See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/337603875

A Flow-based IDS for SDN-enabled Tactical Networks

Conference Paper · November 2019

DOI: 10.1109/IMITEC45504.2019.9015900

CITATIONS READS

8 558

3 authors:

Skhumbuzo Zwane Paul Tarwireyi

University of Zululand University of Zululand
4 PUBLICATIONS 50 CITATIONS 44 PUBLICATIONS 208 CITATIONS

SEE PROFILE SEE PROFILE

Matthew Adigun
University of Zululand
234 PUBLICATIONS 913 CITATIONS

SEE PROFILE

All content following this page was uploaded by Skhumbuzo Zwane on 28 November 2019.

The user has requested enhancement of the downloaded file.

 A Flow-based IDS for SDN-enabled Tactical
Networks
Skhumbuzo Zwane
Department of Computer Science
University of Zululand
KwaDlangezwa, South Africa
201144122@unizulu.ac.za
Paul Tarwireyi
Department of Computer Science
University of Zululand
KwaDlangezwa, South Africa
tarwireyiP@unizulu.ac.za
Matthew Adigun
Department of Computer Science
University of Zululand
KwaDlangezwa, South Africa
adigunM@unizulu.ac.za

Abstract—Tactical Mobile Ad hoc Networks (TMANET)
have received much attention in recent years due to their ability
to provide network connectivity to tactical mobile nodes in a
battlefield without any infrastructure. Additionally, they
provide decentralization, self-organizing, robustness and
scalability to tactical nodes. Research in the tactical network
domain indicates that network security remains a critical and
continuous issue that needs attention. Researchers have
identified the lack of a central management and control unit as
one of the limitations in such networks. That is, there is no single
management system by which the network and security services
can be configured and provisioned. This paper proposes a flow-
based Intrusion Detection System (IDS) framework for
TMANETs. The proposed flow-based IDS framework leverages
Machine Learning (ML) and software-defined network (SDN)
to achieve anomaly detection in TMANETs. The paper also
discusses the envisaged deployment scenarios and the
capabilities of the proposed system.
Keywords—Tactical MANET, Flow-based IDS, Machine
learning, Software Defined Networks, Network Security
I. INTRODUCTION
Mobile ad hoc networks (MANETs) have been adopted in
modern military communication systems due to their ability to
support tactical field operations in different areas without
infrastructure. MANETs are decentralized and have self-
organizing capabilities, which allow them to be robust and
scalable [1]. MANETs are usually deployed in the edge of the
tactical network to provide connectivity to individual nodes
active in tactical field operations. In that sense, a Tactical
MANET (TMANET) is a military communication network
supporting operations on the battlefield.
The increasing growth in technology renders security a
critical subject in networks [2] [3], especially T-MANETs
because any security breach can result in detrimental effects,
such as soldiers being killed or manipulated to engage into
unnecessary gunfights. Over the years, researchers in the
security domain have investigated how network intrusion
detection systems can be effective for securing and mitigating
network security violations. The goal of intrusion detection is
to monitor network assets or devices to detect anomalous
behaviors and misuse [4]. However, due to the network
structure and operational environment, deploying security
mechanisms to secure T-MANETs is very challenging [5].
Modern military communication systems present many
different challenging sets of problems to network operators
[6]. Network operators have to battle with the heavy reliance
on wireless barriers, which often offer a fraction of the
required capacity, the constant changes in quality of service
(QoS) requirements, and the possible take down, move, or
reinstallation of the network in a short notice. For example,
[6] argued that most of the issues in the tactical network are
due to that the is no single management system by which
network services can be configured and provisioned. The lack
of a central management unit makes it difficult to manage,
deploy and redeploy information services which limit the
agility and flexibility of a military force [6]. Hence, the lack
of central management not only limit force ability but also
network security applications.
Moreover, modern military equipment is gradually
embedded with ubiquitous sensing and computing devices [7].
Such devices are capable of collecting operational context
data, and communication information that can be used for the
task of intrusion detection. For example, Flow data has
become easy to acquire, with no significant resource
requirements to the network devices. In this work, we propose
an intrusion detection system, which use network flow data to
detect anomalies.
The proposed flow-based intrusion detection system
framework leverages Machine Learning (ML) and software-
defined network (SDN) for anomaly detection in TMANETs.
From the proposed framework, we describe the architectural
components, how SDN is leveraged, and the flow of events to
accomplish intrusion detection tasks. The paper further
discusses the envisaged deployment scenario with the
advantages and drawbacks of the proposed system.
Preliminary results indicate that flow-based detection
