Athena: A Framework for Scalable Anomaly Detection in Software-Defined Networks

2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (2017)

Abstract
Network-based anomaly detection is a well-mined area of research, with many projects that have produced algorithms to detect suspicious and anomalous activities at strategic points in a network. In this paper, we examine how to integrate an anomaly detection development framework into existing software-defined network (SDN) infrastructures to support sophisticated anomaly detection services across the entire network data plane, not just at network egress boundaries. We present Athena as a new SDN-based software solution that exports a well-structured development interface and provides general purpose functions for rapidly synthesizing a wide range of anomaly detection services and network monitoring functions with minimal programming effort. Athena is a fully distributed application hosting architecture, enabling a unique degree of scalability from prior SDN security monitoring and analysis projects. We discuss example use-case scenarios with Athena's development libraries, and evaluate system performance with respect to usability, scalability, and overhead in real world environments.
Keywords
scalable anomaly detection, software-defined networks, network-based anomaly detection, network data plane, SDN-based software, network monitoring functions, fully-distributed application hosting architecture, scalability degree, SDN security monitoring project, SDN security analysis project, use-case scenarios, Athena development libraries, system performance evaluation, system usability, system scalability, system overhead