques in this category.The authors conducted a comprehensive study of existing IDSs and provided many clues for future research in this field.Similarly, Nadeem et al.[13]have also focused on MANETs in their review of intrusion detection techniques.Patel et al.[14]developed intrusion detection and prevention systems for cloud computing environments.They used the features of cloud computing to explain intrusion detection techniques and present different issues in developing intrusion detection and prevention systems for the cloud computing environment.Butun et al.[15]presented their work on IDSs for wireless sensor networks by specifying the pros and cons of intrusion detection techniques in the context of wireless sensor networks.

Bkassiny et al.[16]reviewed existing learning techniques in context to cognitive radio networks.They mainly focused on ML approaches for detecting intrusion accurately.ML approaches have also been reviewed for intrusion detection in context to wireless sensor networks in [17].Wang et al.[18] focused on artificial intelligence-based techniques for evolving heterogeneous networks.They highlighted significant issues in heterogeneous networks and provided many e points for future research in their review.Klaine et al.[19]provided a comparative analysis of ML techniques applied in self-organizing cellular networks.Whereas ML techniques based network traffic control having focus in[20].Chen et al.[21]analyzed the solutions proposed for solving issues in wireless sensor networks such as virtual reality, communication and education using neural networks.Xie et al.[1] mainly focused on ML techniques used in SDN.The authors provided details of different ML techniques in context to SDN from different aspects like routing,Resource Management,network traffic analysis and quality of service prediction.They highlighted many issues in developing ML-based systems for SDN.Sultana et al.[22] conducted a comprehensive analysis of ML techniques for detecting the intrusion is in SDN.The authors mainly focused on deep learning techniques for developing networkbased IDSs[11].They also highlighted many challenges for developing deep learning-based IDSs in SDN.Table 1 summarizes the scenario-based IDS reviews mentioned above.

Table 1:Summary of scenario-based IDS reviews

2.2 Technique-Based Reviews

Technique-based reviews mainly focus on analyzing the IDS waste on detection techniques.Generally, these papers follow some predefined taxonomy and analyze the existing research papers for each category proposed in the taxonomy.Such reviews are helpful in performing a comparative analysis of different techniques used in IDSs.For example,in 2009,Garcia-Teodoro et al.[24]analyzed the anomaly-based intrusion detection technique by categorizing them into three classes, statistical techniques,ML techniques and knowledge-based techniques.The author provided the pros and cons of each category in detecting intrusions.They have also provided a list of available commercial IDSs.They provided significant research challenges in detecting anomaly-based intrusion detection.Similar and extended work is also reported by Kumar et al.[4].Here the authors provided a review of artificial intelligence-based IDSs.They explained the general architecture of IDSs and divided IDSs based upon their functional components.

Zhang et al.[25]also focused on anomaly-based detection techniques used in computer networks.They proposed to divide anomaly-based techniques into four categories, classification techniques,Statistical Techniques, ML techniques and finite state machines.The authors described advantages and disadvantages for techniques of each category with their future improvement in the field of IDSs.Tsai et al.[26] also reviewed ML-based IDSs and compare them based on classified design,experimental settings and benchmark datasets.They highlighted the challenges of effective IDSs and provided many future directions for research in this field.Wu et al.[27] presented a comprehensive survey of computational intelligence based intrusion detection techniques.They have highlighted applications of computational intelligence-based techniques in different fields for detecting intrusions.Their survey focuses on fuzzy system, artificial neural networks, artificial immune systems,soft computing paradigm, and evolutionary algorithms.Buczak et al.[28] focused ML techniques employed for detecting intrusions effectively.They divided ML techniques into 12 different categories and analyzed their computational complexity.Based upon their analysis of computational complexity,they recommended using ML techniques to detect intrusion in the network.Drasar et al.[29]studied flow-based intrusion detection techniques in their review paper.They targeted flow-based techniques based on similarity matching for detecting internet-based attacks.They proposed to group flow-based intrusion detection techniques based on their similarity functions.Vasilomanolakis et al.[30]focused on collaborative IDS.They identified the requirement for implementing collaborative IDS in large organizations.In the review, they proposed a taxonomy for collaborative IDSs.They divided the collaborative IDSs into centralized,decentralized,and distributed categories.They reviewed the vital research work for each category as per their taxonomy.

