Indonesian J our nal of Electrical Engineering and Computer Science V ol. 38, No. 2, May 2025, pp. 1245 1255 ISSN: 2502-4752, DOI: 10.11591/ijeecs.v38.i2.pp1245-1255 1245 A deep lear ning appr oach to detect DDoS ooding attacks on SDN contr oller Abdullah Ahmed Bahashwan, Mohammed Anbar , Selv akumar Manickam, T aief Alaa Al-Amiedy, Iznan H. Hasb ullah National Adv anced IPv6 (N A v6) Centre, Uni v ersiti Sains Malaysia (USM), Penang, Malaysia Article Inf o Article history: Recei v ed May 26, 2024 Re vised Oct 22, 2024 Accepted Oct 30, 2024 K eyw ords: DDoS Deep learning Intrusion detection system Multi-layer perceptron Softw are-dened netw orking ABSTRA CT Softw are-dened netw orking (SDN), inte grated into technologies lik e internet of things (IoT), cloud computing, and big data, is a k e y component of the fourth in- dustrial re v olution. Ho we v er , i ts deplo yment introduces security challenges that can undermine its ef fecti v eness. This highlights the ur gent need for security- focused SDN solutions, dri ving adv ancements in SDN technology . The absence of inherent security countermeasures in the SDN controller mak es it vulnerable to distrib uted denial of service (DDoS) attacks, which pose a signicant and per - v asi v e threat. These attacks specically tar get the controller , disrupting services for le gitimat e users and depleting its resources, including bandwidth, memory , and processing po wer . This research aims to de v e lop an ef fecti v e deep learn- ing (DL) approach to detect such attacks, ensuring the a v ailability , inte grity , and consistenc y of SDN netw ork functions. The proposed DL detection approach achie v es 98.068% accurac y , 98.085% precision, 98.067% recall, 98.057% F1-score, 1.34% f alse positi v e rate (FPR), and 1.713% detection time. This is an open access article under the CC BY -SA license . Corresponding A uthor: Mohammed Anbar National Adv anced IPv6 Centre (N A v6), Uni v ersiti Sains Malaysia (USM) Gelugor 11800, Penang, Malaysia Email: anbar@usm.my 1. INTR ODUCTION The proliferation of netw ork de vices has e xposed the limitations of traditional netw orks, complica ting internet de v elopment and hindering progress in areas such as cloud computing, internet of things (IoT), and big data o v er the past decade [1]. In response, softw are-dened netw orking (SDN) has emer ged as a solution by decoupling the control plane from the data plane, enabling centra lized control and more ef cient management of netw ork elements [2]. SDN of fers se v eral adv antages, including a holistic netw ork vie w , centralize d control, impro v ed switch protocol magnet, vitalized netw ork construction, and programmability , making it applicable to v arious netw ork natures [3]. W ith the OpenFlo w protocol, the application, control, and data planes are pi v otal in achie ving central control in SDN architecture [4]. Nonetheless, the widespread adoption of SDN has introduced security vulnerabilities, including susceptibility to denial of service (DDoS) attacks that can de grade performance by tar geting the controller and depleting netw ork resources [5], [6]. Furthermore, DDoS ooding attacks, while often simple in e x ecution, pose signicant challenges in detection and mitig ation [7], [8]. These attacks are launched through compromised de vices within a botnet and utilized v arious techniques to e v ade detection systems, increasing their chance of success. Specically , when tar geting SDN netw orks or controllers, these attacks ood t he netw ork with spoofed transmission control J ournal homepage: http://ijeecs.iaescor e .com Evaluation Warning : The document was created with Spire.PDF for Python.
