Research on neural networks in computer network security evaluation and prediction methods

Abstract

Anomaly detection in networks to identify intrusions is a common and successful security measure used in many different types of network infrastructure. Network data traffic has increased due to the proliferation of viruses and other forms of cyber-attacks as network technology and applications have developed quickly. The limitations of classical intrusion detection, such as poor detection accuracy, high false negatives, and dependence on dimensionality reduction methods, become more apparent in the face of massive traffic volumes and characteristic information. That’s why IoT infrastructures often use Software-Defined Networking (SDN), allowing for better network adaptability and control. Hence, this paper’s convolutional neural network-based Security Evaluation Model (CNN-SEM) is proposed to secure the source SDN controller from traffic degradation and protect the source network from DDoS assaults. The proposed CNN-SEM system might defend against DDoS assaults once discovered by applying and testing a Convolutional Neural Network (CNN). The model can automatically extract the useful aspects of incursion samples, allowing for precise classification of such data. The detection and mitigation modules evaluate the proposed SDN security system’s performance, and the findings showed promise against next-generation DDoS assaults. The experimental results show the CNN-SEM achieves a high accuracy ratio of 96.6%, a detection ratio of 97.1%, precision ratio of 97.2%, a performance ratio of 95.1% and an enhanced security rate of 98.1% compared to other methods.

Keywords

Computer network convolutional neural network Internet of things (IoT)Software-defined Networking (SDN)security

1. Introduction of Computer Network Security Evaluation based on convolutional neural network

The primary focus of the computer network security measures used by businesses and other organizations is monitoring and preventing illegal access from the outside by potential intruders. The scale of the computer network dictates the specific needs that must be met by each of the several management strategies for computer network security. For instance, a home office just needs the most fundamental level of network security, but huge corporations need high maintenance levels to protect their networks from hostile assaults.

The Network Administrator manages who may access the many data and applications stored on the network. A network administrator gives the user identification number and password to the authorized individual [1]. Wireless sensor networks (WSNs) have increased in recent years, leading to advancements in the Internet of Things (IoT) with many uses. The Internet of Things (IoT) has enormous potential for growth and impact with applications spanning public health, environmental monitoring, and the Intelligent Transportation System (ITS), among others [2]. Smart factories, buildings, and transportation modes (aircraft and cars included) all rely on the ability to share data, photos, and videos across the IoT [3]. It is inappropriate for these private communications to be leaked in such programs [4]. However, as computer networking and communication technologies advance rapidly, privacy and security issues become more pressing than ever [5]. The information system is now significantly endangered by widespread security flaws [6]. As a result of the vastness and interconnectedness of modern computer networks, many would-be attackers must rely on finding and exploiting security holes to gain access to vulnerable systems. [7]. The widespread use of Web applications has brought humanity into the Information Age.

As the most popular data network, the Internet provides unparalleled size and efficiency in its pooled resources. [8]. However, security risks to sites exposed to the intranet are growing in severity due to the disorganization of network use and administration and ignoring security concerns in early network protocol design [9]. Security is the backbone of network growth, as shown by the average number of incursions every second. Regarding national security and commercial interest, the information security business is uniquely sensitive [10]. As a result, given the current state of networks and IT, assessing computer network security to reduce or prevent economic loss due to information leakage or destruction is a crucial strategic problem [11].

Even though the paradigm for Internet security architecture has been excellent, there are still many attacks [12]. For instance, a DoS attack might result from many malicious nodes simultaneously sending data. Therefore, the network should be constructed to accommodate IoT data flows [13]. Some frequent risks remain on the internet despite the existing security measures in place, such as unauthorized access to networks, damage to integrity, denial of service attacks, eavesdropping on information, damage to confidentiality, a Man in the Middle attack, virus invasion exploit assaults and so on [14]. Finding a method that improves safety while increasing convenience seems to be a time-consuming procedure [15]. This study takes this vantage point and investigates the causes of privacy security issues before outlining some relevant IoT risk mitigation strategies [16]. Intelligent processing, comprehensive intuition, and trustworthy transmission are three features of the IoT that contribute to its security [17].

The emerging paradigm, software-defined networking (SDN), aims to simplify and streamline network management [18]. SDN simplifies network administration by replacing “black-box” hardware-based network elements with “white-box” software-based ones [19]. Since the centralized controller controls all control operations, the data and control planes may be separated separately [20]. This controller informs SDN-managed switches and routers of the real-time rules for managing and forwarding packets. Because of these benefits, SDN is a great platform for building and managing computer networks.

The suggested method protects the SDN controller from flood attacks and stops them at the source end of the network, safeguarding the victim’s server in a roundabout way. The system is split into two parts: the Detection Module, which monitors for attacks, and the Mitigation Module, which chooses appropriate drop rules to prevent unauthorized access to the SDN controller. The detection module used CNN to analyze IP traffic in several dimensions. Since this method allows the system to pick up regional patterns in the dataset, it is often employed for image recognition/classification problems. After evaluating computer network security using a neural network simulation model, analyzing the method of choice of the scale calculation, and constructing the system security detection algorithm atop the system security experiment platform, the study explains how it all works.

The main contribution of this paper:

•
Designing the proposed CNN-SEM to reduce traffic degradation and protect the source network from DDoS assaults.
•
The proposed system is split into two parts: the Detection Module, which monitors for attacks, and the Mitigation Module, which decides which drop rules to implement to keep the SDN controller safe.
•
Numerical findings show that the suggested strategy provides a high level of security while outperforming other approaches.

