{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,12]],"date-time":"2025-11-12T14:10:11Z","timestamp":1762956611632,"version":"build-2065373602"},"reference-count":47,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2021,4,23]],"date-time":"2021-04-23T00:00:00Z","timestamp":1619136000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>The increasing availability of mobile devices and applications, the progress in virtualisation technologies, and advances in the development of cloud-based distributed data centres have significantly stimulated the growing interest in the use of software-defined networks (SDNs) for both wired and wireless applications. Standards-based software abstraction between the network control plane and the underlying data forwarding plane, including both physical and virtual devices, provides an opportunity to significantly increase network security. In this paper, to secure SDNs against intruders\u2019 actions, we propose a comprehensive system that exploits the advantages of SDNs\u2019 native features and implements data mining to detect and classify malicious flows in the SDN data plane. The architecture of the system and its mechanisms are described, with an emphasis on flow rule generation and flow classification. The concept was verified in the SDN testbed environment that reflects typical SDN flows. The experiments confirmed that the system can be successfully implemented in SDNs to mitigate threats caused by different malicious activities of intruders. The results show that our combination of data mining techniques provides better detection and classification of malicious flows than other solutions.<\/jats:p>","DOI":"10.3390\/s21092972","type":"journal-article","created":{"date-parts":[[2021,4,25]],"date-time":"2021-04-25T02:12:57Z","timestamp":1619316777000},"page":"2972","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Detection and Classification of Malicious Flows in Software-Defined Networks Using Data Mining Techniques"],"prefix":"10.3390","volume":"21","author":[{"given":"Marek","family":"Amanowicz","sequence":"first","affiliation":[{"name":"NASK National Research Institute, 01-045 Warsaw, Poland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Damian","family":"Jankowski","sequence":"additional","affiliation":[{"name":"Ministry of National Defense, 01-045 Warsaw, Poland"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2021,4,23]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Chaudet, C., and Haddad, Y. (2013, January 21\u201323). Wireless Software Defined Networks: Challenges and opportunities. Proceedings of the 2013 IEEE International Conference on Microwaves, Communications, Antennas and Electronic Systems (COMCAS 2013), Tel Aviv, Israel.","DOI":"10.1109\/COMCAS.2013.6685237"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"138","DOI":"10.1016\/j.micpro.2017.03.005","article-title":"SDNoC: Software defined network on a chip","volume":"50","author":"Berestizshevsky","year":"2017","journal-title":"Microprocess. Microsyst."},{"key":"ref_3","first-page":"654","article-title":"SDN Security Issue and Resolution","volume":"7","author":"Kumar","year":"2017","journal-title":"Indian J. Appl. Res."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Gonzalez, A.J., Nencioni, G., Helvik, B.E., and Kamisinski, A. (2016, January 4\u20138). A Fault-Tolerant and Consistent SDN Controller. Proceedings of the 2016 IEEE Global Communications Conference (GLOBECOM), Washington, DC USA.","DOI":"10.1109\/GLOCOM.2016.7841496"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Lee, S., Yoon, C., and Shin, S. (2016). The Smaller, the Shrewder. Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, ACM.","DOI":"10.1145\/2876019.2876024"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"623","DOI":"10.1109\/COMST.2015.2453114","article-title":"A Survey of Security in Software Defined Networks","volume":"18","author":"Natarajan","year":"2016","journal-title":"IEEE Commun. Surv. Tutorials"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1109\/MCOM.2015.7081073","article-title":"Securing software defined networks: Taxonomy, requirements, and open issues","volume":"53","author":"Akhunzada","year":"2015","journal-title":"IEEE Commun. Mag."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Shin, S., Xu, L., Hong, S., and Gu, G. (2016, January 1\u20134). Enhancing Network Security through Software Defined Networking (SDN). Proceedings of the 2016 25th International Conference on Computer Communication and Networks (ICCCN), Waikoloa, HI, USA.","DOI":"10.1109\/ICCCN.2016.7568520"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1016\/j.comnet.2015.05.005","article-title":"Enabling security functions with SDN: A feasibility study","volume":"85","author":"Yoon","year":"2015","journal-title":"Comput. Networks"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Jankowski, D., and Amanowicz, M. (2018, January 22\u201323). A study on flow features selection for malicious activities detection in software defined networks. Proceedings of the 2018 International Conference on Military Communications and Information Systems (ICMCIS), Warsaw, Poland.","DOI":"10.1109\/ICMCIS.2018.8398697"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Jankowski, D., and Amanowicz, M. (2016, January 23\u201324). A method of network workload generation for evaluation of intrusion detection systems in SDN environment. Proceedings of the 2016 International Conference on Military Communications and Information Systems (ICMCIS), Brussels, Belgium.","DOI":"10.1109\/ICMCIS.2016.7496575"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1016\/j.jnca.2012.09.004","article-title":"Intrusion detection system: A comprehensive review","volume":"36","author":"Liao","year":"2013","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"238","DOI":"10.1016\/j.cose.2017.05.009","article-title":"Flow-based intrusion detection: Techniques and challenges","volume":"70","author":"Umer","year":"2017","journal-title":"Comput. Secur."