A robust Intrusion Detection System (IDS) for Software-Defined Networks (SDN) leveraging machine learning and deep learning techniques to classify and detect malicious network traffic in real-time.
This project implements an intelligent intrusion detection system designed specifically for SDN environments, utilizing the centralized control plane architecture to monitor network traffic and identify security threats. The system is deployed on CloudLab infrastructure, enabling scalable multi-node experimentation and real-time traffic analysis.
- Real-time Traffic Monitoring: Continuous network traffic analysis with low-latency detection
- Multi-Model Classification: Implements multiple ML/DL algorithms including Random Forest, Decision Tree, Gradient Boosting, and Neural Networks
- Scalable Architecture: Deployed on CloudLab for distributed, multi-node network experimentation
- High Detection Accuracy: Achieves industry-leading performance metrics for intrusion detection
- Attack Type Classification: Identifies various attack patterns including DDoS, port scans, and flood attacks
- SDN-Native Integration: Leverages SDN controller capabilities for centralized traffic management
- Programming: Python
- SDN Framework: Mininet, Ryu Controller, OpenFlow
- Cloud Platform: CloudLab
- Machine Learning: scikit-learn, TensorFlow/Keras, XGBoost, LightGBM
- Data Processing: pandas, NumPy, Feature Engineering
- Networking: SDN Architecture, Flow Statistics, Packet Analysis
- Deployment: Linux, SSH, Docker (optional)
```
┌─────────────────────────────────────────────────┐
│             CloudLab Infrastructure             │
│  ┌───────────────────────────────────────────┐  │
│  │           SDN Controller (Ryu)            │  │
│  │     ┌──────────────────────────────┐      │  │
│  │     │   ML/DL Detection Engine     │      │  │
│  │     │   - Feature Extraction       │      │  │
│  │     │   - Classification Models    │      │  │
│  │     │   - Alert Generation         │      │  │
│  │     └──────────────────────────────┘      │  │
│  └───────────────┬─────────────────────────┬─┘  │
│                  │     Flow Statistics     │    │
│  ┌───────────────▼─────────────────────────▼─┐  │
│  │          Mininet Virtual Network          │  │
│  │     ┌────┐   ┌────┐   ┌────┐   ┌────┐     │  │
│  │     │ S1 ├───┤ S2 ├───┤ S3 ├───┤ S4 │     │  │
│  │     └─┬──┘   └─┬──┘   └─┬──┘   └─┬──┘     │  │
│  │       │        │        │        │        │  │
│  │     ┌─▼─┐    ┌─▼─┐    ┌─▼─┐    ┌─▼─┐      │  │
│  │     │H1 │    │H2 │    │H3 │    │H4 │      │  │
│  │     └───┘    └───┘    └───┘    └───┘      │  │
│  └───────────────────────────────────────────┘  │
└─────────────────────────────────────────────────┘
```
The system utilizes network flow statistics extracted from SDN switches, including:
- Packet count and byte count
- Flow duration and inter-arrival times
- Protocol distribution (TCP/UDP/ICMP)
- Port numbers and flags
- Packet header features
- QoS metrics
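
How cumulative per-flow counters polled from a switch can be turned into the rate, port and protocol-distribution features listed above. This is an added example, not code from this repository: the record layout, the function names and the sample snapshots are constructed for illustration.

```python
from collections import defaultdict

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IP protocol numbers

def flow(src, dst, proto, sport, dport, pkts, byts):
    """One flow-stats record; the field names are this example's choice."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "packet_count": pkts, "byte_count": byts}

def flow_key(f):
    return (f["src"], f["dst"], f["proto"], f["sport"], f["dport"])

def window_features(prev, curr, interval_s):
    """Per-destination features for one polling window.
    Counters are cumulative, so rates are computed from deltas."""
    seen = {flow_key(f): f for f in prev}
    acc = defaultdict(lambda: {"pkts": 0, "bytes": 0, "flows": 0, "short": 0,
                               "srcs": set(), "dports": set(),
                               "proto": defaultdict(int)})
    for f in curr:
        old = seen.get(flow_key(f))
        d_pkts = f["packet_count"] - (old["packet_count"] if old else 0)
        d_bytes = f["byte_count"] - (old["byte_count"] if old else 0)
        if d_pkts < 0 or d_bytes < 0:  # entry expired and was reinstalled
            d_pkts, d_bytes = f["packet_count"], f["byte_count"]
        if d_pkts == 0:
            continue  # idle entry: no traffic in this window
        a = acc[f["dst"]]
        a["pkts"] += d_pkts
        a["bytes"] += d_bytes
        a["flows"] += 1
        a["short"] += f["packet_count"] <= 3  # few-packet flows: scans, floods
        a["srcs"].add(f["src"])
        a["dports"].add(f["dport"])
        a["proto"][PROTO_NAMES.get(f["proto"], "other")] += d_pkts
    return {dst: {"pkt_rate": a["pkts"] / interval_s,
                  "avg_pkt_size": a["bytes"] / a["pkts"],
                  "unique_srcs": len(a["srcs"]),
                  "unique_dports": len(a["dports"]),
                  "short_flow_ratio": a["short"] / a["flows"],
                  "proto_share": {p: n / a["pkts"] for p, n in a["proto"].items()}}
            for dst, a in acc.items()}

# Constructed snapshots taken 5 s apart: one web client, then 200 one-packet TCP flows.
PREV = [flow("10.0.0.1", "10.0.0.2", 6, 40000, 80, 100, 60000)]
CURR = [flow("10.0.0.1", "10.0.0.2", 6, 40000, 80, 150, 90000)] + [
    flow(f"10.0.1.{i}", "10.0.0.4", 6, 1024 + i, 80, 1, 60) for i in range(200)]
FEATURES = window_features(PREV, CURR, 5)
```

In the constructed data the ordinary client and the flood target differ most in `unique_srcs`, `avg_pkt_size` and `short_flow_ratio`, not in raw packet rate alone.
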
Attack Types Detected:
- TCP SYN Flood
- UDP Flood
- ICMP Flood
- Port Scan (OS/Port probe)
- DDoS attacks
- Bandwidth exhaustion attacks
System requirements:
- Python 3.8+
- Ubuntu 18.04/20.04 LTS
- Mininet 2.3+
- Ryu Controller 4.34+

```bash
# Clone the repository
git clone https://github.com/alirafiqmalik/SDN-Based-Machine-Learning-IDS.git
cd SDN-Based-Machine-Learning-IDS
# Install dependencies
pip install -r requirements.txt
# Install Mininet
sudo apt-get install mininet
# Install Ryu Controller
pip install ryu
```

- Create CloudLab Account: Sign up at CloudLab
- SSH Key Setup: Add your SSH public key to CloudLab profile
- Instantiate Experiment:
  ```bash
  # Use the provided CloudLab profile or create custom topology
  # Access nodes via SSH
  ssh username@node0.experiment.project.cloudlab.us
  ```
- Deploy IDS:
  ```bash
  # Clone repository on CloudLab node
  cd /local/repository
  git clone https://github.com/alirafiqmalik/SDN-Based-Machine-Learning-IDS.git
  # Run setup script
  ./setup.sh
  ```

```bash
# Train machine learning models
python train_models.py --dataset data/network_traffic.csv --model rf
# Available models: rf (Random Forest), dt (Decision Tree),
# gb (Gradient Boosting), xgb (XGBoost), nn (Neural Network)
```

```bash
# Start Ryu controller with IDS application
ryu-manager ids_controller.py
# In another terminal, start Mininet topology
sudo python topology.py
# Monitor detection results
tail -f logs/ids_detection.log
```

```bash
# Start real-time monitoring
python real_time_detection.py --controller localhost:6633
```

The system achieves the following performance on benchmark datasets:

| Model | Accuracy | Precision | Recall | F1-Score |
|---|---|---|---|---|
| Gradient Boosting | 99.87% | 99.85% | 100% | 99.85% |
| Random Forest | 99.38% | 99.35% | 99.40% | 99.37% |
| Decision Tree | 99.95% | 99.83% | 99.95% | 99.89% |
| XGBoost | 99.45% | 99.42% | 99.48% | 99.45% |
Throughput: 6,737,147 samples/second
- Node Type: Physical machines with OpenFlow support
- Topology: Multi-switch mesh network
- Controller: Centralized Ryu controller
- Traffic Generation: hping3, iperf, scapy
- Switch count: 4-10 OpenFlow switches
- Host count: 10-50 network hosts
- Link bandwidth: 1 Gbps
- Controller placement: Co-located with detection engine
- Flow Collector: Extracts flow statistics from SDN switches
- Feature Extractor: Processes raw flow data into ML features
- Detection Engine: Runs trained models for classification
- Alert Manager: Generates and logs security alerts
- Mitigation Module: Implements reactive flow rules for blocking attacks
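
One way the reactive blocking step can be guarded against acting on weak or spoofed verdicts, as an added example rather than this repository's code. `install_block`, `NEVER_BLOCK`, the address in it and the default thresholds are hypothetical; `datapath` is assumed to be the switch handle Ryu passes to event handlers, with an OpenFlow 1.3 parser.

```python
import ipaddress

ETH_TYPE_IPV4 = 0x0800
# Assumed addresses that must stay reachable (gateway, controller); constructed value.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.254/32")]

def install_block(datapath, src_ip, confidence, *, threshold=0.95,
                  hard_timeout=60, priority=100):
    """Send a temporary drop rule for src_ip to one switch.

    Returns True when a rule was sent, False when the verdict was not
    acted on. Raises ValueError if src_ip is not a valid IP address.
    """
    addr = ipaddress.ip_address(src_ip)
    if addr.version != 4:
        return False              # this match only covers IPv4 traffic
    if confidence < threshold:
        return False              # log the alert, but do not block on a weak verdict
    if any(addr in net for net in NEVER_BLOCK):
        return False              # a spoofed source must not cut off infrastructure
    parser = datapath.ofproto_parser
    match = parser.OFPMatch(eth_type=ETH_TYPE_IPV4, ipv4_src=str(addr))
    mod = parser.OFPFlowMod(
        datapath=datapath,
        priority=priority,          # must be higher than the forwarding rules
        match=match,
        instructions=[],            # no instructions: matching packets are dropped
        hard_timeout=hard_timeout,  # rule expires by itself, bounding a false positive
    )
    datapath.send_msg(mod)
    return True
```

The hard timeout and the allowlist limit the damage when the classifier is wrong or when flood traffic carries forged source addresses.
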
```
├── controllers/      # Ryu controller applications
├── models/           # Trained ML models
├── data/             # Datasets and preprocessed features
├── scripts/          # Training and evaluation scripts
├── topologies/       # Mininet network topologies
├── logs/             # Detection logs and metrics
├── requirements.txt  # Python dependencies
└── README.md         # Project documentation
```
This project builds upon state-of-the-art research in SDN security and machine learning-based intrusion detection.
This project is licensed under the MIT License - see the LICENSE file for details.
Ali Rafiq Malik
- GitHub: @alirafiqmalik
- CloudLab for providing infrastructure resources
- Mininet and Ryu development teams
- Research community for SDN security advancements