CTMBIDS: Convolutional Tsetlin Machine Based Intrusion Detection System for DDoS attacks in an SDN environment
Rasoul Jafari Gohari, Laya Aliahmadipour, Marjan Kuchaki Rafsanjani
TL;DR
This work tackles the SDN IDS challenge by introducing CTMBIDS, a lightweight, interpretable detector based on Convolutional Tsetlin Machines for DDoS attacks. It couples data-generation in SDN environments with three novel DDoS-oriented SDN datasets and a two-phase preprocessing/learning pipeline, achieving competitive accuracy with substantially lower memory footprints than deep learning baselines. The study demonstrates that CTMBIDS can operate efficiently in memory-constrained SDN controllers while preserving detection quality, and provides accessible datasets and code to advance research. Overall, CTMBIDS advances practical, resource-aware IDS solutions for SDN and opens avenues for extending TM/CTM approaches to related domains and tasks.
Abstract
Software Defined Networks (SDN) face many security challenges today. A great deal of research has been done within the field of Intrusion Detection Systems (IDS) in these networks. Yet, numerous approaches still rely on deep learning algorithms. These algorithms suffer from complexity in implementation, high processing power and high memory consumption. In addition to security issues, firstly, the number of datasets that are based on SDN protocols are very small. Secondly, the ones that are available encompass numerous attacks in the network and do not focus on a single attack. For this reason, to introduce an SDN-based IDS with a focus on Distributed Denial of Service (DDoS) attacks, it is necessary to generate a DDoS-oriented dataset whose features can train a high-quality IDS. In this work, in order to address two important challenges in SDNs, initially, we generate three DDoS attack datasets based on three common and different network topologies. In the second step, using the Convolutional Tsetlin Machine (CTM), we introduce a lightweight IDS for DDoS attack dubbed CTMBIDS. The lightweight nature of the CTMBIDS stems from its low memory consumption and also its interpretability compared to the existing complex deep learning models. The low usage of system resources for the CTMBIDS makes it an ideal choice for an optimal software that consumes the SDN controllers least amount of memory. Also, in order to ascertain the quality of the generated datasets, we compare the CTMBIDS empirical results with the DDoS attacks of the KDDCup99 benchmark dataset as well. Since the main focus of this work is on a lightweight IDS, the results show the CTMBIDS performs much more efficiently than deep learning based approaches. Furthermore, the results also show in most datasets, the proposed method has relatively equal or better accuracy and also consumes much less memory than the existing methods.