1246 ISSN: 2502-4752 protocol (TCP), internet control message protocol (ICMP), and user datagram protocol (UDP) traf c, con- suming netw ork bandwidth and o v erwhelming system resources, ultimately disrupting le gitimate services and causing widespread outages. Figure 1 illustrates the impact of a DDoS attack on an SDN controller and its ef fects on the entire SDN netw ork. Attack ers further complicate defense by spoong source IP , which pre v ents Openo w switches from nding matching rules, forcing them to forw ard pack ets to t he SDN controller . This e xhausts controller resources and can lead to a cascading f ailure. Protection ag ainst such attacks is critical, as the y pose signicant threats to both switches and the southbound application programming interf ace (API), and due to their broad scope, these attacks are classied as global threats within SDN netw orks [9], [10]. Figure 1. Hypothetical visualization of DDoS attacks on the SDN controller Ho we v er , as highlighted in the related w orks (section 2) the recently discussed deep learning (DL)- based approaches for detecting DDoS attacks e xhibit certain limitations. Se v eral of these approaches ha v e been trained and tested on unrealistic datasets, which do not adequately reect the unique characteristics of SDN netw orks. This disconnect leads to decreased accurac y and an increased f alse positi v e rate (FPR) in practical applications of SDN detection approaches in real w orld settings. While some approaches do utilize realistic datasets, the y still deli v er sub optimal performance. In summary , the weaknesses of current DL-based approaches for detecting DDoS attacks on SDN netw ork controller became e vident. Despite their ef cienc y , these approaches ha v e certain dra wbacks: (i) man y rely on unrealistic datasets that do not adequately capture the characteristics of SDN netw ork ar - chitecture, which dif fers signicantly from traditional netw ork architecture; and (ii) man y of these approaches e xhibit lo w detection performance and suf fer from high FPRs when identifying such attacks. Therefore, the k e y contrib utions of this research paper are: (i) proposing a DL-based approach for detecting DDoS ooding attacks on SDN controller -based netw orks; (ii) e v aluating and v alidating the proposed detection approach using a realistic dataset that reects the characte ristics of SDN netw ork architecture; and (iii) enhancing detection performance while reducing FPRs. These contrib utions are directly addressing the challenges present in e xisting DL-based approaches. Indonesian J Elec Eng & Comp Sci, V ol. 38, No. 2, May 2025: 1245–1255 Evaluation Warning : The document was created with Spire.PDF for Python.
Indonesian J Elec Eng & Comp Sci ISSN: 2502-4752 1247 The remaining sections of this research paper are or g anized to pro vide a comprehensi v e und e rstanding of the proposed w ork. Section 2 presents a re vie w of the rele v ant w orks in the eld, highlighting e xisting approaches and their limitations. F ollo wing that, section 3 outlines the proposed detection approach based on DL, detailing its methodology and inno v ations. Section 4 discusses the results obtained from the proposed detection approach, along with a comprehensi v e analysis of the ndings. Finally , section 5 concludes the paper by summarizing the k e y insights and pro vides recommendations for future w orks. 2. RELA TED W ORKS This section e xamines the literature on DL approaches to detect DDoS attacks on SDN n e tw orks and their limitations. The approaches are listed as follo ws: in a comparati v e study by Ali et al. [11], v ari- ous machine learning (ML) and DL techniques, including support v ector machine (SVM), decision tree (DT), K-nearest neighbour (KNN), con v olutional neural netw ork (CNN), and multi-layer perceptron (MLP), were e v aluated for detecting DDoS attacks in SDN with minimal time and comple xity . The study utilized CIC- DoS2019 and ICIDS2017 datasets with 50 features. The study re v ealed that the SVM achie v ed the highest prediction accurac y at 95.5%, surpassing other algorithms. On the other hand, [12] proposed a DL approach emplo ying recurrent neural netw ork (RNN) for identifying DDoS attacks on the controll er . Ho we v er , it suf fers from relati v ely lo w detection accurac y and high FPR. Another approach by Gadze et al. [13] introduced a system for SDN-based detection of TCP , ICMP , and UDP DDoS attacks, emplo ying DL algorithms lik e CNN and long short -term memory (LSTM), achie ving an accurac y of 89.63%. Additionally , Alshra’a et al. [14] de v eloped a DL-based intrusion detection system (IDS) for SDN defence ag ainst DDoS attacks, utilizing RNN, g ated recurrent unit (GR U), and LSTM models, sho wcasing high accurac y in detect ing attacks with 48 features using the InSDN dataset. DeepIDS, proposed by T ang et al. [15], is a DL-based IDS for SDN netw orks that emplo y DNN and GR U for anomaly detection and achie ving comprehensi v e attack identication, including zero-day attacks. M eanwhile, DDoSNet, proposed by Elsayed et al. [16], utilizes RNN with autoencoder for SDN DDoS attack detection, boasti ng a 99% accurac y compared to traditional ML methods. The system also of fers e xibility to implement null routing or forw ard attacks for further analysis on a hone ypot serv er . An additional approach by Haider et al. [17] is bas ed on a CNN h ybrid model for early detection of