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"2901","DOI":"10.1002\/sec.1549","article-title":"Evolutionary-based packets classification for anomaly detection in web layer","volume":"9","author":"Kozik","year":"2016","journal-title":"Secur. Commun. Networks"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"303","DOI":"10.1109\/SURV.2013.052213.00046","article-title":"Network Anomaly Detection: Methods, Systems and Tools","volume":"16","author":"Bhuyan","year":"2014","journal-title":"IEEE Commun. Surv. Tutorials"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Boriah, S., Chandola, V., and Kumar, V. (2008, January 24\u201326). Similarity Measures for Categorical Data: A Comparative Evaluation. Proceedings of the 2008 SIAM International Conference on Data Mining, Philadelphia, PA, USA.","DOI":"10.1137\/1.9781611972788.22"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"193","DOI":"10.1007\/978-3-319-15705-4_19","article-title":"FP-tree and SVM for Malicious Web Campaign Detection","volume":"Volume 9012","author":"Nguyen","year":"2015","journal-title":"Intelligent Information and Database Systems. ACIIDS 2015"},{"key":"ref_18","first-page":"24","article-title":"Comparative study of supervised learning methods for malware analysis","volume":"4","author":"Kruczkowski","year":"2014","journal-title":"J. Telecommun. Inf. Technol."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"1153","DOI":"10.1109\/COMST.2015.2494502","article-title":"A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection","volume":"18","author":"Buczak","year":"2016","journal-title":"IEEE Commun. Surv. Tutorials"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Dua, S., and Du, X. (2016). Data Mining and Machine Learning in Cybersecurity, Auerbach Publications.","DOI":"10.1201\/b10867"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Denatious, D.K., and John, A. (2012, January 10\u201312). Survey on data mining techniques to enhance intrusion detection. Proceedings of the International Conference on Computer Communication and Informatics, Coimbatore, India.","DOI":"10.1109\/ICCCI.2012.6158822"},{"key":"ref_22","first-page":"25","article-title":"A Survey on Deep Packet Inspection for Intrusion Detection Systems","volume":"24","author":"AbuHmed","year":"2008","journal-title":"Mag. Korea Telecommun. Soc."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Tavallaee, M., Bagheri, E., Lu, W., and Ghorbani, A.A. (2009, January 8\u201310). A detailed analysis of the KDD CUP 99 data set. Proceedings of the 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada.","DOI":"10.1109\/CISDA.2009.5356528"},{"key":"ref_24","first-page":"446","article-title":"A study on NSL-KDD dataset for intrusion detection system based on classification algorithms","volume":"4","author":"Dhanabal","year":"2015","journal-title":"Int. J. Adv. Res. Comput. Commun. Eng."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Sommer, R., Balzarotti, D., and Maier, G. (2011). Revisiting Traffic Anomaly Detection Using Software Defined Networking. Recent Advances in Intrusion Detection. RAID 2011. Lecture Notes in Computer Science, Springer.","DOI":"10.1007\/978-3-642-23644-0"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Dotcenko, S., Vladyko, A., and Letenko, I. (2014, January 16\u201319). A fuzzy logic-based information security management for software-defined networks. Proceedings of the 16th International Conference on Advanced Communication Technology, Pyeongchang, Korea.","DOI":"10.1109\/ICACT.2014.6778942"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1016\/j.bjp.2013.10.014","article-title":"Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments","volume":"62","author":"Giotis","year":"2014","journal-title":"Comput. Netw."},{"key":"ref_28","unstructured":"Phaal, P., Panchen, S., and McKee, N. (2021, February 20). InMon Corporation\u2019s Sflow: A Method for Monitoring Traffic in Switched and Routed Networks. Available online: https:\/\/tools.ietf.org\/pdf\/rfc3176.pdf."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Braga, R., Mota, E., and Passito, A. (2010, January 10\u201314). Lightweight DDoS flooding attack detection using NOX\/OpenFlow. Proceedings of the IEEE Local Computer Network Conference, Denver, CO, USA.","DOI":"10.1109\/LCN.2010.5735752"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Sathya, R., and Thangarajan, R. (2015, January 26\u201327). Efficient anomaly detection and mitigation in software defined networking environment. Proceedings of the 2nd International Conference on Electronics and Communication Systems (ICECS), Coimbatore, India.","DOI":"10.1109\/ECS.2015.7124952"},{"key":"ref_31","first-page":"1114","article-title":"Decision tree analysis on J48 algorithm for data mining","volume":"3","author":"Bhargava","year":"2013","journal-title":"Int. J. Adv. Res. Comput. Sci. Softw. Eng."