Similarly, Patcha et al.[31] also focused on ML techniques for IDSs.Whereas Hodo et al.[32]also focused on deep learning-based IDSs in their review.

Table 2 summarizes the technique-based IDS reviews mentioned above.

Table 2:Summary of technique-based IDS reviews

Table 2 (continued)Study Domain ML techniques Wu et al.[27] Networks Computational intelligence based techniques Buczak et al.[28] Networks Data mining and ML algorithms Drasar et al.[29] Networks Flow-based techniques Vasilomanolakis et al.[33] Networks Collaborative intrusion detection techniques Patcha et al.[31] Networks Supervised and unsupervised learning Hodo et al.[32] Networks Supervised and unsupervised learning Nguyen et al.[34] Networks Supervised and unsupervised learning

2.3 Attack-Based Reviews

The research work in this category has been proposed to classify different kinds of network intrusion.These papers follow a specific taxonomy of network inclusions and present a review of different techniques as per the adopted taxonomy.Such reviews are beneficial for comparing different intrusion detection techniques to detect specific kinds of intrusions.For example,Sperotto et al.[35]focused on flow-based intrusion detection techniques.The authors proposed a taxonomic classified network intrusion and flow-based techniques used to detect each intrusion category.They also highlighted the research issues specifically for flow-based IDSs and provided many directions for future research in IDS.Umer et al.[36] focused on flow-based IDSs and compared different intrusion detection techniques in different aspects.They presented different benchmark data sets used for validating flow-based intrusion detection techniques.They also proposed a taxonomy of intrusion detection techniques for detecting malicious network flows.They identified different research issues regarding flow-based IDSs and highlighted different research directions for future research in this field.Table 3 summarizes the attack-based IDS reviews mentioned above.

Table 3:Summary of attack-based IDS reviews

2.4 General-Purpose Reviews

This category of research work for IDS attempts to analyze network intrusions in different aspects.Such reviews follow a General taxonomy of intrusion and review the current research work as per the adopted taxonomy.For example, Patel et al.[14] focused on intrusion detection and prevention techniques.They identified the limitations of existing systems and proposed using MLbased techniques for detecting intrusions effectively and accurately.Liao et al.[37] proposed a taxonomy of IDS based on different aspects such as deployment,timeline,source of data and detection method.They identified several limitations of the existing method and highlighted different research directions in the field.Bhuyan et al.[38] reviewed the network anomaly detection techniques tools and systems.Their review proposed a taxonomy that divides our existing network anomaly detection techniques into six categories.They highlighted the advantages and disadvantages of each category.They also highlighted the most commonly used performance metrics and data sets for validating intrusion detection techniques.Table 4 summarizes the General-purpose IDS reviews mentioned above.

Table 4:Summary of General-purpose IDS reviews

It can be concluded from Tables 1–4 that many researchers have successfully implemented ML techniques in different network scenarios.However, a few studies have been proposed for intrusion detection in SDN.To that end, we provide a comprehensive review of ML techniques proposed in recent years for intrusion detection,specifically for SDN.We aim to explore ML techniques,identify research gaps,and highlight future research directions in intrusion detection in context to SDN.

The above cited reviews can be summarized in Fig.3.

Figure 3:Summary of IDS reviews

3 Intrusion Detection

An IDS is defined as“an effective security technology,which can detect,prevent and possibly react to the computer attacks”,is one of the standard components in security infrastructures[4].It monitors target sources of activities,such as audit and network traffic data in a computer or network systems and deploys various techniques to provide security services.The main objective of IDS is to detect all intrusions efficiently.The implementation of IDS allows network administrators to detect security objective violations.These security objective violations range from external attackers trying to gain unauthorized access to network security infrastructure or making resources unavailable to insiders abusing their access to the system resources.With the passage of time and the growth of computer attacks,several IDSs architectures have been proposed.Axelsson[40]proposed a common architecture for IDS as depicted in Fig.4.

