1 / 15

Enabling Dynamic Network Access Control with Anomaly-based IDS and SDN

This research paper explores the integration of Anomaly-based Intrusion Detection Systems (IDS) with Software-Defined Networking (SDN) to enable dynamic network access control. The study presents a case study on network access control using SDN-FlowGuard and proposes a policy generation framework based on outcome explanations from the IDS. Future work includes improving explanation mechanisms and formalizing the policy generation process.

dmaye
Download Presentation

Enabling Dynamic Network Access Control with Anomaly-based IDS and SDN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Enabling Dynamic Network Access Control with Anomaly-based IDS and SDN Hongda Li, Feng Wei, and Hongxin Hu SDN-NFV Security 2019

  2. Outline • Motivation • Background • Our Approach • Case Study

  3. Network Access Control with SDN FlowGuard [HotSDN’14] Dynamic Firewall [RAID’15] Access Control Policies Virtual Firewall [NDSS’17] How to generate new ACP? Anomaly Unknown vulnerabilities Zero-day security threat

  4. Existing Anomaly-based IDS Semantic Gap Access Control Policies Uncover novel security threats Obscure outcome

  5. Machine Learning Model Explanation CAT Predictor DOG Input Outcome Explanation

  6. Explanation Mechanisms Black Box x y Whitebox Blackbox x1 y1 xi yi … … xn yn Local Explanation Global Explanation

  7. Local & Blackbox Explanation • Local Approximation • Explanation Logic e e Why is predicted as circle?

  8. Approach Overview SDN Controller SDN Flow Rule Access Control Policy Mirrored Traffic AIDS Outcome Outcome Explanation Anomaly-based IDS Outcome Explanator Policy Generator SDN Switch

  9. AIDS Outcome Explanation • Local Approximation • Explanation Logic Linear Regression F(x) x Feature Importance : (duration, proto_type, service, flag, src_byte, dst_byte, … ) FI: (97, 96, 99, 100, 95, 98, … )

  10. Access Control Policy Generation <filers, actions> Selects network entities Defines action to take Networks; Hosts; Connections; Flows; Packets; Combination of above; Allow; Deny; Redirect; Quarantine; Mirror; … : (duration, proto_type, service, flag, src_byte, dst_byte, … ) FI: (97, 96, 99, 100, 95, 94, … ) Explanation

  11. Case Study: AIDS • Recurrent Neural Network (RNN) • Detect across multiple records • NSL-KDD dataset • 41 raw feature • Keras + TensorFlow for implementation

  12. Case Study: Outcome Explanation • Choose Neptune attack in dataset • Extensive SYN error or SYN rejection • Two records labeled as Neptune attack • Explanation (Feature Importance) Record1: (0, tcp, private, S0, …, 255, 20, 0.08, 0.07, 0, 0, 1, 1, 0, 0) Record2: (0, tcp, imap4, REJ, …, 255, 17, 0.07, 0.07, 0, 0, 0, 0, 1, 1) Percentage of SYN Error Percentage of Rejection Error

  13. Case Study: Policy Generation Outcome Explanation <filters=(ip_proto=tcp, tcp_flags=syn, sip=192.168.1.2, dip=192.168.1.3), actions=(drop)> Access Control Policy

  14. Conclusion and Future Work • Conclusion • Explained the outcome of anomaly-based IDS • Generated network access control policy according to the explanation • Future work • Better explanation that handles decency among records • Policy generation process formalization • More evaluation on realistic traffic and attacks

  15. Q & A Hongda Li (hongdal@clemson.edu) Thank you!

More Related