Journal of Ambient Intelligence and Humanized Computing
https://doi.org/10.1007/s12652-020-02099-4

ORIGINAL RESEARCH

MitM detection and defense mechanism CBNA-RF based on machine learning for large-scale SDN context

Anass Sebbar (1,2) · Karim ZKIK (1) · Youssef Baddi (3) · Mohammed Boulmalf (1) · Mohamed Dafir Ech-Cherif El Kettani (2)

* Corresponding author: Anass Sebbar, anass.sebbar@uir.ac.ma; anass.sebbar@ieee.org
1 Université Internationale de Rabat, TICLAB, Sala Al Jadida, Morocco
2 ENSIAS, Mohammed V University, ESIN, Rabat, Morocco
3 ESTSB-Chouaib Doukkali, STIC, El Jadida, Morocco

Received: 30 December 2019 / Accepted: 15 April 2020
© Springer-Verlag GmbH Germany, part of Springer Nature 2020

Abstract

Software defined network (SDN) is a promising new network abstraction that aims to improve and facilitate network management. Due to its centralized architecture and the lack of intelligence on the data plane, SDN suffers from many security issues that slow down its deployment. The Man in the Middle (MitM) attack is considered one of the most devastating attacks in an SDN context. In fact, a MitM attack allows attackers to capture, duplicate and spoof flows by targeting southbound interfaces and SDN nodes. Furthermore, it is very difficult to detect MitM attacks since they are performed passively at the SDN level. To reduce the impact of this attack, security policies and authentication mechanisms are generally set up. However, these techniques are not applicable to a large-scale SDN architecture, as they require complex and static configurations and negatively influence network performance. In this paper, we propose an intrusion detection and prevention framework that uses machine learning techniques to detect and stop MitM attempts. To do so, we build a context-based node acceptance mechanism based on the random forest model (CBNA-RF), which helps to set up appropriate security policies and to automate defense operations in a large-scale SDN context. This mechanism can achieve quick and early detection of MitM attacks by automatically detecting malicious nodes without affecting performance. The evaluation of the proposed framework demonstrates that our model can correctly classify and detect malicious connections and nodes while keeping high accuracy and precision scores.

Keywords: SDN · MitM attack · Random Forest · machine learning · CBNA · ODL Controller

1 Introduction

Information technologies are evolving rapidly: more than 26 billion devices are currently connected, 80% of enterprise applications are already deployed in the cloud (Scale 2019; Bhushan and Gupta 2019a), and many new technologies have emerged to satisfy the expectations of businesses and customers, such as cloud computing, the internet of things, mobility and virtualization. To follow the development of these new technologies, system designers often need to modify networks, update software and orchestrate computer and network resources according to specific requirements. To meet the expectations of users and companies and to reduce the complexity of operations, it has become necessary to develop a new agile network architecture that easily enforces policies and supports automation.

It is in this context that the idea of Software Defined Networking (SDN) emerged (Kreutz et al. 2014). The basic idea of SDN was born from the need for free interoperability between equipment. In an SDN architecture the control and data planes are decoupled, network intelligence and control are logically centralized, and the underlying network infrastructure is abstracted from the applications, which allows the network to be dynamically programmed according to events occurring in real time.

SDN offers several benefits regarding agility, automation, loop avoidance, failure response and management; it provides a promising architecture for future networks (Rowshanrad et al. 2014). However, SDN suffers from many security issues. In fact, according to several studies (Scott-Hayward et al. 2013; Hu et al. 2015), the SDN architecture can be considered a single point of failure and a single point of attack (Zkik et al. 2018), as it is exposed to multiple threats such as hijacking (Lu et al. 2017), poisoning (Hong et al. 2015), configuration errors, denial of service (Kandoi and