SDN Intrusion Detection: An Ensemble Approach to Reducing False Negative Rate for Novel Attacks

John William O'Meara, Mahmoud Said Elsayed, Takfarinas Saber, A. Jurcut
2022 32nd International Telecommunication Networks and Applications Conference (ITNAC), published 2022-11-30. DOI: 10.1109/ITNAC55475.2022.9998363 (https://doi.org/10.1109/ITNAC55475.2022.9998363)

Abstract

Machine Learning (ML) based Intrusion Detection Systems (IDSs) have rapidly overtaken other solutions for securing networks. Robust and varied datasets are required to train the ML models to perform this role. The separation of the control plane from the forwarding plane within Software-Defined Networks (SDNs) results in differences in network traffic patterns and different potential intrusion vectors when compared to traditional networks. Consequently, SDN-specific ML models need to be trained on datasets captured from SDNs, and have the potential to recognise SDN-specific attacks in addition to the standard cadre of exploits. When assessing the performance of an ML-based IDS, reduction of the incidences of attacks that have been misclassified as normal traffic is of key importance. Therefore, measuring the False Negative Rate (FNR) of a trained model is crucial once high percentiles have been reached across the standard metrics used in ML model assessment. This paper establishes high baseline scores in all key metrics and then focuses on the importance of FNR in the assessment of model performance. In addition, identification of unseen attacks is of paramount importance given the rapid evolution of malicious traffic. A hold-out testing strategy is employed to assess each model across a range of unseen attacks. An ensemble of models that compensate for each other's relative weaknesses is proposed to mitigate variability, thus maximising detection of new attacks. The performance of the proposed ensemble is evaluated and demonstrates a clear improvement on the performance of the individual component models.