Cyber-AnDe: Cybersecurity Framework With Adaptive Distributed Sampling for Anomaly Detection on SDNs
Published in: | IEEE transactions on information forensics and security 2024, Vol.19, p.9245-9257 |
---|---|
Main authors: | , , |
Format: | Article |
Language: | eng |
Abstract: | By decoupling the control plane and data plane in the software-defined network (SDN), the controller gains a comprehensive global view of the network. The SDN controller samples traffic from all switches to effectively manage data plane traffic. The sampling rate of flow traffic significantly impacts the accuracy of the controller's decisions. While increasing the sampling rate is desirable for improved detection accuracy, it also escalates resource consumption on both switches and the controller. Hence, it is crucial to carefully manage sampling on switches to fine-tune anomaly detection accuracy. Existing flow sampling solutions often struggle to strike a balance between detection accuracy, sampling rate, and overhead. To address this challenge, we propose a robust cybersecurity framework for anomaly detection on SDNs through traffic flow inspection. Our proposed framework, Cyber-AnDe, integrates adaptive distributed sampling (ADS) with a Reinforcement Learning (RL) agent to enhance anomaly detection accuracy while minimizing the increase in controller overhead. In our framework, the controller leverages information gathered from each sampled traffic flow to determine whether the flow's state is malicious, suspicious, or benign based on underlying anomaly detection algorithms. Once the flow state is determined, the controller takes the appropriate action with the help of the RL agent. Through extensive simulations and SDN test-bed experiments, we confirm a significant improvement of up to 93% in network traffic-based anomaly detection compared to existing solutions. |
---|---|
ISSN: | 1556-6013 1556-6021 |
DOI: | 10.1109/TIFS.2024.3468632 |