Figure 4:IDS architecture[4]

According to Axelsson [40], standard components of IDS consist of the following:Network to monitor is the identity to be monitored for intrusions.This can be a single host or a network;Data collection&storage unit is responsible for collecting the data of various events and converting them in proper format and store to disk; Data analysis & processing unit is the brain of IDS.It contains the complete functionality to find the suspicious behaviour of attack traffic.On detecting an attack,a signal is generated.Based on the type of IDS,the system can raise the action to alleviate the problem or a signal is passed to the network administrator to take appropriate action;Signal:This part of the system handles all output from IDS.The output may be an automated response to an intrusion or alert of malicious activity for a network security administrator.IDSs can be categorized into various classes depending upon different modules.

Based on data collected&storage unit,IDS can be divided into two classes:host-based IDS and Network-based IDS.Host-based IDS collects the data from a host to be protected.They generally collect the data from system calls, operating system logs, NT events log files, CPU utilization,application log files,etc.The advantage of Host-based IDS is that they are operating system dependent&are very efficient to detect attacks like buffer overflow.These systems become inefficient in the case of encrypted data and switched networks.Network-based IDS collects the data from the network directly in the form of packets.These IDS are operating system independent and easy to deploy to various systems.

Based upon criteria adopted for data analysis & processing unit, IDS can be divided into two classes; namely, Misuse or signature-based IDS and anomaly-based IDS.Signature-based IDSs maintain a database of known attack signatures.The detection of attack involves comparing data from the data collection unit and data stored in the database.If the match occurs,then an attack signal gets generated.The challenging task is to keep the database of signatures up to date.Signature-based IDS perform well for attacks whose signatures are in the database,but they are inefficient to detect zero-day attacks.They also have a meagre false alarm rate.Anomaly-based IDS reacts to abnormal behaviour as defined by some history of the monitored systems,previous behaviour or some previously defined profile.The system matches the current profile with the previous profile.If there is any significant deviation,that activity is notified as an attack.These systems are capable of detecting zero-day attacks.

Depending upon the criteria adopted for generating the response, IDS can be divided into two classes:Passive IDS and Active IDS.Active IDS responds to attacks by initiating specific actions.The action can be against two entities, further classifying Active IDS into subclasses.These entities can be:Attacking system:In this class, the IDS try to control the attacking system.IDS tries to attack the attacker system to remove his operation platform.Attacked system:In this class,the IDS tries to control the attacked system.They modified the state of the attacked system to mitigate the attack.They can terminate the network connections,increase the security logging,kill the concerned processes,etc.Passive IDS respond to attacks by generating network administrator or user signals to act.They do not themselves try to mitigate the damage done or actively seek to harm or hamper the attacker.

The available commercially as well as open-source IDSs have been categorized and summarized based on different criteria mentioned-above as shown in Tables 5–7 and Figs.5 and 6.

Table 5:Classification of IDSs(based on data collection&storage unit)

Table 6:Classification of IDSs(based on data analysis&processing unit)

Table 6 (continued)Category IDS Processing criteria Audit data Response Tripwire[46] Signature Host Passive Network based IDS AAFID[62] Anomaly Host Active Comp Watch[63] Anomaly Host Passive IDES[42] Anomaly Host Passive NADIR[50] Anomaly Network Passive W&S[64] Anomaly Host Passive

Table 7:Classification of IDSs(based on response)

Figure 5:Summary of IDSs

Figure 6:Summary of IDS studies

4 ML Techniques

Several techniques from different disciplines have been designed for developing effective and efficient IDS.Statistical techniques,Knowledge-based techniques and artificial intelligence(AI)based techniques are the trending techniques for IDS development.AI-based techniques, specifically ML(ML) techniques have many advantages of Flexibility (vs.Threshold definition of conventional technique); Adaptability (vs.specific rules of conventional technique); Pattern recognition (and detection of new patterns);Fast computing(faster than humans,actually)and Learning abilities[67].ML techniques can learn from data automatically without explicit programming during the training phase[22].

