Athena: A Framework for Scalable AnomalyDetection in Software-Defined Networks

Seunghyeon Lee†, Jinwoo Kim†, Seungwon Shin†, Phillip Porras‡, and Vinod Yegneswaran‡†KAIST ‡SRI International

{seunghyeon, jinwoo.kim, claude}@kaist.ac.kr, and {porras, vinod}@csl.sri.com

Abstract—Network-based anomaly detection is a well-minedarea of research, with many projects that have produced algo-rithms to detect suspicious and anomalous activities at strategicpoints in a network. In this paper, we examine how to integrate ananomaly detection development framework into existing software-defined network (SDN) infrastructures to support sophisticatedanomaly detection services across the entire network data plane,not just at network egress boundaries. We present Athena as anew SDN-based software solution that exports a well-structureddevelopment interface and provides general purpose functions forrapidly synthesizing a wide range of anomaly detection servicesand network monitoring functions with minimal programming ef-fort. Athena is a fully distributed application hosting architecture,enabling a unique degree of scalability from prior SDN securitymonitoring and analysis projects. We discuss example use-casescenarios with Athena’s development libraries, and evaluatesystem performance with respect to usability, scalability, andoverhead in real world environments.

I. INTRODUCTION

Tracking and responding to network traffic anomalies isan ubiquitous and significant challenge faced by all networkoperators [1]. Sudden and massive deviations in the volumeand mix of data flowing through the network infrastructure,due to congestion, outages, network probes, and floodingattacks, are so frequent that few networks would fail to benefitfrom integrated network anomaly detection services. Evenanomalies that arise from benignly-motivated incidents, suchas flash crowds, may threaten the ability an enterprise tomaintain reliable network operations.

Software-Defined Networking (SDN) offers the potentialto explore new efficient strategies for instrumenting networks,integrating software detection services, and responding toanomalies that would otherwise impede network operations.For example, by leveraging the centralized control plane totrack new flow requests and extracting data plane statistics,one can analyze live network data flows without requiring theinsertion of third-party devices (e.g., a network monitoringmiddlebox). Indeed, a survey of recent research proposalsillustrates the increasing exploration of SDN strategies tointegrate network misuse and anomaly detection services [2],[3], [4], [5], [6], [7], [8], [9], [10].

However, while these proposals offer a diverse explorationof SDN-based monitoring strategies, several significant tech-nical challenges remain. First, most SDN-based threat moni-toring proposals that implement monitoring services as SDNapplications, do not consider the issue of network-wide large-scale data extraction and management across a distributed dataplane, with many switches and controller instances. Second,

prior research has primarily focused on applications designedfor specific suspicious or anomalous activity. Prior SDN moni-toring projects have employed focused subsets of features fromSDNs for tracking specific phenomena rather than defining afeature framework for building SDN-enabled network anomalydetection services. Third, there is limited research on networkfeatures and anomaly detection algorithms for activities thatcross the control and data plane boundaries.

We present a scalable framework, called Athena, for con-structing network monitoring services in large-SDN deploy-ments, and providing flexible third-party development of newdetection models. Athena exports an API that provides a well-structured development environment for implementing a widerange network anomaly detection applications across a largephysically distributed SDN control and data plane. Athena’sAPI offers developers an abstraction from a complex dataextraction service, reducing the programming effort required toimplement and deploy new anomaly detection services. In con-trast to existing work, Athena includes a wide range of networkfeatures and detection algorithms for use in simplifying thedesign and deployment of general-purpose network data planeanomaly detection applications in large-scale SDN networks.In fact, other than its requirement for OpenFlow support, theframework avoids the need for specialized hardware, therebydramatically minimizing the need to modify an SDN stackwhen introducing new anomaly detection services.

To address the issue of scalability across large distributedSDN deployments, Athena’s network feature collection anddata management framework employs a distributed database, acomputing cluster, and a distributed controller. It collects andgenerates network features above the SDN controller instancesin a distributed manner, and publishes the network featuresto a distributed database. To accelerate runtime detectionmodel generation, Athena incorporates a machine learning(ML) library from which anomaly detection algorithms maybe implemented and then deployed as jobs across Athena’scomputing cluster. Athena exports high-level APIs that allowoperators to design and deploy anomaly detection applicationswith a minimum of programming effort. This approach both re-duces the total computation time necessary to perform anomalydetection, while increasing the scalability of data managementservices on which these algorithms are run.

The key contributions presented in our paper include thefollowing:

• Introduction of Athena as a new anomaly detectionapplication development framework that leverages SDN func-tionality to explicitly support ML-based network anomaly

detection. Athena integrates without modification into existingSDN infrastructures.

• Presentation of a set of SDN-wide features that enableAthena to host a wide range of anomaly detection services,including the detection of anomalies directly within the SDNcontrol and data planes. Specifically, we considered eightmajor operational functions performed by SDN networks,and from each function extract relevant feature sets to driveanomaly detection services.

• Presentation of eight core APIs, over 70 utility APIs, and11 popular machine learning algorithms that facilitate the rapiddevelopment of new anomaly detection services. Collectively,these facilitate both batch and live mode anomaly detection,while shielding Athena developers from the complexities ofdistributed feature extraction, data management, and threatresponse generation.

• Presentation of a fully-distributed architecture enablinghighly scalable network anomaly detection. We evaluate thesystem on a large-scale dataset from a datacenter-like physicalnetwork environment, and assess performance degradation byevaluating the overhead when it is integrated into one of themost visible open-source network operating systems (ONOS).

• Demonstration of the generality of our framework byreplicating detection algorithms from prior publications ofSDN security services (that had previously required the in-tegration of specialized hardware) and development of a spe-cialized SDN stack anomaly detector capable of detecting anovel anomaly that we refer to as the Network ApplicationEffectiveness (NAE) problem.

We have released the Athena prototype implementation asan open-source project to support the SDN community andstimulate other academic research efforts1.

II. FIVE CONSIDERATIONS IN DESIGNING SCALABLESDN ANOMALY DETECTION SERVICES

The design and integration of network anomaly detectionservices in traditional networks have been well studied [12].We understand how to integrate hardware elements to extractnetwork traffic features at strategic network points, how toapply a wide range of analytics to these features, and how tocorrelate relevant reports to effect a network’s security posture.However, SDNs offer a departure from these strategies by pro-viding new methods for dynamic instantiation of monitoringservices with a global view of the network topology that iscontinuously updated.

The design goals for the Athena anomaly detection frame-work for SDNs include the following: 1) provide for an exten-sive feature extraction infrastructure without hardware deviceintegration, 2) abstract data acquisition and simply anomalydetection service implementation, and 3) simplify large-scaledeployment of monitoring services without modification to theSDN infrastructure itself. This section discusses several keychoices and considerations toward addressing these goals.

1The source code is publicly available at SDNSecurity.org [11].

Firewall Manager

IDSManager

Network Manager #1

Network Manager #n

Third parties

Centralized Monitoring & Management Controller

…

Network Anomaly Detector

a) NAD on traditional networks

SDN Controller (Monitoring & Management)

SDN Apps…

Network Anomaly Detector

b) NAD on SDN networks

Fig. 1. An illustration of network anomaly detector (NAD) in a) traditionalnetworks and b) SDNs.

1) Centralized Management Perspective: We illustrate thetwo management design paradigms, legacy versus SDN, inFigure 1. While SDN‘s support centralized network-widemonitoring, developers are burdened with the requirement toimplement a centralized controller that monitors and managesthe network with a global network view. Furthermore, eachdevice may export a wide menagerie of network features(e.g., logs, statistics, and alerts) forcing the developer toperform post-processing to normalize network features usingapproaches like VAST [13].