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Nakamura, R.Y.M., Pereira, L.A.M., Costa, K.A., Rodrigues, D., Papa, J.P., and Yang, X.-S. (2012, January 22\u201325). BBA: A Binary Bat Algorithm for Feature Selection. Proceedings of the 2012 25th SIBGRAPI Conference on Graphics, Patterns and Images, Ouro Preto, Spain.","DOI":"10.1109\/SIBGRAPI.2012.47"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"663","DOI":"10.1007\/s00521-013-1525-5","article-title":"Binary bat algorithm","volume":"25","author":"Mirjalili","year":"2014","journal-title":"Neural Comput. Appl."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Le, A., Dinh, P., Le, H., and Tran, N.C. (2015, January 23\u201325). Flexible Network-Based Intrusion Detection and Prevention System on Software-Defined Networks. Proceedings of the 2015 International Conference on Advanced Computing and Applications (ACOMP), Ho Chi Minh City, Vietnam.","DOI":"10.1109\/ACOMP.2015.19"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1109\/69.991727","article-title":"Efficient C4.5 [classification algorithm]","volume":"14","author":"Ruggieri","year":"2002","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Tang, T.A., Mhamdi, L., McLernon, D., Zaidi, S., and Ghogho, M. (2016, January 26\u201329). Deep learning approach for Network Intrusion Detection in Software Defined Networking. Proceedings of the 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM), Fez, Morocco.","DOI":"10.1109\/WINCOM.2016.7777224"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"28","DOI":"10.1016\/j.jnca.2019.01.016","article-title":"An approach for SDN traffic monitoring based on big data techniques","volume":"131","author":"Queiroz","year":"2019","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Tuan, N.N., Hung, P.H., Nghia, N.D., Van Tho, N., Van Phan, T., and Thanh, N.H. (2020). A DDoS Attack Mitigation Scheme in ISP Networks Using Machine Learning Based on SDN. Electronics, 9.","DOI":"10.3390\/electronics9030413"},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"165263","DOI":"10.1109\/ACCESS.2020.3022633","article-title":"InSDN: A Novel SDN Intrusion Dataset","volume":"8","author":"Elsayed","year":"2020","journal-title":"IEEE Access"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Gomez-Rodriguez, J.R., Sandoval-Arechiga, R., Ibarra-Delgado, S., Rodriguez-Abdala, V.I., Vazquez-Avila, J.L., and Parra-Michel, R. (2021). A Survey of Software-Defined Networks-on-Chip: Motivations, Challenges and Opportunities. Micromachines, 12.","DOI":"10.3390\/mi12020183"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"105997","DOI":"10.1109\/ACCESS.2020.3000457","article-title":"A Systemic and Secure SDN Framework for NoC-Based Many-Cores","volume":"8","author":"Ruaro","year":"2020","journal-title":"IEEE Access"},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"177296","DOI":"10.1109\/ACCESS.2020.3025206","article-title":"SDN-Based Secure Application Admission and Execution for Many-Cores","volume":"8","author":"Ruaro","year":"2020","journal-title":"IEEE Access"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Chaves, C., Azad, S., Hollstein, T., and Sep\u00falveda, J. (2019). DoS Attack Detection and Path Collision Localization in NoC-Based MPSoC Architectures. J. Low Power Electron. Appl., 9.","DOI":"10.3390\/jlpea9010007"},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/1361684.1361686","article-title":"Interpreting TF-IDF term weights as making relevance decisions","volume":"26","author":"Wu","year":"2008","journal-title":"ACM Trans. Inf. Syst."},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Hyv\u00e4rinen, A., Karhunen, J., and Oja, E. (2001). Independent Component Analysis, John Wiley & Sons, Inc.. Adaptive and Learning Systems for Signal Processing, Communications, and Control.","DOI":"10.1002\/0471221317"},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"321","DOI":"10.1016\/S0925-2312(03)00433-8","article-title":"A comparison of PCA, KPCA and ICA for dimensionality reduction in support vector machine","volume":"55","author":"Cao","year":"2003","journal-title":"Neurocomputing"},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"Wrona, K., Amanowicz, M., Szwaczyk, S., and Gierlowski, K. (2017, January 15\u201316). SDN testbed for validation of cross-layer data-centric security policies. Proceedings of the 2017 International Conference on Military Communications and Information Systems (ICMCIS), Oulu, Finland.","DOI":"10.1109\/ICMCIS.2017.7956483"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/9\/2972\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T05:52:04Z","timestamp":1760161924000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/9\/2972"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,4,23]]},"references-count":47,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2021,5]]}},"alternative-id":["s21092972"],"URL":"https:\/\/doi.org\/10.3390\/s21092972","relation":{},"ISSN":["1424-8220"],"issn-type":[{"type":"electronic","value":"1424-8220"}],"subject":[],"published":{"date-parts":[[2021,4,23]]}}}