Enhancing Intrusion Detection System for Software-Defined Networks Based on Machine Learning

An intrusion detection system (IDS) is a technology that relies on monitoring network and packet traffic in real time to determine whether a packet present on the network is malicious or unwanted, while also identifying the general behavior of the network and any abnormal behavior [1]. Big data, strong computer resources, and network growth raise the requirement for the necessary tasks that must be done simultaneously in real time. As a result, IDS should monitor with caution, accuracy, and precision qualities that have not been present in prior techniques [2]. However, it is very remarkable how quickly the machine. The accuracy of learning algorithms has increased. Its introduction is based on the increasing demand for improved performance in many kinds of networks [3]. However, the software-defined network (SDN) implementation of the network-based IDS has opened up a new channel for its adoption due to the increasing diversity and magnitude of security threats in modern networks [4]. The exponential growth in network data volume and linked devices is accompanied by inherent security risks. The expansion of some technologies such as artificial intelligence (AI) tools, the Internet of Things (IoT), and quantum computing [5] leads to an increased amount of danger and attack, thereby complicating making network security challenging to implement and necessitating a new paradigm. The demand for sophisticated, flexible, and resilient security implementation has increased because of several assaults [6]. A novel technique that has been researched in recent years, SDN can be defined as a networking architecture that splits it into a control plane (decision-making) and a data plane (packet forwarding) in the network. As seen in Figure 1, the network management tasks are shifted from the various networking devices to a centralized controller, making it simpler to monitor and configure the network overall [7]. It’s crucial to remember that SDN itself adds additional software components, including the controller and related software stack, even if it can aid in lowering the software complexity of network administration [8]. When implementing SDN, consideration should be given to the complexity of these components, which must be maintained and controlled. But all things considered, SDN’s centralization, abstraction, programmability, and automation features help to streamline network administration and lower software complexity [9]. However, SDN is now open to assaults due to centralization, insecure controller communication, and improper authorization and authentication [10]. Data analytics has grown in popularity and usage across a wide range of application were used; this is due to the recent massive rise in computer power. The shortcomings of conventional IDS have drawn increased attention to the utilization of Machine Learning (ML) for advanced combat assaults and enhanced security [11]. The use of machine learning algorithms for malware detection [12], network intrusion detection [13], and botnet attack detection [14] has been investigated by the research community. By learning from experience, machine learning (ML) techniques might help the detecting system become more autonomous. Traditional networks have mostly used these methods to categorize harmful traffic and network assaults [15]. They have demonstrated significant promise in the categorization of network traffic and are frequently used for classification and prediction tasks [16]. The main advantage of using ML techniques in SDN is their capacity to impact network-wide security standards, as opposed to more localized policy implementation in traditional networks [17].

1.png

Figure 1. SDN structure [7]

Three types of machine learning algorithms are frequently distinguished: supervised, unsupervised, and semi-supervised. In IDS, supervised machine learning techniques perform better than unsupervised and reinforced learning, claims [18]. Furthermore, the performance of machine learning techniques is discovered to be influenced by the types of data and learning approaches [19]. This work attempts to examine the potential of ML approaches in offering dependable security protection for SDN, considering previous research that uses a variety of ML algorithms and compares the accuracy and performance of various supervised algorithms. This research specifically examines five machine-learning techniques: Naive Bayes (NB), K-Nearest Neighbor (KNN), Support Vector Machine (SVM), Random Forest (RF), and Decision Tree (DT).

The primary contributions of this paper are as follows:

• The paper proposes an in-depth analysis, and comparative study of five machine learning algorithms, NB, KNN, SVM, RF, and DT, applied to intrusion detection within SDNs.
• It discusses how each algorithm varies in terms of accuracy, precision, recall, and F-score, outlining the most appropriate techniques that shall serve in enhancing the detection capabilities in the SDN environment.
• Because the study focuses on SDNs, it addresses challenges in dynamic and scalable network architectures, hence assuring that the proposed techniques will be optimized for threat detection.
• The contribution of this research study leads to the development of a robust and adaptable IDS framework that will use machine learning and can be integrated into SDN infrastructures to enhance network security.
• One significant contribution of using feature selection techniques in machine learning for IDS within SDN is the enhancement of detection accuracy. By identifying and retaining only the most relevant features from a potentially high-dimensional dataset, feature selection minimizes noise and reduces the risk of overfitting.

The remainder of the paper is structured as follows: The second section of the text is devoted to an examination of the extant literature and related research. The methodological description along with the implementation of machine learning models coupled with the used dataset has been described in Section 3. Section 4 presents the results and a comparison of the results, while Section 5 presents a discussion of the findings.

1.1 Research questions

RQ1. How is the creation of SND facilitated by flow-based network intrusion detection?