The remainder of the study is organized as follows: Section 2 analyzes the literature review, Section 3 describes the suggested approach, Section 4 discusses the findings, and Section 5 summarizes the paper.
2. Literature review

Information technology has become so important to contemporary firms that upper management is keen to keep tabs on how it is being protected [21]. A conceptual design for a powerful information security performance assessment tool for senior management is presented, with the InfoSec BSC translated into five governance and control frameworks.

Cybersecurity and protecting private data are more crucial than ever in today’s interconnected digital world [22]. The essay discusses the moral considerations in striking a middle ground between cyber-security and privacy issues and offers concrete recommendations. By highlighting the need to balance cyber-security and privacy, this article aims to draw attention to the necessity for ethical and legal issues in creating digital technologies and their regulation.

As internet use has increased over time IoT has become more commonplace and widely adopted [23]. The proposed study introduces a cascading wormhole detection method (CWDM) for IoT networks using a Dynamic Trust Factor (DTF) and the federated deep learning method. The DTF is based on two trust qualities, and federated training of deep learning models such as CNNs and LSTMs ensures confidentiality and integrity of data at the network’s edge. Lightweight and accurate, the suggested method uses a cascaded and federated learning strategy.

Cloud computing, vehicle network systems, the Internet of Things (IoT), etc. have all contributed to a rise in the volume of data transferred during the last several years [24]. This research uses a machine Learning (ML) based IDS framework (ML-IDSF). The XGBoost-LSTM and the XGBoost-GRU multiclass classification methods outperformed their respective benchmarks on the NSL-KDD (86.93%) and the UNSW-NB15 dataset (78.40%). Based on these findings, our suggested IDS framework outperformed the state-of-the-art alternatives.

To keep up with the ever-increasing need for bandwidth, many businesses are turning to optical networks because of their vast capabilities [25]. Spectrum Chain (SC) is a distributed BC-enabled inter-ISP coordination framework (BC-EI-ISPCF) for assigning spectrum in SDONs with a focus on Quality of Service (QoS) to remove centralized intermediaries while coordinating QoS-based inter-ISP traffic. Simulation results under HWS, BWS, and NWS conditions demonstrate that the SC framework is capable of managing QoS-enabled inter-ISP routing in SDON architecture concerning Flow Setup Time (FST), Messaging Processed (MEP), Request Serviced (RS), and Accepted Ratio (AR).

Consistent information security breaches have shifted attention to company culture [26]. This research aims to learn how an organization’s culture affects its approach to information security. The study’s theoretical foundation is the well-established anthropological notion of basic message systems. The relevance of security culture and awareness is highlighted, adding to our knowledge of the aspects that impact information security.

Research and development efforts are already creating prototype implementations of autonomous transportation, garnering growing attention [27]. As a potential answer to the problem of moving people through urban waterways, this article focuses on autonomous passenger ships (APS). The paper’s risk assessment approach (RAA) examined how a Cyber-Physical System (CPS) might affect safety and security, especially considering how CPS vulnerabilities may jeopardize APS passengers and the surrounding operational environment.

The digital age and the advancement of science and technology have made it imperative to find a way to integrate complicated and dynamic data with the capacity for self-protection [28]. Traditional methods of security in the computer system are relatively inactive. This article seeks to do this by thoroughly analysing the existing landscape and future possibilities for employing AI deep learning technology to monitor the security of computer networks. It can monitor the network’s weak spots and alert to potential security breaches before they happen.

Sensitive information is protected by firewalls, IDSs, and other network security measures [29]. Audit log administration, safety event surveillance, and account password administration are the three primary tenets of the unified security management platform for wireless data networks that are the subject of this study. Adaptable rule-based organizational structure designed for computer systems with moderate connectivity between modules.

Data are the most valuable metric because of how dependent the world is becoming on the internet [30]. This study simulates an intrusion detection system taught to recognize these assaults in LANs and other data-processing networks. They use neural networks, a kind of machine learning to achieve this goal. As our research shows, this study intrusion detection system model (IDSM) using neural networks to detect intrusions into a network seems to be a viable option.

Analysis shows problems with the current approaches, such as poor performance and inaccurate results. The papers suggest security architecture to prevent internal DDoS assaults against the SDN controller. In contrast to other efforts, our solution does not call for changes to the existing network infrastructure. As a result, network administration is simplified since the need for push-back in mitigation is removed. To defend the targeted server and the SDN controller from a DDoS, it is necessary first to reduce the impact of the assault at the source end of the network.

3. Proposed methodology

The heterogeneity of IoT devices shows that traditional network designs can’t handle these devices’ wide range of requirements. Since SDN allows for a more adaptable and controllable network architecture, it is sometimes assumed that IoT is synonymous. Recent instances have shown that the insecurity of IoT devices may be exploited to launch widespread Distributed Denial of Service (DDoS) assaults. As the amount of data generated by IoT botnets grows, it becomes more difficult to use traditional methods of detecting and mitigating this attack at the target end network. This research presents a near real-time security solution for SDN, which shields the origin SDN controller from traffic disruption and blocks DDoS assaults before they ever reach the network. After a DDoS attack has been noticed, the suggested system shows how it may protect itself using a Convolutional Neural Network (CNN).

Figure 1.

IoT Devices with different ISP networks.