2) Network Feature Quality and Accessibility: The se-lection and accessibility of legitimate network features forreal-time monitoring is an essential task when designing anynetwork monitoring framework, particularly frameworks thatare intended to facilitate off-the-shelf sharing of anomalydetection algorithms. Athena directly addresses these needs forfeature quality and accessibility, by providing (i) normalizednetwork-feature access and libraries from which a wide rangeof ML-based detection algorithms may be designed and de-ployed across large-scale distributed SDNs, and (ii) dynamicthreat mitigation APIs that can be launched in response toperceived threats to the SDN. We will leverage example usecases to address well-known anomaly detection problems, anddemonstrate the utility of the Athena framework by applyingit to detect a novel SDN-specific anomaly (Section V).

3) Monitoring Networks with Highly Dynamic Topologies:Enterprise networks continue to become more complex, morevirtual, and dynamic to meet an increasingly diverse set ofoperational requirements. Traditional security and networkdevices are often integrated at physically strategic points inthe network, and it is the burden of the operator to manageand adjust their integration and configuration as the networktopology changes. Since Athena is built into the SDN controllayer, applications built over this framework can automaticallyextend monitoring and anomaly detection capabilities to dy-namic network topologies.

4) Flexible Scale-up and Scale-out of the Anomaly Detec-tion Framework: Large network environments imply increasedevent volumes, larger sets of distributed switches within thedata plane, and complex network operating requirements thatincrease the complexity of both the control plane and thehosted network applications. A key challenge for Athena isto introduce a network monitoring framework that will enableanomaly detection applications to scale in speed, to offerdistributed computation, and to provide data management APIs

2

that enable high volume event processing. To date, severalnetwork monitoring projects have pursued scalability amongtheir design requirements, such as [14], [15], [16], [17], [18],[7], [3], [2], [19], [20], [5]. However, most of these efforts(with the exception of [17]) focus on uncontrolled environ-ments and none of them provide explicit support for anomalydetection algorithms. In contrast, Athena is designed as afully-distributed event collection and processing frameworkwith scalable feature collection and management to supportanomaly detection.

5) Coding Efficiency for Anomaly Detection AlgorithmDevelopment: While SDN controller APIs [21], [22], [23],[24], [14] enable a wide range of network applications thathave been implemented and shared, these APIs are largelyinsufficient to support network anomaly detection applications.This absence of a generalized network monitor developmentframework for SDNs contributes to slower progress in thedesign and deployment of SDN security applications. To over-come this issue, Athena exports high-level APIs that supportthe extraction of critical features, management of data streams,and detection of anomalous network behaviors.

III. ATHENA DESIGN

Athena is a fully-distributed network anomaly detectionframework, in which an Athena instance is hosted above eachdistributed SDN controller, such as with ONOS instancesdeployed across a wide area network. For example, Figure 2illustrates three Athena instances that are distributed acrossthree SDN controllers. Each Athena instance monitors thenetwork behavior that is associated with its hosted networkcontrollers and the data plane hosted by the controllers.

As shown in Figure 2, conceptually, Athena incorporatesthe Feature Generator, which collects SDN control messagesissued by the local control and data plane, generates networkfeatures, and publishes features to a distributed database (aDB cluster) for feature management. The Attack Detectordetects potential network problems using the developer-defineddetection algorithm. The Attack Reactor has responsibility formitigating detected threats by issuing mitigation actions to thedata plane. Operators need not modify their existing SDN stackto host Athena, as its inputs are SDN control messages, alongwith small code stubs within the controller. We discuss thedetails of Athena’s architecture in Section III-A.

Above the framework, Athena provides the set of compo-nents that compose its user-friendly development environment.Athena exports a high-level API called as the Athena NBAPI, which allows developers to create anomaly detectionapplications in a manner that is agnostic to the underlying SDNimplementation. Athena offers an abstraction to the controllerand data plane implementations and versions, enabling rapidprototyping and minimizing deployment costs.

Athena provides 8 core and 70 utility APIs, described inTable II. Developers implement anomaly detection tasks asAthena apps (shown in Figure 2), using the Athena NorthboundAPI (NB API). These applications generate anomaly detectionmodels, perform real-time detection, and implement live threatresponses.

Control Information

SDN Controller

Feature Generator

Attack Detector

Attack Reactor

AthenaNetwork Management

SDN Controller

Feature Generator

Attack Detector

Attack Reactor

AthenaDB Cluster

Computing Cluster

Network Events

SDN Controller

Feature Generator

Attack Detector

Attack Reactor

Athena

Big data analysis

Detection modelgeneration

Unifiedmonitoring

Athena Application

Real-time detection

Athena GUI/CLI Interface

…

…

Threatresponse

Fig. 2. Athena’s conceptual architecture; An illustration of the Athenaanomaly detection framework hosted over a wide-area SDN with distributedcontrollers. Each controller hosts an instance of Athena that instantiates theanomaly detection task per instance. These components can also integrate withthe third-party DB cluster and computing cluster. Athena applications performdiverse anomaly detection tasks, and operators control the Athena applicationsvia a graphical user interface.

A. Athena System Design

Figure 3 illustrates the three major elements of the Athenaframework: the southbound element, the distributed DB andcomputing clusters, and the northbound element. The south-bound element monitors the network behaviors includingthe control plane, extracts features from the SDN controlmessages, implements live detection algorithms, and invokesmitigation reaction. The northbound element exports high-level APIs to enable analysis applications to perform anomalydetection tasks, including network monitoring. The third majorelement is composed of a distributed database cluster that pro-vides network-wide feature access, and a computing cluster forrunning distributed parallel instances of Athena applications.

1) The Athena Southbound (SB) Element: The Southboundelement’s main purpose is to isolate control messages, ex-tract features to drive the analysis algorithms, and mitigatedetected problems. However, these tasks must be performedacross several parallel controller instances and many physicallydistributed switches. Athena achieves this scale by employingSB instances that operate separately on each controller. Further,it uses distributed 3rd party applications to provide paralleldata processing environments. Each instance is responsible formonitoring its associated controller and those switches that thecontroller directly manages, then provides detection algorithmsand reaction strategies. The Athena SB element consists of fourmajor sub-components:

1A) SB Interface: The main role of the SB Interface isto monitor (selected) SDN control messages issued by boththe data plane and the control plane, and to deliver networkmanagement commands issued by the Attack Reactor (e.g.,issuing flow rules) through the Athena Proxy. The proxy isa small code snippet instantiated at each controller instance.Athena leverages proxy-stubs that work like general networkapplications to avoid consistency issues that might arise fromissuing control messages to the data plane without involvingthe controller. When the Athena Proxy issues flow rules tothe data plane, the controller automatically updates its internalstatus according to the issued flow rules.

3

TABLE I. AN ENUMERATION OF Athena FEATURE TYPES.

Category Description ExamplesProtocol-centric Features derived from SDN control messages directly. Volume (Packet counts, byte counts)Combination Combined features derived from Protocol-centric by pre-defined formula. Flow utilization (Packets / Duration)Stateful Stateful features according to the network states. Pair flow ratio (Pair flows / Total flows)

SDN Stack SDNSwitches

AthenaApplications

Link Flooding Attacks Detector

…

AthenaFramework

Southbound (Extensible APIs)

Southbound Interface

Athena Southbound API

Large-scale DDoS Detector

SDN Application Behavior Analyzer

Feature Mgmt Manager

Reaction Manager

UI Manager

Detector Manager

Northbound (Unified APIs)

Resource Manager

…

DB Cluster

…

Computing Cluster

Third parties

Attack Detector

User-defined algorithms

ML lib nML lib nML lib nK-Means

SDN ControllersAthena Proxy

Feature Generator

User-defined features

ML lib nML lib nML lib nFlow

Attack Reactor

User-definedreactions

ML lib nML lib nML lib nQuarantine

… Consolidated Anomaly Detectors

Athena Northbound API

Fig. 3. An overview of the Athena system architectural components. TheAthena framework is composed of the extensible southbound element, theunified northbound element, and the Athena application instantiation layer.

