Convolutional Neural Network Based Algorithm for Early Warning Proactive System Security in Software Defined Networks

Software-Defined Networking is an innovative architecture approach in the networking field. This technology allows networks to be centrally and intelligently managed by unified applications such as traffic classification and security management. Traditional networks’ static nature has a minimal capacity to meet organisations business requirements. Software-Defined Networks (SDNs) are the emerging architectures that address a range of networking challenges with new solutions. Nevertheless, these centralised and programmable techniques face various challenges and issues that require contemporary security solutions such as Intrusion Detection Systems. Recently, the majority of this type of security solution has been developed using Machine Learning techniques. Deep Learning algorithms have recently been used to provide more accuracy and efficiency. This paper presents a new detection approach based on Convolutional Neural Network (CNN). The experiments proved that the proposed model could be successfully implemented in a Software-Defined Network controller to detect various attacks with 100% accuracy, achieved a low degradation rate of 2.3% throughput and 1.8% latency when executed in a large-scale network.


I. INTRODUCTION
Security of modern communication networks alongside the integrity and privacy of data are growing to be a necessity in recent years. The essential requirement of an institution is to preserve its own and sensitive data from internal and external attackers. Some authorised users may infiltrate their company's data to be sent to others for various purposes. A continuous live feed of data causes difficulty in identifying an attack in real-time. Modern networks are composed of a combination of hardware and software entities tailored to meet the requirements of each organisation in a manner that appears arbitrary to the observer. These components include risks, weaknesses, and security limitations. The attack used by the software is complicated, and it puts the data at high risk. The developer and the programmers The associate editor coordinating the review of this manuscript and approving it for publication was Tawfik Al-Hadhrami . may ensure security in the systems by using log files. The complexity of modern communication networks makes systems vulnerable to security violations. The types of network attacks differ in severity and speedy based on different networking characteristics. The main challenge in modern network security is efficiently and in real-time detecting and mitigating the threats. Therefore, it is necessary to employ the Intrusion Detection System (IDS) technique to identify the internal and external intruders and protect the systems and networks.
Software-Defined Network (SDN) enables the network to be controlled by software that grans fewer networking devices and provides simple physical connectivity and configuration. Therefore, the network operators can adapt network behaviour to support modern services and security applications. Hence, the majority of the network's services will be more flexible, programmable, and not restricted by a platform [1]. VOLUME 10, 2022 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ FIGURE 1. SDN structure [6].
The main SDN characteristic is that the control and data planes are separated using the Application Programmable Interface (API). This implies that SDN decouples the forwarding and control functions in the network [2]. The forwarding devices, such as switches and routers, are separated from the control logic and moved into the logical controller. The controller represents the centralisation in SDNs [2]. Therefore, the data plane consists only of forwarding device sets managed by the controller. The decoupling of the data and control planes allows the network's services and applications to be programmable to enhance scalability and reliability [2].
The layers and planes of the SDN architecture are shown in Fig. 1. As indicated, the administrator can activate the network's security and strategies in the application plane by redirecting the network traffic to several applications or systems by adopting the control plane [3]. OpenFlow represents the communication interface between the data and control planes. Therefore, the data plane devices require the OpenFlow protocol to be connected to the control plane [3].
SDN monitors the external and internal environments by using the software [4]. The main advantage of SDN in implementing an efficient IDS is active traffic observation, in which the controller can access network traffic when needed. Therefore, it has the potential to inspect any unusual traffic in a network [5]. An IDS can identify and locate malicious activities by monitoring the network's traffic offline or in real-time [6]. Existing IDSs in SDN are Signature-Based, and Anomaly-Based [6]. This paper presents new IDS developed for modern SDNs, named Deep Learning-Early Warning Proactive System (DL-EWPS). DL-EWPS is a new approach that can detect various attacks across the SDN network in real-time using the CNN classifier. CNN is one of the Deep Learning algorithms used in images classification, Analysing Documents, Face Recognition, etc [1]. The model detects various attacks efficiently, such as Denial of Service (DoS), Distributed Denial of Service (DDoS), Probe, User to Root (U2R), and Remote to local (R2L). The proposed model reduces the controller's overhead in existing IDSs. Therefore, the proposed model offers a lightweight algorithm for SDNs to confirm that the current request has been completed and then sends another request without stressing the controller. DL-EWPS also presents a new swift method to convert the numerical data to RGB images to be used by CNN classifier.
Additionally, we added new features extracted from the flow table statistics to increase the reliability of the proposed model. The added features have been selected based on the investigation and analysis of some typical attacks behaviours. These features are widely practical during attacks. The proposed system has been implemented in the SDN controller. The evaluation shows DL-EWPS can detect various attacks with 100% accuracy and achieve a low degradation rate of throughput and latency when executed in a large-scale network.
The rest of this paper is organised as follows: Section two presents a literature review, while Section three describes the proposed model and the advantages. Section four explains the feature selection and the dataset: Section five discusses the evaluation and the results. Furthermore, Section six included the conclusion of the proposed model and the future work.