achieves satisfactory results when compared to packet-based
detection.
The rest of the paper is organized as follows, section II
presents the background and literature review, which focuses
on the SDN paradigm, adoption of SDN for tactical networks,
and flow-based intrusion detection methods. In section III the
proposed framework is described, the latter provides an
overview of the stages of the proposed method and the
application scenario and benefits achieved. Section IV
presents a performance study of machine learning methods.
Finally, section V concludes the paper and provide future
works.
II. BACKGROUND AND LITERATURE REVIEW
This section describes a general overview of SDN, SDN
in tactical networks, Flow-based IDS, and ML approaches
used for intrusion detection
A. Software Defined Networking (SDN)
In Software Defined Networks (SDN), the network
intelligence is logically centralized in software-based
controllers, known as Control Plane (CP), and network
devices become simple packet forwarding devices, known as
Data Plane (DP), that can be programmed via an open
interface such as OpenFlow [8]. The motivation for the
development of SDN was the lack of flexibility in traditional
networks. In traditional networks, the task of configuring or
updating network devices is very challenging because the
task is done manually. For example, configuring 100 network
devices located in different places could take several days or
weeks depending on the professionals available. Applying
changes in the network does not happen fast and accurate
enough. Additionally, this approach is prone to errors.
Another issue faced with traditional networks is the large
number of different network device vendors/manufacturers
which makes it difficult to find the right professionals to scale
up the infrastructure when needed.
A survey conducted by [6] presented some of the most
common challenges experienced in tactical networks. In the
list, the heavy reliance on wireless barriers, the critical
dependency of the commander on timely access to
information, and also the moving, reinstalling, and taking
down of the network in a short notice are the critical problems
reported. The authors proposed the adoption of SDN to
address problems experienced in tactical networks. Other
researchers have also proposed different frameworks and
SDN based architecture for tactical communication networks
[1], [9]. The work of [9] presented a practical implementation
of an SDN mobile ad hoc network. This work is one of a few
studies in the wireless network community to demonstrate the
SDN advantages in device-to-device (D2D) data
transmission and the flexibility introduced by centralized
network management. Another recent study in [1] proposed
different novel architecture designs for SDN-enable mobile
ad hoc network in the tactical field
B. Intrusion Detection using Network Flow Data
Flow data have been used over the years in a number of
applications, which include billing, network traffic analysis,
network visibility, congestion control, and more recently
intrusion detection [10]. The importance of flow data and its
applications have resulted in major vendors offering built-in
flow collection and export support in their network devices.
Examples include sFlow, IPFIX, and Cisco’s Netflow, which
is more popular.
In recent years flow-based intrusion detection methods
have attracted many researchers in the network security
domain due to the advantages they offer over the traditional
packet-based intrusion detection methods [10]. Key
advantages of Flow-based IDS (FIDS) include;
 The amount of data processed by FIDS is lesser, making
them better suitable for the protection of backbone links
where the processing of total network traffic is
computationally demanding.
 FIDS is an appropriate choice for intrusion detection
where network applications use end-to-end encryption
because no packet data scanning is required.
 FIDS has fewer privacy concerns because user
information is protected from any intermediate scans.
 Because modern network hardware offer built-in flow
collection support, flow data for FIDS can be collected
in multiple locations across the network without any
additional costs.
Generally, FIDS has a near real-time response, low
deployment cost, and the ability to operate on high-speed
backbone network links [10]. Networks with low energy
budget, high confidentiality, and real-time security
monitoring requirements can benefit from FIDS.
C. Machine Learning enabled IDS
The term Machine Learning (ML) was originally coined
in the 1960s by Arthur Lee Samuel. He defined ML as “a field
of study that gives computers the ability to learn without
being explicitly programmed”. ML is commonly used for
classification and prediction problems based on some known
properties previously learned from some training data. ML
techniques have been around for years, the emergence of new
computing technologies and availability of data allowed the
usage of ML methods in a more efficiently and in real-time
[11]. Recently, researchers [3], [12]–[14] in the intrusion
detection field have been attracted by ML techniques for the
task of intrusion detection. However, since ML is not a new
field, there are many different ML algorithms that can be used
for intrusion detection applications.
