A two-phase detection method against APT attack on flow table management in SDN

Long-term occupation of flow table can occur in the management mechanism of software-defined networking (SDN), which is a prerequisite for APT attacks. The task of detecting such APT attacks in existent research is mainly undertaken by the controller, which results in high computation overhead. To address this problem, a two-phase detection method for APT attacks on flow table management (TMAF) is proposed in this paper. Firstly, the suspicious flow entries are pre-detected in the SDN switch according to the periodicity of the packet. Secondly, the five-dimensional features of suspicious flow entries are selected according to the characteristics of packets in load and frequency, and then the B-P neural network on the controller for further analysis. Experiments show that TMAF reduces the controller's load and improves the detection efficiency and accuracy compared to existing works. Additionally, the potential risk of APT attacks can be reduced to a certain extent.