University of Oulu

Evaluation of machine learning techniques for intrusion detection in software defined networking

Saved in:
Author: Ahmad, Ahnaf1
Organizations: 1University of Oulu, Faculty of Information Technology and Electrical Engineering, Communications Engineering
Format: ebook
Version: published version
Access: open
Online Access: PDF Full Text (PDF, 3 MB)
Pages: 50
Persistent link:
Language: English
Published: Oulu : A. Ahmad, 2020
Publish Date: 2020-07-15
Thesis type: Master's thesis (tech)
Tutor: Ylianttila, Mika
Reviewer: Ylianttila, Mika
Harjula, Erkki


The widespread growth of the Internet paved the way for the need of a new network architecture which was filled by Software Defined Networking (SDN). SDN separated the control and data planes to overcome the challenges that came along with the rapid growth and complexity of the network architecture. However, centralizing the new architecture also introduced new security challenges and created the demand for stronger security measures. The focus is on the Intrusion Detection System (IDS) for a Distributed Denial of Service (DDoS) attack which is a serious threat to the network system. There are several ways of detecting an attack and with the rapid growth of machine learning (ML) and artificial intelligence, the study evaluates several ML algorithms for detecting DDoS attacks on the system.

Several factors have an effect on the performance of ML based IDS in SDN. Feature selection, training dataset, and implementation of the classifying models are some of the important factors. The balance between usage of resources and the performance of the implemented model is important. The model implemented in the thesis uses a dataset created from the traffic flow within the system and models being used are Support Vector Machine (SVM), Naive-Bayes, Decision Tree and Logistic Regression. The accuracy of the models has been over 95% apart from Logistic Regression which has 90% accuracy. The ML based algorithm has been more accurate than the non-ML based algorithm. It learns from different features of the traffic flow to differentiate between normal traffic and attack traffic. Most of the previously implemented ML based IDS are based on public datasets. Using a dataset created from the flow of the experimental environment allows training of the model from a real-time dataset. However, the experiment only detects the traffic and does not take any action. However, these promising results can be used for further development of the model.

see all

Copyright information: © Ahnaf Ahmad, 2020. This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.