The Devil is in the Details: Confident & Explainable Anomaly Detector for Software-Defined Networks

Deployment of SDN control plane in high-end servers allow many network applications to be automated and easily managed. In this paper, we propose an SDN anomaly detection application, Confident and Explainable Anomaly Detector (CEAD), that automatically detects malicious network flows in SDN-based network architectures. The proposed application employs a set of Machine Learning (ML) classifiers to improve the confidence score of a prediction, thereby creating improved trust upon the prediction, while providing interpretability to the anomaly detector. The method utilizes the Explainable Artificial Intelligence (XAI) framework to provide interpretation to predictions to unearth network features that establish the most influence between predicted anomaly types. Results show that the proposed framework can achieve efficient anomaly detection performance, with near perfect confidence scores. Analysis with XAI highlights that byte and packet transmissions, and their robust statistics, can be significant indicators for prevalence of any attacks. Results also indicate that a subset of influential features can generally be used to decipher between normal and anomalous flow, while certain dataset features can be specifically influential in detecting specific attack types. This can lead to more efficient network resource utilization.