Evaluation of Apache Spot's Machine Learning Capabilities in an SDN/NFV Enabled Environment

Title: Evaluation of Apache Spot's Machine Learning Capabilities in an SDN/NFV Enabled Environment
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Mathas, Christos M., Segou, Olga E., Xylouris, Georgios, Christinakis, Dimitris, Kourtis, Michail-Alexandros, Vassilakis, Costas, Kourtis, Anastasios
Conference Name: Proceedings of the 13th International Conference on Availability, Reliability and Security
Date Published: August 2018
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-6448-5
Keywords: Apache Spot, composability, decomposition, defense, latent Dirichlet allocation, machine learning, Metrics, network function virtualisation, Penetration Testing, pubcrawl, resilience, Resiliency, SHIELD Project, software defined networking, virtual machine security, Zero day attacks
Abstract

Software Defined Networking (SDN) and Network Function Virtualisation (NFV) are transforming modern networks towards a service-oriented architecture. At the same time, the cybersecurity industry is rapidly adopting Machine Learning (ML) algorithms to improve detection and mitigation of complex attacks. Traditional intrusion detection systems perform signature-based detection, based on well-known malicious traffic patterns that signify potential attacks. The main drawback of this method is that attack patterns need to be known in advance and signatures must be preconfigured. Hence, typical systems fail to detect a zero-day attack or an attack with unknown signature. This work considers the use of machine learning for advanced anomaly detection, and specifically deploys the Apache Spot ML framework on an SDN/NFV-enabled testbed running cybersecurity services as Virtual Network Functions (VNFs). VNFs are used to capture traffic for ingestion by the ML algorithm and apply mitigation measures in case of a detected anomaly. Apache Spot utilises Latent Dirichlet Allocation to identify anomalous traffic patterns in Netflow, DNS and proxy data. The overall performance of Apache Spot is evaluated by deploying Denial of Service (Slowloris, BoNeSi) and a Data Exfiltration attack (iodine).
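The following is an added illustration of the flow-scoring idea the abstract attributes to Apache Spot; it is not code from the paper or from the Spot project. It reduces the Netflow case to pure Python: each source host is treated as a "document", each flow is quantised into a "word" (protocol, destination port and a log2 byte bucket, a simplified stand-in for Spot's own word construction), LDA is fitted with a small collapsed Gibbs sampler rather than Spot's Spark-based implementation, and every flow is scored by p(word | host). The lowest-scoring flows are the anomaly candidates. All hosts, addresses and records are constructed sample data; the planted anomaly is a single very large UDP/53 flow, the rough shape a DNS tunnel such as iodine leaves in flow records.

```python
# Added example: LDA-style Netflow anomaly scoring in pure Python.
# Not Apache Spot's code; word construction and the sampler are simplified.
import math
import random


def flow_word(dst_port, proto, nbytes):
    """Quantise one flow into a vocabulary token; byte volume is log2-bucketed."""
    bucket = int(math.log2(nbytes)) if nbytes > 0 else 0
    return f"{proto}_{dst_port}_b{bucket}"


# Constructed sample Netflow-like records: (src_ip, dst_ip, dst_port, proto, bytes)
FLOWS = (
    # 10.0.0.5 and 10.0.0.7: web browsing plus short DNS lookups
    [("10.0.0.5", "93.184.216.34", 443, "TCP", 12000)] * 8
    + [("10.0.0.5", "93.184.216.34", 80, "TCP", 3000)] * 5
    + [("10.0.0.5", "10.0.0.2", 53, "UDP", 120)] * 6
    + [("10.0.0.7", "151.101.1.69", 443, "TCP", 15000)] * 7
    + [("10.0.0.7", "151.101.1.69", 80, "TCP", 2500)] * 4
    + [("10.0.0.7", "10.0.0.2", 53, "UDP", 100)] * 6
    # 10.0.0.9: an SMB file-server profile plus DNS
    + [("10.0.0.9", "10.0.0.20", 445, "TCP", 800000)] * 9
    + [("10.0.0.9", "10.0.0.2", 53, "UDP", 110)] * 5
    # Planted anomaly: one huge UDP/53 flow to an external host (constructed)
    + [("10.0.0.5", "198.51.100.77", 53, "UDP", 900000)]
)


def fit_lda(docs, k=3, alpha=0.5, beta=0.1, iters=200, seed=0):
    """Collapsed Gibbs sampling for LDA over docs (lists of word ids).
    Returns (theta, phi): per-document topic mixes and per-topic word distributions,
    estimated from the final sample."""
    rng = random.Random(seed)
    vocab = max(w for doc in docs for w in doc) + 1
    n_dk = [[0] * k for _ in docs]          # topic counts per document
    n_kw = [[0] * vocab for _ in range(k)]  # word counts per topic
    n_k = [0] * k                           # total tokens per topic
    z = [[rng.randrange(k) for _ in doc] for doc in docs]
    for d, doc in enumerate(docs):
        for i, w in enumerate(doc):
            t = z[d][i]
            n_dk[d][t] += 1; n_kw[t][w] += 1; n_k[t] += 1
    for _ in range(iters):
        for d, doc in enumerate(docs):
            for i, w in enumerate(doc):
                t = z[d][i]
                n_dk[d][t] -= 1; n_kw[t][w] -= 1; n_k[t] -= 1
                weights = [(n_dk[d][j] + alpha) * (n_kw[j][w] + beta) / (n_k[j] + vocab * beta)
                           for j in range(k)]
                t = rng.choices(range(k), weights=weights)[0]
                z[d][i] = t
                n_dk[d][t] += 1; n_kw[t][w] += 1; n_k[t] += 1
    theta = [[(n_dk[d][j] + alpha) / (len(docs[d]) + k * alpha) for j in range(k)]
             for d in range(len(docs))]
    phi = [[(n_kw[j][w] + beta) / (n_k[j] + vocab * beta) for w in range(vocab)]
           for j in range(k)]
    return theta, phi


def score_flows(flows, k=3, seed=0):
    """Return [(p(word | host), flow), ...] sorted ascending: lowest = most anomalous."""
    hosts = sorted({f[0] for f in flows})
    host_index = {h: i for i, h in enumerate(hosts)}
    words = sorted({flow_word(f[2], f[3], f[4]) for f in flows})
    word_index = {w: i for i, w in enumerate(words)}
    docs = [[] for _ in hosts]
    for f in flows:
        docs[host_index[f[0]]].append(word_index[flow_word(f[2], f[3], f[4])])
    theta, phi = fit_lda(docs, k=k, seed=seed)
    scored = []
    for f in flows:
        d = host_index[f[0]]
        w = word_index[flow_word(f[2], f[3], f[4])]
        scored.append((sum(theta[d][j] * phi[j][w] for j in range(k)), f))
    scored.sort(key=lambda s: s[0])
    return scored


if __name__ == "__main__":
    for p, f in score_flows(FLOWS)[:3]:
        print(f"{p:.4f}  {f[0]} -> {f[1]}:{f[2]}/{f[3]} {f[4]} bytes")
```

The planted tunnel-shaped flow lands at the bottom of the ranking because its token occurs once in the whole corpus while every token its host normally emits is shared with many sibling flows; that is the same reason this family of detectors needs a suppression list and analyst feedback for rare-but-legitimate traffic, which is a failure mode the paper's evaluation against Slowloris, BoNeSi and iodine is well placed to expose.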

URL: https://dl.acm.org/doi/10.1145/3230833.3233278
DOI: 10.1145/3230833.3233278
Citation Key: mathas_evaluation_2018