Artificial Immune Systems and Fuzzy Logic to Detect Flooding Attacks in Software-Defined Networks

Software-defined Networking (SDN) has emerged as an architecture that uses applications to make networks flexible and centrally controlled. Although SDN provides innovative management, it is still susceptible to attacks on a daily basis, and traditional detection approaches may not be sufficient to contain these threats. In this paper, we present an Artificial Immune System based IDS named AIS-IDS, which is inspired by the defense cells of the human body. AIS-IDS can detect variations in network behavior and identify attacks without prior knowledge about them. Along with AIS, fuzzy logic is applied to the detection to reduce the uncertainty that arises when there is no clear boundary between anomalous and normal traffic behavior. We simulated portscan and flooding attacks and also used a public dataset with several types of DDoS attacks to assess our proposal. We compared the AIS-IDS performance with Naive Bayes, k-nearest neighbors, and the Local Outlier Factor. The AIS-IDS outperformed the compared algorithms, achieving f-measure rates of 99.97% and 92.28% on the simulated and the public dataset, respectively.


I. INTRODUCTION
The networking landscape has continuously evolved to meet the demands of users and emerging services. New technologies, such as Internet of Things (IoT), smart cities, autonomous vehicle networks, and health monitoring systems, are some examples that are already part of everyday life. However, they have vulnerabilities that can be exploited [1], [2].
The vulnerabilities exploited by intruders are often operational problems or internal faults caused by misconfigured equipment. Taking advantage of these security breaches, an intruder attacking network services may present behavior that deviates from that of legitimate users [3]. Anomaly is the term used for such deviant behavior, which can represent a threat able to impact service quality and even compromise the entire network [4], [5].
The associate editor coordinating the review of this manuscript and approving it for publication was Wei Yu.

Considering all these threats, it is critical to maintain systems and networks capable of dealing with anomalies that affect their proper functioning. Network administrators use security mechanisms, such as Intrusion Detection Systems (IDS), to analyze the network traffic [6], [7]. When an unusual traffic change is detected, the IDS raises an alarm to warn about the potential threat found. Alarms help the network administrator intervene as soon as possible to address the anomalies [8].
With the advance of networking technologies and the increasing number of connected devices, managing every network device in the traditional way is no longer viable; effective management is needed that gives administrators flexibility and ensures network resilience [9]-[11]. Software-defined Networking (SDN) is an emerging networking paradigm capable of managing networks of different types and sizes from a software perspective [2]. Since this type of network has a centralized control plane, called the controller [12], it is possible to monitor the entire network and obtain an extensive analysis of its operation [13]-[15]. By contrast, in traditional networks each device has its own software, security rules, link failure strategy, and forwarding mechanisms; if any of these needs to be updated, each network device must be managed individually [16], [17].
The possibility of managing the network via software allows numerous customizations of network services [10], [18], including security. Further, SDN can benefit from machine learning classification, pattern recognition, and meta-heuristic optimization to ease the administrator's task [19]. In this regard, we propose AIS-IDS, a biologically inspired IDS with fuzzy logic, to automate the detection and mitigation of network anomalies. The proposal is placed on the control plane and has three modules with specific functions: one for collecting flows, another for detection, and the last for mitigation.
The Flow Collector module collects the IP flows every second and extracts traffic features that describe the network behavior. The AIS Detection module uses Artificial Immune Systems (AIS), a class of algorithms inspired by the functioning of the body's defense system. Just as the human immune system identifies and reacts to foreign organisms in the body, AIS-IDS detects and responds to patterns that differ from those presented in its training phase. AIS-IDS recognizes anomalous network traffic patterns using only normal traffic behavior for training. A Fuzzy Inference System is used to handle the degree of uncertainty inherent in anomaly detection and in network traffic analysis. The Mitigation module recognizes the anomaly type and identifies the suspicious IP addresses and ports in order to define the mitigation strategy that blocks the attack.
To evaluate the efficiency of the AIS-IDS, we compare our approach with Naive Bayes, k-nearest neighbors (kNN), and Local Outlier Factor (LOF) in simulated scenarios with DDoS and portscan attacks in the Mininet network emulator using the Floodlight SDN controller. We also use a public dataset, which contains several types of flooding attacks.
The rest of the paper is organized as follows. Section II presents the recent works of the area. Section III describes the structure and functioning of the proposed AIS-IDS. The experimental tests and results are discussed in Section IV. Finally, Section V concludes the paper.

II. RELATED WORK
Anomaly detection has become a significant data mining task for analysis of inconsistent or suspicious data. It has been attracting attention from many researchers in various application fields, such as financial analysis, fraud detection, network intrusion detection and in new environments, including IoT [20], [21]. Recently, researchers proposed various anomaly detection models to protect and keep the network safe from malicious users [1], [2], [22].
Many types of algorithms and techniques have been used to detect network traffic anomalies; statistical algorithms [23], clustering [6], classification [24], and evolutionary algorithms [25] are some examples of the techniques used in IDSs. The IDS may be placed inside or outside the network to protect it from the various attackers trying to gain access to it [26].
Intrusion detection can be divided into signature-based and anomaly-based detection. The former uses signatures, which can be considered sequences of occurrences that define an attack [27]. It can achieve high detection rates for known attacks but performs worse on new or unknown threats. The latter builds a profile representing the normal network behavior, and a deviation from this pattern may be an anomaly [8], [28].
Arivudainambi et al. [29] presented an IDS using Convolutional Neural Networks (CNN) and the Lion Optimization Algorithm (LOA). CNN is a model for visual recognition, and LOA is a bio-inspired algorithm that mimics the lifestyle of lions. The CNN is used to transform the collected traffic features into high-level features, and LOA performs feature selection on them. The NSL-KDD dataset is used to evaluate the approach, which is compared with other bio-inspired feature selection methods, such as Ant Colony Optimization and the Bee Colony Optimization algorithm. The CNN with LOA approach outperforms the compared algorithms by 1.2%, reaching an accuracy of 98.2%. Although the approach is lightweight, it is focused on DDoS attacks and does not use mitigation strategies for the detected threats.
Regarding signature-based approaches in SDN networks, Lai et al. [24] proposed a flow-based anomaly detection using a Multilayer Perceptron (MLP). Six features were extracted from the IP flows and used in the input layer of the MLP. A packet-based detector was also developed, and the two approaches were compared using the NSL-KDD dataset. Both methods were able to detect threats; however, the flow-based approach performed better because it caused less overhead while presenting a performance comparable to the packet-based model. As the approach uses anomalous data for training, it can suffer from misclassification when new types of attacks occur. Also, the scheme presented by the authors has no attack mitigation policy.
Still exploring techniques applied to SDN networks, Mansour et al. [30] proposed an approach using a Genetic Algorithm (GA). Their method was designed to select the best attributes of the KDD Cup dataset and also to compute a fitness function for anomaly detection. A fitness function was defined for each protocol (TCP, UDP, and ICMP) to achieve better results. When an anomaly is detected, the approach divides its analysis into four attack classes: DoS, probe, R2L, and U2R. After classifying the attack, the value of the fitness function is recalculated to classify other attack instances. Overall, the approach was able to detect most of the attacks, with a True Positive Rate (TPR) close to 80%. However, the proposal used abnormal traffic for training, which may restrict the recognition of unknown anomalous events. Also, the countermeasure strategy blocks all communication to the attacked device, which can block legitimate requests as well.
Duy et al. [31] presented an anomaly-based method that uses the concept of entropy to detect DDoS attacks. Their method has four modules: flow collector, entropy-based sensor, attack confirmation sensor, and mitigator. From the collected flows, the entropy of the destination IP addresses is computed to find abnormalities. Once unusual network behavior is detected, the attack confirmation module analyzes all relevant flows to find the origin of the threat. With the source of the attack located, the mitigator modifies the flows to block the attack. The approach was evaluated using the Mininet network emulator. The authors reported that the approach detects attacks at early stages, but only DDoS was explored.
Vidal et al. [25] used NFV to build a decentralized anomaly-based method with various agents spread through the network. These detectors can use innate or adaptive responses from immune system theory to detect potential threats and mitigate them. The KDD Cup and CAIDA 2007 datasets were used to evaluate the system. Also, the tool DDoSIM was used to generate flooding attacks in the subnet traffic of the Faculty of Computer Science of the Complutense University of Madrid. In the results, the authors pointed out that adaptive responses were more effective than innate reactions. Moreover, innate responses behave like a conventional IPS (Intrusion Prevention System), and adaptive reactions can be used as an alternative to traditional mitigation schemes. The approach has been effective in blocking attacks, but it has to be spread over the entire network to operate properly. The proposed detection is specialized in DDoS attacks, so attacks of other types may not be detected.
Rathore et al. [32] presented a bio-inspired anomaly detection approach to detect DoS attacks in SDN networks. The innate system is used to mitigate DoS attacks from malicious users, and the adaptive system is applied to mitigate DoS attacks caused by switches. When an attack is detected, a mitigation module blocks the malicious user, cutting off its communication with the network. When an attack comes from switches, the mitigation module reduces the bandwidth from the switch to protect the SDN controller. The Mininet network emulator was used to evaluate the proposed system. The presented approach outperforms other techniques regarding the time needed to react to threats and the overhead of the detection scheme. However, the approach is specialized in DoS attacks, and the network used for the comparisons is tiny, containing only a few hosts.
Among the works that address AIS in traditional networks, Aziz et al. [27] proposed a two-tier IDS. The first layer uses negative selection to create detectors whose feature values represent the normal network behavior. When there are variations in the normal behavior of the network, the second layer applies classifiers to identify specific attacks. GA, AIS, Decision Trees, MLP, and Naive Bayes were tested to rank the best classifiers for the second layer.
The IDS was evaluated using the NSL-KDD dataset. In the tests, none of the tested classifiers was superior in detecting all types of attacks; the authors report that the average f-measure among all classifiers was 78%. The approach used AIS to detect anomalous moments. However, it relied on classifiers that need training with attack samples to identify anomalies precisely, which hampers the detection of attacks not present in the training dataset.
Hooks et al. [33] presented a comparison between negative selection and clonal selection for anomaly detection. Both techniques were evaluated on the NSL-KDD dataset in various scenarios, changing the number of attributes, instances, and detectors. The authors concluded that both approaches suffered with large numbers of samples and features, and that negative selection delivered results faster than clonal selection. The approach requires at least 22 features for an accuracy greater than 80%, which implies a high computational cost for large networks. Both algorithms use a training dataset with attacks, so unknown attacks may not be detected.
Shen and Wang [34] presented an IDS based on negative selection. The paper also compared Rough Set, Linear Genetic Programming (LGP) and Multivariate Adaptive Regression Splines (MARS) to find the best feature selection algorithm. Each algorithm chose six features out of 41 available in the KDD Cup 99 dataset. According to the authors, the MARS algorithm obtained the best features, reaching detection rates similar to other IDS in the literature. The proposed IDS did not take into account the mitigation process and was deployed in a traditional network architecture.
Another approach was presented by Tabatabaefar et al. [35], which used two AIS techniques: negative and positive selection. The method has two categories of detectors. The first category was designed for recognizing legitimate traffic and the second one identifies anomalies. Particle Swarm Optimization algorithm was used to perform detector training. The tests were performed using the KDD Cup 99 dataset. Results showed that the proposed approach presented a detection rate over 99%. Using the same dataset, Suliman et al. [7] developed an IDS using the clonal selection technique. The authors reported that results obtained were comparable to other approaches found in the literature. The proposal was based on the detection of DoS and probe attacks. The paper is focused on traditional networks and does not discuss strategies for attack mitigation.
Among the works found in the literature, only one resembles our proposal. Zhou and Pezaros [36] presented an IDS using negative selection in SDN networks. The approach builds detectors and trains them on data collected from the network switches. Subsequently, the detectors are sent to the controller, which selects the best ones to obtain the best collection possible. This collection is sent to all switches, which use the detectors to locate anomalies. The proposed IDS was evaluated with two datasets, KDD Cup and NSL-KDD. According to the authors, the approach proved more efficient in detection than previous AIS-based IDS approaches and also lighter than the other methods assessed in the paper. The solution did not propose a mitigation strategy and used the network switches to carry out the anomaly detection, which can lead to data plane overload.
Table 1 summarizes all the related works presented. Works [27] and [31] use techniques to profile regular network operation; however, if the network behavior changes, classification errors can occur. Similarly, [24] and [30] can suffer from misclassification of anomalous events because they use historical data containing anomalies for training, and their approaches may not generalize to other, unknown attacks. Besides, the former does not provide policies for attack mitigation, and the latter blocks all communication to the victim device, impairing legitimate packets.
Some works focus on detecting only one type of attack [25], operate in a traditional network architecture [34], or do not act against the spread of the attack [36]. In this paper, we present a comprehensive AIS-based IDS that can detect anomalies in near real time. Also, we focus specifically on the SDN environment to take advantage of the programmability of network resources, providing countermeasures for detected threats and thereby improving network resilience.

III. SYSTEM OVERVIEW
The AIS-IDS has three modules coupled to the SDN controller: Flow Collector, AIS Detection, and Mitigation. The first module periodically acquires IP flows from the data plane using the OpenFlow protocol and preprocesses them to represent the network behavior. The processed data is sent to the second module, where the AIS classifies the network behavior as normal or abnormal. If the behavior is classified as normal, forwarding rules are created to forward the packets of benign flows to their destination. In contrast, when an anomalous event is detected, the Mitigation module blocks the malicious traffic by creating forwarding rules that drop the packets of the anomalous flows. All these forwarding rules are sent through the OpenFlow protocol to the switches in the data plane. Figure 1 presents an overview of the entire operation of AIS-IDS.

A. FLOW COLLECTOR MODULE
To collect the data used by the AIS Detection module, we use the OpenFlow protocol. This protocol is the common interface used to instruct switches about new forwarding rules for incoming packets, and it also provides access to statistical data and control plane configuration [37].
An IP flow is a collection of IP packets with similar features, like source and destination IP addresses, ports, and other features [22]. Each flow has rules assigned to it for enabling packet forwarding. Packets that share some characteristics use the same flow forwarding rule. For each new packet that arrives at a switch and does not have a flow that matches it, a new flow is created to allow the packet to be forwarded to its destination.
At every instant, many flows are created and expire in an SDN network. The more frequently flow information is collected, the more accurate the anomaly detection and, consequently, the faster the actions taken to stop an attack from spreading. To detect attacks in near real time, traffic statistics must be collected at short time intervals. However, a disadvantage of periodic data collection at short intervals is the volume of flows to be analyzed. Thus, creating an IDS that reacts accurately in real time when detecting threats is a challenging issue. In this regard, each module of our proposal was designed to seek the best trade-off between computational efficiency and anomaly detection effectiveness.
The first module collects statistics from the flows in the switches and extracts the traffic features every second. AIS-IDS uses four traffic features: source and destination IP addresses and source and destination ports. The benefit of using these traffic features is twofold. First, once converted to quantitative values, IP addresses and ports become sensitive to changes in traffic behavior, which allows identifying the moments in which the traffic behaves anomalously. Second, it is possible to locate the hosts and services involved in the anomalous event and mitigate them [38].
Entropy is efficient in measuring the distribution of qualitative features [31], [39]. We use Shannon entropy [40] to quantify the level of concentration of information according to the distribution of a set of samples [41]. Shannon entropy is computed from a histogram of each qualitative traffic feature, which is used in equation (1), in which $X$ stands for one of the qualitative features, $n_i$ is the number of times the $i$-th IP address or port was observed in the analysis interval, and $s = \sum_{i} n_i$ is the total of all occurrences in the histogram.
Thus, the Flow Collector is responsible for collecting the incoming traffic, processing and summarizing it, and forwarding the result to the AIS module for pattern characterization. The internal procedure of this module is presented in Figure 2.
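As an added example (not code from the paper), the following Python implements the Flow Collector step described above: it bins constructed flow records into one-second intervals, builds a histogram for each of the four qualitative features, and computes the Shannon entropy of each histogram using the $n_i$ and $s$ defined above. The flow records, the binning on a `ts` field and the choice of a base-2 logarithm are assumptions of the example.

```python
"""Flow Collector feature extraction: Shannon entropy of srcIP, dstIP, srcPort and
dstPort over the flows observed in each one-second interval.
Added example, not the paper's code. The flow records below are constructed; the
logarithm base (2) is an assumption, since the paper does not state it."""
import math
from collections import Counter, defaultdict

FEATURES = ("srcIP", "dstIP", "srcPort", "dstPort")


def shannon_entropy(histogram):
    """H(X) for a histogram {value: n_i}, with s = sum of all n_i (equation (1))."""
    s = sum(histogram.values())
    if s == 0:
        return 0.0
    return -sum((n / s) * math.log2(n / s) for n in histogram.values() if n > 0)


def bin_flows_by_second(flows):
    """Group flow records by the integer second of their timestamp."""
    bins = defaultdict(list)
    for flow in flows:
        bins[int(flow["ts"])].append(flow)
    return dict(sorted(bins.items()))


def extract_features(flows_in_interval):
    """{feature: H(feature)} for one interval: the vector handed to the AIS module."""
    return {
        f: shannon_entropy(Counter(flow[f] for flow in flows_in_interval))
        for f in FEATURES
    }


def collect(flows):
    """Per-second feature vectors, keyed by second."""
    return {sec: extract_features(fs) for sec, fs in bin_flows_by_second(flows).items()}


def constructed_flows():
    """Constructed sample: second 0 is ordinary traffic (8 clients, 4 servers, 4
    services); second 1 is a flood from 4 sources, all aimed at 10.0.0.50:80."""
    flows = []
    services = (80, 443, 22, 53)
    for i in range(8):
        flows.append({"ts": 0.1 * i, "srcIP": f"10.0.0.{i + 1}",
                      "dstIP": f"10.0.0.{50 + i % 4}", "srcPort": 40000 + i,
                      "dstPort": services[i % 4]})
    for i in range(32):
        flows.append({"ts": 1.0 + 0.03 * i, "srcIP": f"10.0.0.{20 + i % 4}",
                      "dstIP": "10.0.0.50", "srcPort": 50000 + i, "dstPort": 80})
    return flows


if __name__ == "__main__":
    for sec, feats in collect(constructed_flows()).items():
        print(sec, {f: round(v, 3) for f, v in feats.items()})
```

In the constructed data, the flood in second 1 drives H(dstIP) and H(dstPort) to zero while H(srcPort) rises, which is the kind of feature shift the AIS module is meant to pick up. In the real module the records would come from OpenFlow flow-statistics replies rather than an inline list.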

B. AIS DETECTION MODULE
Artificial Immune Systems (AIS) are a computational intelligence technique inspired by biological immune systems [34]. There are several implementations of AIS theory, each suited to the objective and problem addressed [42].
One of the best-known AIS algorithms is the Negative Selection Algorithm (NSA), proposed by Forrest et al. [43]. NSA is a computational model for generating immune detectors. It simulates the recognition of biological antibody epitopes to accomplish self/non-self classification [44]: NSA classifies data as self when it is legitimate and non-self when it is anomalous. An advantage of this approach is the ability to detect threats without requiring abnormal examples in the training dataset [45]. Figure 3(a) represents the anomaly-free network behavior. Each column represents a one-second interval, and each green circle is the data collected and preprocessed by the Flow Collector module. Figure 3(b) presents the training phase, in which the detectors, represented by purple circles, are created. At the end of the training phase, the goal is that as many behaviors as possible are covered by the detectors, as in Figure 3(c). The classification phase is shown in Figure 3(d), where the current traffic captured by the Flow Collector is represented by yellow circles. If the current traffic differs from what is expected, the detectors present at the anomalous moment are activated and report the detected anomaly. In the figure, red circles represent the activated detectors.
The AIS Detection module divides NSA into two phases. The training phase creates detectors that are then used in the classification phase to recognize unusual behavior. Both phases rely on a similarity calculation: in the training phase, similarity is used to accept or reject the created detectors; in the classification phase, it detects the intervals that contain anomalies.
The Absolute Distance (AD) was chosen to calculate the similarity, as it has been used successfully in other works [46], [47]. AD is expressed by equation (2), in which $p$ and $q$ are the values being compared.
A detector is represented by a set $t_i = \{H(srcIP), H(dstIP), H(srcPort), H(dstPort)\}$, where $1 \le i \le n$ is its index and $t$ is the second to which the group belongs. Each detector thus holds the entropy values of the source and destination IP addresses and of the source and destination ports, respectively.
A collection of detectors $t = \{t_1, t_2, \ldots, t_n\}$ contains all the detectors created for the instant $t$.
The training phase needs an anomaly-free training dataset to generate the detectors; such a dataset is commonly produced in a controlled environment, without any type of attack. The training phase starts by generating a random value for each feature $f$ present in the training dataset. This random value is drawn from the uniform distribution on the interval between zero and the highest value of this feature in the training data. After that, a similarity score $\delta_f$ is calculated between the random value and all samples of feature $f$, and the score must be no smaller than the minimum similarity hyperparameter $k$; otherwise, a new random value is generated for that feature and the process restarts.
A detector is complete only when all its features have similarity values greater than or equal to the minimum similarity with respect to the training dataset. The new detector is added to the detectors' collection, and the generation process terminates when this collection reaches $n$ detectors, i.e., $|t| = n$.
As detectors are generated, the similarity between detectors is also computed, to avoid creating similar detectors that would fail to cover the search space efficiently. The smaller the similarity score, the more similar the detector is to the training instances. The objective is to create detectors that are dissimilar both from the observed training data and from the previously generated detectors. Thus, each detector represents a possible abnormal traffic event, and the collection of detectors as a whole is intended to represent the possible unusual behaviors.
Calculating similarity feature by feature, rather than for the complete detector, speeds up the generation process, because a generated detector is not entirely discarded: only the feature values that were rejected by the minimum similarity are regenerated. Also, in the classification phase, each feature can be evaluated separately, which makes it possible to detect attacks with specific behaviors. At the end of the first phase, the generated detectors' collection is sent to the second phase of the AIS module. Algorithm 1 describes the first phase, the detectors' generation.
The second phase of the AIS module classifies the ongoing traffic as normal or abnormal. The samples collected and preprocessed by the Flow Collector module are received, and their similarity to the previously generated detectors' collection is calculated.
Using collected or statistically extracted data to detect anomalies can lead to significant errors. In addition, there is no clear boundary between abnormal and usual behavior [48], [49]. In this sense, instead of using a hard threshold as in classical classification, we use fuzzy logic to recognize network threats.
A Fuzzy Inference System aims to generate an output value supported by fuzzy logic for a given input. It assigns values ranging from 0 to 1 [50] to provide a rational analysis in an environment with imprecise or incomplete information [48], such as network traffic analysis. The first step is to fuzzify the input through a membership function, creating a fuzzy set. Several rules are then applied to the fuzzy set, preparing it for the defuzzification process, which outputs a crisp value that takes into account all the rules applied previously.

Algorithm 1 Pseudocode for Detectors Generation
Input: Training Data (tData), number of detectors (n), and minimum similarity (k)
Output: Detectors Collection (t)
To use a Fuzzy Inference System on the similarity score $\delta_f$, calculated for a given feature $f$ between the incoming data and the detectors' collection $t$, a fuzzy membership function is applied. We applied the Gaussian membership function expressed by equation (3), where $\delta_f$ is the similarity score, $k$ is the minimum similarity, and $\sigma_f$ is the standard deviation of the similarity score of feature $f$. If $\delta_f$ is less than $k$, the result of this equation is set to 1; this rule was created to prevent the membership value from decreasing when $\delta_f$ is smaller than $k$. After applying the membership function, each sample has four fuzzy values $\zeta_f$, one for each traffic feature. One way to calculate an overall score for the sample is to sum these values. However, each feature is affected differently by different types of attacks. Therefore, calculating an importance coefficient for each feature provides more accurate detection, making it possible to detect attacks that do not significantly affect the normal behavior of the network or that have specific behaviors, such as portscan attacks.
To obtain these four importance coefficients, multinomial logistic regression (MLR) is used. MLR is a logistic regression method for data in which the dependent variable is categorical and unordered, and the independent variables are continuous or categorical [51], [52].
The MLR method requires a labeled dataset containing normal and abnormal traffic samples to generate the importance coefficients. These coefficients were then incorporated into the calculation of the overall score of each sample. MLR was used only once to obtain the coefficients, and a labeled dataset is no longer necessary for the rest of the detection.

Algorithm 2 Pseudocode for Data Classification
Input: Data to be classified (newData), detectors collection (t), importance values (impValues), and minimum similarity (k)
Output: Classification Result

Thus, the overall sample score is calculated by multiplying each fuzzy value by its respective importance coefficient and summing the results. When this score is higher than the cutoff threshold, the sample is considered abnormal; otherwise, it is normal. Unlike rate-limiting approaches that use a fixed number to define the maximum number of connections, AIS-IDS uses the normal network behavior to decide when an attack is occurring. Algorithm 2 presents the pseudo-code for the second phase, and Figure 4 presents an overview of both phases of the AIS Detection module.
Traditional IDSs typically use several days of traffic as a training dataset. Thus, a new behavior may take a long time to be recognized, and new patterns in the network data may not be detected rapidly [53]. To address this issue, we use a sliding window. This technique ensures that the AIS algorithm generates the detectors rapidly, so the analysis of new flows can be performed in near real time. Another advantage is that only recent data is used to create the detectors, which improves the detection capacity, since the behavior of the network changes during the day and stale detectors can lead to erroneous detections. Figure 5 shows how the sliding window works with window size $w$. Two datasets are used: one containing one day of traffic without anomalies ($d$) and the other containing the measurements performed periodically during the current day ($dA$). The former is used in the detector generation process, and the latter in the classification process. For instance, the last $w$ samples of dataset $d$ are used to generate the detectors that classify the sample $dA(w)$.
After the sample is classified as normal or abnormal, both sliding windows advance one position to classify the next incoming sample. At the beginning of the process, if $w$ samples are not yet available for training, all available samples are used until that number is reached. Thus, the hyperparameter $w$ defines the number of samples used in the generation phase, and varying it directly affects both the quality of the classification and the time required to perform it.
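The following Python block is an added example, not the paper's code, tying together the detector generation of Algorithm 1, the fuzzy scoring of Algorithm 2 and the sliding window described above. Where the page names a formula only by its number, the block uses standard forms and labels them as assumptions: the Absolute Distance is taken as $|p - q|$, the Gaussian membership as $\exp(-(\delta_f - k)^2 / (2\sigma_f^2))$ clipped to 1 below $k$, $\sigma_f$ as the standard deviation of the training-to-nearest-detector distances, and the importance coefficients are fixed constants standing in for the MLR output. The training data, `K`, `THRESHOLD` and the window parameters are constructed for the demonstration.

```python
"""AIS Detection module: negative selection detectors over the four entropy features
(training phase), Gaussian fuzzy membership with per-feature importance (classification
phase) and the sliding training window.
Added example, not the paper's code. Assumptions: Absolute Distance is |p - q|; a
candidate feature value is accepted when its distance to every training sample, and to
every already accepted detector, is at least k; the Gaussian membership is
exp(-(delta_f - k)^2 / (2 sigma_f^2)), set to 1 when delta_f < k; sigma_f is the standard
deviation of the distances from the training samples to their nearest detector; the
importance coefficients are fixed constants standing in for the MLR output; the cut-off
threshold is 0.5; all training data below is constructed."""
import math
import random
import statistics

FEATURES = ("srcIP", "dstIP", "srcPort", "dstPort")
IMPORTANCE = {"srcIP": 0.15, "dstIP": 0.35, "srcPort": 0.15, "dstPort": 0.35}  # stands in for MLR
K = 0.2          # minimum similarity hyperparameter (assumed value)
THRESHOLD = 0.5  # cut-off on the overall score (assumed value)


def absolute_distance(p, q):
    """Equation (2): Absolute Distance between two feature values."""
    return abs(p - q)


def nearest_distance(value, values):
    """delta_f: distance from a value to the closest member of a set of values."""
    return min(absolute_distance(value, v) for v in values)


def generate_detectors(training, n, k=K, seed=7, max_tries=10000):
    """Training phase (Algorithm 1 style). Only a rejected feature value is redrawn;
    the candidate detector as a whole is never discarded."""
    rng = random.Random(seed)
    detectors = []
    for _ in range(n):
        det = {}
        for f in FEATURES:
            column = [s[f] for s in training]
            taken = [d[f] for d in detectors]
            for _ in range(max_tries):
                cand = rng.uniform(0.0, max(column))
                if nearest_distance(cand, column) >= k and (
                        not taken or nearest_distance(cand, taken) >= k):
                    det[f] = cand
                    break
            else:
                raise RuntimeError(f"no admissible value for {f}: lower n or k")
        detectors.append(det)
    return detectors


def feature_sigma(training, detectors):
    """sigma_f per feature (assumed: std of training-to-nearest-detector distances)."""
    sigma = {}
    for f in FEATURES:
        dets = [d[f] for d in detectors]
        dists = [nearest_distance(s[f], dets) for s in training]
        sigma[f] = max(statistics.pstdev(dists), 1e-6)  # floor avoids division by zero
    return sigma


def gaussian_membership(delta, k, sigma):
    """Equation (3) as assumed above: zeta_f = 1 for delta < k, Gaussian decay beyond."""
    if delta < k:
        return 1.0
    return math.exp(-((delta - k) ** 2) / (2.0 * sigma ** 2))


def overall_score(sample, detectors, sigma, importance=IMPORTANCE, k=K):
    """Algorithm 2: sum over features of importance_f * zeta_f."""
    score = 0.0
    for f in FEATURES:
        delta = nearest_distance(sample[f], [d[f] for d in detectors])
        score += importance[f] * gaussian_membership(delta, k, sigma[f])
    return score


def classify(sample, detectors, sigma, threshold=THRESHOLD):
    return "abnormal" if overall_score(sample, detectors, sigma) > threshold else "normal"


def training_window(d, position, w):
    """The last w samples of the anomaly-free dataset d up to `position`, fewer while
    the window is still filling at the start of the day."""
    return d[max(0, position + 1 - w):position + 1]


def constructed_day():
    """12 one-second samples of anomaly-free entropies with a small deterministic jitter."""
    base = {"srcIP": 3.0, "dstIP": 2.0, "srcPort": 3.0, "dstPort": 2.0}
    return [{f: base[f] + 0.02 * (i % 5) - 0.04 for f in FEATURES} for i in range(12)]


if __name__ == "__main__":
    d = constructed_day()
    window = training_window(d, position=11, w=8)
    dets = generate_detectors(window, n=3)
    sigma = feature_sigma(window, dets)
    flood = {"srcIP": 2.0, "dstIP": 0.0, "srcPort": 5.0, "dstPort": 0.0}
    for name, sample in (("normal", d[11]), ("flood", flood)):
        print(name, round(overall_score(sample, dets, sigma), 3), classify(sample, dets, sigma))
```

Running the block scores the last normal sample of the constructed day and a flood-like sample against three detectors generated from an eight-sample window. With only three detectors the coverage of the non-self region is sparse, so the score of a given anomaly depends on where the detectors happened to land; in practice $n$ and $k$ are tuned so that the collection covers the space densely, which is what Figure 3(c) depicts.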

C. MITIGATION MODULE
When the AIS Detection module detects an anomaly, it forwards all flows from the anomalous interval to the Mitigation module, which applies packet-dropping policies to contain the detected attack. DDoS and portscan attacks alter the behavior of the traffic attributes, making it possible to discover the IP addresses and ports involved in the malicious communication.
Two strategies are defined and applied according to the type of anomaly: DDoS and portscan attacks. A DDoS attack floods a server with multiple requests sent from various sources to make an online service unavailable. The first step to stop the attack is to discover the IP address of the host under attack. Then, all hosts flooding a specific port associated with a service offered by the attacked host are identified.
After identifying the malicious IP addresses, the Mitigation module creates a flow with a drop action to discard packets from each attacker. This flow is sent from the controller to the switches in the data plane via OpenFlow, and incoming packets that match these mitigation flows are dropped, so the target is not overwhelmed. Portscan attacks attempt to discover active services by sending messages to different ports of the victim. The port scanning can be performed from a single source or coordinated by multiple adversaries; the latter is harder for an IDS to detect because the scanning traces are scattered across different hosts [54], [55]. After recognizing the target, the policy for interrupting a portscan attack finds the attacker's IP address as the address associated with several flows destined to different ports of the target.
When the attacker's IP address is identified, the policy enables the strategy of discard all packets from the malicious source intended to the destination. The blocker flow created has the highest possible priority (65535) among all flows, so it is executed before all regular forwarding flows. Algorithm 3 presents the pseudo-code for the mitigation module and Figure 6 shows the module scheme.
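The two mitigation strategies described above, as an added example that is not the AIS-IDS authors' code (Algorithm 3 is not reproduced here). It runs on a constructed list of IP flows from one anomalous interval, identifies the victim, the flooding sources and the scanning source, and builds drop entries with priority 65535 in a JSON shape modelled on Floodlight's Static Flow Pusher. The field names of that REST body, the switch DPID and the thresholds min_sources and min_ports are assumptions; no request is sent.

```python
"""Flow-based mitigation policy for an SDN controller (added example)."""
from collections import Counter, defaultdict

# Highest OpenFlow flow priority, so the drop rule wins over forwarding rules.
BLOCK_PRIORITY = 65535

# Constructed flow records of one anomalous interval: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    # DDoS: twenty sources flood 10.0.0.9:80
    *[(f"10.0.1.{i}", "10.0.0.9", 80) for i in range(1, 21)],
    # portscan: one source probes twenty ports of 10.0.0.9
    *[("10.0.2.7", "10.0.0.9", p) for p in range(20, 40)],
    # background traffic that must keep flowing
    ("10.0.0.3", "10.0.0.9", 443),
    ("10.0.0.4", "10.0.0.5", 22),
    ("10.0.0.9", "10.0.0.3", 443),
]


def find_victim(flows):
    """The attacked host is the destination receiving the most flows."""
    return Counter(dst for _, dst, _ in flows).most_common(1)[0][0]


def ddos_attackers(flows, victim, min_sources=10):
    """Sources flooding a single port of the victim.

    Returns (port, sources) for the victim port contacted by the most distinct
    sources, or None if no port reaches min_sources (an assumed threshold).
    """
    by_port = defaultdict(set)
    for src, dst, port in flows:
        if dst == victim:
            by_port[port].add(src)
    port, srcs = max(by_port.items(), key=lambda kv: len(kv[1]))
    return (port, srcs) if len(srcs) >= min_sources else None


def portscan_attackers(flows, victim, min_ports=10):
    """Sources that open flows to many different ports of the victim
    (min_ports is an assumed threshold)."""
    ports_by_src = defaultdict(set)
    for src, dst, port in flows:
        if dst == victim:
            ports_by_src[src].add(port)
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def drop_rule(switch_dpid, src_ip, dst_ip, name):
    """Drop entry in a Static-Flow-Pusher-like shape (field names assumed);
    an empty action list means the matched packets are discarded."""
    return {
        "switch": switch_dpid,
        "name": name,
        "priority": str(BLOCK_PRIORITY),
        "eth_type": "0x0800",
        "ipv4_src": src_ip,
        "ipv4_dst": dst_ip,
        "active": "true",
        "actions": "",
    }


def mitigate(flows, switch_dpid="00:00:00:00:00:00:00:01"):
    """Apply both policies to one anomalous interval and return the drop
    entries the controller would push to the data plane."""
    if not flows:
        return []
    victim = find_victim(flows)
    blocked = set()
    ddos = ddos_attackers(flows, victim)
    if ddos:
        blocked |= ddos[1]
    blocked |= portscan_attackers(flows, victim)
    return [drop_rule(switch_dpid, src, victim, f"block-{src}-to-{victim}")
            for src in sorted(blocked)]


if __name__ == "__main__":
    for rule in mitigate(SAMPLE_FLOWS):
        print(rule["name"], "priority", rule["priority"])
```

Only flows addressed to the victim are considered, so the legitimate client 10.0.0.3 and the victim's own outbound traffic are never blocked; the entries match source and destination only, which is what the text describes.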

A. TEST SCENARIO
To evaluate the AIS-IDS, we used Mininet [56], which emulates an SDN structure with switches, controllers, hosts, and links in a single Linux kernel. Applications developed in the emulated environment can be deployed in real scenarios with minimal changes. Mininet also supports Open vSwitch, a virtual multilayer switch that can handle both software- and hardware-based switching. All steps required for traffic monitoring, feature extraction, detection, and mitigation of anomalies were performed by applications incorporated into Floodlight, a Java-based open-source controller. The entire topology was tested on a six-core 2.6 GHz machine with 32 GB of memory, running Mininet 2.2.2, Floodlight 1.2, and Ubuntu 18.04. The emulated topology comprised six Open vSwitch switches, sixty hosts, and an SDN controller, as shown in Figure 7. The chosen topology was tree-based: s1 is the root switch, and all the other switches were connected to it. Twelve hosts were connected to each switch of the second level of the tree. The Floodlight controller communicated directly with each switch via the OpenFlow protocol.
We used Scapy 2.4.0 to generate the usual traffic in the emulated network. Scapy is a powerful tool for a testbed environment, as it forges packets and sends them through a network interface. The flows that composed the network traffic were generated randomly, and the volume of data changed throughout the day to simulate variations in network usage.
Distributed Denial of Service (DDoS) attacks were generated using the hping3 software. We configured multiple sources to send many requests to a single destination in the emulated network. One host in the network was the victim of portscan attacks conducted by another host with Scapy. In this case, the attacker sent packets with the SYN flag set to different ports of the destination host, trying to receive confirmation of which ports were open.
Three days of traffic were generated in the controlled environment to assess the efficiency of our proposal. The first comprises a day of non-anomalous traffic; these data were used as the training dataset of the AIS-IDS. Two more days were also generated, each containing a DDoS and a portscan attack. We make the dataset of both abnormal and normal traffic resulting from the traffic generation available (http://www.uel.br/grupos/orion/datasets.html). The complete information about the attacks is presented in Table 2.

B. AIS-IDS EVALUATION
The proposed AIS-based IDS has some hyperparameters that must be defined before use: w is the size of the sliding window, k the minimum similarity score, n the number of detectors, and the last one the cutoff threshold value. The tests were performed using the first day as the training dataset and the second day as the test dataset.
Five metrics were used for evaluation: accuracy, precision, recall, false positive rate, and f-measure. Accuracy (ACC) evaluates the ratio of intervals correctly classified. The second metric, precision (PREC), emphasizes the detection of abnormal intervals and penalizes normal intervals classified erroneously. Therefore, this metric complements the information provided by accuracy, giving meaningful results when the classes are not equally represented. Recall (REC) indicates the proportion of correctly classified anomalous samples among all abnormal samples. The False Positive Rate (FPR) indicates the proportion of incorrectly classified normal samples among all normal samples. Finally, the f-measure is a general score given to the classifier, obtained as the harmonic mean of precision and recall. Each of the metrics used to assess the detection scheme ranges from 0 to 1, where 0 is the worst-case scenario and 1 the optimal value.
To find the best value for w, tests were performed varying this hyperparameter and evaluating the f-measure score. The results are shown in Figure 8. The best results were obtained with a window size of 60. Therefore, the hyperparameter w is set to 60 in the experiments.
Grid search was used to define the optimal n and k hyperparameters. In the tests, n varied from 30 to 140 and k from 0.1 to 0.4. The f-measure metric was used to compare overall performance.
All the results are depicted in Figure 9. The heatmap presents the results of each test. With this chart, it was possible to verify that from 90 detectors, the results obtained by the
6 http://www.uel.br/grupos/orion/datasets.html
The last hyperparameter, representing the cutoff threshold, was defined using a precision-recall curve, as depicted in Figure 10. This curve represents the precision and recall values for each cutoff value from 0 to 10.5, in increments of 0.1. The best cutoff value was chosen when the highest recall and accuracy values were reached. In the tests performed, the best value achieved was 7.1, so this was the value assigned to the cutoff threshold in the evaluation experiments.
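The sliding-window operation described at the start of this section and the five metrics defined above, as an added example that is not the authors' code. The AIS detector generation is replaced by a deliberately simple stand-in (a sample is anomalous if it exceeds the mean plus sigma standard deviations of the last w training samples); the per-second feature series, its attack interval and the single legitimate burst are constructed, and the choice not to feed samples flagged as anomalous back into the training window is a design decision of this example, not something the paper states.

```python
"""Sliding-window classification with ACC, PREC, REC, FPR and f-measure (added example)."""
import statistics
from dataclasses import dataclass


@dataclass
class Metrics:
    accuracy: float
    precision: float
    recall: float
    fpr: float
    f_measure: float


def evaluate(actual, predicted):
    """Compute the five metrics from per-interval labels (True = anomalous).
    A ratio with an empty denominator is reported as 0."""
    pairs = list(zip(actual, predicted))
    tp = sum(1 for a, p in pairs if a and p)
    tn = sum(1 for a, p in pairs if not a and not p)
    fp = sum(1 for a, p in pairs if not a and p)
    fn = sum(1 for a, p in pairs if a and not p)

    def ratio(num, den):
        return num / den if den else 0.0

    prec = ratio(tp, tp + fp)
    rec = ratio(tp, tp + fn)
    return Metrics(accuracy=ratio(tp + tn, len(pairs)),
                   precision=prec,
                   recall=rec,
                   fpr=ratio(fp, fp + tn),
                   f_measure=ratio(2 * prec * rec, prec + rec))


def threshold_detector(window, sample, sigma=4.0):
    """Stand-in for the AIS detectors: flag the sample if it exceeds
    mean + sigma * stdev of the training window. With fewer than two
    training samples nothing can be judged, so the sample passes."""
    if len(window) < 2:
        return False
    return sample > statistics.mean(window) + sigma * statistics.pstdev(window)


def sliding_window_classify(samples, w, classify=threshold_detector):
    """Classify each sample using only the w samples that precede it.

    During warm-up, while fewer than w earlier samples exist, all available
    ones are used, as the text describes. Samples flagged as anomalous are
    not appended to the training window (a choice of this example) so that a
    sustained flood does not become the new normal.
    """
    training, verdicts = [], []
    for x in samples:
        verdict = classify(training[-w:], x)
        verdicts.append(verdict)
        if not verdict:
            training.append(x)
    return verdicts


def build_series():
    """Constructed per-second feature series (think flows per second): small
    periodic jitter around 100, a flood during t = 150..179, and one
    legitimate burst at t = 250 that is not an attack."""
    values, labels = [], []
    for t in range(300):
        attack = 150 <= t < 180
        value = 100 + (t % 7) - 3          # 97..103
        if attack:
            value += 400
        if t == 250:
            value = 130                     # flash burst, labelled normal
        values.append(value)
        labels.append(attack)
    return values, labels


def run_example(w=60):
    """Classify the constructed series with window size w and score it."""
    values, labels = build_series()
    return evaluate(labels, sliding_window_classify(values, w))


if __name__ == "__main__":
    print(run_example())
```

On this series every attack second is caught (recall 1.0) and the single burst at t = 250 is the only false positive, so precision is 30/31 and the f-measure 60/61; the FPR of 1/270 shows why that metric is reported alongside accuracy when normal intervals dominate.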
With all the hyperparameters defined, AIS-IDS was executed, and Figure 11 displays the behavior of each network feature and the intervals with attacks on the analyzed day. Intervals the AIS-IDS detected as anomalous are highlighted in red. As represented in the figure, most of the intervals in which the traffic was affected by the attacks were correctly detected. However, some periods without attacks were considered abnormal (false positives), and some intervals with attacks were considered normal (false negatives). In general, the AIS-based IDS yielded reliable detection rates, with an f-measure superior to 99.97%.
Another analysis is presented in the scatter plot, which demonstrates how each feature behaves during the day. Figure 12 represents the fuzzy values of each feature used in the test dataset. For a better view, every 60 seconds were grouped into a single point. It is possible to note that, at the moments when the attacks occur, the fuzzy values of all features are high, showing an apparent variation that reveals the attacks present in these intervals.
To evaluate the result of AIS-IDS attack detection and mitigation, the AIS detection module was configured to trigger the alarm and inform the mitigation module. Figure 13 shows in green the traffic after the mitigation, and the red lines are the traffic before the mitigation process. It was possible to notice that the variations in the features were eliminated after the mitigation process. This result confirms that attack flows were correctly blocked and that normal flows were maintained.

C. COMPARISON WITH OTHER METHODS
In this section, the proposed AIS-based IDS is compared with some machine learning algorithms. We chose the Naive Bayes (NB) [57], k-Nearest Neighbors (kNN) [58], and Random Forest (RF) [59] algorithms because they follow different learning paradigms with different learning biases. Besides, the Local Outlier Factor (LOF) [60] algorithm was selected because it is similar to the proposed solution, i.e., it does not use anomaly samples for training.
All the classifiers used in the comparison were implemented using the scikit-learn library, version 0.21.3. We evaluated the result of kNN by varying the number of nearest neighbors k from 1 to 40, and the best result was obtained with k = 3. Regarding the Random Forest (RF), we evaluated the number of estimators from 1 to 120, and the best results were reached with 60. For the Local Outlier Factor (LOF), we evaluated the number of neighbors from 1 to 20 and contamination values from 0.05 to 0.4. In the experiments, a neighbors value of 23 and a contamination of 0.4 yielded the best values regarding the evaluation metrics.
NB, kNN, and RF require previous knowledge about the attacks, hence we used day 3 (Table 2) as their training dataset. All the results presented in this section were obtained by evaluating the compared methods, including our IDS, on the traffic of day 2. All the results are detailed in Table 3. RF outperformed all the compared algorithms, achieving the best possible results in the simulated scenarios. AIS obtained the second-best result. The results of the NB and kNN approaches were slightly lower than those of AIS. However, when analyzing the LOF algorithm, which operates in a similar way, the advantage of AIS is more significant.

D. COMPARISON USING PUBLIC DATASET
Our proposal was also evaluated on a public dataset, the CiCDDoS2019, which contains generated flows. Analyzing the dataset, it was found that anomalous and normal flows were imbalanced due to the flows of DDoS attacks, which are usually numerous in order to flood the target. Thus, a downsampling process was performed to balance the database for each type of attack. For each type of attack, five available normal flows were randomly collected. This ratio was adopted by observing the frequency of attacks, so as to maintain the network pattern even with a less imbalanced distribution of common traffic.
For the approaches that require attacks in training, such as NB, kNN, and RF, an analysis was made, and it was verified that all one-second intervals contained attacking flows, which would compromise the evaluation since all intervals would be considered attacks. Therefore, the anomalous and normal flows were regrouped to avoid this problem. After that, the same sampling strategy used for the training dataset was applied to the test dataset. For the approaches that do not use attack samples in the training dataset, such as AIS-IDS and LOF, all attacks were removed from it. In the comparison on the CiCDDoS2019 dataset, the same features and algorithms were used.
Comparing the metric results presented in Table 4, RF maintains good performance, reaching an f-measure of 84.59%. Nonetheless, the AIS approach reached the best result in this scenario, with an f-measure of 92.28%. The LOF algorithm achieved an f-measure of 83.39%. kNN and NB were the algorithms with the worst performances, respectively.
Figure 14 shows the anomaly detections of each tested approach. Blue intervals are those assigned as anomalous by the compared algorithm, and the red bars indicate the intervals in which anomalous events occurred. As can be seen, AIS and RF were the best approaches, detecting long anomalous periods and yielding fewer false positives than the other approaches. LOF was also able to detect long-term attacks, however with many false positives compared to AIS and RF. On the other hand, NB and kNN had high numbers of false positives, significantly impairing the quality of detection.
Figure 15 shows the Receiver Operating Characteristic (ROC) curve of each approach used in the comparison and its respective Area Under the Curve (AUC) value. AIS was the approach that obtained the best result; RF achieved a result very close to our approach, while LOF had a slightly lower result. The NB and kNN approaches had the worst results.

V. CONCLUSION
In this paper, we proposed an AIS-IDS to detect and mitigate anomalies in software-defined networks. Our proposal uses four features of IP flows collected every second to create the detectors. A sliding window was also introduced to perform detection in near real time.
The experiments performed in an emulated environment showed an f-measure higher than 99.9%, indicating that the proposed IDS is reliable for protecting a network. Also, on a public dataset of attacks, the value was higher than 92%, demonstrating the ability to detect very different attacks without requiring prior information about them. The mitigation module was also able to drop anomalous packets and block the attacks. The AIS-IDS proved to be an effective approach for detecting several types of flooding attacks and portscans. The approach recognizes anomalies only from network behavior, and thus becomes an alternative for today's networks, which suffer new attacks every day and with which traditional techniques do not keep pace. In future work, we will focus on improving the creation of detectors, using other techniques in the generation stage. We also aim to distinguish between flash crowds and DDoS attacks, and to pursue mitigation strategies for flash crowds, such as load balancing between servers. Finally, we intend to evaluate our proposal in real network environments.