DDoS attacks, achie ving an impressi v e accurac y of 99.45% with the CICDS2017 dataset. Further approach by T ang et al. [18] emplo yed a GR U-RNN-based anomaly IDS for SDN netw orks to impro v e anomaly detection rates compared to their pre vious IDS; ho we v er , their approaches yi elded relati v ely lo wer accuracies of 89% and 99% for the NSL-KDD and CICIDS2017 datasets, respecti v ely , which may not f aithfully represent SDN netw ork characteristics. Moreo v er , an approach by Liu et al. [19] presents real-time mitig ating ooding attacks. On the other hand, [20] proposed a defence and detection approach utilizing RNN, LSTM, and CNN for DDoS attacks in SDN, implemented in the OpenFlo w switch, sho wcasing high v alidation accurac y of 98% and 99% for detection of DDoS attacks in test and training data, respecti v ely , using the ISCX2012 dataset and a simulated SDN netw ork dataset. Ov erall, the recently mentioned DL approaches for detecting DDoS ha v e some limitations. Some of these approaches ha v e been trained and tested using unrealistic datasets, f ailing to capture the distinct character - istics of SDN netw orks. This mismat ch results in reduced accurac y and higher FPR from a practical perspecti v e when it comes to implementing SDN detection approac h e s in real-w orld scenarios. Although some approaches emplo y realistic datasets, the y achie v e lo w performance. 3. PR OPOSED DETECTION APPR O A CH The application of DL to SDN netw orks emer ges as a crucia l research area in recent years. One signicant adv antage of DL o v er traditional ML algorithm s is its superior performance in analyzing lar ge-scale datasets [21]. Additionally , the adoption of SDN technology g ains momentum in v arious domains, including cloud computing and IoT systems, where substantial v olumes of data are generated. Consequently , a multi- neural netw ork architecture is well suited for handling the demands of these emer ging technologies. This research paper adopted MLP , which comprises multiple processing layers that f acilitate the training of data representations at v arying le v els of comple xity [22]. Furthermore, MLP techniques demonstrate signicant adv ancements in adv anced applications com- pared to classical ML techniques [23]. The k e y reasons for choosing MLP are as follo ws: MLP is considered A deep learning appr oac h to detect DDoS ooding attac ks on SDN ... (Abdullah Ahmed Bahashwan) Evaluation Warning : The document was created with Spire.PDF for Python.
1248 ISSN: 2502-4752 one of the most ef cient neural netw ork techniques for detection approaches, consistently deli v ering impressi v e results [24]. Its capability allo ws the proposed detection approach to achie v e notable accurac y and reduce FPRs in detecting DDoS attacks. Additionally , MLP is particularly well-suited for tab ular datasets, which aligns with the input data format used in this study , pro vided as comma-separated v alues (CSV) [25]. Ov erall, this section pro vides a discussion of the phases of the proposed DL-based detection approach. It be gins with dataset preprocessing, follo wed by SDN DDoS attack detection, and concludes with performance e v aluation metrics used to assess the proposed approach. These phases are thoroughly discussed in the follo w- ing subsections. Figure 2 vis ually illustrates the design and impl ementation of the o v erall methodology of the proposed detection approach. The follo wing subsections discuss the methodology phases in more detail. Figure 2. Ov erall proposed DL-based detection approach 3.1. Datasets pr epr ocessing The DL-based detection approach is e v aluated using a realis tic SDN benchmark data set, “DDoS attack SDN dataset” [26], to o v ercome the limitation of e xisting approaches that rely on unrealistic dat asets. Se v eral preprocessing stages are applied to the dataset before training the proposed MLP model to pre v ent o v ertting and ensure meaningful results. These stages are crucial for preparing the dataset for accurate detection: - Dataset cleansing: this in v olv es lling in missing or incomplete columns within the dataset and replacing missing v alues with 0 to ensure completeness and accurac y of the dataset v alues. - Data transformation: the dataset is transformed to enhance readability and analysis. This includes con v ert- ing data formats and replacing te xtual features with numeric v alues using label encoding, making it more suitable for the proposed MLP model. - Dataset balancing: to achie v e a balanced distrib ution of label classes, synthetic minority o v ersampling technique (SMO TE) is applied to o v ersample the minority class, reducing bias and impro ving model per - formance. - Dataset normalization: nally , normalization ensures a consistent scale across all records, which helps the model learn more ef fecti v ely . Once these pre-processing stages are completed, the dataset is passed to the SDN DDoS attack detection stage for training and e v aluation. T able 1 outlines the details and specications of the benchmark datasets used. T able 1. DDoS attack SDN dataset specications Dataset-specications Ref. Normal samples Attack samples T otal samples Normal label Attack label Dataset cate gory T otal of features [26] 62,344 62,344 124,688 0 1 Normal and DDoS attacks 22 Indonesian J Elec Eng & Comp Sci, V ol. 38, No. 2, May 2025: 1245–1255 Evaluation Warning : The document was created with Spire.PDF for Python.