The most popular ML category for intrusion detection is
classification. Usually, standalone, hybrid and ensemble
classifiers are used, depending on the requirements and
resources available for the IDS. Different researchers in the
field of intrusion detection have conducted performance
analysis of machine learning methods for intrusion detection.
A recent study [15], reported that ensemble learning methods
performed better than single learning methods in terms of
accuracy. This demonstrates the applicability of ensemble
methods to address the high false-positive rate in T-MANET
as reported by [5]. On the other hand, [15] also reported that
single learning methods tend to be quicker when building and
testing the model.
D. ML and SDN based IDS
SDN offer built-in information gathering, flexibility,
programmability, and network global view, thus, it is
regarded as one of the best options for network data collection
and analysis. On the other hand, Machine learning has gained
popularity in the network security domain [14], [16], [17] due
to more network-enabled devices getting connected,
malicious activities becoming stealthier, and the emergence
of new technologies, such as SDN [3]. Over recent years,
many techniques have been proposed that use SDN and
machine learning (ML) for data collection, analysis, and
traffic classification.
In [18] a simple architecture for data collection in both
SDN networks and legacy networks using OpenFlow is
proposed. Their method is solely based on OpenFlow and can
be implemented as an SDN application in the controller. The
authors deployed a single OpenFlow switch in a non-SDN
enterprise production network. An HP E3800 OpenFlow
enabled switch and HP VAN SDN controller were used to run
their traffic monitoring application. The authors argued that
their set up was very lightweight and does not interfere with
the normal flow of traffic in the monitored network. The
extracted data were classified using ensemble machine
learning methods, such as random forest (RF) and two
variations of gradient boosting classifiers, namely; Stochastic
Gradient Boosting (SGB) and Extreme Gradient Boosting
(EGB). Their initial results indicated that supervised learning
algorithms can be used with their architecture and with the
data that is collected with high accuracy levels.
The work in [19] proposed an SDN based secure IoT
framework called SoftThings to detect abnormal behaviors
and attacks and to mitigate as appropriate. Their framework
used Support Vector Machine to classify traffic. The study
applied both linear and non-linear RBF kernel. They
conducted their experiments on Mininet network emulator,
and they were able to achieve 98% precision in attack
detection. In [20] an application-aware multipath flow
routing using machine learning in SDN is proposed. This
method uses the C4.5 decision tree algorithm on a 40-feature
dataset. DDoS attack detection and mitigation system in SDN
is proposed in [21]. This method employed entropy-based
feature extraction and SVM for attack detection. [22]
Proposed traffic classification deployed at Access Point using
C5.0 decision tree algorithm. 11 ML models were made
available in a library in [23], they can allow developers to
quickly develop network security applications that can
perform real-time detection and responses.
However, although integrating these two technologies
have been an active topic in recent years, little attention has
been paid to the gap between the initial work and practical
real-world deployments. In this work, OpenFlow and sFlow
are utilized to construct an intrusion detection system capable
of feedback control that optimizes performance and
automatically adapts the network to meet challenging
demands.
Fig. 1: Flow-based IDS model
III. PROPOSED FRAMEWORK
This section presents and describes the proposed flow- 2) Data Collection and Preparation
based intrusion detection system (FIDS) model, leveraging Flow records are exported to the flow collector which
SDN, and the flow of events. receive, store, and pre-process flow data from one or more
flow exporters in the network. The flow collector also
A. Proposed FIDS model conducts feature extraction, which includes the task of
The proposed model employs flow sampling techniques picking the optimal features that will be used by the model to
to acquire network flow data from SDN enabled network and successfully classify the records. The Collector then further
use ML to analyze the flow data for anomaly detection, as export the data for storage and pass it on to the data pre-
shown in Figure 1. The model is composed of four essential processing module. Data pre-processing is the process of
components/stages, namely; Packet Observation, Flow converting flow records into a specific format that is
metering and Export, Data collection, and Data Analysis. acceptable to the detection algorithm used. This phase can
include data cleaning, fixing missing values, data encoding,
1) Flow Metering and Export and normalization. In this component, all the features of each
flow record from the data collector is encoded and scaled.
In this stage, packets are aggregated into flows and flow This allows the data analysis to be consistent while using less
records are exported. Packet aggregation is performed through processing power.
