Bringing To Light: Adversarial Poisoning Detection for ML-based IDS in Software-defined Networks
Published in: | IEEE transactions on network science and engineering 2024-12, p.1-13 |
---|---|
Main Authors: | , , , |
Format: | Article |
Language: | English |
Summary: | Machine learning (ML)-based network intrusion detection systems (NIDS) have become a prospective approach to efficiently protect network communications. However, ML models can be exploited by adversarial poisonings, like Random Label Manipulation (RLM), which can compromise multi-controller software-defined network (MSDN) operations. In this paper, we develop the Trans-controller Adversarial Perturbation Detection (TAPD) framework for NIDS for MSDNs. The detection framework takes advantage of the MSDN architecture and focuses on periodic transference of ML-based NIDS models across the SDN controllers in the topology, and validates the models using local datasets to calculate error rates. We demonstrate the efficacy of this framework in detecting RLM attacks in an MSDN setup. Results indicate efficient detection performance by the TAPD framework in determining the presence of RLM attacks and the localization of the compromised controllers. We find that the framework works well even when there is a significant number of compromised agents. However, the performance begins to deteriorate when more than 40% of the SDN controllers have become compromised. |
---|---|
ISSN: | 2334-329X |
DOI: | 10.1109/TNSE.2024.3519515 |