
Int. J. Intelligent Enterprise, Vol. 7, Nos. 1/2/3, 2020

Comparative study on IDS using machine learning approaches for software defined networks

K. Muthamil Sudar* and P. Deepalakshmi


Department of Computer Science and Engineering,
School of Computing,
Kalasalingam Academy of Research and Education,
Krishnankoil, Tamilnadu, India
Email: [email protected]
Email: [email protected]
*Corresponding author

Abstract: Software defined networking (SDN) is an emerging network approach that separates the data plane from the control plane and exposes programmable interfaces for handling network configuration, in order to improve network performance and monitoring. Because SDN relies on a logically centralised controller that controls the entire network, the controller is the attacker's primary target. Hence a powerful tool, the intrusion detection system (IDS), is needed to detect intrusions and protect the network from them, and incorporating an IDS into the SDN architecture is essential. Machine learning (ML) approaches can now provide a promising solution for predicting attacks with higher accuracy and a lower error rate. In this paper we survey machine learning techniques used for IDS, namely naive Bayes, decision tree, random forest and multilayer perceptron, and compare their performance in terms of attack prediction accuracy and error rate. We also discuss the background of SDN, security issues in SDN, an overview of IDS types and the various machine learning approaches, together with the datasets used.
Keywords: intrusion detection system; IDS; machine learning; software
defined networking; SDN; naive Bayes; decision trees; random forest;
multilayer perceptron; datasets.
Reference to this paper should be made as follows: Muthamil Sudar, K. and
Deepalakshmi, P. (2020) ‘Comparative study on IDS using machine learning
approaches for software defined networks’, Int. J. Intelligent Enterprise,
Vol. 7, Nos. 1/2/3, pp.15–27.
Biographical notes: K. Muthamil Sudar is working as an Assistant Professor
in the Department of Computer Science and Engineering, School of
Computing, Kalasalingam Academy of Research and Education, Krishnankoil,
Tamilnadu. He is pursuing his PhD in the area of Security in Software Defined
Networks.
P. Deepalakshmi is currently working as a Professor in the Department of
Computer Science and Engineering at Kalasalingam Academy of Research and
Education. She is also serving as the Dean, School of Computing. Her research
interest includes optimisation techniques, network routing, distributed
computing and network security. She also takes care of KARE ACM student
chapter as faculty mentor.

Copyright © 2020 Inderscience Enterprises Ltd.


16 K. Muthamil Sudar and P. Deepalakshmi

1 Introduction

Managing computer networks is a tedious process. In a traditional network, if an administrator wants to add or remove a single device, the devices must be configured manually, one device at a time, and device-level management tools have to be used to update the configuration settings. This makes configuration time consuming and error prone, and it motivated a new perspective on network management called software defined networking (SDN). SDN (Scott-Hayward et al., 2016) is a prominent technology that physically separates the network's control plane from its data plane. The control plane decides how to handle network traffic and the data plane forwards traffic according to the decisions made by the control plane. This makes the control plane programmable through a centralised controller and abstracts the underlying infrastructure for applications and network services. Since SDN concentrates control in a centralised controller, strong security measures are needed to protect the controller from various attacks. The general mechanism for detecting attacks in a network is to include an intrusion detection system (IDS) in the network architecture. Machine learning techniques help to build efficient IDSs, improving the accuracy and reducing the error rate of attack detection. In this article, we therefore analyse some of the machine learning techniques used to build efficient IDSs: decision trees, naive Bayes, random forest and the multilayer perceptron (MLP).
The remainder of this paper is organised as follows. Section 2 discusses the architecture of SDN. Section 3 analyses the security issues of SDN. Section 4 explains the IDS. Section 5 discusses the types of machine learning techniques. Section 6 explains the datasets used for IDS and describes the types of attack to be categorised. Section 7 analyses various machine learning techniques for IDS in terms of accuracy and error rate. Section 8 evaluates the surveyed approaches and Section 9 concludes our work.

2 Architecture of SDN

By enabling a centralised controller in SDN, managing the entire network becomes like managing a single device. This single software element can control data plane elements such as routers, switches and firewalls, which helps to build intelligent and flexible networks. The controller and the switches communicate over a southbound interface such as the OpenFlow protocol; this channel can be protected with TLS, which the OpenFlow specification supports but leaves optional, so an unprotected control channel is a deployment choice rather than a given. OpenFlow is the most widely used SDN protocol for building SDN solutions and acts as the southbound interface between the control plane and the data plane. Each OpenFlow switch contains one or more tables of packet handling rules. A rule specifies match fields (packet header contents, incoming port, etc.), a priority and actions; an incoming packet is handled, for example forwarded or dropped, according to the highest-priority rule whose match fields agree with it, and a packet that matches no rule (a table miss) is handled by the table-miss entry, typically by sending it to the controller as a packet-in message. Depending on the rules installed by the controller, an OpenFlow switch can behave as a router, switch, firewall or NAT.
The SDN architecture is divided into three functional layers, the application layer, the control layer and the infrastructure layer, as shown in Figure 1. Two types of interface are available: the north-bound interface (NBI) and the south-bound interface (SBI). The SBI carries the communication between the infrastructure layer and the control layer and must be secured; the NBI carries the communication between the control layer and the application layer.

Figure 1 Architecture of SDN (see online version for colours). The figure shows the three layers stacked: the application layer (business applications), connected through the NBI to the control layer (SDN controller), which is connected through the SBI to the infrastructure layer (network devices).

2.1 Infrastructure layer

The infrastructure layer of SDN contains the physical network devices such as routers and switches. Unlike in the traditional architecture, devices in SDN have no control functions; they act only as forwarding devices. The devices in the infrastructure are interconnected through wired or wireless media. Examples are the software switch Open vSwitch and OpenFlow-capable hardware switches from vendors such as Juniper and HP. To forward a packet, a switching device first identifies the rule that matches the packet and then forwards the packet to the next device.

2.2 Control layer

In the control plane, the centralised controller acts as the heart of the network. The controller is a logical entity that decides where traffic has to be routed based on its abstract view of the network. Other common functions of the controller are system configuration, management and the exchange of routing information. The controller receives requirements from the application plane, processes the requests and makes the resulting rules available to the data plane components.

2.3 Application layer

The application layer contains the business applications and virtual network functions. Applications in this layer communicate with the controller through the NBI. The main scope of SDN applications is the implementation of security policies, traffic engineering, load balancing and offering QoS.

3 Security issues in SDN

Providing and managing security in computer networks is quite a complex task. The network administrator has to provide security by all means and protect the network from both internal and external intruders. By deploying firewall functionality in the application layer, unauthorised access within the network can be restricted, but a firewall protects the network environment only by applying predefined security policies.
Even with effective mechanisms for handling security issues, the centralised controller (Abubakar and Pranggono, 2017) is itself a security threat for the SDN architecture. In the control plane, the controller gives an abstract view to applications so that they can make use of the resources available in the data plane. If the controller is compromised, an attacker can modify the rules in the controller and prevent legitimate users from accessing the available resources. The major security issues an attacker can cause through the controller are denial of service, data modification, data leakage and illegitimate access to the network. In unauthorised access and data modification, an attacker who impersonates the controller can manipulate and modify network operation and thereby take complete control over the entire network.
In the data plane, each OpenFlow switch has its own forwarding table containing the packet handling rules. An intruder can infer the action applied to each packet from packet processing time analysis: for example, a packet that is handled by an existing rule and forwarded from one port to another is processed faster than a packet that has to be sent to the controller. By observing the processing time, an attacker learns which packets have no matching rule, and from that more information about the network. This inference is a form of data leakage. Using it, the attacker can then generate a large number of fake requests that all miss the flow table and are sent to the controller, which exhausts the controller and prevents legitimate users from accessing network resources, that is, a denial of service.
In the application plane, any third party application can be integrated into the application layer. It is therefore possible to introduce a malicious application to gain control over the controller, and poorly designed or buggy applications may also cause serious security issues in the SDN architecture. One effective mechanism for handling the common security issues of SDN is to integrate an IDS into the SDN architecture itself.
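The flow-table matching described in Section 2 and the packet-in flooding path described above, as an added example that is not part of the original paper: a miniature OpenFlow-style switch in Python. The rule format, the match field names (ip_src, ip_dst, tcp_dst), the packet-in threshold and the traffic are this example's own constructions; a real switch has many more match fields and a configurable table-miss entry, and the timing side channel itself is not modelled.

```python
"""Miniature OpenFlow-style flow table (added example; assumptions noted inline)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class FlowRule:
    priority: int   # higher wins, as in an OpenFlow flow table
    match: dict     # assumed field names: in_port, ip_src, ip_dst, tcp_dst
    action: str     # "output:<port>", "drop" or "controller"


class OpenFlowSwitch:
    def __init__(self, rules):
        # evaluate highest priority first, like the switch pipeline does
        self.rules = sorted(rules, key=lambda r: r.priority, reverse=True)
        self.packet_in_count = Counter()   # packet-ins per source address

    def lookup(self, packet):
        """Action of the best matching rule; a table miss is sent to the controller."""
        for rule in self.rules:
            if all(packet.get(k) == v for k, v in rule.match.items()):
                return rule.action
        return "controller"

    def process(self, packet):
        action = self.lookup(packet)
        if action == "controller":
            # this is the packet-in path an attacker floods with unmatched packets
            self.packet_in_count[packet["ip_src"]] += 1
        return action


def packet_in_flooders(switch, threshold):
    """Sources whose table misses exceed the threshold (a crude controller-flood detector)."""
    return sorted(src for src, n in switch.packet_in_count.items() if n > threshold)


# rules a controller might install: a firewall-like drop rule outranks forwarding
RULES = [
    FlowRule(200, {"ip_dst": "10.0.0.2", "tcp_dst": 23}, "drop"),
    FlowRule(100, {"ip_dst": "10.0.0.2"}, "output:2"),
    FlowRule(100, {"ip_dst": "10.0.0.1"}, "output:1"),
]


def demo(threshold=20):
    """Constructed traffic: one legitimate flow, one blocked telnet attempt,
    then one host spraying 50 packets at addresses no rule covers."""
    sw = OpenFlowSwitch(RULES)
    actions = [
        sw.process({"ip_src": "10.0.0.1", "ip_dst": "10.0.0.2", "tcp_dst": 80}),
        sw.process({"ip_src": "10.0.0.1", "ip_dst": "10.0.0.2", "tcp_dst": 23}),
    ]
    for i in range(50):
        actions.append(sw.process({"ip_src": "10.0.0.9",
                                   "ip_dst": f"10.0.1.{i + 1}", "tcp_dst": 80}))
    return actions, packet_in_flooders(sw, threshold)


if __name__ == "__main__":
    acts, flooders = demo()
    print(Counter(acts), "flooders:", flooders)
```

The detector counts table misses per source over the whole run; a deployable version would count per time window and rate-limit packet-ins at the switch, since the point of the attack is that every miss costs the controller work.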

4 Intrusion detection system

An IDS plays an important role in providing security for a network infrastructure. The main function of an IDS (Hamed et al., 2018) is to monitor the network environment and detect malicious activities in that network. An IDS is generally categorised into two types, the misuse (signature) detection method and the anomaly detection method. Both classify the given data into normal and abnormal data. In misuse detection, intrusions are defined by attack patterns predefined from the history of previous attacks. This leads to a low false positive rate in prediction, but misuse detection cannot detect new attacks unless it is updated with new patterns. Anomaly detection, on the other hand, detects attacks as deviations from the normal behaviour of the network, which helps to detect new attacks as well. At the same time, anomaly detection leads to a high false positive rate, because legitimate but unusual behaviour is flagged too. In general, misuse detection identifies known attacks and anomaly detection identifies unknown attacks, each based on different features.
The general factors that make an IDS efficient are accuracy, reliability and detection speed. There are many ways to build a successful IDS, such as data mining techniques and machine learning techniques. Among these, machine learning provides flexible solutions for network-based IDS because it allows the system to decide whether traffic is an attack or normal without external interference (Dayal et al., 2016).
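The two detection methods described above, as an added example that is not part of the original paper: a signature matcher and a statistical baseline run side by side on constructed connection records with a simplified subset of KDD-style fields. The three signatures, the 3-sigma threshold and all records are this example's own assumptions; the example shows the trade-off the text states, namely that the signatures miss the scan for which no pattern exists while the baseline catches it but also flags a legitimate burst.

```python
"""Misuse detection versus anomaly detection (added example; assumptions noted inline)."""
from statistics import mean, pstdev

# Misuse detection: each signature is a predicate over a connection record.
# These are simplified renderings of three KDD attack names, not the real signatures.
SIGNATURES = {
    "land": lambda r: r["src"] == r["dst"],                                  # source equals destination
    "guess_passwd": lambda r: r["service"] in ("telnet", "ftp") and r["failed_logins"] >= 3,
    "neptune": lambda r: r["flag"] == "S0" and r["count"] >= 100,            # SYN flood: half-open, many connections
}


def misuse_detect(record):
    """Names of all signatures the record matches; an empty list means 'normal'."""
    return [name for name, rule in SIGNATURES.items() if rule(record)]


class AnomalyDetector:
    """Baseline on one feature: connections from the same source in the window ('count')."""

    def __init__(self, sigma=3.0):
        self.sigma = sigma          # assumed threshold: 3 standard deviations above the mean
        self.mu = self.sd = None

    def fit(self, normal_records):
        values = [r["count"] for r in normal_records]
        self.mu, self.sd = mean(values), pstdev(values)

    def score(self, record):
        return (record["count"] - self.mu) / self.sd if self.sd else 0.0

    def detect(self, record):
        return self.score(record) > self.sigma


def make(src, dst, service, flag, count, failed_logins=0):
    return {"src": src, "dst": dst, "service": service, "flag": flag,
            "count": count, "failed_logins": failed_logins}


# constructed training window of normal traffic (mean count 5.3, std 0.9)
NORMAL_WINDOW = [make("10.0.0.1", "10.0.0.2", "http", "SF", c)
                 for c in (5, 6, 4, 7, 5, 6, 5, 4, 6, 5)]

# constructed test records, each with its true nature
TEST_RECORDS = [
    ("normal", make("10.0.0.1", "10.0.0.2", "http", "SF", 6)),
    ("land", make("10.0.0.2", "10.0.0.2", "http", "SF", 5)),
    ("neptune", make("10.0.0.9", "10.0.0.2", "private", "S0", 300)),
    ("new scan", make("10.0.0.9", "10.0.0.2", "private", "REJ", 60)),   # no signature exists for it
    ("flash crowd", make("10.0.0.1", "10.0.0.2", "http", "SF", 12)),     # legitimate burst
]


def evaluate(records=TEST_RECORDS, window=NORMAL_WINDOW):
    """Return (true nature, misuse hits, anomaly flag) for every record."""
    detector = AnomalyDetector()
    detector.fit(window)
    return [(truth, misuse_detect(r), detector.detect(r)) for truth, r in records]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The output rows show the asymmetry: "land" is caught only by its signature (its count is ordinary), "new scan" only by the baseline, and "flash crowd" is the false positive that anomaly detection pays for its coverage of unknown attacks.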

5 Machine learning techniques

Machine learning (Sultana et al., 2018) is the process of making a machine that can automatically learn from data and improve with prior experience. It is categorised into different types based on the learning style and on how the models work on new data. Machine learning techniques are commonly categorised into supervised learning, unsupervised learning and semi-supervised learning. In supervised learning, the machine is trained with labelled data to predict unknown cases. Supervised learning algorithms are used for both classification and regression problems; examples are support vector machines, random forest and linear regression. In unsupervised learning, the machine is trained with unlabelled data and finds structure in it; examples are K-means clustering, association rules and principal component analysis. In semi-supervised learning, the machine is trained with both labelled and unlabelled data; examples are semi-supervised SVM, the spectral graph transducer and the Gaussian fields approach. Machine learning techniques (Dayal et al., 2016) are regarded as one of the prominent solutions for the effective development of IDS, providing an improved detection rate, a low false alarm rate and a high true positive rate.

6 Datasets background

The commonly used datasets for IDS are DARPA98/99, KDD99 and NSL-KDD. In KDD99 (Knowledge Discovery and Data Mining) (http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html), each connection record is labelled as either an attack or a normal connection. The dataset contains 39 attack types in total, of which 14 appear only in the test data, so a detector trained on it is also evaluated on attacks it has never seen. Each connection record has 41 attributes, which fall into three categories: basic features, content features and traffic features. Because the full dataset is very large, experiments are often run on random samples (commonly the 10% subset), and many of its records are redundant.
To overcome the problems identified in KDD99, a derived dataset, NSL-KDD, was introduced. In NSL-KDD, the number of samples is reasonable for both testing and training, and there are no redundant records. This allows experiments to run on the complete set rather than on random samples only. Attacks defined in this dataset fall into one of the following categories.

a Denial of service (DoS) attack (http://kdd.ics.uci.edu/databases/kddcup99/task.html; Peddabachigari et al., 2004): the attacker denies legitimate users access to the available resources by making the resources too busy. Examples of DoS attacks are neptune, land, pod, teardrop and back.
b User to root (U2R) attack (http://kdd.ics.uci.edu/databases/kddcup99/task.html; Peddabachigari et al., 2004): an attacker who has access as a normal user exploits some vulnerability to gain the privileges of the root user. Examples of U2R attacks are perl, loadmodule, rootkit and buffer_overflow.
c Remote to local (R2L) attack (http://kdd.ics.uci.edu/databases/kddcup99/task.html; Peddabachigari et al., 2004): an attacker who does not have an account on the local machine sends packets to the machine over the network and exploits some vulnerability to gain the privileges of a normal user. Examples of R2L attacks are guess_passwd, warezmaster, multihop, imap and ftp_write.
d Probe attack (http://kdd.ics.uci.edu/databases/kddcup99/task.html; Peddabachigari et al., 2004): the attacker scans a network of computers, gathers information about the network and checks for known vulnerabilities, which are then used to exploit the network. Examples of probe attacks are nmap, satan and portsweep.

7 Machine learning approaches for IDS

7.1 Random forest method


The random forest method (Zhang and Zulkernine, 2005) is a supervised classification technique. It generates many classification trees, each constructed from a different random (bootstrap) sample of the original dataset. Once the trees are constructed, new data can be classified: each new object is presented to the root of every tree in the forest, each tree casts a vote for a class, and the object is classified as normal or attack according to the majority of votes.
In Zhang et al. (2008), the authors used the KDD'99 dataset. They took the 10% sample, which contains 494,020 connection records, for the training and testing sets. This 10% sample covers the attack types DoS, U2R, R2L and probe as well as normal traffic, but its class distribution is heavily unbalanced. The authors therefore applied down-sampling to obtain a balanced dataset; the balanced training set shrinks to 60,620 samples. They then compared the original dataset with the balanced dataset to see which gives higher accuracy, using 66% of the samples as training data and 34% as testing data. The overall error rate was 0.05% on the balanced dataset and 1.92% on the original dataset. They further experimented with selecting the important features by employing a feature selection algorithm and concluded that an appropriate feature selection and dataset improve the detection rate and decrease the error rate.

In Aung and Min (2017), the authors used the 10% sample of the KDD'99 dataset and applied two algorithms, K-means and random forest. They used K-means to partition the data into homogeneous clusters and random forest to classify each sample as either normal or attack. They compared the performance of a single random forest against the combination of K-means and random forest and concluded that the prediction accuracy is the same for both methods, but the training time of the K-means-based random forest is considerably shorter than that of a single random forest model, as indicated in Table 1.
Table 1 Comparison of performance measures for random forest

Methodology used: random forest with feature selection algorithm (Zhang et al., 2008)
  Dataset used: 10% of KDD'99
  Techniques used: down-sampling to make the dataset balanced; appropriate feature selection technique
  Performance: unbalanced dataset, 1.92% error rate; balanced dataset, 0.05% error rate

Methodology used: K-means algorithm for feature selection, random forest for classification (Aung and Min, 2017)
  Dataset used: 10% of KDD'99
  Techniques used: K-means algorithm to generate homogeneous dataset; random forest algorithm for classification
  Performance: training time 11,939.73 seconds for single RF; 5,420.45 seconds for RF-based K-means

7.2 Naive Bayes method


Naive Bayes (https://machinelearningmastery.com/naive-bayes-for-machine-learning/) is a simple and efficient classification algorithm that is applicable to both binary and multi-class classification. The naive Bayes model is a simplified Bayesian probability model: it rests on the strong assumption that the attributes are conditionally independent given the class, so that the joint likelihood of n attributes factorises into a product of n per-attribute likelihoods, each estimated separately from the training data. Because every attribute then contributes to the decision whether or not it is informative, the most significant job when using this method is feature selection.
In Mukherjee and Sharma (2012), the authors described three feature subset selection techniques: correlation-based feature selection (CFS), gain ratio (GR) and information gain (IG). To improve the accuracy of feature selection, they proposed a model called the feature vitality-based method (FVBM). In this method, a threshold value determines whether a feature is selected or ignored. Applying the same strategy to each attribute, they performed a sequential search to identify the important features from the original feature set and retained a subset of 24 features, judged on three performance metrics: classification accuracy, true positive rate and false positive rate. They used the WEKA tool to compute and measure the classification performance for each feature. The dataset used in their experiments is the labelled NSL-KDD dataset, which contains a reasonable number of test and training records. They compared their results with the other feature selection methods: prediction accuracy is improved over CFS, GR and IG, but the time taken to build the FVBM model is slightly higher than for the other models.

Table 2 Comparison of performance measures for naive Bayes

Methodology: naive Bayes (Mukherjee and Sharma, 2012)
  Dataset: NSL-KDD dataset
  Techniques used: feature vitality-based method (FVBM) for feature selection
  Performance: naive Bayes, prediction accuracy 95.11, error rate 0.12; FVBM-based naive Bayes, prediction accuracy 97.78, error rate 0.083

Methodology: advanced naive Bayesian classification with weighted attributes (Wang et al., 2017)
  Dataset: 10% of KDD'99
  Techniques used: attribute-weighted NBC technique; ReliefF algorithm to determine the weight of each attribute
  Performance: NBC, prediction accuracy 91.73%, error rate 11.98%; NBC-A, prediction accuracy 98.50%, error rate 5.79%

Figure 2 Prediction accuracy of NBC and modified NBC (see online version for colours)

In Wang et al. (2017), the authors proposed advanced naive Bayes classification (NBC-A). The naive Bayes classifier works well for uncertain probabilistic events, and the authors argue that intrusion detection is likewise uncertain behaviour, so an IDS based on NBC is reasonable. But the independence assumption is hard to satisfy in real network situations: each network has its own attributes with complex relationships between them, which makes detection critical. To overcome this problem, they implemented an attribute-weighted NBC, in which each attribute is assigned a different weight. To determine the weights they applied the ReliefF algorithm, which estimates the relationship between each attribute and the final classification class; a weight is assigned to each attribute according to the strength of that relationship, so the stronger the relation, the larger the weight. The network behaviour is then determined by the NBC-A classification module. They used the KDD'99 dataset; since it is large, they used only the 10% subset.
They compared NBC and NBC-A in terms of accuracy and error rate. The average prediction accuracy of NBC-A is 98.50%, against 91.73% for NBC, and the average error rate of NBC-A is 5.79%, against 11.98% for NBC. From this they concluded that attribute weighting with the ReliefF algorithm in NBC-A detects intrusions more effectively than plain naive Bayes classification, as indicated in Table 2 and Figure 2.
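The naive Bayes classifier of Section 7.2 and the attribute weighting of Wang et al. (2017), as an added example that is not part of the original paper or of either surveyed study: a categorical naive Bayes classifier with Laplace smoothing, and the attribute-weighted variant in which each attribute's log-likelihood is multiplied by its weight (feature selection is the special case of weight 0 or 1). The training records, the query and the weights are constructed for this example; ReliefF itself is not implemented, the WEIGHTS dict stands in for what it would estimate.

```python
"""Categorical naive Bayes with Laplace smoothing and attribute weights (added example)."""
import math
from collections import Counter, defaultdict


class NaiveBayes:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                       # Laplace smoothing: no zero likelihoods for unseen values
        self.class_counts = Counter()
        self.value_counts = defaultdict(Counter)  # (attribute, class) -> Counter of values
        self.domains = defaultdict(set)           # attribute -> values seen in training

    def fit(self, examples):
        """examples: iterable of (record dict, class label)."""
        for rec, label in examples:
            self.class_counts[label] += 1
            for attr, value in rec.items():
                self.value_counts[(attr, label)][value] += 1
                self.domains[attr].add(value)

    def log_likelihood(self, attr, value, label):
        counts = self.value_counts[(attr, label)]
        return math.log((counts[value] + self.alpha)
                        / (self.class_counts[label] + self.alpha * len(self.domains[attr])))

    def posteriors(self, rec, weights=None):
        """P(class | record); with weights, log P(x_i | c) is scaled by w_i (weight 1 = plain NB)."""
        weights = weights or {}
        total = sum(self.class_counts.values())
        log_scores = {}
        for label, n in self.class_counts.items():
            s = math.log(n / total)              # log prior
            for attr, value in rec.items():      # independence assumption: likelihoods add in log space
                s += weights.get(attr, 1.0) * self.log_likelihood(attr, value, label)
            log_scores[label] = s
        m = max(log_scores.values())             # normalise without underflow
        z = sum(math.exp(v - m) for v in log_scores.values())
        return {label: math.exp(v - m) / z for label, v in log_scores.items()}

    def predict(self, rec, weights=None):
        post = self.posteriors(rec, weights)
        return max(post, key=post.get)


# constructed training records (three symbolic KDD-style attributes)
TRAIN = [
    ({"protocol_type": "tcp", "service": "http", "flag": "SF"}, "normal"),
    ({"protocol_type": "tcp", "service": "http", "flag": "SF"}, "normal"),
    ({"protocol_type": "udp", "service": "domain", "flag": "SF"}, "normal"),
    ({"protocol_type": "tcp", "service": "smtp", "flag": "SF"}, "normal"),
    ({"protocol_type": "tcp", "service": "http", "flag": "S0"}, "attack"),
    ({"protocol_type": "tcp", "service": "private", "flag": "S0"}, "attack"),
    ({"protocol_type": "tcp", "service": "private", "flag": "REJ"}, "attack"),
    ({"protocol_type": "udp", "service": "private", "flag": "SF"}, "attack"),
]

# assumed attribute weights standing in for ReliefF output: flag treated as most relevant
WEIGHTS = {"protocol_type": 0.5, "service": 0.5, "flag": 2.0}

QUERY = {"protocol_type": "udp", "service": "private", "flag": "SF"}


def demo():
    """Return (plain prediction, plain P(attack), weighted prediction) for QUERY."""
    nb = NaiveBayes()
    nb.fit(TRAIN)
    return nb.predict(QUERY), nb.posteriors(QUERY)["attack"], nb.predict(QUERY, WEIGHTS)


if __name__ == "__main__":
    print(demo())
```

For the query, plain naive Bayes gives P(attack) = 8/13 because "private" is mostly seen with attacks, while the weighted variant, which trusts the completed-handshake flag SF more, flips the decision to normal. Which decision is right depends on the weights being well estimated, which is exactly what ReliefF is for in the surveyed study.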

7.3 Decision trees


A decision tree (https://machinelearningmastery.com/classification-and-regression-trees-for-machine-learning/) is another classification technique, and it scales well to large datasets, which makes it useful for computer networks, where a large amount of data flows every second. A decision tree builds the classification model as a set of rules learnt from the training data, each rule defined by the values of the attributes tested along a path. To classify the network behaviour, one starts at the root of the tree and follows the branch selected by the rule at each node until a leaf node is reached; the leaf gives the resulting class.
In Peddabachigari et al. (2004), the authors used a binary classification tree, which classifies each record as either attack or normal. Attack is a collection of four classes, DoS, R2L, U2R and probe, and the main aim is to separate the attacks from the normal network pattern. Since they used binary classification, they repeated the problem for all five cases, constructing one classifier per class. In the training phase, the classifier is constructed from the training data; in the testing phase, the test data set is classified with the same classifier. They found that training time is higher than testing time in every case, and that accuracy is high for the normal, DoS and probe classes but low for the U2R and R2L classes, which are the rarest classes in the dataset.

Figure 3 Prediction accuracy of ID3, C4.5, C5.0, DT (see online version for colours)

In Kumar et al. (2012), the authors experimented with three decision tree learning algorithms: ID3, C4.5 and C5.0. ID3 uses information theory to build the decision tree and selects the attribute with the highest information gain (IG) as the splitting attribute. C4.5 uses the gain ratio (GR) to select the splitting attribute, which penalises attributes with many distinct values. C5.0 adds boosting, which combines several classifiers to improve the performance of the trees built. The output of C4.5 and C5.0 can be either rule sets or decision trees. To evaluate the performance of the intrusion detection algorithms, they used the KDD'99 dataset. After comparing the three algorithms, they concluded that C5.0 performs best in terms of both prediction accuracy and false positives, followed by C4.5 and then ID3. As Table 3 and Figure 3 show, the binary decision tree of Peddabachigari et al. (2004) reports a higher prediction accuracy than any of C5.0, C4.5 and ID3.
Table 3 Comparison of performance measures for decision tree

Methodology used: decision tree using binary classifier (Peddabachigari et al., 2004)
  Dataset used: 10% of KDD'99
  Techniques used: binary classification technique
  Performance: normal class, training time 1.53, testing time 0.03, accuracy 99.64; probe class, training time 3.09, testing time 0.02, accuracy 99.86; training time is higher than testing time for all cases

Methodology used: comparison of decision tree techniques ID3, C4.5, C5.0 (Kumar et al., 2012)
  Dataset used: 10% of KDD'99
  Techniques used: information gain for ID3, gain ratio for C4.5, boosting for C5.0 to identify the splitting attribute
  Performance (normal class): ID3, accuracy 96.63, error 0.66; C4.5, accuracy 97.77, error 0.14; C5.0, accuracy 98.22, error 0.10
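The two splitting criteria compared above, information gain (ID3) and gain ratio (C4.5), as an added example that is not part of the original paper or of the surveyed study: both criteria computed on a constructed eight-record dataset, plus a small ID3-style tree builder that uses whichever criterion it is given. The dataset includes a unique connection identifier to show why C4.5 introduced the gain ratio: information gain picks the identifier (it splits the data perfectly and generalises to nothing), whereas gain ratio picks the service attribute. The records and attribute names are this example's own constructions; C5.0's boosting is not covered.

```python
"""Information gain versus gain ratio, and an ID3-style tree builder (added example)."""
import math
from collections import Counter


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def split_by(records, attr):
    groups = {}
    for r in records:
        groups.setdefault(r[attr], []).append(r)
    return groups


def information_gain(records, attr, target="class"):
    """ID3 criterion: entropy of the class minus the weighted entropy after splitting on attr."""
    n = len(records)
    before = entropy([r[target] for r in records])
    after = sum(len(g) / n * entropy([r[target] for r in g])
                for g in split_by(records, attr).values())
    return before - after


def split_info(records, attr):
    """Entropy of the split itself: large when attr has many small branches."""
    n = len(records)
    return -sum(len(g) / n * math.log2(len(g) / n) for g in split_by(records, attr).values())


def gain_ratio(records, attr, target="class"):
    """C4.5 criterion: information gain normalised by split information."""
    si = split_info(records, attr)
    return information_gain(records, attr, target) / si if si else 0.0


def best_attribute(records, criterion, attrs):
    return max(attrs, key=lambda a: criterion(records, a))


def majority(records, target="class"):
    return Counter(r[target] for r in records).most_common(1)[0][0]


def build_tree(records, attrs, criterion, target="class"):
    """Recursive ID3-style induction; leaves are class labels, inner nodes are dicts."""
    labels = {r[target] for r in records}
    if len(labels) == 1:
        return labels.pop()
    if not attrs:
        return majority(records, target)
    attr = best_attribute(records, criterion, attrs)
    rest = [a for a in attrs if a != attr]
    node = {"attr": attr, "default": majority(records, target), "branches": {}}
    for value, group in split_by(records, attr).items():
        node["branches"][value] = build_tree(group, rest, criterion, target)
    return node


def classify(tree, rec):
    """Follow branches from the root to a leaf; unseen values fall back to the node's majority."""
    while isinstance(tree, dict):
        tree = tree["branches"].get(rec[tree["attr"]], tree["default"])
    return tree


# constructed records: conn_id is unique per record, which is the trap for information gain
DATA = [
    {"conn_id": 1, "flag": "SF", "service": "http", "class": "normal"},
    {"conn_id": 2, "flag": "SF", "service": "http", "class": "normal"},
    {"conn_id": 3, "flag": "SF", "service": "smtp", "class": "normal"},
    {"conn_id": 4, "flag": "S0", "service": "http", "class": "attack"},
    {"conn_id": 5, "flag": "S0", "service": "private", "class": "attack"},
    {"conn_id": 6, "flag": "S0", "service": "private", "class": "attack"},
    {"conn_id": 7, "flag": "SF", "service": "private", "class": "attack"},
    {"conn_id": 8, "flag": "S0", "service": "http", "class": "normal"},
]
ATTRS = ["conn_id", "flag", "service"]


if __name__ == "__main__":
    for a in ATTRS:
        print(f"{a:8s} IG={information_gain(DATA, a):.4f} GR={gain_ratio(DATA, a):.4f}")
    print("ID3 root:", best_attribute(DATA, information_gain, ATTRS))
    print("C4.5 root:", best_attribute(DATA, gain_ratio, ATTRS))
```

On this data the information gain of conn_id is the maximum possible (1 bit) because every record gets its own branch, but its split information is log2(8) = 3 bits, so its gain ratio drops to 1/3, below the 0.42 of service. The same effect appears in intrusion datasets with high-cardinality fields such as source ports or byte counts treated as categories.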

7.4 Multilayer perceptron


The multilayer perceptron (Amato et al., 2017) is another powerful classification technique in machine learning. An MLP is mainly used when the classes are not linearly separable. An MLP normally consists of three layers: an input layer, a hidden layer and an output layer. To construct an MLP classifier, two things have to be decided:

1 the architecture (the number of layers and the number of neurons each layer should contain)
2 the training of the network (the appropriate weight of each connection and the threshold of each neuron).

Too many layers create too many decision regions, and in such cases the perceptron loses the ability to generalise from the samples. Amato et al. (2017) experimented with the 10% subset of the KDD'99 dataset. To choose the essential features, they used greedy stepwise and best-fit algorithms. They concluded that their proposed model achieves the highest classification accuracy, a low error rate and scalability, at the cost of a higher training time.
In Esmaily et al. (2015), the authors randomly took 43,000 training records and 21,000 test records from the KDD'99 dataset; 10,000 of these records are normal and the rest are attacks. Random sampling was also used to remove redundant records. To achieve better results they combined a decision tree (DT) and a multilayer perceptron (MLP) to train the model, in two separate phases. In the first phase, the 41 features form the input layer, two hidden layers of eight neurons each map the input features, and the output layer gives the classification as attack or normal. In the second phase, the output of the first phase is taken as input, processed through the hidden layer and finally classified. They observed a prediction accuracy of 98.01% for DT and 99.89% for MLP, and an error rate of 2.19% for DT and 0.12% for MLP. Table 4 lists the performance measures for the multilayer perceptron approaches.
Table 4 Comparison of performance measures for multilayer perceptron

Methodology used: multilayer perceptron (Amato et al., 2017)
  Dataset used: 10% of KDD'99
  Techniques used: greedy stepwise and best-fit algorithms for feature selection
  Performance: high prediction accuracy; needs more training time; high scalability

Methodology used: multilayer perceptron (MLP) and decision trees (DT) (Esmaily et al., 2015)
  Dataset used: 10% of KDD'99
  Techniques used: random sampling to remove the redundant data
  Performance: MLP, prediction accuracy 99.89%, error rate 0.12%; DT, prediction accuracy 98.01%, error rate 2.19%
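The multilayer perceptron of Section 7.4, as an added example that is not part of the original paper or of either surveyed study: a one-hidden-layer MLP in plain Python, trained by backpropagation on the XOR problem, the textbook case of classes that are not linearly separable and that no single-layer perceptron can fit. The architecture (2 inputs, 4 hidden neurons, 1 output), the learning rate, the epoch count and the random seed are this example's own choices; the surveyed studies use 41 inputs and two hidden layers of 8 neurons on KDD'99 data, which the same code handles by changing the constructor arguments and the data.

```python
"""A minimal multilayer perceptron trained by backpropagation (added example)."""
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class MLP:
    """Input layer -> one sigmoid hidden layer -> one sigmoid output neuron."""

    def __init__(self, n_in, n_hidden, seed=1):
        rng = random.Random(seed)            # fixed seed so runs are reproducible
        self.w1 = [[rng.uniform(-1, 1) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-1, 1) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        hidden = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
                  for row, b in zip(self.w1, self.b1)]
        out = sigmoid(sum(w * h for w, h in zip(self.w2, hidden)) + self.b2)
        return hidden, out

    def predict(self, x):
        return self.forward(x)[1]

    def loss(self, data):
        """Mean squared error over (input, target) pairs."""
        return sum((self.predict(x) - t) ** 2 for x, t in data) / len(data)

    def train(self, data, epochs=5000, lr=0.5):
        """Full-batch gradient descent; the gradients are derived by the chain rule (backpropagation)."""
        for _ in range(epochs):
            gw1 = [[0.0] * len(row) for row in self.w1]
            gb1 = [0.0] * len(self.b1)
            gw2 = [0.0] * len(self.w2)
            gb2 = 0.0
            for x, t in data:
                hidden, out = self.forward(x)
                d_out = 2 * (out - t) * out * (1 - out)          # dLoss/d(output pre-activation)
                gb2 += d_out
                for j, h in enumerate(hidden):
                    gw2[j] += d_out * h
                    d_hidden = d_out * self.w2[j] * h * (1 - h)  # chain rule through hidden neuron j
                    gb1[j] += d_hidden
                    for i, xi in enumerate(x):
                        gw1[j][i] += d_hidden * xi
            for j in range(len(self.w2)):                         # apply the accumulated gradients
                self.w2[j] -= lr * gw2[j]
                self.b1[j] -= lr * gb1[j]
                for i in range(len(self.w1[j])):
                    self.w1[j][i] -= lr * gw1[j][i]
            self.b2 -= lr * gb2


# XOR: the classic problem a linear separator cannot solve
XOR = [((0.0, 0.0), 0.0), ((0.0, 1.0), 1.0), ((1.0, 0.0), 1.0), ((1.0, 1.0), 0.0)]


def accuracy(model, data, threshold=0.5):
    return sum((model.predict(x) >= threshold) == (t >= threshold) for x, t in data) / len(data)


def train_xor(n_hidden=4, epochs=5000, lr=0.5):
    """Return (loss before, loss after, outputs after training) for the XOR problem."""
    model = MLP(n_in=2, n_hidden=n_hidden)
    before = model.loss(XOR)
    model.train(XOR, epochs=epochs, lr=lr)
    return before, model.loss(XOR), [model.predict(x) for x, _ in XOR]


if __name__ == "__main__":
    before, after, outputs = train_xor()
    print(f"loss {before:.3f} -> {after:.3f}", [round(o, 2) for o in outputs])
```

The hidden layer is what makes the non-linear decision boundary possible; the caveat in the text about too many layers applies here in miniature, since a network with far more hidden neurons than the four XOR points need can memorise the training set while generalising worse on real traffic.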

8 Evaluation and discussion

In our survey we considered four machine learning-based techniques for building an IDS: random forest, naive Bayes, decision tree and multilayer perceptron. Naive Bayes classifies instances under the assumption that the attributes are independent given the class and is a widely used method. Decision tree and random forest classify instances on the basis of the available attributes and the dependencies between them. The multilayer perceptron can classify linearly inseparable instances. We compared every method with a modified version of it. Random forest combined with K-means clustering reaches the same prediction accuracy as the simple random forest technique in much less build time (Zhang et al., 2008; Aung and Min, 2017). Naive Bayes with FVBM feature selection, and naive Bayes with ReliefF attribute weighting, show better prediction accuracy than the simple naive Bayes algorithm (Mukherjee and Sharma, 2012; Wang et al., 2017). The decision tree using a binary classifier shows high prediction accuracy, but it needs more time to train the model (Peddabachigari et al., 2004). Another comparison shows that the C5.0 decision tree technique provides better prediction accuracy than C4.5 and ID3 (Kumar et al., 2012). The multilayer perceptron with feature selection shows high prediction accuracy but requires more training time (Amato et al., 2017), and another comparison shows that the multilayer perceptron performs better than the decision tree in terms of prediction accuracy and error rate (Esmaily et al., 2015). By choosing the right datasets and appropriate feature selection techniques, performance can be improved in terms of prediction accuracy, error rate and the time taken to build the model.

9 Conclusions

Machine learning-based techniques have been used to detect malicious attacks in
conventional networks, and they are also a promising technique for securing an SDN. They
can distinguish normal network traffic from malicious traffic. By applying machine learning
techniques, we can define security rules for the SDN controller to protect the network from
malicious users. In this paper, we provided an overview of SDN, its security issues and the
possible machine learning approaches for the creation of an IDS. Classification accuracy
varies for each machine learning technique depending on the datasets used and the feature
selection methods. From our survey, we identified that the dataset considered for the
training and testing phases should be balanced with respect to the Normal, DoS, U2R, R2L
and Probe classes. Techniques such as downsampling, random sampling and K-means can
be applied to make it balanced and free of redundant records. Training and testing with all
the available features is also time consuming, so the model should be trained with the
essential features only. For that, suitable techniques such as FVBM, greedy stepwise, best
fit, IG, GR and boosting can be employed to identify the essential features. Relevant metrics
should be used to evaluate the performance of the constructed model. In this survey work,
we identified that the important metrics to be considered are prediction accuracy, error rate
and time taken to build the model. Prediction accuracy should be high, while error rate and
time taken to build the model should be low in both the training and testing phases.
Finally, we conclude that constructing an ML-based IDS with greater prediction accuracy
and high scalability will help to secure the real-time centralised SDN control plane from
various attacks and intrusions.
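As an added illustration of the two preparation steps recommended above (not code from the paper or from any of the surveyed works), the following standard-library Python ranks features by information gain (IG) and gain ratio (GR) and then downsamples the majority class so that every label is equally represented. The records, the three attribute columns and the labels are constructed KDD Cup 99-style assumptions, not rows from the real dataset.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed KDD Cup 99-style records: (protocol_type, service, flag, label).
# The values are illustrative assumptions, not rows from the real dataset.
FEATURES = ["protocol_type", "service", "flag"]
RECORDS = [
    ("tcp", "http", "SF", "normal"),
    ("tcp", "http", "SF", "normal"),
    ("tcp", "http", "SF", "normal"),
    ("tcp", "domain_u", "SF", "normal"),
    ("tcp", "private", "S0", "dos"),
    ("tcp", "private", "S0", "dos"),
    ("tcp", "private", "REJ", "probe"),
    ("tcp", "private", "REJ", "probe"),
]

def entropy(values):
    """Shannon entropy (bits) of a list of categorical values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def information_gain(records, idx):
    """IG(feature) = H(label) - sum_v P(feature = v) * H(label | feature = v)."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[idx]].append(rec[-1])
    n = len(records)
    conditional = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy([rec[-1] for rec in records]) - conditional

def gain_ratio(records, idx):
    """GR(feature) = IG / SplitInfo; SplitInfo penalises many-valued features."""
    split_info = entropy([rec[idx] for rec in records])
    return 0.0 if split_info == 0.0 else information_gain(records, idx) / split_info

def rank_features(records, scorer):
    """Rank feature names by a scorer (information_gain or gain_ratio), best first."""
    scores = [(name, scorer(records, i)) for i, name in enumerate(FEATURES)]
    return sorted(scores, key=lambda item: item[1], reverse=True)

def label_counts(records):
    """Number of records per label, used to check class balance."""
    return dict(Counter(rec[-1] for rec in records))

def downsample(records, seed=0):
    """Balance classes by sampling every class down to the size of the rarest one."""
    by_label = defaultdict(list)
    for rec in records:
        by_label[rec[-1]].append(rec)
    target = min(len(rows) for rows in by_label.values())
    rng = random.Random(seed)
    return [rec for rows in by_label.values() for rec in rng.sample(rows, target)]
```

On the constructed sample, `flag` separates the three labels perfectly (IG equals the label entropy of 1.5 bits), `protocol_type` is constant and carries no information, and `downsample` reduces the four normal records to two.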

References
Abubakar, A. and Pranggono, B. (2017) ‘Machine learning based intrusion detection system for
software defined networks’, 2017 Seventh International Conference on Emerging Security
Technologies (EST), pp.138–143, IEEE.
Amato, F. et al. (2017) ‘Multilayer perceptron: an intelligent model for classification and intrusion
detection’, 2017 31st International Conference on Advanced Information Networking and
Applications Workshops (WAINA), IEEE.
Aung, Y.Y. and Min, M.M. (2017) ‘An analysis of random forest algorithm based network
intrusion detection system’, 2017 18th IEEE/ACIS International Conference on Software
Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD),
IEEE.
Dayal, N., Maity, P., Srivastava, S. and Khondoker, R. (2016) ‘Research trends in security and
DDoS in SDN’, Security and Communication Networks, Vol. 9, No. 18, pp.6386–6411.
Esmaily, J., Moradinezhad, R. and Ghasemi, J. (2015) ‘Intrusion detection system based on
multi-layer perceptron neural networks and decision tree’, 2015 7th Conference on
Information and Knowledge Technology (IKT), IEEE.
Hamed, T., Ernst, J.B. and Kremer, S.C. (2018) ‘A survey and taxonomy of classifiers of intrusion
detection systems’, Computer and Network Security Essentials, pp.21–39, Springer, Cham.
http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html (accessed 12 May 2018).
http://kdd.ics.uci.edu/databases/kddcup99/task.html (accessed 12 May 2018).
https://machinelearningmastery.com/classification-and-regression-trees-for-machine-learning/
(accessed 12 May 2018).
https://machinelearningmastery.com/naive-bayes-for-machine-learning/ (accessed 12 May 2018).
Kumar, M., Hanumanthappa, M. and Kumar, T.V.S. (2012) ‘Intrusion detection system using
decision tree algorithm’, 2012 IEEE 14th International Conference on Communication
Technology (ICCT), IEEE.
Mukherjee, S. and Sharma, N. (2012) ‘Intrusion detection using naive Bayes classifier with feature
reduction’, Procedia Technology, Vol. 4, No. 1, pp.119–128.
Peddabachigari, S., Abraham, A. and Thomas, J. (2004) ‘Intrusion detection systems using decision
trees and support vector machines’, International Journal of Applied Science and
Computations, Vol. 11, No. 3, pp.118–134, USA.
Scott-Hayward, S., Natarajan, S. and Sezer, S. (2016) ‘A survey of security in software defined
networks’, IEEE Communications Surveys & Tutorials, Vol. 18, No. 1, pp.623–654.
Sultana, N., Chilamkurti, N., Peng, W. and Alhadad, R. (2018) ‘Survey on SDN based network
intrusion detection system using machine learning approaches’, Peer-to-Peer Networking and
Applications, pp.1–9, ISSN 1936-6450.
Wang, Y. et al. (2017) ‘A novel intrusion detection system based on advanced naive Bayesian
classification’, International Conference on 5G for Future Wireless Networks, Springer,
Cham.
Zhang, J. and Zulkernine, M. (2005) ‘Network intrusion detection using random forests’,
PST 2005, October.
Zhang, J., Zulkernine, M. and Haque, A. (2008) ‘Random-forests-based network intrusion detection
systems’, IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and
Reviews), Vol. 38, No. 5, pp.649–659.