Implementing an intrusion detection and prevention system using software-defined networking: defending against port-scanning and denial-of-service attacks

Research output: Contribution to journal › Article


Publication details

Journal: Journal of Network and Computer Applications
Date: Accepted/In press - 18 Mar 2019
Date: E-pub ahead of print (current) - 22 Mar 2019
Number of pages: 15
Pages (from-to): 71-85
Early online date: 22/03/19
Original language: English


Over recent years, we have observed a significant increase in the number and the sophistication of cyber attacks targeting home users, businesses, government organizations and even critical infrastructure. In many cases, it is important to detect attacks at the very early stages, before significant damage can be caused to networks and protected systems, including access to sensitive data. To this end, cybersecurity researchers and professionals are exploring the use of Software-Defined Networking (SDN) technology for efficient and real-time defense against cyber attacks. SDN enables network control to be logically centralised by decoupling the control plane from the data plane. This feature enables network programmability and has the potential to almost instantly block network traffic when malicious activity is detected.

In this work, we design and implement an Intrusion Detection and Prevention System (IDPS) using SDN. Our IDPS is a software application that monitors networks and systems for malicious activities or security policy violations and takes steps to mitigate such activity. We specifically focus on defending against port-scanning and Denial of Service (DoS) attacks. However, the proposed design and detection methodology have the potential to be expanded to a wide range of other malicious activities. We have implemented and tested two connection-based techniques as part of the IDPS, namely the Credit-Based Threshold Random Walk (CB-TRW) and Rate Limiting (RL). As a mechanism to defend against port-scanning, we outline and test our Port Bingo (PB) algorithm. Furthermore, we include QoS as a DoS attack mitigation, which relies on flow statistics from a network switch. We conducted extensive experiments in a purpose-built testbed environment. The experimental results show that the launched port-scanning and DoS attacks can be detected and stopped in real time. Finally, the rate of false positives can be kept sufficiently low by tuning the threshold parameters of the detection algorithms.

Bibliographical note

©2019 Elsevier Ltd. This is an author-produced version of the published paper. Uploaded in accordance with the publisher’s self-archiving policy.

Research areas

• Intrusion detection and prevention system, Software-defined networking, Anomaly detection, Denial of service, Port scanning