1B) Feature Generator: The Feature Generator examinesincoming control messages to derive Athena features, whichwe enumerate in Table I, and the internal status of control planeto extract important behavioral features from the control plane(e.g., tracking flow origins). The Feature Generator maintainshash tables to track the status of the previous features for gen-erating Variation and network status for maintaining messageState. The Feature Generator includes a garbage collector toperiodically remove outdated entries. It also attaches additionalmeta information (e.g., timestamp). We discuss the details ofAthena features in Section III-A3.

1C) Attack Detector: The Attack Detector uses detectionalgorithms to find potential network threats. The detectorgenerates detection models according to requests from theDetector Manager in the Athena NB, and analyzes generatedfeatures from the Feature Generator. It is designed to operatelive or in batch mode. When it receives a request relatedto one or more tasks, it translates the request to functionsand performs jobs with a single and a distributed manneraccording to the type of job. For example, while in learningmode, the Attack Detector distributes jobs to the computingcluster to provide a scalable analysis environment. For a smalldataset, it handles the request on a single instance to reducecommunication overhead.

1D) Attack Reactor: The Attack Reactor enforces mitiga-tion strategies to the data plane. When it receives mitigationstrategies from the Detector Manager, it translates requests tonetwork management messages to be sent to the data planethrough the Athena Proxy.

2) The Athena Northbound (NB) Element: The AthenaNorthbound element exports Northbound APIs, which allowapplication developers to utilize Athena’s functionalities foran anomaly detection, providing scalability as well as SDN

implementation transparency. We describe below the five majorsub-components of the NB element.

2A) Feature Management Manager: The Feature Man-ager provides a unified mechanism that applications use toretrieve and receive network features according to user-definedconstraints. It receives feature requests from each applica-tion and translates them into queries that it issues to theAthena distributed database. It transfers requested data fromthe distributed database to the computing cluster managed bythe Detector Manager, reducing data transmission overheadwhile transferring large-scale datasets. It maintains an eventdelivery table, which maintains a set of application constraints,that is triggered when incoming network features match theconstraints. When processing real-time incoming features fromthe Athena SB, it forwards the features to both the Athenaapplications and the Detector Manager.

2B) Detector Manager: The Detector Manager provides awide-range of well-known ML algorithms to generate detectionmodels including a simple threshold-based detection algorithm.It also validates large-scale network features. It works with theFeature Manager to dynamically validate incoming networkfeatures and provides unified APIs that allow operators toperform detection tasks with transparency to details of thealgorithms. For example, when running a K-Means algorithmin the clustering category with the Decision Tree algorithmin the classification category, the operator will use the sameAPIs in Table II. An operator does not have to consider thecharacteristics of each ML type, since the Detector Managerautomatically configures ML parameters according to requestsof ML types by operators (e.g., labeling features).

2C) Reaction Manager: The Reaction Manager providesmitigation strategies that allow the Athena applications andoperators to enforce mitigation actions by issuing flow rulesto the data plane. The applications enforce pre-defined course-of-actions to handle network problems, independently fromthe underlying network controller, by issuing requests to theSB Attack Reactor, which are automatically translated to flowrules.

2D) Resource Manager: The Resource Manager exportsfunctions to manage resources related to feature collection. Itdynamically adjusts the number of monitored network entitiesand generated network features, according to requests fromAthena applications. This allows Athena applications to controlmonitoring fidelity based on dynamic network conditions.

2E) UI Manager: The UI Manager services an interface,that displays Athena application‘s results and provides aninteraction mechanism.

3) Athena Off-The-Shelf Strategies: As an anomalydetection framework, Athena provides a set of off-the-shelfstrategies including network features, detection algorithms,and reactions.

4

Index Stateful (+Variation)Protocol-centric CombinationMeta data

Fig. 4. The format of a single Athena feature: The gray box represents indexfields, the white box is for feature fields.

3A) Athena Features: In total, Athena exposes over 100network monitoring features to the NB API. The full list ofnetwork features is available at SDNSecurity.org [11]. Thetypes of features are enumerated in Table I. Protocol-centricfeatures are directly derived from OpenFlow control messages,such as packet count from flow statistics. Combination featuresrefer to combined features derived from pre-defined formulas,such as the features in [10], and include more meaningfulinformation regarding SDN-specific features. For example,Flow Utilization represents how much traffic a flow deliversto its associated output port. The Stateful field represents thefeatures including states of indicator operations. For example,Pair Flow Ratio represents how many flows manifest activetwo-way connection between a sender and a receiver.

Athena‘s feature format is illustrated in Figure 4. Thefeature format consists of the index fields and the featurefields. The index fields include the Index, which containsinformation about feature‘s origins (e.g., Switch ID, portID) including indicators (e.g., OpenFlow match fields), andMeta Data that represents additional information such as atimestamp and semantics of the control plane associated withthe feature (e.g., Flow origins). The feature fields are appendedafter the index fields to represent an actual behavior of thenetwork.

3B) Athena Detection Algorithms: Athena provides aset of detection algorithms that allow its applications to findpotential network threats and problems. The algorithms includefive categories, which are described in Table IV. Currently,Athena supports 11 machine learning algorithms hosted on acomputing cluster to perform scalable analyses.

3C) Athena Reactions: Athena Reactions manage thedata plane according to changes of the network status. Afterdetecting a network threat, the applications hosted by Athenamay choose to invoke a mitigation strategy. Athena currentlysupports two types of mitigation actions: Block, which blockscertain hosts; and Quarantine, which isolates suspicioushosts to user-defined destinations.

IV. THE ATHENA DEVELOPMENT ENVIRONMENT

The Athena development environment (DE) exports a set ofhigh-level APIs that allow operators to design and implementa scalable network anomaly detector in a manner that abstractsboth the SDN version dependencies and infrastructure-specificconfiguration details. Here we discuss Athena’s northboundAPIs and outline the steps involved in implementing variousanomaly detection services.

A. Athena Northbound API

The Northbound (NB) API is configuration-based. Devel-opers use it by configuring parameters to execute anomalydetection tasks. For example, one can generate a detec-tion model by defining a set of 1) detection parameters,

such as “TCP_PORT==80 && time==1 day”; 2) de-tection features, such as “sampling (20%), defaultnormalization”; and 3) a preferred detection algorithm,such as “K-means, k==5”.

Athena currently supports eight core functions describedin Table II, and several pre-defined parameters, describedin Table III. RequestFeatures is a monitoring API thatretrieves desired Athena features using the query interface. Forexample, a developer may create a query that requests “flowutilization per network application”,“unstable ports during a 1-day temporalwindow” and “top 10 congested links”. Athenacurrently supports the query operators described in Table IV.The ManageMonitor API uses queries to turn monitoringon/off for specific network features.

As a detection-related API, we provide theGenerateDetectionModel for creating detectionmodels, and ValidateFeatures for large-scalefeature validation. The APIs commonly receive aquery to retrieve a desired feature set, and apply thePreprocessor, which transforms the features before use.GenerateDetectionModel defines a detection algorithmwith its parameters (e.g., K of the K-Means algorithm),and generates a detection model. The model is used byValidateFeatures to validate target features, and itproduces results that summarize the validation task. Athenagenerates a detection model during the learning phase whena machine-learning (ML) algorithm is employed, and exportsa pre-defined model without a learning phase when usingother algorithms (e.g., threshold-based detection). Table IVdescribes the supported functions of the Preprocessor andML algorithms.