Fig.7 depicts a general work-flow of machine learning project [68–70].The first phase consists of the data management phase of any ML project.It collects the data and uses it as training and test data for training and validation of the ML model.The data management phase also applies data cleaning management techniques for 1)data cleaning to remove missing values and noisy data; and 2)data transformation to normalize data,select relevant features,and discretize features for ensuring the quality of data and compatibility with the ML model.After pre-processing the data,it is split into training and test datasets and loaded for the training and test of the ML model.

Figure 7:ML phases[4]

An appropriate ML model is chosen based on learning tasks such as classification,regression and clustering.The training dataset is fed to ML model for achieving optimized parameters during the training phase[71,72].Finally,trained ML is evaluated for the test dataset by getting its predictions and comparing them with actual output.The performance of the trained ML model using suitable metrics like accuracy, true positive rate, false-positive rate, F1-score, kappa statistics, precision and recall.After achieving satisfaction on validation metrics and performance of ML model,it is deployed in real-world scenario for making actual predictions[32].ML model are generally retrained for new training data to update it with changing scenarios up to a benchmark performance satisfaction.

Generally, ML techniques are classified based on learning style, such as supervised learning,unsupervised learning and semi-supervised learning,and reinforcement learning techniques[4,73]as presented in Fig.8.

Figure 8:ML types

The supervised learning process consists of labelled training data samples[74].In contrast,unsupervised learning of ML techniques used un-labelled data during the training phase.Reinforcement learning attempts to learn the problem by taking suitable action per given circumstances to optimize the objective function.ML techniques can be applied for predicting the class of data samples in a given discrete category(known as classification task)or estimating one or more continuous variables(known as regression task)[75].

Supervised learning has several potential benefits, such as clarity of data and ease of training[76,77].However,there are many disadvantages,including the inability to learn by itself,requirement of labelled data.Supervised techniques take advantages of using prior knowledge to clearly classify unknown sample data.Supervised learning process is easy to understand, however, in case of unsupervised learning, it is difficult to understand machine learning process.Supervised learning does not require holding training data in memory after training phase.In stead,only mathematical function representing boundary function can be maintained for predicting unknown samples.

Supervised learning techniques generally provide biased results in case of imbalanced training datasets, hence it become difficult for dealing with a large amount of imbalanced training data.However,supervised learning cannot give you unknown information from the training data like unsupervised learning do.In contrast,un-supervised learning can cluster or classify data by discovering its features on its own that is not feasible in case of supervised learning.

Supervised and un-supervised learning have different goals.Supervised learning aims to predict outcomes for new data [78].Expected result types are known in advance.Whereas, in case of unsupervised learning, the main aim is to get insights from large volumes of new data.The learning process itself determines what is different or interesting from the dataset.Supervised learning methods are computationally less complex than un-supervised learning methods.These models are generally time-consuming while their training,and the labels for input and output variables require expertise.Meanwhile, unsupervised learning methods can have wildly inaccurate results unless some human intervention for validating the output variables.

Reinforcement learning is different from supervised and un-supervised learning methods [79].Here, the machine learns by itself after making several mistakes.From all the mistakes made, the machine can understand what the causes were,and it will try to avoid those mistakes again and again.Reinforcement learning is also known as the trial and error way of learning.

Popular supervised ML techniques include Naive Bayes, Nearest Neighbor, Decision Trees,Support Vector Machines (SVM), Linear Regression, Neural Networks.Different supervised ML techniques different concepts for classification tasks based on training dataset’s features.For example,Decision Trees(DTs)refers to feature values.They use a tree-like model of decisions and their results.DT algorithm contains conditional control statements and branch symbolizes a feature of the dataset.Whereas,Naive Bayes(NB)algorithm works on independence assumption of all the datasets.NB suits for large datasets and uses direct acyclic graph for classification tasks.It is most appropriate for solving multi-class prediction models.This algorithm is computationally less expensive for handling huge and complex data.In contrast, Random Forests (RF) algorithm, an advanced version of DT, involves generating decision trees on data samples and then predicts for each attempt till best solution obtained.RF reduces the over-fitting issues of DT by taking average the result.Neural Networks(NN)algorithm involves clustering raw input and identify patterns.NN are comparatively computationally expensive and become more complicated for multiple observations.NNs are generally known as ‘black-box’algorithms.Support Vector Method (SVM) involves separation of hyper-planes as discriminative classifiers.This method is concerned with kernel networks that produces an optimal hyperplane as output for binary classification problems.