RQ2. How may machine learning be used to increase the accuracy of intrusion detection in SDN architectures with limited raw features?

RQ3. How can the system’s throughput and latency performance be assessed?

RQ4. How can the feature selection techniques enhance the performance of ML algorithms?

2.png

Figure 2. The proposed IDS ML-based methodologies architecture

The preprocessing starts with data division; dividing the dataset into training and testing, usually in 70-30 proportions helps analyze the generalized performance of the machine learning model, while the data pre-processing step involves preparations of the dataset, making it ready for analysis. It includes normalization to enhance the performance of distance-based models like KNN. This step is, therefore, crucial for noise reduction and ensuring the integrity of the data for training the model. Classification is done after preprocessing with five machine learning techniques usually supervised: NB, KNN, SVM, RF, and DT. Each model will be trained based on pre-processed data to identify and classify network intrusions. In this regard, each classifier's performances are measured based on accuracy, precision, recall, and F1-score so that no comparison is left concerning the efficacies brought in by these algorithms in finding cybersecurity threats using the UNSW-NB15 dataset.

3.1 UNSW-NB15 dataset description

The UNSW-NB15 dataset had evolved by the Australian Center for Cyber Security (ACCS) in partnership with other academics from across the world. The IXIA Perfect Storm program was utilized to generate a diverse array of both standard and atypical contemporary network traffic. The IXIA tool proactively gathers and compiles information systems security vulnerabilities and exposures that are known to the public. It serves as a useful resource for learning about contemporary public attacks.

The UNSW-NB15 dataset embeds many contemporary low-key assaults in an attempt to replicate contemporary network settings. The dataset's 10 different traffic types are normal, fuzzing, analysis, backdoor, DOS, exploits, generic, reconnaissance, and worms [36].

3.2 Data preprocessing

Data can contain different types of data, whether images, audio files, video clips, structured and unstructured tables, etc. The free text, video, or image must be converted into 1s and 0s since a machine cannot comprehend it in its original form. Therefore, the utilization of raw data directly input into a machine learning model is not a viable approach to achieve the desired results [37]. The first stage of machine learning is called data preprocessing, during which the input is changed or encoded so that the computer can process or read it more rapidly. Stated differently, it might also mean that the model method can quickly assess the data's characteristics. The most significant and influencing factor in a supervised machine learning algorithm’s ability to generalize is data pre-processing [38]. About the input space dimension, the amount of training data increases exponentially. Pre-processing is an important process for model construction since the model can account for a range of 50% to 80% of the whole classification process, according to estimates. Furthermore, enhancing the quality of the data is also necessary for amended performance of the model [39].

Data Splitting: is an important technique used for removing or minimizing bias in training data that have used in machine learning models. The researchers invariably execute some procedure to circumvent the production of overfitting machine learning algorithms that could demonstrate substandard performance on authentic test data. Data scientists and analysts typically divide the datasets into several distinct subsets, which they then use to train various parameters [40]. One of the very common methodologies in machine learning, when it comes to splitting data for model performance assessment, is this k-fold cross-validation approach. Unlike splitting the data into a fixed training and testing set, this approach splits the data into "K" roughly equal-sized subsets (or folds) [41]. The remaining "K-1" folds are used as the training set, and the model is trained and validated "K" times, using a different fold as the validation set each time. This gives the performance evaluation greater robustness by guaranteeing that every data point is used for both training and validation. K-fold cross-validation reduces variance associated with a single estimate, hence giving a better estimate of how well the model will generalize to unseen data. It also makes the outcome of the evaluation less sensitive to the way the data has been initially split. Common choices are 5-fold or 10-fold cross-validation, but the number of folds can vary depending on the size of the dataset and the computational resources. This technique is particularly useful when working with limited data, as it maximizes the use of available information [42].

Data Normalization: Certain features in the “UNSW-NB15” dataset may have lower values than others, while other features may have comparatively higher values. Furthermore, because the classification algorithm may be biased in favor of characteristics with larger values, out-of-range values may yield inaccurate findings. To prevent the outweighing issue, which would prefer features with higher values over those with lower ones, data standardization is crucial. There are several normalization methods, including traditional scalar approaches and min-max. As stated in Eq. (1), the min-max approach is used in this work to scale the feature values between zero and one.

$Z=\frac{x-\min (x)}{\max (x)-\min (x)}$  (1)

where, X stands for the feature value and Z for the normalized value. The maximum and minimum feature amounts are denoted by max(x) and min(x) respectively [43]. Normalization in this work involves scaling certain features of the dataset within a common range, usually between 0 and 1 or -1 and 1. And this method was chosen because it preserves the distribution of the data and ensures that all features have the same range, making it easier for the model to learn from the data. This helps in reducing different magnitudes and units across features, making it impossible for one feature to dominate others in the learning process. Convergence happens more efficiently and faster; thus, with normalized data, algorithms make better models and yield accurate results. Besides, it stabilizes gradient descent and other methods of optimization. In general, normalization improves the robustness of machine learning models.