Athena provides APIs that allow an application tohandle network features in an online manner. First,AddEventHandler enables analysis applications to receiveAthena features dynamically. Applications register an eventhandler with a user-defined query. The manager then dynami-cally evaluates whether an incoming feature satisfies the query,and if so it forwards the feature to the applications. For exam-ple, an application may pass the query “IP_DST==serveraddress && Port==80”. The event handler is also usedfor live validation by AddOnlineValidator. This allowsan operator to define an operational mode for specific anomalydetection tasks (e.g., A stand-alone mode, and a distributedmode). ShowResults represents the results as a visualizedgraph, providing operators with direct insight to Athena’sresults. The Reactor enforces mitigation strategies to thedata plane according to requests of the application withqueries, such as “IP_SRC in {suspicious hosts}”and invokes response functions described in Table IV.

B. Athena Application

Figure 5 illustrates the steps involved in designing andimplementing an anomaly detector. Developers select off-the-shelf strategies (e.g., network features, detection algorithms,and reactions) to perform anomaly detection tasks. Based onthese selections, they use supported NB APIs to construct aconsolidated anomaly detector, including the selected networkfeature generation, model creation with fine-grained filtered

5

TABLE II. THE Athena CORE NORTHBOUND API.

Function DescriptionRequestFeatures(q) Request a set of Athena features with user-defined constraints including feature re-organization.ManageMonitor(q, o) Turn on/off a network monitoring including a feature generation.GenerateDetectionModel(q, f, a) Generate an anomaly detection model according to an user-defined algorithm and features.ValidateFeatures(q, f, m) Validate a set of Athena features with a generated detection model.AddEventHandler(q) Register an event handler to retrieve features from Athena according to user-defined constraints.AddOnlineValidator(f, m, e) Register an online validator to examine an incoming feature in an online manner.Reactor(q, r) Enforce an action to the data plane.ShowResults(r’) Display the results from Athena with a graphical interface.

TABLE III. PARAMETERS OF THE Athena NORTHBOUND API.

Parameter DescriptionQuery (q) Unified query to retrieve Athena features with

constraints.Preprocessor (f ) Preprocessing statement to re-design features.Algorithm (a) Description of an algorithm including parameters

of the algorithm.Model (m) Generated detection model.Results (r’) Results of a validation or a feature request.Event handler (e) Event handler to receive online Athena events.Reactions (r) Reactions for handling suspicious hosts.Operations (o) Flags for a network monitoring per features.

TABLE IV. AN ENUMERATION OF SUPPORTED FUNCTIONS PERPARAMETER.

Query (q) OperatorsArithmetic >, >=, ==, !=, <=, <Relationship and, orOptions Sorting, Aggregation, LimitingPreprocessor (f) DescriptionWeighting Emphasize certain featuresSampling Select a subset from entire featuresNormalization Standardize the range of independent variablesMarking Mark a set of entry labeled as malicious entryAlgorithm (a) Supported algorithmsBoosting Gradient Boosted TreeClassification Decision Tree, Logistic Regression, Naive Bayes,

Random Forest, SVMClustering Gaussian Mixture, K-MeansRegression Lasso, Linear, RidgeSimple ThresholdReactions (r) DescriptionBlock Block target hostsQuarantine Isolate hosts in honeynetsOperations (o) DescriptionTrue Turn on network monitoringFalse Turn off network monitoring

network features, feature validation with a large-scale dataset,run-time threat detection logic, a dynamic threat mitigationpolicy, and results from GUI/CLI generation.

Athena automatically performs the anomaly detection task,including task integration with the external DB cluster andcomputing cluster. It reports (intermediate) results to the ap-plication while performing anomaly detection. The applicationupdates internal status and configures new Athena hostedanomaly tasks based on the results. Furthermore, Athena pro-vides a GUI/CLI interface that allows the operator to receivealerts and manage the Athena application in a centralizedmanner.

V. ATHENA USE CASES

To illustrate the utility of the Athena framework, we presentmultiple sample anomaly detection applications. Due to space

Athena Application

Network Events

Athena Framework

Consolidated executorJobs/Results

…

DB Cluster

…

Computing Cluster

Features (Large)

K-Means Threshold

Algorithm pool…

Quarantine Block

Reaction pool…

Pair_Flow Throughput

Feature pool…

Monitor Detector

Reactor

Select features

Select algorithms

Select reactions

1. Configure 2. Results 3. ReconfigureAthena GUI/CLI Interface

ReactionControl Information

SDN ControllerSDN Controller SDN Controller

Fig. 5. Implementing a general purpose anomaly detector across a distributedSDN stack with Athena.

limitations, we only show the pseudocode for the DDoSDetector (scenario #1).

TABLE V. A LIST OF POSSIBLE FLOW-RELATED FEATURES TO DETECTDDOS ATTACK. THE (*) STAR NOTATION INDICATES THE PREFIX OR

POSTFIX OF THE Athena FEATURES.

Characteristic Possible featuresUnidirectional traffic PAIR_FLOW, PAIR_FLOW_RATIOTraffic volume pattern PACKET_COUNT, BYTE_COUNT,

BYTE_PER_PACKET,PACKET_PER_DURATION,BYTE_PER_DURATION

Duration of flow DURATION_SEC, DURATION_N_SEC

A. Scenario 1: A Large-scale DDoS Attack Detector

One strength of the Athena framework is its ability to createscalable network anomaly detection services across large andphysically distributed network environments. To demonstratethis scalability, we implement a large-network DDoS attackdetection application using Athena’s northbound APIs. SinceAthena automatically collects all of the network features acrossthe SDN data plane by default, an operator may deploy Athenaon the network to automatically gather the features necessaryto drive our detector. Here, we discuss DDoS model creation,feature validation, and summarize our test results.

Creating the DDoS Detection Model: Detection modelcreation begins with a definition of the desired network fea-tures for use during the training phase. The developer sets

6

Application 1 A pseudo-code illustration of an Athena-basedDDoS attack detection application./* Define the features to be trained */q_train = GenerateQuery (constraints of features);

/* Define data pre-processing */f = GeneratePreprocessor (Normalization,

Weight for certain features,Marking malicious entries,...);

/* Register the features used in the algorithm */f.addAll(candidate features);

/* Define an algorithm with parameters */a = GenerateAlgorithm (a detection algorithm);

/* Generate a detection model */m = GenerateDetectionModel (q_train, f, a);

/* Define the features to be tested */q_test = GenerateQuery (constraints of features);

/* Test the features */r’ = ValidateFeatures(q_test, f, m);

/* Show results with CLI interface */ShowResults(r’);

TABLE VI. A COMPARISON OF THE TEST ENVIRONMENT.

Category [10] AthenaSwitch 3 OF switches 18 OF switches

(6 physical, 12 OVS)Link 3 links 48 linksController 1 instance 3 instancesFeature 6-tuples 10-tuplesAlgorithm SOM K-Means

the data preprocessing parameters to normalize the featuresthat capture the characteristics of a DDoS attack described inTable V. These features are set by the f.addAll() utilityAPI. Here, we configure Weight for emphasizing certainnetwork features, and Marking for annotating maliciousentries 2.

Algorithm represents a detection model, and it is con-figured with a machine learning algorithm and its parameters(e.g., we may choose K-Means with k = 5, and 20 iterations).Developers then invoke GenerateDetectionModel tocreate the detection model, and Athena distributes the MLdetection tasks to compute worker nodes. After job completion,the application receives the detection model. These steps areoutlined in the pseudocode.