Figure 1 depicts a distributed denial-of-service attack using the same technique as in the previous example but without the proposed defense. The Internet is a network that links many different local area networks (LANs) and other devices. Increased network size and traffic are common results of the popularity of Internet of Things technologies. The potential vulnerability of IoT devices to malware infections renders these LANs potentially formidable sources for distributed denial of service (DDoS) attacks. The goal of these assaults is to stop the target’s server from working by exploiting its decentralized architecture. Infected devices from several ISP LANs may converge on a target server, as seen in Figure 1. This assault, together with those from competing ISPs, has severely depleted the capacity of the network used to provide the victim’s location. This might affect the performance of the SDN central controller and, by extension, the quality of services provided to end customers, depending on the number of infected devices inside an ISP’s network.

Figure 2.

Proposed CNN-SEM.

CNNs process the raw pixel data of an image via several filters before learning and using more abstract properties for image categorization. Modern model architecture for image classification issues is the convolutional neural network. Convolutional, pooling, and fully linked layers comprise CNN’s hidden layers, which sit between the input and output layers. The image is processed using a convolutional layer that acts as a set of filters. The layer uses a geographic extent and stride value that have already been calculated to generate a single value for each area in the final feature map. Nonlinearities may be introduced into the model by applying activation functions to the output after the convolutional layers. By preserving the largest value and discarding the remainder, the pooling layers scale down the picture data collected by the convolutional layers, reducing the number of dimensions in the feature map’s sub-regions. After convolutional and pooling layers have recovered features, they are compressed by fully connected layers and utilized for classification. Each node in a dense layer is linked to each node in the layer above it.

This paper aims to create and implement a DOS monitoring IDS. Figure 2 displays the IDS-CNN architecture developed in this study to detect DDoS attacks in network traffic. The four levels of this architecture are as follows: data collecting, data pre-processing, a Convolutional Neural Network (CNN)-based Denial of Service (DoS) Detection model, and decision-making.

Real-time network traffic is received from the sampler or collector system, and any preexisting data is also added to this layer, which is responsible for data collection. The first stage in building a CNN model is preprocessing the raw data for input. Once collected, the data normalisation module will preprocess the gathered data at the bottom layer. These details might have a wide range of sizes and types. It must be transformed into a single type and confined to the interval [0, $\ldots$ , 255]. After the data has been normalized, we’ll transform the matrix conversion module into a matrix for input to a CNN model. Model for the Detection of DOS Using Convolutional Neural Networks: The next detection model layer employs a trained CNN model to categorize the incoming traffic into one of five distinct classes, including those above “normal” traffic and the four “attack” traffic types. Detection reliability is knowledge-dependent. They provide CNN training with a database of relevant information, which is then utilized to generate traffic policy. When CNN classification is finalised, a decision will be made on blocking or allowing the traffic. If the communication is malicious, it may be blocked or forwarded to another server for further inspection. The observed result may be used to improve the system’s detection capabilities by updating the knowledge database.

Figure 3.

Analysis of CNN-SEM based on IP flow dimensions.

Measurements of IP fluxes are the basis for the suggested technique. It uses many approaches to detect DDoS assaults and identify patterns associated with regular network activity. As a result of the investigation, this safety measure is now accessible. The suggested system updates its analysis of IP traffic data every second. The purpose is to limit the damage caused by DDoS attacks to legitimate users. The SDN controller (and, by extension, its users) and the targeted external server may suffer less harm if the assault is identified and countered promptly through this time interval analysis.

It is crucial to stress the system’s autonomy, enabling detection and mitigation to proceed briskly. Human intervention is unnecessary since the system will notify the network administrator whenever a DDoS is detected. Figure 3 is a high-level flowchart explanation of the proposed system’s operation. The SDN controller exports every other dimension or aspect of IP flows through the Open Flow protocol. These factors are measured using both quantitative and qualitative information. The Detection Module cannot use the information until the qualitative component is quantified. Therefore, the Shannon Entropy is applied to the qualitative dimensions to reveal the level of concentration or dispersion within the time frame under consideration. If we have a dimension $Y=\left\{{{"}y_{1},y_{2},\ldots,y_{m}}\right\}^{\prime\prime}$ where $y_{j}$ is the occurrence frequency of sample i at a particular time interval compute the Shannon entropy ( $g$ ) for the dimension $y$ by following these steps:

$\displaystyle g\left(y\right)=-\sum_{j=1}^{M}\left({\frac{y_{j}}{t}}\right)% \log_{2}\left({\frac{y_{j}}{t}}\right)$ (1)

As shown in Eq. (1) shannon entropy dimension has been calculated. Where $t$ is the total number of times each element occurred over the studied period and $t=\sum_{j=1}^{M}\left({\frac{y_{j}}{t}}\right)$ is the formula for calculating this total. Consequently, the dimension in question will have a low entropy value if a large concentration of a certain kind of destination IP Address exists. On the other hand, if the data about the same dimension are highly dispersed, an entropy value greater in absolute terms will be obtained. Next, the Detection Module receives the numerical information about the analyzed dimensions so it may analyze it and decide whether a DDoS attack has happened. The Mitigation Module kicks into gear if a DDoS is identified. The SDN controller will next create and implement a countermeasure policy.

Figure 4.

DoS attack detection through CNN-SEM.

Since CNN is widely used as an image classification model, it makes sense for it to accept pictures as input. Even if the input data differ, CNN may be used to categorize speech or text. It is recommended that these datasets be transformed into the standard one, a matrix of the values of each pixel in the picture. A number between 0 and 255 may be assigned to each pixel.

Because of its usefulness in levelling the playing field between data of varying dimensions, data normalization has widespread use in computers. This study uses the min-max normalization technique to deal with the information. Here is the form of the transformative function:

$\displaystyle Y_{j2}=\frac{y_{j1}-y_{\min}}{y_{\max}-y_{\min}}$ (2)

As described in Eq. (2) transformative function has been deliberated. Where $y_{j1}$ is the feature’s first set of data representing $j$ . In this notation $y_{\max}$ is the feature’s maximum data $y_{\min}$ its minimum data and $Y_{j2}$ its normalized data.