3.3 Features selection stage

The field of machine learning relies primarily on feature selection and extraction from the database that have been used. Furthermore, it is worth noting that incorporating a large number of features from the database can lead to increased model complexity and increased training time. Therefore, selecting relevant features is essential for the effectiveness of machine learning approaches. Therefore, an effective feature selection strategy must be followed carefully to address this problem [44]. There is an important thing to get successful implementation of machine learning algorithms: a judicious selection of relevant features selection is of paramount importance. It has been posited that the omission of certain elements, which are of the utmost importance, may result in a consequential deficiency in the accuracy of the results. A multitude of issues must be addressed. A variety of feature selection techniques are applied in the field of machine learning. These consist of recursive feature elimination, chi-square, and backward feature selection [45]. These methods are applied according to correlation, dimensionality, and datasets. In our model, we employed a variety of methods, including recursive feature elimination (RFE), backward elimination, and forward feature selection, to identify the most salient features. These techniques were selected because they yielded higher accuracies compared to other methods.

1. Recursive Feature Elimination (RFE) “1st technique”

RFE is a wrapper feature selection method that recursively eliminates the least important features based on a predefined model performance metric. In each iteration, the model is retrained with the remaining features until the optimum subset of features is achieved. This method is particularly efficient in feature dimensionality reduction while preserving important features [46]. RFE improves model interpretability and reduces computational complexity by focusing on the most impactful attributes. This has extensive use both in linear and nonlinear models.

2. Backward Elimination “2nd technique”

Backward selection starts by considering all the available features and iteratively removes the least relevant among them [47]. After the model retraining in each step, one can check the removal effect of any particular feature. This process is continued until an optimal subset of features is obtained that balances performance with simplicity. Backward selection is computational for large data but gives more elaborative insight into the relevance of the features. This reduces overfitting by eliminating either irrelevant or redundant features, hence increasing the efficiency of the model.

3. Forward Feature Selection “3rd technique”

Forward selection is the process where an empty set of features is considered at the start, and one feature is progressively added based on its contribution to model improvement. At each step, the feature whose addition increases any performance metric, including accuracy and AUC, is included in the set of selected features. This is computationally much easier than backward elimination and is therefore suitable for high-dimensional data. Forward selection guarantees that only the most relevant features are used, which enhances model accuracy and reduces the possibility of overfitting. It is useful when the computational resources are limited [48].

3.4 Machine learning-based intrusion detection

An AI technology and subset of artificial intelligent that called machine learning (ML) investigates different approaches to learning from and forecasting data. It uses features that correspond to an object’s features to find and learn data patterns. Supervised learning and unsupervised learning are the two main subcategories of ML [49]. Supervised learning requires labeled data with relevant information, but classification is a common problem. Manual tagging is costly and time-consuming, making it difficult to obtain enough annotated data. Unsupervised learning is simpler to implement but can extract relevant feature information from unlabeled data. Despite this, supervised learning techniques often outperform unsupervised learning in detection [50]. The intrusion detection with five machine learning techniques involves the training of NB, KNN, SVM, RF, and DT algorithms on how to recognize malicious activities within the traffic as shown in Figure 3.

Figure 3. ML-based intrusion detection model

Each method processes the input features extracted from the dataset to classify the traffic as normal or suspicious. NB is based on probabilistic inference using feature distributions, while KNN decides on the class of a data point based on the analysis of its closest neighbors in the feature space. SVM develops hyperplanes to separate classes, trying to provide a maximal margin between the instances that belong to normal and attack classes. RF combines several DT for robust classification by aggregating outputs of trees, while DT develops a flowchart-like model composition based on decision rules derived from the dataset itself. By using these algorithms, it enables the detection of both known and newly emerging threats through learning complex patterns within network flows.

KNN: The KNN method uses the nearest means to divide a dataset into sets that are either malicious or non-malicious. It takes prior training to make accurate predictions. To determine the weight of each attribute, we first determined the probability of each of the K neighbors to be classified using the KNN. The dataset, or new instance (X), is provided, and the Euclidean distance is calculated in terms of locating the associated class variable as indicated by equation in order to determine the output variable.

$Euclidean_{i, j}=\sqrt{\sum_{k=1}^n\left(x_{i k}-y_{i k}\right)}$   (2)

where, $\left(x_i\right)$ represents a new instance, $\left(y_j\right)$ represents an old instance [51].