DDoS Feature Validation: The developer next de-fines the desired network features to receive results froman analysis of the testing phase. The developer de-fines Query and Preprocessor in the same way, andcalls ValidateFeatures with the pre-defined Query,Preprocessor, and the Model. Upon completion of thetesting phase, Athena generates a testing summary, as illus-trated in Figure 6.

DDoS Testing Environments and Results We establisheda testing environment to reflect an enterprise-scale networktopology as illustrated in Figure 7, and compare our envi-

2These labels are used by the supervised and unsupervised learning algo-rithms.

Fig. 6. Output of the DDoS detector application. The details of clusterinformation are excluded after cluster #2.

18 OpenFlow Switches (6 Physical, 12 OVS)48 Links36 Hosts

Target ServersBenign site #1 Benign site #2Attacker site

Fig. 7. Enterprise-scale topology for evaluating the DDoS Detectionapplication.

ronment with previous work for an SDN-based DDoS detec-tion [10], as described in Table VI. Our topology consists of48 links and 18 switches (6 physical switches, and 12 OVSswitches) managed by three distributed network controllers,including Athena instances. We deployed a K-Means-based al-gorithm with 10 tuples, and simulated the testing environmentusing a Mininet environment. The attack scenario is similar totraffic patterns in [10]. The detection rate is 99.23%, and falsealarm rate is 4.46%. We will discuss these results further inSection VII-B.

B. Scenario 2: Link Flooding Attacks (LFA) Mitigation

LFA represents a serious and common network attack, inwhich the adversary saturates a target network area with fewresources [25]. A noteworthy aspect of the Athena frame-work is that, unlike some other tools, it produces moni-toring applications that are deployable without modificationto the underlying network infrastructure. For example, wecompare the implementation of LFA mitigation using Athenawith Spiffy [26], which utilizes the transmission rate controlmechanism within the TCP protocol to detect and mitigateLFA. Spiffy adjusts how much traffic should be deliveredthrough a conditional assessment of the current network status.It assumes that malicious flows do not respond to a temporarychange of a network status, which differs from the normalprofile of legitimate flows. As a solution, temporary bandwidthexpansion (i.e., expanding bandwidth temporarily to detectmalicious flows by leveraging characteristics of TCP) andruntime flow migration (i.e., re-assigning flows to expandbandwidth for a suspicious link) are proposed.

7

TABLE VII. COMPARISON OF LINK FLOODING ATTACK DETECTIONAND MITIGATION STRATEGIES USING SDNS.

Category Spiffy [26] AthenaLink congestion SNMP Built-inRate change OpenSketch [4] OF switchTraffic engineering Edge router All switchesInsider threat Out of scope Covered

LFA Mitigation Service using Athena: We have im-plemented a comparable Link Flooding Attacks mitigationservice as an Athena application. In Table VII, we present acomparison of the Spiffy implementation of the LFA mitigationservice using the same solution implemented with the Athenaframework. Here, the demanding functions involved in LFAdetection and mitigation include solving link congestion de-tection, recognizing per-flow rate changes, and implementingflow alterations.

LFA Event Handler Registration: The LFA detectorreceives link usage to measure link utilization and per-flowchanges to distinguish attackers. Since Athena provides variousvolume-based features including per-flow changes, we definethese candidate features, including a threshold. For example,the candidate features are volume-based features such asport_rx_bytes_var, which represents changes at eachport, and flow_byte_count_var, which represents thechange in byte counts. Likewise, we choose volume-basedfeatures (e.g., port_rx_bytes). Finally, we simply call theAddEventHandler API with a pre-defined event handler toperform the detection and mitigation of incoming events.

LFA Detection Logic: Developers may implement thecustom detection logic in the Event_Handler. The detectionlogic includes lightweight threshold-based flooding detection,which measures volume per port, and may use a TBE-baseddetector that tracks per flow changes. Lastly, the mitigationlogic simply blocks suspicious hosts based on the detectionresults by invoking Reactor.

Using Athena, we can implement the proposed SpiffyLFA detection and mitigation mechanism with our SDN testenvironment in under 25 lines of Java code, excluding thecustom detection logic.

Comparing Athena-based LFA mitigation with Spiffy:Table VII shows the comparison of LFA detection and miti-gation using Spiffy and Athena. Spiffy uses an SNMP-basedlink utilization measurement to detect congested links. How-ever, operators need to configure SNMP-based measurementfunctions, and the network’s switches must also support thisfunction. Spiffy leverages OpenSketch-enabled switches [4] todetect rate changes from an edge. Although OpenSketch couldreduce overhead to measure rate changes, operators must de-ploy OpenSketch-enabled switches into their existing networkinfrastructure. This increases the deployment cost of the Spiffysolution, as it requires features that are non-standard in manySDN environments. Implementing the same anomaly detectionalgorithm using Athena removes the need for vendor-specificnetwork devices and SNMP-enhanced monitoring capabilities.In contrast to the Spiffy environment, Athena’s application canoperate directly on the SDN without data plane alterations.

Security device

All) s1 -> s2 -> s3 -> s4 -> Server farm s5 -> s6 -> s7 -> Server farm

100

10

RulesApplication

Load balancer

Security

Priority

FTP) any -> DPI -> DST(Shortest path)

No rule conflicts!

S1 S2 S3

S6S5

S4

S7

Web, FTP server farm

Hosts

Hosts

Load balancer Security

Legend

Fig. 8. An illustration of the Network Application Effectiveness problem.

C. Scenario 3: Network Application Effectiveness (NAE)

Network applications are critical elements of a network’sSDN stack, as they embody the logic that defines the flowpolicies for the entire network. Thus, validating applicationbehavior is important, particularly before their adoption intocritical or sensitive network environments. Unfortunately, itis difficult to verify application behavior, as modern SDNenvironments may allow multiple applications to run on a con-troller in parallel. These applications can also cause conflicts inthe form of flow rule contradictions. Several SDN researchershave tried to solve this problem through control mechanismsto resolve network application conflicts [27], [28], [29], [30].However, they did not explore misuse anomalies that canviolate network policies defined at deployment. We refer tothis as the Network Application Effectiveness (NAE) problem,as illustrated in Figure 8.

Let us assume that an operator installs a load-balancing(LB) application, which defines flow rules intended to evenlydistribute a target traffic load across a given set of networkservices. Consider a security application that attempts todirect FTP-related traffic through an inline security devicethat analyzes the FTP traffic for signs of malicious commandpatterns. In this scenario, the LB app and the security appmay conflict in their decisions regarding packet forwarding. Tohandle conflicts, operators set a higher priority for the securityapp, thus allowing it to over-rule the LB app when their rulesconflict. While the problem is well known and addressed byprior work [27], [28], [29], [30], these projects do not considerhow to detect the wide range of unwanted network anomaliesthat may arise as flow rules are evaluated and discarded by thecontrol layer.

The above scenario leads to interesting potential flowpattern anomalies that can arise as the control plane beginsto resolve conflicts in the rules produced by the competingapplications. For example, if the primary purpose of thenetwork in Figure 8 is to serve FTP users, the network maysuffer significant overhead by the unbalanced load producedby the security policy. When the network is dominated byFTP flows, this traffic will begin to saturate S6 due to thesecurity app. Although S3 is available to deliver traffic tothe destination, it cannot receive traffic due to the securityapp’s shortest path policy which dictates that all traffic fromS6 goes to S7. To evaluate this, we set up an experimentalenvironment, with the edge switches S1 and S5, where eachhost downloads files or accesses pages from the FTP and web

8

Security app activated

Rule expired

Fig. 9. The coarse-grained analysis result alerted by the Athena UI manager,when applications obey the user-defined SLA.

servers respectively.