While more advanced feature selection methods exist, this phase employs a straightforward approach based on the coefficient of variance (CV) to choose the feature to be omitted. Here is how we characterize CV’s role:

$\displaystyle\text{coefficient varient}=\frac{\alpha}{\pi}$ (3)

As found in Eq. (3) coefficient variant has been deliberated. Where $\alpha$ is the feature’s standard deviation $\pi$ an is its average, and CV is its coefficient of variation. Generally speaking, a feature’s significance in the feature set increases as its CV grows. Thus, the characteristic with the lowest CV should be eliminated. However, if a feature’s average is zero, it’s important to emphasize that it should be eliminated first.

The convolution layer is the heart of every convolutional neural network (CNN). With the introduction of local perception, all neurons can use the same convolution kernel, with the number of weights determined by the total number of convolution kernels. As a consequence, a lot of weights may be eliminated, which improves computing efficiency. One possible expression for the convolution function is:

$\displaystyle G_{i}=e\left({g_{i-1}\otimes z_{i}+a_{i}}\right)$ (4)

As found in Eq. (4) convolution function has been examined. In this formula, $e\left(y\right)$ represents the activation function and $\otimes$ represents the convolution function. Nonlinear functions, represented here by the rectified linear unit (ReLU) $e\left(y\right)$ are used. To be effective, the pooling layer must follow the convolution layer. Over-fitting can be avoided and the size of the feature picture $G_{i}$ may be reduced. It may also be stated as:

$\displaystyle g_{i}=\textit{pool}\left({G_{i}-1}\right)$ (5)

As obtained in Eq. (5) pooling function has been discussed. Reconfirming $g_{i}$ to a vector is necessary after many layers of convolution and pooling. The fully connected layer may then categorize the vector data, leading to the desired output $x_{j}$ . Once $x_{j}$ is attained, the loss function may be used to determine how far off $x_{j}$ was from its target. Training strives to reduce mistakes as much as possible. In addition, the gradient descent technique is often used for error backpropagation.

Furthermore, $\max$ stands for the highest possible value. The weights of the cost functions for the category $m_{j}$ samples may be expressed as:

$\displaystyle Z_{j}\approx\frac{\max}{m_{j}}$ (6)

The $\approx$ in Eq. (6) demonstrates that while $Z_{j}$ is often computed using Eq. (6), $Z_{j}$ may be modified in practice. One record in the network data set has 41 characteristics of various types. Whether it is a string, an integer, or a float, its range is drastically different for each type. Due to the specific requirements of CNN, the data must be transformed into a new dataset where each value is an integer between 0 and 255. For this challenging situation, Line 7 may show the average number for each column. If a row’s value is less than 122, it may be adjusted by adding 122. The new value may be calculated at line 13 in all other cases. This is if the old value is less than twice the mean. Since CNN requires a square matrix for its input picture, the smallest matrix that can appropriately store all 41 attributes is a 7 $\times$ 7. As can be seen in Fig. 4, each new record in the dataset may be converted into a 77-square matrix. The matrix’s last eight bits are all set to 0.

Figure 5.

Detection module.

CNN architecture for optimally classifying input data builds and constructs the architecture using a variety of configurations and runs it repeatedly to see which one works best. Two Convolutional Layers and three connected layers make up our system’s CNN-SEM architecture, as shown in Fig. 5. Since the samples in our dataset are so little exclude the Pooling Layers from our CNN architecture. Our architecture makes use of two convolutional layers. The CNN-SEM $64\left[{3\times 3}\right]$ filters in our approach for the first convolutional layer, or Conv1. This layer inputs two-dimensional pictures of size $\left[{7\times 7}\right]$ created by network traffic. Feature maps of the size $\left[{7\times 7\times 64}\right]$ will be generated by this layer. Conv2, the second convolutional layer, employs $128\left[{3\times 3}\right]$ filters, yielding $\left[{7\times 7\times 128}\right]$ feature maps.

Our arrangement consists of three levels, all of which are linked. The first completely linked layer delivers Conv2’s map of characteristics generator outputs. The self-learning module collects data and feeds it into the classifier module, which then provides the final test results. This piece employs a convolutional neural network classification module based on the Softmax classifier. The Eq. (7) illustrates the Softmax classifier. In this formula $i$ represents the $i$ weight vector, and $X_{i}$ is the $i$ sample of data.

$\displaystyle X_{i}=\frac{f^{\theta_{i}Y^{\left(j\right)}}}{\sum_{L}\theta_{l}% y^{\left(j\right)}}$ (7)

As found in Eq. (7), a softmax classifier has been obtained to improve the high performance of the proposed work.

The class scores are calculated in the last fully connected layer (the Output Layer), yielding a volume of size $\left[{1\times 1\times 5}\right]$ , where each of the five values represents a class score among the five types of DoS assaults. Overfitting is avoided during CNN training using a drop-out value of $c=0.5$ .

Figure 6.

Mitigation mechanism module.

The implementation of a safeguard is shown in Fig. 6. Security mechanisms for the SDN and CNN are suggested here. It was intended to function as part of the SDN hub in ISP networks, where it can better help in DDoS defense. The suggested method also mitigates distributed denial of service (DDoS) attacks against external targets by stopping them before they reach the Internet. Using a “divide and conquer” strategy, multiple different ISPs’ source-end networks work together to reduce the impact of a DDoS assault.

