Indonesian Journal of Electrical Engineering and Computer Science
Vol. 41, No. 3, March 2026, pp. 1000-1016
ISSN: 2502-4752, DOI: 10.11591/ijeecs.v41.i3.pp1000-1016
Journal homepage: http://ijeecs.iaescore.com

Classification of DoS/distributed DoS threats in software defined networks using advanced deep belief network-long short term memory architecture

Manjula Maraiah, Venkatesh
Department of Computer Science and Engineering, University Visvesvaraya College of Engineering, Bangalore University, Bengaluru, India

Article Info
Article history: Received Jul 2, 2025; Revised Jan 15, 2026; Accepted Feb 26, 2026
Keywords: Adversarial deep belief network-long short term memory; Cybersecurity; Denial of service; Projected gradient descent; Software-defined networking; Wasserstein GAN

ABSTRACT
With the evolution of telecommunication core and access networks, next-generation networks leverage software defined networks (SDN) to provide flexibility, scalability and centralized control. Denial of service (DoS)/distributed DoS (DDoS) attacks have been a major threat to next-generation networks, especially to the centralized architecture of SDNs. The ever-changing and dynamic nature of DoS/DDoS attacks makes it challenging to detect and resolve them. The existing models to handle DoS/DDoS attacks often suffer from high false positive rates and limited adaptability. To solve these problems, this study aims to create and apply a sophisticated deep learning framework, namely adversarial DBN-LSTM, to accurately detect and classify various DoS/DDoS attack types. The proposed adversarial DBN-LSTM model is based on generative adversarial networks. The proposed model uses a generator to generate the adversarial attack and a discriminator to detect the attacks. The adversarial DBN-LSTM model is evaluated using a dataset specifically generated in a Mininet-based SDN controller environment to ensure relevance and practical applicability. The performance of the adversarial DBN-LSTM is compared with other prevalent models. The adversarial DBN-LSTM model achieves an accuracy of about 99.4%. The proposed work achieves a breakthrough in identifying and preventing DoS/DDoS threats in relation to the SDN environment.

This is an open access article under the CC BY-SA license.

Corresponding Author:
Manjula Maraiah
Department of Computer Science and Engineering, University Visvesvaraya College of Engineering
Bangalore University
Bengaluru, India
Email: manjula.m82@gmail.com

1. INTRODUCTION

The evolution of software regulated (defined) networks (SDN) [1] is considered a radical shift in computer networking. By isolating the control and data planes, these networks reinterpret the conventional architecture [1]. In networking devices (for example, switches and routers), the decoupling of planes separates the functionalities, whereas conventional networking devices integrate these two planes. When network policies change or new protocols are added, physical equipment must be replaced or modified. Because of this, traditional architecture finds it challenging to adapt to changing conditions and requirements. On the other hand, SDN centralizes the control plane under a software entity known as the controller. The controller is used to interact with the underlying network appliances. In standard networks, the networking appliances are closely linked with the control logic. However, by centralizing the control functions, SDN helps administrators govern and optimize network resources dynamically. SDN uses a standardized, open interface, such as OpenFlow, to connect to switches and routers via a centralized controller. In addition to improving scalability and overall network efficiency, the centralized controller allows network administrators to react to shifting traffic patterns. SDN increases the network's programmability and flexibility. Because SDN is so flexible and agile, it is an essential technology for addressing the evolving needs of contemporary networking environments.

The network architecture in SDN is distinguished by functionality at three different layers, depicted in Figure 1. The SDN controller layer serves as the centralized system responsible for governing and handling the entire network. The application or management plane hosts all the SDN applications. The application layer interacts with the controller via the northbound APIs to convey its requirements and policies, and also collects the network's status from the controller. The control plane receives the instructions from the application layer through the northbound APIs and utilizes southbound APIs to send these commands to the infrastructure layer. This layer includes the switches and routers as the networking devices. In compliance with the directives from the SDN controller, this layer transmits the packets. The data planes ensure the implementation of centrally defined policies and configurations [1].

Figure 1. Architecture of the SDN with three layers

Separating the planes into data and control in an SDN network has its own advantages and disadvantages. Though it enhances network management and programmability, it also introduces a potential vulnerability.
Because the entire network is concentrated in a central control plane, it is a potential failure point, posing a security risk. The SDN controller is prone to service disruption threats, including both denial of service (DoS) and its counterpart variant (distributed DoS) attacks [2], [3]. A DoS/DDoS attack may be reflection based or exploitation based [4]. DDoS attacks are also categorized into volumetric, protocol based, application layer, reflection and amplification attacks [5], [6]. Within the framework of SDN, DDoS and DoS attacks target the data plane and the central control plane. The SDN control plane might be overloaded by such attempts, which would deplete the resources of the network and ultimately bring down the network as a whole [7], [8]. When a large number of sources initiate the attack simultaneously on a target machine, it is called the distributed form of denial-of-service (DDoS) attack [9]. Online services are rendered inaccessible during a DDoS attack because of an excessive volume of malicious data traffic coming from many sources. The SDN controller, acting as the central point in an SDN network, becomes highly susceptible to DoS/DDoS cyber attacks, potentially impacting the entire network. The distributed DoS attack not only targets the SDN controller but can also impact the switches and routers in the infrastructure layer.
Most DoS/DDoS attacks occur in the TCP/IP stack's transport layer. Controlling data flow is the major task of the transport layer. The primary transport layer vulnerabilities include deliberate packet corruption or degradation, and the use of protocol flaws to initiate DDoS attacks targeting the network. The transport layer is frequently targeted by volumetric and protocol-driven attack vectors [4], [10], [11], which include:
- User datagram protocol (UDP) flood attacks, which occur when an intruder sends an enormous number of IP packets containing UDP datagrams to random ports of the targeted host [12].
- ICMP flood attacks [13], sometimes referred to as ping floods, in which an attacker generates a huge count of ICMP echo request (ping) packets to overwhelm an intended endpoint.
- TCP synchronization (TCP-SYN) flood incidents [14], in which an attacker sends multiple synchronization (SYN) packets to a server using a fake IP address.

To defend against DoS/DDoS attack scenarios in SDN environments, source-based [15], network-based [16], or destination-based [17] mechanisms can be employed. Also, various AI/ML based anomaly identification techniques [13], [18] are used, for example the random forest (RF) algorithm [19], [20], support vector machine [21], logistic regression [22], K-nearest neighbor (KNN) [23], and Naive Bayes classifiers [24]. Apart from these, statistical analyses like entropy and correlation techniques are used to counteract DoS/DDoS attack scenarios in SDN environments [25]. Among these, deep learning based models like CNN, GRU, AE-BGRU, LSTM, BiLSTM, etc. have proven the most efficient in reducing DoS/DDoS attack incidents in the SDN environment [26]-[28]. Most existing ML/DL models are trained on datasets collected from traditional networks, so they do not capture the fast, dynamic behavior of SDN traffic.
They usually ignore controller-switch interactions, flow-setup delays, and control-plane signaling, which are critical in SDN. Many models also fail when attackers make small changes in traffic patterns because they lack adversarial robustness.

Most of the research work that is suggested to trace DoS/DDoS incidents in SDN with machine and deep learning techniques uses publicly available datasets [6]. The most commonly used datasets in DoS/DDoS detection are the CICDDoS2019, UNSW-NB15, and NSL-KDD datasets. These publicly available datasets are generally captured in typical networks and do not fully capture the real-time, dynamic nature of SDN traffic. The key limitation, and the main motivation for our study, is that publicly available datasets fail to capture these SDN-specific behaviors. Also, these datasets suffer from class imbalance issues, where benign traffic significantly outweighs attack traffic. This can cause the deep learning models to give biased results.

In this research article, DoS/DDoS cyberattacks on SDN are traced and classified using a deep learning technique. To strengthen the detection process, an adversarially robust deep belief network-long short term memory (DBN-LSTM) architecture is proposed in the work. By integrating a Wasserstein generative adversarial network (WGAN) for realistic attack-traffic synthesis and projected gradient descent (PGD) for modeling adaptive adversarial behavior, the framework reflects real-world attack evolution more accurately than conventional training setups. To overcome the drawback of using publicly available datasets and to demonstrate the model's performance, the current research work is gauged against the dataset generated on the Mininet emulator for the SDN environment.
Listed below are this paper's main contributions:
- Put forward an adversarial model with DBN-LSTM to trace and classify DoS/DDoS incidents in the SDN environment;
- Generate a normal and DoS/DDoS attack dataset with a Mininet emulator testbed for the SDN environment;
- Suggest an adversarially robust deep learning framework that combines WGAN to produce realistic attack traffic and PGD to mimic adaptive DoS/DDoS attacks in SDN;
- Carry out comprehensive tests using both a testbed and public datasets to estimate the effectiveness of the suggested model in recognizing DoS/DDoS attack incidents in SDN systems against the most advanced models.

The upcoming sections are structured as follows: a review of previous research works is elaborated in section 2. The problem definition of the research paper is addressed in section 3. A thorough narration of the suggested work is discussed next. The investigative findings and dataset description are demonstrated in section 5. In section 6, the research project is concluded.

2. RELATED WORK

Several deep learning algorithmic strategies have been proposed by various researchers to defend the SDN environment from DoS and DDoS threats. The research work in [29] focuses on the early identification and separation of network data as a crucial step in reducing DDoS threats. In their work, the authors proposed an LSTM based model using CICDDoS2019 as a training and testing dataset. Although the work attains an impressive accuracy of 98%, the study ignores issues including the demand for a huge amount of labeled data, possible overfitting, and high computing cost.

To reduce DDoS attacks, the authors in [30] suggested a unique source-based DDoS protection mechanism for fog and cloud settings. Since an LSTM model performs admirably with sequential data, the authors of the suggested work employed it to detect anomalies at the network and transport levels. The Hogzilla dataset is used to train this deep learning model, and both simulated and actual DDoS attack packets are used for testing. However, the model suffers from high computational overhead as it incorporates the LSTM model.

Gebremeskel et al. [31] suggested a DDoS attack identification and classification method for the software enabled network environment with a multi-controller architecture. The proposed technique used an entropy-based approach for preliminary detection. It used LSTM as the deep learning model for fine-grained classification. The proposed work also suggested distributed controllers for SDN scalability and availability, overcoming the single point of failure. Though the work achieves an accuracy of 99.4%, the drawbacks include computational complexity, reliance on specific datasets for evaluation, and potential performance degradation under high network loads. Additionally, while categorical classification improves upon binary detection, the approach may face challenges in real-world deployment due to evolving attack patterns and network dynamics.

Gebremeskel et al. [31] justified the necessity of a distributed controller design in software-defined networking (SDN) due to several limitations in centralized systems. In particular, it discusses DDoS attack identification in multicontroller SDN for new data centers and suggests a deep learning algorithm with an entropy-based approach for DDoS threat incidents. This two-level detection approach is employed to balance accuracy and computational complexity. The research work implements a solution for a multi-controller-based SDN environment.

The research work in [32] proposed an LSTM-Autoencoder-based deep learning model. The work demonstrated high detection rates with a reduced feature set. The random forest and information gain methods are involved to reduce the count from 48 features to 10 key features. Even though the model achieves a remarkable 99% accuracy rate, it incorporates high computational overhead and lacks real-time evaluation as it relies on a public dataset.

A hybrid CNN-BiLSTM strategy for identifying network intrusion in SDN was proposed in the research study in [33]. The model is evaluated on the UNSW-NB15, NSL-KDD, and InSDN datasets, and the work tackles the datasets' issues of class imbalance and data redundancy. A key technical drawback of this research work is the computational complexity introduced by the hybrid CNN-BiLSTM architecture, which may lead to increased inference time in real-time SDN environments. While the model reduces training time compared to other CNN-based approaches, the sequential nature of BiLSTM layers can slow down detection in high-throughput networks. CNNs rely on spatial feature extraction, which is not as effective for capturing deep, latent patterns in network traffic data. CNN-BiLSTM models require more fine-tuning and hyperparameter optimization to achieve robustness of the model.

Chen et al. [34] presented the adversarial approach with a DBN-LSTM model to predict and thwart DDoS attacks in SDNs using the CICDDoS2019 dataset. However, the dependence on FGSM for adversarial sample generation reduces the model's robustness against more sophisticated adversarial strategies. The authors' work highlights the reactive defense strategy focusing on mitigation after attack detection. However, it lacks a proactive component to adapt to evolving threats.

Lim et al. [35] and Zacaron et al. [36] highlighted the importance of WGAN for analyzing network traffic patterns. WGAN uses the Wasserstein distance and a gradient penalty to gauge the difference in distributions of real and generated data. This results in more stable training and higher network anomaly detection accuracy. Also, Park et al. [37] proposed an AI-driven network intrusion detection system (NIDS) using WGAN to synthesize attack samples. The authors suggested that class imbalance in intrusion detection can be addressed with WGAN. These research works demonstrate how WGAN may improve resilience, scalability, and representation learning, making it a useful instrument for spotting anomalies in network security applications.

For anomaly identification in IoT networks, Yao et al. [38] presented an unsupervised deep learning technique utilizing bidirectional generative adversarial networks (BiGAN). Using the CIC-IDS2017 and UNSW-NB15 datasets, the model achieves improved accuracy and a decreased false alarm rate by including the Wasserstein distance to enhance attack identification performance and stability. Although the method successfully identifies abnormalities in the absence of labeled data, it has drawbacks like a high computing cost and the potential for adversarial attacks. In spite of these drawbacks, it presents a viable option for precise and scalable intrusion detection in internet of things settings.
3. PROBLEM STATEMENT

Next-generation networks, especially SDN environments, are always prone to DoS/DDoS attacks. These attacks increase so rapidly that conventional DoS/DDoS detection mechanisms generally fail to detect them. Also, the traditional DoS/DDoS detection mechanisms do not classify diverse DoS/DDoS attack subtypes. Generally, the SDN environment generates high-dimensional network data, and the complexity of feature extraction and classification is not properly handled by conventional solutions. There is a need to devise techniques that can effectively address these challenges by adapting to evolving attack patterns. The design should efficiently detect and classify diverse DoS/DDoS flooding attacks for the TCP-SYN, UDP, and ICMP protocols, ensuring robust network security. The techniques should handle the complexity of feature extraction and the requirement of high-dimensional network data.

4. PROPOSED METHOD

In this research work, an adversarial DBN-LSTM framework is proposed to effectively identify and classify the different DoS/DDoS incidents in SDNs. The framework can classify DoS/DDoS flooding attack types like ICMP, UDP, and TCP-SYN flood. The performance of the suggested work is evaluated using the dataset created on the Mininet emulator for the SDN controller environment. The proposed approach involves dataset creation using the Mininet testbed emulator, data pre-processing, model design and implementation, and performance evaluation. The model demonstrates improved accuracy when evaluated on standard datasets such as CICDDoS2019.

4.1. Dataset generation with Mininet testbed

Mininet emulator using Ryu framework. Mininet is often used as a tool to simulate SDN networks. Specifically, it can mimic an entire network with computers, connections, and switches running on one Linux system using process-based virtualization.
The network simulation using Mininet was run on a virtual machine (VM). The network topology was created using Mininet as depicted in Figure 2. The SDN architecture was implemented with the Ryu controller operating as the control plane. Using the Ryu controller, features such as source and destination IP addresses, port number, and timestamp are extracted from the packets. The flow collector first contacts the controller to request traffic statistics. OpenFlow (OF) switches are used for the data plane. Flow tables are gathered using the OF protocol. The controller sends a flow-stats request to every switch that is linked to it, asking it to provide flow statistics. Consequently, all flow tables' flow entries, along with the flow description and any related counters, are included in a flow-stats reply message which is transmitted back to the controller. Once the controller has gathered all of the switch traffic data, it responds to this component. The normal and attack data traffic was generated employing the Scapy tool. The data traffic was generated on the TCP-SYN, UDP, and ICMP protocols with random hosts in the network by using HPing-3. The implemented system consisted of modules for attack identification and also for mitigation.

The dataset used in this research work includes a diverse set of DDoS attack floods of ICMP, UDP, and TCP-SYN, among the most common and impactful forms of DDoS attacks. To create a comprehensive and balanced dataset, both benign and malicious traffic was generated in fair proportions. This balanced dataset helps to prevent the proposed model from being biased and to ensure that the model can efficiently classify the normal and attack traffic data.

4.2. Adversarial DBN-LSTM

The proposed method employs generator and discriminator components to incorporate adversarial concepts for DoS/DDoS threat identification in an SDN.
The model uses PGD for adversarial attack generation. The discriminator is built with WGAN to discriminate between real and attack samples. The advantage of PGD is that it allows for more sophisticated and diverse adversarial attack scenarios [39]. PGD ensures the resilience of the proposed work by generating stronger adversarial samples during the training process. The GAN training process is stabilized by WGAN [40]. WGAN helps to mitigate issues like mode collapse and non-convergence, which are common in standard GAN implementations. By improving the Wasserstein distance, WGAN creates a more stable training environment and increases the efficiency and dependability of adversarial samples. By combining PGD and WGAN, the adversarial DBN-LSTM approach achieves greater resilience against adversarial attacks. This greatly enhances the robustness and detection accuracy of our suggested adversarial DBN+LSTM model in SDN settings. Adversarial samples generated in this study using the PGD attack introduce bounded perturbations to network traffic features to simulate adaptive DoS/DDoS behavior. During training, these adversarial samples are used together with clean data to improve model robustness. A WGAN-based discriminator is employed to distinguish real and adversarial traffic samples. The model is evaluated on adversarial data before and after adversarial training. The equations used in the proposed method are presented below.

Figure 2. Mininet topology used to generate TCP SYN, ICMP, and UDP flooding traffic

4.2.1. PGD-based adversarial sample generation

The adversarial sample in the $(k+1)$-th round is computed using:

$$x^{(k+1)} = \mathrm{Proj}_{B_p(x,\epsilon)}\left( x^{(k)} + \alpha \cdot \mathrm{sign}\left( \nabla_x L(x^{(k)}, y, \theta) \right) \right) \tag{1}$$

where $x^{(0)} = x$ is the original input sample, $\alpha$ is the step size for perturbation, $B_p(x, \epsilon)$ is the $p$-norm ball of radius $\epsilon$ around $x$, $L(x, y, \theta)$ is the model's loss function, and $\mathrm{Proj}$ denotes the projection back into the norm ball. The final adversarial example after $K$ iterations is $x_{adv} = x^{(K)}$.

4.2.2. Wasserstein GAN loss functions

The discriminator loss without gradient penalty is represented as:

$$L_{disc} = \mathbb{E}_{z \sim Q_{gen}}[D(G(z))] - \mathbb{E}_{y \sim Q_{real}}[D(y)] \tag{2}$$

On the other side, the generator is trained to raise the discriminator's values on the generated samples. The loss is given as:

$$L_{gen} = -\mathbb{E}_{z \sim Q_{gen}}[D(G(z))] \tag{3}$$
The Lipschitz constraint is applied by a gradient penalty term:

$$L_D^{GP} = L_D + \lambda \cdot \mathbb{E}_{\hat{x} \sim P_{\hat{x}}}\left[ \left( \lVert \nabla_{\hat{x}} D(\hat{x}) \rVert_2 - 1 \right)^2 \right] \tag{4}$$

where $\hat{x}$ is defined as $\alpha x + (1 - \alpha)\tilde{x}$, with $\alpha \sim U(0, 1)$. The generator's objective is defined as:

$$L_G = -\mathbb{E}_{\tilde{x} \sim P_g}[D(\tilde{x})] \tag{5}$$

In addition to the adversarial model with PGD and WGAN, the proposed work uses LSTM and DBN as seen in Figure 3. This ADBN-LSTM combination is chosen to explicitly separate feature learning from temporal modeling. The DBN captures deep and non-linear relationships among heterogeneous flow and control-plane features in SDN environments. It does not rely on spatial assumptions, which are required by typical CNN-based models. The LSTM then models long-term temporal behaviors such as sustained flooding and burst patterns that characterize DoS/DDoS attacks. In contrast, CNN-LSTM and standalone deep models learn spatial and temporal patterns jointly. This tight coupling in CNN-LSTM and standalone models reduces robustness and increases their sensitivity to noise and adversarial perturbations.

Figure 3. Architectural overview of the adversarial DBN+LSTM model

The prepared input dataset is fed to DBNs that act as a multi-layer feature extractor to capture high-level, compact representations of the input data. The stacked Bernoulli restricted Boltzmann machines (RBMs) within the DBN have progressively decreasing dimensions of 128, 64, and 32 units. Each RBM is trained in a greedy, layer-by-layer approach, learning hidden representations of the network traffic features while reducing noise and dimensionality. The input for the next LSTM network is the output of the last RBM layer. The LSTM is responsible for learning both high-level and granular temporal features in network traffic, such as sustained flooding and burst behaviors. The LSTM module is implemented as a stacked architecture.
Different LSTM depths are evaluated during experimentation, including one-layer (64 units), two-layer (64-32 units) and three-layer (128-64-32 units). The LSTM processes fixed-length traffic sequences with a time-step size of T = 10, constructed from consecutive flow-level records. The proposed methodology incorporates advanced adversarial training techniques such as PGD and WGAN to increase generalization to unknown data and strengthen resilience against adversarial attacks. This combination strengthens the model's capacity to handle adversarial perturbations and ensures the extracted features remain robust and relevant. The final LSTM output is passed through a dense layer with 16 units to capture the complex feature interactions. Finally, a Softmax output layer with 4 classes is used for multiclass classification. The complete process of the methodology is summarized as Algorithm 1.
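The PGD update of equation (1) and the clean-plus-adversarial training that Algorithm 1 summarizes, shown as an added example that is not the authors' code; sample generation follows the iterative equation (1) rather than the single normalized step of Algorithm 1. It assumes p = ∞, a softmax linear classifier standing in for the DBN-LSTM, and constructed four-feature flow records already min-max scaled to [0, 1]; all function names, class labels and hyperparameter values are illustrative.

```python
import math
import random

N_CLASSES = 4  # illustrative labels: 0 benign, 1 TCP-SYN, 2 UDP, 3 ICMP flood


def make_flows(n_per_class, rng):
    """Constructed data: four min-max-scaled flow features per record."""
    centers = [(0.2, 0.2, 0.5, 0.5), (0.8, 0.3, 0.9, 0.2),
               (0.3, 0.8, 0.2, 0.8), (0.7, 0.7, 0.1, 0.1)]
    data = [([min(1.0, max(0.0, rng.gauss(m, 0.08))) for m in c], label)
            for label, c in enumerate(centers) for _ in range(n_per_class)]
    rng.shuffle(data)
    return data


def logits(W, b, x):
    return [sum(w * v for w, v in zip(row, x)) + bk for row, bk in zip(W, b)]


def probs(W, b, x):
    z = logits(W, b, x)
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def loss(W, b, x, y):
    """Cross-entropy L(x, y, theta), computed stably as logsumexp(z) - z_y."""
    z = logits(W, b, x)
    m = max(z)
    return m + math.log(sum(math.exp(v - m) for v in z)) - z[y]


def grad_x(W, b, x, y):
    """Gradient of the loss with respect to the input features."""
    p = probs(W, b, x)
    return [sum((p[k] - (k == y)) * W[k][j] for k in range(N_CLASSES))
            for j in range(len(x))]


def pgd(W, b, x, y, eps, alpha, steps):
    """Equation (1) with p = infinity: signed step, then projection."""
    x_adv = list(x)
    for _ in range(steps):
        g = grad_x(W, b, x_adv, y)
        for j, gj in enumerate(g):
            v = x_adv[j] + alpha * ((gj > 0) - (gj < 0))
            v = min(x[j] + eps, max(x[j] - eps, v))  # back into B_inf(x, eps)
            x_adv[j] = min(1.0, max(0.0, v))         # keep the scaled range
    return x_adv


def train(data, epochs, lr, rng, adversarial, eps=0.1, steps=5):
    """SGD on clean data, or on the hybrid clean + adversarial set."""
    d = len(data[0][0])
    W = [[0.0] * d for _ in range(N_CLASSES)]
    b = [0.0] * N_CLASSES
    for _ in range(epochs):
        batch = list(data)
        if adversarial:  # D_hybrid = {(x_i, y_i), (x_i_adv, y_i)}
            batch += [(pgd(W, b, x, y, eps, eps / 4, steps), y)
                      for x, y in data]
        rng.shuffle(batch)
        for x, y in batch:
            p = probs(W, b, x)
            for k in range(N_CLASSES):
                err = p[k] - (k == y)
                b[k] -= lr * err
                for j in range(d):
                    W[k][j] -= lr * err * x[j]
    return W, b


def accuracy(W, b, data, eps=None):
    """Accuracy on clean records, or on PGD-perturbed ones when eps is set."""
    hits = 0
    for x, y in data:
        if eps is not None:
            x = pgd(W, b, x, y, eps, eps / 4, 8)
        p = probs(W, b, x)
        hits += p.index(max(p)) == y
    return hits / len(data)


def evaluate(seed=7, eps=0.1):
    """Return {training mode: (clean accuracy, accuracy under PGD)}."""
    rng = random.Random(seed)
    train_set, test_set = make_flows(40, rng), make_flows(20, rng)
    report = {}
    for name, adv in (("standard", False), ("adversarial", True)):
        W, b = train(train_set, 30, 0.5, random.Random(seed), adv, eps)
        report[name] = (accuracy(W, b, test_set),
                        accuracy(W, b, test_set, eps))
    return report


if __name__ == "__main__":
    for mode, (clean, robust) in evaluate().items():
        print(f"{mode:12s} clean={clean:.2f} under_pgd={robust:.2f}")
```

The second clipping step in `pgd` matters for min-max-scaled features: without it a perturbed record can leave the range the classifier was trained on.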
Algorithm 1. Enhanced Adversarial DBN-LSTM Training with Norm Constraints

Input: DBN-LSTM model parameters $\theta$; training dataset $D$; perturbation budget $\epsilon$; norm type $p$; learning rate $\eta$; maximum iterations $T$

Initialize model parameters $\theta$ for DBN-LSTM
while $t < T$ and stop condition not met do
    for each mini-batch $\{(x_i, y_i)\}_{i=1}^{m+1}$ from $D$ do
        Generate adversarial samples:
            Compute gradients: $\nabla_x L(x_i, y_i, \theta)$
            Normalize perturbation: $\delta_i = \eta \cdot \dfrac{\nabla_x L(x_i, y_i, \theta)}{\lVert \nabla_x L(x_i, y_i, \theta) \rVert_p}$
            Generate adversarial sample: $x_{i,adv} = x_i + \delta_i$ such that $\lVert x_{i,adv} - x_i \rVert_p \le \epsilon$
        Construct hybrid dataset: $D_{hybrid} = \{(x_i, y_i), (x_{i,adv}, y_i)\}_{i=1}^{m+1}$
        Update model parameters:
            Compute loss on $D_{hybrid}$: $L_m = \dfrac{1}{|D_{hybrid}|} \sum_{(x,y) \in D_{hybrid}} L(x, y, \theta)$
            Update $\theta$ using gradient descent: $\theta = \theta - \eta \cdot \nabla_\theta L_m$
    end for
end while
Return: Trained DBN-LSTM parameters $\theta$

5. RESULTS AND DISCUSSIONS

5.1. Dataset description

The dataset is preprocessed before model training to remove all redundant and irrelevant features. All numerical features are normalized using min-max scaling. This step brings all feature values into a common range and improves training stability. The preprocessed dataset is then divided into training, validation, and testing subsets using a fixed split of 70%, 15%, and 15%, respectively. The same data split is applied to all experiments to ensure fair and reproducible evaluation.

5.1.1. Mininet testbed dataset

The dataset utilized in this research work was created from an SDN testbed implemented using Mininet. Network features are identified from the generated dataset for both regular and attack traffic. The attributes for the attack and normal dataset that are generated during the experiment are listed in Table 1.
A variety of network traffic scenarios for the TCP, UDP, and ICMP protocols are included in the dataset, which serves as the foundation for training and assessing detection and mitigation algorithms for malicious and legitimate traffic. The data collected are used for the development and evaluation of systems in SDN environments.
Table 1. Attributes in attack and normal traffic datasets generated in Mininet testbed

| Traffic type | Attributes |
|---|---|
| Attack dataset | Frame Features (frame.encap_type, frame.len, frame.protocols), IP Header Fields (ip.hdr_len, ip.flags.rb, ip.len, ip.flags.mf, ip.flags.df, ip.frag_offset, ip.src, ip.ttl, ip.proto, ip.dst), TCP Attributes (tcp.srcport, tcp.dstport, tcp.len, tcp.ack, tcp.flags.syn, tcp.flags.ack, tcp.window_size), ICMP/UDP Fields (icmp.seq, icmp.checksum, icmp.id, udp.length), Flow Timing Info (flow start time, flow end time) |
| Normal dataset | ICMP Details (icmp type, icmp code), OpenFlow/SDN Identifiers (timestamp, flow id, datapath id, ip src and ip dst, ip proto, tp dst, tp src), Timeout & Flag Settings (idle timeout, flags, hard timeout), Flow Durations (flow duration nsec, flow duration sec), Traffic Volume parameters (packet count, byte count per second, packet count per second, byte count, packet count per nsecond), Statistical Features (request reply ratio, byte count per nsecond, syn ack ratio, packet size variance and label) |

5.1.2. CICDDoS2019

To tackle the challenges posed by DoS/DDoS attacks, the CICDDoS2019 dataset [41] was created. It includes a wide variety of DDoS attacks, such as those that are focused on reflection or exploitation. Notably, the dataset encompasses various attack types including SSDP, MSSQL, SNMP, CharGen, NTP, LDAP, TFTP, NetBIOS, DNS, SYN and UDP flood, and UDP-Lag. The dataset uses the data from packet capture (PCAP) files. Network traffic analysis information is provided through the use of labeled flows. These flows include information such as ports, protocols, source and destination IP addresses, timestamps, and categories of attacks. In order to accurately depict the complicated nature of actual network settings, the dataset models the abstract behavior of users across a variety of protocols, like HTTP, SSH, HTTPS, FTP, and email.
T able 2 lists the DoS/DDoS attacks tak en into consideration when producing the dataset. T able 2. DoS/DDoS attacks addressed in CICDDoS2019 dataset Scenario Attack names T otal count Attacks carried out during the day of training NTP , LD AP , DNS, NetBIOS, MSSQL, SSDP , SNMP , UDP-Lag, UDP , TFTP , W ebDDoS, and SYN 12 Attacks carried out during the day of testing PortScan, LD AP , NetBIOS, MSSQL, UDP-Lag, UDP and SYN 7 5.1.3. InSDN InSDN dataset is proposed by author Elsayed et al. [ 42 ]. This dataset’ s objecti v e is to gi v e a complete set of data for e xamining and creating solutions for security issues in SDN netw orks. The data generation methodology in v olv es creating attack scenarios specic to SDN en vironments. These attacks tar get critical SDN components such as controllers and OF switches. The attack also e xploit vulnerabilities present in SDN applications, such as b uf fer o v ero w , command injection, and SQL injection. The attack classes addressed in the virtual en vironment are DoS, web attacks, DDoS, R2L, Probe, Mal w are, and U2R. In addition se v eral SDN specic attacks are co v ered, including o w-rule ooding attack, data-to-control plane ooding attack, passw ord-guessing attacks, link-ooding attack (LF A), and remote application e xploitation. 5.2. Metrics f or perf ormance e v aluation The o v erall ef cac y of the proposed research methodology is assessed using accurac y and F-score. Accurac y g auges the e xtent to which o ws are accurately identied as normal or attack, using the intrusion identication system. In the entire dataset, the count of properly identied data o ws with respect to the total amount of data o w is represented as accurac y . Accurac y is gi v en as in ( 6 ). Acc = T r ueP os + T r ueN eg T r ueP os + T r ueN eg + F al seP os + F al seN eg (6) The F-score, is a more comprehensi v e indicator combi ning precision and recall. 
Precision measures the exactness of an IDS in correctly identifying attacks. It is estimated as the fraction of correctly labeled attack flows to all the flows labeled as attacks by the IDS. Recall measures the completeness of the system in identifying all the actual attacks present in the given dataset. Recall is given as the fraction of correctly labeled attack flows to all the actual attack flows in the dataset, indicating how well the system avoids false negatives. Precision (Pre) and recall are given in (7) and (8), respectively.

$$Pre = \frac{TruePos}{TruePos + FalsePos} \tag{7}$$

$$Recall = \frac{TruePos}{TruePos + FalseNeg} \tag{8}$$

The F-score, as given in (9), represents the combined measure of recall and precision, and it offers a balanced measure of the proficiency of the intrusion identification system.

$$F\text{-}Score = \frac{2 \times Precision \times Recall}{Precision + Recall} \tag{9}$$

The higher the F-score, the better the equilibrium between precision and recall, which indicates a higher overall efficiency in the model's intrusion detection. It is worth emphasizing that improving one measure, such as precision, at the expense of the other, such as recall, may not necessarily improve the F-score. It is calculated from the values of recall and precision, and the overall system performance should be evaluated with reference to both metrics.

5.3. Experimental analysis

All experiments for implementing the proposed model were conducted on a workstation equipped with an Intel Core i7-9700 CPU (3.0 GHz, 8 cores) and an NVIDIA GeForce RTX 2080 Ti GPU with 11 GB VRAM, enabling efficient training of deep learning models. The system was configured with 32 GB of RAM to support large-scale dataset processing during training and evaluation. The experiments were performed on a Linux-based operating system using Python 3.8.10. The deep learning models were implemented using the TensorFlow framework with GPU acceleration enabled.

The proposed adversarial DBN+LSTM model employs PGD in the generator and WGAN in the discriminator. Integration of PGD and WGAN enhances robustness against adversarial attacks and also improves classification accuracy.
PGD-based adversarial training is included to generate perturbed input samples. These perturbed inputs ensure the model stays resilient to adversarial manipulations. Meanwhile, WGAN synthesizes attack samples, improving data diversity and enhancing model generalization. The perturbed inputs are then passed to the LSTM network during training to enhance robustness against adversarial attacks.

Table 3 illustrates how the model is tested with different hidden layer configurations, neuron/unit counts, and dropout rates to optimize the performance. The ReLU activation function is used to enhance the non-linearity of the model. Finally, the Softmax function provides multi-class classification. Throughout the process, dropout layers are used to add regularization, preserving model generalization while avoiding overfitting. As indicated in Table 3, a dropout rate of 0.2 provides optimal performance, balancing model complexity and stability. In order to improve resilience against evasion attacks, perturbed input samples are also used in adversarial training. The adversarially trained models (DBN+LSTM-2 and DBN+LSTM-3) are able to identify complex cyberthreats in SDN systems because of their consistently high accuracy. These findings suggest that a moderate number of hidden layers, proper dropout adjustment, and adversarial training significantly enhance model performance and dependability for network intrusion detection. The findings show that accuracy increases with the number of hidden units (up to 128). Due to their deeper feature extraction capabilities, DBN+LSTM-2 and DBN+LSTM-3 achieved the greatest validation accuracy of 99.40%. Adversarial DBN+LSTM performance with various parameters is displayed in Table 4.

Table 3. Results of varying adversarial DBN+LSTM model with different parameters

| Model type | DBN+LSTM without hidden layers | DBN+LSTM 1 | DBN+LSTM 2 | DBN+LSTM 3 |
|---|---|---|---|---|
| Activation functions involved | ReLU and Softmax | ReLU and Softmax | ReLU and Softmax | ReLU and Softmax |
| Validation accuracy percentage | | | | |
| No. of hidden units = 32 | 96.45 | 97.33 | 98.67 | 99.10 |
| No. of hidden units = 64 | 96.89 | 98.12 | 99.02 | 99.25 |
| No. of hidden units = 128 | 97.34 | 98.79 | 99.40 | 99.40 |
| Dropout = 0.0 | 97.56 | 98.64 | 99.10 | 99.12 |
| Dropout = 0.1 | 98.12 | 99.02 | 99.25 | 99.30 |
| Dropout = 0.2 | 98.56 | 99.12 | 99.40 | 99.40 |
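The PGD-based adversarial training described in Section 5.3 can be sketched as follows; this is an added example, not the authors' code. A logistic-regression flow classifier stands in for the DBN+LSTM model, and the flow values, the three features (named after Table 1 attributes), eps, alpha, the learning rate and all function names are assumptions.

```python
import math

# Constructed, min-max scaled flows (packet rate, SYN/ACK ratio, request/reply ratio), 1 = attack.
FLOWS = [((0.10, 0.20, 0.15), 0), ((0.25, 0.10, 0.30), 0), ((0.15, 0.30, 0.20), 0),
         ((0.30, 0.25, 0.10), 0), ((0.80, 0.90, 0.70), 1), ((0.70, 0.75, 0.85), 1),
         ((0.90, 0.70, 0.80), 1), ((0.75, 0.85, 0.90), 1)]

def logit(model, x):
    return sum(wi * xi for wi, xi in zip(model[0], x)) + model[1]

def prob(model, x):
    return 1.0 / (1.0 + math.exp(-logit(model, x)))

def loss(model, x, y):
    # Binary cross-entropy of one flow under the stand-in classifier.
    z = logit(model, x)
    return math.log1p(math.exp(-z if y == 1 else z))

def pgd(model, x, y, eps, alpha=0.02, steps=10):
    # L-infinity PGD: step along the sign of the loss gradient, then project back
    # into the eps-ball around x and into the valid feature range [0, 1].
    adv = list(x)
    for _ in range(steps):
        err = prob(model, adv) - y                  # d(loss)/d(logit)
        for i, wi in enumerate(model[0]):
            g = err * wi                            # d(loss)/d(x_i), linear model
            v = adv[i] + alpha * ((g > 0) - (g < 0))
            v = min(max(v, x[i] - eps), x[i] + eps)
            adv[i] = min(max(v, 0.0), 1.0)
    return adv

def train(data, eps=0.0, lr=0.5, epochs=300):
    # SGD on clean flows (eps = 0) or on their PGD versions (adversarial training).
    w, b = [0.0] * len(data[0][0]), 0.0
    for _ in range(epochs):
        for x, y in data:
            xa = pgd((w, b), x, y, eps) if eps > 0 else x
            err = prob((w, b), xa) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, xa)]
            b -= lr * err
    return w, b

def accuracy(model, data, eps=0.0):
    # Fraction classified correctly; eps > 0 evaluates on PGD-perturbed flows.
    ok = 0
    for x, y in data:
        xa = pgd(model, x, y, eps) if eps > 0 else x
        ok += (logit(model, xa) > 0) == (y == 1)
    return ok / len(data)
```

Comparing `accuracy(m, FLOWS)` with `accuracy(m, FLOWS, eps=0.1)` for `m = train(FLOWS)` and `m = train(FLOWS, eps=0.1)` gives clean and perturbed accuracy for the standard and PGD-trained stand-ins. For this linear model the perturbed accuracy can never exceed the clean accuracy, because every PGD step moves the logit toward the wrong class.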