Exploring Honeypot as a Deception and Trigger Mechanism for Real-Time Attack Detection in Software-Defined Networking

Abstract

Cyberattacks are becoming more frequent and sophisticated, making their detection harder. Probe attacks in Software Defined Networking (SDN) not given much attention by the research community, which represents the starting phase for other attacks. The attacker scans the network to get the necessary details about hosts and services running in network to launch successful attacks exploiting vulnerabilities in the system. The issue with probe attacks is that they occur passively and the target system is not aware of them. On one hand, additional mechanism is required to check the network traffic continuously by embedding switches with independent agents, which is against the OpenFlow standard. On the other hand, using statistics provided by OpenFlow switches to the controller, which overloads the controller with the extra task of continuously checking traffic statistics. In this work, a lightweight detection mechanism proposed that detects probe attacks in real-time using machine learning. Honeypot integrated into the detection mechanism to detect passive probe attacks by luring attackers through proving fake services and serving as a trigger mechanism that activates the detection mechanism when necessary. The experimental results show that the proposed mechanism successfully detects probe attacks in real-time achieving accuracy (94.73%) with the minimum CPU load.