Standard unsupervised ML techniques are k-means clustering, Hierarchical Cluster Analysis(HCA), Expectation Maximization, Locally-Linear Embedding (LLE), and t-distributed Stochastic Neighbor Embedding(t-SNE).

Standard reinforcement ML techniques include Q-Learning, Temporal Difference (TD), and Deep Adversarial Networks.

Tables 8–10 and Figs.9–11 summarize the most common supervised, unsupervised and semisupervised ML techniques with respective pros and cons.

Table 8:Summary of supervised ML techniques

Table 8 (continued)ML technique Pros Cons Decision Tree Easy interpretation Unstable,subject to training data Selection of discriminatory features Over-fitting issue Less CPU intensive Works with continuous and discrete data Random forest suitable for large training data Slow training process Comparatively less instability Biased results in case of imbalanced data Avoids over-fitting problem Neural network Quick prediction after training Suitable for high-dimensional data Requires high computationally power for training Difficult to interpret the results SVM Suitable for high-dimensional data Suitable for linearly and non-linearly separable data Computationally expensive for large data Avoids over-fitting problem Bayesian network Easy implementation Independence assumption Good results for a small training data Difficult to handle continuous data HMM Statistical fundamentals Computationally expensive for large data Instable

Table 9:Summary of unsupervised ML techniques

Table 10:Summary of semi-supervised ML techniques

Figure 9:Supervised learning techniques

Figure 10:Un-supervised learning techniques

Figure 11:Semi-supervised learning techniques

5 Software Defined Networking(SDN)and Its Architecture

SDN enables flexibility in network control by decoupling the control plane and data plane in a conventional network.It helps the network administrators in customizing the network as per dynamic requirements of the organizations[80],presented in Fig.12[81].

Figure 12:SDN architecture[81]

The decoupling of control plane and data plane allows data plane devices called switches in forwarding data as per decisions of the controller [82].The controller decisions are maintained in the form of flow tables of switches.OpenFlow protocol is used for ensuring communication between controller and switch.

Fig.12 shows SDN architecture and interaction of different planes.SDN architecture consists of three planes:data plane,control plane and application plane.

·Data plane:This plane is responsible for forwarding data among different nodes of the network using various forwarding devices.Several forwarding devices, virtual switches and physical switches can be equipped in this plane.The most common virtual devices at this layer include Open vSwitch[83],Indigo and Pantou switches.Whereas,physical switches includes NetFPGA[84],SwitchBlade[85]and ServerSwitch[86].Virtual switches have exclusive features of SDN but provide a low flow forwarding rate.In contrast,physical switches possess limited flexibility but show a higher flow forwarding rate.These switches forward,drop and modify data packets as per policies provided in the control plane.The communication between the data plane and control plane occurs through Southbound Interfaces(SBIs).

·Control plane:It is the central controlling part of SDN systems.It enables network device programming, maintains forwarding rules, and provides flexibility in the SDN.Logically Central controller is the primary component in the control plane of SDN architecture.The central controller controls the communication between different applications and forwarding devices at the data plane.The central controller also allows the translation of application requirements into respective policies for forwarding devices.It also provides the functionality of network application requirements such as network topology storage,shortest path routing.Several central controller architectures have been proposed, including NOX [87], POX [87],Floodlight [88], Ryu [89], OpenDaylight [90] and Beacon [91].There are three interfaces for interacting with the controllers,southbound,northbound and eastbound/westbound interfaces.A southbound interface defines the communication between the data and control planes.This interface enables forwarding devices to transmit network state information and control policies to and from the control plane.It also provides functionality for programming of all devices for or forwarding operation notifications and statistical reports.The northbound interface enables communication between the application plane and the control plane.Applications can access abstract network perspectives provided by the control plane using northbound interfaces to define network behaviour and requirements.The northbound interface helps in automating,innovating and managing the SDN.Eastbound/westbound interfaces are mainly used in a multicontroller SDN.These interfaces are deployed in a large scale SDN consisting of a massive amount of data flows.