II. LITERATURE REVIEW
An IDS has been shown in [7] called DDosTC utilising the hybrid neural network, which consists of flexible transformers and CNN algorithm. The proposed model achieved a prediction accuracy of 99.86% with a 6:4 (training: testing) ratio, which is considered relatively high. However, the used hybrid model increased the complexity of the model, which required more resources, such as memory and CPU processing. The proposed IDS can only detect DDoS attacks. In addition, the proposed model involves many extracted features that require extra memory and a long-time process. Therefore, it will cause the controller's bottleneck and cannot be implemented in real-time in large-scale networks. The majority of these extracted features are not related to the practices of DDoS attacks. A less complex model was presented in [8]. The authors proposed a Deep learning (DL) approach for the SDN context to identify the DDoS and DoS attacks between the controller and end-user devices in real-time. The proposed model in this research detects the attack by utilising the standard DL algorithm with Relu and Softmax functions. The CICIDS2017 public dataset was used for the training and testing phases. The proposed model achieved a prediction accuracy of 99.6%, which is also considered relatively high. However, the presented model also involves many extracted features that require high memory and a long CPU process. Some of these features are unreachable in the SDN context or require additional operations, leading to congestion on the OpenFlow channel and controller overhead.
Niyaz et al. [9] presented an IDS which is Deep Learningbased, identifying a DDoS attack in the SDN environment for multi-vector attack detection. The model includes three modules: Traffic Collector and Flow installer (TCFI), Feature Extractor (FE), and Traffic Classifier (TC). The system checks every packet in the SDN controller, extracts the features, and then passes the extracted features to be classified as either a regular or malignant packet. The authors collected a dataset from a home wireless network (HWN). In this paper, they employed the tcpdump tool and hping3 tools to generate DDoS traffic. At the Feature Extractor (FE) module, the proposed system extracts 68 features to be used in the classification for every single packet. However, it could only achieve a low accuracy of 95.65%. The number of extracted features requires high-level memory and a long processing time as this process performs for every packet. Therefore, this causes a bottleneck in the controller. In addition, most of these extracted features are not related to the practices of DDoS attacks. Moreover, the authors broke the concept of SDN architecture as they configured the controller to force the switches to send all packets through the controller to be treated and ignored the flow table function. Therefore, the controller will be crashed when running such a model in large-scale networks, resulting in a low performance in small networks.
On the other hand, in [10], a detection technique was proposed by employing a Deep Neural Network (DNN) approach to identify the DDoS attacks in the SDN networks. The NSL-KDD public dataset was used during the training and testing stages. The proposed model used the six basic features in the classification, and the controller extracts these features for each flow in real-time. However, the small number of the extracted features caused too low accuracy in the detection stage, which was 75.75%. These features have been extracted from the flow's basic statistics information and are not sufficient to cover the attacks' behaviours; therefore, the attacker can easily avoid the IDS. The authors configured the controller to receive flow statistics from all OpenFlow switches sequentially each fixed time. This process stresses the controller, but not more than in the model proposed in [9].
A comprehensive IDS is presented in [11]. The proposed model is a flow-based anomaly detection approach in the OpenFlow controller that uses Gated Recurrent Unit Long Short-Term Memory (GRU-LSTM DNN). A feature selection technique called ANOVA F-TEST was used to obtain a high-performance classification. The NSL-KDD public dataset was utilised for the training and testing stages of the experiment. The proposed model detects various attacks such as Prop, U2R, R2L, and DoS. The proposed model employed 41 features in the classification extracted for each flow at the SDN controller in real-time. However, the model achieved an accuracy of 87% with a false alarm rate of 0.76% which are considered relatively low. The proposed system is complex as more DL algorithms have been used in feature selection and classification. Such algorithms utilise