Detection of cyber-attacks in network control planes using Hidden Markov Model

Software Defined Networking (SDN) is a networking architecture within the control is centralized through a software-based controller. Like Cyber-Physical Systems manager, this centralization eases the support of advanced application. Being a single point of attack makes the controller a preferred target in case of attack. To enhance the control plane against cyber-attacks, an observer is introduced and is in charge of the detection of cyber-attacks on the nominal controller. In this objective, a detection of anomalies method in the activity of the control is proposed. This activity is defined as the events at the interface of communication between the controller and the network plant. In this paper, a non-deterministic control is considered which means that the decisions are stochastic. Hence, a probabilistic approach is proposed which aims to evaluate the deviation of the likelihood of the sequence of decisions taken by the controller. The formalism used to determine the likelihood is the Hidden Markov Model which permits to infer over the internal states of the controller through the observations. This method is discussed on a network case study.