Adaptive Anomaly Detection for SDN

Abstract

In traditional approach, extracting important features for the application to analyze the anomaly detection problem, introduce significant overhead on the way of switch handling. Furthermore, high volumes of network traffic introduce notable issues that affect the performance and anomaly detection accuracy. Taking advantage of centralized control plane of Software Defined Networking (SDN), the task to handle the flow information is much more simplified programmatically. The accuracy of the measured flow statistic play important role in anomaly detection. While the use of sampling is capable to lessen the scalability problem of traffic monitoring, the insufficiency of sampled flow statistic may led to inaccurate detection rate of anomaly. In this paper, we propose an adaptive sampling strategy that is able to provide essential traffic statistics for accurate anomaly detection in SDN. Our sampling mechanism utilizes the clustering analysis, which is used to classify the attack in the network to determine the severity of monitored traffic. By manipulating the type of service of incoming packet together, these two important parameter formulate our sampling mechanism algorithm.