Indonesian J Elec Eng & Comp Sci ISSN: 2502-4752 1249 3.2. SDN DDoS attack detection This research adopt ed the MLP algorithm for feedforw ard supervised learning prediction, speci cally classication. The MLP architecture mak es it an ef cient anomaly-based IDS for detecting DDoS attacks [27]. The supervised feedforw ard process technique analyses the data and detects such attacks accurately . Determin- ing ideal h yperparamete rs relies on the problem, model architecture, and dataset characteristics. Consequently , e xperimentation with v arious v alues and continuous monitoring of model performance during training is nec- essary to identify the optimal combination. This research unders cores the importance of specic h yperparameters, such as cate gorical cros s- entrop y with SoftMax function, the Adam optimizer , and the number of epochs, in enhancing the proposed model’ s performance. Notably , balancing the number of epochs is crucial to a v oid undertting, where inad- equate tting to training used in this study achie v ed con v er gence i n less than 50 iterations with a batch size of 100, considered optimal v alues. Critical f actors lik e learning rate and momentum, set at 0.001 and 0.9, signicantly impact detecti o n accurac y . Incorporating techniques lik e L2 re gularization, early stopping, and a attened layer further contrib utes to the model’ s rob ustness and pre v ents o v ertting. T able 2 presents the model h yper -parameters. T able 2. DL-based MLP model parameters tuning No 1 2 3 4 5 6 7 8 9 10 11 Hyper parameters Losses function Classication function Optimizer No of epochs Batch size Learning rate Momentum Re gularization No of hiding layers Acti v ation function No of neuron Optimized parameters Cate gorical cross-entrop y SoftMax function Adam 50 100 0.001 0.9 L2 (0.001) 4 ReLU 100 Additionally , the early stopping technique w as used (monitoring loss with patience =3). F or the pro- posed detection approach, the e xperiment w as e x ecuted and formulated in Python, utilizing the T ensorFlo w , K eras, and Scikit-Learn libraries with 3.10.5, 2.11, 2.11, and 1.2, respecti v ely . The detection approach is ap- plied to the “DDoS attack SDN dataset” with al l features. The assessment of this approach’ s performance in v olv es split testing techniques to e v aluate its generalization, which di vides the datasets into a substantial 80% for the training set, enabling the model to learn di v erse DDoS attack patterns. Simultaneously , the remaining 20% allocated to the testing set acts as a representati v e sample to assess approach performance on unseen data for reliable e v aluation. 3.3. Ev aluate perf ormance The proposed DL-based approach under goes e v aluation, and its performance, when inte grated with data mining, is measured using se v eral crucial matrices [28]. These metrics are calculated through a confusion matrix, illustrating the comparison between predicted and actual classes. The elements of the confusion matrix are claried as follo ws: (i) true positi v e signies the accurate identication of att acks by the detection approach. (ii) true ne g ati v e denotes the precise identication of normal traf c as normal, while (iii) f alse positi v e indicates the misclassication of normal traf c as an attack. Lastly , (i v) f alse ne g ati v e reects the misclas sication of an attack as normal traf c. Moreo v er , additi onal performance e v aluation metrics were considered based on those metrics, including recall, F1-score, precision, o v erall accurac y , area under the recei v er operating characteristic curv e (A UC-R OC) score, and FPR. 4. EXPERIMENT RESUL TS AND DISCUSSION This section discusses and analyses the e xperiment results, highlighting the accurac y and reliability of the proposed approach for future SDN netw ork security appl ications. It also pro vides a thorough comparison between the proposed detection approach and e xisting methods. Lastly , this section outlines k e y discussions, identies limitations and suggests future w orks. 4.1. Results and analysis The tra ining model is generated using an MLP model architecture with all features ( f = 22) , as sho wn in Figure 3. The dataset used for training the proposed detection approach is described in T able 1. As sho wn in the table, the tot al number of instance samples is 124,688. The dataset is split into 80% for training and 20% A deep learning appr oac h to detect DDoS ooding attac ks on SDN ... (Abdullah Ahmed Bahashwan) Evaluation Warning : The document was created with Spire.PDF for Python.
1250 ISSN: 2502-4752 for testing. This is a stra ightforw ard approach and a commonly used technique. As a result, a confusion matrix is generated to represent and e v aluate the performance of the proposed detection approach. It is commonly used to compare the predicted labels ag ainst the actual labels. Figure 3. DL-based MLP model architecture Moreo v er , Figure 4 presents the confusion matrix of DDoS oodi ng attack on SDN netw ork. The detection approach achie v ed a high number of true positi v es (TP=15,655), which indicates the instances that were correctly detected as positi v e. The true ne g ati v es (TN=14,915) represent the instances that were correctly detected as ne g ati v e. There w as a relati v ely lo w number of f alse positi v es (FP=203), which indicates instances that were detected as positi v e b ut were actually ne g ati v e. Also, there w as a relati v ely lo w number of f alse ne g- ati v es (FN=399), indicating the number of positi v e instances incorrectly predicted as ne g ati v e by the proposed approach. In some cases, the proposed detection approach predicted a ne g at i v e outcome, b ut the actual label w as positi v e. The confusion matrix analysis allo ws for the computation of v arious e v aluation matri ces, such as a v erage accurac y , preci sion, F1-score, recall, and FPR, of fering a comprehensi v e understanding of the o v er - all performance of the proposed detection approach, as represented in T able 3. The detection DL approach archi v es 98.068% detection accurac y , 98.085% precision, 98.067% F1-score, 98.057% recall, and 1.34% FPR for detecting DDoS attacks on the SDN netw ork. These e v aluation results highlight the ef fecti v eness of the proposed DL approach in accurately detecting such attacks. Indonesian J Elec Eng & Comp Sci, V ol. 38, No. 2, May 2025: 1245–1255 Evaluation Warning : The document was created with Spire.PDF for Python.
