Implementation details to reduce the latency of an SDN Statistical Fingerprint-Based IDS

Fausto A.; Marchese M.
2019-01-01

Abstract

The paper represents the first implementation step of a statistical fingerprint-based Intrusion Detection System (IDS) exploiting the SDN architecture already in the state of the art. The IDS collects traffic data and implements a suitable machine learning-based algorithm to detect the possible presence of malware within the data traffic, developing the data management scheme within a Ryu SDN controller. The analysis of the performance of the SDN infrastructure by which the Statistical Fingerprint-Based IDS has been implemented identified critical issues. The first issue to tackle is the delay introduced by the SDN hardware/software, which may hinder the practical application of the IDS. This paper presents the improvements applied to the SDN infrastructure in order to reduce the delays introduced by the SDN software infrastructure in an Ethernet-based network, in view of an application over SCADA industrial systems. The analysis focuses on the peak delays that correspond to the action due to the arrival of the first packet of each new flow for which there are no rules yet in the flow tables of the SDN switch. The implemented actions are described in detail. The obtained results are really promising.
2019
978-1-7281-3729-2

Use this identifier to cite or link to this document: https://hdl.handle.net/11567/1029528