Software-Defined Networking (SDN) improves programma- bility and operational agility by separating the control plane from the forwarding one and by relying on a logically central- ized controller. This architectural shift also concentrates risk: the controller ecosystem becomes a high-value target and a potential bottleneck, so security monitoring must be effec- tive and remain feasible under near-real-time constraints. A recurring limitation in the SDN Intrusion Detection System (IDS) literature is that many results are obtained on bench- marks that provide limited temporal continuity, simplified operational dynamics or insufficient multi-plane observabil- ity, which complicates reproducibility and weakens deployment-oriented conclusions. This thesis tackles the above gap through both a dataset and methodological contribution. First, it derives concrete bench- marking requirements from a structured comparison of SDN intrusion datasets and evaluation practices, then it introduces KRONOS-SDN, a reproducible SDN IDS benchmark dataset designed to support controlled experiments over temporally coherent traces and cross-plane signals. KRONOS-SDN aligns flow-derived representations with controller host telemetry, enabling the investigation of detection behavior under realis- tic workload variation. Second, the thesis develops a deep- learning–based IDS that infers on sliding temporal windows of entity-level feature vectors, enabling streaming-compatible analysis and presents a controlled comparison of representa- tive reconstruction-based models (CNN, LSTM, Transformer and MLP-based autoencoders) under homogeneous training, calibration and scoring assumptions. In addition to detection effectiveness, the study quantifies operational indicators such as alert latency, throughput and computational footprint. The results show that deep anomaly detection can achieve meaningful detection capability on realistic SDN traces, but also that alert stability is sensitive to legitimate operating- regime changes. To address this issue and to increase the IDS performances, the third contribution of the thesis con- sists of proposing a lightweight cross-plane strategy based on context modulation: controller-side telemetry is used to in- fer the current operating regime and to adapt the detection threshold over time, reducing workload-induced false pos- itives while preserving responsiveness to related deviations to attacks. Overall, the thesis advances SDN IDS evaluation toward realistic, reproducible and deployment-oriented con- clusions by jointly contributing an enabling benchmark dataset and an operationally grounded methodology for near-real- time anomaly detection.
Innovative Deep Learning Methods and a Benchmarking Dataset for Intrusion. Detection Systems in Software-Defined Networks
DI GENNARO, FRANCESCO
2026
Abstract
Software-Defined Networking (SDN) improves programma- bility and operational agility by separating the control plane from the forwarding one and by relying on a logically central- ized controller. This architectural shift also concentrates risk: the controller ecosystem becomes a high-value target and a potential bottleneck, so security monitoring must be effec- tive and remain feasible under near-real-time constraints. A recurring limitation in the SDN Intrusion Detection System (IDS) literature is that many results are obtained on bench- marks that provide limited temporal continuity, simplified operational dynamics or insufficient multi-plane observabil- ity, which complicates reproducibility and weakens deployment-oriented conclusions. This thesis tackles the above gap through both a dataset and methodological contribution. First, it derives concrete bench- marking requirements from a structured comparison of SDN intrusion datasets and evaluation practices, then it introduces KRONOS-SDN, a reproducible SDN IDS benchmark dataset designed to support controlled experiments over temporally coherent traces and cross-plane signals. KRONOS-SDN aligns flow-derived representations with controller host telemetry, enabling the investigation of detection behavior under realis- tic workload variation. Second, the thesis develops a deep- learning–based IDS that infers on sliding temporal windows of entity-level feature vectors, enabling streaming-compatible analysis and presents a controlled comparison of representa- tive reconstruction-based models (CNN, LSTM, Transformer and MLP-based autoencoders) under homogeneous training, calibration and scoring assumptions. In addition to detection effectiveness, the study quantifies operational indicators such as alert latency, throughput and computational footprint. The results show that deep anomaly detection can achieve meaningful detection capability on realistic SDN traces, but also that alert stability is sensitive to legitimate operating- regime changes. To address this issue and to increase the IDS performances, the third contribution of the thesis con- sists of proposing a lightweight cross-plane strategy based on context modulation: controller-side telemetry is used to in- fer the current operating regime and to adapt the detection threshold over time, reducing workload-induced false pos- itives while preserving responsiveness to related deviations to attacks. Overall, the thesis advances SDN IDS evaluation toward realistic, reproducible and deployment-oriented con- clusions by jointly contributing an enabling benchmark dataset and an operationally grounded methodology for near-real- time anomaly detection.| File | Dimensione | Formato | |
|---|---|---|---|
|
Revised Thesis_DI GENNARO.pdf
accesso aperto
Licenza:
Tutti i diritti riservati
Dimensione
7.86 MB
Formato
Adobe PDF
|
7.86 MB | Adobe PDF | Visualizza/Apri |
I documenti in UNITESI sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/20.500.14242/373507
URN:NBN:IT:IMTLUCCA-373507