The suggested security solution may monitor the SDN traffic patterns at one-second intervals. It can identify and prevent distributed denial of service (DDoS) assaults on the controller and, by extension, the external server being attacked. They demonstrated a Convolutional Neural Network (CNN) method for the Detection module and compared it to other methods for detecting anomalies. Accuracy, precision, and f-measure results were improved using the CNN approach, and the false-positive rate was also reduced.

The suggested CNN-SEM security solution may prevent internal DDoS attacks against an external server, keeping the SDN controller safe. In contrast to previous studies, our approach does not need adjustments to the preexisting network setup. Additionally, push-back is no longer required to achieve mitigation, which simplifies network administration. If the DDoS attack is mitigated on the networks at its origination points, it should also be possible to do so at its final destination. The SDN controller and the attacked server will be safe from harm now.

4. Results and discussion

As the person in charge of making sure everything runs well, network security is a top priority. The intrusion detection system (IDS) is a critical component for identifying and blocking malicious traffic before it causes damage to the system. By shielding the SDN controller from flood assaults and halting them at their origin, this strategy indirectly protects the victim’s server. Separate from the Mitigation Module, which selects the most suitable drop rules to block attackers from reaching the SDN controller, is the Detection Module, which keeps an eye out for assaults. For the Detection module’s multidimensional IP traffic analysis to deep learning’s Convolutional Neural Network (CNN). Since it allows the algorithm to pick up regional patterns in the dataset, this method is often employed for image recognition/classification challenges. After analyzing the method for choosing and determining the scale, constructing the system security detection algorithm on the system protection experiment platform, and detailing the processes involved in actualizing the algorithm, a neural network simulation model of computer network security evaluation reaches its conclusion. To conduct their research, the authors of this publication [31] used the SDN-based DDOS attack detection dataset. Using a neural network simulation model of computer network security evaluation concludes by analysing the selection strategy of the calculation scale, building the system security detection algorithm based on the system security experiment platform, and explaining the steps involved in the algorithm’s actualization. This paper utilized the SDN-based DDOS attack detection dataset for this analysis [31]. To measure how well the CNN model performs, this study uses three metrics: false alarm rate (FAR), detection rate (DR), and accuracy (AC). First, the four parameters TP, FP, FN, and TN are presented to calculate AC, DR, and FAR. Number of samples of an assault correctly identified as belonging to the attack class; abbreviated as true positive (TP). A false positive (FP) occurs when an otherwise healthy sample is incorrectly labeled as harmful. Number of malicious samples incorrectly assigned to the normal category; abbreviated false negative (FN). The number of samples is mistakenly categorized as normal (TN) when abnormal.

This SDN-specific data set was developed using a mininet emulator for traffic classification utilizing machine learning and deep learning. Ten mininet topologies with Ryu controllers and switches are created to start the project. Our network simulates genuine and malicious traffic, including TCP Syn assaults, UDP flood attacks, and ICMP attacks. The collection contains 23 attributes, some calculated and others collected from switches. One technique to compute packet rate is to divide by monitoring interval. You may also compute bytes per flow, the number of bytes transmitted each flow. The class name in the last column indicates malicious or benign traffic. Benign and harmful transmissions are 0 and 1. We simulate the network for 250 minutes with 1,04,345 rows of data. The simulation is repeated at regular intervals to collect fresh data [31].

Figure 7.

Accuracy ration (%).

4.1 Accuracy ratio (%)

A Convolutional Neural Network (CNN) is used in this research to detect DDoS attacks. By contrast, CNN-SEM states that a convolutional layer can only learn local patterns in the input feature space, whereas a fully connected layer can learn global patterns. Classification accuracy is enhanced greatly when CNNs are used in image processing settings because they can extract local patterns from the picture. Section 4 comparative analysis of CWDM [23], ML-IDSF [24], BC-EI-ISPCF [25], IDSM [30] and proposed CNN-SEM results are shown in Fig. 7 accuracy ratio with dataset [31].

$\displaystyle\textit{Accuracy}=\frac{\textit{TP}+\textit{TN}}{\textit{TP}+% \textit{TN}+\textit{FP}+\textit{FN}}$ (8)

As shown in Eq. (8), accuracy ratio. For this investigation, CNN data preparation involves modifying the initial data format and standardising the data values. When optimizing the performance of CNN models, converting normalized data into image data format is very necessary. During the training process, the parameters of the CNN model are adjusted to improve the overall accuracy of the model. The training process also includes making adjustments to a few parameters, which ultimately improves the accuracy of the model. Performing experiments and tests. The accuracy rate of the CNN model needs to be evaluated with the help of data. If the accuracy rate does not fulfil the training criterion, the model will continue to undergo the training procedure. The proposed CNN-SEM method employs a CNN to classify and identify malicious traffic based on its visual representation of raw IP flow data. The proposed CNN-SEM was successful in their attempts to identify a variety of harmful occurrences. Using CNN in this way of representing data shows promise. Raw flow data submitted during the training phase may teach the algorithm that certain IP addresses are linked to harmful activity.

4.2 Attack detection rate (%)

Network intrusion anomaly detection is widely used in networked computer systems to avoid security breaches. Virus and attack types have grown in number and sophistication with the explosion in network data traffic brought on by the fast development of network infrastructure and applications. Traditional intrusion detection suffers from poor detection accuracy, high false negatives, and dependency on dimensionality reduction methods when confronted with massive traffic and characteristic information. Therefore, developing a rapid and effective network intrusion anomaly detection system is crucial to managing the modern complex network environment. Figure 8 explores the detection rate based on the dataset [31].