Indonesian J Elec Eng & Comp Sci ISSN: 2502-4752 1251 Figure 4. Confusion matrix of the DL-based MLP detection approach T able 3. A v erage results of MLP detection approach Performance e v aluation metrics Accurac y (%) Precision (%) F1-score (%) Recall (%) FPR (%) 98.068 98.085 98.067 98.057 1.34 Further assessment is utilized, such as the A UC-R OC carv e. The R OC curv e represents the trade -of f between true positi v e rates (TPR) and FPR for dif ferent classication thresholds. The A UC score quanties the o v erall performance of the proposed approach with a perfect score of 1, indicating a wless detection. Con v ersely , if the A UC score approaches 0, it indicates poor performance by the proposed approach. As clearly sho wn in Figure 5, the A UC score v alue of the proposed approach is 98%, which indicates that the proposed approach e xcels at dif ferentiating between normal traf c DDoS attacks. Figure 5. R OC-A UC carv e of the DL-based MLP detection approach 4.2. Comparison of pr oposed detection In addition to the pre viously mentioned results, this section pro vides a comprehensi v e e v aluation of the proposed detection approach compared to the e xisting DLADSC approach [12], which utilizes RNN-based techniques for detecting DDoS attacks in an SDN controller en vironment. Both approaches aim to address A deep learning appr oac h to detect DDoS ooding attac ks on SDN ... (Abdullah Ahmed Bahashwan) Evaluation Warning : The document was created with Spire.PDF for Python.
1252 ISSN: 2502-4752 similar challenges; ho we v er , k e y dif ferences emer ge when e v aluating their performance using se v eral metrics, including (i) the SDN dataset itself, (ii) the a v erage accurac y , (iii) precision, (i v) recall, (v) FPR, (vi) the F1-score, and (vii) time of DDoS attack detection (measured using Python time functions from inputting test data to producing the nal prediction output). As sho wn in T able 4, the proposed detection consistently achie v es higher scores across most me trics: 98.068% detection accurac y , 98.085% precision, 98.057% recall, 1.34% FPR, and F1-score 98.067%. In con- trast, DLADSC e xhibits signicantly lo wer performance, with 94.186% detection accurac y , 92.146% precision, 8.114% FPR, a an 94.276% F1-score. These results highlight the superior capabilit y of the proposed detection approach in a ccurately identifying DDoS attacks with fe wer f alse positi v es, where minimizing f alse alarms is paramount for enduring ef cient netw orks management. T able 4. A comparison of this approach with the DLADSC RNN approach Approach SDN dataset Accurac y Precision Recall FPR F1-score T imes of detection DLADSC RNN [12] 94.186 92.146 8.114 94.276 1.627 This approach (MLP) 98.068 98.085 98.057 1.34 98.067 1.713 ( ) : matches the metrics, ( ) : does not match the metrics. Despite the impro v ed performance, the detection time re v eals a slight trade-of f. The proposed ap- proach has a mar ginally longer detection time of 1.713 seconds compared to 1.627 seconds for DLADSC. While this dif ference is minimal, it could be rele v ant in e xtremely high-speed netw ork en vironments where e v ery fraction of a second counts. Ho we v er , the s light increase in detection time is lik ely due to the use of four model hidden layers, which, while adding comple xity and depth to the detection process, result in more accurate classication. This slight increase in det ection time is justied by the signicant impro v ements in accurac y and precision, making the proposed approach more comprehensi v e detection of DDoS attacks. The implications of these results are substantial for future applications of DDoS detection in SDN en- vironments. The enhanced accurac y and reduced FPR suggest that the proposed detection approach can better handle the comple xity of SDN architectures, pro viding more trustw orth y and ef cient detection. Furthermore, the approach’ s ability to maintain high precision and recall across a realistic SDN dataset demonstrates its scal- ability and applicability in real-w orld scenarios. While DLADSC performance is mar