·Application plane:This is the top layer in SDN system architecture consisting of business applications.It enables new network services for managing and optimizing business applications.The business applications access network state information through the controllers for implementing control logic to update the network behaviour.

SDN flexibility feature helps reduce dependence on software and hardware vendors,thus reducing operational expenses.It also enables node level security implementation by replacing firewalls with flow tables of switches.Despite several advantages,SDN architecture has several security vulnerabilities due to the single point of failure of SDN controller[92].Single point of failure of central SDN controller can lead to failure of the entire network.Most attackers target the central SDN controller to control the entire network[93].Several attacks such as Denial of Service(DoS)attack,black-hole attack[94],malicious controller application deployment,and global network view manipulation[92]can be easily mounted by compromising SDN controller.

Data plane is also suspectable to several attacks, including flow-table overflow attacks.Such attacks exploit the flow table’s limited size and non-availability of standards.Security issues at different SDN planes can be further explored in[22,81,82]

6 ML Techniques for Intrusion Detection in SDN

SDN architecture comprising of a central controller that provides a global network perspective[1].The global network perspective helps manage and control network easily.It provides an edge for ML techniques for analyzing network data and optimizing network configuration and other functionality by adding intelligence to the SDN central controller.Besides, the programmability feature of SDN also allows to detect and mitigate network attacks quickly.Notably,from a security perspective,ML techniques have been successfully applied in SDN to differentiate intrusive and non-intrusive network traffic.

Several industrial and academic efforts have been made to address the security problems of SDN, considering its wide acceptability.Researchers focused on improving security by adopting SDN in conventional networks, and the security of SDN framework [80,92,95–98].Song et al.[99]suggested an IDS for SDN architecture.The proposed architecture comprises different subsystems:data preprocessor, predictive data model, and response system.The authors proposed using the feature selection method for data processing to select relevant features, followed by the decision tree and random forest method to differentiate intrusive and non-intrusive network traffic.Based on classification results, the proposed architecture makes the decision and triggers the response using reactive routing in different flow tables.The experimental deserts of the proposed architecture demonstrate that the threat-aware system can reduce the data processing and provide high intrusion detection accuracy.

Similarly,Hurley et al.[100]also proposed a network IDS for SDN using Hidden Markov Model(HMM)based upon selected flow traffic features:packet length,source sport,destination port,source IP address and destination IP address.

In contrast, da Silva et al.[101] proposed a framework called ATLANTIC.The proposed framework can detect the anomalies in SDN network traffic and classify them into different categories.This framework performs classification tasks in two phases:lightweight and heavyweight faces.The former phase computes the derivation of network traffic based on entropy values of flow tables.At the same time,the later phase applies an SVM classifier to classify the abnormal network traffic.The classification is followed by mitigation actions to handle abnormal network flows.

Similarly,the authors of[102]also proposed an intrusion detection and mitigation system for the smart home environment based on ML techniques for detecting inclusive activities.

In [103], the authors used different ML techniques for predicting malicious connections and vulnerable hosts.They used decision tree (DT), decision tables (D table), Bayesnet and Naive Bayes (NB) ML techniques.They performed a comprehensive comparison of ML techniques.They demonstrated in their results that BayesNet could produce more accurate results than the other techniques.

Some researchers also focused on deep learning techniques for detecting intrusions in SDN.For example,Tang et al.[104]used a deep neural network ok for detecting inclusions in SDN.They use the KDD dataset for validating the proposed approach.

