AI and Machine Learning Enabled SDN

The document discusses the integration of artificial intelligence (AI) and machine learning (ML) within software-defined networks (SDN) and software-defined wide-area networks (SD-WAN) to enhance network management and security, particularly against DDoS attacks. It presents a machine learning approach using a Random Forest classifier for detecting and mitigating DDoS attacks, demonstrating improved accuracy and efficiency in handling network traffic. The study emphasizes the benefits of closed-loop automation and reduced reliance on human intervention in network operations.

AI and Machine Learning Enabled Software Defined Networks

Kavuri K. S. V. A. Satheesh, M. Janani, S. China Venkateswarlu, R. Ganesh Kumar, Anubhuti Gupta, and Bonthu Kotaiah

Abstract The telecommunications industry has not been exempt from the technology sector’s massive artificial intelligence (AI) and machine learning (ML) boom in recent years. AI and ML provide advanced analytics and automation that are in line with modern networking concepts like software-defined networking (SDN) and software-defined wide-area networks (SD-WAN). Work is being done to determine how AI/ML can benefit SD-WAN and to demonstrate these benefits in a real SD-WAN network using a workable example. Here, AI/ML is limited to modern ML techniques and algorithms. Today’s Internet is under constant threat from DDoS (Distributed Denial of Service) attacks. As the volume of Internet traffic grows, it is getting harder to tell what is legitimate and what is malicious. DDoS attacks are detected using a machine learning approach that makes use of a Random Forest classifier. To better detect DDoS attacks, we tweak the Random Forest algorithm. The proposed machine learning approach outperforms the existing method, as demonstrated by our results.

K. K. S. V. A. Satheesh (B)
School of Computer Science and Artificial Intelligence, SR University, Hanuma Konda,
Warangal, India
e-mail: kns9@live.com
M. Janani
IT Department, St. Joseph’s College of Engineering, Hyderabad, India
S. C. Venkateswarlu
Electronics and Communication Engineering, Institute of Aeronautical Engineering, Dundigal,
Hyderabad, Telangana, India
R. G. Kumar
Department of Computer Science and Engineering, School of Engineering and Technology,
CHRIST (Deemed to Be University), Kengeri Campus, Bangalore, India
A. Gupta
Amity Business School, Amity University, Greater Noida, Uttar Pradesh, India
B. Kotaiah
Department of CS and IT, Maulana Azad National Urdu Central University, Gachibowli,
Hyderabad, Telangana, India

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022
V. Bhateja et al. (eds.), Data Engineering and Intelligent Computing,
Lecture Notes in Networks and Systems 446,
https://doi.org/10.1007/978-981-19-1559-8_14

Keywords Machine learning · Artificial intelligence · Distributed denial of service and software-defined networking

1 Introduction

SDN is a dynamic, manageable, and cost-effective new network architecture. It relies on decoupling the forwarding plane from the control plane to operate effectively. Because of this abstraction, network resources can be dynamically and automatically configured, managed, secured, and optimised without relying on human intervention. In traditional networks, switches use a proprietary protocol to determine where to send network packets, and a switch treats all packets with the same destination the same way. Introducing SDN technology has changed all of that [1]. SDN is capable of deciding how packets in the forwarding plane should be routed through the network. A controller sends packet handling rules to the switches. The controller is a piece of software that runs on a server in a different part of the country. When it comes to packet handling, the switches look to the controller for guidance.
With the controller’s south-bound interface in place, switches can talk to each other as well [2]. The OpenFlow protocol is used to make this connection. The controller’s north-bound interface can be used by applications to communicate with the controller. Figure 1 depicts the SDN architecture.

Fig. 1 General architecture of SDN

Fig. 2 SDN controller DDoS attacks

The provision of secure communication necessitates ensuring SDN security. The focus of this study is on data-plane Distributed Denial-of-Service (DDoS) attacks. A DDoS attack prevents users from accessing a machine or network resource [3]. It achieves this goal by consuming all of the network’s bandwidth or resources (such as memory and CPU). Figure 2 depicts a distributed denial-of-service attack on an SDN controller.
A southbound SDN protocol establishes communication between the controller and network nodes so that the controller can set up the data plane. This is different from traditional networking, where network nodes have control of the control plane [4]. OpenFlow is a standardised southbound SDN protocol that supports communication between the controller and network nodes. Figure 2 shows how the application, control and data layers communicate. Application programming interfaces (APIs) connect the control plane to the data plane, such as load balancing in the SDN architecture [5]. The controller implements both the application and control layers, whilst the data layer is distributed amongst networking devices like routers and switches. APIs are used to implement customised network services based on the requirements of the application layer (quality of service, access control, bandwidth management, energy management, etc.) [6].

2 AI and ML in SDN

To make use of ML, the SD-WAN system’s data must be made available to the ML system. When SD-WAN and ML are combined, they form a larger system with capabilities that come from both of them. Consider ML as an SD-WAN capability that can be embedded in the management layer of the orchestrator/directory node. This approach would place ML on the management layer. However, the northbound interface provided by SD-WAN systems is excellent for networking applications [7]. The management layer node would be less monolithic if ML were placed in the network application layer(s). Figure 3 shows this architecture. SD-WAN’s architecture and design principles make using the northbound interface for new features a no-brainer. The northbound interface can be used to fetch data, but it can also be used to make network configuration changes and take other administrative actions. Closed-loop automation based on ML is now possible, allowing the network to adapt based on what it has learned. Compared with relying on human operators, closed-loop automation reduces reliance on human intervention in the network and speeds up response times in the event of problems or configuration requirements. As a result of SD-WAN’s ability to centrally manage and configure the network, this closed-loop automation can make changes to all network devices and optimise the network overall [8] (Fig. 4).
SDN, or software-defined networking, is a cutting-edge networking technology that makes networking easier and more flexible. In addition to providing basic IP (Internet Protocol) connectivity, a software-defined network has a programmable interface. SD-WAN is a form of software-defined networking (SDN). SD-WANs are commonly used by businesses that require secure connectivity between remote offices or data centres (VPN) [9]. SD-WAN networks are easier to configure than traditional decentralised networks, but adding new policies to an SD-WAN network is time consuming and difficult. Policy makers must know how and why a network is used before they can design effective policies around it. Experts have traditionally interacted with users and monitored the network to gain this type of understanding. Gathering and analysing network traffic data requires the right tools. Network analysis could benefit from artificial intelligence (AI) or, more specifically, machine learning (ML). They could be used to create configuration proposals or templates, or even automate configuration changes for administrators and users, for example. This would make network management simpler and less time consuming, or even lead to network automation. Configuring a network will no longer be as difficult with a smart and user-friendly system.

Fig. 3 Functionality of the SDN architecture

Fig. 4 Machine learning applications in SDN

3 Background

The NOX controller has a DDoS detection method based on Self-Organizing Maps (SOM). Using the network flow features that are periodically gathered from the switches, SOM creates an artificial neural network that works without human supervision. Based on the SOM pattern, the traffic is classified as either normal or abnormal [10]. Figure 5 depicts this detection method, which utilises three modules running in a loop within the NOX controller on a periodic basis. The controller’s performance will be impacted if switches are queried on a regular basis, especially in large cloud architectures with a large number of switches. An additional consideration is how to handle the large volume of flows that will be processed in the flow tables.

Fig. 5 Loop operation of SDN detection

4 Methodology

As soon as an attack on a switch is detected, the algorithm should attempt to mitigate the problem. Options for attack mitigation include installing flows in attack paths to drop packets until the attack is stopped, or blocking the incoming ports where the attack traffic is arriving. Although all of these measures will help to lessen the impact of an attack and give network operators more time to identify the attack’s origins before the controller or switches fail, they affect legitimate traffic as much as attack traffic, making network services unavailable or slow to respond [11].
Because of the controller’s high capacity, it is unlikely to crash often. Switches, on the other hand, are resource constrained and vulnerable to attack. A large number of short flows will eventually break the switch if an attack is underway and the flow table on the switches is full. To keep the switches from breaking down, the proposed mitigation algorithm will set the flow idle timer to a lower value than the default. Because the mitigated value is lower than the default value, any malicious short-lived flows will time out and be removed from the switch flow tables. Legitimate traffic flows, in contrast, are expected to have longer connections with a greater number of packets [12]. As long as the mitigated value is selected correctly, legitimate flow entries will be unaffected, but malicious flows will be removed quickly from the system (Fig. 6).

Fig. 6 Attack mitigation of proposed algorithm implementation
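
The effect of lowering the flow idle timer can be seen in a small simulation. The following Python sketch is an added example, not code from the paper or its controller module; the table capacity, the timeout values (30 s standing in for the default, 3 s and 1 s as mitigated values) and the traffic shapes are constructed assumptions.

```python
# Toy switch flow table with OpenFlow-style idle timeouts.
# All numbers below are constructed for illustration.

def simulate(idle_timeout, capacity=200, seconds=60):
    """Return (peak_occupancy, rejected_installs, legit_evictions)."""
    table = {}  # flow id -> time of the last packet that matched the entry
    peak = rejected = legit_evicted = 0
    legit = [f"legit-{i}" for i in range(20)]
    for now in range(seconds):
        # 1. Expire entries that have been idle for idle_timeout seconds.
        expired = [f for f, last in table.items() if now - last >= idle_timeout]
        for fid in expired:
            if fid.startswith("legit"):
                legit_evicted += 1
            del table[fid]
        # 2. Legitimate flows are long-lived: one packet every 2 seconds.
        arrivals = list(legit) if now % 2 == 0 else []
        # 3. Attack: 15 new spoofed-source flows per second, one packet each.
        arrivals += [f"spoof-{now}-{i}" for i in range(15)]
        for fid in arrivals:
            if fid in table or len(table) < capacity:
                table[fid] = now      # install the entry or refresh its timer
            else:
                rejected += 1         # table full: no room for a new entry
        peak = max(peak, len(table))
    return peak, rejected, legit_evicted


if __name__ == "__main__":
    for timeout in (30, 3, 1):
        print(timeout, simulate(timeout))
```

With the 30 s value the table fills and new entries are refused; with 3 s the spoofed entries age out and the legitimate entries stay installed; with 1 s the legitimate entries are evicted as well, which is the case the text warns about when the mitigated value is not selected correctly.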

4.1 DDoS Attack Detection Using Machine Learning Approach

The previous section’s entropy-based DDoS attack detection is best suited for
detecting attacks on a single victim. We can’t rely solely on entropy to protect against
attacks with multiple victims because the attack is aimed at multiple locations. As
a result, the system includes a second DDoS detection method based on flow rate
in addition to entropy variation [12]. The switch is subjected to a large number of
DDoS attacks that use spoofed source IP addresses. To set up flows, the switch sends
numerous packet-in messages to the controller. As a result, the controller’s CPU is
taxed, and switch memory and network bandwidth are depleted. The controller or
switch may be damaged as a result.
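
The two detection signals described above can be sketched as follows. This is an added example, not the authors' implementation: it assumes entropy is computed over the destination IPs of the packet-in messages seen in one window, takes cut-offs at three standard deviations from the attack-free mean (the paper states only that thresholds come from the mean and standard deviation), and runs on constructed traffic windows.

```python
import math
from collections import Counter
from statistics import mean, stdev

HOSTS = [f"10.0.0.{h + 1}" for h in range(8)]  # constructed topology


def window(i, extra=None):
    """Constructed window: destination IP of every packet-in message seen."""
    extra = extra or {}
    packets = []
    for h, ip in enumerate(HOSTS):
        packets += [ip] * (10 + (i + h) % 3 + extra.get(ip, 0))
    return packets


def entropy(dst_ips):
    """Shannon entropy (bits) of the destination-IP distribution."""
    n = len(dst_ips)
    return -sum(c / n * math.log2(c / n) for c in Counter(dst_ips).values())


def thresholds(baseline, k=3.0):
    """Cut-offs from attack-free windows; k = 3 is an assumption."""
    ents = [entropy(w) for w in baseline]
    rates = [len(w) for w in baseline]
    return mean(ents) - k * stdev(ents), mean(rates) + k * stdev(rates)


def classify(win, ent_min, rate_max):
    if entropy(win) < ent_min:
        return "single-victim"   # traffic concentrated on one destination
    if len(win) > rate_max:
        return "multi-victim"    # entropy looks normal, packet-in rate does not
    return "normal"


BASELINE = [window(i) for i in range(10)]
ENT_MIN, RATE_MAX = thresholds(BASELINE)
SINGLE = window(0, {"10.0.0.1": 300})       # flood aimed at one host
MULTI = window(0, {ip: 40 for ip in HOSTS})  # flood spread over all hosts

if __name__ == "__main__":
    for name, w in (("normal", window(2)), ("single", SINGLE), ("multi", MULTI)):
        print(name, round(entropy(w), 4), len(w), classify(w, ENT_MIN, RATE_MAX))
```

The evenly spread flood leaves the entropy at or above its normal level, so only the rate check catches it.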
DDoS detection uses a variety of machine learning techniques. A Random Forest (RF) classifier was used as the classification technique in our investigation. There are numerous software tools available today for detecting DDoS attacks. Malicious traffic, on the other hand, can take many forms. The assailants frequently alter their methods of attack. As a result, it’s critical to draw lessons from past mistakes. Machine learning can help with this. Analyzing traffic with the machine learning algorithm can reveal an attack pattern [13].
Random Forest algorithm for prediction. We can use majority voting to predict the unknown test data after building a forest with the training data.
• Select the test features and use the rules of each randomly created decision tree to predict the result. Save the result as the target.
• Calculate the votes for each predicted target.
• The target with the most votes is declared the final prediction.
The random forest algorithm generates a large number of decision trees, each with its own set of rules based on the input variables. Classification rules can be set automatically. As a result, the dataset is critical in this case. Our datasets must be error-free if we are to get reliable results (Fig. 7).

Fig. 7 Machine learning methodology for attack detection
Finally, the machine learning models are ready to be trained. Figure 8 depicts the training process. The first two steps are to get the input dataset (UCLA) and process it. In other words, columns or features with zero values must be edited or removed based on the data’s importance. In order for the algorithms to process the data, any values containing characters must be converted to numeric. In order to detect an attack, the features that will be useful must first be selected. We then use the random forest algorithm from the scikit-learn library to build the models, which we cross-validate to get better predictions. Finally, we store and use the cross-validated results to build new models.
Figure 9 depicts the testing phase of our proposed system’s machine learning model. Assemble a random forest classifier model in training and feed it the data from the controller every 10 s. To see if you’ve been attacked, run this test. If an attack is discovered, notify authorities and create a log file to document it. If this is the case, go ahead and get more input. Our RF classifier will be built and applied to the training data, after which we will perform tenfold cross-validation to determine the accuracy of the classifier. Scikit-learn is used in our proposed method to create an RF classifier. In order to proceed, we must create decision trees. The number of decision trees generated can have an impact on accuracy. As the number of decision trees grows, so does the accuracy. It is possible to specify the number of decision trees to be generated. For better detection accuracy, we created 100 decision trees in our work with minimal processing overhead.

Fig. 8 Training flow chart
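
The training and testing flow described above (100 trees, tenfold cross-validation, majority voting, a check on each 10 s sample) can be sketched with scikit-learn as follows. This is an added example, not the authors' code: the three features, their distributions and the log format are constructed assumptions standing in for the processed dataset.

```python
import numpy as np
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import cross_val_score

rng = np.random.default_rng(7)


def make_windows(n, attack):
    """Constructed rows: [packet-ins per second, packets per flow, distinct sources]."""
    if attack:
        cols = [rng.normal(900, 150, n), rng.normal(2, 0.5, n), rng.normal(400, 80, n)]
    else:
        cols = [rng.normal(60, 20, n), rng.normal(40, 10, n), rng.normal(25, 8, n)]
    return np.column_stack(cols)


X = np.vstack([make_windows(300, False), make_windows(300, True)])
y = np.array([0] * 300 + [1] * 300)   # 0 = normal, 1 = attack


def train():
    """Build a 100-tree forest and report mean tenfold cross-validation accuracy."""
    clf = RandomForestClassifier(n_estimators=100, random_state=0)
    scores = cross_val_score(clf, X, y, cv=10)
    clf.fit(X, y)
    return clf, float(scores.mean())


def majority_vote(clf, row):
    """Apply every tree's rules to one sample, count the votes, return the winner.

    scikit-learn's own predict() averages per-tree class probabilities;
    counting hard votes here mirrors the three steps listed in the text.
    """
    x = np.asarray([row], dtype=float)
    votes = [int(tree.predict(x)[0]) for tree in clf.estimators_]
    counts = np.bincount(votes, minlength=len(clf.classes_))
    return int(clf.classes_[counts.argmax()]), counts.tolist()


def poll_once(clf, row, log):
    """One testing-phase step: classify a 10 s sample and log it if it is an attack."""
    label, counts = majority_vote(clf, row)
    if label == 1:
        log.append(f"ATTACK votes={counts[1]}/{sum(counts)} features={row}")
    return label == 1


if __name__ == "__main__":
    model, accuracy = train()
    events = []
    for sample in ([50.0, 45.0, 20.0], [1000.0, 2.0, 450.0]):
        print(sample, poll_once(model, sample, events))
    print(round(accuracy, 3), events)
```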

Fig. 9 Testing flow chart

5 Results

The controller programme has been modified to include two machine learning modules: a classifier module that has access to the training dataset and a prediction module that classifies incoming network traffic as attack traffic or not (Fig. 10).
Because a single victim attack is easy to detect, the experiment focuses on attacks on multiple victims. During the simulation, we run two Scapy programmes in parallel. The attacker sends packets at a faster rate than the sender of regular traffic. Our detection system’s performance is evaluated by running a simulation 50 times based on the calculated threshold values. Pattern B attack traffic is generated on four hosts for each run. There are several simulations running at the same time, and they each take about 30 min. Table 1 summarises the False Positive and False Negative results, which were documented.
Based on the values in Table 1, attack traffic can pass through the detection system as normal traffic, which is harmful to the system. The way the thresholds are derived differs significantly between the conventional approach and ours. Figure 11 illustrates the contrast between the basic approach’s accuracy rate and our modified approach’s accuracy rate. Thus, using thresholds derived from mean and standard deviation, we’ve seen an increase in the detection system’s accuracy.
In order to keep the switches from failing, the mitigation module is activated after an attack has been confirmed by our detection system’s Stage II. Figure 12 depicts the results of running the POX controller’s mitigation module to stop the attack traffic. In Fig. 13, the proposed statistical approach to attack detection and mitigation is depicted in full.

Fig. 10 Network setup for proposed methodology

Table 1 Values of FP and FN

FP and FN values
No. of attacks    50
FP                3
FN                1
Accuracy          92%

Fig. 11 Comparison chart for existing and proposed method

Fig. 12 Execution of mitigation

Fig. 13 Mitigation of attack traffic



6 Conclusion

In order to complete a literature review on the use of AI/ML in SD-WAN, the study conducted a case study to show how AI/ML can be used in SD-WAN as a proof-of-concept example. Until recently, AI/ML was restricted to the use of modern machine learning algorithms and techniques. There are many moving parts to detecting and countering a DDoS attack. We began our investigation initially with the goal of enhancing our DDoS detection system. To arrive at various cutoff points, we calculated the mean and standard deviation. A better mitigation method was also introduced to guard against failures on the controller and switches themselves. Despite our best efforts, the detection rate still falls short of our expectations. In order to further improve the detection rate, we proposed an ML strategy. We propose using an RF algorithm with weighted voting to implement our strategy. As a result of our findings, we believe the approach we’ve proposed performs the best overall.

References

1. Vasseur J (2020) Why (and How) machine learning will change (SD)WAN and the internet. English. Presented on 25.11.2020 in the SD-WAN & SASE Virtual Summit
2. Sumantra I, Indira Gandhi S (2020) DDoS attack detection and mitigation in software defined networks. 2020 international conference on system, computation, automation and networking (ICSCAN). pp 1–5. https://doi.org/10.1109/ICSCAN49426.2020.9262408
3. Zhang D, Yu FR, Yang R (2019) Blockchain-based distributed software-defined vehicular networks: a dueling deep Q-learning approach. IEEE Trans Cogn Commun Networking 5(4):1086–1100. https://doi.org/10.1109/TCCN.2019.2944399
4. Zhao Y, Li Y, Zhang X, Geng G, Zhang W, Sun Y (2019) A survey of networking applications applying the software defined networking concept based on machine learning. IEEE Access 7:95397–95417. https://doi.org/10.1109/ACCESS.2019.2928564
5. Rafique W, Qi L, Yaqoob I, Imran M, Rasool RU, Dou W (2020) Complementing IoT services through software defined networking and edge computing: a comprehensive survey. IEEE Commun Surv Tutorials 22(3):1761–1804, third quarter. https://doi.org/10.1109/COMST.2020.2997475
6. Alves RCA, Oliveira DAG, Nunez Segura GA, Margi CB (2019) The cost of software-defining things: a scalability study of software-defined sensor networks. IEEE Access 7:115093–115108. https://doi.org/10.1109/ACCESS.2019.2936127
7. Zhang P et al (2021) Network-wide forwarding anomaly detection and localization in software defined networks. IEEE/ACM Trans Networking 29(1):332–345. https://doi.org/10.1109/TNET.2020.3033588
8. Theodorou T, Mamatas L (2020) A versatile out-of-band software-defined networking solution for the internet of things. IEEE Access 8:103710–103733. https://doi.org/10.1109/ACCESS.2020.2999087
9. Tadros CN, Rizk MRM, Mokhtar BM (2020) Software defined network-based management for enhanced 5G network services. IEEE Access 8:53997–54008. https://doi.org/10.1109/ACCESS.2020.2980392
10. Wang J et al (2019) A software-defined clustering mechanism for underwater acoustic sensor networks. IEEE Access 7:121742–121754. https://doi.org/10.1109/ACCESS.2019.2937832
11. Nkenyereye L, Nkenyereye L, Islam SMR, Kerrache CA, Abdullah-Al-Wadud M, Alamri A (2020) Software defined network-based multi-access edge framework for vehicular networks. IEEE Access 8:4220–4234. https://doi.org/10.1109/ACCESS.2019.2962903
12. Garrich M, Moreno-Muro F, Bueno Delgado M, Pavón Mariño P (1 Jan 2019) Open-source network optimization software in the open SDN/NFV transport ecosystem. J Lightwave Technol 37(1):75–88. https://doi.org/10.1109/JLT.2018.2869242
13. Qureshi KI, Wang L, Sun L, Zhu C, Shu L (2020) A review on design and implementation of software-defined WLANs. IEEE Syst J 14(2):2601–2614. https://doi.org/10.1109/JSYST.2019.2960400