the resources. In addition, the presented model also involves a large number of extracted features that require high memory and a long CPU processing time. Hence, the controller will generate an overload, negatively affecting the network's performance. In contrast, a lightweight method was proposed in [12] to reduce the controller overload. This approach utilises the Gated Recurrent Unit Recurrent Neural Network (GRU-RNN) to classify traffic in real-time. The NSL-KDD public dataset was used during the training and testing phase. The proposed model used six basic features for the classification. These features are extracted for each flow inside the SDN controller in real-time. However, the presented model achieved a low throughput degradation rate of 7% and achieved a low detection rate of 89%. This limited number of extracted features has resulted in low efficiency in attack detection because it is primitive and does not sufficiently cover the attack behaviours, especially when traffic is real-time and threats can harm the communication in a short time.
Jiaqi et al. [13] proposed an ML approach in the SDN 5G environment for identifying DDoS, DoS, U2R, and R2L attacks. The proposed system is executed using the SDN controller. The K-means++ and AdaBoost algorithms were used to classify the traffic, and the Random Forest (RF) algorithm was used for feature selection. The authors used the KDD Cup 1999 dataset, which is widely used to evaluate the IDSs. However, the proposed model in this paper uses a Big Data Center module to store the network packets for further analysis, resulting in increased model complexity. The model has been achieved an accuracy of 84%, which is considered relatively low. The Random Forest (RF) algorithm failed to select related features that cover the behaviours of the attack, and this can be observed when the model achieves a low detection accuracy. The authors did not consider the controller's bottleneck as the controller requests all flows from flow tables while it has not yet finished the previous request. Therefore, the presented model requires a technique to confirm that the current process has been completed and then sends other flow statistics requests. Conversely, Hybrid Neural Network (HYBRID-CNN) method was used in [14] in order to detect the attacks. The model has been achieved an accuracy of 95.64% which is considered relatively high. The proposed method is highly complex because it combines two Deep Learning (DL) algorithms: Deep Neural Network and Convolutional Neural Network. The nature of these algorithms is high resources utilisation. Therefore, the proposed system is inappropriate with a large network.
Alternatively, in [15], an approach to identify attacks was presented. The neural network algorithm was used to classify each flow inside the SDN controller. The NSL-KDD public dataset is used to train and test the proposed IDS. VOLUME 10, 2022 The model's target is to define the DOS, U2R, R2L, and Probes. The model achieved a detection rate of 97.4%. However, in the training stage, the use of a small dataset size negatively affects the actual test's detection accuracy. The extracted features are obtained only from the header packet, which are not cover the attack behaviours. In addition, the dataset used has a highly redundant record. The processing operation was conducted in the controller for each packet involved in generating a bottleneck for the controller and a single point of failure. This is a big challenge in implementing Machine Learning (ML) approaches with IDS. Additionally, the proposed model requires a feature selection method to select the features that are effective when an attack occurs.
The essential issues with ML/DL approaches are extraction and feature selection methods. Existing systems suffer from many features used in classification or use only basic features. Using a large number of features causes overload and problematic latency in the network. While using a small number/basic features does not provide accurate detection of attacks as it does not cover the behaviour of attacks. Therefore, obtaining a high accuracy with limited raw features using DL/ML approaches requires more attention from researchers.
Most researchers propose models that require monitoring traffic in real-time; therefore, this process needs to analyse each packet/flow pass through the network and then classify it as normal or malignant by using a specific classifier. Therefore, the processing requires time, memory, and more CPU usage to collect, process, and classify the traffic. This process causes congestion in the controller and the switches. Therefore, researchers must consider the trade-off between classifiers efficiency and network performance.