a metering process which is based on Information Elements
that define the layout of flow. Information elements are fields 3) Data Analysis
that can be exported in flow records. After the metering
process flow record sampling and filtering functions are In this stage, the results of all the previous stages come
performed. In contrast with packet sampling and filtering together. In the data analysis stage different data analysis
performed on the packet observation stage, flow sampling and methods can be applied, for example, flow analysis and
filtering work on flow records instead of packets. Flow reporting, threat detection, and performance monitoring [24].
records are packaged into a specific message format Our proposed framework employed threat detection by
depending on the protocol used. For example, the IPFIX employing Machine learning to model network behavior and
format or NetFlow format. After constructing the message, it detect anomalies. In order to use machine learning for
is then exported to the flow collector. The most implemented intrusion detection, a machine learning model is required. In
and deployed transport protocol for exporting flows is User the proposed framework, a machine learning classifier is built
Datagram Protocol (UDP) [24]. using the pre-processed data. The ML decision engine uses
the machine learning classifier constructed to classify new
instances as malicious or normal. If an instance is classified
as malicious then an alert is generated, else the instance is
dropped. In addition, the decision engine logs all the
instances and decision in a log file. Such log files can be
exported to a Log Management and Analysis tool, to further
analyze and visualize generated alerts.
B. Leveraging SDN architecture
SDN plays a significant role in the proposed machine
learning intrusion detection framework described above. The
following section presents an overview of how our method
leverages SDN.
 Data Plane (Packet Observation, Flow Metering and
Export Stage): All the network devices in the data plane
are embedded with collector agents, as shown in Figure
1, the agents sample and send flow records to the
centralized collector. The devices are configured to
collect specific flow metrics and export them to the
collector. Today built-in flow collection and export
support are already offered by major vendors, like Cisco.
 Control Plane (Data Collection and Preparation Stage):
The data collector residing in the CP module collect
network flow records. It then filters the data and conduct
feature extraction. Thus, the collector generates and
creates different datasets which are important for the
adopted ML technique. Data sources are all network
devices capable of communicating with the OpenFlow
controller.
 Application Plane (Data Analysis Stage): The machine
learning model is constructed and implemented as an
SDN application. Different ML methods or algorithms
can be applied for different purposes as SDN
applications using different datasets generated by the
flow collector. Different applications can be constructed
that are powered by ML models to influence the
functioning of the network. Examples include incident
handling applications, such as Rule or policy
enforcement, and path selection applications. In our case,
a ML model is built and used as an SDN intrusion
detection application.
Fig. 2: SDN based ML Intrusion detection system
It is envisaged that the application will be capable of
classifying a network flows as malicious or normal. The
discussed process is described in Figure 2.
C. Flow of Events
The proposed flow-based intrusion detection system can
be divided into three modules; flow sampling module, data
collector module and ML IDS application. The flow of events
in each of these components is described in Figure 3.
1) The Sampling agents
The sampling agents wait for packets to be transmitted,
and collects flow information. The agent verifies if the
packets meet specified criteria, which is important for
filtering network control messages, as depicted in Fig.3. If the
packets met specified criteria, filtering is conducted by
specifying a threshold. The threshold specifies and manages
flows by inspecting packet header. Flows are then packaged
and sent to the collector.
2) The Data Collector
The collector module is responsible for collecting the data
from the different sampling agents embedded in each network
device. Its task is to collect the flow data, employ feature
extraction then pass the data with appropriate features or
attributes to the SDN application for data pre-processing and
cleaning.
3) The IDS Application
The IDS application periodically queries or retrieves flow
records from the collector. It waits with time out and repeats
the process. For each new flow record, pre-processing
methods are applied to the flow record. After converting the
flow record into ML acceptable input format, the ML model
is used to classify it as normal or malicious. If the record is
normal, then the IDS application move on to the next flow
record retrieved. However, if the record is malicious, the
application makes a snapshot of the flow record’s data and
insert the information in a log file. Logging detected
malicious incidents could then be helpful for visualization
and security incident handling