Similarly,They also used a deep recurrent neural network for detecting anomalies in SDN traffic using six flow features in[105].

Wang et al.[106] proposed an approach for detecting intrusions in SDN using SVM classifier.Their approach applied a feature selection method to select relevant features using a decision tree followed by classifying network traffic into intrusive and non-intrusive categories.

Shone et al.[107]proposed a hybrid approach of deep learning and random forest method.The deep learning method reduces the features,and the random forest is applied for classification network traffic.

The researchers have focused on detecting DDoS attacks targeting the availability of SDN.DDoS attacks exhaust the network or system resources by sending tremendous traffic into the network.The enormous network traffic makes the system unavailable to legitimate users.

Braga et al.[108] proposed a lightweight DDoS attack detection system and implemented it on a NOX a based SDN.They used network traffic flow features collected using OpenFlow switches at NOX controller.The collected features are used for classifying attacks and normal network traffic.They used a self-organising map neural network for detecting flooding based DDoS attacks in SDN.They demonstrated that their proposed system provide promising result in detecting DDoS attacks.However,they have not installed any flow rules in their system.

Barki et al.[109] implemented an IDS in SDN controller for detecting DDoS attacks using a hybrid approach of Signature and advanced IDS.They’ve used different ML techniques in signaturebased IDS modules:k-NN,Naive Bayes,k-means and k-medoids.The packets detected as abnormal are forwarded to the advanced IDS module to differentiate anomalous or legitimate traffic.

Li et al.[110] also applied recurrent neural networks and convolutional neural networks in detecting DDoS attacks.Their deep learning architecture consists of input,forward recursive,reverse recursive,and fully connected hidden layers followed by an output layer for detecting DDoS attacks based upon the features extracted using deep learning models.Similarly, Jankowski et al.[111] used a self-organizing map(SOM)along with a learning vector quantization(LVQ)method for detecting intrusion in SDN.

Similarly, Niyaz et al.[112] used deep learning techniques stacked autoencoder for feature reduction to detect the DDOS attacks in SDN.They reported that their system could detect the DDOS attacks but have a controller bottleneck in an extensive network.

Table 11 summarizes the above-cited studies of ML techniques for intrusion detection in SDN.Fig.13 presents dataset wise analysis of intrusion detection studies in SDNs.It can be observed that most researchers preferred KDD dataset for validating their intrusion detection approaches in SDNs.

Table 11:Summary of ML techniques for intrusion detection in SDN

Table 11 (continued)Study Learning method Pros Cons Dataset Avg.Acc.(%)[106] Hybrid of DT and SVM Use of reduced features using decision tree for accurate classification by SVM[107] Hybrid of DL-NN and RF Use of reduced features using DL-NN for accurate classification by RF[108] SOM DDoS attack detection using SOM[110] DL-NN DDoS attack detection and defense method based on DL-NN[112] DL-NN stack auto-encoder based DL model for reducing features[111] Hybrid of SOM and LVQ Used SOM and LVQ for intrusion detection[113] RF Used RF for intrusion detection in SDN Comparative result not provided Not evaluated in real backbone traffic Unable to detect attack launching hosts-Controller bottleneck for large networks Computational cost for SDN controller for extracting features and attack detection Not evaluated in real backbone traffic Poor results for minority attack classes like U2R and R2L Not evaluated in real backbone traffic KDD 97.55 KDD Cup’99 and NSL-KDD 99.79 KDD 98.61 ISCX 98 Synthetic 95.65 Synthetic TPR=99.6 CICIDS 2017 99.968(Continued)

Table 11 (continued)Study Learning method Pros Cons Dataset Avg.Acc.(%)[114] SVM Used selective logging for IP Traceback in SDN Low computational overhead Ability to track the actual source of the packets in the eventuality of an attack[115] Tree-based machine learning techniques XGBoost model outperformed[116] SVM Used Mininet emulator based virtual network[117] GRU and BiLSTM Hybrid model with GRU,GRU-LSTM,deep neural network,DNN-LSTM[118] Stacked autoencoder Hybrid model of stacked auto-encoder,SoftMax classifier and parameter optimizer Used outdated KDD dataset Used outdated KDD dataset Not evaluated on real datasets Not evaluated on real datasets Not evaluated on real datasets KDD 95.98(Full KDD dataset),87.74(selective features)KDD 95.95 UNSW-NB15 and NSL-KDD datasets 99.8 CICIDS 2018 99.87 NSL-KDD and CICIDS 2017 98.5

