Information Entropy based Network Anomaly Detection in Software-Defined Networking : Network Anomaly Detection Using Information Entropy in SDN

DC Field | Value | Language
dc.contributor.advisor | 김종권 | -
dc.contributor.author | 김나언 | -
dc.date.accessioned | 2018-05-29T03:32:32Z | -
dc.date.available | 2018-05-29T03:32:32Z | -
dc.date.issued | 2018-02 | -
dc.identifier.other | 000000150239 | -
dc.identifier.uri | https://hdl.handle.net/10371/141555 | -
dc.description | Thesis (Master's) -- Seoul National University Graduate School : College of Engineering, Department of Computer Science and Engineering, 2018. 2. 김종권. | -
dc.description.abstract | Due to the spread of various smart devices and the concomitant rise of network traffic rate, the importance of network infrastructure to accommodate them is increasing. As the network environment changes, a flexible and efficient network infrastructure that can easily deal with this has become necessary. So, Software-Defined Networking (SDN) has gained a lot of attention in recent years. SDN separates the physical forwarding function and logical control function of the network, and it centrally controls the network via API. However, the centralized control and programmable characteristics bring a lot of security issues. To mitigate security threats in SDN, many researchers have tried to monitor network traffic. In particular, to monitor an SDN network, they collect flow statistics from the OpenFlow switches and detect network anomalies in the controller. But when the network scale becomes large, the flow statistics collecting process burdens the communication between the OpenFlow switches and the controller. In this thesis, we design a flow aggregation module in the OpenFlow switch based on the flow-based nature of SDN. This lightens the controller's overhead caused by the flow statistics collecting process and achieves a distributed flow statistics collection in SDN. In view of computing overhead and scalability, we apply information entropy to monitor and detect network anomalies in the controller. Information entropy is an important concept of information theory, which is a measure of the uncertainty or randomness associated with data. We prove the practicality of the proposed network anomaly detection mechanism by using real legitimate and malicious traffic traces. The proposed mechanism achieves a high detection accuracy with a low false positive rate and significantly improves CPU utilization, compared with previous work. | -
dc.description.tableofcontents | CHAPTER Ⅰ: Introduction 1
CHAPTER Ⅱ: Background 4
CHAPTER Ⅲ: Related Work 7
CHAPTER Ⅳ: Analysis of Network Anomalies 9
4.1 Network Anomaly Detection 9
4.2 DDoS 10
4.3 Hostscan and Portscan 10
CHAPTER Ⅴ: Proposed Mechanism 13
5.1 Adversary Model 13
5.2 Information Entropy based Network Anomaly Detection in SDN 15
5.3 Flow Aggregation 16
5.4 Anomaly Detection 18
5.5 Anomaly Mitigation 20
CHAPTER Ⅵ: Evaluation 21
6.1 Experiment Setup 21
6.2 Network Traffic Dataset 22
6.3 Performance Analysis 23
CHAPTER Ⅶ: Conclusion 31
BIBLIOGRAPHY 32
Abstract 35 | -
dc.format | application/pdf | -
dc.format.extent | 990801 bytes | -
dc.format.medium | application/pdf | -
dc.language.iso | en | -
dc.publisher | Seoul National University Graduate School | -
dc.subject | Software Defined Networking | -
dc.subject | SDN | -
dc.subject | Network Anomaly Detection | -
dc.subject | Network Traffic Monitoring | -
dc.subject | Information Entropy | -
dc.subject | Network Security | -
dc.subject.ddc | 621.39 | -
dc.title | Information Entropy based Network Anomaly Detection in Software-Defined Networking | -
dc.title.alternative | Network Anomaly Detection Using Information Entropy in SDN | -
dc.type | Thesis | -
dc.contributor.AlternativeAuthor | Kim Na Eon | -
dc.description.degree | Master | -
dc.contributor.affiliation | College of Engineering, Department of Computer Science and Engineering | -
dc.date.awarded | 2018-02 | -
Items in S-Space are protected by copyright, with all rights reserved, unless otherwise indicated.