Fig. 3: Proposed model event flow
D. Envisaged Deployments and Capabilities
In environments where security handling is a significant
factor, such as military tactical networks, it is not only
important to detect intrusions but also to emphasize security
incident handling. The combination of SDN and ML becomes
an obvious solution for such an implementation. This is
because SDN introduces centralized control and global view,
while ML enhances network intelligence and awareness. The
architecture is shown in Figure 4, illustrates an SDN based
TMANET architecture where the proposed ML intrusion
detection can be useful. In the figure, local SDN controllers
are installed on portable stations that are near mobile nodes.
Each of them can view part of the network and have to collect
and send network state information to the higher level SDN
controller available through the cloud. ML intrusion
detection models are placed in the local controllers for
intrusion detection in partial topology, and a global IDS can
be applied in the global controller. This global controller
constructs the universal network topology, create operational
policies and rules, and then disseminate them to the
forwarding nodes through the local controllers.
Fig. 4: SDN based tactical mobile ad hoc network architecture
Although the local controllers appear to be bridges, they
can take full control when the network is interrupted and
when serving real-time transmissions. Local ML intrusion
detection will serve part of the network in real-time, and the
global controller continues with further analysis and
formulate new network operation policies and rules if a
serious breach is detected. The IDS operates hand in hand
with the SDN controller, while the controller oversees how
packets in the network are transmitted, the IDS collects and
analyses network flow data and generates alerts.
Visualization methods can then be used to visualize the
generated alerts which help address the problems of
analyzing and evaluation of the tactical networks quickly.
Besides, the proposed architecture will help network
administrators in perceiving, exploring, analyzing, and
understanding complex and abstract security incidents.
Therefore simplifying their security incident handling and
decision-making capabilities. Which can help improve QoS,
incident analysis, incident containment, and incident
recovery as they are the most appealing for military
communication systems.
IV. PRELIMINARY RESULTS
Initially, two popular single learner ML methods,
namely; Decision Tree (DT) and Support Vector Machine
(SVM), and three ensemble ML classifiers, namely;
Adaboost, Bagging, and Random Forests are evaluated and
compared for their effectiveness in intrusion detection. The
classifiers were compared based on their performance in
detecting intrusions in packet-based and flow-based network
datasets. The aim was to understand the relationship between
ML classifiers in both packet-based and flow-based network
traffic datasets. For the packet-based dataset evaluation, the
results from the UNSW-NB15 experiments conducted in our
previous paper [15] was used, while the CIDDS-001-
external-week1 [26] dataset was used for flow-based
evaluations. The flow-based dataset was evaluated using
python 2.7 and scikit-learn library [27] version 0.20.0,
installed in an Asus laptop with 1.80GHz Intel (R) Core i7
processor with 8 GB RAM.
The CIDDS-001-external-week1 is a subset of the
