AI-Based Intrusion Detection Systems for Software-Defined Networks

Abstract

Software-Defined Networks (SDNs) decouple the control plane from the data plane, enabling centralized orchestration, dynamic programmability, and fine-grained resource management across complex network fabrics. While these innovations accelerate deployment of new services and simplify policy enforcement, they also introduce novel attack surfaces: the logically centralized controller becomes a high-value target for adversaries seeking to manipulate flow rules, disrupt network topology, or exfiltrate sensitive information. Traditional signature-based intrusion detection systems (IDSs) are ill-suited for such environments, as they rely on static rule sets and often incur significant performance overhead when processing high-velocity, flow-level telemetry. To address these limitations, this study proposes a hybrid deep learning-based IDS specifically tailored for SDN architectures. The system integrates a lightweight Data Collection Module within the SDN controller’s northbound interface to capture real-time flow statistics—packet counts, byte counts, flow durations, and inter-arrival times—across sliding windows. A robust Feature Engineering Pipeline then normalizes continuous variables, encodes categorical fields, and computes higher‐order statistical descriptors (e.g., skewness, kurtosis) over microflow batches. These enriched vectors feed into a novel detection engine combining one-dimensional Convolutional Neural Network (CNN) layers for spatial correlation learning and a Long Short-Term Memory (LSTM) layer for temporal pattern recognition, culminating in a sigmoid-activated output layer for binary classification.

Experimental evaluation leverages a Mininet-based SDN testbed with an OpenDaylight controller and twenty emulated hosts generating mixed benign and malicious traffic. The NSL-KDD dataset is adapted to reflect SDN-specific flows, supplemented by synthetic attack traces including distributed denial-of-service (DDoS), TCP port scanning, and covert DNS tunneling. Training and validation employ a 70/15/15 split, with Synthetic Minority Over-Sampling Technique (SMOTE) to mitigate class imbalance. Hyperparameters are tuned via grid search: convolutional filters at 64 and 128 kernels, LSTM units at 100, learning rate of 0.001, and dropout at 50%. Performance is benchmarked against a baseline Snort deployment using default SDN rule sets.

Statistical analysis reveals that the proposed AI-based IDS achieves 98.5% detection accuracy—an 8.4% improvement over the baseline—alongside a false-positive rate of 1.2%, compared to 7.5% for the signature-based system. Precision and recall both exceed 96%, demonstrating balanced detection of known and zero-day threats. Simulation under varying network loads (100 Mbps, 500 Mbps, 1 Gbps) confirms sustained accuracy above 98% and end-to-end detection latency below 220 ms, suitable for real-time deployments. These results underscore the viability of leveraging deep learning techniques to fortify SDN infrastructures against sophisticated cyber threats without compromising performance.