ginally f aster in detection time, the proposed approach of fers a more rob ust solut ion with greater accurac y and fe wer f alse alarms, making it the preferred choice for practical implementation in SDN-based netw orks. 4.3. Discussion and limitations The enhanced accurac y and reduced FPR indicate that the proposed detection approach can handle the comple xity of SDN architectures, of fering trustw orth y and ef cient detection. Additionally , the ability to maintain high precision and recall across a realistic SDN dataset demonstrates its scalability and applicability in real-w orld scenarios, positioning it as a more rob ust detection approach compared to other ones, especially in practical SDN-based netw orks. The results highlight the superior capability of the proposed detection approach in accurately identi- fying DDoS attacks with fe wer FP , which is crucial for m aintaining ef cient netw ork management. Despite the impro v ed performance, there is a slight trade-of f in detection time, where the proposed approach has a mar ginally longer detection time of 1.713 seconds compared to 1.627 seconds for the DLADSC approach. Al- though this dif ference is minimal, it may be due to the number of hidden layers, which adds comple xity and depth to the detection process, resulting in more accurate detection. 5. CONCLUSIONS AND FUTURE W ORKS SDN technology pro vides e xible and cost-ef fecti v e netw ork management b ut remains s usceptible to signicant security vulnerabilities, especially DDoS attacks. T o address these challenges, this research introduces a DL-based detection approach designed to o v ercome the shortcomings of e xisting approaches. By e xperimenting with a realistic SDN dataset and emplo ying comprehensi v e features, the study detected both norma l and m alicious traf c patterns, ensuring accurate detection. The proposed det ection methodology operates in three phases: dataset pre-processing, attack detection using DL algorithm, and ri g or o us e v aluation based on performance metrics. Indonesian J Elec Eng & Comp Sci, V ol. 38, No. 2, May 2025: 1245–1255 Evaluation Warning : The document was created with Spire.PDF for Python.
Indonesian J Elec Eng & Comp Sci ISSN: 2502-4752 1253 The results demonstrate a clear impro v ement, achie ving a detection accurac y of 98.068% while mi ni- mizing FPRs to 1.34%, thereby outperforming other approaches in this space. These ndings hold substantial implications for the eld of SDN security and the broader netw ork management community . The proposed approach not only enhances detection accurac y b ut also signicantly reduces f alse alarms, contrib uting to more stable and ef cient SDN operations. This adv ancement addresses a critical need for trustw ort h y and scalable solutions in real-w orld SDN en vironments. By aligning with modern DL practices, the study bridges g aps in current approaches, of fering a rob ust and reliable solution for DDoS detection. Future w orks could focus on se v eral k e y areas to further impro ving the proposed detection approach. One potential direction is optimizing attack detection time without compromising accurac y . Additionally , incorporating feature selection techniques, such as ensemble methods, could help streamline the dataset by selecting the most rele v ant features, leading to f aster processing times and reduced comput ational comple xity . This w ould not only enhance detection ef cienc y b ut also mak e the model scalable and adaptable to SDN netw orks. Furthermore, the potential to e xtend this detection approach to safe guard ag ainst other attack types indicates a promising direction for future research and inno v ation, ultimately contrib uting to stronger and more secure netw ork infrastructures. A CKNO WLEDGEMENT The Ministry of Higher Education Malaysia supports this w ork under the Fundamental Research Grant Scheme with project Code: FRGS/1/2022/ICT11/USM/02/1. REFERENCES [1] A. A. Bahashw an, M. Anbar , and N. Abdullah, “Ne w architecture design of cloud computing using softw are dened netw orking and netw ork function virtualization