Adaptive Anomaly Detection for SDN

Nor Masri Sahri, Koji Okamura


In traditional approach, extracting important features for the application to analyze the anomaly detection problem, introduce significant overhead on the way of switch handling. Furthermore, high volumes of network traffic introduce notable issues that affect the performance and anomaly detection accuracy. Taking advantage of centralized control plane of Software Defined Networking (SDN), the task to handle the flow information is much more simplified programmatically. The accuracy of the measured flow statistic play important role in anomaly detection. While the use of sampling is capable to lessen the scalability problem of traffic monitoring, the insufficiency of sampled flow statistic may led to inaccurate detection rate of anomaly. In this paper, we propose an adaptive sampling strategy that is able to provide essential traffic statistics for accurate anomaly detection in SDN. Our sampling mechanism utilizes the clustering analysis, which is used to classify the attack in the network to determine the severity of monitored traffic. By manipulating the type of service of incoming packet together, these two important parameter formulate our sampling mechanism algorithm.

Full Text:



S. Jain, A. Kumar, S.Mandal, J. Ong, L. Poutievski, A. Singh, S. Venkata, J.Wanderer, J. Zhou, M. Zhu, J. Zolla, U. Holzle, S. Stuart, and A. Vahdat, “B4: Experience with a Globally-deployed Software DefinedWAN,” SIGCOMM Comput. Commun. Rev., vol. 43, no. 4, pp. 3–14, Aug. 2013

P. Barford and D. Plonka, “Characteristics of Network Traffic Flow Anomalies,” Proc. 1st ACM SIGCOMM Internet Measurement Wksp, San Francis- co, CA, Nov. 2001, pp. 69–74.

POX.’An Openflow Controller’, Online Referencing, (2008, accessed May 2015).

Y. Gu, A. McCallum, and D. Towsley, “Detecting anomalies in network traffic using maximum entropy estimation,” in Proc. Internet Measurement Conference, 2005

RAMADAS, M., OSTERMANN, S., AND TJADEN, B. C., “Detecting anomalous network traffic with self-organizing maps.” In Proceedings of the Conference on Recent Advances in Intrusion Detection. 2003, 36–54

Ed. Belson David, “The State of the Internet,” Volume 6, Number 2, Akamai Internet Quarterly Report, Online Referencing, (2013, accessed March 2015).

Open Networking Foundation, "OpenFlow switch specification, version 1.3.", Online Referencing, (2012, accessed April 2015).

Mininet, “An Instant Virtual Network on your Laptop”, Online Referencing, (2012, accessed April 2015).

Ben Plaff et al., Extending networking into the virtualization layer, in: 8th ACM Workshop on Hot Topics in Networks (HotNets-VIII), New York, City, 2009.

CAIDA, “The CAIDA UCSD Anonymized Internet traces 2013.”, Online Referencing, (2013, accessed August 2015).

Tcpreplay, Online Referencing, June 2015).

SCAPY, Online Referencing, (accessed June 2015).

Rodrigo Braga, Edjard Mota, Alexandre Passito, Lightweight DDoS flooding attack detection using NOX/OpenFlow, in: LCN ‘10 Proceedings of the 2010 IEEE 35th Conference on Local, Computer, 2010, pp. 408–415.

Syed Akbar Mehdi, Junaid Khalid, Syed Ali Khayam, Revisiting traffic anomaly detection using software defined networking, in: RAID’11 Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection, 2011, pp. 161–180.

K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, “Combining openflow and sflow for an effective and scalable anomaly detection and mitigation mechanism on sdn environments,” Computer Networks, vol. 62, no. 0, pp. 122 – 136, 2014.



  • There are currently no refbacks.