SVM: it is a machine learning tool that has been used for different models to get classification and regression. An SVM operates by using critical data points known as support vectors to determine the optimal hyperplane to optimize the margin between classes. It can handle both linearly and non-linearly separable data thanks to the kernel approach, which comprises the linear, polynomial, and radial basis functions and sigmoid kernels. It works especially well for classification issues that are binary or even multi-class. The equation for a SVM classifier can be represented as Eq. (3):

$f(x)=W^T x+b$   (3)

where, $f(x)$ is the decision function indicating the label of the class of the input, w defines the orientation of the hyperplane because it is the weight vector, x represents an input feature vector, and b is the bias term, shifting the hyperplane away from the origin [52, 53].

RF: is a technique for ensemble learning that uses numerous decision trees to generate predictions. Also, it can demonstrate how to enhance the classification and regression tasks by training multiple decision trees on various subsamples of the data set. After that, the predictions of these distinct trees are then integrated to enhance accuracy and prevent overfitting. The equation of RF is based on an aggregation of many decision trees’ predictions as Eq. (4). The final prediction $\breve{y}$ for a given input x can be expressed as:

$\breve{y}=\frac{1}{N} \sum_{i=1}^N T_i x$  (4)

The forest has a total of $N$ decision trees, while $T_i x$ indicates the forecast for the input $x$ that the $i$-th decision tree made [54].

NB: is predicated on the idea that features are naïvely and independently unconnected to one another. Based on observed feature values, it computes the posterior probability of classes using the Bayes theorem. Gaussian, Multinomial, and Bernoulli Naive Bayes algorithms are available, depending on the kind of distribution that is assumed for the features. Naive Bayes has gained popularity for a variety of applications due to its ease of use and effectiveness in training and prediction tasks [55]. The equation for a Nb is shown in Eq. (5).

$p(c \mid x)=\frac{p(x \mid c) p(c)}{p(x)}$       (5)

$p(c)$ is the posterior probability of class ($c$, target) ($x$, characteristics) given the predictor, $p(x)$ is the prior probability of the predictor, $p(c)$ is the historical probability of a specific class, and $p(c \mid x)$ is the probability of a predictor in a specific class [56].

DT: is an approach to prediction tasks that divide the predictor space into easily analysed segments. Regression and classification of real-world scenarios are two more uses for it. Additionally, the machine learning algorithm to decision tree structures makes decisions based on the feature values. In contrast, the root of the tree is located at the very top. In addition to gradually evolving the decision tree, the branches are constructed using objective rules derived from the features of the dataset [57].

To create a decision tree, follow these steps [58]:

1. Divide the entire dataset into training and test sets.
2. Use the training set as an input to the tree's root.
3. Use information theory to find the root, as demonstrated in (2).
4. Follow the prone procedure.
5. Repeat steps 1 through 4 until all nodes have become leaf nodes.

As show in the Eqs. (6) and (7) the entropy equation.

$Entropy\, E(H)=\sum_{k=1}^d-P_j \log _2 P_j$    (6)

$\begin{gathered}\text { information gain }=\text { Entropy }(\text { before })- \sum_{k=1}^d \text { Entropy }(j \backslash k, \text { later })\end{gathered}$    (7)

To achieve this, the algorithm progressively separates the database into several subgroups based on entropy or information amount, and it continues to do so until a halt condition is satisfied [59].

3.5 Model evaluation

Several evaluation methodologies are chosen to gauge the effectiveness of the employed ML techniques to give a thorough explanation of the outcomes of ML-based IDS. Specifically, the confusion matrix, displayed in Table 1, is used to evaluate the performance of the detection rate using precision, recall, F-measure, and accuracy metrics, as detailed below [60, 61].

Table 1. Typical structure of confusion matrix [61]

where, TP is true positive, FP is False Portative, FN is false negative, TN is true negative.

Accuracy: According to Eq. (8), accuracy is defined as the ratio of the model's accurate data to the whole data, as shown below.

Accuracy $=\frac{\mathrm{T P+T N}}{\mathrm{T P+T N+FP+F N}}$    (8)

Precision: The percentage of actual cases among all positive examples found by the model (TP) is what defines precision, which is described in Eq. (9). Stated differently, it indicates the proportion of classified assault incidents that are truly classed as an attack.

Precision $=\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FP}}$  (9)

Recall: is defined as the proportion of attack traffic instances overall, as provided by Eq. (10) to the number of attacks that the model classified as attacks. It shows the proportion of real cases that were disclosed to all true instances.

Recall $=\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FN}}$  (10)

F1-Score: This metric provides a harmonic average measurement of an estimator's sensitivity and precision and is defined in Eq. (11).

F - score $=2 * \frac{\text { precision } * \text { recall }}{\text { precision }+ \text { recall }}$  (11)