Intrusion Detection in SDN-Based Networks: Deep Recurrent Neural Network Approach

  • Tuan Anh Tang
  • Des McLernon
  • Lotfi Mhamdi
  • Syed Ali Raza Zaidi
  • Mounir Ghogho
Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)


Software Defined Networking (SDN) is emerging as a key technology for the future Internet. SDN provides a global network along with the capability to dynamically control network flow. One key advantage of SDN over traditional networks is that its centralized control allows better provisioning of network security. Nevertheless, the flexibility of the SDN architecture introduces several new network security issues that must be addressed to strengthen SDN network security. In this paper, we propose a Gated Recurrent Unit Recurrent Neural Network (GRU-RNN) enabled intrusion detection system for SDN. The proposed approach was tested using the NSL-KDD and CICIDS2017 datasets, and we achieved an accuracy of 89% and 99% respectively with low-dimensional feature sets that can be extracted at the SDN controller. We also evaluated the network performance of our proposed approach in terms of throughput and latency. Our test results show that the proposed GRU-RNN model does not degrade network performance. Through extensive experimental evaluation, we conclude that our proposed approach exhibits strong potential for intrusion detection in SDN environments.


Keywords: SDN, Software-defined networking, Network security, Network intrusion detection, Machine learning, Deep learning



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Tuan Anh Tang (1)
  • Des McLernon (1)
  • Lotfi Mhamdi (1)
  • Syed Ali Raza Zaidi (1)
  • Mounir Ghogho (2)

  1. University of Leeds, Leeds, UK
  2. International University of Rabat, Rabat, Morocco