$\displaystyle\textit{ADR}=\frac{\textit{TP}}{\textit{TP}+\textit{FN}}$ (9)

Figure 8.

Attack detection ratio (%).

As discussed in Eq. (9) attack detection ratio has been expressed. The attack detection rate (ADR) is the proportion of spotted assaults. This study creates a model for intrusion detection in computer networks using a CNN and SDN. This article’s primary goal is to use the CNN model to create a framework for an emergency response system in the context of network security. A possible per-second inspection of SDN communication is suggested as part of the proposed safety scheme. DDoS attacks on both the controller and the server being attacked from the outside are prevented and mitigated. Network administration is simplified when counteracting factors are removed. The targeted server and the SDN controller may be spared damage if the DDoS assault is thwarted at its source. According to CNN-SEM, exact network security is ensured by correctly segmenting the network, regularly updating and patching security devices, validating and testing security settings carefully, and investing in solutions that allow centralized administration and monitoring. It is possible to keep the accuracy and effectiveness of the security infrastructure regardless of whether the number of devices is increasing or decreasing. This can be accomplished by having a clearly defined policy and conducting audits several times.

4.3 Precision ratio (%)

Precision measures how often intervals are accurately identified as DDoS relative to the total number of samples labelled as DDoS. Since the SDN controller is along the path of the DDoS traffic it is reasonable to assume that the controller is the intended target. Section 4 comparative analyses of CWDM [23], ML-IDSF [24], BC-EI-ISPCF [25], IDSM [30] and proposed CNN-SEM results are shown in Fig. 9 precision ratio with dataset [31].

$\displaystyle\textit{Precision}=\frac{\textit{TP}}{\textit{TP}+\textit{FP}}$ (10)

As Eq. (10) described, the precision ratio has been deliberated. The classifier’s precision is the proportion of the test set samples properly labelled as belonging to the attack. As a result, the DDoS attacker strives for maximum harm with little detection of the SDN controller based on the dataset [31].

Figure 9.

Precision ratio (%).

A CNN cannot be fed raw network data without first undergoing preprocessing. Data must be transformed into a network-friendly format for this to happen. Common preprocessing tasks include encoding categorical variables, dealing with missing data, and normalizing results. The CNN’s input layer reads the network data that has been preprocessed. Protecting a network may include sending the CNN a series of packets or flows. Convolutional layers take in data and use it to learn hierarchical features. The input is convolved across these layers, which utilize filters called kernels to extract local patterns. These patterns could indicate benign or harmful network activity depending on the context. A labelled dataset is used to train the CNN, where each packet of input network traffic is tagged with the appropriate categorization (normal or attack). During training, the network adjusts weights by reducing the discrepancy between the expected and real labels. After training, it is possible to test the CNN’s ability to detect network intrusions using newly introduced data. As a result, the DDoS attacker strives for maximum harm with little detection of the SDN controller. In turn, the security system attempts to mitigate the disruption caused by the attacking user so that the SDN’s (ISP’s) services may continue functioning normally. Four metrics determine the payoff: (i) the deviation of the observed SDN behaviour from the period being analyzed interval, (ii) the attack cost for the attacker player, (iii) the ratio of trustworthy users’ consumption of bandwidth to that of attacking ones, and (iv) the anticipated packet drop for legitimate users following mitigation. The proposed security system may be broken down into two primary parts, as shown above. These are the Detection and Mitigation modules, each of which is made up of many smaller supplementary modules.

The purpose of the Detection Module is to detect and identify DDoS assaults. The second component, Anomaly Detection, monitors the network for DDoS attacks based on the properties of IP flows that have been examined. When a DDoS event is detected, the system sends a signal to the Mitigation Module, which makes the call on what steps should be taken in response. The results demonstrate the effectiveness of the mitigation strategy in resuming normal SDN functioning.

4.4 Performance ratio (%)

CNN’s high precision is made possible by its convolutional processes. Convolution, an action between two functions yielding a third function, may be used to symbolize how another changes one function’s shape. According to research on feature maps, convolutions are tensors in three dimensions. Dot-product filters are applied to the input, and the filtered data is convolved to pull out regional patterns. Similar to a sliding window, this filter uses a dot product of all filtering places on the picture to encode data. Figure 10 describes the performance ratio based on the dataset [31].

Figure 10.

Performance Ratio (%).

The area under the ROC curve (AUC) measures accuracy that considers every conceivable combination of TPR and FPR. The area under the ROC curve (AUC) may be calculated using the formula:

$\displaystyle\textit{AUC}=\int_{0}^{1}\textit{ROC}\left(s\right)ds$ (11)

The necessity for an unbiased and understandable statistic led to the use of a scale ranging from 0 to 1 for performance analysis. This decision was made to quantify model performance in tasks such as binary classification using metrics such as the Area Under the Receiver Operating Characteristic curve (AUC-ROC). It is not difficult to comprehend the range of AUC-ROC values, which extends from 0 to 1. A score of 1.0 would indicate that the model exhibits perfect performance, while a score of 0.5 would indicate that the model performs roughly as well as chance would. The comparison and contrast of the outcomes of many models is a pleasure to accomplish because of the convenience with which it can be used. The scale that ranges from 0 to 1 offers a range that is consistent and uniform within which to evaluate the performance of a model. As found in Eq. (11) AUC has been explained. Convolution is achieved by stopping these fixed-size filters at each accessible location along the 3D input feature map. This allows the 3D patches to be extracted, and then the dot products are transformed into 1D outputs. Commonly used after Convolutional layers in CNN networks, pooling layers try to decrease the spatial size of the representation. Since features are pooled before being downsampled in a CNN, fewer parameters and computations are required. Max pooling is this layer’s most often used approach because it performs well. It takes feature maps as input, extracts windows from those maps, and returns the channels’ maximum values as output.