NAE Monitor Implementation: Detecting the NAE prob-lem is straightforward with Athena since it provides a strongquery mechanism to retrieve network features with advanceddata preprocessing capabilities (e.g., sorting, aggregation, andranking). We register an event handler to retrieve flow-relatednetwork features per application by AddEventHandler, andanalyze whether a given feature obeys a user-defined SLA (ser-vice level agreement)3 by the Check_SLA()4. If an incomingevent obeys the SLA, the ResultsGenerator utility API isinvoked to generate the Results to notify operators. Finally,it reports anomalous behavior to the operator’s GUI interfacevia the ShowResults API, as illustrated in Figure 9.

NAE Analysis Results: Figure 9 shows our applicationresults. Since we set up a query with “Match DPID==(6or 3)”, the results only represent relevant features aggre-gated by app ID, switch ID, and timestamp. It shows a globalview of packet count information per switch. The sawtoothpattern in this graph is caused by the expiration of flow rules,since LB app issues flow rules with soft timeout 5. After thesecurity app is activated from 03:58, the security app takesover most traffic flows, re-routing their packets into the pathof the security device. Therefore, the LB App loses forwardingcontrol due to its low priority. Although the LB app is active,the network begins to suffer unexpected saturation in somelinks and low volume in others. We implemented the NAEproblem detector on Athena within 30 lines of Java code.

VI. IMPLEMENTATION

We have developed a prototype implementation of theAthena framework that integrates within ONOS [14], whichis an emerging SDN distributed controller for large-scale net-works, focusing on service provider use-cases. Athena also em-ploys MongoDB [31] for its distributed database, Spark [32],[33] for its scalable computing cluster, and JfreeChart [34]for the graphical interface. The prototype operates on ONOSversion 1.6, using OpenFlow 1.0 and 1.3, MongoDB version

3In this scenario, the SLA is that traffic should be distributed evenly pereach switch.

4This function is a custom algorithm to detect asymmetric traffic patterns.5The soft timeout is used for deleting flow rules, when there are no incoming

packets within a certain time.

3.2, Spark version 1.6, and JfreeChart version 1.0.13. Wehave implemented the prototype of Athena with approximately15,000 lines of Java code.

Athena is implemented as an ONOS subsystem, whichprovides services to an application layer. We modify the imple-mentation of OpenFlowController to get OpenFlow con-trol messages directly, and OpenFlowDeviceProvider toissue statistics request messages to the SDN data plane. Wemark an XID value for statistics request messages to calculatevariation features exactly, as ONOS issues request messagesto the data plane as part of its management functions. Toextract application information per flows, Athena leveragesthe FlowRule subsystem, which manages flow entries withinthe controller. The Athena application operates as a separateprocess and communicates with the Athena framework viainterprocess communication to reduce dependencies.

VII. EVALUATION

We now evaluate Athena with respect to its usability,network scalability, and overhead. To explore its usability, weconsider the design of Athena’s anomaly detection applicationsagainst comparable applications developed without Athena.For the scalability assessment, we evaluate performance ofthe large-scale DDoS anomaly detection algorithm introducedin Section V-A. Finally, we measure the overhead of Athenafeature extraction using the Cbench benchmark. To evaluateour work, we created an experimental environment with fivehigh performance servers (four Intel hexa-core Xeon E5-1650,one Intel octa-core Xeon E5-2650) with 64GB RAM, two IntelI5 quad-core I5-4690 and 16GB RAM memory, seven physicalswitches 6.

A. Evaluating Usability of Athena

TABLE VIII. THE LINES OF JAVA CODES FOR A DDOS DETECTOR PERALGORITHM (EXCLUDING IMPORTS).

DDoS detector(Algorithm)

Athena Spark Hama [35]

K-Means 45 825 817Logistic Regression 42 851 829

In evaluating the usability of Athena, we implemented aDDoS detection application within different environments, andthen provide a rough approximation of the implementationcomplexity by quantifying the source lines of code (SLoC)required to implement the application. While imperfect, SLoCis often used as a metric of usability (e.g., [36], [37]). Webelieve that SLoC (application compactness), given the lackof a large developer-base for feedback, provides a useful earlyusability measure, similar in spirit to how it was applied toanswer this same question in related prior work.

Each resulting application embodies the functionality ofthe DDoS attack detector in Section V. As summarized inTable VIII, the application based on Athena uses 5% of thelines of code that comparable functionalities require whenimplemented on Spark [32] and Hama [35].

6Two Pica8 P3290, two PICA8 P3297, two PICA8 AS4610, and oneARISTA 7050T-36.

9

200

400

600

800

1000

1200

1400To

tal t

estin

g tim

e (s

)

Athena application Spark application

1 2 3 4 5 6Number of computing nodes

0

200

Fig. 10. A performance assessment of the DDoS application while performinganomaly detection tasks per the number of computing nodes.

B. Measuring Scalability of Athena

Figure 10 presents the performance results for the DDoSdetection application in Section V-A. We use an experimentalenvironment with ten instances on the three Xeon servers. Theinstances consist of six compute nodes and a master node onthe two hexa-core Xeon servers, and three DB nodes on theocta-core Xeon server. Here, we measure the total testing timeaccording to the number of compute instances. The datasetincludes 37,370,466 entries for a 50GB dataset. As the numberof computing instances increases, we observe a linear decreasein the total processing time and the total test time with sixnodes is approximately 27.6% of the test time with a single-compute node instance. We compare the application hostedby Athena with an application on Spark, and results showAthena introduces a small overhead (under 10%) over theSpark application.

C. Overhead of Athena’s Feature Extraction

We measure the overhead of Athena’s feature extractionwhile handling external events and compare this overhead tothe ONOS baseline (e.g., Cbench benchmark, and CPU usage).We set up an experimental environment with the hexa-coreXeon server to test Cbench benchmark and two hexa-coreXeon servers with seven physical switches to measure CPUusage while gathering events from the switches.

TABLE IX. CBENCH BENCHMARK FLOW INSTALL THROUGHPUT WITHAND WITHOUT ATHENA (RESPONSE/S) OVER 50 ROUNDS OF TESTING.

MIN MAX AVGWithout 773,618 883,376 831,366With 107,245 610,724 389,584With (no DB) 631,647 686,227 658,514Overhead(no DB)

86.13%(18.35%)

30.86%(22.31%)

53.13%(20.79%)

1) Cbench benchmark with/without Athena: The ONOStesting group evaluates the scalability of ONOS to measurehow many burst events could be handled. For example, theyevaluate burst Packet_IN event handling throughput with asingle instance, which is called the Cbench benchmark. To dothis, we evaluate Athena using Cbench’s throughput mode with

2 4 6 8 10 12 14Total number of flows (x10K)

0

20

40

60

80

100

CPU

usa

ge (%

) ONOS with Athena ONOS baseline

Fig. 11. Average CPU usage while handling flow events with/without Athena.

the ONOS’s recommended settings [38] and summarize resultsin Table IX. On average Athena has 53.13% lower throughputand in the worst-case has 86.13% performance degradation.However, without DB operations, Athena induces only 20%performance degradation.

2) CPU usage with/without Athena: The overhead ofAthena is dependent on how much information is in the SDNstack, including the control and data plane, as it passivelymonitors and analyzes them both. To compute the monitoringoverhead of handling network events from SDN stacks, weconducted experiments to measure the CPU load when usingONOS with and without Athena. To do this, we established atesting environment with a controller on the hexa-core Xeonserver, which is connected to the six physical switches, and12 OVS instances on the two hexa-core Xeon and the two i5servers respectively with dummy flows to generate monitoringevents. Figure 11 illustrates the testing results. Since Athenastores events to the data plane while maintaining internalstatus to generate stateful features, the flow handling overheadincreases according to the total number of flow entries in theswitches. We find that ONOS with Athena saturates at about140K flows per second, while the CPU utilization is about31% for the basic ONOS instance.

