Athena: A Framework for Scalable Anomaly Detection in Software-Defined Networks

Lee, Seunghyeon; Kim, Jinwoo; Shin, Seungwon; Porras, Phillip; Yegneswaran, Vinod

doi:10.1109/dsn.2017.42

Cited by 52 publications

(27 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Aggregate network load observed at various locations suggests the overall health of a network [5], and the ratio of correspondence between pair flows can suggest asymmetry and in many cases illegitimacy [10]. Generic volume-based statistics (counts, counts per duration, average packet sizes) have seen effectiveness in such as k-nearest neighbours classifiers trained to detect DDoS attacks in progress [15]. Most importantly, there is evidence showing behavioural changes in response to bandwidth expansion [7], suggesting similar artefacts might arise after throttling, packet drop, or other interference.…”

Section: Motivationmentioning

confidence: 99%

“…Athena [15] is a generalised SDN framework for intrusion detection, but has shown the use of a k-nearest neighbours classifier to detect individual attack flows. Although heavyweight (and proven to be effective compared with Braga et al [41]), their comparison against SPIFFY lacks the quantitative evidence required to understand how the system compares.…”

Section: X R E L At E D W O R Kmentioning

confidence: 99%

See 1 more Smart Citation

Per-Host DDoS Mitigation by Direct-Control Reinforcement Learning

Simpson

Simon

Pezaros

2020

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

DDoS attacks plague the availability of online services today, yet like many cybersecurity problems are evolving and non-stationary. Normal and attack patterns shift as new protocols and applications are introduced, further compounded by burstiness and seasonal variation. Accordingly, it is difficult to apply machine learning-based techniques and defences in practice. Reinforcement learning (RL) may overcome this detection problem for DDoS attacks by managing and monitoring consequences; an agent's role is to learn to optimise performance criteria (which are always available) in an online manner. We advance the stateof-the-art in RL-based DDoS mitigation by introducing two agent classes designed to act on a per-flow basis, in a protocol-agnostic manner for any network topology. This is supported by an indepth investigation of feature suitability and empirical evaluation. Our results show the existence of flow features with high predictive power for different traffic classes, when used as a basis for feedback-loop-like control. We show that the new RL agent models can offer a significant increase in goodput of legitimate TCP traffic for many choices of host density.

show abstract

Section: Motivationmentioning

confidence: 99%

Section: X R E L At E D W O R Kmentioning

confidence: 99%

Per-Host DDoS Mitigation by Direct-Control Reinforcement Learning

Simpson

Simon

Pezaros

2020

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

show abstract

“…These controls did the performance in this suggested system for enhancing the security levels. Lee et al recommended an Athena that comprised a scalable anomaly detection‐based SDN framework for supporting the ML‐based network anomaly detection unequivocally. This paper suggests a new network model for transmitting the data packets without affecting the data plane.…”

Section: Related Workmentioning

confidence: 99%

A meta‐heuristic Bayesian network classification for intrusion detection

Prasath

Perumal

2018

Int J Network Mgmt

View full text Add to dashboard Cite

Software-defined networking (SDN) is an innovative network paradigm much in demand today in academics and industry. In this network, the SDN controller must be able to observe and examine traffic flow through the network systems. However, intrusion-based data packets affect the whole system is a major drawback. To overcome this issue, we propose a Novel Agent Program (NAP) framework for preventing switches from the external compromised attacks. A Meta-Heuristic Bayesian Network Classification (MHBNC) algorithm for intrusion detection is proposed in this paper. The proposed algorithm follows certain procedures for preprocessing, feature selection, feature optimization, and classification. Normal and anomaly-based data packets are classified successfully with its improved detection capabilities based on the optimization technique. The simulation results of the proposed ID_MBC (intrusion detection based on meta-heuristic Bayesian classifier) technique is compared with existing techniques such as the association rule, PSO+GA, and the GA+RVM. The proposed MHBNC classifier performs better than existing methods.Int J Network Mgmt. 2019;29:e2047.wileyonlinelibrary.com/journal/nem

show abstract

“…However, the flow data does not contain any payload or applicationlayer protocol headers and therefore limits the data analysis. Therefore, IDS based on OpenFlow monitoring work well for those attacks that have a distinct signature on flow level, such as DDoS attacks (Lee et al 2017). Shirali-Shahreza and Ganjali (2013) propose to extend OpenFlow such that the controller has full access to the packet payload.…”

Section: Sdn For Intrusion Detection and Ics Securitymentioning

confidence: 99%

A Two-level Intrusion Detection System for Industrial Control System Networks using P4

Ndonda

Sadre

2018

Electronic Workshops in Computing

View full text Add to dashboard Cite

The increasing number of attacks against Industrial Control Systems (ICS) have shown the vulnerability of these systems. Many ICS network protocols have no security mechanism and the requirements on high availability and real-time communication make it challenging to apply intrusive security measures. In this paper, we propose a two-level intrusion detection system for ICS networks based on Software Defined Networking (SDN). The first level consists of flow and Modbus whitelists, leveraging P4 for efficient real-time monitoring. The second level is a deep packet inspector communicating with an SDN controller to update the whitelists of the first level. We show by experiments in an emulated environment that our design has only a small impact on communication latencies in the ICS and is efficient against Modbus/TCP oriented attacks.

show abstract

Athena: A Framework for Scalable Anomaly Detection in Software-Defined Networks

Cited by 52 publications

References 16 publications

Per-Host DDoS Mitigation by Direct-Control Reinforcement Learning

Per-Host DDoS Mitigation by Direct-Control Reinforcement Learning

A meta‐heuristic Bayesian network classification for intrusion detection

A Two-level Intrusion Detection System for Industrial Control System Networks using P4

Contact Info

Product

Resources

About