IntelliHome SDN

Results & Evaluation — Screenshot Report

This page presents the experimental outcomes using static screenshots captured during the lab demo. Evidence supports:


  • MUD baseline enforcement,
  • ML classification performance,
  • Trust (PageRank) analytics,
  • Controller logs showing decision-making.

    1) Headline Outcomes

    Place the screenshots listed below in ./assets/results/

    MUD vs Final Decision Matrix
    MUD vs Final Action. Confirms baseline allow/deny and where ML/Trust intervened beyond MUD.
    ML Confusion Matrix
    ML Confusion Matrix. Shows classification performance on labelled flows. “My classifier made no mistakes on the labelled test flows.”
    ROC Curve
    ROC Curve. A plot of True Positive Rate (TPR) vs False Positive Rate (FPR). “Even if I change my detection threshold, the model still distinguishes benign vs malicious traffic extremely well.”

    2) Trust (PageRank) Analytics

    Top and bottom trust devices
    Top/Bottom Devices by Trust. Cross-checks that low-trust devices see more interventions.

    5) Controller Evidence (Ryu Logs)

    Controller logs
    Event Log Snippet. Shows PacketIn → MUD → ML → Trust → decision → flow_mod.
    Blocked flows table
    Blocked/Quarantined Flows. Concrete examples with timestamps and 5-tuple.

    6) Test Cases & Screenshots

    Link each test case from test.sh to its evidence image. Update the “Observed” column briefly.

    | Test Case | Description | Observed Controller Action | Screenshot |
    |-----------|-------------|----------------------------|------------|
    | TC1 | Benign baseline traffic (DNS/HTTPS) from IoT device | ALLOW (fast-path installed under MUD allowlist) | tc1_benign.png |
    | TC2 | UDP Flood | BLOCK on 1000+ packets during a UDP flood | tc2_udp_flood.png |
    | TC3 | TCP SYN Flood | BLOCK and MALICIOUS | tc3_tcp_syn.png |
    | TC4 | Flood processing outcome | Ryu logs | tc4_ryu_flood_logs.png |

    7) Observations & Analysis

    MUD Baseline: Screenshots confirm that device-specific allowlists prevent off-policy flows (see “MUD vs Final Action”).

    ML/Trust Added Value: Cases where MUD=ALLOW but the controller mitigates/blocks show the ML/Trust layer catching anomalies beyond static policy.

    Performance Behaviour: During test bursts, the confusion matrix and ROC curve indicate reliable separation of benign vs malicious flows. A ROC curve close to the top-left corner indicates strong performance: high detection rates with few false alarms.

    Trust Correlation: Low-trust devices (PageRank) align with higher intervention rates, supporting prioritised scrutiny.
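
How the "MUD vs Final Action" matrix and the per-device intervention counts can be derived from controller decisions, as an added example that is not the project's own code. The allowlist, device names, flow records, thresholds (`ML_BLOCK`, `TRUST_MIN`) and the order in which ML and trust are consulted are all assumptions made for illustration.

```python
from collections import Counter

# Constructed MUD allowlist: device -> permitted (protocol, destination port) pairs.
MUD_ALLOW = {
    "cam-01": {("udp", 53), ("tcp", 443)},
    "plug-02": {("udp", 53), ("tcp", 443)},
}
ML_BLOCK = 0.8   # assumed threshold on the classifier's malicious probability
TRUST_MIN = 0.3  # assumed trust score below which on-policy flows are quarantined

# Constructed flow records: (device, proto, dst_port, ml_score, trust)
FLOWS = [
    ("cam-01", "udp", 53, 0.02, 0.9),
    ("cam-01", "tcp", 443, 0.05, 0.9),
    ("cam-01", "tcp", 23, 0.10, 0.9),    # off-policy port
    ("plug-02", "udp", 53, 0.97, 0.2),   # on-policy but flagged by ML
    ("plug-02", "tcp", 443, 0.40, 0.2),  # on-policy, low-trust device
    ("plug-02", "tcp", 443, 0.91, 0.2),
]

def decide(flow):
    """Return (mud_verdict, final_action) for one flow."""
    device, proto, dport, ml_score, trust = flow
    # Devices without a MUD profile get an empty allowlist (default deny).
    if (proto, dport) not in MUD_ALLOW.get(device, set()):
        return "DENY", "BLOCK"        # MUD baseline alone rejects off-policy flows
    if ml_score >= ML_BLOCK:
        return "ALLOW", "BLOCK"       # ML overrides a MUD allow
    if trust < TRUST_MIN:
        return "ALLOW", "QUARANTINE"  # trust overrides a MUD allow
    return "ALLOW", "ALLOW"

def decision_matrix(flows):
    """Count flows per (MUD verdict, final action) cell."""
    return Counter(decide(f) for f in flows)

def interventions_by_device(flows):
    """Count flows per device where ML/Trust acted although MUD said ALLOW."""
    hits = Counter()
    for f in flows:
        mud, final = decide(f)
        if mud == "ALLOW" and final != "ALLOW":
            hits[f[0]] += 1
    return hits

if __name__ == "__main__":
    for (mud, final), n in sorted(decision_matrix(FLOWS).items()):
        print(f"MUD={mud:5} final={final:10} flows={n}")
    print(dict(interventions_by_device(FLOWS)))
```

The off-diagonal cells with MUD=ALLOW are the ML/Trust interventions; comparing `interventions_by_device` against each device's trust score gives the cross-check described under Trust Correlation.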