DeepAir: Deep Reinforcement Learning for Adaptive Intrusion Response in Software-Defined Networks

Bibliographic details
Published in: IEEE eTransactions on network and service management 2022-09, Vol.19 (3), p.2207-2218
Main authors: Phan, Trung V., Bauschert, Thomas
Format: Article
Language: eng
Description
Summary: In this paper, we propose an adaptive intrusion response solution based on deep reinforcement learning, namely DeepAir, to effectively defend against cyber-attacks in Software-Defined Networks (SDN). Specifically, we first study an intrusion response system (IRS) that operates at the SDN control plane. Next, we propose a dynamic intrusion response solution to maximize the attack defense performance while minimizing the negative impact on benign traffic forwarding and the policy deployment cost in the SDN data plane. Then, we model the intrusion response system based on a Markov decision process (MDP) approach and formulate the related optimization problem. Afterward, we develop a Double Deep Q-Network based intrusion response control algorithm to assist the intrusion response system to quickly obtain the optimal intrusion response policy. In our case study, we consider denial-of-service (DoS) attacks; the performance evaluation results demonstrate that DeepAir can effectively prevent malicious packets from arriving at the victim in all considered DoS attack scenarios, i.e., approximately 85% of attack packets are dropped. Moreover, by applying the optimal intrusion response policy, DeepAir can significantly reduce the ratio of Quality-of-Service violated traffic flows compared to a Q-learning based approach (by 70%), and to two existing solutions, i.e., GATE (by 75%) and GTAC-IRS (by 80%), respectively.
ISSN:1932-4537
DOI:10.1109/TNSM.2022.3158468