III. SYSTEM MODEL
DL-EWPS is a flow-based IDS for the SDN networks, as shown in Fig. 2 Fig. 2. This model is the first step process that the controller must perform. After receiving all ofp_flow_stats reply messages, the module extracts the selected eleven features in Table 2 for each updated flow in the last three seconds. Three seconds interval time was selected to obtain sufficient information to identify the attack [17]. The too-long interval time allows the controller and switches to process many flows, which negatively affects the network's performance and sometimes causes controller crashes. The module then calculates the number of received messages and the number of flows (CountFlow) to be used in the next module.

C. FLOW CLASSIFICATION AND COUNTER MODULE
This module is being enabled when the features have been extracted. After the essential process is complete, the module will receive all the currently requested flows from the Statistics' Receiver and Features' Extractor module. At this time, each flow was enclosed by its features and statistics. Afterwards, the module performs a pre-processing step for each flow. In the pre-processing stage, the module converts the numerical features into RGB images to be classified utilising the CNN algorithm. The purpose of converting numerical data into RGB images is that the CNN classifier is designed for images classification. Therefore, the CNN requires images as input to work appropriately [18]. Hence, the proposed model presents a novel method to generate RGB images using the selected eleven features, as demonstrated in Fig. 3. These features are numerical; to convert it to an RGB image, the model demands to re-scale the data within the range of 0-255 because the RGB image takes values within that range for red, green, and blue. The RGB image consists of a set of pixels, and each pixel has three bytes acting on the R, G, and B values [19]. To adapt that with the given numerical data, we selected a 3 × 4 array to cover all the selected eleven features. Each location in the array has three identical values. Only the last location in the array takes three different values, where R is the value of the first feature, G is the value of the fifth feature, and B is the value of the eleventh feature. These specific features were selected to take the location (3,2) of the image array because these features are widely affected when an attack occurs. For example, the first feature's value is 33.36, after re-scale it by equation 1, it will be equalled to 0.2, so the R, G, and B values will be equal to (0.2, 0.2, 0.2), and these values will be settled in location (0,0) of the array. The combination of these values gives a special colour, as depicted in Fig. 2.
where x is an original value, New_Value is the re-scaled value. The converted RGB image will be forwarded to the pre-trained CNN classifier. The CNN classifier will predict forwarded image according to its analysing. When CNN has performed the forecasting process, the result will be allocated to the type of the current flow, whether normal or attack. The CNN model was fully trained by using the InSDN dataset [20]. In the experiments, we employed Keras and TensorFlow to develop the CNN model [21], [22]. The specifications of the CNN model are listed in Table 1. These specifications have been selected through several experiments. It was noted that the use of Epoch 10 with a batch size of 32 is more convenient and contributes to reducing the training time. Fig. 4 shows the architecture of the proposed CNN algorithm. The CNN architecture included two Convolutional 2D and two Max Pooling Layers.
If the current flow is identified as normal, the counter flow (CountFlow) will be decreased by one, and then will take the following flow within the current request. The controller sends two orders if the current flow is identified as attack flow. The first action will send to the switch to update the flow table of the predicted flow by sending of.OFPP_DROP request. This order orders the switch to drop any further matching packets in the future. The second action will be forwarded to the administrator to take further actions to minimise the risk of the detected malignant traffic. In this case, the counter of the flows (CountFlow) will also be decreased, and the module then processes the following flow in the current request to be processed using the same procedure that followed previously. If the CountFlow counter has elapsed, the model will send new ofp_flow_stats request messages for all the connected switches, as shown in Fig. 1 and Algorithm 1. This process is novel and reduces the controller's overload and OpenFlow channel congestion by confirming that the current request has been completed and then sending another request without stress to the controller and the OpenFlow channel.