Figure 13:Dataset wise analysis

Fig.14 presents accuracy analysis of intrusion detection studies in SDNs.It can be observed that researchers reported an accuracy of 99.96% and 99.79% based on CICIDS and KDD datasets,respectively.

Figure 14:Accuracy analysis

7 Research Challenges and Future Directions

Despite much prominent research in ML and SDN fields, there is a requirement to improve robustness and security by addressing many significant challenges.The most significant research challenges that require the community’s immediate attention follows:

· To improve the intelligence in SDN using ML techniques,quality training data set are required[5,119].ML techniques require a high-quality training data set for training models that can be used to detect intrusions.However,the lack of publicly available updated benchmark datasets leads to the failure to validate new approaches.Therefore,there is a requirement for developing benchmark data set[120,121].

· It can be observed from the discussion cited in Section 6 that many IDS suffers from the limitation of scalability in SDN.A single controller deployment can be a significant cause for scalability issues in SDN[122–124].

· To solve the scalability issue,distributed multi-controller platforms can be is promising direction[125,126].

· SDNs involve decoupling of the data plane and control plane to provide a flexibility feature.The data plane comprises forwarding devices without any intelligence.This can be a severe flaw in the system that the attacker can exploit to launch many attacks.The attack can be overloading the controller by forwarding a massive amount of flow requests.In this scenario,ML model trained on historical data may not effectively detect new attack variants.This issue can be resolved by using recent developments in deep learning techniques such as generative adversarial network(GAN)[71,75,127,128].

· SDN implementation requires updating network switches that can be economically costlier.Therefore, incremental deployment of SDN can be a promising solution for handling the deployment issue of SDN[129,130].

· Training time and accuracy of ML techniques are highly dependent upon features selected for the training of ML models.However,selecting appropriate features for training the ML model is challenging.Feature selection techniques for automatically selecting high-level features can be a promising solution to this issue[131–133].

· It can be noticed that ML techniques achieved exemplary performance and flexibility by learning and representing real-world problem features as nested hierarchy of concepts in a simple way[134,135].However,the performance of ML techniques depends upon the quality of training data and handcrafted features.In contrast, a deep learning technique can learn incrementally using its layered architecture and can extract high-level features automatically from data with minimal human interaction[136,137].Several deep learning architectures have been developed for different types of the task such as CNN,ResNet,Inception Nets,RNN and LSTM.Deep learning techniques can be a promising research direction for detecting intrusions accurately without requiring handcrafted features,particularly in SDN due to the availability of centralized data.

· It can be observed from Table 11 that many researchers have used outdated KDD dataset for validating their approach.KDD dataset have been critically analyzed for not representing realworld network traffic[138,139].

· Deploying the SDN in large networks can face the performance issue due to the processing of massive network traffic.Therefore, successful deployment of SDN IDS requires reduction of controller bottleneck[140–142].

8 Conclusion

This study presented a comprehensive review of ML techniques for detecting intrusion detection in SDN.It presented intrusion detection, ML techniques, and types, followed by SDN and its architecture.We explained the benefits of using SDN.We presented prominent research on using ML techniques for detecting intrusion in SDN.We provided a comprehensive comparison of different studies describing the pros and cons of each study.Finally, we presented and discussed significant research issues and future directions for applying ML to detect SDN intrusions.

In a nutshell, it can be concluded that the application of ML techniques in detecting intrusion in SDN faces many challenges.The findings of this study can help fellow researchers understand the development of ML-based intrusion detection in the SDN context.

Funding Statement:This work is supported by King Khalid University,Saudi Arabia under Grant No.RGP.2/61/43.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.