CIDDS-001 flow-based datasets consisting of 14 attributes,
in which 3 were used in our evaluation, namely; flow
duration, bytes, and the number of packets. These attributes
were selected because they consist of numeric values which
are useful for effective ML models. The attributes were then
normalized using the standard scaler from scikit-learn.
129628 instances were used for training and 43210 instances
used for testing.
Table 1: Packet-based and flow-based detection accuracy
Packet-based Flow-
Algorithm [15] based
Decision Tree 0.887 0.9909
Support Vector
Machine 0.882 0.6289
Adaboost 0.903 0.9915
Bagging 0.901 0.9908
Random Forest 0.902 0.9914
 Accuracy was used for comparison since it measures
the ratio of correctly classified instances over the total
number of instances. Table 1 presents the accuracy of the five
classifiers in both packet-based and flow-based datasets.
From Table 1 Adaboost outperformed the other classifiers by
obtaining 90.3% accuracy followed by Random forest with
90.2% accuracy in the packet-based dataset. When we
consider the flow-based data, Adaboost obtained 99.15%
accuracy while random forest obtained 99.14% accuracy. The
Support Vector Machine obtained poor results compared to
the other classifiers in both packet and flow-based datasets,
with 88.2% and 62.89% accuracy. The bagging classifier
obtained slightly better results than the decision tree classifier
in the packet-based datasets. The results are graphically
illustrated in Figure 5
Fig 5: Packet and flow based accuracy for each classifier
V. CONCLUSION AND FUTURE WORKS
SDN and machine learning-based intrusion detection can
help improve network security and management in
TMANETs. SDN can simplify the task of managing and
deploying security incident handling strategies, network
traffic classification can be achieved through ML techniques.
This paper proposed a flow-based intrusion detection system
model that can be deployed in SDN based TMANET.
Preliminary results suggest that flow-based detection
technique can perform better than packet based intrusion
detection. A proof-of-concept prototype of the proposed
method is currently under development. The prototype will be
evaluated for its effectiveness and efficiency through
accuracy-based and resource usage metrics. Moreover,
insights into a practical deployment case will be acquired.
ACKNOWLEDGMENT
The authors acknowledge Armscor and CSIR for support
and sponsorship.
REFERENCES
[1] K. Poularakis, G. Iosifidis, and L. Tassiulas, “SDN-enabled
Tactical Ad Hoc Networks : Extending Programmable Control to
the Edge,” IEEE Communications Magazine, pp 132-138, 2018.
[2] S. M. Mousavi and P. Affairs, “Early Detection of DDoS Attacks
in Software Defined Networks Controller ,” Diss. Carleton
University, 2014.
[3] T. N. Nguyen, “The Challenges in SDN/ML Based Network
Security : A Survey,” arXiv preprint arXiv:1804.03539, 2018.
[4] P. Innella, “The evolution of intrusion detection systems,” Secur.
Novemb., vol. 1514, pp. 1–9, 2001.
[5] W. Pawgasame and K. Wipusitwarakun, “Tactical wireless
networks: A survey for issues and challenges,” 2015 Asian Conf.
Def. Technol., pp. 97–102, 2015.
View publication stats
[6] J. Spencer, O. Worthington, R. Hancock, and E. Hepworth,
“Towards a tactical software defined network,” 2016 Int. Conf.
Mil. Commun. Inf. Syst., pp. 1–7, 2016.
[7] A. Castiglione, R. K.-K. Choo, and M. Nappi, “Context Aware
Ubiquitous Biometrics in Edge of Military Things,” IEEE Cloud