3) Discussion: We found that the performance overheadof our system primarily originates from MongoDB relatedoperations. To boost Athena‘s performance, we will considerreplacing MongoDB with a high-performance database likeCassandra [43].

VIII. RELATED WORK

We now discuss how prior projects have sought to addressthe challenges described in Section II, including various limita-tions in their coverage. Table X provides a comparison betweenAthena and existing work related to network anomaly detectionand monitoring in SDN environments.

Anomaly detection strategies: The inherent centralizedcontrol-layer design of SDNs enables operators an efficient po-tential network-wide choke-point from which to gather a widerange of network features. In fact, several prior anomaly detec-tion projects [26], [6], [9], [5], [39] have successfully leveragedvolume-based network features available through monitoringthe OpenFlow protocol to detect network anomalies, such asDDoS attacks and switch anomalies. Mehdi et.al. [8] exploredthe feasibility of adopting traditional anomaly detection tech-niques with OpenFlow‘s monitoring capabilities, and Braga

10

TABLE X. COMPARISON OF Athena WITH RELATED WORK FROM NETWORK ANOMALY DETECTION AND NETWORK MONITORING WITH DIVERSEPERSPECTIVES. (V : VOLUME-BASED, S: STATEFUL, SP: SAMPLING, D: DPI, SS: SDN-SPECIFIC)

Network Anomaly detectionPurpose Architecture NB Interface SB Interface Feature Network Features

Management V S SP D SS

Athena Framework for anomaly detection Distributed Ad-hoc API OpenFlow 3 3 3 3[37] Framework for security apps Single Script OpenFlow 3 3 3 3

[8], [10] General anomaly detection Single - OpenFlow 3 3[6] Malicious switch detection Single - OpenFlow 3[16] NFV optimization Distributed - OpenFlow

[5], [9] General anomaly detection Single - OpenFlow, sFlow 3 3 3[26] LFA detection Single - OpenFlow, SNMP 3[39] Framework for anomaly detection Single - OpenFlow 3

Network MonitoringPurpose Architecture NB Interface SB Interface Custom Switch Resource Data Query

Optimization Persistency

Athena Framework for anomaly detection Distributed Ad-hoc API OpenFlow 3 3[40] Framework for network monitoring Single RESTful API OpenFlow 3 3[17] Distributed network analysis Distributed NetConf Netflow, SNMP, IPSLA 3 3[18] Distributed network monitoring Distributed - OpenFlow 3 3[4] Scalable flow counter monitoring Single Ad-hoc API OpenSketch 3 3[3] Scalable flow counter monitoring Single Ad-hoc API OpenFlow 3 3[2] Resource allocation for measurement Distributed Ad-hoc API - 3 3

[7], [19] Efficient flow counter monitoring Single - OpenFlow 3[20] Low latency flow counter monitoring Single - sFlow 3[41] Network monitoring with NFV Single Policy Language OpenFlow[42] Framework for network monitoring Single Policy Language Various sources

et.al. [10] leveraged OpenFlow statistics to demonstrate low-cost detection of DDoS flooding attacks. FRESCO [37] ex-ports a script-based development environment that facilitatesthe creation of security applications that monitor well-knownnetwork features (e.g., TCP session). However, these effortsdo not consider how to fully utilize network features derivedfrom an SDN environment to monitor it for behavioral andoperational stability.

From the perspective of detection strategies, most relatedefforts [26], [6], [9], [5], [39], [8], [10] focus on fixed detectionalgorithms against specific attacks, not general purpose algo-rithms. While FRESCO [37] and ATLANTIC [39] provide aset of libraries that aim to facilitate attack detection (e.g., portscanning), only the former provides well-structured mitigationactions and it does not support multi-instance controller envi-ronments.

Scalable SDN monitoring: Several prior projects have ex-plored various ways to reduce the overhead of gatheringvolume-based network features [20], [19], [7], [3], [2], [4],[18]. In fact, there have been prior efforts to incorporate adistributed architecture that allows operators to scalably gathernetwork features, such as [17], [2], [18]. However, thoseprojects have not proposed detection strategies for tracking ma-licious network behaviors. Furthermore, most of these projecthave assumed the adoption of additional customized switchesto perform their scalable network monitoring [17], [18], [4],[3], [2].

Bohatei [16] proposed a scalable DDoS detection andmitigation solution, leveraging an optimization technique thatdistributes jobs to NFV machines to increase data process-ing throughput. Bohatei leverages additional NFV devicesto perform network functions, and does not directly im-plement the anomaly detection algorithms. There have alsobeen sampling-based SDN monitoring approaches to reducecollection overhead when collecting statistics from OpenFlowenvironments [9], [5]. These techniques rely on the adoption

of sFlow sampling. Spiffy [26] has demonstrated strategies forLink Flooding Attacks mitigation [25], relying on the SDN’scentralized management to insert flow mitigation. A limitationof Spiffy is that it requires a customized switch to measure thenetwork behavior. Finally, there are several additional projectsthat have explored the feasibility of anomaly detection inSDNs: [37], [10], [8], [6], [39]. Unlike Athena, none of theseprojects address our scalability requirements.

Improving SDN usability: Several prior projects have intro-duced northbound APIs that allow operators to conduct variousforms of network monitoring [42], [41], [2], [3], [4]. Pay-less [40] provides a semantical monitoring capability that helpsoperators monitor networks by calling well-structured RESTfulAPIs that reflect a high-level set of monitoring requirements.DNA [17] introduces a scalable network monitoring functionto examine telemetry data sources. Although these previousprojects enhance usability by exporting well-structured APIsto operators, they do not provide a detection algorithm to findnetwork anomalies.

IX. CONCLUSION

We explore several challenges in designing scalableanomaly detection services in large-scale SDN environments.We evaluate an initial prototype implementation of our so-lution, Athena, over the open-source ONOS distributed SDNcontroller. We discuss how Athena enables security researchersand developers to make anomaly detection applications witha minimum of programming effort through its API abstrac-tion layer. We also discuss generalized use of off-the-shelfstrategies for driving network anomaly detection algorithmdevelopment and introduce a new SDN-specific anomaly.

Athena employs a distributed database and a clusteredcomputing platform, which can deploy these detection al-gorithms across a large-scale distributed control plane. TheAthena framework is designed to operate on existing SDN in-frastructures, enabling operators to deploy it in a cost efficient

11

manner. Our evaluations demonstrate that Athena can supportwell-known network anomaly detection services in an efficientmanner, by scaling to a large-scale dataset from a large-scaledatacenter-like physical network environment. Athena has beenpublicly released as an open-source project to the academic andSDN research community.

ACKNOWLEDGMENT

This work was supported by the ICT R&D program ofMSIP/IITP, Republic of Korea [No. B0190-16-2011, Korea-US Collaborative Research on SDN/NFV Security/NetworkManagement and Testbed Build]. This material is based uponwork supported by the National Science Foundation underGrant Numbers 1446426 and 1642150. Any opinions, findings,and conclusions or recommendations expressed in this materialare those of the author(s) and do not necessarily reflect theviews of the National Science Foundation.

REFERENCES

[1] S. Subashini and V. Kavitha, “A survey on security issues in servicedelivery models of cloud computing,” Journal of network and computerapplications, vol. 34, no. 1, pp. 1–11, 2011.