5. Computer network security analysis (%)

The importance of computer network security grows as more and more services go to the web. Distributed denials of service (DDoS) assaults, which are becoming widespread, have caused substantial financial losses. Good detection performance is often achieved using deep learning techniques based on the dataset [31]. Figure 11 deliberates the security rate (%).

Figure 11.

Computer network security analysis (%).

Convolutional neural networks (CNNs) can only be trained using an annotated dataset containing safe and dangerous network traffic instances. A label stating whether it reflects normal or aberrant behaviour is required for a sample to be included in the dataset. The supplied dataset will condition the convolutional neural network (CNN). The network becomes better at parsing the input data for useful characteristics and making predictions based on the labels given as it gains experience. The supplied dataset will condition the convolutional neural network (CNN). The network becomes better at parsing the input data for useful characteristics and making predictions based on the labels given as it gains experience. Use a dataset from the training set to evaluate the model’s performance. Adjust the design or the hyperparameters based on the validation findings for better performance. Some computer network-dependent Internet of Things solutions may function normally in an SDN setting. To mitigate the effects of DDoS assaults on the Internet, ISPS must install DDoS security measures at the starting point of the end of their relationships, where they can most secure their SDN controller. In this research a Convolutional Neural Network (CNN) with Software-Defined Networking (SDN) based DDoS attack detection module and mitigation module that can make full use of data from many network packages and provide an early warning system. When used to identify DDoS attacks CNN-SEM relies on information from the relevant channels to conclude. The experimental results demonstrate that CNN-SEM outperforms other common machine learning techniques regarding accuracy. This result demonstrates that our method generally detects anomalous attacks, not DDoS attacks based on Eq. (6).

5.1 False alarm rate (%)

Figure 12.

False alarm rate (%).

Figure 13.

Detection rate (%).

The percentage of harmless occurrences that are wrongly identified as harmful is what is meant to be measured by the false alarm rate. Figure 12 provides a straightforward comparison of all models’ evaluation indices. An intrusion detection system is a vital network infrastructure protection against the ever-changing threat environment. This system can identify new assaults with a low false alarm rate and protect the network from threats. It has been shown via experiments that the model suggested in this work achieves an accuracy rate of 97.02% and a false positive rate of 5.02%.

Additionally, it has a high generalization ability and good detection ability for unknown attack kinds. The accuracy of the detection results and the false alarm rate are lower than the best detection result in the literature. The accuracy of the detection results is greater than the best detection result.

5.2 Detection rate (%)

Figure 13 examines the detection rate. Defects may also have their detection rate computed. Finding the attack detection rate is as simple as dividing the total number of attacks by the number of attacks detected. In this study CNN data preparation, the original data format is modified and the data values are normalized. Converting normalized data into image data format is essential for CNN model performance optimization. During training, the parameters of the CNN model are fine-tuned to increase the model’s performance. The training procedure also involves adjusting a few parameters, which improves the model’s performance. Conducting experiments. The CNN model’s accuracy rate should be tested using data. Unless the accuracy rate meets the training criteria, the model will repeat the training process. Therefore, CNN-SEM attack correlation is employed to raise the accuracy rate of intrusion detection while decreasing the false alarm rate for cyber-security research.

The provided CNN approach was evaluated in two test situations to determine its efficiency on the Detection module. They used OpenFlow (IP flow data), the Mininet network simulator and Floodlight (an SDN controller) to simulate various designs and DDoS intensities on the first one. Protecting the SDN controller against internal distributed denial of service attacks that aim at an external server is the capability of the security system. There is no need to change the network infrastructure to implement our approach. Additionally, it simplifies network administration by doing away with push-back mitigation. Safeguarding the targeted server and the SDN controller may be achieved by reducing the impact of the assault on the destination-end network, which in turn reduces the impact of the DDoS attack on the source-end networks.

6. Conclusion

The IoT paradigm brings in exciting new prospects for goods and services. Due to the diverse nature of IoT devices, the rigid architectures of legacy networks are ill-equipped to meet their unique needs. Software-defined Networking (SDN) is often linked to the Internet of Things because it allows for a more adaptable and controllable network architecture. Recent occurrences have highlighted the potential for Distributed Denial of Service (DDoS) attacks to be launched via compromised IoT devices. As IoT botnets generate more and more data, the conventional method of detecting and counteracting this kind of assault at the receiving end of the network is becoming more infeasible. This study focuses on protecting the origin SDN controller against traffic degradation and distributed denial of service attacks, and a near real-time SDN security solution is presented. After DDoS attacks have been found, the suggested method shows how a Convolutional Neural Network (CNN) might be used to protect against them. The proposed SDN security system was tested in two different situations, with encouraging findings for its ability to fight off the next generation of DDoS attacks. The results of two tests reveal that the proposed SDN security system can effectively fend off the next generation of DDoS attacks. The experimental results show the CNN-SEM achieves a high accuracy ratio of 96.6%, a detection ratio of 97.1%, precision ratio of 97.2%, a performance ratio of 95.1% and an enhanced security rate of 98.1% compared to other methods.

Data availability statement

The data of this paper can be obtained through the email to the authors.

Funding

There is no funding information for the work in this paper.