technology , in Advances in Intellig ent Systems and Computing , v ol. 1073, 2020, pp. 705–713. [2] S. Scott -Hayw ard, S. Natarajan, and S. Sezer , A surv e y of security in softw are de ned netw orks, IEEE Communications Surve ys and T utorials , v ol. 18, no. 1, pp. 623–654, 2016, doi: 10.1109/COMST .2015.2453114. [3] M. I. Kareem and M. N. Jasim, “Entrop y-based distrib uted denial of service attack detection in softw are-dened netw ork- ing, Indonesian J ournal of Electrical Engineering and Computer Science (IJEECS) , v ol. 27, no. 3, p. 1542, Sep. 2022, doi: 10.11591/ijeecs.v27.i3.pp1542-1549. [4] C. Kannan, R. Muthusamy , V . Srini v asan, V . Chidambaram, and K. Karunakaran, “Machine learning based detection of DDoS attacks in softw are dened netw ork, Indonesian J ournal of Electr ical Engineering and Computer Science (IJEECS) , v ol. 32, no. 3, p. 1503, Dec. 2023, doi: 10.11591/ijeecs.v32.i3.pp1503-1511. [5] S. Singh and S. Prakash, A surv e y on softw are dened netw ork based on architecture, issues and challenges, in 2019 3r d International Confer ence on Computing Methodolo gies and Communication (ICCMC) , Mar . 2019, pp. 568–573, doi: 10.1109/ICCMC.2019.8819785. [6] M. A. Aladaileh et al. , “Ef fecti v eness of an entrop y-based approach for detecting lo w- and high-rate DDoS attacks ag ainst the SDN controller: e xperimental analysis, Applied Sciences (Switzerland) , v ol. 13, no. 2, p. 775, Jan. 2023, doi: 10.3390/app13020775. [7] E. Alomari , S. Manickam, B. B. Gupta, P . Singh, and M. Anbar , “Design, deplo yment and use of HTTP-based bot- net (HBB) te stbed, in 16th International Confer ence on Advanced Communication T ec hnolo gy , Feb . 2014, pp. 1265–1269, doi: 10.1109/ICA CT .2014.6779162. [8] A. K. Al-Ani, M. Anbar , A. Al-Ani, and D. R. Ibrahim, “Ma tch-pre v ention technique ag ainst denial-of-service attack on address resolution and duplicate address detection processes in IPv6 link-local netw ork, IEEE Access , v ol. 8, pp. 27122–27138, 2020, doi: 10.1109/A CCESS.2020.2970787. [9] A. A. Bahashw an, M. Anbar , S. Manickam, T . A. Al-Amiedy , M. A. Aladaileh, and I. H. Hasb ullah, A systematic literature re vie w on machine learning and deep learning approaches for detecting DDoS attacks in softw are-dened netw orking, Sensor s , v ol. 23, no. 9, p. 4441, May 2023, doi: 10.3390/s23094441. [10] M. A. Aladaileh, M. Anbar , I. H. Hasb ullah, A. A. Bahashw an, and S. Al-Sara wn, “Dynamic threshold-based approach to detect lo w-rate DDoS attacks on softw are-dened netw orking controller , Computer s, Materials Continua , v ol. 73, no. 1, pp. 1403–1416, 2022, doi: 10.32604/cmc.2022.029369. [11] T . E. Ali, Y .-W . Chong, and S. Manickam, “Comparison of ML/DL approaches for detecting DDoS attacks in SDN, Applied Sciences , v ol. 13, no. 5, p. 3033, Feb . 2023, doi: 10.3390/app13053033. [12] A. Mans oor , M . Anbar , A. A. B ahashw an, B. A. Alabsi, and S. D. A. Rihan, “Deep learning-based approach for detecting DDoS attack on softw are-dened netw orking controller , Systems , v ol. 11, no. 6, pp. 1–21, 2023, doi: 10.3390/systems11060296. [13] J. D. Gadze, A. A. Bamfo-Asante, J. O. Agyemang, H. Nunoo-Mensah, and K. A.-B. Opare, An in v estig ation into the application of deep learning in the detection and mitig ation of DDOS attack on SDN controllers, T ec hnolo gies , v ol. 9, no. 1, p. 14, Feb . 2021, doi: 10.3390/technologies9010014. [14] A. S. Alshra’a, A. F arhat, and J. Seitz, “Deep learning algorithms for detecting denial of service attacks in softw are-dened net- w orks, Pr ocedia Computer Science , v ol. 191, pp. 254–263, 2021, doi: 10.1016/j.procs.2021.07.032. [15] T . A. T ang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, M. Ghogho, and F . El Moussa, “DeepIDS: deep learning ap- proach for intrusion detection in soft w are dened netw orking, Electr onics (Switzerland) , v ol. 9, no. 9, pp. 1–18, 2020, doi: 10.3390/electronics9091533. A deep learning appr oac h to detect DDoS ooding attac ks on SDN ... (Abdullah Ahmed Bahashwan) Evaluation Warning : The document was created with Spire.PDF for Python.