Computing, vol 4, no 6, pp 16-20, 2017.
[8] D. Kreutz, F Ramos, P Verissimo, CE Rothenbergl., “Software-
Defined Networking : A Comprehensive Survey,” Proc. of the
IEEE, vol 103, no 1, pp. 14–76, 2015.
[9] H. C. Yu, G. Quer, and R. R. Rao, “Wireless SDN Mobile Ad Hoc
Network : from Theory to Practice,” IEEE Int. Conf. on Com,
Paris, pp 1-7, 2017.
[10] M. Fahad, M. Sher, and Y. Bi, “Flow-based intrusion detection :
Techniques and challenges,” Comput. Secur., vol. 70, pp. 238–
254, 2017.
[11] A. L. Buczak and E. Guven, “A Survey of Data Mining and
Machine Learning Methods for Cyber Security Intrusion
Detection,” vol. 18, no. 2, pp. 1153–1176, 2016.
[12] S. Agrawal and J. Agrawal, “Survey on Anomaly Detection using
Data Mining Techniques,” Procedia - Procedia Comput. Sci., vol.
60, pp. 708–713, 2015.
[13] F. Ertam, and O. Yaman, “Intrusion Detection in Computer
Networks via Machine Learning Algorithms,” Int. Arti. Intell and
Data Proc Sym, Malatya, pp 1-4, 2017.
[14] D. Jankowski and M. Amanowicz, “On Efficiency of Selected
Machine Learning Algorithms for Intrusion Detection in Software
Defined Networks,” Int. J. Electron. Telecommun., vol. 62, no. 3,
pp. 247–252, 2016.
[15] S. Zwane, P. Tarwireyi, and M. Adigun, “Performance Analysis of
Machine Learning Classifiers for Intrusion Detection,” 2018 Int.
Conf. Intell. Innov. Comput. Appl., pp. 1–5, 2019.
[16] K. F. Yu, R. E. Harang, and K. N. Wood, “Machine learning for
intrusion detection in mobile tactical networks,” vol. 10185, p.
1018504, 2017.
[17] M. Zaman, “Evaluation of Machine Learning Techniques for
Network Intrusion Detection,” NOMS 2018 - 2018 IEEE/IFIP
Netw. Oper. Manag. Symp., pp. 1–5, 2018.
[18] J. Suárez-Varela and P. Barlet-Ros, “Flow monitoring in Software-
Defined Networks: Finding the accuracy/performance tradeoffs,”
Comput. Networks, vol. 135, 2018.
[19] S. Ezekiel, D. M. Divakaran, and M. Gurusamy, “Dynamic attack
mitigation using SDN,” 2017 27th Int. Telecommun. Networks
Appl. Conf. ITNAC 2017, vol. 2017-Janua, pp. 1–6, 2017.
[20] S. T. V. Pasca, S. S. P. Kodali, and K. Kataoka, “AMPS:
Application aware multipath flow routing using machine learning
in SDN,” 2017 23rd Natl. Conf. Commun. NCC 2017, 2017.
[21] D. Hu, P. Hong, and Y. Chen, “FADM: DDoS Flooding Attack
Detection and Mitigation System in Software-Defined
Networking,” 2017 IEEE Glob. Commun. Conf. GLOBECOM
2017 - Proc., vol. 2018-Janua, pp. 1–7, 2018.
[22] D. Lee and C. S. Hong, “Access point selection algorithm for
providing optimal AP in SDN-based wireless network,” 19th Asia-
Pacific Netw. Oper. Manag. Symp. Manag. a World Things,
APNOMS 2017, no. 1, pp. 362–365, 2017.
[23] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, “Athena:
A Framework for Scalable Anomaly Detection in Software-
Defined Networks,” Proc. - 47th Annu. IEEE/IFIP Int. Conf.
Dependable Syst. Networks, DSN 2017, pp. 249–260, 2017.
[24] R. Hofstede et al., “Flow Monitoring Explained : From Packet
Capture to Data Analysis With NetFlow and IPFIX,” vol. 16, no.
4, pp. 2037–2064, 2014.
[25] N. Moustafa and J. Slay, “UNSW-NB15: a comprehensive datta
set for network intrusion detection systems,” Mil. Com. and Inf.
Sys. Conf, pp 1-6, 2015.
[26] M. Ring, S. Wunderlich, D. Grüdl, D. Landes, and A. Hotho,
“Flow-based benchmark data sets for intrusion detection,” Eur.
Conf. Inf. Warf. Secur. ECCWS, pp. 361–369, 2017.
[27] F. Pedregosa, R. Weiss, and M. Brucher, “Scikit-learn : Machine
Learning in Python,” vol. 12, pp. 2825–2830, 2011.