IV. FEATURES SELECTION AND DATASET
Some of the researchers have used only basic flow statistics extracted directly from the flow tables. Such basic  Next end end statistics: duration, protocol_type, count_bytes, src_port, and count_packet [23], [24]. These statistics are inadequate for identifying attacks efficiently and do not cover the attack's behaviours [24]. This issue negatively reflects the reliability of the IDSs to detect the attacks. In addition, the high number of extracted features also affects the network's performance, as it requires more processing time and consumes the network resources.
To solve the above issues, we fed the model with eleven features to increase the reliability of the proposed model, which covered most of the attacks behaviours, as shown in Table 2. These features were chosen depending on how its effects when an attack occurred. This feature number is not large; hence, it avoids the long time and complexity of the process.
We used the InSDN dataset to train our DL-EWPS. The InSDN is a new dataset created by the University College Dublin team in September 2020 [20]. This dataset was generated by a mechanism that is realistic. Most of the public dataset issues are solved in the InSDN, such as redundancy [20]. The InSDN dataset is the first public dataset created within the SDN architecture. Furthermore, this dataset includes updated attacks and simulates new behaviours. The InSDN includes the attacks such as DoS, DDoS, Prob, U2R, R2L, and Portscan. The InSDN dataset is the first public dataset collected from the SDN environment [20].
In addition, we added new features extracted from the flow table statistics to increase the reliability of the proposed model. These features are the following, Con_s_service, ave_bytes, N_uiqIP, N_reDstIP, and Pkt_Avg, as described in Table 2. The added features were selected based on the investigation and analysis of some typical attack behaviours. These features have been evaluated and clearly observed that are effective when an attack occurs, as shown in Fig. 5. Therefore, DL-EWPS has another contribution when these features are added. Our experiments showed that the model reduced the overhead on the controller and increased the accuracy of the CNN classifier, as described in the next section.

V. SYSTEM MODEL EVALUATIONS AND EXPERIMENTS A. THE DETECTION TECHNIQUE EVALUATION
We evaluated the DL-EWPS through various experiments. We used the following metrics to test and evaluate the effectiveness and performance of the detection technique in our model.  • Accuracy (AC): Percentage of accurate predictions over the total traffic. The following equation has been used to calculate the accuracy: • Precision (P): also known as a false alarm, it is used to assess the number of attack traffic detected correctly. P calculates by equation 3: • Recall (R): estimates the rate of predicted attacks against the total of attack traffic. R is calculated by follows equation: • F1-measure (F1): returns a more reliable measurement of the model's accuracy depending on both R and P.
The CNN model was evaluated by using the above metrics with a binary labelled dataset (Normal and Attack). The CNN algorithm has been selected to classify the sample flows in real-time. The architecture and CNN specifications are shown in Fig. 4 and Table 1. The CNN was implemented by using the TensorFlow and Keras libraries in Python. TensorFlow and Keras libraries developed specifically for ML and DL implementation in Python language [21], [22]. The experiments were conducted by training and testing the model using three feature groups of the InSDN dataset. The feature groups are as follows, • Basic Features Group: includes only basic statistics directly extracted from the flow table. These features VOLUME 10, 2022 include Flow Pkts/s, Flow Byts/s, Flow Duration, Pro-tocol_type, Src Port, and Dst Port. The researchers have widely used these Features Group. These features sets are rudimentary and do not cover the behaviours of attack [24].
• All features Group: includes all features sets in the InSDN dataset, which includes 83 features extracted for each flow [20].
• 11 Features Group: includes the basic features and five new features added to cover the behaviour of attacks and increase the model efficiency. These features are listed and described in Section IV and Table 2. The results of these experiments are shown in Table 3. Our CNN achieved the highest accuracy, P, R, and F1. In all features groups, the proposed model has achieved the highest accuracy of 100%. This proves that the proposed model is promising and can detect attacks with a 100% accuracy. The CNN model was evaluated using a 5-fold cross-validation method in all scenarios. We compared our model with other classifiers, such as NB, DNN, SVM, and Logistic Regression. The proposed system achieved the highest accuracy among the other classifiers, as shown in Table 4.
We can conclude from the experiments that the CNN architecture and the invented method of generating RGB images contributed to achieving highly accurate attack detection.

