INFOTEH-JAHORINA Vol. 16, March 2017.

SDN-Based Intrusion Detection System
Literature review

Juma Ibrahim
Computer science and informatics
School of Electrical Engineering
Belgrade, Serbia
jumaibrahim04@yahoo.com

Slavko Gajin
Computer science and informatics
School of Electrical Engineering
Belgrade, Serbia
slavko.gajin@rcub.bg.ac.rs

Abstract - The world of networking has changed from a small group of interconnected devices to billions of devices: servers, hosts, printers, smartphones etc. This growth increases the requirements in terms of network security. By decoupling the data and control planes, Software Defined Networking (SDN) transforms the traditional network architecture into a reliable, centrally manageable and programmable structure. However, computer and network security remains the main concern for network and system administrators. Different types of software and hardware solutions are used to eliminate the dangers posed by attackers, but new types of attacks appear on a daily basis. An Intrusion Detection System (IDS) has the ability to locate and identify malicious activity in the network by examining network traffic in real time. It gives administrators the visibility and reliability needed to monitor and control their systems. This paper presents a survey of various research efforts towards the development of intrusion detection systems based on software defined networking.

Keywords - SDN; IDS; OpenFlow

I. INTRODUCTION

A successful attack allows intruders to gain unauthorized access to system resources, so attacks have to be prevented. It is important to build security features and techniques that prevent attacks and protect the infrastructure, such as access control, permissions, firewalls, and other secure software and hardware. However, in a complex system it is very hard to achieve full protection, as well as to manage and maintain such an environment. Therefore it is cheaper to prevent some attacks and detect the rest, and this is the idea behind the Intrusion Detection System (IDS). An IDS has the ability to locate and identify malicious activity in the network by examining network traffic in real time. The function of an IDS is to monitor and analyze events within computers and networks. When attacks happen we should know about them, so that technical measures can be taken to stop the threat and protect the system.

SDN is an emerging architecture that allows network administrators to manage network devices through a separation of data and control functions. It provides centralized control and a centralized view of the network, with the ability to program the network through external applications. Many papers and research proposals have been published regarding intrusion detection systems in classical IP-based networks, but few of them introduce the concept of an intrusion detection system based on software defined networking technology. This paper presents a survey of various research efforts towards the development of intrusion detection systems based on software defined networking. Section I provides a brief introduction, while Section II gives an overview of the SDN technology. Section III introduces the different types of IDS and their detection techniques. The concept of SDN-based IDS and a comparison of different approaches are discussed in Section IV. Finally, we draw conclusions and outline future work in Section V.

II. SOFTWARE DEFINED NETWORK (SDN)

Existing network devices such as routers and switches have their own operating systems, which offer a limited set of configuration options. If network administrators or security engineers want to make significant changes, such as deploying new protocols or technologies that are not currently supported, the whole device must be replaced, which is a costly and unacceptable approach.

The concept of Software Defined Networking (SDN) involves managing network services through abstraction of lower-level functionality. In other words, the separation of the data and control planes with a well-defined Application Programming Interface (API) is the main characteristic of SDN. Data plane functionality covers all activities related to transmitting data packets, such as forwarding, fragmentation, reassembly, replication for multicasting etc. The control plane defines the functional logic of network communication equipment (routers or switches) that determines how one device communicates with other devices in the network. All routing protocols in routers, and the corresponding protocols in switches, are control plane protocols. The control plane includes all activities that are necessary to operate the data plane but do not involve end-user data packets (building routing tables, setting packet handling policies, base station beacons announcing the availability of services). Figure 1 depicts a logical view of the SDN architecture. Network intelligence is (logically) centralized in software-based SDN controllers, which maintain a global view of the network [1].
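As an added illustration of this data/control plane split (example code written for this review, not code from the paper or from any work it surveys), the Python model below keeps each switch as a bare flow-table lookup and places every decision, together with a network-wide view of traffic, in a single controller; it also shows how a detection rule can sit on that controller and use the global view, which is the idea the surveyed SDN-based IDS work builds on. The host and switch names, the rule format and the fan-out threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed model of the SDN split described above: switches keep only a flow
# table (data plane), while one controller holds all decision logic and a global
# view across every switch (control plane). Host/switch names, the rule format
# and the fan-out threshold are assumptions for illustration, not from any paper.

class Switch:
    def __init__(self, name):
        self.name = name
        self.rules = []          # (src, dst or None for any, action); first match wins
        self.controller = None

    def handle(self, src, dst):
        """Data plane: forward by table lookup; on a miss, ask the controller (packet-in)."""
        for rule_src, rule_dst, action in self.rules:
            if rule_src == src and rule_dst in (None, dst):
                return action
        return self.controller.packet_in(self, src, dst)

class Controller:
    def __init__(self, switches, fanout_limit=5):
        self.switches = switches
        for sw in switches:
            sw.controller = self
        self.fanout_limit = fanout_limit
        self.dsts_seen = defaultdict(set)   # global view: destinations per source, all switches
        self.alerts = []

    def packet_in(self, switch, src, dst):
        """Control plane: decide once, then program the data plane so later packets never come here."""
        self.dsts_seen[src].add(dst)
        if len(self.dsts_seen[src]) > self.fanout_limit:
            # A host fanning out to many new destinations is flagged from the
            # network-wide view and blocked on every switch, not just the one that asked.
            self.alerts.append(f"{src} reached {len(self.dsts_seen[src])} destinations; dropped network-wide")
            for sw in self.switches:
                sw.rules.insert(0, (src, None, "drop"))   # highest-priority wildcard rule
            return "drop"
        switch.rules.append((src, dst, "forward"))
        return "forward"

def demo():
    """Constructed traffic: h1 talks to one host via s1; h2 fans out alternating between s2 and s1."""
    s1, s2 = Switch("s1"), Switch("s2")
    ctrl = Controller([s1, s2], fanout_limit=3)
    normal = [s1.handle("h1", "h9") for _ in range(3)]        # one miss, then two table hits
    scan = [(s1 if i % 2 else s2).handle("h2", f"h{i}") for i in range(6)]
    return ctrl, normal, scan
```

In the constructed run neither switch on its own sees h2 exceed the threshold (each carries three of its six destinations); only the controller's global view does, and the resulting drop rule lands on both switches.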