Evaluation of Apache Spot's machine learning capabilities in an SDN/NFV enabled environment

Title: Evaluation of Apache Spot's machine learning capabilities in an SDN/NFV enabled environment
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Mathas CM, Segou OE, Xylouris G, Christinakis D, Kourtis M-A, Vassilakis C, Kourtis A
Conference Name: Proceedings of the 13th International Conference on Availability, Reliability and Security - ARES 2018
Publisher: ACM Press
Keywords: Apache Spot, Latent Dirichlet Allocation, Machine Learning, Network Function Virtualisation, Penetration Testing, SHIELD Project, Software Defined Networking
Abstract: Software Defined Networking (SDN) and Network Function Virtualisation (NFV) are transforming modern networks towards a service-oriented architecture. At the same time, the cybersecurity industry is rapidly adopting Machine Learning (ML) algorithms to improve detection and mitigation of complex attacks. Traditional intrusion detection systems perform signature-based detection, based on well-known malicious traffic patterns that signify potential attacks. The main drawback of this method is that attack patterns need to be known in advance and signatures must be preconfigured. Hence, typical systems fail to detect a zero-day attack or an attack with an unknown signature. This work considers the use of machine learning for advanced anomaly detection, and specifically deploys the Apache Spot ML framework on an SDN/NFV-enabled testbed running cybersecurity services as Virtual Network Functions (VNFs). VNFs are used to capture traffic for ingestion by the ML algorithm and to apply mitigation measures in case of a detected anomaly. Apache Spot utilises Latent Dirichlet Allocation to identify anomalous traffic patterns in Netflow, DNS and proxy data. We evaluate the overall performance of Apache Spot by deploying Denial of Service (Slowloris, BoNeSi) and a Data Exfiltration attack (iodine).
DOI: 10.1145/3230833.3233278