
Two-stage machine learning for efficient network intrusion detection in software defined networks

Research output: Chapter in Book/Report/Published conference proceeding › Conference contribution › peer-review

Abstract

Intrusion detection in computer networks is vital to mitigate the growing number of internet-based attacks, and machine learning (ML) is an ideal candidate for classifying malicious traffic. However, due to high traffic volumes, existing ML approaches can be too computationally intensive for packet-level intrusion detection in practical networks; this important constraint is not considered by most ML-based intrusion detection research. This paper proposes a novel two-stage machine learning based solution for intrusion detection leveraging software-defined networking (SDN). The proposed solution distributes the machine learning tasks between a centralized classifier in the SDN controller and classifiers deployed at edge SDN switches. The centralized classifier uses straightforward, low-data-rate flow statistics to identify traffic flows as benign/malicious/uncertain. This centralized classification is used to instruct edge switches, through OpenFlow, to either forward or drop traffic that is highly probably benign/malicious, and to pass only uncertain traffic to a packet-based classifier at the edge. The proposal is evaluated using real traffic flow measurements to show that the processing requirements of the hierarchical approach are two or three orders of magnitude less than those of existing, purely edge-based ML approaches.
Original language: English
Title of host publication: IEEE Xplore Publications
Publisher: IEEE
Number of pages: 6
Publication status: Published - 26 May 2025
Event: IEEE International Conference on Machine Learning for Communication and Networking: ICMLCN - Barcelona, Spain
Duration: 26 May 2025 → 29 May 2025
https://icmlcn2025.ieee-icmlcn.org/

Conference

Conference: IEEE International Conference on Machine Learning for Communication and Networking
Country/Territory: Spain
City: Barcelona
Period: 26/05/25 → 29/05/25