Indonesian Journal of Electrical Engineering and Computer Science
Vol. 38, No. 2, May 2025, pp. 1245~1255
ISSN: 2502-4752, DOI: 10.11591/ijeecs.v38.i2.pp1245-1255

A deep learning approach to detect DDoS flooding attacks on SDN controller

Abdullah Ahmed Bahashwan, Mohammed Anbar, Selvakumar Manickam, Taief Alaa Al-Amiedy, Iznan H. Hasbullah
National Advanced IPv6 (NAv6) Centre, Universiti Sains Malaysia (USM), Penang, Malaysia

Article Info

Article history:
Received May 26, 2024
Revised Oct 22, 2024
Accepted Oct 30, 2024

Keywords:
DDoS
Deep learning
Intrusion detection system
Multi-layer perceptron
Software-defined networking

ABSTRACT

Software-defined networking (SDN), integrated into technologies like internet of things (IoT), cloud computing, and big data, is a key component of the fourth industrial revolution. However, its deployment introduces security challenges that can undermine its effectiveness. This highlights the urgent need for security-focused SDN solutions, driving advancements in SDN technology. The absence of inherent security countermeasures in the SDN controller makes it vulnerable to distributed denial of service (DDoS) attacks, which pose a significant and pervasive threat. These attacks specifically target the controller, disrupting services for legitimate users and depleting its resources, including bandwidth, memory, and processing power. This research aims to develop an effective deep learning (DL) approach to detect such attacks, ensuring the availability, integrity, and consistency of SDN network functions. The proposed DL detection approach achieves 98.068% accuracy, 98.085% precision, 98.067% recall, 98.057% F1-score, 1.34% false positive rate (FPR), and 1.713% detection time.

This is an open access article under the CC BY-SA license.

Corresponding Author:
Mohammed Anbar
National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia (USM)
Gelugor 11800, Penang, Malaysia
Email: anbar@usm.my
Journal homepage: http://ijeecs.iaescore.com

1. INTRODUCTION

The proliferation of network devices has exposed the limitations of traditional networks, complicating internet development and hindering progress in areas such as cloud computing, internet of things (IoT), and big data over the past decade [1]. In response, software-defined networking (SDN) has emerged as a solution by decoupling the control plane from the data plane, enabling centralized control and more efficient management of network elements [2]. SDN offers several advantages, including a holistic network view, centralized control, improved switch protocol magnet, vitalized network construction, and programmability, making it applicable to various network natures [3]. With the OpenFlow protocol, the application, control, and data planes are pivotal in achieving central control in SDN architecture [4].

Nonetheless, the widespread adoption of SDN has introduced security vulnerabilities, including susceptibility to distributed denial of service (DDoS) attacks that can degrade performance by targeting the controller and depleting network resources [5], [6]. Furthermore, DDoS flooding attacks, while often simple in execution, pose significant challenges in detection and mitigation [7], [8]. These attacks are launched through compromised devices within a botnet and utilize various techniques to evade detection systems, increasing their chance of success. Specifically, when targeting SDN networks or controllers, these attacks flood the network with spoofed transmission control protocol (TCP), internet control message protocol (ICMP), and user datagram protocol (UDP) traffic, consuming network bandwidth and overwhelming system resources, ultimately disrupting legitimate services and causing widespread outages. Figure 1 illustrates the impact of a DDoS attack on an SDN controller and its effects on the entire SDN network. Attackers further complicate defense by spoofing the source IP, which prevents OpenFlow switches from finding matching rules, forcing them to forward packets to the SDN controller. This exhausts controller resources and can lead to a cascading failure. Protection against such attacks is critical, as they pose significant threats to both switches and the southbound application programming interface (API), and due to their broad scope, these attacks are classified as global threats within SDN networks [9], [10].

Figure 1. Hypothetical visualization of DDoS attacks on the SDN controller

However, as highlighted in the related works (section 2) the recently discussed deep learning (DL)-based approaches for detecting DDoS attacks exhibit certain limitations. Several of these approaches have been trained and tested on unrealistic datasets, which do not adequately reflect the unique characteristics of SDN networks. This disconnect leads to decreased accuracy and an increased false positive rate (FPR) in practical applications of SDN detection approaches in real world settings. While some approaches do utilize realistic datasets, they still deliver sub optimal performance. In summary, the weaknesses of current DL-based approaches for detecting DDoS attacks on SDN network controller became evident. Despite their efficiency, these approaches have certain drawbacks: (i) many rely on unrealistic datasets that do not adequately capture the characteristics of SDN network architecture, which differs significantly from traditional network architecture; and (ii) many of these approaches exhibit low detection performance and suffer from high FPRs when identifying such attacks.

Therefore, the key contributions of this research paper are: (i) proposing a DL-based approach for detecting DDoS flooding attacks on SDN controller-based networks; (ii) evaluating and validating the proposed detection approach using a realistic dataset that reflects the characteristics of SDN network architecture; and (iii) enhancing detection performance while reducing FPRs. These contributions are directly addressing the challenges present in existing DL-based approaches.

The remaining sections of this research paper are organized to provide a comprehensive understanding of the proposed work. Section 2 presents a review of the relevant works in the field, highlighting existing approaches and their limitations. Following that, section 3 outlines the proposed detection approach based on DL, detailing its methodology and innovations. Section 4 discusses the results obtained from the proposed detection approach, along with a comprehensive analysis of the findings. Finally, section 5 concludes the paper by summarizing the key insights and provides recommendations for future works.

2. RELATED WORKS

This section examines the literature on DL approaches to detect DDoS attacks on SDN networks and their limitations. The approaches are listed as follows: in a comparative study by Ali et al. [11], various machine learning (ML) and DL techniques, including support vector machine (SVM), decision tree (DT), K-nearest neighbour (KNN), convolutional neural network (CNN), and multi-layer perceptron (MLP), were evaluated for detecting DDoS attacks in SDN with minimal time and complexity. The study utilized CIC-DoS2019 and ICIDS2017 datasets with 50 features. The study revealed that the SVM achieved the highest prediction accuracy at 95.5%, surpassing other algorithms. On the other hand, [12] proposed a DL approach employing recurrent neural network (RNN) for identifying DDoS attacks on the controller. However, it suffers from relatively low detection accuracy and high FPR. Another approach by Gadze et al. [13] introduced a system for SDN-based detection of TCP, ICMP, and UDP DDoS attacks, employing DL algorithms like CNN and long short-term memory (LSTM), achieving an accuracy of 89.63%.

Additionally, Alshra’a et al. [14] developed a DL-based intrusion detection system (IDS) for SDN defence against DDoS attacks, utilizing RNN, gated recurrent unit (GRU), and LSTM models, showcasing high accuracy in detecting attacks with 48 features using the InSDN dataset. DeepIDS, proposed by Tang et al. [15], is a DL-based IDS for SDN networks that employs DNN and GRU for anomaly detection, achieving comprehensive attack identification, including zero-day attacks. Meanwhile, DDoSNet, proposed by Elsayed et al. [16], utilizes RNN with autoencoder for SDN DDoS attack detection, boasting a 99% accuracy compared to traditional ML methods. The system also offers flexibility to implement null routing or forward attacks for further analysis on a honeypot server.

An additional approach by Haider et al. [17] is based on a CNN hybrid model for early detection of DDoS attacks, achieving an impressive accuracy of 99.45% with the CICDS2017 dataset. A further approach by Tang et al. [18] employed a GRU-RNN-based anomaly IDS for SDN networks to improve anomaly detection rates compared to their previous IDS; however, their approaches yielded relatively lower accuracies of 89% and 99% for the NSL-KDD and CICIDS2017 datasets, respectively, which may not faithfully represent SDN network characteristics. Moreover, an approach by Liu et al. [19] presents real-time mitigation of flooding attacks. On the other hand, [20] proposed a defence and detection approach utilizing RNN, LSTM, and CNN for DDoS attacks in SDN, implemented in the OpenFlow switch, showcasing high validation accuracy of 98% and 99% for detection of DDoS attacks in test and training data, respectively, using the ISCX2012 dataset and a simulated SDN network dataset.

Overall, the recently mentioned DL approaches for detecting DDoS have some limitations. Some of these approaches have been trained and tested using unrealistic datasets, failing to capture the distinct characteristics of SDN networks. This mismatch results in reduced accuracy and higher FPR from a practical perspective when it comes to implementing SDN detection approaches in real-world scenarios. Although some approaches employ realistic datasets, they achieve low performance.

3. PROPOSED DETECTION APPROACH

The application of DL to SDN networks has emerged as a crucial research area in recent years. One significant advantage of DL over traditional ML algorithms is its superior performance in analyzing large-scale datasets [21]. Additionally, the adoption of SDN technology gains momentum in various domains, including cloud computing and IoT systems, where substantial volumes of data are generated. Consequently, a multi-neural network architecture is well suited for handling the demands of these emerging technologies. This research paper adopted MLP, which comprises multiple processing layers that facilitate the training of data representations at varying levels of complexity [22]. Furthermore, MLP techniques demonstrate significant advancements in advanced applications compared to classical ML techniques [23]. The key reasons for choosing MLP are as follows: MLP is considered one of the most efficient neural network techniques for detection approaches, consistently delivering impressive results [24]. Its capability allows the proposed detection approach to achieve notable accuracy and reduce FPRs in detecting DDoS attacks. Additionally, MLP is particularly well-suited for tabular datasets, which aligns with the input data format used in this study, provided as comma-separated values (CSV) [25].

Overall, this section provides a discussion of the phases of the proposed DL-based detection approach. It begins with dataset preprocessing, followed by SDN DDoS attack detection, and concludes with performance evaluation metrics used to assess the proposed approach. These phases are thoroughly discussed in the following subsections. Figure 2 visually illustrates the design and implementation of the overall methodology of the proposed detection approach. The following subsections discuss the methodology phases in more detail.

Figure 2. Overall proposed DL-based detection approach

3.1. Datasets preprocessing

The DL-based detection approach is evaluated using a realistic SDN benchmark dataset, “DDoS attack SDN dataset” [26], to overcome the limitation of existing approaches that rely on unrealistic datasets. Several preprocessing stages are applied to the dataset before training the proposed MLP model to prevent overfitting and ensure meaningful results. These stages are crucial for preparing the dataset for accurate detection:
- Dataset cleansing: this involves filling in missing or incomplete columns within the dataset and replacing missing values with 0 to ensure completeness and accuracy of the dataset values.
- Data transformation: the dataset is transformed to enhance readability and analysis. This includes converting data formats and replacing textual features with numeric values using label encoding, making it more suitable for the proposed MLP model.
- Dataset balancing: to achieve a balanced distribution of label classes, synthetic minority oversampling technique (SMOTE) is applied to oversample the minority class, reducing bias and improving model performance.
- Dataset normalization: finally, normalization ensures a consistent scale across all records, which helps the model learn more effectively.

Once these pre-processing stages are completed, the dataset is passed to the SDN DDoS attack detection stage for training and evaluation. Table 1 outlines the details and specifications of the benchmark datasets used.

Table 1. DDoS attack SDN dataset specifications
Dataset-specifications
Ref. | Normal samples | Attack samples | Total samples | Normal label | Attack label | Dataset category | Total of features
[26] | 62,344 | 62,344 | 124,688 | 0 | 1 | Normal and DDoS attacks | 22
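
The four preprocessing stages listed above, sketched in plain Python as an added example (not the authors' code and not part of the original paper). The column names and the nine flow records are constructed for illustration and are not the schema of the dataset in [26]; the SMOTE routine is a minimal version of the technique with k = 2 neighbours.

```python
import math
import random

# Constructed flow records (hypothetical columns, not the schema of [26]).
# label: 0 = normal, 1 = attack; None and "" mark missing values.
ROWS = [
    {"protocol": "TCP",  "pktcount": 120,  "bytecount": 9000,   "dur": 10, "label": 0},
    {"protocol": "UDP",  "pktcount": 80,   "bytecount": None,   "dur": 12, "label": 0},
    {"protocol": "ICMP", "pktcount": 40,   "bytecount": 3000,   "dur": 8,  "label": 0},
    {"protocol": "TCP",  "pktcount": 150,  "bytecount": 12000,  "dur": "", "label": 0},
    {"protocol": "TCP",  "pktcount": 200,  "bytecount": 15000,  "dur": 20, "label": 0},
    {"protocol": "UDP",  "pktcount": 60,   "bytecount": 4000,   "dur": 9,  "label": 0},
    {"protocol": "UDP",  "pktcount": 9000, "bytecount": 450000, "dur": 3,  "label": 1},
    {"protocol": "ICMP", "pktcount": 7000, "bytecount": None,   "dur": 2,  "label": 1},
    {"protocol": "UDP",  "pktcount": 9500, "bytecount": 470000, "dur": 4,  "label": 1},
]
FEATURES = ["protocol", "pktcount", "bytecount", "dur"]


def cleanse(rows):
    """Dataset cleansing: replace missing or empty values with 0."""
    return [{k: (0 if v is None or v == "" else v) for k, v in r.items()}
            for r in rows]


def label_encode(rows, column):
    """Data transformation: map each distinct text value to an integer code."""
    codes = {v: i for i, v in enumerate(sorted({str(r[column]) for r in rows}))}
    return [dict(r, **{column: codes[str(r[column])]}) for r in rows], codes


def smote(X, y, k=2, seed=0):
    """Dataset balancing: add synthetic minority samples, each interpolated
    between a minority sample and one of its k nearest minority neighbours."""
    rng = random.Random(seed)
    counts = {c: y.count(c) for c in set(y)}
    minority = min(counts, key=counts.get)
    pool = [x for x, c in zip(X, y) if c == minority]
    need = max(counts.values()) - counts[minority]
    if need and len(pool) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    X_out, y_out = list(X), list(y)
    for _ in range(need):
        base = rng.choice(pool)
        neighbours = sorted((p for p in pool if p is not base),
                            key=lambda p: math.dist(base, p))[:k]
        other = rng.choice(neighbours)
        gap = rng.random()  # position on the segment base -> other
        X_out.append([b + gap * (o - b) for b, o in zip(base, other)])
        y_out.append(minority)
    return X_out, y_out


def min_max(X):
    """Dataset normalization: rescale every feature column to [0, 1]."""
    cols = list(zip(*X))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(row, lo, hi)] for row in X]


def preprocess(rows, seed=0):
    """Run the stages in the order the section lists them."""
    rows = cleanse(rows)
    rows, _ = label_encode(rows, "protocol")
    X = [[float(r[f]) for f in FEATURES] for r in rows]
    y = [r["label"] for r in rows]
    X, y = smote(X, y, seed=seed)
    return min_max(X), y


if __name__ == "__main__":
    X, y = preprocess(ROWS)
    print(len(X), "records,", y.count(0), "normal,", y.count(1), "attack")
```

When this feeds an 80/20 evaluation, oversampling and fitting the scaler on the training split only keeps synthetic samples and test-set statistics out of the held-out data.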

3.2. SDN DDoS attack detection

This research adopted the MLP algorithm for feedforward supervised learning prediction, specifically classification. The MLP architecture makes it an efficient anomaly-based IDS for detecting DDoS attacks [27]. The supervised feedforward process technique analyses the data and detects such attacks accurately. Determining ideal hyperparameters relies on the problem, model architecture, and dataset characteristics. Consequently, experimentation with various values and continuous monitoring of model performance during training is necessary to identify the optimal combination. This research underscores the importance of specific hyperparameters, such as categorical cross-entropy with SoftMax function, the Adam optimizer, and the number of epochs, in enhancing the proposed model’s performance. Notably, balancing the number of epochs is crucial to avoid underfitting, where inadequate fitting to training used in this study achieved convergence in less than 50 iterations with a batch size of 100, considered optimal values. Critical factors like learning rate and momentum, set at 0.001 and 0.9, significantly impact detection accuracy. Incorporating techniques like L2 regularization, early stopping, and a flattened layer further contributes to the model’s robustness and prevents overfitting. Table 2 presents the model hyper-parameters.

Table 2. DL-based MLP model parameters tuning
No | Hyper parameters | Optimized parameters
1 | Loss function | Categorical cross-entropy
2 | Classification function | SoftMax function
3 | Optimizer | Adam
4 | No of epochs | 50
5 | Batch size | 100
6 | Learning rate | 0.001
7 | Momentum | 0.9
8 | Regularization | L2 (0.001)
9 | No of hidden layers | 4
10 | Activation function | ReLU
11 | No of neurons | 100

Additionally, the early stopping technique was used (monitoring loss with patience = 3). For the proposed detection approach, the experiment was executed and formulated in Python, utilizing the TensorFlow, Keras, and Scikit-Learn libraries, with versions 3.10.5, 2.11, 2.11, and 1.2, respectively. The detection approach is applied to the “DDoS attack SDN dataset” with all features. The assessment of this approach’s performance involves split testing techniques to evaluate its generalization, which divides the datasets into a substantial 80% for the training set, enabling the model to learn diverse DDoS attack patterns. Simultaneously, the remaining 20% allocated to the testing set acts as a representative sample to assess approach performance on unseen data for reliable evaluation.
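
One way to express the Table 2 configuration in Keras, as an added example rather than the authors' code. Mapping "momentum 0.9" to Adam's beta_1, applying L2 to the hidden layers only, and one-hot labels for the two classes are assumptions; the flattened layer mentioned above is omitted because it changes nothing on flat tabular input.

```python
# Hyperparameters as listed in Table 2 and the early-stopping sentence.
HPARAMS = {
    "hidden_layers": 4,
    "neurons": 100,
    "activation": "relu",
    "l2": 0.001,
    "learning_rate": 0.001,
    "momentum": 0.9,      # assumption: used as Adam's beta_1
    "epochs": 50,
    "batch_size": 100,
    "patience": 3,
}


def layer_plan(n_classes=2, hp=HPARAMS):
    """(units, activation) for every Dense layer, first hidden to output."""
    hidden = [(hp["neurons"], hp["activation"])] * hp["hidden_layers"]
    return hidden + [(n_classes, "softmax")]


def count_parameters(n_features=22, n_classes=2, hp=HPARAMS):
    """Weights plus biases of the dense stack, computed without TensorFlow."""
    total, fan_in = 0, n_features
    for units, _ in layer_plan(n_classes, hp):
        total += fan_in * units + units
        fan_in = units
    return total


def build_model(n_features=22, n_classes=2, hp=HPARAMS):
    """Build and compile the MLP; TensorFlow is imported only when called."""
    from tensorflow import keras

    model = keras.Sequential()
    model.add(keras.Input(shape=(n_features,)))
    for units, activation in layer_plan(n_classes, hp):
        is_output = activation == "softmax"
        model.add(keras.layers.Dense(
            units,
            activation=activation,
            # Assumption: L2 penalty on hidden-layer weights only.
            kernel_regularizer=None if is_output
            else keras.regularizers.l2(hp["l2"]),
        ))
    model.compile(
        optimizer=keras.optimizers.Adam(learning_rate=hp["learning_rate"],
                                        beta_1=hp["momentum"]),
        loss="categorical_crossentropy",   # expects one-hot labels
        metrics=["accuracy"],
    )
    return model


def train(model, x_train, y_train_onehot, hp=HPARAMS):
    """Fit with early stopping on the training loss (patience = 3)."""
    from tensorflow import keras

    stop = keras.callbacks.EarlyStopping(monitor="loss",
                                         patience=hp["patience"])
    return model.fit(x_train, y_train_onehot, epochs=hp["epochs"],
                     batch_size=hp["batch_size"], callbacks=[stop], verbose=0)


if __name__ == "__main__":
    print("dense layers:", layer_plan())
    print("trainable parameters:", count_parameters())
```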

3.3. Evaluate performance

The proposed DL-based approach undergoes evaluation, and its performance, when integrated with data mining, is measured using several crucial metrics [28]. These metrics are calculated through a confusion matrix, illustrating the comparison between predicted and actual classes. The elements of the confusion matrix are clarified as follows: (i) true positive signifies the accurate identification of attacks by the detection approach; (ii) true negative denotes the precise identification of normal traffic as normal; (iii) false positive indicates the misclassification of normal traffic as an attack; and (iv) false negative reflects the misclassification of an attack as normal traffic. Moreover, additional performance evaluation metrics were considered based on those metrics, including recall, F1-score, precision, overall accuracy, area under the receiver operating characteristic curve (AUC-ROC) score, and FPR.

4. EXPERIMENT RESULTS AND DISCUSSION

This section discusses and analyses the experiment results, highlighting the accuracy and reliability of the proposed approach for future SDN network security applications. It also provides a thorough comparison between the proposed detection approach and existing methods. Lastly, this section outlines key discussions, identifies limitations and suggests future works.

4.1. Results and analysis

The training model is generated using an MLP model architecture with all features (f = 22), as shown in Figure 3. The dataset used for training the proposed detection approach is described in Table 1. As shown in the table, the total number of instance samples is 124,688. The dataset is split into 80% for training and 20% for testing. This is a straightforward approach and a commonly used technique. As a result, a confusion matrix is generated to represent and evaluate the performance of the proposed detection approach. It is commonly used to compare the predicted labels against the actual labels.

Figure 3. DL-based MLP model architecture

Moreover, Figure 4 presents the confusion matrix of DDoS flooding attack on SDN network. The detection approach achieved a high number of true positives (TP=15,655), which indicates the instances that were correctly detected as positive. The true negatives (TN=14,915) represent the instances that were correctly detected as negative. There was a relatively low number of false positives (FP=203), which indicates instances that were detected as positive but were actually negative. Also, there was a relatively low number of false negatives (FN=399), indicating the number of positive instances incorrectly predicted as negative by the proposed approach. In some cases, the proposed detection approach predicted a negative outcome, but the actual label was positive.

The confusion matrix analysis allows for the computation of various evaluation metrics, such as average accuracy, precision, F1-score, recall, and FPR, offering a comprehensive understanding of the overall performance of the proposed detection approach, as represented in Table 3. The detection DL approach achieves 98.068% detection accuracy, 98.085% precision, 98.067% F1-score, 98.057% recall, and 1.34% FPR for detecting DDoS attacks on the SDN network. These evaluation results highlight the effectiveness of the proposed DL approach in accurately detecting such attacks.

Figure 4. Confusion matrix of the DL-based MLP detection approach

Table 3. Average results of MLP detection approach
Performance evaluation metrics
Accuracy (%) | Precision (%) | F1-score (%) | Recall (%) | FPR (%)
98.068 | 98.085 | 98.067 | 98.057 | 1.34
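
Recomputing the section 3.3 metrics from the four counts reported for Figure 4, as an added example that is not part of the original paper. How Table 3 averages over the two classes is not stated on the page, so the code reports per-class and macro-averaged values side by side (the macro average is an assumption).

```python
# Counts reported for Figure 4 on the page (positive class = attack).
TP, TN, FP, FN = 15655, 14915, 203, 399


def _ratio(numerator, denominator):
    """Division that returns 0.0 when a class has no samples or predictions."""
    return numerator / denominator if denominator else 0.0


def class_scores(tp, fp, fn):
    """Precision, recall and F1 for one class from its own tp / fp / fn."""
    precision = _ratio(tp, tp + fp)
    recall = _ratio(tp, tp + fn)
    f1 = _ratio(2 * precision * recall, precision + recall)
    return precision, recall, f1


def evaluate(tp, tn, fp, fn):
    """Derive the metrics named in section 3.3 from the confusion matrix."""
    # Attack treated as the positive class.
    p_att, r_att, f_att = class_scores(tp, fp, fn)
    # Normal treated as the positive class: the roles of the cells swap.
    p_nor, r_nor, f_nor = class_scores(tn, fn, fp)
    return {
        "accuracy": _ratio(tp + tn, tp + tn + fp + fn),
        "fpr": _ratio(fp, fp + tn),          # normal traffic flagged as attack
        "precision_attack": p_att,
        "recall_attack": r_att,              # also called TPR
        "f1_attack": f_att,
        "precision_normal": p_nor,
        "recall_normal": r_nor,              # equals 1 - FPR
        "f1_normal": f_nor,
        "macro_precision": (p_att + p_nor) / 2,
        "macro_recall": (r_att + r_nor) / 2,
        "macro_f1": (f_att + f_nor) / 2,
    }


def as_percent(metrics, digits=3):
    """Format every metric as a percentage rounded to `digits` places."""
    return {name: round(value * 100, digits) for name, value in metrics.items()}


if __name__ == "__main__":
    for name, value in as_percent(evaluate(TP, TN, FP, FN)).items():
        print(f"{name:>18}: {value:.3f}%")
```

Accuracy and FPR computed this way round to 98.07% and 1.34%.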

Further assessment is utilized, such as the AUC-ROC curve. The ROC curve represents the trade-off between true positive rates (TPR) and FPR for different classification thresholds. The AUC score quantifies the overall performance of the proposed approach with a perfect score of 1, indicating flawless detection. Conversely, if the AUC score approaches 0, it indicates poor performance by the proposed approach. As clearly shown in Figure 5, the AUC score value of the proposed approach is 98%, which indicates that the proposed approach excels at differentiating between normal traffic and DDoS attacks.

Figure 5. ROC-AUC curve of the DL-based MLP detection approach

4.2. Comparison of proposed detection

In addition to the previously mentioned results, this section provides a comprehensive evaluation of the proposed detection approach compared to the existing DLADSC approach [12], which utilizes RNN-based techniques for detecting DDoS attacks in an SDN controller environment. Both approaches aim to address similar challenges; however, key differences emerge when evaluating their performance using several metrics, including (i) the SDN dataset itself, (ii) the average accuracy, (iii) precision, (iv) recall, (v) FPR, (vi) the F1-score, and (vii) time of DDoS attack detection (measured using Python time functions from inputting test data to producing the final prediction output).

As shown in Table 4, the proposed detection consistently achieves higher scores across most metrics: 98.068% detection accuracy, 98.085% precision, 98.057% recall, 1.34% FPR, and F1-score 98.067%. In contrast, DLADSC exhibits significantly lower performance, with 94.186% detection accuracy, 92.146% precision, 8.114% FPR, and a 94.276% F1-score. These results highlight the superior capability of the proposed detection approach in accurately identifying DDoS attacks with fewer false positives, where minimizing false alarms is paramount for ensuring efficient network management.

Table 4. A comparison of this approach with the DLADSC RNN approach
Approach | SDN dataset | Accuracy | Precision | Recall | FPR | F1-score | Times of detection
DLADSC RNN [12] | ✓ | 94.186 | 92.146 | ✗ | 8.114 | 94.276 | 1.627
This approach (MLP) | ✓ | 98.068 | 98.085 | 98.057 | 1.34 | 98.067 | 1.713
(✓): matches the metrics, (✗): does not match the metrics.

Despite the improved performance, the detection time reveals a slight trade-off. The proposed approach has a marginally longer detection time of 1.713 seconds compared to 1.627 seconds for DLADSC. While this difference is minimal, it could be relevant in extremely high-speed network environments where every fraction of a second counts. However, the slight increase in detection time is likely due to the use of four model hidden layers, which, while adding complexity and depth to the detection process, result in more accurate classification. This slight increase in detection time is justified by the significant improvements in accuracy and precision, making the proposed approach more comprehensive in the detection of DDoS attacks.

The implications of these results are substantial for future applications of DDoS detection in SDN environments. The enhanced accuracy and reduced FPR suggest that the proposed detection approach can better handle the complexity of SDN architectures, providing more trustworthy and efficient detection. Furthermore, the approach’s ability to maintain high precision and recall across a realistic SDN dataset demonstrates its scalability and applicability in real-world scenarios. While DLADSC performance is marginally faster in detection time, the proposed approach offers a more robust solution with greater accuracy and fewer false alarms, making it the preferred choice for practical implementation in SDN-based networks.

4.3. Discussion and limitations

The enhanced accuracy and reduced FPR indicate that the proposed detection approach can handle the complexity of SDN architectures, offering trustworthy and efficient detection. Additionally, the ability to maintain high precision and recall across a realistic SDN dataset demonstrates its scalability and applicability in real-world scenarios, positioning it as a more robust detection approach compared to other ones, especially in practical SDN-based networks.

The results highlight the superior capability of the proposed detection approach in accurately identifying DDoS attacks with fewer FP, which is crucial for maintaining efficient network management. Despite the improved performance, there is a slight trade-off in detection time, where the proposed approach has a marginally longer detection time of 1.713 seconds compared to 1.627 seconds for the DLADSC approach. Although this difference is minimal, it may be due to the number of hidden layers, which adds complexity and depth to the detection process, resulting in more accurate detection.

5. CONCLUSIONS AND FUTURE WORKS

SDN technology provides flexible and cost-effective network management but remains susceptible to significant security vulnerabilities, especially DDoS attacks. To address these challenges, this research introduces a DL-based detection approach designed to overcome the shortcomings of existing approaches. By experimenting with a realistic SDN dataset and employing comprehensive features, the study detected both normal and malicious traffic patterns, ensuring accurate detection. The proposed detection methodology operates in three phases: dataset pre-processing, attack detection using DL algorithm, and rigorous evaluation based on performance metrics.

The results demonstrate a clear improvement, achieving a detection accuracy of 98.068% while minimizing FPRs to 1.34%, thereby outperforming other approaches in this space. These findings hold substantial implications for the field of SDN security and the broader network management community. The proposed approach not only enhances detection accuracy but also significantly reduces false alarms, contributing to more stable and efficient SDN operations. This advancement addresses a critical need for trustworthy and scalable solutions in real-world SDN environments. By aligning with modern DL practices, the study bridges gaps in current approaches, offering a robust and reliable solution for DDoS detection.

Future works could focus on several key areas to further improve the proposed detection approach. One potential direction is optimizing attack detection time without compromising accuracy. Additionally, incorporating feature selection techniques, such as ensemble methods, could help streamline the dataset by selecting the most relevant features, leading to faster processing times and reduced computational complexity. This would not only enhance detection efficiency but also make the model scalable and adaptable to SDN networks. Furthermore, the potential to extend this detection approach to safeguard against other attack types indicates a promising direction for future research and innovation, ultimately contributing to stronger and more secure network infrastructures.

ACKNOWLEDGEMENT

The Ministry of Higher Education Malaysia supports this work under the Fundamental Research Grant Scheme with project Code: FRGS/1/2022/ICT11/USM/02/1.
REFERENCES
[1]
A.
A.
Bahashw
an,
M.
Anbar
,
and
N.
Abdullah,
“Ne
w
architecture
design
of
cloud
computing
using
softw
are
dened
netw
orking
and
netw
ork
function
virtualization
technology
,
”
in
Advances
in
Intellig
ent
Systems
and
Computing
,
v
ol.
1073,
2020,
pp.
705–713.
[2]
S.
Scott
-Hayw
ard,
S.
Natarajan,
and
S.
Sezer
,
“
A
surv
e
y
of
security
in
softw
are
de
ned
netw
orks,
”
IEEE
Communications
Surve
ys
and
T
utorials
,
v
ol.
18,
no.
1,
pp.
623–654,
2016,
doi:
10.1109/COMST
.2015.2453114.
[3]
M.
I.
Kareem
and
M.
N.
Jasim,
“Entrop
y-based
distrib
uted
denial
of
service
attack
detection
in
softw
are-dened
netw
ork-
ing,
”
Indonesian
J
ournal
of
Electrical
Engineering
and
Computer
Science
(IJEECS)
,
v
ol.
27,
no.
3,
p.
1542,
Sep.
2022,
doi:
10.11591/ijeecs.v27.i3.pp1542-1549.
[4]
C.
Kannan,
R.
Muthusamy
,
V
.
Srini
v
asan,
V
.
Chidambaram,
and
K.
Karunakaran,
“Machine
learning
based
detection
of
DDoS
attacks
in
softw
are
dened
netw
ork,
”
Indonesian
J
ournal
of
Electr
ical
Engineering
and
Computer
Science
(IJEECS)
,
v
ol.
32,
no.
3,
p.
1503,
Dec.
2023,
doi:
10.11591/ijeecs.v32.i3.pp1503-1511.
[5]
S.
Singh
and
S.
Prakash,
“
A
surv
e
y
on
softw
are
dened
netw
ork
based
on
architecture,
issues
and
challenges,
”
in
2019
3r
d
International
Confer
ence
on
Computing
Methodolo
gies
and
Communication
(ICCMC)
,
Mar
.
2019,
pp.
568–573,
doi:
10.1109/ICCMC.2019.8819785.
[6]
M.
A.
Aladaileh
et
al.
,
“Ef
fecti
v
eness
of
an
entrop
y-based
approach
for
detecting
lo
w-
and
high-rate
DDoS
attacks
ag
ainst
the
SDN
controller:
e
xperimental
analysis,
”
Applied
Sciences
(Switzerland)
,
v
ol.
13,
no.
2,
p.
775,
Jan.
2023,
doi:
10.3390/app13020775.
[7]
E.
Alomari
,
S.
Manickam,
B.
B.
Gupta,
P
.
Singh,
and
M.
Anbar
,
“Design,
deplo
yment
and
use
of
HTTP-based
bot-
net
(HBB)
te
stbed,
”
in
16th
International
Confer
ence
on
Advanced
Communication
T
ec
hnolo
gy
,
Feb
.
2014,
pp.
1265–1269,
doi:
10.1109/ICA
CT
.2014.6779162.
[8]
A.
K.
Al-Ani,
M.
Anbar
,
A.
Al-Ani,
and
D.
R.
Ibrahim,
“Ma
tch-pre
v
ention
technique
ag
ainst
denial-of-service
attack
on
address
resolution
and
duplicate
address
detection
processes
in
IPv6
link-local
netw
ork,
”
IEEE
Access
,
v
ol.
8,
pp.
27122–27138,
2020,
doi:
10.1109/A
CCESS.2020.2970787.
[9]
A.
A.
Bahashw
an,
M.
Anbar
,
S.
Manickam,
T
.
A.
Al-Amiedy
,
M.
A.
Aladaileh,
and
I.
H.
Hasb
ullah,
“
A
systematic
literature
re
vie
w
on
machine
learning
and
deep
learning
approaches
for
detecting
DDoS
attacks
in
softw
are-dened
netw
orking,
”
Sensor
s
,
v
ol.
23,
no.
9,
p.
4441,
May
2023,
doi:
10.3390/s23094441.
[10] M. A. Aladaileh, M. Anbar, I. H. Hasbullah, A. A. Bahashwan, and S. Al-Sarawn, “Dynamic threshold-based approach to detect low-rate DDoS attacks on software-defined networking controller,” Computers, Materials & Continua, vol. 73, no. 1, pp. 1403–1416, 2022, doi: 10.32604/cmc.2022.029369.
[11] T. E. Ali, Y.-W. Chong, and S. Manickam, “Comparison of ML/DL approaches for detecting DDoS attacks in SDN,” Applied Sciences, vol. 13, no. 5, p. 3033, Feb. 2023, doi: 10.3390/app13053033.
[12] A. Mansoor, M. Anbar, A. A. Bahashwan, B. A. Alabsi, and S. D. A. Rihan, “Deep learning-based approach for detecting DDoS attack on software-defined networking controller,” Systems, vol. 11, no. 6, pp. 1–21, 2023, doi: 10.3390/systems11060296.
[13] J. D. Gadze, A. A. Bamfo-Asante, J. O. Agyemang, H. Nunoo-Mensah, and K. A.-B. Opare, “An investigation into the application of deep learning in the detection and mitigation of DDOS attack on SDN controllers,” Technologies, vol. 9, no. 1, p. 14, Feb. 2021, doi: 10.3390/technologies9010014.
[14] A. S. Alshra’a, A. Farhat, and J. Seitz, “Deep learning algorithms for detecting denial of service attacks in software-defined networks,” Procedia Computer Science, vol. 191, pp. 254–263, 2021, doi: 10.1016/j.procs.2021.07.032.
[15] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, M. Ghogho, and F. El Moussa, “DeepIDS: deep learning approach for intrusion detection in software defined networking,” Electronics (Switzerland), vol. 9, no. 9, pp. 1–18, 2020, doi: 10.3390/electronics9091533.
[16] M. S. Elsayed, N.-A. Le-Khac, S. Dev, and A. D. Jurcut, “DDoSNet: a deep-learning model for detecting network attacks,” in 2020 IEEE 21st International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), Aug. 2020, pp. 391–396, doi: 10.1109/WoWMoM49955.2020.00072.
[17] S. Haider et al., “A deep CNN ensemble framework for efficient DDoS attack detection in software defined networks,” IEEE Access, vol. 8, pp. 53972–53983, 2020, doi: 10.1109/ACCESS.2020.2976908.
[18] T. A. Tang, D. McLernon, L. Mhamdi, S. A. R. Zaidi, and M. Ghogho, “Intrusion detection in sdn-based networks: deep recurrent neural network approach,” in Advanced Sciences and Technologies for Security Applications, Springer, 2019, pp. 175–195.
[19] Y. Liu, M. Dong, K. Ota, J. Li, and J. Wu, “Deep reinforcement learning based smart mitigation of DDoS flooding in software-defined networks,” in 2018 IEEE 23rd International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), Sep. 2018, vol. 2018-Septe, pp. 1–6, doi: 10.1109/CAMAD.2018.8514971.
[20] C. Li et al., “Detection and defense of DDoS attack–based on deep learning in OpenFlow-based SDN,” International Journal of Communication Systems, vol. 31, no. 5, p. e3497, Mar. 2018, doi: 10.1002/dac.3497.
[21] I. H. Sarker, “Deep learning: a comprehensive overview on techniques, taxonomy, applications and research directions,” SN Computer Science, vol. 2, no. 6, p. 420, Nov. 2021, doi: 10.1007/s42979-021-00815-1.
[22] B. A. Mohammed et al., “Hybrid techniques of analyzing MRI images for early diagnosis of brain tumours based on hybrid features,” Processes, vol. 11, no. 1, p. 212, 2023, doi: 10.3390/pr11010212.
[23] M. A. Al-Garadi, A. Mohamed, A. K. Al-Ali, X. Du, I. Ali, and M. Guizani, “A survey of machine and deep learning methods for internet of things (IoT) security,” IEEE Communications Surveys & Tutorials, vol. 22, no. 3, pp. 1646–1685, 2020, doi: 10.1109/COMST.2020.2988293.
[24] A. H. H. Kabla, A. H. Thamrin, M. Anbar, S. Manickam, and S. Karuppayah, “PeerAmbush: multi-layer perceptron to detect peer-to-peer botnet,” Symmetry, vol. 14, no. 12, p. 2483, Nov. 2022, doi: 10.3390/sym14122483.
[25] N. S. Shaji, T. Jain, R. Muthalagu, and P. M. Pawar, “Deep-discovery: anomaly discovery in software-defined networks using artificial neural networks,” Computers and Security, vol. 132, p. 103320, 2023, doi: 10.1016/j.cose.2023.103320.
[26] N. Ahuja, G. Singal, and D. Mukhopadhyay, “DDOS attack SDN dataset,” Mendeley Data, vol. 1, no. September, p. 17632, 2020, doi: 10.17632/jxpfjc64kr.1.
[27] A. H. H. Kabla et al., “Machine and deep learning techniques for detecting internet protocol version six attacks: a review,” International Journal of Electrical and Computer Engineering (IJECE), vol. 13, no. 5, pp. 5617–5631, Oct. 2023, doi: 10.11591/ijece.v13i5.pp5617-5631.
[28] M. Anbar, R. Abdullah, I. H. Hasbullah, Y.-W. Chong, and O. E. Elejla, “Comparative performance analysis of classification algorithms for intrusion detection system,” in 2016 14th Annual Conference on Privacy, Security and Trust (PST), Dec. 2016, pp. 282–288, doi: 10.1109/PST.2016.7906975.
BIOGRAPHIES OF AUTHORS
Abdullah Ahmed Bahashwan earned his Ph.D. degree in internet infrastructures security from the National Advanced IPv6 Centre of Excellence (NAv6), Universiti Sains Malaysia (USM), where he also completed his M.Sc. in internet engineering. He also holds a Bachelor of Computer Applications (B.C.A.) from Osmania University (OU), Hyderabad, India. His research interests include cybersecurity, IDS, artificial intelligence (ML and DL), feature selection techniques, internet protocol version 6 (IPv6) security, software-defined networks (SDN) security, and the IoT. He can be contacted at email: a.a.o.bahashwan@gmail.com.
Mohammed Anbar obtained his Ph.D. in Advanced Internet Security and Monitoring from Universiti Sains Malaysia (USM). He is a senior lecturer at the National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia. His current research interests include malware detection, web security, IDS, intrusion prevention systems (IPS), network monitoring, IoT, and IPv6 security. He can be contacted at email: anbar@USM.my.
Selvakumar Manickam is director and associate professor at the National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia. His research interests include cybersecurity, the IoT, Industry 4.0, and machine learning. He has authored and co-authored more than 160 articles in journals, conference proceedings, and book reviews and graduated 13 Ph.D.s. He has ten years of industrial experience prior to joining academia. He is a member of technical forums at national and international levels. He also has experience building IoT, embedded, server, mobile, and web-based applications. He can be contacted at email: selva@USM.my.