B. NETWORK PERFORMANCE EVALUATION
It is vital to evaluate the network performance when installing an IDS to check the integration. The most commonly used metrics in network performance evaluation are throughput and latency. Therefore, the throughput and latency metrics have been utilised to evaluate our DL-EWPS.

1) THROUGHPUT EVALUATION
In general, throughput is defined as the number of elements passing through a process. In this step, DL-EWPS was tested using the Cbench tool. Cbench is a benchmark equipment employed to evaluate the throughput and latency of the controller [17]. This tool is open-source and programmed in C language and is available online on [25]. Cbench calculates how many packets the controller can treat per second. In throughput mode, Cbench sends extensive packet_in requests to the controller by all switches and calculates how many packet_out replies have been returned per second. We used the Mininet emulator and POX controller to implement the DL-EWPS and test the network performance with the throughput evaluation. The implementation was performed utilising six scenarios. Each scenario used a specific number of OpenFlow switches: 8, 16, 32, 64, 128, and 256. These switches were connected to a single controller via port number 6633. Each switch had 1000 end-users in all scenarios. All scenarios were tested using our features extraction method and the traditional method. Our features extraction was performed in two phases. The first phase extracts only the features of flows that are updated within the last 3 seconds to minimise the generated overhead on the controller. In the second phase, the controller does not send further ofp_flow_stats requests to the switches without completing the processing of the current request. This phase reduced the overload on both the controller and OpenFlow channel. In comparison, many researchers have configured the controller to send requests during a fixed period, regardless of the current request has been processed or not. Hence, such a process will lead to exhausting the OpenFlow channel and the controller.
As shown in Fig. 6, the DL-EWPS does not have a high controller's degradation rate. The highest degradation rate was 2.3% when the controller was tested using 256 switches. The degradation rates of the other scenarios were between 1% and 2%. These rates are insufficient and do not affect the controller performance when the DL-EWPS is installed in the POX controller. Therefore, the throughput evaluation proves that the proposed DL-EWPS is promising and highly efficient in large-scale networks. In contrast, as shown in Fig. 6, we tested the topology using the traditional method to coach all flows in the OpenFlow tables of the connected switches. The controller sorts the data and extracts the features for all flows. This process increased the overhead/congestion of the controller and decreased the throughput to a degradation rate of approximately 29.5% when 256 switches were used.

2) LATENCY EVALUATION
Latency is defined as the time required for packet_in to reach a target [26]. In the latency evaluation, we used a series of the same experiments used in the throughput evaluation. In latency mode, Cbench makes all connected switches send a single packet_in request to the controller and calculates how long it will take to hit the destination [17].
As shown in Fig. 7, DL-EWPS does not cause a high latency rate. The highest latency rate was 1.8% when the controller was tested using 256 switches. Moreover, the latency rates of the other scenarios were between 1.4% and 1.8%. These rates do not affect the network performance when installing the DL-EWPS. Accordingly, the latency evaluation also proves that the proposed model is highly efficient for large-scale networks.
As presented in Fig. 7, the topology was tested utilising the traditional method to coach all the flows in the OpenFlow tables of the connected switches. This process increased the latency rate to 34.8% when 256 switches were used. Therefore, this rate is considered very high and causes deficient network performance.

VI. CONCLUSION
This paper presented a new DL-EWPS model that can predict the network attacks early using a Deep Learning approach in SDN networks. The model employed a novel method to convert the numerical data into RGB images to benefit from the advantages of a CNN-based classifier. This method increased the accuracy of the CNN predictor and reduced the size of the images. In addition, we added new features extracted from the flow table statistics to increase the reliability of the proposed model. The added features were selected based on the investigation and analysis of some typical attack behaviours.
Through the experiments and evaluations, the DL-EWPS achieved an accuracy of 100% in traffic classification. At the same time, the latency and throughput evaluations prove that our model is promising and has high efficiency for large-scale networks. In general, our proposed system is the first model in SDN to achieve 100% accuracy with significant performance when installed on large-scale SDN networks.
In future work, we intend to implement our proposed detection system on physical devices, where all the researchers use emulation to evaluate their systems.