Method for detecting intrusion in network
First Claim
1. A method for detecting an intrusion in a network, the method performed by a system, said system comprising the network having a plurality of nodes for data transmission/reception and switches for relaying flow transmission/reception between the nodes, an intrusion detection system (IDS) combined with the network and a Software Defined Networking (SDN) controller, the method comprising:
installing, by the SDN controller, SDN-enabled switches for flow sampling in the network to connect the network to the SDN controller;
determining, by the SDN controller, information on the number of network flows and the number of the switches in the network;
calculating, by the SDN controller, a function M(x), minimizing a maximum value of missing rates of malicious attacks in the IDS, based on an initial value of a rate at which a malicious attack takes place for each of the network flows, where x represents a sampling rate vector of each of the SDN-enabled switches;
calculating, by the SDN controller, a sampling rate for each of the SDN-enabled switches using a flow table which is created by the SDN controller based on the calculated function M(x);
forwarding, by the SDN-enabled switches, packet information to the IDS according to the calculated sampling rate;
identifying, by the IDS, malicious data based on the packet information; and
updating, by the SDN controller, the sampling rate of each of the SDN-enabled switches based on the identified malicious data.
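The page gives the procedure but not the form of M(x), the missing-rate model, or how the flow table is derived from it. The following is an added example, not the patent's method or code: it assumes a missing rate per flow equal to the flow's estimated attack rate times the probability that no switch on its path samples a packet (independent Bernoulli sampling at rate x[s] per switch), an IDS capacity budget in packets per second that the sampled copies must fit into, and a greedy min-max heuristic standing in for whatever optimizer the patent uses. The topology, loads, flows, attack-rate estimates, packet traffic and the function and constant names (SWITCH_LOAD, IDS_BUDGET_PPS, compute_sampling_rates, sample_and_inspect, update_attack_rates) are all constructed for the example. The IDS verdict is replaced by the constructed ground-truth label, so the block demonstrates the sampling-rate computation and the feedback loop, not a detection engine.

```python
import random
from dataclasses import dataclass

# Constructed topology: per-switch load in packets/s and the IDS capacity
# (the budget the sampled copies must fit into). Hypothetical values.
SWITCH_LOAD = {"s1": 1000.0, "s2": 800.0, "s3": 500.0}
IDS_BUDGET_PPS = 600.0


@dataclass
class Flow:
    name: str
    path: list          # switches the flow traverses
    attack_rate: float  # controller's estimate of the malicious packet fraction


def build_demo_flows():
    """Constructed flows with the controller's initial attack-rate estimates."""
    return [
        Flow("web", ["s1", "s2"], 0.02),
        Flow("dns", ["s2"], 0.05),
        Flow("ssh", ["s1", "s3"], 0.10),
        Flow("bulk", ["s3"], 0.005),
    ]


def missing_rate(flow, x):
    """Assumed model: a malicious packet is missed when no switch on the
    flow's path samples it; switches sample independently at rate x[s]."""
    not_sampled = 1.0
    for s in flow.path:
        not_sampled *= 1.0 - x[s]
    return flow.attack_rate * not_sampled


def objective(flows, x):
    """(max missing rate, total missing rate): the max is the min-max target,
    the sum only breaks ties between moves that leave the max unchanged."""
    rates = [missing_rate(f, x) for f in flows]
    return max(rates), sum(rates)


def compute_sampling_rates(flows, load, budget, step=0.05):
    """Greedy min-max: raise one switch's rate by `step` per iteration, picking
    the move with the largest reduction of the worst flow's missing rate per
    packet/s of IDS budget, until no affordable move helps. Returns (x, spent)."""
    x = {s: 0.0 for s in load}
    spent = 0.0
    while True:
        cur_max, cur_sum = objective(flows, x)
        best, best_score, best_cost = None, (0.0, 0.0), 0.0
        for s in load:
            cost = step * load[s]
            if x[s] + step > 1.0 + 1e-12 or spent + cost > budget + 1e-9:
                continue
            trial = dict(x)
            trial[s] = min(1.0, trial[s] + step)
            new_max, new_sum = objective(flows, trial)
            score = ((cur_max - new_max) / cost, (cur_sum - new_sum) / cost)
            if score > best_score:
                best, best_score, best_cost = s, score, cost
        if best is None:
            return x, spent
        x[best] = min(1.0, x[best] + step)
        spent += best_cost


def make_packets(rng, counts, true_rates):
    """Constructed traffic: (flow name, is_malicious) pairs drawn from true
    malicious fractions that the controller does not know."""
    packets = []
    for name, n in counts.items():
        packets.extend((name, rng.random() < true_rates[name]) for _ in range(n))
    rng.shuffle(packets)
    return packets


def sample_and_inspect(flows, x, packets, rng):
    """Switch side: each switch on the path mirrors the packet to the IDS with
    probability x[s]; the first hit wins so the IDS sees at most one copy.
    IDS side: the constructed ground-truth label stands in for the verdict."""
    path_of = {f.name: f.path for f in flows}
    stats = {f.name: {"sampled": 0, "malicious": 0} for f in flows}
    for name, is_malicious in packets:
        for s in path_of[name]:
            if rng.random() < x[s]:
                stats[name]["sampled"] += 1
                stats[name]["malicious"] += int(is_malicious)
                break
    return stats


def update_attack_rates(flows, stats, alpha=0.5, min_samples=10):
    """Controller feedback: move each estimate toward the malicious fraction
    the IDS observed; flows with too few samples keep their estimate."""
    for f in flows:
        st = stats[f.name]
        if st["sampled"] >= min_samples:
            observed = st["malicious"] / st["sampled"]
            f.attack_rate = (1 - alpha) * f.attack_rate + alpha * observed
    return flows


def main():
    rng = random.Random(7)
    flows = build_demo_flows()
    x, spent = compute_sampling_rates(flows, SWITCH_LOAD, IDS_BUDGET_PPS)
    print("round 1:", x, "budget used", spent, "max miss %.4f" % objective(flows, x)[0])
    # The web flow is under attack far more than the controller assumed.
    packets = make_packets(rng, {"web": 400, "dns": 200, "ssh": 100, "bulk": 300},
                           {"web": 0.15, "dns": 0.05, "ssh": 0.10, "bulk": 0.0})
    update_attack_rates(flows, sample_and_inspect(flows, x, packets, rng))
    x, spent = compute_sampling_rates(flows, SWITCH_LOAD, IDS_BUDGET_PPS)
    print("round 2:", x, "budget used", spent, "max miss %.4f" % objective(flows, x)[0])


if __name__ == "__main__":
    main()
```

Two points a practitioner would check before using anything like this: the budget is what keeps the switches from mirroring everything to the IDS (with no capacity constraint the trivial answer is x = 1 everywhere), and the feedback step should never let a flow's estimate collapse to zero on a handful of samples, since a flow that is never sampled can never be re-flagged; the min_samples guard and the moving average are the cheap way to keep both properties.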
Abstract
A method for detecting an intrusion in a network is disclosed. The network includes a plurality of nodes for data transmission/reception and switches for relaying flow transmission/reception between the nodes, and an intrusion detection system (IDS) is combined with the network to form a system. The method includes: installing SDN-enabled switches for flow sampling in the network to connect them to an SDN controller; determining, by the SDN controller, the number of network flows and the number of switches; deriving a sampling rate for each of the SDN-enabled switches; forwarding, by the switches, packet information sampled at the respective sampling rates to the IDS; and identifying, by the IDS, malicious data based on the packet information, which is used to update the sampling rate of each of the SDN-enabled switches.
6 Claims
Claim 1 is reproduced above under First Claim; dependent claims 2 through 6 are not reproduced on this page.