Flow-based intrusion detection on software-defined networks: a multivariate time series anomaly detection approach

In this study, we present and implement the SAnDet (SDN anomaly detector) architecture, an anomaly-based intrusion detection system designed as a controller application that takes advantage of the capabilities offered by the software-defined networking (SDN) architecture. The SAnDet system is composed of three modules: statistics collection, anomaly detection, and anomaly prevention. In particular, we use replicator neural networks (RNN), a specialized variant of the autoencoder, and the LSTM-based encoder-decoder (EncDecAD) method, a type of long short-term memory (LSTM) network that has shown strong performance on sequential data, to identify unknown attacks using flow features collected from OpenFlow switches. In our experiments, we use flow-based features extracted from network traffic data containing various types of attacks as input to our models in the form of time series. We evaluate the performance of our methods using the accuracy and area under the receiver operating characteristic curve (AUC) metrics. Our experimental results demonstrate that EncDecAD outperforms RNN and that our approach offers several benefits over previously conducted research.

transmitted to the central controller. On the controller, applications can be run to analyze and correlate the feedback gathered across the entire network. New or updated security policies can then be deployed to the network components in the form of flow rules based on the results of the analysis. This unified approach can effectively accelerate the response to security threats and protect the network against them [4]. Intrusion detection and intrusion prevention or mitigation methods can be implemented as OpF security applications.
The major contributions of the study are summarized as follows:
• This study focuses on the detection of network attacks from flow-based features using an anomaly-based approach in SDN environments. More specifically, the SAnDet (SDN anomaly detector) architecture, which is designed to detect intrusions by taking advantage of the facilities offered by the SDN architecture, is presented and implemented as a controller application. A detailed description of SAnDet and its three main modules, the statistics collector, the anomaly detector, and anomaly prevention, is given.
• The anomaly detectors, replicator neural networks (RNN) and the long short-term memory (LSTM)-based encoder-decoder (EncDecAD), are built using a semi-supervised learning approach. In addition, unlike other studies, this one uses deep learning techniques to detect intrusions by feeding flow-based data as a multivariate time series.
• Based on the area under the receiver operating characteristic curve (AUC) and accuracy findings, it is shown that EncDecAD-based anomaly detection outperforms RNN. Furthermore, this study is shown to have several advantages over previous research.
The remainder of this article is organized as follows. In the subsequent section, we review the existing literature on flow-based attack detection in SDN environments. The third section presents the theoretical foundations of our research methodologies. The fourth section outlines the experimental methods and presents the results of our study. Finally, in the last section, we offer concluding remarks and suggest potential directions for future works.

Related works
The goal of the anomaly detection technique is to create a statistical model that characterizes typical traffic patterns [7]. Any deviation from this pattern is then counted as an anomaly and identified as an attack. Several studies have investigated the effectiveness of anomaly-based attack detection in SDN environments. In this section, the studies in the literature are summarized in five categories, following the taxonomy of Jafarian et al. [7]: flow-count-based schemes, information theory-based schemes, entropy-based schemes, deep learning-based schemes, and hybrid schemes. A more in-depth look at studies on anomaly-based intrusion detection in SDN networks can be found in [8] and [7].
In flow-counting-based anomaly detection methods, traffic flows in the network are first obtained and aggregated according to a subnet prefix. Although this process brings extra load to the system, it accurately detects abnormal conditions in the network [7]. Zhang et al. [9] suggested a prediction-based scheme that dynamically alters the level of detail of the measurement across both spatial and temporal dimensions to better balance monitoring overhead against anomaly detection accuracy. Ha et al. [10] provide a traffic sampling strategy for an intrusion detection system capable of operating on large-scale SDN networks; it maximizes the use of the control capacity on malicious traffic while keeping the overall aggregate volume of sampled traffic below the control computing capacity. Granby et al. [11] designed SDNPANDA, a plug-in software package to identify anomalies in a software-defined data center. For Denial of Service (DoS) attacks, Hommes et al. [12] investigate the flow table saturation problem of OpF switches. Attack events are determined in the study by assessing the variation in the network's logical topology for various attack kinds and measuring the distance requirements on a table. Using traffic analysis of packet flows, Carvalho et al. [13] demonstrate a real-time anomaly detection and prevention system in SDN. A digital signature of the flows acquired using the OpF protocol is created by profiling normal traffic behavior. The current traffic is compared to the previously developed traffic profile to identify any suspicious traffic events that deviate from the expected behavior; in the event of an attack, the prevention action and its results are reported for verification. He et al. [14] present an anomaly detection scheme in SDN that selects the required features of the data set and uses a density peak-based clustering algorithm. Carvalho et al. [15] present an ecosystem based on SDN to proactively identify anomalies by scanning the network traffic. Peng et al. [16] propose a preprocessing module that normalizes the flow property vectors to detect distributed DoS (DDoS) attacks in SDN based on central control, as well as a scheme that processes these vectors and detects anomalies using the KNN method.
Information theory methods are based on the assumption that an anomaly in traffic causes a change in the information content of the traffic data sets. Mehdi et al. [17] focus on traffic anomaly detection in SDN environments; multiple anomaly detection algorithms have been experimentally tested in SOHO environments to verify their applicability. The study provides experimental results on the efficiency of the TRW-CB [18], rate-limiting [19], maximum entropy detector [20] and NETAD [21] intrusion detection algorithms, at low network traffic rates only. Dotcenko et al. [6] proposed a method that uses fuzzy logic together with a mechanism for analyzing network traffic to classify it into attack traffic and normal traffic. Kokila et al. [22] conducted a study examining different machine learning techniques for identifying DDoS attacks in SDN environments and their performance in intrusion detection. In SDN networks, Sathya and Thangarajan [23] investigate gathering data and applying the Decision Tree approach for anomaly detection using the NSL-KDD data set rather than the intended properties of the network traffic.
Entropy-based anomaly detection algorithms have proven beneficial in determining the randomness of a data set, particularly in spotting network anomalies [7,24]. Wang et al. [25] proposed a method that could be applied to the low-layer switches of SDNs, such as Open vSwitch, to detect low-throughput DDoS flooding attacks based on the entropy level. Giotis et al. [26], on the other hand, offer a scalable and effective mechanism for anomaly detection and mitigation in SDN architectures. Unlike the study in [17], this work uses sFlow [27] monitoring data instead of OpF statistics, which reduces the controller's processing load and therefore works at higher line speeds, and reports experimental results accordingly. In addition, when an anomaly is detected, it is shown that the network anomaly is successfully reduced (mitigated) by modifying the flow tables using the OpF protocol. Also, when the sampled statistical data are given as input to the anomaly detection algorithm, the anomaly detection rate is seen to be lower than in [17]. Francois and Festor [28] have the SDN controller capture the flow entries of each device, such as switches, for anomaly detection in SDN. After the attack has been identified and the characteristics of the attack packets have been discovered, monitoring is undertaken on the switch where the attack was detected, relying on the advantages offered by the controller.
Deep learning methods include knowledge-based learning algorithms, and the keywords for deep learning are unsupervised machine learning, multilayer learning, and artificial intelligence [29]. The deep learning structure also has a strong capability for adaptation in SDNs, in terms of its features and its ability to learn from the process data on its own [30]. Dey and Rahman [30] propose a network breach detection system based on deep learning for SDN environments. They used the ANOVA F-Test and the REF feature selection scheme to show that the Gated Recurrent Unit LSTM is the best classifier based on several performance assessment metrics. Three components are proposed by Niyaz et al. [31] for a DDoS detection system for SDN environments; a deep learning method is used in the proposed system for feature selection and traffic regulation. A deep learning-based solution for flow-based anomaly identification in SDN is proposed by Tang et al. [32]. To detect suspicious flows in SDN, Garg et al. [33] suggest an anomaly detection method based on a hybrid, real-time constrained Boltzmann machine and a gradient decay-based SVM (Support Vector Machine). For SDN-based 5G networks, Li et al. [34] propose an intelligent hybrid intrusion detection system (IDS); in the suggested system, the k-means algorithm was used for flow classification in addition to the Random Forest (RF) method for feature selection. Yang et al. [35] propose Griffin, a network IDS (NIDS) for SDN that uses unsupervised machine learning to detect known and zero-day intrusion attacks in real time with high accuracy, utilizing an ensemble autoencoder (AE) for feature extraction and cluster analysis for scale reduction.
Using a hybrid deep learning approach that combines a convolutional neural network (CNN) and an extreme learning machine (ELM) for anomaly detection, IP traceback for attacker localization, and flow rule-based traffic filtering for attack detection and mitigation, Wang and Wang [36] present the design and implementation of an online attack detection and mitigation system for securing SDN against DDoS attacks. Isa and Mhamdi [37] propose a hybrid deep AE model with an RF classifier that exhibits high performance in identifying intrusions in a native SDN environment, obtaining an average AUC of 0.9 and an accuracy of 98%.
In addition to all the aforementioned methods, hybrid schemes have been proposed in the literature for anomaly-based violation detection in SDN networks. For SDN, Santos Da Silvo et al. [38] propose anomaly detection and traffic classification based on machine learning techniques: anomaly detection is the lightweight phase, based on entropy analysis with low computational cost, to instantly detect possibly malicious flows, and classification is the heavyweight phase, using SVM to categorize such flows according to their abnormal behavior. Pang et al. [39] propose FADE, a new high-throughput and highly accurate anomaly detection scheme for SDN. FADE generates a few custom flow rules on the flows under examination to measure their statistics precisely, and controls the loading and timeout of these reserved flow rules. Cui et al. [40] propose a scheme with four modules to counter DDoS in SDN: attack detection trigger, attack detection, traceback, and attack prevention. In the study conducted by Braga et al. [41], the forwarding plane of the network device is managed using OpF and flow statistics are collected, focusing only on Distributed Denial of Service (DDoS) attacks on the data plane; the performance analysis presented is restricted to the suggested attack detection method and does not cover the performance of the entire system. The method used for attack detection is self-organizing maps (SOM), a type of unsupervised artificial neural network, which employs traffic flow statistics as input parameters. Alzahrani and Alenazi [42] demonstrate the use of tree-based machine learning methods, such as XGBoost, decision tree, and RF, for identifying various types of attacks in SDN as part of a NIDS, utilizing the NSL-KDD dataset and advanced preprocessing techniques to achieve a multi-class classification accuracy of 95.95%.

Theoretical background
In this section, we delve into the fundamental components of SDN architecture and how it addresses the challenges inherent in traditional networks. Furthermore, we provide theoretical details of the RNN and EncDecAD anomaly detection methods.

Software-defined networking
As stated by the Open Networking Foundation (ONF) [43], SDN is a new architecture that separates network forwarding and control tasks. This allows network control to be directly programmable and the underlying infrastructure to be abstracted for network services and applications. Infrastructure devices operate as simple forwarding engines in this architecture, handling incoming packets according to rules that are produced on the fly by a controller in the control layer along with the pre-described program logic. The controller typically executes on a remote machine and communicates with the forwarding elements over a secure link using a few standardized commands. For SDN, ONF offers a high-level architecture [44] that is divided vertically into three main layers: (i) the infrastructure layer, which consists of forwarding elements, including physical and virtual switches, that can be accessed through an open interface; (ii) the control layer, composed of a collection of software-based SDN controllers that provide unified control capabilities via open APIs for handling forwarding behavior, where controllers communicate through three communication interfaces: southbound, northbound, and east/westbound; (iii) the application layer, which mainly comprises end-user applications that make use of SDN communication and network services. The main parts of this architecture, the control layer, application layer, infrastructure layer, and the communication interfaces between these three layers, are shown in detail in Fig. 1.
Through three open interfaces, the SDN controller communicates with these layers: (a) The southbound interface enables communication between the controller and the forwarding components of the infrastructure layer. The OpF protocol, which is managed by ONF, is an essential element for building SDN solutions according to ONF and can be seen as a promising implementation of such an interface. (b) The northbound interface makes the controllers programmable by exposing the controllers' universal network abstraction and other features for use by programs at the application layer. Rather than a protocol, it is viewed as a software API that enables the programming and management of the network. While there is no standardization effort for it, many vendors offer REST-based APIs that give applications a programming interface to their controllers. (c) The east/westbound interface, considered a communication interface, is not backed by a recognized standard yet. It is primarily intended to allow inter-controller communication to synchronize state for high availability.
Forwarding elements (usually switches) must support a southbound API to be useful in the SDN architecture. OpF switches come in two types: software-based (e.g., Open vSwitch) and hardware-based implementations. Software switches are generally well designed and contain all the features; however, even the latest implementations suffer from being slow. Hardware-based OpF switches are usually implemented as ASICs. Although they offer line-speed forwarding for a large number of ports, unlike software implementations they lack flexibility and feature completeness.
The OpF-enabled switch can be divided into three main elements [46]: the data path, the control path, and the OpF protocol. (a) The data path contains one or more flow tables and group tables that look up and forward packets. A flow table consists of flow entries associated with actions that tell the switch how to handle the flow. Flow tables are often populated by the controller and enable the controller to specify alternative ways of forwarding flows [45]. (b) The control path is the channel that connects the switch to the controller in programming terms; the OpF protocol is used to exchange commands and packets across this channel. (c) The OpF protocol is responsible for interconnecting switches and controllers. It may include information about messages exchanged, packets sent and received, statistics collected, and actions to be executed on certain flows.
A flow table entry in an OpF-enabled switch consists of several fields and can be organized as follows: a. Matching fields are used to identify network packets based on their 15-tuple packet header, ingress port, and optional packet metadata.
OpF messages can be grouped into three main categories [45]: controller-to-switch, asynchronous, and symmetric. Controller-to-switch messages are initiated by the controller and used to monitor the state of the switches. A switch can initiate asynchronous messages to notify the controller of network events and of changes to the switch's state. Finally, symmetric
The controller stands at the heart of SDN networks, connecting applications and network devices. The SDN controller is responsible for managing all network flows by loading flow entries into the switch devices. There are two distinct forms of flow configuration: proactive and reactive. Proactive configuration preloads the flow rules into the flow tables, so the flow setup procedure is completed before the first packet of a flow reaches the OpF switch. The primary advantage of a proactive setup is that it reduces the frequency with which the controller is contacted, resulting in a small installation delay; however, it has the potential to overload switch flow tables. In the reactive mode, the controller adds a flow rule to the flow table only when no entry exists, which occurs when the first packet of a flow arrives at the OpF switch. As a result, communication between the controller and the switch is initiated by a single packet. After a specified period of inactivity, these flow entries expire and are erased from the table. To respond to the flow setup request, the controller first evaluates the flow against the application's policies and then determines the necessary steps to execute. Following that, it determines a route for this flow and loads new flow entries by issuing requests to each switch along that path.
Transferring information between switches and controllers provides an overview of switch traffic. There are two ways for a switch to provide statistics to the controller: pull-based and push-based flow monitoring. In the pull-based approach, the controller accumulates counters for the numerous flows that fit a specified flow specification. This technique can optionally generate a report that includes all flows matching a wildcard specification. While this minimizes switch-to-controller traffic, it leaves the controller unable to learn about the behavior of other flows. The pull-based strategy requires the interval between controller requests to be tuned, as it can impair the scalability and reliability of functions that depend on statistics collection. In the push-based approach, statistics are delivered to the controller by each switch to alert it of certain occurrences, such as the creation of a new flow, a timeout, or the deletion of a table entry due to inactivity. Before the entry timeout, this procedure does not notify the controller about the flow's behavior (which makes it unsuitable for scheduling).

RNN-based anomaly detection
RNNs are neural networks that are specific instances of AEs [47], originally proposed as a compression technique [48]. The first study to propose their use as an anomaly detection technique is that of Hawkins et al. [49]. Typically, in multilayer neural networks input vectors are mapped to target output vectors; an RNN, however, uses the input vectors themselves as the target output vectors. In other words, the RNN reproduces the input values at its output. The RNN's weights are chosen so that the mean squared error is as small as possible. As a result, while typical patterns are likely to be replicated successfully by the trained RNN, patterns characterizing outliers are represented less accurately and have a greater error. The degree to which a record is an outlier is therefore quantified by its reconstruction error.
Cordero et al. propose an approach that uses an RNN to identify anomalies in network flows [50]. In this method, an RNN [49] is used primarily to create a model that represents normal network flows. While it has been demonstrated that the original RNN can be reduced to three layers [51], using the original five layers with the dropout regularization technique [52] produces superior results and avoids overfitting.
Each layer in an RNN is fully connected to the next. The activation function of layers 2 and 4 is the nonlinear hyperbolic tangent. The output layer's activation function is linear (the identity). The sole distinction between the original RNN and the one used in [50] lies in the middle layer's activation function (layer 3). The original RNN makes use of a stepwise activation function that, in theory, aims to reduce the dimensionality of the input data by clustering data samples [49]. While the stepwise activation function possesses intriguing theoretical properties, backpropagation approaches based on gradient descent do not work adequately with it [50]: because the gradient of a stepwise function is nearly zero almost everywhere, the learning process stalls. Instead of this activation function, [50] employs the sigmoid activation function, which has been shown to be effective as an intermediate activation function for RNNs [53].
The features extracted from different network flows are used to build RNN models. Depending on the tools used, many different features can be extracted from the network for training. The number of input neurons equals the number of selected features. At each training step, the RNN is fed the extracted flow features as input. A validation set is used to assess how well the learned model generalizes. After training, the RNN serves as the model of normal behavior and is used to compute anomaly scores (ASs). ASs that exceed a predetermined threshold are considered abnormal. Let $x$ be the input of an RNN. The reconstruction of $x$ is represented by the vector $\hat{x}$, and the vector $\varepsilon$ holds the element-wise errors of the reconstruction. The weights of the neural network are updated by backpropagation with a gradient descent technique such as stochastic gradient descent (SGD). In the learning process, the loss function being minimized is formulated in Eq. 1.
The network aims to reach a combination of weights such that $\hat{x} \approx x$ and $\varepsilon \approx 0$, since the purpose of backpropagation with gradient descent is to minimize $L$. Noise is added throughout the network by randomly dropping units in each learning iteration with the dropout method [52], to avoid learning the trivial identity solution $f(x) = x$. The residual value determines how anomalous a set of features is. The AS of the set of flow features $x$ is defined in Eq. 2.
To determine whether the network flow $x$ is an anomaly or not, a threshold is selected to decide whether the AS is too high for the flow to be counted as normal. The threshold is set to the highest reconstruction error $E$ found during training after the elimination of the outliers.

LSTM-based encoder-decoder for anomaly detection
LSTM networks [54] are recurrent models used for a variety of learning tasks such as handwriting recognition, speech recognition, and emotion analysis. To map an input sequence to a vector representation of constant dimensionality, an LSTM-based encoder is used. The decoder is another LSTM network that generates the desired sequence using this vector representation.
Malhotra et al. [55] suggest an LSTM-based encoder-decoder (EncDecAD) scheme for time series anomaly detection. In this architecture, the encoder generates a vector representation of the input time series, which the decoder uses to reproduce it. The EncDecAD is trained to recreate samples of ''normal'' time series, using the input time series as the target output. Following that, the reconstruction error is used to determine the probability of an anomaly occurring at a given point. It is demonstrated that an encoder-decoder model trained solely on normal sequences can detect anomalies in multivariate time series. The reasoning is that the encoder-decoder has only seen and learned normal examples during the training phase, so given an abnormal sequence, the trained model fails to reproduce it well, resulting in higher reconstruction errors than those of normal sequences.
The EncDecAD approach is expressed mathematically as follows. Given a time series $X = \{x^{(1)}, x^{(2)}, \ldots, x^{(L)}\}$ of length $L$, each point $x^{(i)} \in \mathbb{R}^m$ is an $m$-dimensional vector of readings for $m$ variables at time $t_i$. The case is considered where such time series are available or can be obtained by selecting a window of length $L$ over a longer time series. The EncDecAD model is trained to reconstruct the normal time series. The reconstruction errors are then used to determine the likelihood of a point in a test time series being anomalous, producing an anomaly score $a^{(i)}$ for each point $x^{(i)}$. A greater anomaly score indicates that the point is more likely to be abnormal.
To reconstruct examples of normal time series, an LSTM encoder-decoder is trained. The LSTM encoder approximates the input time series with a fixed-length vector representation. Using the current hidden state and the value calculated by the LSTM decoder at the previous time step, this representation is used to reconstruct the time series.
The input $x^{(i)}$ is used to obtain the state $h$
The normal time series are subdivided into four sets, $s_N$, $v_{N1}$, $v_{N2}$ and $t_N$, and the anomalous time series into two sets, $v_A$ and $t_A$. The LSTM encoder-decoder reconstruction model is trained on the set of sequences $s_N$, and the set $v_{N1}$ is used for early stopping during training. The reconstruction error vector for $t_i$ is computed as $e^{(i)} = |x^{(i)} - x'^{(i)}|$. The parameters $\mu$ and $\Sigma$ of a normal distribution $\mathcal{N}(\mu, \Sigma)$ are estimated by maximum likelihood from the error vectors of the points in the sequences of $v_{N1}$. The anomaly score of any point $x^{(i)}$ is then $a^{(i)} = (e^{(i)} - \mu)^T \Sigma^{-1} (e^{(i)} - \mu)$. In a supervised approach, a point in a sequence is predicted to be ''anomalous'' if $a^{(i)}$ is greater than the threshold $\tau$, and ''normal'' otherwise. If sufficient anomalous sequences are present, a threshold $\tau$ over the probability values is learned to optimize $F_\beta$, where $R$ is recall and $P$ is precision. Here, ''normal'' refers to the negative class, while ''anomalous'' refers to the positive class. If a window contains an anomalous pattern, the entire window is marked as ''anomalous''. This method is particularly advantageous in a variety of practical applications where the precise location of the anomaly is unknown. On the validation sequences in $v_{N2}$ and $v_A$, the parameters $\tau$ and $c$ are chosen to maximize $F_\beta$.
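As an added example that is not the paper's code, the scoring and threshold-selection steps just described, in plain Python: error vectors $e^{(i)} = |x^{(i)} - x'^{(i)}|$, maximum-likelihood $\mu$ and $\Sigma$ from the $v_{N1}$ errors, the score $a^{(i)} = (e^{(i)} - \mu)^T \Sigma^{-1} (e^{(i)} - \mu)$, and a threshold $\tau$ chosen on $v_{N2}$ and $v_A$ by maximizing $F_\beta$, with a window flagged when its worst point exceeds $\tau$ (an assumption consistent with the window-level labelling above). The LSTM encoder-decoder itself is not trained: the reconstructions $x'$ and all windows are constructed stand-ins, and the $F_\beta$ formula is the standard one, which the page does not reproduce.

```python
from typing import Dict, List, Sequence, Tuple

Point = List[float]
Window = List[Point]


def error_vectors(x: Window, x_rec: Window) -> List[Point]:
    """e(i) = |x(i) - x'(i)| for every point of a window."""
    return [[abs(a - b) for a, b in zip(p, r)] for p, r in zip(x, x_rec)]


def fit_gaussian(errors: Sequence[Point]) -> Tuple[Point, List[Point]]:
    """Maximum-likelihood mu and Sigma of N(mu, Sigma) over the error vectors."""
    n, m = len(errors), len(errors[0])
    mu = [sum(e[j] for e in errors) / n for j in range(m)]
    sigma = [[sum((e[j] - mu[j]) * (e[k] - mu[k]) for e in errors) / n
              for k in range(m)] for j in range(m)]
    return mu, sigma


def invert(a: List[Point]) -> List[Point]:
    """Gauss-Jordan inverse of a small square matrix, used for Sigma^-1."""
    n = len(a)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)]
           for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))  # partial pivoting
        aug[c], aug[p] = aug[p], aug[c]
        pivot = aug[c][c]
        if abs(pivot) < 1e-12:
            raise ValueError("singular covariance: fit on more v_N1 windows")
        aug[c] = [v / pivot for v in aug[c]]
        for r in range(n):
            if r != c:
                f = aug[r][c]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def anomaly_score(e: Point, mu: Point, sigma_inv: List[Point]) -> float:
    """a(i) = (e - mu)^T Sigma^-1 (e - mu)."""
    d = [ei - mi for ei, mi in zip(e, mu)]
    m = len(d)
    return sum(d[j] * sigma_inv[j][k] * d[k] for j in range(m) for k in range(m))


def window_score(x: Window, x_rec: Window, mu: Point, sigma_inv: List[Point]) -> float:
    """A window counts as anomalous if any point is, so score it by its worst point."""
    return max(anomaly_score(e, mu, sigma_inv) for e in error_vectors(x, x_rec))


def f_beta(tp: int, fp: int, fn: int, beta: float) -> float:
    """Standard F_beta from precision P and recall R; 'anomalous' is the positive class."""
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    return 0.0 if p == 0.0 and r == 0.0 else (1 + beta ** 2) * p * r / (beta ** 2 * p + r)


def learn_threshold(scores: Sequence[float], labels: Sequence[bool],
                    beta: float) -> Tuple[float, float]:
    """Pick tau among the observed scores maximizing F_beta (score > tau => anomalous)."""
    best_tau, best_f = float("inf"), -1.0
    for cand in sorted(set(scores)):
        tp = sum(1 for s, lab in zip(scores, labels) if lab and s > cand)
        fp = sum(1 for s, lab in zip(scores, labels) if not lab and s > cand)
        fn = sum(1 for s, lab in zip(scores, labels) if lab and s <= cand)
        f = f_beta(tp, fp, fn, beta)
        if f > best_f:
            best_tau, best_f = cand, f
    return best_tau, best_f


# Constructed data, not from the paper: (x, x') pairs of L = 2 points with m = 2
# features, where x' stands in for the output of a trained encoder-decoder.
V_N1 = [  # normal; used only to fit N(mu, Sigma)
    ([[1.0, 2.0], [1.5, 2.5]], [[0.9, 2.2], [1.2, 2.6]]),
    ([[3.0, 1.0], [3.5, 1.5]], [[2.8, 0.7], [3.5, 1.3]]),
    ([[2.0, 2.0], [2.5, 2.0]], [[1.6, 1.8], [2.3, 2.2]]),
]
V_N2 = [  # normal validation windows
    ([[1.0, 2.0], [1.5, 2.5]], [[0.8, 1.7], [1.4, 2.3]]),
    ([[1.0, 2.0], [1.5, 2.5]], [[0.8, 1.7], [1.2, 2.7]]),
]
V_A = [  # anomalous validation windows: one point reconstructs badly
    ([[1.0, 2.0], [1.5, 2.5]], [[0.8, 1.8], [2.7, 2.3]]),
    ([[1.0, 2.0], [1.5, 2.5]], [[1.2, 2.8], [1.3, 2.3]]),
]
T_N = [([[1.0, 2.0], [1.5, 2.5]], [[0.9, 1.8], [1.8, 2.3]])]  # held-out normal
T_A = [([[1.0, 2.0], [1.5, 2.5]], [[1.2, 1.8], [3.5, 2.3]])]  # held-out anomalous


def run_pipeline(beta: float = 1.0) -> Dict[str, object]:
    """Fit on v_N1, learn tau on v_N2 + v_A, then classify the held-out windows."""
    errs = [e for x, r in V_N1 for e in error_vectors(x, r)]
    mu, sigma = fit_gaussian(errs)
    sigma_inv = invert(sigma)
    val = [(window_score(x, r, mu, sigma_inv), lab)
           for lab, group in ((False, V_N2), (True, V_A)) for x, r in group]
    tau, f = learn_threshold([s for s, _ in val], [lab for _, lab in val], beta)
    return {"mu": mu, "sigma": sigma, "tau": tau, "f_beta": f,
            "test_normal_flagged": [window_score(x, r, mu, sigma_inv) > tau for x, r in T_N],
            "test_anomalous_flagged": [window_score(x, r, mu, sigma_inv) > tau for x, r in T_A]}
```

With only three normal windows the covariance estimate is crude; in practice $v_{N1}$ should contain enough points that $\Sigma$ is well conditioned, which is what the singular-matrix check guards against.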

Evaluation metrics
The proposed approach should be validated using a relevant metric. The binary classification results can be classified into four categories [56]:
Accuracy: This metric is expressed as the proportion of correct predictions to total instances.
True positive rate (TPR): This metric is equivalent to the proportion of all ''correctly identified instances'' to all ''examples that should be identified''.
False positive rate (FPR): This metric denotes the proportion of the ''number of misclassified negative instances'' to the ''total number of negative instances''.
Receiver operating characteristics (ROC): In the case of a class imbalance problem in the dataset, the ROC curve [58] is used as a standard criterion for testing classifiers [60]. When faced with class imbalance, the area under the receiver operating characteristic curve (AUC) metric is frequently used as a de facto criterion for evaluating the effectiveness of classifiers. After sorting by classification probabilities, the AUC gives how frequently a random instance of the positive class ranks higher than a random instance of the negative class.

Anomaly-based intrusion detection system for SDN
Some principles should be taken into consideration in SAnDet, which is designed to work in SDN environments and to actively use the opportunities offered by this architecture. In the design of SAnDet, the following key principles were considered, taking into account the potential offered by OpF in addition to a few principles determined by Giotis et al. [26]:
a. Separating data collection, anomaly detection, and prevention (mitigation) with a modular design.
b. Compatibility with OpF-enabled Layer 2 and Layer 3 devices.
c. Fast anomaly detection and prevention (mitigation) in real-time environments using separate data and control planes.
d. Utilizing OpF's capabilities for gathering statistics and mitigating attacks.
The proposed approach is based on a set of 12-tuple flow definitions associated with four specific variables that are usually included in a flow entry of an OpF switch. These variables are: (i) an action rule specifying how to forward any packet that matches its associated flow entry; (ii) a soft timeout after which the flow entry is invalidated, counted from the final packet match; (iii) the number of packets that have matched the flow since the flow entry was installed; and (iv) a priority assigned to each flow entry, which determines the flow rule applied when a packet matches more than one entry.
SAnDet's architecture consists of three main modules, as illustrated in Fig. 5 [26]:
- Statistics Collector Module: The collector module is in charge of collecting the data necessary for flow-based anomaly detection. This module collects flow data periodically and passes it to the Anomaly Detection module. Two distinct data collection strategies have been described in the literature. The first is the OpF approach, which works by periodically querying the switch and accumulating the incoming responses. The second is a flow monitoring mechanism that makes use of packet sampling; Giotis et al. use sFlow, which is vendor-independent [26].
- Anomaly Detection Module: At specified periodic time intervals, the collection module sends data to the Anomaly Detection module. A ten-second time slot is used. Giotis et al. [26] utilized an entropy-based algorithm, and noted that this module can be used with any statistical, machine learning-based, or data mining-based anomaly detection technique.
- Mitigation Module: The anomaly prevention module attempts to mitigate identified attacks or breaches by adding (or modifying) flow entries in the OpF switch's flow table in order to block the targeted malicious traffic [26]. These flow entries have a higher priority than other flows in the flow

Data collection and feature extraction
The OpF approach uses the OpF protocol to collect flow statistics from the switches. As required by the OpF protocol, the controller issues periodic flow statistics requests, which are answered with the relevant counters for all flow entries in the OpF switch [26]. The switches' flow counters are updated only when a packet being forwarded matches an entry in the flow table. As a result, the gathering of flow statistics in a native OpF environment is inextricably linked to the controller's packet forwarding mechanism [26]. In our scenario, where the forwarding logic is dictated by the anomaly detection strategy, layer 3 and layer 4 protocol fields are used. As a result, the entries required in the flow table are reduced to a single entry per flow: one flow entry is formed by evaluating the forward and backward directions based on the source IP, source port, destination IP, destination port, and protocol fields. The remaining fields of the flow entries contain wildcards, which match any value. When a flow entry is deleted from the switch, the OpF approach sends a FlowRemoved message to the controller carrying this information together with other data, such as the counter values of the flow entry. Statistics can also be gathered when a switch responds (FlowStatsReply) to a flow statistics request (a FlowStatsRequest message querying the switch for flow statistics) from the associated OpF controller. By using these two messages together, data collection for the flow entries can be accomplished [61]. Every newly arriving packet is first added to the flow table by the controller. The resulting flow entries are programmed to send a message when they are deleted after a certain time, and the controller waits for these messages. If such messages are received from all entries in the table within the period, it is assumed that all flow statistics have been obtained, and the data are transferred to the detection algorithm.
If no deletion message has been received from at least one flow entry, a statistics collection message is sent to the OpF switch and a response message is awaited. The algorithm of this approach is given in Fig. 6. In response, the switch returns large portions of the flow table's content; each response includes a subset of the flow entries together with the packet counters of each flow. The anomaly detection algorithm, however, needs only the counter values produced by the query, namely the number of packets matching each flow entry within a given time window, whereas the packet counters in the flow table records hold the total number of packets since each rule was instantiated. Therefore, to find the number of packets corresponding to the specified time window, a record of the flow table's state for the previous time windows must be kept and compared with the current data for each flow entry. Because the OpF data collection process involves no sampling, it can collect and analyze in great detail all the network traffic passing through the switch [26]. As a result, this approach has proven effective for monitoring networks with low to medium traffic volumes [41]. The derived features in Table 1 are also calculated for the paired flow (the corresponding pair of a flow) and added separately to the data set. In Table 1, P, B, n, and D denote the number of packets, the number of bytes, the number of flows, and the active duration, respectively.
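The counter bookkeeping described above, as an added example that is not the paper's code: FlowStatsReply and FlowRemoved messages are modelled as constructed tuples, the collector keeps the previous window's cumulative counters, and closing a window yields per-flow packet and byte counts for that window only. The class and method names are assumptions; the point is that switch counters are cumulative since install, so a window's traffic is the difference between two snapshots, and an entry that expired and was re-installed must restart from zero rather than produce a negative delta.

```python
"""Per-window flow counts from cumulative OpenFlow counters (added example, not the paper's code).

FlowStatsReply and FlowRemoved are modelled as plain tuples built in this file; a
real controller delivers protocol objects, but the bookkeeping is the same:
switch counters are cumulative since the entry was installed, so the traffic of
one window is the difference between two snapshots.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


@dataclass
class Counters:
    packets: int     # cumulative packets matched since install
    bytes: int       # cumulative bytes matched since install
    duration: float  # seconds since install


class WindowCollector:
    """Collects cumulative counters during a window and emits per-window deltas."""

    def __init__(self):
        self.prev = {}        # FlowKey -> Counters at the end of the previous window
        self.current = {}     # FlowKey -> latest Counters seen in this window
        self.removed = set()  # keys whose FlowRemoved arrived in this window

    def on_stats_reply(self, entries):
        """FlowStatsReply: iterable of (FlowKey, packets, bytes, duration)."""
        for key, pk, by, dur in entries:
            self.current[key] = Counters(pk, by, dur)

    def on_flow_removed(self, key, pk, by, dur):
        """FlowRemoved carries the entry's final counters; keep them, then forget the entry."""
        self.current[key] = Counters(pk, by, dur)
        self.removed.add(key)

    def pending(self, installed):
        """Installed entries with no FlowRemoved yet. If this is non-empty at the
        end of the period, a FlowStatsRequest is needed before closing the window."""
        return {k for k in installed if k not in self.removed}

    def close_window(self):
        """Return {FlowKey: (packets, bytes, duration)} for this window only."""
        deltas = {}
        for key, now in self.current.items():
            base = self.prev.get(key)
            # No baseline, or counters below the baseline: the entry was
            # (re)installed during this window, so its counters are the delta.
            if base is None or now.packets < base.packets or now.bytes < base.bytes:
                deltas[key] = (now.packets, now.bytes, now.duration)
            else:
                deltas[key] = (now.packets - base.packets,
                               now.bytes - base.bytes,
                               now.duration - base.duration)
        # Removed entries are dropped so a later re-install starts from zero.
        self.prev = {k: c for k, c in self.current.items() if k not in self.removed}
        self.current, self.removed = {}, set()
        return deltas
```

The `pending()` check is the branch in the text where a statistics request is sent only for entries that have not yet reported; the re-install guard in `close_window()` is the caveat a practitioner hits first in practice, since an idle timeout of 3 s means many entries expire and come back within a 10 s window.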

Attack detection and prevention
A method should be developed that takes the features extracted from the flows as input and detects whether there is an attack on the network. Deep learning-based methods, which have recently become popular and have contributed significantly to the solution of many problems, were chosen as the detection method, and their performance was examined. In the SAnDet architecture, the focus is on anomaly-based techniques, which are capable of detecting both known and zero-day attacks. Among deep learning methods, RNN and EncDecAD have successfully detected anomalies in data sets according to studies in the literature.
In addition to the flow statistics collected from the network, the features derived from them are given as input to these two methods and the detection performances are calculated according to certain evaluation criteria. Although AUC is recommended to be used as a criterion in the evaluation of anomaly-based methods, some state that accuracy criteria should also be taken into account in data sets with imbalanced class distribution [60]. In the event of an attack being detected through the employed detection method, a corresponding flow entry will be written onto the switch to mitigate the attack. The algorithm for preventing intrusions is depicted in Fig. 7.
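The prevention step described above and in the Mitigation Module of Fig. 5, as an added example that is not the paper's code: building the blocking flow entry that the Anomaly Prevention module would write to the switch once a flow is flagged. The JSON field names follow Floodlight's Static Flow Pusher REST API as I know it for Floodlight v1.x and are an assumption to check against your controller version; the switch DPID and addresses are constructed placeholders.

```python
"""Build a blocking flow entry for Floodlight's Static Flow Pusher (added example).

Not the paper's code. The JSON field names are those of the Static Flow Pusher
REST API as I know it for Floodlight v1.x; treat them as an assumption and
check them against your controller version. An entry with an empty action
list drops every matching packet, and a priority above that of the forwarding
module's entries makes the drop rule win the match, which is the mechanism
the Mitigation module relies on.
"""
import json
import urllib.request

STATIC_FLOW_PUSHER_PATH = "/wm/staticflowpusher/json"
IP_PROTO = {"tcp": "0x06", "udp": "0x11", "icmp": "0x01"}


def build_drop_rule(dpid, name, src_ip, dst_ip=None, proto=None, dst_port=None,
                    priority=40000, idle_timeout=60):
    """Return the Static Flow Pusher entry that drops traffic from src_ip.

    Only the fields needed to pin down the offending flow are set; everything
    else stays wildcarded, like the collector's own flow entries.
    """
    if dst_port is not None and proto is None:
        raise ValueError("dst_port requires proto (tp_dst needs ip_proto)")
    rule = {
        "switch": dpid,
        "name": name,
        "cookie": "0",
        "priority": str(priority),
        "active": "true",
        "idle_timeout": str(idle_timeout),  # rule expires once the traffic stops
        "eth_type": "0x0800",               # IPv4, required before ipv4_* matches
        "ipv4_src": src_ip,
        "actions": "",                      # empty action list == drop
    }
    if dst_ip is not None:
        rule["ipv4_dst"] = dst_ip
    if proto is not None:
        rule["ip_proto"] = IP_PROTO[proto]
        if dst_port is not None:
            rule["tp_dst"] = str(dst_port)
    return rule


def rule_payload(rule):
    """Serialise the entry as the UTF-8 JSON body the REST API expects."""
    return json.dumps(rule).encode("utf-8")


def push_rule(controller, rule, opener=urllib.request.urlopen):
    """POST the entry to the controller; `opener` is injectable for testing."""
    req = urllib.request.Request(
        "http://" + controller + STATIC_FLOW_PUSHER_PATH,
        data=rule_payload(rule),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed values: DPID and addresses are placeholders, not from the paper.
    rule = build_drop_rule("00:00:00:00:00:00:00:01", "block-10.0.0.9-web",
                           "10.0.0.9", dst_ip="10.0.0.2", proto="tcp", dst_port=80)
    print(rule_payload(rule).decode())
    # push_rule("127.0.0.1:8080", rule)  # against a running controller
```

The idle timeout on the drop rule matters for the detector's feedback loop: a permanent drop entry would never expire, so the collector would keep seeing it as a flow with zero growth, whereas a timed entry disappears (with a FlowRemoved message) once the offending traffic stops.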

Performance evaluation
In this section, the attack detection and prevention mechanism built on the OpF protocol is evaluated. The benefits of OpF for blocking identified malicious traffic through the facilities of the SDN controller are also investigated.
Floodlight [63] is an open-source OpF controller with a modular architecture. Through the API provided by the Floodlight controller, periodic and aperiodic data collection are performed. After that, the derivation of new features from the basic features of the flow entries collected was performed, and three different components responsible for flow entry modification tasks were implemented. The Statistics Collector module, which collects statistics and generates new features, has been implemented. An anomaly detector module has been implemented, where models developed from both RNN and EncDecAD methods can be applied, and together with which different detection algorithms can be easily integrated. The results of this action are then sent to the Anomaly Prevention module to provide intrusion countermeasures. This enables the user to create or employ their preferred anomaly detection technique as long as it can forward the required information to the Anomaly Prevention module. Performance assessment trials were conducted with some of the network traffic in the ISCX2012 data set.

Testbed environment and traffic generation
The SAnDet system was implemented as Floodlight controller modules for the anomaly detection and prevention functions. OpF-enabled switches are required to run the experiments; Open vSwitch [64], a software switch capable of handling realistic traffic loads, is used for this purpose. The experimental environment was provided by the Mininet [65] emulation software, an open-source tool frequently used in the literature. This emulation environment supports Open vSwitch [64], which is superior to hardware switches in its features and is designed for developing SDN-supported network prototypes. The emulation environment was hosted on a virtual server with 16 GB of RAM and a quad-core 3 GHz processor. Floodlight [63] is used as the controller software because of the open-source functionality it provides. Figure 8 shows the experimental setup together with the Floodlight modules used to evaluate the two approaches mentioned above. The controller software runs on a virtual machine on the server. Network traffic captured for the performance evaluation is injected into a single switch (in this case the software-based Open vSwitch). It should be made clear that the proposed mechanism can be applied to multiple OpF-enabled switches and more general network topologies with the corresponding prevention rules. Figure 9 illustrates the schematic representation of the experimental environment.
Some parameters need to be set for the OpF-based statistics collection. In particular, a value has to be set for the idle timeout of each flow entry, because the collector module relies on flow entries expiring in order to gather the relevant flow statistics. Therefore, the time window is specified by setting the statistics collection period to 10 s and the idle timeout to 3 s.
The normal or benign traffic of the ISCX2012 data set is used to evaluate the performance of the attack detection and prevention mechanism. To be more precise, the traffic captured on "Friday, 11 June" and "Wednesday, 16 June" is used as normal network traffic. Moreover, benign traffic, which includes the "Saturday" traffic trace, is replayed normally, and the specified DoS and port scanning attacks are performed at certain time intervals.
[Table 1 fragment: Active duration in seconds; Packet rate in seconds; Byte rate in seconds. Derived features [41,62]: the average number of packets per flow (APf), the average number of bytes per flow (ABf), the average active duration per flow (ADf), the growth of single flows (GSf).]
The ISCX2012 dataset [66] was produced in 2012 by capturing traffic in a network emulation environment for more than a week. The authors describe attack scenarios with α profiles, a dynamic approach to creating an attack detection dataset with normal and malicious network behavior, whereas β profiles describe typical user behavior such as writing e-mail or browsing the web. These profiles are used to create a different data set that is both packet-based and flow-based in both directions. The dynamic strategy enables the ongoing generation of fresh data sets. Although this data set includes a wide variety of attacks such as SSH brute force, DoS, or DDoS, the traffic traces containing these attacks were not used in this study because replaying them with the tcpreplay tool disrupts their attack characteristics. These traffic trace files were used in the experiments to assess the accuracy and detection abilities of the OpF approach. Replaying captured packet trace data and injecting the produced traffic onto a particular Ethernet port is accomplished with the tcpreplay [67] program, which can replay captured traffic at the rate at which it was captured. To perform the attack, hping3 [68], a programmable software tool, was used, which allows packet sequences to be sent with random protocol field values. This enables packets to be sent to a predefined destination IP address and port to perform a DoS attack. Finally, for the port scan scenario, the attack is performed through the hping3 tool by randomly selecting the source and destination ports with a fixed source and destination IP address.
Using the flow statistics gathered from the OpF switches during the flow collection time interval, the derived features corresponding to that time interval are calculated and added to the data set as a single instance. In other words, with the aid of the derived features, the numerous flow entries seen during the time interval in which the statistics are collected are aggregated into a single instance in the data set. A similar process was repeated for flows at successive time intervals in order to generate a time series dataset in which each instance corresponds to a time step. Since each instance corresponding to sequential time steps in the dataset comprises several features (derived features), a multivariate time series dataset is produced. The maximum active duration, maximum packet count, and maximum byte count over all flows during the specified time interval are also included as derived features. The number of all flows collected from the generated traffic is shown in Table 2. Besides, the number of samples containing features derived from the flows collected in a certain time interval (10 s) is shown in Table 3.
Fig. 7 Anomaly mitigation algorithm
Fig. 8 Semi-supervised learning strategy [69]
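The aggregation step just described, as an added example that is not the paper's code: the flows of one collection window are reduced to n, APf, ABf, ADf, GSf and the window maxima, and successive windows form the rows of the multivariate time series. Two assumptions are labelled in the code: GSf is computed as the number of flows with no reverse-direction counterpart in the window (my reading of "growth of single flows"), and the feature set is a subset of the 21 features the paper uses.

```python
"""Aggregate one collection window of flows into a single feature instance (added example).

Not the paper's code. Each window's flows (P packets, B bytes, D seconds of
active duration per flow) are reduced to n, APf, ABf, ADf, GSf and the window
maxima, and successive windows form the multivariate time series. GSf is taken
here as the number of flows with no reverse-direction counterpart in the
window; that reading of "growth of single flows" is an assumption, as is the
feature set, which is smaller than the paper's 21 features.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int
    bytes: int
    duration: float

    def key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_key(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


FEATURES = ["n", "APf", "ABf", "ADf", "GSf", "maxP", "maxB", "maxD"]


def window_features(flows):
    """Reduce the flows seen in one window to one feature vector (dict)."""
    n = len(flows)
    if n == 0:
        # An empty window is a valid time step (idle network), not an error;
        # emitting zeros keeps the time series contiguous.
        return {f: 0.0 for f in FEATURES}
    keys = {f.key() for f in flows}
    P = sum(f.packets for f in flows)
    B = sum(f.bytes for f in flows)
    D = sum(f.duration for f in flows)
    single = sum(1 for f in flows if f.reverse_key() not in keys)  # assumed GSf
    return {
        "n": float(n),
        "APf": P / n,
        "ABf": B / n,
        "ADf": D / n,
        "GSf": float(single),
        "maxP": float(max(f.packets for f in flows)),
        "maxB": float(max(f.bytes for f in flows)),
        "maxD": max(f.duration for f in flows),
    }


def to_time_series(windows):
    """List of windows (each a list of Flow) -> list of feature rows in FEATURES order."""
    return [[window_features(w)[f] for f in FEATURES] for w in windows]


# Constructed sample window: a bidirectional web flow and one unanswered SSH connection.
SAMPLE_WINDOW = [
    Flow("10.0.0.1", 1234, "10.0.0.2", 80, 6, 10, 1000, 2.0),
    Flow("10.0.0.2", 80, "10.0.0.1", 1234, 6, 8, 8000, 2.0),
    Flow("10.0.0.3", 5555, "10.0.0.2", 22, 6, 1, 60, 0.1),
]

if __name__ == "__main__":
    for name, value in zip(FEATURES, to_time_series([SAMPLE_WINDOW])[0]):
        print(name, value)
```

Feeding `to_time_series()` consecutive windows is what turns the per-window collector output into the (time step, feature) matrix that the detection models consume; the zero row for an empty window is the edge case to keep in mind, since dropping idle windows would silently shift the time axis.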

Anomaly detection and mitigation
The SSL (semi-supervised learning) strategy was chosen because it requires less information, time, and effort, and because unlabeled data is easier to obtain for an intrusion detection system than labeled data [69]. To state the SSL strategy more precisely: during the training phase, the dataset is known to comprise only normal examples, which is the supervised information (the label "normal") available to the model. In the testing phase, no information about the dataset is provided, and the model is expected to classify each sample as normal or abnormal, the latter being a label it has never been trained on. Furthermore, this strategy suits the unsupervised training nature of the detection methods.
As can be seen in Fig. 8, the data set is divided into two separate parts as training and test data sets. To create a normal profile of the network traffic by applying the SSL strategy, only the labeled data set containing normal flow characteristics is used in the training phase. The testing process makes use of an unlabeled data set containing both normal and attack flow characteristics.
Since the techniques used in this analysis are parameterized, the models' performance should be calculated using the right parameters. Because abnormal data is not included in the training process, the cross-validation operation cannot be accomplished in hyperparameter optimization [70]. Thus, the adjustment of the hyperparameters is done mostly taking into account the suggestions mentioned by Patterson and Gibson [71]. Following that, the RNN and EncDecAD hyperparameters are often set by trial and error.
The experiments were carried out using a basic deep AE architecture. The architectural diagrams of the RNN and of EncDecAD are shown in Figs. 3 and 4, respectively (for a window size of 3). Models were trained with different dimensions (8, 16, 32, 48, 64, 80, and 96) for the bottleneck layer of the RNN and the hidden layers of EncDecAD. The layer dimensions of the best-performing RNN and EncDecAD models were established by trial and error while keeping the number of layers constant, that is, conforming to the given architectures. The following parameters are used in the RNN and EncDecAD configurations. In the training trials, learning rates of 0.1, 0.01, and 0.001 were tried; the optimal value is 0.001. Both networks were trained using the backpropagation technique and the conjugate gradient optimization approach, which is suggested for large data sets and real-valued outputs [71]. The Adam updater [72] was chosen to avoid local minima and to seek more efficient optimization alternatives. The following additional parameters are used in the EncDecAD configuration: in the hidden layers, the hyperbolic tangent function is used as the activation function. For the RNN hyperparameters, which follow the common choices recommended in [50], the sigmoid activation function is used in the layers other than the output layer, while the mean square error loss function and the softmax activation function are used in the output layer. Both the RNN and EncDecAD models were implemented with the library [73], which is based on PyTorch [74], and trained for 50 epochs with a batch size of 16. The reconstruction error is used as the anomaly score in both the RNN and EncDecAD methods. Before training, min-max normalization was applied to the traffic traces using the feature scaling method [75] to bring all values into the range [0, 1].
To assess the algorithms' performance, distinct training and test data sets were used. The models were constructed by training the neural network exclusively on ''Friday'' and ''Wednesday'' normal flow data. This is because models are developed in an unsupervised manner, and the label for the final column in the dataset corresponds to the attack class that was not used during training. The testing procedure included both normal and attack traffic on alternate days. All attacks classified as ''anomalies'' during the testing procedure are those that are not ''normal'' or ''benign.'' Metrics were computed for the performance evaluation of an attack class using only normal flow records and attack class-specific flow data, ignoring any other attack classes.
Performance evaluation of the methods is carried out using the AUC and accuracy metrics. An assessment based on the AUC criterion is performed because it is the de facto standard for imbalanced anomaly detection and is easy to interpret [76]. The AUC results of the methods are given in Table 4. In addition, the confusion matrix of the EncDecAD method for window size 6 and dimension 32 is shown in Fig. 12. When the results are examined, the EncDecAD method gives better results than the RNN across different time windows and bottleneck dimensions, as can be seen in Figs. 10 and 11. This indicates that EncDecAD learns the relationships within the sequences better than the RNN. The results also show that EncDecAD compares favorably with the studies listed in Table 5 in terms of accuracy and AUC. As seen in Table 5, a wide range of techniques has been proposed in the literature for detecting network attacks. These techniques differ in the methods they use, the number of features they consider, the types of attacks they can detect, the controller software they use, and the datasets they are tested on. In general, the detection approach proposed in this study, referred to as SAnDet, uses an EncDecAD method with 21 features and is capable of detecting DoS and port scan attacks. It is tested on the Floodlight controller using the ISCX2012 dataset and reports accuracy and AUC results of 99.3% and 93.3%, respectively.
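The semi-supervised pipeline of the preceding subsections (train on normal windows only, min-max scaling, sliding windows over time steps, reconstruction error as anomaly score, AUC and accuracy on a test series), as an added example that is not the paper's code or models. The `Replicator` class here is a minimal dense tanh autoencoder trained by full-batch gradient descent in NumPy; it stands in for the paper's RNN and EncDecAD only so that the pipeline runs end to end. All data is constructed, and the feature layout (n, APf, ABf, GSf per 10 s window) is an assumption.

```python
"""Semi-supervised anomaly detection on a multivariate flow-feature time series (added example).

Not the paper's models: the Replicator class is a minimal dense tanh
autoencoder trained by full-batch gradient descent, standing in for RNN /
EncDecAD only to show the pipeline: min-max scaling fitted on normal data,
sliding windows over time steps, training on normal windows only,
reconstruction error as anomaly score, a threshold taken from training
errors, and AUC / accuracy on a test series. All data here is constructed.
"""
import numpy as np


def fit_minmax(train):
    """Per-feature min and span from the training (normal) data only; constant features get span 1."""
    lo, hi = train.min(axis=0), train.max(axis=0)
    span = np.where(hi > lo, hi - lo, 1.0)
    return lo, span


def scale(x, lo, span):
    return (x - lo) / span


def make_windows(series, w):
    """(T, d) series -> (T - w + 1, w * d): each row is one flattened window of w steps."""
    return np.stack([series[i:i + w].ravel() for i in range(len(series) - w + 1)])


class Replicator:
    """One-hidden-layer replicator network: input -> tanh bottleneck -> reconstruction."""

    def __init__(self, d_in, d_hidden, seed=0):
        rng = np.random.default_rng(seed)
        s = 1.0 / np.sqrt(d_in)
        self.W1 = rng.uniform(-s, s, (d_in, d_hidden))
        self.b1 = np.zeros(d_hidden)
        self.W2 = rng.uniform(-s, s, (d_hidden, d_in))
        self.b2 = np.zeros(d_in)

    def forward(self, X):
        H = np.tanh(X @ self.W1 + self.b1)
        return H, H @ self.W2 + self.b2

    def fit(self, X, epochs=300, lr=0.05):
        for _ in range(epochs):
            H, Y = self.forward(X)
            G = 2.0 * (Y - X) / X.shape[0]           # dMSE / dY
            GH = (G @ self.W2.T) * (1.0 - H ** 2)    # back through tanh (old W2)
            self.W2 -= lr * (H.T @ G)
            self.b2 -= lr * G.sum(axis=0)
            self.W1 -= lr * (X.T @ GH)
            self.b1 -= lr * GH.sum(axis=0)
        return self

    def score(self, X):
        """Per-window reconstruction MSE, used directly as the anomaly score."""
        return ((self.forward(X)[1] - X) ** 2).mean(axis=1)


def auc(scores, labels):
    """Rank-based AUC: probability an anomaly outscores a normal window, ties count half."""
    pos, neg = scores[labels == 1], scores[labels == 0]
    gt = (pos[:, None] > neg[None, :]).sum()
    eq = (pos[:, None] == neg[None, :]).sum()
    return (gt + 0.5 * eq) / (len(pos) * len(neg))


def accuracy(scores, labels, thr):
    return float(((scores > thr).astype(int) == labels).mean())


def constructed_data(seed=1):
    """Normal training series, a test series with an injected flood, and per-step labels."""
    rng = np.random.default_rng(seed)
    base = np.array([50.0, 12.0, 900.0, 5.0])       # assumed layout: n, APf, ABf, GSf
    sd = np.array([5.0, 1.0, 50.0, 1.0])
    train = base + rng.normal(0.0, sd, (200, 4))
    test = base + rng.normal(0.0, sd, (80, 4))
    labels = np.zeros(80, dtype=int)
    # Flood-like windows: many flows, few packets/bytes each, many unanswered flows.
    test[40:55] *= np.array([8.0, 0.2, 0.3, 30.0])
    labels[40:55] = 1
    return train, test, labels


def run_pipeline(w=3, hidden=4):
    train, test, labels = constructed_data()
    lo, span = fit_minmax(train)                    # never fit scaling on test data
    Xtr = make_windows(scale(train, lo, span), w)
    Xte = make_windows(scale(test, lo, span), w)
    # A window is anomalous if any of its time steps is.
    y = np.array([labels[i:i + w].max() for i in range(len(test) - w + 1)])
    model = Replicator(Xtr.shape[1], hidden).fit(Xtr)
    thr = float(np.quantile(model.score(Xtr), 0.99))   # threshold from normal data only
    s = model.score(Xte)
    return {"auc": float(auc(s, y)), "accuracy": accuracy(s, y, thr), "threshold": thr}


if __name__ == "__main__":
    print(run_pipeline())
```

Two details carry over directly to the paper's setup: the scaling parameters and the decision threshold both come from the normal training data, since the test labels are unavailable under the SSL strategy, and the window label has to be defined explicitly (here, any anomalous step) before accuracy or the confusion matrix can be computed on windowed data.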
The proposed detection approach in this study is no exception, as it is trained on normal network traffic and tested on both normal and attack traffic during the test phase, similar to previous studies. However, what sets this study apart from others is its focus on real-time anomaly detection from multivariate time series flow-based data. Specifically, the proposed approach attempts to detect attacks occurring within a specific time window, which contains multiple time steps, by considering the flow features at each time step as a multivariate. This is a unique contribution that has not been explored in previous research. Furthermore, this study has the advantage of evaluating the proposed approach using a more recent dataset than many previous studies. While this is a strength of the study, it is worth noting that the proposed method only considers a limited number of attack types in its evaluation phase, which could be seen as a weakness compared to other studies that consider a wider range of attack types.
It is important to note that comparing the accuracy and AUC results in Table 5 with those of other studies may not be entirely fair, as this study employs a different methodological approach. However, it is still useful to present the results using both accuracy and AUC criteria so that future research can make comparisons. Overall, the performance of the proposed approach, as demonstrated by its high accuracy and AUC, suggests that it is a promising approach for detecting network attacks in real-time.

Conclusion
The use of deep learning-based anomaly detection methods on SDN environments has been shown to be a promising approach for improving network security. SAnDet, a modular SDN anomaly detector that utilizes the capabilities of OpF to gather statistics and mitigate attacks in real time, was proposed as a solution for detecting and preventing attacks in networks. By separating the functions of data collection, anomaly detection, and prevention into distinct modules, SAnDet is able to efficiently analyze flow data and identify potential threats in the network. The use of RNN and EncDecAD methods in the Anomaly Detection module allowed for the detection of both known and zero-day attacks. The Mitigation module was able to effectively block malicious traffic and prevent further damage by adding flow entries to the OpF switch's flow table.
The performance of SAnDet was evaluated using a range of metrics and the ISCX2012 data set, with the results demonstrating the effectiveness of the system in detecting and preventing attacks in the network. The analysis showed that SAnDet achieved high levels of accuracy and AUC, with the EncDecAD method outperforming the RNN method on both metrics. In particular, the EncDecAD method achieved an accuracy of 99.3% and an AUC of 93.3%, indicating its strong ability to identify and mitigate attacks in the network. These findings highlight the potential of using OpF and SDN technologies in conjunction with deep learning methods for improving network security and suggest that the EncDecAD method in particular is an effective means of achieving this goal.
While the results of this study are encouraging, there is still room for further research and development in the field of SDN security. For example, additional studies could be conducted to examine the performance of SAnDet in different network environments and with different types of attacks. Additionally, the research could be done to explore the use of alternative deep learning or statistical approaches for anomaly detection in SDN environments. Another direction for future work is to explore how the modification of the time interval for statistics collection will impact the system performance in terms of both the controller load and the accuracy of attack detection, as this could have significant consequences for the efficiency and effectiveness of the anomaly detection process in SDN environments. By continuing to advance the capabilities of anomaly detection and prevention systems like SAnDet, it may be possible to better protect networks from a wide range of potential threats and vulnerabilities. Overall, the results of this study emphasize the importance of developing robust and effective methods for detecting and preventing attacks in SDN environments and the potential of using deep learning and OpF technologies to achieve this goal.