1254 ISSN: 2502-4752 [16] M . S. Elsayed, N.-A. Le-Khac, S. De v , and A. D. Jurcut, “DDoSNet: a deep-learning model for detecting netw ork attacks, in 2020 IEEE 21st International Symposium on “A W orld of W ir eless, Mobile and Multimedia Networks” (W oWMoM) , Aug. 2020, pp. 391–396, doi: 10.1109/W oWMoM49955.2020.00072. [17] S . Haider et al. , A deep CNN ensemble frame w ork for ef cient DDoS attack detection in softw are dened netw orks, IEEE Access , v ol. 8, pp. 53972–53983, 2020, doi: 10.1109/A CCESS.2020.2976908. [18] T . A. T ang, D. McLernon, L. Mhamdi, S. A. R. Zaidi, and M. Ghogho, “Intrusion detection in sdn-based netw orks: deep recurrent neural netw ork approach, in Advanced Sciences and T ec hnolo gies for Security Applications , Springer , 2019, pp. 175–195. [19] Y . Liu, M. Dong, K. Ota, J. Li, and J. W u, “Deep reinforcem ent learning based smart mitig ation of DDoS ooding in softw are- dened netw orks, in 2018 IEEE 23r d International W orkshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD) , Sep. 2018, v ol. 2018-Septe, pp. 1–6, doi: 10.1109/CAMAD.2018.8514971. [20] C . Li et al. , “Detection and defense of DDoS attack–based on deep learning in OpenFlo w-based SDN, International J ournal of Communication Systems , v ol. 31, no. 5, p. e3497, Mar . 2018, doi: 10.1002/dac.3497. [21] I. H. Sark er , “Deep learning: a comprehensi v e o v ervie w on techniques, taxonomy , applications and research directions, SN Computer Science , v ol. 2, no. 6, p. 420, No v . 2021, doi: 10.1007/s42979-021-00815-1. [22] B. A. Mohammed et al. , “Hybrid techniques of analyzing MRI im ages for early diagnosis of brain tumours based on h ybrid features, Pr ocesses , v ol. 11, no. 1, p. 212, 2023, doi: 10.3390/pr11010212. [23] M. A. Al-Garadi, A. Mohamed, A. K. Al-Ali, X. Du, I. Ali, and M. Guizani, A surv e y of machine and deep learning meth- ods for internet of things (IoT) security , IEEE Communications Surve ys T utori als , v ol. 22, no. 3, pp. 1646–1685, 2020, doi: 10.1109/COMST .2020.2988293. [24] A. H. H. Kabla, A. H. Thamrin, M. Anbar , S. Manickam, and S. Karuppayah, “PeerAmb ush: multi-layer perceptron to detect peer -to-peer botnet, Symmetry , v ol. 14, no. 12, p. 2483, No v . 2022, doi: 10.3390/sym14122483. [25] N. S. Shaji, T . Jain, R. Muthalagu, and P . M. P a w ar , “Deep-disco v ery: anomaly disco v ery in softw are-dened netw orks using articial neural netw orks, Computer s and Security , v ol. 132, p. 103320, 2023, doi: 10.1016/j.cose.2023.103320. [26] N. Ahuja, G. Sing al, and D. Mukhopadh yay , “DDOS attack SDN dataset, Mendele y Data , v ol. 1, no. September , p. 17632, 2020, doi: 10.17632/jxpfjc64kr .1. [27] A. H. H. Kabla et al. , “Machine and deep learning techniques for detecting internet protocol v ersion six attacks: a re- vie w , International J ournal of Electrical and Computer Engineering (IJECE) , v ol. 13, no. 5, pp. 5617–5631, Oct. 2023, doi: 10.11591/ijece.v13i5.pp5617-5631. [28] M. Anbar , R. Abdullah, I. H. Hasb ullah, Y .-W . Chong, and O. E. Elejla, “Comparati v e performance analysis of classication algorithms for intrusion detection system, in 2016 14th Annual Confer ence on Privacy , Security and T rust (PST) , Dec. 2016, pp. 282–288, doi: 10.1109/PST .2016.7906975. BIOGRAPHIES OF A UTHORS Abdullah Ahmed Bahashwan earned his Ph.D. de gree in internet infrastructures security from the National Adv anced IPv6 Centre of Excellence (N A v6), Uni v ersiti Sains Malaysia (USM), where he also completed his M.Sc. in internet engineering. He also holds a Bachelor of Computer Applications (B.C.A.) from Osmania Uni v ersity (OU), Hyderabad, India. His research interests in- clude c ybersecurity , IDS, articial intelligence (ML and DL), feature selection techniques, internet protocol v ersion 6 (IPv6) security , softw are-dened netw orks (SDN) security , and the IoT . He can be contacted at email: a.a.o.bahashw an@gmail.com. Mohammed Anbar obtained his Ph.D. in Adv anced Internet Security and Monitoring from Uni v ersity Sains Malaysia (USM). He is a senior lecturer at National Adv anced IPv6 Cen- tre (N A v6), Uni v ersiti Sains Malaysia. His current research interests include mal w are detection, web security , IDS, intrusion pre v ention systems (IPS), netw ork monitoring, IoT , and IPv6 security . He can be contacted at email: anbar@USM.my . Selv akumar Manickam director and associate professor at Uni v ersiti Sains Malaysia Di- rector and associate professor at National Adv anced IPv6 Centre (N A v6), Uni v ersiti Sains Malaysia. His research interests include c ybersecurity , the IoT , Industry 4.0, and machine learning. He has authored and co-authored more than 160 articles in journals, conference proceedings, and book re- vie ws and graduated 13 Ph.D.. He has ten years of industri al e xperience prior to joining academia. He is a member of technical forums at national and international le v els. He also has e xperience b uilding IoT , embedded, serv er , mobile, and web-based applications. He can be contacted at email: selv a@USM.my . Indonesian J Elec Eng & Comp Sci, V ol. 38, No. 2, May 2025: 1245–1255 Evaluation Warning : The document was created with Spire.PDF for Python.