Footnotes

Conflict of interest

The authors declare that there is no conflict of interest regarding the publication of this work.

References

Dolan

Widayanti

. Implementation of authentication systems on hotspot network users to improve computer network security. International Journal of Cyber and IT Service Management. 2022; 2(1): 88-94.

Wang

. The application of data encryption technology in computer network security. In 2023 International Conference on Networking, Informatics and Computing (ICNETIC). IEEE. 2023 May: 114-118.

Bansal

Jenipher

Jain

Dilip

Kumbhkar

Pramanik

, … Gupta

. Big data architecture for network security. Cyber Security and Network Security. 2022: 233-267.

Qin

Lao

. Computer network security protection system based on genetic algorithm. In 2023 International Conference on Applied Intelligence and Sustainable Computing (ICAISC). IEEE. 2023 June: 1-8.

Guo

Zhao

Chen

Zhang

Sun

Feng

. Research on the application risk of computer network security technology. In 2023 International Conference on Networking, Informatics and Computing (ICNETIC). IEEE. 2023 May: 36-39.

Dewangan

Sarkar

. A study on network security using deep learning methods. Advanced Engineering Science. 2022; 54(2).

Yina

. Discussion on computer network security technology and firewall technology. International Journal of New Developments in Engineering and Society. 2022; 6(4).

Hossain

Islam

. Ensuring network security with a robust intrusion detection system using ensemble-based machine learning. Array. 2023; 19: 100306.

Badonnel

Fung

Scott-Hayward

Valenza

Hesselman

. Guest editors introduction: special section on recent advances in network security management. IEEE Transactions on Network and Service Management. 2022; 19(3): 2251-2254.

10.

. Network security evaluation and optimal active defense based on attack and defense game model. In 2023 International Conference on Distributed Computing and Electrical Circuits and Electronics (ICDCECE). IEEE. 2023 April: 1-7.

11.

Talib

Alothman

Mohammed

. Malicious attacks modelling: a prevention approach for ad hoc network security. Indonesian Journal of Electrical Engineering and Computer Science. 2023; 30(3): 1856-1865.

12.

. Application of information communication network security management and control based on big data technology. International Journal of Communication Systems. 2022; 35(5): e4643.

13.

Astrida

Saputra

Assaufi

. Analysis and evaluation of wireless network security with the penetration testing execution standard (PTES). Sinkron: jurnal dan penelitian teknik informatika. 2022; 7(1): 147-154.

14.

Shandilya

Upadhyay

Kumar

Nagar

. AI-assisted computer network operations testbed for nature-inspired cyber security based adaptive defense simulation and analysis. Future Generation Computer Systems. 2022; 127: 297-308.

15.

Liu

Yang

Liu

Ding

. A BIPMU-based network security situation assessment method for wireless network. Computer Standards & Interfaces. 2023; 83: 103661.

16.

Liu

. A network security situation prediction method based on attention-CNN-BiGRU. In 2022 IEEE 25th International Conference on Computer Supported Cooperative Work in Design (CSCWD). IEEE. 2022 May: 257-262.

17.

Johari

Alsaqour

. Blockchain-based model for smart home network security. Int J Comput Networks Appl. 2022; 9(4): 497-509.

18.

Parenreng

. Network security analysis based on internet protocol security using virtual private network (VPN). Internet of Things and Artificial Intelligence Journal. 2023; 3(3): 239-249.

19.

Logeshwaran

Ramkumar

Kiruthiga

Sharanpravin

. The role of integrated structured cabling system (ISCS) for reliable bandwidth optimization in high-speed communication network. ICTACT Journal on Communication Technology. 2022; 13(1): 2635-2639.

20.

Mirlekar

Kanojia

. Role of intrusion detection system in network security and types of cyber attacks-a review. International Journal. 2022; 7(9): 28-32.

21.

Herath

Cullum

. An information security performance measurement tool for senior managers: Balanced scorecard integration for security governance and control frameworks. Information Systems Frontiers. 2023; 25(2): 681-721.

22.

Allahrakha

. Balancing cyber-security and privacy: legal and ethical considerations in the digital age. Legal Issues in the Digital Age. 2023; 4(2): 78-121.

23.

Alghamdi

Bellaiche

. A cascaded federated deep learning based framework for detecting wormhole attacks in IoT networks. Computers & Security. 2023; 125: 103014.

24.

Kasongo

SM.

. A deep learning technique for intrusion detection system using a recurrent neural networks based framework. Computer Communications. 2023; 199: 113-125.

25.

Guler

Karakus

Uludag

. Blockchain-enhanced cross-isp spectrum assignment framework in sdons: spectrumchain. Computer Networks. 2023; 223: 109579.

26.

Tejay

Mohammed

. Cultivating security culture for information security success: A mixed-methods study based on anthropological perspective. Information & Management. 2023; 60(3): 103751.

27.

Amro

Gkioulos

Katsikas

. Assessing cyber risk in cyber-physical systems using the ATT&CK framework. ACM Transactions on Privacy and Security. 2023; 26(2): 1-33.

28.

Liu

Zhang

. Deep learning technology of computer network security detection based on artificial intelligence. Computers and Electrical Engineering. 2023; 110: 108813.

29.

Yeshmuratova

Amanbaev

. Ensuring computer data and management system security. International Bulletin of Applied Science and Technology. 2023; 3(4): 282-287.

30.

Zainel

Koçak

. Lan intrusion detection using convolutional neural networks. Applied sciences. 2022; 12(13): 6645.

31.

https://data.mendeley.com/datasets/jxpfjc64kr/1.