TIBS : A Deep-Learning Model for Network Intrusion Detection for SDN Environments

Software-Defined Networking (SDN) is a modern network strategy that replaces traditional network structures. Its management efficiency and convenience are significantly higher than traditional networks. However, it should be pointed out that the centralized control mechanism adopted in SDN may increase the risk of single points of failure, making it more susceptible to different types of network attacks, such as Distributed Denial of Service (DDoS), DoS, PortScan and Brute Force etc. The identification and defense of these attacks are complex and require effective preventive measures. Network intrusion detection technology increasingly plays an irreplaceable role in network security. Therefore, this paper proposes an intrusion detection method for SDN environments. The system covers multiple stages, each with unique functions and roles. First, it is proposes an imbalanced data oversampling method based on improved Auxiliary Classifier Generative Adversarial Networks (ACGAN) to solve the problem of data imbalance. At the same time, an intrusion detection model TIBS based on Transformer and Inception-BiGRU-SA network is proposed. First, the Encoder part of Transformer is used to capture the connection globally and perform preliminary feature extraction on the input data. Secondly, the improved Inception module is used to extract multi-scale features. Extract, use the self-attention (SA) to weight the extracted spatial features of different scales, use bidirectional gated recurrent unit(BiGRU) to improve the model's ability to extract temporal features, and use the Softmax activation function for final classification. The experiment uses the CIC-IDS-2017 dataset and CIC-DDoS-2019 dataset. The experimental results show that the proposed method has high accuracy and robustness in intrusion detection tasks, and can better identify various types of attack behaviors than traditional methods. And provides more accurate prediction results. Therefore, this method has potential value and practicality in SDN network security applications.