[2] M. Moshref, M. Yu, R. Govindan, and A. Vahdat, “Scream: Sketchresource allocation for software-defined measurement,” in CoNEXT,Heidelberg, Germany, 2015.

[3] ——, “Dream: dynamic resource allocation for software-defined mea-surement,” in Proceedings of ACM SIGCOMM 2014.

[4] M. Yu, L. Jose, and R. Miao, “Software defined traffic measurementwith opensketch,” in USENIX Symposium on Networked Systems Designand Implementation (NSDI 2013).

[5] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, andV. Maglaris, “Combining openflow and sflow for an effective andscalable anomaly detection and mitigation mechanism on sdn environ-ments,” Computer Networks, vol. 62, pp. 122–136, 2014.

[6] A. Kamisinski and C. Fung, “Flowmon: Detecting malicious switchesin software-defined networks,” in Proceedings of the ACM Workshopon Automated Decision Making for Active Cyber Defense, 2015.

[7] C. Yu, C. Lumezanu, Y. Zhang, V. Singh, G. Jiang, and H. V.Madhyastha, “Flowsense: Monitoring network utilization with zeromeasurement cost,” in Passive and Active Measurement, 2013.

[8] S. A. Mehdi, J. Khalid, and S. A. Khayam, “Revisiting traffic anomalydetection using software defined networking,” in Recent Advances inIntrusion Detection, 2011.

[9] K. Giotis, G. Androulidakis, and V. Maglaris, “Leveraging sdn forefficient anomaly detection and mitigation on legacy networks,” in ThirdEuropean Workshop on Software Defined Networks (EWSDN), 2014.

[10] R. Braga, E. Mota, and A. Passito, “Lightweight ddos flooding attackdetection using nox/openflow,” in IEEE Local Computer Networks(LCN), 2010.

[11] SDNSecurity, http://www.sdnsecurity.org/.[12] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “Network

anomaly detection: methods, systems and tools,” IEEE CommunicationsSurveys & Tutorials, vol. 16, no. 1, 2014.

[13] M. Vallentin, V. Paxson, and R. Sommer, “Vast: a unified platform forinteractive network forensics,” in USENIX Symposium on NetworkedSystems Design and Implementation (NSDI 2016).

[14] P. Berde, M. Gerola, J. Hart, Y. Higuchi, M. Kobayashi, T. Koide,B. Lantz, B. O’Connor, P. Radoslavov, W. Snow et al., “ONOS: towardsan open, distributed SDN OS,” in Proceedings of ACM HotSDN 2014.

[15] T. Koponen, M. Casado, N. Gude, J. Stribling, L. Poutievski, M. Zhu,R. Ramanathan, Y. Iwata, H. Inoue, T. Hama et al., “Onix: A distributedcontrol platform for large-scale production networks.” in Proceedingsof OSDI, 2010.

[16] S. K. Fayaz, Y. Tobioka, V. Sekar, and M. Bailey, “Bohatei: flexible andelastic ddos defense,” in Proceedings of the 24th USENIX Conferenceon Security Symposium. USENIX Association, 2015, pp. 817–832.

[17] A. Clemm, M. Chandramouli, and S. Krishnamurthy, “Dna: An sdnframework for distributed network analytics,” in IFIP/IEEE Interna-tional Symposium on Integrated Network Management (INM), 2015.

[18] Y. Yu, C. Qian, and X. Li, “Distributed and collaborative trafficmonitoring in software defined networks,” in Proceedings of ACMHotSDN, 2014.

[19] L. Jose, M. Yu, and J. Rexford, “Online measurement of large trafficaggregates on commodity switches.” in Hot-ICE, 2011.

[20] J. Suh, T. T. Kwon, C. Dixon, W. Felter, and J. Carter, “Opensample:A low-latency, sampling-based measurement platform for commoditysdn,” in International Conference on Distributed Computing Systems(ICDCS), 2014.

[21] POX, “Python network controller,” http://www.noxrepo.org/pox/about-pox/.

[22] N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado, N. McKeown,and S. Shenker, “NOX: Towards an Operating System for Networks,”in Proceedings of ACM SIGCOMM Computer Communication Review,July 2008.

[23] J. Medved, R. Varga, A. Tkacik, and K. Gray, “Opendaylight: Towardsa model-driven sdn controller architecture,” in 2014 IEEE 15th Inter-national Symposium on WoWMoM, 2014.

[24] FloodLight, “Open sdn controller,” http://floodlight.openflowhub.org/.[25] M. S. Kang, S. B. Lee, and V. D. Gligor, “The crossfire attack,” in

IEEE Symposium on Security and Privacy, 2013.[26] M. S. Kang, V. D. Gligor, and V. Sekar, “Spiffy: Inducing cost-

detectability tradeoffs for persistent link-flooding attacks,” 2016.[27] A. Khurshid, X. Zou, W. Zhou, M. Caesar, and P. B. Godfrey, “Veriflow:

Verifying network-wide invariants in real time,” in USENIX Symposiumon Networked Systems Design and Implementation (NSDI 2013).

[28] P. Kazemian, G. Varghese, and N. McKeown, “Header space analysis:Static checking for networks,” in USENIX Symposium on NetworkedSystems Design and Implementation (NSDI 2012).

[29] M. Canini, D. Venzano, P. Perešíni, D. Kostic, and J. Rexford, “Anice way to test openflow applications,” in USENIX Symposium onNetworked Systems Design and Implementation (NSDI 2012).

[30] P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu, “Asecurity enforcement kernel for openflow networks,” in Proceedings ofACM HotSDN 2012.

[31] MongoDB, https://www.mongodb.com.[32] M. Zaharia, M. Chowdhury, M. J. Franklin, S. Shenker, and I. Stoica,

“Spark: Cluster computing with working sets.” HotCloud, 2010.[33] X. Meng, J. Bradley, B. Yavuz, E. Sparks, S. Venkataraman, D. Liu,

J. Freeman, D. Tsai, M. Amde, S. Owen et al., “Mllib: Machine learningin apache spark,” arXiv preprint arXiv:1505.06807, 2015.

[34] Jfreechart, http://www.jfree.org/jfreechart/.[35] Apache, “Hama,” https://hama.apache.org/.[36] S. K. Fayazbakhsh, L. Chiang, V. Sekar, M. Yu, and J. C. Mogul, “En-

forcing network-wide policies in the presence of dynamic middleboxactions using flowtags,” in USENIX Symposium on Networked SystemsDesign and Implementation (NSDI 2014).

[37] S. Shin, P. A. Porras, V. Yegneswaran, M. W. Fong, G. Gu, andM. Tyson, “Fresco: Modular composable security services for software-defined networks.” in NDSS, 2013.

[38] OnLab, “Master-performance and scale-out,” https://wiki.onosproject.org/display/ONOS/Master-Performance+and+Scale-out.

[39] A. S. da Silva, J. A. Wickboldt, L. Z. Granville, and A. Schaeffer-Filho,“Atlantic: A framework for anomaly traffic detection, classification, andmitigation in sdn,” in NOMS 2016-2016 IEEE/IFIP Network Operationsand Management Symposium.

[40] S. R. Chowdhury, M. F. Bari, R. Ahmed, and R. Boutaba, “Payless: Alow cost network monitoring framework for software defined networks,”in IEEE Network Operations and Management Symposium (NOMS)2014.

[41] J. R. Ballard, I. Rae, and A. Akella, “Extensible and scalable networkmonitoring using opensafe.” in INM/WREN, 2008.

[42] H. Kim and N. Feamster, “Improving network management with soft-ware defined networking,” IEEE Communications Magazine, vol. 51,no. 2, pp. 114–119, 2013.

[43] Apache, “Cassandra,” http://cassandra.apache.org/.

12