Computers & Security 138 (2024) 103661


DDoS attack detection and mitigation using deep neural network in SDN environment

Vanlalruata Hnamte a,*, Ashfaq Ahmad Najar b, Hong Nhung-Nguyen c, Jamal Hussain a, Manohar Naik Sugali b

a Department of Mathematics and Computer Science, Mizoram University, Tanhril, Aizawl, 796004, Mizoram, India
b Department of Computer Science, Central University of Kerala, Tejaswini Hills, Periye, 671320, Kerala, India
c Department of Information Technology, Viet Tri University of Industry, Tien Son Street, Viet Tri City, 29000, Phu Tho Province, Viet Nam

ARTICLE INFO

Keywords: Deep learning; Deep neural network; SDN; DDoS detection; Distributed denial of service attack; Anomaly detection

ABSTRACT

In the contemporary digital landscape, the escalating threat landscape of cyber attacks, particularly distributed denial-of-service (DDoS) attacks, has become a paramount concern for network security. This research introduces an innovative approach to DDoS detection leveraging a deep neural network (DNN) architecture rooted in deep learning (DL) principles. The proposed model exhibits a scalable and adaptable framework, enabling meticulous analysis of network traffic data to discern intricate patterns indicative of DDoS attacks. To validate the efficacy of our methodology, rigorous evaluations were conducted using authentic real-world traffic data. The results unequivocally establish the superiority of our DNN-based approach over traditional DDoS detection techniques. This research holds significant promise for bolstering network security, particularly within the dynamic landscape of software-defined network (SDN) environments. The study’s findings contribute to the continual refinement and eventual deployment of advanced measures in fortifying digital infrastructure against the evolving threat landscape. Performance metrics, including detection accuracy and loss rates, further emphasize the effectiveness of our approach across different datasets. With detection accuracy rates of 99.98%, 100%, and 99.99% for the InSDN, CICIDS2018, and Kaggle DDoS datasets, respectively, coupled with low loss rates, our DNN-based model demonstrates robust capabilities in mitigating contemporary DDoS threats. This study not only presents a novel DDoS detection approach within SDN infrastructures but also offers insights into practical implications and challenges associated with deploying DNNs in real-world SDN environments. Network security professionals can benefit from the nuanced perspectives provided, contributing to the ongoing discourse on fortifying digital networks against evolving cyber threats.

* Corresponding author.
E-mail addresses: vanlalruata.hnamte@gmail.com (V. Hnamte), ishfaqnajar@gmail.com (A.A. Najar), nhungnguyen.uet@gmail.com (H. Nhung-Nguyen), jamal.mzu@gmail.com (J. Hussain), manoharamen@cukerala.ac.in (M.N. Sugali).

https://doi.org/10.1016/j.cose.2023.103661
Received 22 September 2023; Received in revised form 28 November 2023; Accepted 13 December 2023
Available online 18 December 2023
0167-4048/© 2023 Elsevier Ltd. All rights reserved.

1. Introduction

In an era characterized by an ever-increasing reliance on technology, the significance of cybersecurity has soared to unprecedented heights. With the pervasive adoption of digital communication, the proliferation of the Internet of Things (IoT), the ubiquity of cloud computing, and the omnipresence of mobile devices, the attack surface for cyber threats has expanded exponentially. Cybersecurity, encompassing a multifaceted spectrum of practices, is dedicated to the safeguarding of computer systems and networks against unauthorized access, theft, damage, or disruption of services. The imperative for cybersecurity has escalated in tandem with the evolution of cyber threats, which have grown progressively sophisticated. The ramifications of cyberattacks are profound, encompassing substantial financial losses, severe damage to reputation, and the perilous compromise of sensitive data. These malevolent incursions are indiscriminate, targeting individuals, organizations, and even governments, thereby bestowing upon them far-reaching and potentially devastating consequences.

Among the myriad cyber threats that loom large on the contemporary cybersecurity landscape, DDoS attacks emerge as a formidable adversary, wielding the potential to wreak havoc upon online services and enterprises alike. DDoS attacks, characterized by their modus operandi of inundating a network or server with a deluge of traffic, achieve the nefarious objective of rendering the target inaccessible to legitimate users. This offensive prowess is often amplified by the malefactors harnessing a network of compromised computers, colloquially termed a botnet, thereby obfuscating the identification of the attacker’s origin. DDoS attacks, notorious for their deleterious effects, precipitate substantial financial losses, inflict reputational harm and orchestrate debilitating disruptions to online services. These pernicious attacks have cast a wide net, ensnaring entities ranging from modest small businesses to sprawling corporate enterprises, oftentimes serving as a conduit for cybercriminals to extort monetary gains or clandestinely infiltrate repositories of sensitive data.

However, in the face of this escalating menace, traditional methodologies for the detection of DDoS attacks have proven increasingly ineffectual in stemming the torrential tide of these network-borne attacks. The inexorable march of technology begets an ever-expanding landscape fraught with novel complexities and nuances, demanding correspondingly sophisticated countermeasures. Conventional detection techniques, constrained by their capacity to encapsulate the intricate relationships and patterns latent within data, falter in their ability to furnish optimal intrusion detection outcomes, rendering them susceptible to the perils of both false positives and false negatives.

In this swiftly evolving cybersecurity milieu, SDN has emerged as a salient technological bulwark, poised to bolster network security through its centralized vantage point for traffic surveillance and dynamic resource management. Concurrently, DL, a specialized domain within the purview of Artificial Intelligence, has surfaced as a potent instrument for detecting DDoS attacks via its aptitude for dissecting network traffic patterns. The fusion of SDN and DL holds promise in heralding a paradigm shift in the realm of DDoS detection, a testament to its burgeoning adoption and investigation within recent academic research endeavors. Fig. 1 illustrates the conceptual framework for mapping vulnerabilities within the SDN architecture. It visually represents the possibility of identification and analysis using DL, providing a comprehensive overview of security considerations in an SDN environment.

Fig. 1. Mapping vulnerabilities within the architecture of SDN at a conceptual level.

SDN, through its radical partitioning of the control plane and data plane within network devices, empowers centralized governance and orchestration of network resources. This newfound vantage furnishes network administrators with augmented visibility and precise control over network traffic, thereby rendering it an ideal bastion for the detection and amelioration of DDoS attacks. Traditional DDoS detection modalities, grounded in the tenets of signature-based detection and anomaly-based detection, grapple with limitations in the contemporary milieu.

The efficacious mitigation of DDoS attack vectors hinges upon the formulation of robust detection and mitigation strategies. These encompass a multifaceted arsenal comprising Intrusion Detection Systems (IDS), firewalls, and traffic filtration mechanisms. In concert with these proactive measures, the crystallization of a well-conceived incident response blueprint is imperative, replete with protocols for alleviating the impact of an attack and expedited service restoration. The urgency of devising a more precise and efficacious modality for the detection of nascent attack modalities is underscored within the purview of cloud computing networks, SDN, and servers.

An expedited and astute identification of malevolent traffic streams offers the potential for real-time countermeasures against DDoS onslaughts. Were a prospective target equipped with the capability for instantaneous detection, the resultant impact of such an attack might be diminished or potentially negated. Furthermore, the assimilation of a detection system into the fabric of the broader Internet, affording networks the acumen to recognize egregiously aggressive traffic and interdict its propagation, could substantially curtail the quantum of traffic amenable to generation during an attack. A bespoke machine learning model, meticulously trained on conventional network data and fine-tuned for expeditious and precise detection, stands as a viable conduit for achieving both these objectives.

DL, as a subdomain of machine learning, boasts a panoply of anomaly detection models that can be categorized into three principal archetypes: supervised, unsupervised, and semi-supervised. Supervised learning models, replete with their predilection for data labeled with ground-truth annotations, exhibit an elevated capacity for predictive modeling and classification tasks. However, the relative scarcity of labeled training data attenuates the practical applicability of supervised models, thereby motivating the exploration of alternative paradigms.

This paper embarks on an exploration of the efficacy of DL techniques in the domain of DDoS attack detection within SDN environments. We proffer a comprehensive framework that harnesses DNN to scrutinize network traffic data, thereby discerning latent patterns indicative of incipient DDoS attacks. The inherent scalability and adaptability of our methodology, designed to accommodate the detection of nascent attack modalities as they surface, distinguish our approach. Our empirical investigations, underpinned by real-world traffic data, substantiate the superiority of our method vis-a-vis traditional DDoS detection modalities. The outcomes of our study corroborate the potential of DL in fortifying network security within SDN domains, hinting at the prospect of further refinement and subsequent deployment within practical network infrastructures. Our approach exhibits marked advantages over traditional techniques in terms of accuracy, detection rate, and false-positive rate.

The subsequent sections of this paper are structured as follows: Section 2 furnishes an expository backdrop to this research and proffers an overview of related work. Section 3 expounds upon the conceptual framework underpinning our proposed models, detailing their design and encapsulating the intricacies of their implementation and empirical testing. Section 4 delineates the empirical findings emanating from our testing endeavors, juxtaposing them with antecedent research outcomes. Finally, Section 5 furnishes a succinct denouement to the paper and charts a course for prospective research trajectories.

2. Recent studies

In the last decade, substantial research efforts have been dedicated to integrating DL techniques into network intrusion detection, particularly focusing on feature selection as a crucial precursor. Recent studies have exhibited a notable concentration on employing DNNs for detecting DDoS attacks within the dynamic landscape of SDN environments (Yan et al., 2016; Karan et al., 2018; Ali et al., 2020).

Zainudin et al. (2022) introduced a framework that harnesses the power of DNNs to analyze network traffic data and identify DDoS attacks. Leveraging the benefits of SDN, this framework provides a centralized perspective of network traffic, facilitating dynamic control of network resources to effectively mitigate the impact of DDoS attacks. The authors rigorously evaluated their approach using real-world traffic data, demonstrating its superiority over traditional DDoS detection techniques. However, it’s imperative to highlight that this framework was not assessed on an IoT-specific dataset, potentially constraining its effectiveness in detecting DDoS attacks targeted specifically at IoT devices. Additionally, the study omitted the evaluation of certain attack types and samples, which might influence the comprehensiveness of the proposed approach in detecting a wide spectrum of DDoS attacks.

Santos-Neto et al. (2022) proposed a hybrid approach for DDoS attack detection in SDN environments, combining unsupervised and supervised machine learning techniques. Their method deploys clustering algorithms to identify anomalous network traffic patterns, followed by DNN classification to distinguish between DDoS attacks and benign traffic. The authors conducted thorough evaluations on a dataset of network traffic data, revealing high accuracy in DDoS attack detection while minimizing false alarms. However, it’s essential to recognize that evaluating the approach solely on a network traffic dataset might not fully encapsulate the diversity of real-world DDoS attack scenarios, potentially limiting the generalizability of the results.

Hussain and Hnamte (2021a) proposed a DL-based approach employing feed-forward multi-layer perceptrons (MLP) for intrusion detection, achieving an impressive accuracy rate of approximately 98%. This underscores the effectiveness of DNNs in the field of IDS, where precise identification of malicious activities is paramount for maintaining network security. It’s noteworthy that the experiment primarily focused on traditional network environments and did not specifically assess the model’s performance with newer datasets tailored for SDN.

Elmasry et al. (2020) employed a feature selection technique in conjunction with several models, with the Deep Belief Network (DBN) emerging as the top performer. However, a limitation of their study lies in the absence of extensive evaluation of the DBN model across diverse datasets or explicit exploration of its performance in detecting DDoS attacks. Although DBN exhibits comparability to MLP, it follows a different architectural paradigm and tends to excel with more hidden layers. However, the increased complexity introduced by additional hidden layers renders DBN models generally slower than MLP models with equivalent layer configurations. Nevertheless, their model achieved an accuracy exceeding 99%. Furthermore, the results showcased a substantial improvement of 4 to 6% in network intrusion detection when compared to models without pretraining, along with a reduction of 5-1% in false alarm rates on similar datasets.

Tang et al. (2016) introduced a DNN model for network intrusion detection in SDN. Their model, trained on a subset of six features selected from the NSL-KDD dataset (https://www.unb.ca/cic/datasets/nsl.html), achieved a detection rate of 76%. Notably, the authors applied Principal Component Analysis (PCA) to transform NSL-KDD features, followed by feature subset optimization using Genetic Algorithm (GA) and Particle Swarm Optimization (PSO) techniques. These enhanced features were integrated into a Modular Neural Network (MNN) model, resulting in GA achieving a detection rate of 98.2% with a false alarm rate of 1.8%, while PSO achieved 99.4% detection with a false alarm rate of 0.6%. However, it’s essential to acknowledge that the evaluation dataset may not entirely capture SDN network characteristics.

Isa and Mhamdi (2020) developed a hybrid DL approach, combining auto-encoding with the Random Forest (RF) algorithm, to combat DDoS attacks in SDNs. Focusing on the native SDN environment, their method aimed for high detection accuracy while minimizing computational overhead. Though their study reported promising results in terms of accuracy and efficiency using realistic datasets, it did not specifically consider the impact of the model on SDN controller performance. Similar to Tang et al. (2016), their approach achieved an accuracy of 98.4% on the NSL-KDD benchmark dataset.

Chanu et al. (2023) proposed a voting-based hybrid feature selection technique for detecting DDoS attacks. They highlighted the limitations of naive feature selection methods, emphasizing the challenge of accurately detecting DDoS attacks. Their hybrid feature selection aimed to reduce dimensions, eliminate redundancy, and identify relevant features, resulting in an impressive accuracy of 98.8% with a low false positive rate of 0.6% and early detection capability.

Li et al. (2018) utilized a bidirectional Recurrent Neural Network (RNN) across SDN layers to detect and block DDoS attacks in real-time. While effective, this approach may face limitations in larger networks with multiple controllers, as RNNs can disrupt controller synchronization, potentially impacting network performance.

Bhuyan et al. (2015) proposed a technique for identifying low- and high-rate DDoS attacks based on correlation coefficients. While the method demonstrated strong correlations between instances of malicious traffic, its effectiveness in detecting single instances of malicious traffic remained unclear.

Pérez-Díaz et al. (2020) proposed an adaptable architectural framework employing machine learning for the detection and mitigation of slow-rate Denial of Service (DoS) attacks. Their modular system exhibited a commendable detection accuracy of 95%, a noteworthy achievement given the inherent difficulty in identifying low-rate DDoS attacks.

Banitalebi Dehkordi et al. (2021) introduced a method for detecting DDoS attacks within SDN environments, boasting an impressive maximum accuracy rate of 99.96%. However, it is imperative to acknowledge the study’s reliance on outdated datasets, potentially restricting its capability to recognize emerging DDoS attack patterns.

Berman et al. (2019) conducted an exhaustive inquiry into the realm of DL techniques within the domain of cybersecurity. Their research delved into diverse attack scenarios, underscoring DL’s potential in uncovering novel malware variants and zero-day attacks. Moreover, they emphasized the pivotal requirement for standardized benchmark datasets and addressed pertinent considerations related to adversaries when deploying DL in the cybersecurity landscape.

Najar and Manohar Naik (2022) conducted a comprehensive exploration into the realm of machine learning techniques for the detection and classification of DDoS attack packets. They investigated the performance of various algorithms, including Random Forest (RF), multi-layer perceptrons (MLP), Support Vector Machine (SVM), and K-Nearest Neighbor, using the NSL-KDD dataset. Notably, RF exhibited exceptional accuracy, achieving 99.13% on both training and validation data and 97% on the full test dataset. Meanwhile, MLP showcased impressive accuracies of 97.96% on training data, 98.53% on validation data, and 74% on the full test dataset. These results underscore the considerable potential of machine learning techniques for the accurate detection and classification of DDoS attacks.

Cil et al. (2021) demonstrated the effectiveness of DNN models in DDoS attack detection, leveraging the CICDDoS2019 dataset. Their DNN model exhibited exceptional performance metrics, including an F1-Score of 0.9998, Accuracy of 0.9997, Precision of 0.9999, and Recall of 0.9998 for Dataset 1. However, for Dataset 2, performance exhibited a slight decline, with an F1-Score of 0.8721, Accuracy of 0.9457, Precision of 0.8049, and Recall of 0.9515. These findings highlight the necessity for further research to enhance multiclass classification, particularly for Dataset 2.

Ferrag et al. (2020) conducted an exhaustive analysis of DL techniques in the realm of intrusion detection, categorizing diverse cybersecurity datasets. Their study shed light on the limitations of Convolutional Neural Networks (CNNs) in capturing long-time-dependent features of IoT traffic. Consequently, they emphasized the critical need for future research efforts in this domain.

Aljabri et al. (2021) introduced DeepDefense, a DDoS attack detection method rooted in Recurrent Neural Networks (RNNs). DeepDefense effectively incorporates fully connected layers, RNNs, and CNNs to bolster detection accuracy while significantly reducing error rates. While this approach shows great promise, the study recommended further exploration of hybrid models and the addressing of challenges related to the detection of malicious URLs and traffic in encrypted networks and IoT environments.

Wei et al. (2021) addressed the limitations of traditional machine learning techniques in DDoS attack detection by introducing a hybrid DL approach. Their model combines an autoencoder for feature extraction with a multi-layer perceptron for precise attack classification. Experimental results on the CICDDoS2019 dataset showcased remarkable performance, with an accuracy rate exceeding 98%. However, it is essential to conduct further research to assess the model’s adaptability to diverse network environments and various attack variations.

Yuan et al. (2017) presented an effective approach for detecting DDoS attacks employing a DL model that incorporates improved feature selection. Their method incorporates feature selection based on the chi-square test and combines a bidirectional long short-term memory (Bi-LSTM) with a CNN for attack detection. Although their results revealed significant reductions in error rates, additional testing of the model in real-time scenarios is warranted to evaluate its performance comprehensively.

Said Elsayed et al. (2020) elevated anomaly detection by amalgamating an LSTM-autoencoder with the one-class SVM (OC-SVM) algorithm. This combined approach, termed LSTM-Autoencoder-OC-SVM, exhibited enhanced accuracy compared to OC-SVM in isolation. Remarkably, LSTM-Autoencoder-OC-SVM achieved an accuracy of 90.5%, surpassing the OC-SVM’s accuracy of 87.5.

Fouladi et al. (2022) introduced an innovative technique for the detection and mitigation of DDoS attacks within SDN environments. Their approach combines discrete wavelet transforms with autoencoder neural networks to augment the accuracy of IDSs. By leveraging the discrete wavelet transform to extract statistical features from network traffic data and employing an autoencoder neural network for unsupervised learning, their method excels in the precise identification of DDoS attack patterns.

Hnamte and Hussain (2023a) proposed a novel approach for detecting DDoS attacks using hybrid DL-based DNNs. Their models, trained on the CIC-IDS2017 and CIC-DDoS2019 datasets, achieved a remarkable accuracy of 99.9% with an impressively low loss rate of 0.0025. While these results highlight the effectiveness of DNNs in identifying and classifying DDoS attacks, further research is needed to evaluate their applicability in SDN environments.

Swami et al. (2023) employed OpenFlow Random Host Mutation (OF-RHM) to enhance system security against attacks, reducing the likelihood of successful attacks by periodically changing host IP addresses randomly. However, this study did not focus on DL-based systems.

Agarwal et al. (2021) presented a novel approach combining feature selection with a whale optimization algorithm and a DNN to effectively resist DDoS attacks. Their model also homomorphically encrypted and securely stored data in the cloud to enhance security. Simulation results demonstrated an impressive accuracy of 95.35% in detecting DDoS attacks. A swarm intelligence technique was utilized to identify optimal features, and the Aquila optimizer assigned desirable weights to selected features after the feature selection process.

Various techniques are available for visualizing different types of data. For instance, Sayed et al. (2022) utilized t-Distributed Stochastic Neighbor Embedding (t-SNE) to represent the data arrangement of the InSDN dataset. t-SNE is a method that transforms high-dimensional data into a lower-dimensional space while preserving the neighborhood relationships among the data points. The results indicate that normal and attack samples exhibit similar characteristics. As a result, it becomes challenging to achieve linear separation between these two classes, highlighting the complexity of intrusion detection issues in network traffic.

In this study (Amaizu et al., 2021), the authors have made notable advancements in the realm of DDoS detection within 5G/B5G networks by introducing a novel approach. They leverage hybrid DNN models, enriched with Pearson Correlation Coefficient (PCC) feature extraction, as a robust methodology to enhance the accuracy and efficiency of DDoS detection. The experimental results showcase the efficacy of this approach, with an impressive accuracy rate of 99.66% and a minimal loss of 0.011, as verified on the CICDDoS2019 dataset. Significantly, the hybrid model outperforms all other models, except for a CNN ensemble, underscoring the superiority of the proposed hybrid approach. Nevertheless, the study judiciously addresses a pivotal concern regarding the inherent complexity of the proposed hybrid DNN models. This complexity introduces valid apprehensions about potential delays in detection times, posing a potential challenge to the real-time applicability of the framework, particularly in dynamic and high-traffic environments.

In this study (Mishra et al., 2023), the authors proposed a framework for the detection and classification of DDoS attacks. The study utilizes the CICDDoS2019 dataset as the basis for its investigation into DDoS attack categorization and prediction. The primary methodology involves the application of the Extra Tree Classifier, a machine learning algorithm used for feature optimization. The framework achieves notable success by incorporating the AdaBoost Classifier, resulting in an impressive 99.87% accuracy. The Extra Tree Classifier is specifically employed to distill 25 key attributes crucial for the effective categorization and prediction of DDoS attacks.

In this study (Chouhan et al., 2023), the effectiveness of various machine learning classifiers, including Support Vector Machines (SVM), Random Forest (RF), K-Nearest Neighbors (K-NN), Extreme Gradient Boosting, and Naive Bayes (NB), was rigorously assessed using a generated dataset for real-time intrusion detection within SDN environments. The results indicate that SVM outperformed other classifiers with remarkable metrics, achieving 99.398% accuracy, 99.413% precision, 99.397% recall, 0.718% False Acceptance Rate (FAR), 0.995 Area Under the Curve (AUC), and 99.400% F1 value. While the study demonstrates the high performance of SVM in real-time intrusion detection, it acknowledges certain limitations. The real-time performance of the proposed model in real-world environments may be impacted by longer detection times due to the complexity of the model structure. Additionally, the relatively small size of the dataset raises concerns about the generalizability of the findings.

While these studies from Table 1 demonstrate the potential of DL in network intrusion detection, their applicability to SDN environments varies. Some studies explicitly target SDN, showcasing adaptability and effectiveness, while others may require further evaluation in SDN contexts. Researchers should consider the nuances of SDN architectures and traffic patterns when applying DL techniques, ensuring their relevance and efficiency in these dynamic environments.


Table 1
Summary of existing literature.

| Reference | Year | Model | Dataset | Accuracy | Loss | Recall | Precision | F1-Measure |
|---|---|---|---|---|---|---|---|---|
| Li et al. (2018) | 2018 | DNN | ISCX | 98% | * | * | 99% | * |
| Elmasry et al. (2020) | 2020 | Double PSO + DBN | CICIDS2017, | 99.91% | * | 99.92% | 99.99% | 99.95% |
| | | | NSL-KDD | 99.79% | | 99.81% | 99.83% | 99.82% |
| Isa and Mhamdi (2020) | 2020 | Hybrid Approach | NSL-KDD | 98.4% | * | * | * | * |
| Pérez-Díaz et al. (2020) | 2020 | MLP | CICDDoS2017 | 95% | * | 94.51% | 95.46% | 94.98% |
| Banitalebi Dehkordi et al. (2021) | 2020 | RandomTree, | UNB-ISCX, | 99.96% | * | 99.44% | 97.15% | 98.28% |
| | | REPTree | CTU-13, and ISOT | 98.55% | | 98.10% | 99.64% | 98.86% |
| Ferrag et al. (2020) | 2020 | DNN | CICIDS2018 | 97.28% | * | * | * | * |
| | | RNN | | 97.31% | | | | |
| | | CNN | | 97.38% | | | | |
| | | DNN | BoT-IoT | 98.22% | | | | |
| | | RNN | | 98.31% | | | | |
| | | CNN | | 98.37% | | | | |
| Said Elsayed et al. (2020) | 2020 | LSTM Based AE | InSDN | 90.5% | * | 93% | 93% | 93% |
| Hussain and Hnamte (2021a) | 2021 | DNN | KDDCUP99, | 98.99% | * | 98.99% | 98.75% | 98.79% |
| | | | NSL-KDD | 96.00% | | 96.0.% | 94.12% | 95.75% |
| Cil et al. (2021) | 2021 | DNN | CICDDoS2019 | 99.9% | * | 99.98% | 99.99% | 99.98% |
| | | | | 94.57% | | 95.15% | 80.49% | 87.21% |
| Hussain and Hnamte (2021b) | 2021 | DNN | KDDCUP99, | 99.69% | 0.0207 | 99.61% | 99.37% | 99.48% |
| | | | NSL-KDD | 97.26% | 0.1615 | 98.12% | 97.73% | 97.83% |
| Hussain and Hnamte (2021c) | 2021 | DNN | KDDCUP99, | 99.69% | 0.0207 | 99.61% | 99.37% | 99.48% |
| | | | NSL-KDD | 95.38% | 0.1615 | 98.12% | 97.73% | 97.83% |
| | | | UNSW-NB15 | 81.70% | 0.5245 | 81.70% | 74.79% | 77.35% |
| Wei et al. (2021) | 2021 | AE-MLP | CICDDoS2019 | 98.34% | * | 98.48% | 97.91% | 98.18% |
| Agarwal et al. (2021) | 2021 | FS-WOA–DNN | CICIDS2017 | 95.35% | 0.0928 | 90.71% | * | * |
| Zainudin et al. (2022) | 2022 | CNN-LSTM | CICDDoS2019 | 99.50% | * | * | * | * |
| Santos-Neto et al. (2022) | 2022 | Hybrid DNN | Self Generated | 99% | * | * | * | * |
| Najar and Manohar Naik (2022) | 2022 | RF | NSL KDD | 97% | 0.0656 | 61.75% | 90.72% | 96.61% |
| | | MLP | | 74% | | 72.93% | 85.57% | 77.43% |
| Fouladi et al. (2022) | 2022 | AE-NN | MAWI | 98.85% | * | * | * | * |
| Fatani et al. (2022) | 2022 | CNN | CICIDS2017, NSL-KDD, BoT-IoT, and KDDCUP99 | 99.91% | * | 99.88% | 99.88% | 99.88% |
| Hnamte et al. (2023) | 2023 | LSTM-AE | CICIDS2017, | 99.99% | 0.0005 | 99.99% | 99.99% | 99.99% |
| | | | CSE-CICIDS2018 | 99.10% | 0.0040 | 99.10% | 99.07% | 99.02% |
| Chanu et al. (2023) | 2023 | Hybrid Approach (MLP-GA) | CICDDoS2017 | 98.8% | * | * | * | * |
| Hnamte and Hussain (2023b) | 2023 | DCNNBiLSTM | CICIDS2018, | 100% | 0.0000 | * | * | * |
| | | | Edge_IIoT datasets | 99.64% | 0.0080 | | | |

* Not available.

3. Methodology

This section comprises three subsections: dataset preparation, model construction, and evaluation of the model. The objective of data preparation is to decrease the time required by the model and maintain the objectivity of the evaluation. The model generation section produces a DNN model and improves its performance through continuous execution until the expected performance is found and meets the value specified. Fig. 2 depicts our proposed method. The first flowchart (2a) depicts the process of dataset preparation; the second flowchart (2b) depicts the process of model generation; and the third flowchart (2c) depicts the process of evaluating the generated model in an SDN environment.

3.1. Data preprocessing

Data preprocessing is applied to clean the data, normalize the data, and filter a subset of features. This step is critical since the noise contained in the data might hamper performance. Data cleansing is essential since actual acquired data might contain numerous irrelevant features. We prepared the dataset by removing some features and normalizing the data. The majority of machine learning models can only deal with numerical values for training and testing, which is their limitation. Thus, it is important to numericalize the data, transforming any non-numerical values into numerical ones. Basically, there are two approaches to numericalizing data. The first is known as “one-hot encoding,” which assigns a unique binary vector to each kind of nominal characteristic. For example, the InSDN dataset contains nominal characteristics such as protocol type, service, etc.

Algorithm 1 takes as input the dataset and the desired percentage 𝑝 for the training set. It shuffles the dataset randomly to ensure a random distribution of samples. It then calculates the number of samples to include in the training set based on the percentage 𝑝. The algorithm extracts the first 𝑛𝑡𝑟𝑎𝑖𝑛 samples as the training set 𝑡𝑟𝑎𝑖𝑛 and the remaining samples as the testing set 𝑡𝑒𝑠𝑡. The algorithm allows for additional data preprocessing steps to be performed on the training and testing sets

if needed, such as feature scaling, normalization, or handling missing data. Optionally, the training set 𝑡𝑟𝑎𝑖𝑛 can be further split into training and validation sets for tasks like hyperparameter tuning or model selection. Finally, the algorithm stores the training set 𝑡𝑟𝑎𝑖𝑛 and the testing set 𝑡𝑒𝑠𝑡 as the output.

Fig. 2. Flowchart of the method.

Algorithm 1 Dataset preprocessing and splitting.
Require: Dataset , Training set percentage $p$
Ensure: Training set 𝑡𝑟𝑎𝑖𝑛 , Testing set 𝑡𝑒𝑠𝑡
1: Shuffle  randomly
2: Calculate the number of samples in the training set: $n_{train}$ = round($p$ × ||)
3: Extract the first $n_{train}$ samples from  as 𝑡𝑟𝑎𝑖𝑛
4: Extract the remaining samples from  as 𝑡𝑒𝑠𝑡
5: Preprocessing: Perform any required data preprocessing steps on 𝑡𝑟𝑎𝑖𝑛 and 𝑡𝑒𝑠𝑡 , such as feature scaling, normalization, or missing data handling.
6: Store 𝑡𝑟𝑎𝑖𝑛 , 𝑡𝑒𝑠𝑡

3.2. DNN model

A DNN is a type of artificial neural network (ANN) characterized by a deep architecture with multiple layers, particularly multiple hidden layers between the input and output layers. Each layer in a DNN comprises interconnected nodes, or neurons, and these networks are capable of learning intricate representations of data through a process called DL. DNNs are a fundamental component of DL, a subset of machine learning that focuses on using neural networks with many layers (hence “deep”) to model and solve complex problems.

In the realm of performance, DL models surpass traditional machine learning algorithms, albeit with an associated increase in training time due to their inherent complexity. However, their efficacy is intricately tied to the hyperparameter values employed. Thus, a critical concern when utilizing DL models revolves around the judicious tuning of these hyperparameters, which are pivotal settings dictating the behavior, architecture, and performance of the model for a given task. The challenge lies in the task-specific variability of these hyperparameter values, necessitating a thoughtful selection process before initiating the learning process.

Algorithm 2 outlines the proposed DNN model, a critical phase where the network learns to map input data to desired output by adjusting its weights and biases. Below is a detailed breakdown of each step:

1. Input Parameters:
   • $\mathbf{x}$: Input data vector, where each element represents a feature.
   • $\mathbf{y}$: Output data vector, corresponding to the desired output.
   • $L$: Number of hidden layers in the DNN.
   • $N$: Number of neurons per hidden layer.
   • $\alpha$: Learning rate, determining the step size during weight updates.
   • $\sigma$: Activation function, introducing non-linearity to the model.
2. Initialization: Initialize weights and biases for all layers randomly. This step involves assigning initial values to the parameters that the model will learn during training.
3. Training Loop: The training process is iterative and occurs within a repeat-until loop, which continues until convergence or the maximum number of iterations is reached.
4. Iteration Over Training Data: For each iteration over the training data ($N_{train}$ instances):
   • Feedforward: Calculate the predicted output $\hat{\mathbf{y}}$ by passing the input $\mathbf{x}_i$ through the DNN using feedforward propagation.
   • Compute Loss: Calculate the loss $E$ using a specified loss function, commonly mean squared error $(\mathbf{y}_i - \hat{\mathbf{y}})^2$.
   • Backpropagation: Compute the gradients $\nabla E$ of the loss with respect to all weights and biases using backpropagation. This step involves calculating how much the loss would change with respect to each parameter.
   • Update Weights and Biases: Update the weights and biases using the gradients and the learning rate through the process of gradient descent: $\theta_{t+1} = \theta_t - \alpha \nabla E$.
5. Convergence Check: The algorithm repeats the training loop until convergence, where the model’s performance stabilizes, or the maximum number of iterations is reached.

The input data $\mathbf{x}$ and output data $\mathbf{y}$ are first given as input to the algorithm, along with the number of hidden layers, number of neurons per hidden layer, learning rate, and activation function. The weights and biases for all layers are then initialized randomly.

The algorithm then performs a repeat-until loop for a maximum number of iterations or until convergence is achieved. For each iteration, the algorithm processes the training data by first feeding it forward through the network to calculate the output $\hat{\mathbf{y}}$. The loss function $E$ is then computed as the mean squared error between the predicted output and the actual output.

In the next step, the gradients of the loss function with respect to all the weights and biases are computed using backpropagation. These gradients are then used to update the weights and biases of the network through the process of gradient descent. The learning rate $\alpha$ determines the step size of the weight and bias updates.

The process is repeated for all training data until convergence is achieved or the maximum number of iterations is reached. The trained DNN model with the updated weights and biases is then returned as the output of the algorithm.

Algorithm 2 DNN algorithm.
Require: Input data $\mathbf{x} = x_1, x_2, ..., x_n$, output data $\mathbf{y} = y_1, y_2, ..., y_m$, number of hidden layers $L$, number of neurons per hidden layer $N$, learning rate $\alpha$, and activation function $\sigma$
Ensure: Trained DNN model
1: Initialize weights and biases for all layers randomly
2: repeat
3:   for $i \leftarrow 1$ to $N_{train}$ do
4:     Feedforward: Calculate output $\hat{\mathbf{y}}$ of the DNN for input $\mathbf{x}_i$
5:     Compute the loss $E = \frac{1}{2}(\mathbf{y}_i - \hat{\mathbf{y}})^2$
6:     Backpropagation: Compute gradients $\nabla E$ with respect to all weights and biases
7:     Update weights and biases using gradient descent: $\theta_{t+1} = \theta_t - \alpha \nabla E$
8:   end for
9: until convergence or maximum number of iterations is reached
10: return Trained DNN model with weights and biases

The three sequential steps of our proposed technique are preprocessing, model training, and evaluation in an SDN environment. It begins with the preparation phase, during which the primary parameters and a list of desired hyperparameters and their default domains are specified. There were nine hyperparameters defined: learning rate, decay, momentum, number of epochs, batch size, optimizer, initialization function, number of hidden layers, layer type, dropout rate, activation function, and number of hidden layer neurons. The specified hyperparameters and their default domains are shown in Table 2.

Table 2
Hyperparameters and their domains.

Hyperparameter                         Domain           Type
Learning rate                          0.0001           Continuous
Dropout rate                           0.1              Continuous
Number of hidden layers                4                Step=1
Numbers of neurons of hidden layers    128, 256, 128    Step=1
Number of epochs                       30               Step=1
Batch size                             128              Step=1
Optimizer                              Adam             Step=1
Layer type                             Dropout, Dense   Step=1
Activation function                    Softmax, Relu    Step=1

Table 2 provides an overview of the proposed DNN hyperparameters and their corresponding settings for a specific model.

1. Learning rate: The learning rate determines the step size at which the model adjusts its parameters during training. A learning rate of 0.0001 indicates a small step size, which helps ensure gradual convergence and prevents overshooting.
2. Dropout rate: Dropout is a regularization technique that randomly sets a fraction of input units to 0 during training to prevent overfitting. A dropout rate of 0.1 means that 10% of the input units will be dropped out or set to 0.
3. Number of hidden layers: This hyperparameter defines the depth of the neural network model. Having more hidden layers allows the model to learn more complex representations of the input data. In this case, the model has four hidden layers.
4. Numbers of neurons in hidden layers: Each hidden layer contains a certain number of neurons, which determine the capacity and complexity of the model. The given values of 128, 256, and 128 indicate that the first and third hidden layers have 128 neurons, while the second hidden layer has 256 neurons.
5. Number of epochs: An epoch refers to a complete pass through the entire training dataset. The number of epochs determines how many times the model will be trained on the entire dataset. In this case, the model is trained for 30 epochs.
6. Batch size: During training, the dataset is divided into smaller batches, and the model updates its parameters after processing each batch. The batch size of 128 means that the model updates its parameters after processing 128 samples.
7. Optimizer: The optimizer is responsible for updating the model’s parameters based on the computed gradients during training. The “Adam” optimizer is commonly used and adapts the learning rate for each parameter individually.
8. Layer type: This hyperparameter specifies the types of layers used in the neural network model. The model includes “Dropout” layers, which help regularize the model by randomly dropping out units, and “Dense” layers, which are fully connected layers.
9. Activation function: Activation functions introduce non-linearities to the model, allowing it to learn complex relationships in the data. The activation functions used in this case are “Softmax” and “Relu”. Softmax is often used for multi-class classification, while Relu is a popular choice for hidden layers due to its simplicity and effectiveness in handling non-linearities.

The hyperparameters chosen for our proposed model wield significant influence over its performance. The strategic adjustment of these hyperparameters holds the potential to optimize the model, aligning it more effectively with the training data and enhancing its capacity for generalization when confronted with novel, previously unseen data.

In the context of this study, the hyperparameters detailed in Table 2 assume pivotal roles in the training process of our DNN model. The meticulous selection of suitable values for each hyperparameter embodies the authors’ overarching objective: to harness these hyperparameters’ potential to bolster the model’s accuracy while concurrently mitigating the loss function. This intricate hyperparameter tuning process aims to calibrate the model to deliver superior performance across various data scenarios, equipping it to make more precise predictions and exhibit enhanced adaptability to uncharted data domains.

3.3. Model loading in SDN

Once the model is trained, we can use it to detect DDoS attacks in SDN by following the steps below.

• Capture Network Traffic: We need to capture the incoming network traffic in real-time using the SDN controller.
• Data Preprocessing: Data preprocessing is optional in our study. One can preprocess the captured data by normalizing it and converting it into a format that the DNN model can use as input.
• Run the Model: We load the saved model, then feed the captured data as input to the trained DNN model to obtain the predicted output. Determine an appropriate threshold for the model’s output to classify instances as normal or attacks. This threshold can be based on a predefined value or determined dynamically based on the desired balance between false positives and false negatives.
• Attack Detection: Compare the output predictions with the threshold to identify whether each instance of network traffic is classified as normal or an attack. Instances exceeding the threshold are considered attacks, while those below the threshold are classified as normal traffic.
• Alert or Mitigate: Based on the classification results, appropriate actions can be taken, such as generating alerts, logging events, or implementing mitigation strategies to protect the SDN environment from the detected attacks.

Algorithm 3 DDoS attack detection using DNN model.
Require: Input network traffic data, DNN model weights $\mathbf{W}$ and biases $\mathbf{B}$
Ensure: DDoS attack detection results
1: Load the DNN model weights $\mathbf{W}$ and biases $\mathbf{B}$
2: Initialize an empty list to store attack instances
3: for $i \leftarrow 1$ to $N_{samples}$ do
4:   Pass the network traffic data $x_i$ through the DNN model
5:   Perform forward propagation using the loaded model weights $\mathbf{W}$ and biases $\mathbf{B}$
6:   Obtain the output prediction $\hat{y}_i$ from the DNN model
7:   if $\hat{y}_i > threshold$ then
8:     Add $x_i$ to the list of detected attack instances
9:   end if
10: end for
11: return List of detected attack instances

Algorithm 3 provides a comprehensive depiction of the DDoS detection process using a DNN model. It elucidates the intricate steps involved in the evaluation of input network traffic data for the identification of potential DDoS attacks.

The algorithm commences by loading the essential components of the DNN model, namely its weights ($\mathbf{W}$) and biases ($\mathbf{B}$). These parameters are instrumental in shaping the model’s predictive capabilities. Subsequently, the algorithm takes as input the network traffic data, which serves as the raw material for the detection process.

The process unfolds within a structured loop, iteratively processing each sample within the network traffic data. For every sample, a critical step is executed: the application of forward propagation through the DNN model. This pivotal operation is enacted by leveraging the pre-loaded model weights and biases. The outcome of this operation materializes as an output prediction ($\hat{y}_i$) originating from the DNN model.

The algorithm operates on a binary decision mechanism, hinging on the comparison of this output prediction against a predefined threshold. If the prediction surpasses this threshold, signifying a substantial likelihood of a DDoS attack, the corresponding instance of network traffic ($x_i$) is promptly enlisted in the growing roster of detected attack instances.

Ultimately, the algorithm culminates in the aggregation of these detected attack instances into a dedicated list. This list serves as a concise yet comprehensive record of network traffic samples deemed to correspond to DDoS attacks. It encapsulates the primary goal of the algorithm: the precise identification of instances within the network traffic data that exhibit characteristics indicative of DDoS attacks. Upon completion, the algorithm delivers this list of detected attack instances, thereby fulfilling its intended purpose.

In our research endeavor, we have meticulously devised a DNN model tailored specifically for the detection of DDoS attacks within the context of SDN. This model has been systematically stored and meticulously loaded to facilitate the rapid and efficient detection of network attacks, thereby fortifying the security posture of SDN-based networks.

The core of our detection model hinges upon a meticulously crafted process that encompasses the collection of network traffic data, the meticulous design and training of a bespoke DNN architecture, and a comprehensive evaluation of the model’s performance. Post-training, our model seamlessly transitions into real-time operation, where it assumes the pivotal role of detecting and mitigating DDoS attacks. This is achieved through the continuous capture of network traffic, which is subsequently fed as input to our expertly trained DNN model. Our pioneering approach to the detection of DDoS attacks is grounded in a profound insight. We surmise that the utilization of the InSDN dataset, originating from an SDN environment, holds the potential to significantly ameliorate the detection process. This, in turn, can yield a tangible reduction in detection errors and a marked enhancement in detection accuracy. Consequently, the effective detection of DDoS attack scenarios pivots on two critical pillars: the optimization of traffic data and the deployment of an expeditious and highly proficient detection model.

4. Results and discussions

In this section, we embark on a comprehensive exploration of our experimental methodology. We initiate this journey by providing an insightful summary of the datasets meticulously curated for the purpose of our experiments. Subsequently, we delve into the precise details of the evaluation metrics meticulously chosen to gauge the efficacy and performance of our proposed model. Following this, we meticulously outline the intricate facets of the attack scenario that we have meticulously crafted to rigorously assess the capabilities of our proposed model. We also offer a detailed exposition of the specificities of our experimental setup, meticulously describing the network topology, configuration, and all relevant parameters that govern our experimentation.

The results of our comprehensive experimentation endeavor have unveiled the formidable capabilities of DNN models in the realm of DDoS attack detection within SDN environments. Our approach has achieved a remarkable accuracy rate of 99.9%, showcasing its prowess in accurately distinguishing malicious traffic from benign data flows. Furthermore, the false-positive rate, a crucial metric in the context of intrusion detection, stands at a mere 0.003%. These exceptional results underscore the potential and promise of DNN-based approaches in bolstering the security posture of SDN-based networks against the menace of DDoS attacks.

4.1. Dataset

In the realm of cybersecurity research, IDS datasets are assumed to play a paramount role. These datasets comprise meticulously curated collections of network traffic data, thoughtfully annotated to demarcate instances of normal network behavior from those tainted by nefarious activities. The objective behind the creation of IDS datasets is to facilitate the rigorous evaluation of IDS algorithms, thereby gauging their efficacy in detecting an array of malicious activities, encompassing but not limited to DDoS attacks, port scanning, and insidious malware infiltrations. The development of IDS datasets represents a multifaceted and labor-intensive endeavor, involving the intricate processes of data collection, judicious traffic filtration, meticulous labeling of distinct attack types, and the stringent preservation of data privacy and security considerations. Prominent organizations, such as the venerable National Institute of Standards and Technology (NIST), have undertaken the arduous task of formulating IDS datasets. These datasets stand as invaluable resources, widely embraced by the research community for their pivotal role in advancing the field of cybersecurity.

Access to high-quality IDS datasets stands as a linchpin in the development and evaluation of IDS algorithms. As underscored by Hnamte and Hussain (2021), these datasets serve as indispensable tools, empowering both researchers and practitioners to rigorously assess the performance of their algorithms across an expansive spectrum of attack scenarios. Beyond mere assessment, these datasets also function as treasure troves of information, enabling the discernment of patterns and trends within network attacks. Such insights are instrumental in the perpetual quest to fortify network security defenses. However, it’s noteworthy that until the introduction of InSDN dataset (Elsayed et al., 2020), there has been a noticeable dearth of datasets meticulously tailored for the SDN environment. The emergence of InSDN represents a pivotal milestone, addressing this critical gap in the research landscape
and heralding a new era of exploration and innovation in SDN-based network security.

4.1.1. InSDN

The InSDN² dataset was recently developed to address the limitations of existing datasets for DDoS attack detection in SDN environments. The InSDN dataset was created by collecting real-world network traffic from an SDN environment and labeling it according to the presence of DDoS attacks. Several virtual machines with an SDN network architecture were constructed to generate the dataset. The standard Ubuntu system represents regular users, whereas the Kali system represents attackers doing various forms of attacks on the SDN network. The dataset comprises a total of 343889 instances of data, with 84 characteristics per instance. The dataset contains eight separate traffic classes. There are 68424 instances of regular traffic and 275465 instances of attack traffic. Fig. 3 illustrates the distribution of data sets. The dataset includes a variety of attack scenarios, including TCP, UDP, and ICMP floods, as well as SYN floods and Slowloris attacks. For this reason, we have used the InSDN dataset to train the proposed DNN model.

² https://aseados.ucd.ie/datasets/SDN/.

Fig. 3. InSDN data distribution. (For interpretation of the colors in the figure(s), the reader is referred to the web version of this article.)

Several modern IDSs for SDN use datasets such as KDD99,³ NSL-KDD (Tavallaee et al., 2009), etc. These are good datasets; however, the protocol and network topology used by conventional networks are significantly different from those of SDN networks.

³ http://kdd.ics.uci.edu/.

4.1.2. CICIDS2018

The CICIDS2018 (Sharafaldin et al., 2018) (Canadian Institute for Cybersecurity Intrusion Detection Evaluation Dataset 2018) is a comprehensive and widely used benchmark dataset designed for the evaluation of IDS. Developed by the Canadian Institute for Cybersecurity, this dataset is instrumental in advancing research and development in the domain of network security. CICIDS2018 encompasses a diverse range of network traffic scenarios, including normal activities and various types of cyber attacks. The dataset is designed to simulate real-world network environments, capturing both benign and malicious network behaviors. The dataset covers a variety of network traffic types, such as normal traffic, DDoS, brute-force attacks, and more. Different attack scenarios are represented, providing a holistic view of potential security threats.

Within the expansive CICIDS2018 dataset, the subset labeled “DDoS-LOIC-UDP-HOIC-21-02-2018” holds particular significance in the context of this research. Fig. 4 illustrates the distribution of data sets. Focused on instances of DDoS attacks orchestrated through LOIC, and HOIC, this subset provides a concentrated collection of network traffic data specifically related to DDoS scenarios. CICIDS2018 contains a substantial volume of network traffic data, enabling robust analysis and evaluation of intrusion detection algorithms. The dataset is sufficiently large to support the training and validation of DL models. The dataset is designed to mirror real-world network conditions, facilitating the creation and assessment of intrusion detection solutions that can be deployed in practical settings. Due to its scope, realism, and comprehensive labeling, the CICIDS2018 dataset has become a valuable resource in the cybersecurity research community. Researchers leverage this dataset to benchmark and compare the performance of various intrusion detection algorithms, ultimately contributing to the advancement of cybersecurity measures and practices.

4.1.3. Kaggle DDoS

In the realm of DDoS detection research, the unavailability of a perfectly tailored public dataset exclusively dedicated to DDoS scenarios has prompted researchers to employ innovative methodologies. Addressing this challenge, Prasad et al. (2019) undertook a meticulous process to curate a Kaggle DDoS dataset, amalgamating data from various public IDS datasets, namely CSE-CIIDS2018, CICIDS2017, and CICDoS 2016 datasets. Each of these IDS datasets provides a distinct perspective on DDoS activities, incorporating diverse attack scenarios and traffic patterns.

The extracted DDoS flows are not limited to a single temporal snapshot. Instead, data is drawn from IDS datasets produced in different years, offering a longitudinal perspective on the evolution of DDoS attacks. Additionally, the inclusion of DDoS flows generated using different experimental traffic generation tools enhances the dataset’s comprehensiveness.

The inclusion of “Benign” flows is pivotal as it provides a baseline for comparison, enabling a more nuanced understanding of DDoS-induced anomalies. This comparative analysis is essential for the development of effective intrusion detection models capable of discerning malicious
activities from routine network behavior. Fig. 5 illustrates the data distribution of Kaggle DDoS. The Kaggle_DDoS⁴ dataset emerges as a strategic response to the limitations in the availability of dedicated DDoS datasets.

⁴ https://www.kaggle.com/datasets/devendra416/ddos-datasets/data.

Fig. 4. CICIDS2018 data distribution.

Fig. 5. Kaggle DDoS data distribution.

4.2. Evaluation metrics

The efficacy of our proposed model is meticulously assessed through a comprehensive set of performance metrics, each offering distinct insights into the model’s capabilities. The chosen metrics, namely precision, recall, F1-Score, and accuracy, are derived from a fundamental set of measures: true positives (TP), true negatives (TN), false positives (FP), and false negatives (FN). This evaluation framework is widely acknowledged in the academic domain and has been extensively utilized to gauge the performance of various models in diverse contexts (Powers, 2011). The essential performance metrics are computed as follows:

$$\mathrm{TPR} = \frac{TP}{TP + FN} \qquad (1)$$

$$\mathrm{FPR} = \frac{FP}{FP + TN} \qquad (2)$$

$$\mathrm{Precision} = \frac{TP}{TP + FP} \qquad (3)$$

$$\mathrm{Recall} = \frac{TP}{TP + FN} \qquad (4)$$

$$\text{F1-Score} = 2 \times \frac{\mathrm{Precision} \times \mathrm{Recall}}{\mathrm{Precision} + \mathrm{Recall}} \qquad (5)$$

$$\mathrm{Accuracy} = \frac{TN + TP}{TN + TP + FN + FP} \qquad (6)$$

Here, TP, TN, FP, and FN represent true positives, true negatives, false positives, and false negatives, respectively. These metrics collectively form a robust framework for evaluating the model’s performance across different facets.

In binary classification, the True Positive Rate (TPR), also known as sensitivity or recall, and the False Positive Rate (FPR) are pivotal metrics for assessing the effectiveness of a classification model. TPR is a measure of the model’s capability to correctly identify instances belonging to the positive class, whereas FPR gauges the ratio of instances incorrectly classified as positive to the total number of actual negatives.

The equations encapsulate the intricate relationships among these metrics, providing a quantitative basis for assessing the model’s precision, recall, overall predictive power (F1-Score), and classification accuracy. This evaluation methodology, based on foundational metrics, not only facilitates a nuanced understanding of the model’s strengths and limitations but also aligns with established practices in the field of model evaluation (Powers, 2011).

The experimental findings derived from the proposed DNN model across various datasets, namely CICIDS2018, Kaggle DDoS, and InSDN, underscore a robust and formidable performance in the realm of DDoS attack detection. The model, trained over a course of 30 epochs, manifests commendable proficiency in discerning intricate patterns within each dataset, attaining a noteworthy level of accuracy and minimizing the associated loss.

4.2.1. CICIDS2018 dataset

• Training Dynamics: The model exhibits an exemplary capacity to assimilate the intricacies of the CICIDS2018 dataset, achieving a flawless accuracy of 100% on the training set. The concomitant diminution of the loss function over the epochs underscores the model’s adeptness in learning the underlying representations embedded in the training data.
• Validation Proficiency: Generalization to the validation set is discerned through an impeccable accuracy of 100%, reinforcing the model’s ability to transcend the confines of the training set.
Table 3
Performance comparison across datasets.

Dataset Evaluation Metrics Time (in seconds)


Accuracy Loss Recall Precision F1 Score Training Inference

InSDN 99.98% 0.0052 99.98% 99.97% 99.97% 4.00 s 3.37 s


CICIDS2018 100% 0.0000 100% 100% 100% 15.00 s 9.75 s
Kaggle DDoS 99.99% 0.0000 99.99% 99.99% 99.99% 171.00 s 117.09 s

Fig. 6. Model accuracy and loss.

The nominal validation loss further corroborates the model’s proficiency in extending its predictive capabilities to unseen instances.
• Evaluation Metrics: The suite of evaluation metrics, comprising recall, precision, F1 score, training time and inference time, uniformly attains a perfect score of 100%, reflecting a model that excels in both sensitivity and specificity, substantiating its efficacy in DDoS detection within the CICIDS2018 context.

4.2.2. Kaggle DDoS dataset
• Training Prowess: Parallel to the performance on the CICIDS2018 dataset, the DNN model demonstrates remarkable training accuracy of 100%, coupled with a rapid attenuation of the loss function, indicative of a model that rapidly adapts to the nuanced characteristics of the Kaggle DDoS dataset.
• Validation Robustness: The model sustains an elevated validation accuracy of 99.99%, accompanied by a notably low validation loss. This attests to the model’s ability to generalize effectively to instances beyond the training data, thereby fortifying its reliability in practical deployment scenarios.
• Evaluation Metrics: The evaluation metrics, while not reaching a perfect score, maintain a marginal differential, substantiating the model’s exceptional performance in precision, recall, F1 score, training time and inference time, consolidating its position as an adept classifier in the Kaggle DDoS domain.

4.2.3. InSDN dataset
• Training Competence: The DNN model imparts its discriminative capacity to the InSDN dataset, culminating in a commendable training accuracy of 99.98%, accompanied by a gradual attenuation of the loss function. This underscores the model’s acumen in assimilating the distinctive features characterizing the InSDN data distribution.
• Validation Excellence: Validation accuracy of 99.98%, coupled with a judiciously low validation loss, attests to the model’s adeptness in extrapolating learned patterns to previously unseen instances within the InSDN dataset.
• Evaluation Metrics: While maintaining superlative performance across evaluation metrics, it is noteworthy that the training time and inference time, while marginally reduced compared to the other datasets, is indicative of the model’s capability to delineate between benign and malicious activities within the InSDN paradigm.

The DNN model evinces a consistent and formidable performance across diverse datasets, substantiating its mettle as a robust classifier in the domain of DDoS attack detection. The convergence of high accuracy, diminished loss, and superlative evaluation metrics collectively validate the efficacy of the model in real-world scenarios, portraying it as a potent tool for bolstering network security through the identification of DDoS threats. The detailed results of the model performance, including accuracy, loss, evaluation metrics (recall, precision, F1-Score), inference time, and training time, across different datasets are presented in Table 3.

Fig. 6 presents a comprehensive depiction of the training and validation performance metrics across multiple datasets, namely InSDN, Kaggle DDoS, and CICIDS2018. The figure provides a detailed insight into the model’s learning dynamics and generalization capabilities.

For each dataset, the training accuracy, validation accuracy, training loss, and validation loss are illustrated over the course of training epochs in Fig. 6a and 6b. These metrics serve as crucial indicators of the model’s ability to learn from the training data and its performance on previously unseen validation data.

The training accuracy curve showcases the model’s ability to correctly classify instances within the training dataset, while the training loss curve reflects the convergence of the model during training. Simultaneously, the validation accuracy and validation loss curves offer insights into the model’s performance on data not used during training, thereby indicating its generalization capabilities.

The distinct trajectories of these curves for each dataset highlight the dataset-specific intricacies in model learning and performance. Analyzing these curves aids in assessing how well the model adapts to the characteristics of each dataset and whether it is prone to overfitting or underfitting.


Table 4
Comparison of models performance.

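| Reference | Model | Dataset | Accuracy | Loss | Training time (in seconds) | Inference time (in seconds) |
|---|---|---|---|---|---|---|
| AL-Hawawreh et al. (2018) | ADS | NSL-KDD | 92.4% | 8.2 | 194.67 | 5.55 s |
| AL-Hawawreh et al. (2018) | ADS | UNSW-NB15 | 98.6% | 1.8 | 119.03 | 2.25 s |
| Elmasry et al. (2020) | PSO + DNN | NSL-KDD | 96.38% | 0.51 | * | * |
| Elmasry et al. (2020) | PSO + LSTM-RNN | NSL-KDD | 98.18% | 0.39 | * | * |
| Elmasry et al. (2020) | PSO + DBN | NSL-KDD | 99.81% | 0.23 | * | * |
| Elmasry et al. (2020) | PSO + DNN | CICIDS2017 | 97.58% | 0.28 | * | * |
| Elmasry et al. (2020) | PSO + LSTM-RNN | CICIDS2017 | 98.68% | 0.16 | * | * |
| Elmasry et al. (2020) | PSO + DBN | CICIDS2017 | 99.92% | 0.1 | * | * |
| Marvi et al. (2021) | LGBM/PM-Model | CICDDoS2019 | 100% | 0.0038 | <3 mins | * |
| Marvi et al. (2021) | LGBM/LDAP-Model | CICDDoS2019 | 99.98% | 0.0056 | <5 mins | * |
| Marvi et al. (2021) | LGBM/SYN Model | CICDDoS2019 | 99.98% | 0.0023 | <10 mins | * |
| Cil et al. (2021) | DNN | CICDDoS2019_1 | 99.97% | * | * | * |
| Cil et al. (2021) | DNN | CICDDoS2019_2 | 94.57% | * | * | * |
| Hnamte and Hussain (2023c) | DCNN | ISCX2012 | 99.79% | 0.0058 | 26 s | 19.50 s |
| Hnamte and Hussain (2023c) | DCNN | Kaggle DDoS - 1 | 99.99% | 0.0002 | 10 s | 7.11 s |
| Hnamte and Hussain (2023c) | DCNN | Kaggle DDoS - 2 | 100% | 0.0000 | 17 s | 11.79 s |
| Hnamte and Hussain (2023c) | DCNN | CICIDS2017 | 99.96% | 0.0015 | 40 s | 29.36 s |
| Hnamte and Hussain (2023c) | DCNN | CICIDS2018 | 100% | 0.0000 | 15 s | 9.91 s |
| Hnamte and Hussain (2023b) | DCNNBiLSTM | CICIDS2018 | 100% | 0.0000 | 202 s | 95.04 s |
| Hnamte and Hussain (2023b) | DCNNBiLSTM | EDGE_IIoT | 99.64% | 0.0080 | 500 s | 219.29 s |
| This study | DNN | InSDN | 99.98% | 0.0052 | 4.00 s | 3.37 s |
| This study | DNN | CICIDS2018 | 100% | 0.0000 | 15.00 s | 9.75 s |
| This study | DNN | Kaggle DDoS | 99.99% | 0.0000 | 171.00 s | 117.09 s |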

* Not available.

Fig. 6 serves as a valuable reference for researchers and practitioners seeking a nuanced understanding of the model’s behavior across diverse datasets, contributing to the interpretability and generalization analysis of the trained model.

Table 3 provides a comprehensive overview of the quantitative performance metrics for the employed model across distinct datasets, including InSDN, Kaggle DDoS, and CICIDS2018. This table encapsulates key evaluation metrics such as recall, precision, F1 score, accuracy, loss, inference time, and training time, facilitating a detailed comparison of the model’s performance on each dataset.

In conjunction with the detailed numerical results presented in Table 3, Fig. 6 serves as a visual counterpart, offering a dynamic portrayal of the model’s learning and generalization patterns during training epochs. This figure encompasses training accuracy, training loss, validation accuracy, and validation loss curves for each dataset, providing insights into the model’s behavior over time. Researchers and practitioners can synergistically utilize both resources to draw nuanced conclusions about the model’s strengths, weaknesses, and its adaptability to distinct data characteristics.

In the context of deploying DL models for intrusion detection within an SDN environment, each of the models, trained on distinct datasets comprising InSDN, Kaggle DDoS, and CICIDS2018, holds potential applicability. However, in pursuit of operational simplicity, a judicious decision has been made to select the model derived from the InSDN dataset, primarily owing to its marginally diminished accuracy performance relative to its counterparts. This deliberate choice is motivated by the overarching goal of optimizing the intricacies associated with model integration into the SDN infrastructure while still harnessing the discerning capabilities of the chosen model for robust detection of DDoS attacks within the SDN paradigm. This strategic alignment aims to balance model efficacy with pragmatic considerations, ensuring a streamlined and effective deployment process tailored to the unique demands of the SDN environment.

Table 4 provides a comparative analysis of various models employed for DDoS attack detection, including the current study. Each entry delineates the reference, model architecture, dataset used, evaluation metrics (accuracy and loss), and time-related metrics (training and inference durations). In comparison to the referenced studies, the proposed DNN model in this study demonstrates competitive or superior accuracy across all datasets. Moreover, the training and inference times are considerably lower, indicating the model’s efficiency. It’s noteworthy that the DNN architecture employed in this study achieves comparable or better results with reduced computational overhead, making it a promising approach for real-time DDoS attack detection in SDN environments.

The efficacy of the DNN model in detecting DDoS attacks has been empirically validated, establishing its practical applicability. With this demonstrated capability, the next imperative step involves the implementation of DDoS attack detection within the SDN paradigm. In pursuit of this objective, our chosen approach involves the utilization of a pre-trained DNN model. This model has been previously trained using the InSDN dataset, a comprehensive and representative dataset for SDN environments.

The integration of the DNN model into the SDN framework is orchestrated through the Ryu controller. The Ryu controller serves as a pivotal component, facilitating seamless communication and coordination between the DNN model and the SDN infrastructure. This strategic amalgamation aims to harness the discriminative capabilities of the DNN model to discern normal network behavior from anomalous patterns indicative of potential DDoS attacks. The utilization of a pre-trained model enhances the efficiency and accuracy of DDoS detection within the SDN ecosystem, offering a sophisticated layer of defense against evolving cyber threats.


4.3. System setup

The system configuration, delineated in the following, establishes the foundational framework for conducting experimental simulations in the realm of SDN. Each parameter in the table contributes to the nuanced configuration and distinctive characteristics of the simulated network. The elucidation of the system setup is as follows:

• Host: The chosen operating system is Ubuntu 22.04.
• Python: Version 3.9.5 of the Python programming language is employed for scripting and executing diverse functionalities within the system.
• CPU/RAM: The hardware infrastructure comprises an Intel i9 10900K processor and 64 GB of DDR4 RAM.
• Emulator: Mininet (https://mininet.org/), a network emulator, is harnessed to instantiate a virtual SDN environment, providing a controlled space for testing and developmental endeavors.
• Controller: Ryu is designated as the SDN controller, assuming responsibility for the orchestration and regulation of network behaviors.
• Number of Controllers: The system integrates two Ryu controllers to augment the managerial and control capabilities of the SDN.
• Number of Switches: Six switches are incorporated into the network configuration to facilitate the routing and forwarding of network traffic.
• Number of Hosts: Each switch accommodates three hosts, aggregating to a total of three hosts in each of the six switches.
• Protocol: OpenFlow serves as the communication protocol between the SDN controller and the switches.
• Visualization: MiniEdit is employed as a visualization tool, offering graphical representation of the network topologies and configurations.
• Traffic Generation: The mgen (https://www.nrl.navy.mil/Our-Work/Areas-of-Research/Information-Technology/NCS/MGEN/) tool is employed for the purpose of generating controlled network traffic within the SDN.
• Port for Controller: The controllers utilize ports 6633 and 6634 for communication with the switches.
• Simulation Duration: The simulation is conducted over a duration of 5 hours.
• Statistics Collection Interval: Network statistics are systematically collected at regular intervals of 40 seconds throughout the simulation.
• Bandwidth Plot Interval: Bandwidth plots are generated at intervals of 30 seconds, contributing to the comprehensive assessment of network performance.
• Number of Topologies: The experimentation encompasses the consideration of six distinct network topologies, each contributing to the diverse scenarios evaluated within the study.

4.4. Network topologies, attacks detection and mitigation

In the context of SDN, network topologies serve as the architectural foundation, defining the interconnection of switches, controllers, and hosts within a given network fabric. This infrastructure is pivotal for orchestrating the communication and behavior of network components. The typical constituents include switches forming the network fabric, controllers managing switch behavior, and hosts facilitating communication through the network. The SDN topology can manifest diverse configurations, ranging from simple structures to intricate arrangements, such as trees, meshes, or hybrids, depending on the specific demands of the network.

In our experimental setup, a network controller instantiated through the Ryu framework assumes the crucial role of orchestrating an SDN network topology. This topology encompasses six switches (switch_1 to switch_6) and hosts (host_1 to host_18). The controller establishes communication with switches, exerting control over packet flow in the SDN infrastructure.

The network controller, implemented as a Ryu application, adeptly handles events and messages from network switches. By defining specific flow rules, the controller governs switch routing, ensuring the directed flow of packets throughout the network in adherence to predefined specifications. The ensuing code snippet illustrates the instantiation and configuration of this network.

The pivotal function, get_topology_data, assumes the responsibility of simulating DDoS attacks by generating a substantial volume of packet-in events. Each packet-in event is emblematic of an attack packet, complete with a randomly assigned source IP address.

In addition, the packet_in_handler function has been meticulously adapted to address these attack packets. Researchers and practitioners can, at their discretion, devise bespoke logic within this function to process the attack packets and execute appropriate actions. These actions may encompass traffic blockade or the initiation of alert mechanisms to signal potential security breaches.

As shown in the following code snippet, the app will generate a large number of packet-in events, running in an endless loop, simulating a DDoS attack. The packet-in events will trigger the packet_in_handler function, allowing you to implement the desired DDoS detection and mitigation mechanisms.

```python
import random

import numpy as np
import tensorflow as tf
from ryu.base import app_manager
from ryu.controller import ofp_event
from ryu.controller.handler import MAIN_DISPATCHER, set_ev_cls
from ryu.lib.packet import ether_types, ethernet, ipv4, packet, tcp
from ryu.ofproto import ofproto_v1_3
from ryu.topology import event

# Define the DNN model path
MODEL_PATH = 'path_to_saved_model.h5'


class DDoSDetectionController(app_manager.RyuApp):
    OFP_VERSIONS = [ofproto_v1_3.OFP_VERSION]

    def __init__(self, *args, **kwargs):
        super(DDoSDetectionController, self).__init__(*args, **kwargs)

        # Load the saved DNN model
        self.dnn_model = tf.keras.models.load_model(MODEL_PATH)

    def create_match(self, datapath):
        # Helper referenced but not shown in the paper; an empty match is assumed
        return datapath.ofproto_parser.OFPMatch()

    @set_ev_cls(event.EventSwitchEnter)
    def get_topology_data(self, ev):
        # Simulate DDoS attack by generating a large number of packet-in events
        num_attacks = 1000  # Number of packet-in events to generate
        datapath = ev.switch.dp  # Switch that has just joined the topology

        for _ in range(num_attacks):
            # Generate random source IP address for the attack packet
            src_ip = (f"{random.randint(1, 255)}.{random.randint(1, 255)}."
                      f"{random.randint(1, 255)}.{random.randint(1, 255)}")

            # Create the attack packet
            pkt = packet.Packet()
            pkt.add_protocol(ethernet.ethernet(ethertype=ether_types.ETH_TYPE_IP))
            pkt.add_protocol(ipv4.ipv4(src=src_ip, dst='1.0.0.4'))
            pkt.serialize()  # Fills pkt.data with the encoded bytes

            # Create a packet-in event
            msg = datapath.ofproto_parser.OFPPacketIn(
                datapath, buffer_id=0xffffffff,
                match=self.create_match(datapath), data=bytes(pkt.data))

            # Call the packet_in_handler to process the attack packet
            self.packet_in_handler(ofp_event.EventOFPPacketIn(msg))

    @set_ev_cls(ofp_event.EventOFPPacketIn, MAIN_DISPATCHER)
    def packet_in_handler(self, ev):
        msg = ev.msg
        datapath = msg.datapath

        pkt = packet.Packet(msg.data)
        eth = pkt.get_protocols(ethernet.ethernet)[0]

        if eth.ethertype == ether_types.ETH_TYPE_LLDP:
            return

        # Extract relevant features from the packet
        ip_hdr = pkt.get_protocol(ipv4.ipv4)
        if ip_hdr is None:
            return  # Not an IPv4 packet, nothing to classify
        tcp_hdr = pkt.get_protocol(tcp.tcp)
        src_ip, dst_ip = ip_hdr.src, ip_hdr.dst
        # Packets without a TCP header (such as the simulated ones) get port 0
        src_port = tcp_hdr.src_port if tcp_hdr else 0
        dst_port = tcp_hdr.dst_port if tcp_hdr else 0

        # Preprocess the features
        preprocessed_features = self.preprocess_features(
            (src_ip, dst_ip, src_port, dst_port))

        # Pass the preprocessed features to the DNN model for prediction
        prediction = self.dnn_model.predict(preprocessed_features)

        # Check if the prediction indicates a DDoS attack
        # (a model with a single sigmoid output is assumed)
        if float(prediction[0][0]) > 0.5:
            self.logger.info("DDoS attack detected: Packet from %s to %s", src_ip, dst_ip)

            # Block the incoming packet from the source
            self.block_source_packet(datapath, msg, src_ip)

            # Add the source IP address to the spoof IP table
            self.add_to_spoof_ip_table(src_ip)

    def preprocess_features(self, features):
        # Extract features from the raw feature vector
        src_ip, dst_ip, src_port, dst_port = features

        # Normalize numerical features
        src_port_normalized = self.normalize_port(src_port)
        dst_port_normalized = self.normalize_port(dst_port)

        # Convert IP addresses to numerical values
        src_ip_numeric = self.ip_to_numeric(src_ip)
        dst_ip_numeric = self.ip_to_numeric(dst_ip)

        # Combine all preprocessed features into a single array,
        # shaped as a batch of one sample for model.predict()
        preprocessed_features = np.array(
            [[src_ip_numeric, dst_ip_numeric,
              src_port_normalized, dst_port_normalized]], dtype=np.float32)

        return preprocessed_features

    def normalize_port(self, port):
        # Normalize port to a range between 0 and 1
        return port / 65535.0  # Assuming port ranges from 0 to 65535

    def ip_to_numeric(self, ip_address):
        # Convert IP address to a numerical value
        ip_parts = [int(part) for part in ip_address.split('.')]
        return sum(ip_parts[i] << (24 - 8 * i) for i in range(4))

    def block_source_packet(self, datapath, msg, src_ip):
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser

        # Blocking incoming packets from the source IP
        match = parser.OFPMatch(eth_type=0x0800, ipv4_src=src_ip)
        actions = []

        # Drop the packet
        inst = [parser.OFPInstructionActions(ofproto.OFPIT_CLEAR_ACTIONS, actions)]
        mod = parser.OFPFlowMod(datapath=datapath, table_id=0, priority=10, match=match,
                                instructions=inst)
        datapath.send_msg(mod)

        # Log the information
        self.logger.info("Blocked incoming packets from source IP: %s", src_ip)

    def add_to_spoof_ip_table(self, src_ip):
        # Add the source IP to your spoof IP table
        # You need to implement this method based on your application's data structure
        # It might involve updating a list, dictionary, or database
        pass
```
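The listing above leaves add_to_spoof_ip_table as a stub and installs one drop rule, with no timeout, per flagged source. One way to fill that stub, as an added example that is not the authors' code: a table that deduplicates detections, ages entries out, caps its size, and reports when so many flagged sources target one destination that further per-source rules stop being useful. SpoofIPTable, its parameters and the action names are assumptions, and the replayed detections are constructed.

```python
"""Bounded, expiring spoof-IP table for the controller's mitigation path.

Added illustration, not code from the paper. SpoofIPTable and its
parameters (capacity, ttl, dst_threshold) are hypothetical names.
"""
import ipaddress
import time
from collections import OrderedDict

BLOCK_SOURCE = "block_source"                # install a per-source drop rule
ALREADY_BLOCKED = "already_blocked"          # rule exists, entry refreshed
PROTECT_DESTINATION = "protect_destination"  # many sources, one target


class SpoofIPTable:
    def __init__(self, capacity=1024, ttl=60.0, dst_threshold=100,
                 clock=time.monotonic):
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        self.capacity = capacity            # upper bound on tracked sources
        self.ttl = ttl                      # seconds an idle entry is kept
        self.dst_threshold = dst_threshold  # flagged sources per destination
        self._clock = clock
        self._entries = OrderedDict()       # src_ip -> (dst_ip, last_seen)
        self._per_dst = {}                  # dst_ip -> live flagged sources

    def __len__(self):
        return len(self._entries)

    def _remove_oldest(self):
        src_ip, (dst_ip, _) = self._entries.popitem(last=False)
        self._per_dst[dst_ip] -= 1
        if self._per_dst[dst_ip] == 0:
            del self._per_dst[dst_ip]
        return src_ip

    def expire(self):
        """Remove entries idle for ttl seconds or more and return their IPs,
        so the caller can delete the matching flow rules."""
        now = self._clock()
        removed = []
        while self._entries:
            _, last_seen = next(iter(self._entries.values()))
            if now - last_seen < self.ttl:
                break                       # the rest were refreshed later
            removed.append(self._remove_oldest())
        return removed

    def add(self, src_ip, dst_ip):
        """Record one detection; return (action, removed_source_ips)."""
        src_ip = str(ipaddress.IPv4Address(src_ip))  # ValueError on bad input
        dst_ip = str(ipaddress.IPv4Address(dst_ip))
        removed = self.expire()
        now = self._clock()
        if src_ip in self._entries:
            first_dst, _ = self._entries[src_ip]
            self._entries[src_ip] = (first_dst, now)
            self._entries.move_to_end(src_ip)
            return ALREADY_BLOCKED, removed
        while len(self._entries) >= self.capacity:
            removed.append(self._remove_oldest())    # evict to stay bounded
        self._entries[src_ip] = (dst_ip, now)
        self._per_dst[dst_ip] = self._per_dst.get(dst_ip, 0) + 1
        if self._per_dst[dst_ip] >= self.dst_threshold:
            return PROTECT_DESTINATION, removed
        return BLOCK_SOURCE, removed


def replay_constructed_flood():
    """Feed constructed detections (not captured traffic) through the table:
    ten distinct flagged sources, all aimed at the 1.0.0.4 target used in
    the listing above, one detection per simulated second."""
    now = [0.0]
    table = SpoofIPTable(capacity=8, ttl=30.0, dst_threshold=5,
                         clock=lambda: now[0])
    actions, evicted = [], []
    for i in range(1, 11):
        now[0] += 1.0
        action, removed = table.add(f"198.51.100.{i}", "1.0.0.4")
        actions.append(action)
        evicted.extend(removed)
    repeat_action, _ = table.add("198.51.100.10", "1.0.0.4")
    now[0] += 100.0                          # flood over, entries go stale
    expired = table.expire()
    return actions, evicted, repeat_action, expired, len(table)


if __name__ == "__main__":
    actions, evicted, repeat_action, expired, remaining = replay_constructed_flood()
    print("actions:", actions)
    print("evicted while full:", evicted)
    print("repeat detection:", repeat_action)
    print("expired after idle period:", len(expired), "remaining:", remaining)
```

In the controller, a BLOCK_SOURCE result would precede the call to block_source_packet, and the IPs returned as removed are the ones whose drop rules can be deleted. Setting hard_timeout on the OFPFlowMod lets the switch age the same rule out on its own.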

The provided code represents a Ryu application designed for the detection of DDoS attacks in an SDN environment. The underlying mechanism relies on a pre-trained DNN model for predicting potential DDoS attacks based on extracted features from incoming network packets. The necessary libraries are also imported, including numpy, tensorflow, and the required Ryu modules. The path to the saved DNN model is defined in the MODEL_PATH variable. The DDoSDetectionController class is defined, which extends the RyuApp class provided by Ryu. The __init__ method initializes the controller and loads the saved DNN model using tf.keras.models.load_model().

The process begins with the instantiation of the SDN topology, where a simulated DDoS attack is emulated by generating a substantial number of packet-in events. Each event encapsulates an attack packet with randomly assigned source IP addresses. The packet_in_handler method processes these events, extracting relevant features from the incoming packets, preprocesses these features, and passes them through the pre-trained DNN model for prediction.

Upon prediction, if the model determines a likelihood of a DDoS attack (prediction > 0.5), the system logs the pertinent information, signaling the detection of a potential threat. At this juncture, the code provides the necessary actions for DDoS attack mitigation.

In the context of detection accuracy, the model’s proficiency in identifying DDoS attacks can be ascertained through the evaluation of the prediction accuracy metric, which is not explicitly presented in the provided code snippet. However, assuming a well-trained DNN model which was shown earlier in the previous subsection, the detection accuracy would be contingent upon the model’s ability to generalize effectively to unseen data.

From a comparative standpoint, the code alludes to the ease of implementing mitigation measures in response to identified DDoS attacks within an SDN framework. The inherent programmability and dynamic control afforded by SDN, coupled with the capabilities of the Ryu controller, facilitate swift and adaptive responses to security incidents. This stands in contrast to traditional networking paradigms where manual reconfiguration and static rule-based approaches may impede the agility required for timely threat mitigation.

4.5. Performance scenario

The attacker gains control over one of the hosts and uses it to launch a DoS attack against another host (the victim). The legitimate traffic comes from a different host, which is neither the victim nor the attacker, and this legal host tries to communicate with the controller in a harmless manner. Despite the fact that the topology created is not a large one, the attacker can generate malicious packet streams that appear to originate from various IP addresses. While the topology is not extensive, the information collected will be helpful in comprehending how DoS attacks function on small to medium-sized networks and will serve as the foundation for future research in this area.

```
# Using scapy tools to send normal traffic
>>> p = IP(dst="1.0.0.9")/ICMP()
>>> r = sr1(p)
Begin emission:
Finished to send 1 packets.
.
.
.
>>> r[IP].src
'10.0.0.4'
```

At first, the performance of the CPU is evaluated when the network is not under attack and generates normal traffic using the Scapy tool.⁵ In this scenario, the hosts transmit packets with equal likelihood, which indicates that there is no clustering of traffic around a specific target. Fig. 7 illustrates the connection between the number of incoming packets received by the controller when the time interval for generating traffic is set to 0.02 seconds. This means that within 0.02 seconds, a batch of packets is generated and sent to the controller from the authentic host.

⁵ https://github.com/scrapy/scrapy/releases.

Fig. 7. CPU utilization: packets in an attack-free scenario.

The utilization of the CPU in relation to the number of incoming “packet_in” requests is depicted in Fig. 8, both with and without the proposed method under the attack scenario. The measurements shown in the figure were taken after the system was established, following the completion of the exchange of ARP requests and replies between the hosts during the initial network setup. During this experiment, the interval for generating regular traffic was set at 0.02 seconds, while the interval for generating attacking traffic was set at 0.005 seconds, which translates to 25% of the traffic being malicious. The Scapy tool was used to generate attacking traffic, with the source IP being spoofed and directed towards the victim host.

Fig. 8. CPU utilization: packets in an under-attack scenario.

When a host receives a large volume of packets, the system’s randomness decreases quickly, causing the CPU utilization to drop below the threshold and allowing for the maximum available CPU resource. This is because all the packets with a spoofed source IP have the victim’s IP address in their destination IP, resulting in less variability in destination addresses. This inverse relationship between IP address variety and CPU utilization is significant. It’s worth noting that if the proposed method was not used, the CPU resources would have initially dropped, but then there would have been some slight enhancements. This improvement would have been possible because of the partial failure of the controller due to high traffic volume, leading to dropped malicious requests or disconnecting the OpenFlow switch to which the attacker is connected. Other reasons could include the overload of the OpenFlow switch tables and the flow rules installed by the controller on the OpenFlow switches, reducing the number of incoming “packet_in” requests from the attacker to the controller. As the attacking traffic continues to be directed towards the controller, the entropy value gradually drops until the end of the attack period. Finally, as the system receives genuine packets after the attack is over, it improves.

We conducted an experiment to assess the effectiveness of the proposed DNN in detecting attacks of varying intensities. The experiments involved generating attack traffic at different rates and measuring the time it took for the DNN to detect the attack. The regular traffic generation interval was kept constant at 0.02 seconds. Fig. 9 shows that higher attack rates led to shorter detection times, likely because the entropy value dropped rapidly in a short period of time. Increasing the attack intervals resulted in a greater number of attacking packets being generated. Fig. 9 shows that when the attack rate is higher, the detection time is shorter. This is because the entropy value drops quickly within a short period of time.

In a different series of experiments, the team evaluated the effectiveness of the proposed solution in maintaining reliable network connections during an attack. They used a packet analyzer tool, Wireshark, to analyze the network’s behavior by examining the exchanged packets. In particular, they filtered out the TCP packets marked for re-transmission, which are packets that are resent due to network congestion or partial failure.

The results are visually presented in Fig. 10, illustrating the TCP packets that were exchanged and subsequently marked for re-transmission within distinct time frames, during both attack-free and under-attack conditions. Initially, the pattern of packet exchange exhibits similarities in both scenarios. However, a notable deviation becomes evident as the attacker instigates a substantial volume of
“packet_in” requests, culminating in a noteworthy surge in the count of packets marked for re-transmission approximately at t = 25 seconds. This conspicuous escalation signifies instances of packet loss or corruption within the network, thereby contributing to heightened latency and a reduction in request processing velocity.

Fig. 9. Attack detection time versus attack rate.

Fig. 10. Exchanged control packets over time.

Furthermore, we conducted an assessment of the effectiveness of the proposed method in shielding the victim host against incoming attack packets. To conduct this evaluation, we conducted an analysis of all packets that were successfully received by the victim host. Fig. 11 provides an inclusive representation of all packets directed towards the victim host, encompassing those originating from both legitimate sources and malicious attackers. In contrast, Fig. 12 selectively presents only those packets initiated by attackers and explicitly aimed at the victim host. This selection was facilitated by employing the Wireshark analyzer, utilizing the destination IP address of the victim host as a filter criterion.

At the beginning of the experiment, the trend in received traffic on the victim host was the same for both the attack-free and attack scenarios, with traffic from both legitimate and illegitimate sources being reported in Fig. 11. However, when the attacker begins to send fake packets at around t = 25 seconds, the number of packets received by the victim host starts to increase.

Fig. 11. Incoming packets to victim from all sources over time.

Fig. 12. Incoming packets to victim from attacker over time.

5. Conclusion

The persistent and escalating threat of DDoS attacks necessitates continuous advancements in defensive strategies to safeguard online services and applications. This manuscript introduces a robust and effective approach to DDoS attack detection and mitigation within SDN
environments through the deployment of DNN-based detection systems. The proposed model has undergone meticulous validation using three diverse datasets — CICIDS2018, InSDN, and Kaggle DDoS datasets — affirming its efficacy in detecting and countering DDoS attacks, as evidenced in the results section.

The application of DNNs in identifying DDoS attacks within SDN environments has demonstrated remarkable potential. DNNs, with their intrinsic capability to meticulously scrutinize network traffic data, unveil intricate patterns indicative of DDoS attacks. This analytical prowess empowers organizations to respond swiftly and precisely to potential threats. The availability of high-caliber datasets, exemplified by the InSDN dataset, emerges as a cornerstone for the development and comprehensive evaluation of robust DNN-based DDoS attack detection systems.

Crucially, our results indicate that CPU availability during Packet-in events under an attack scenario remains almost the same as in attack-free scenarios. This underscores the efficiency and feasibility of the proposed DNN-based model, suggesting that it can handle DDoS attacks without compromising CPU resources, a vital aspect for maintaining network performance.

As DDoS attacks evolve in sophistication, future research should prioritize the refinement of DNN-based detection systems, enhancing their robustness and efficiency to cope with the escalating intricacy of contemporary DDoS attacks. The exploration of hybrid models, seamlessly integrating DNNs with complementary techniques such as traffic profiling or feature selection, holds significant promise for augmenting the precision and efficiency of DDoS attack detection.

Additionally, future research directions should focus on enhancing the scalability and adaptability of DNN-based detection systems to operate effectively within large-scale SDN networks. The development of real-time DNN-based DDoS attack detection systems is also imperative, requiring the innovation of avant-garde algorithms and architectural constructs to operate seamlessly in real-time environments with stringent latency constraints.

Lastly, prospective research endeavors should meticulously evaluate DNN-based detection systems across diverse SDN environments and network topologies, including edge computing, Quality of Service (QoS) paradigms, and IoT networks. Holistic assessments in these domains promise a deeper comprehension of the challenges and attributes of SDN-based network security, facilitating the development of bespoke and laser-focused defense mechanisms against the ever-evolving landscape of DDoS attacks. The marriage of advanced technologies and insightful research endeavors holds the promise of fortifying defenses against the relentless onslaught of DDoS threats in the future.

CRediT authorship contribution statement

Vanlalruata Hnamte: Data curation, Writing – original draft, Conceptualization, Methodology, Formal analysis. Ashfaq Ahmad Najar: Visualization, Literature review, Conceptualization, Validation, Formal analysis. Hong Nhung-Nguyen: Writing – review and editing. Jamal Hussain: Supervision, resources. S. Manohar Naik: Supervision, resources.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability

Data will be made available on request.

References

Agarwal, A., Khari, M., Singh, R., 2021. Detection of DDoS attack using deep learning model in cloud storage application. Wirel. Pers. Commun., 1–21. https://doi.org/10.1007/s11277-021-08271-z.
AL-Hawawreh, M., Moustafa, N., Sitnikova, E., 2018. Identification of malicious activities in industrial Internet of things based on deep learning models. J. Inf. Secur. Appl. 41, 1–11. https://doi.org/10.1016/j.jisa.2018.05.002.
Ali, J., Roh, B.-h., Lee, B., Oh, J., Adil, M., 2020. A machine learning framework for prevention of software-defined networking controller from DDoS attacks and dimensionality reduction of big data. In: 2020 International Conference on Information and Communication Technology Convergence (ICTC), pp. 515–519.
Aljabri, M., Aljameel, S.S., Mohammad, R.M.A., Almotiri, S.H., Mirza, S., Anis, F.M., Aboulnour, M., Alomari, D.M., Alhamed, D.H., Altamimi, H.S., 2021. Intelligent techniques for detecting network attacks: review and research directions. Sensors 21 (21), 7070. https://doi.org/10.3390/s21217070.
Amaizu, G., Nwakanma, C., Bhardwaj, S., Lee, J., Kim, D., 2021. Composite and efficient DDoS attack detection framework for B5G networks. Comput. Netw. 188, 107871. https://doi.org/10.1016/j.comnet.2021.107871.
Banitalebi Dehkordi, A., Soltanaghaei, M., Boroujeni, F.Z., 2021. The DDoS attacks detection through machine learning and statistical methods in SDN. J. Supercomput. 77 (3), 2383–2415. https://doi.org/10.1007/s11227-020-03323-w.
Berman, D.S., Buczak, A.L., Chavis, J.S., Corbett, C.L., 2019. A survey of deep learning methods for cyber security. Information 10 (4), 122. https://doi.org/10.3390/info10040122.
Bhuyan, M., Kalwar, A., Goswami, A., Bhattacharyya, D., Kalita, J., 2015. Low-rate and high-rate distributed dos attack detection using partial rank correlation. In: 2015 Fifth International Conference on Communication Systems and Network Technologies, pp. 706–710.
Chanu, U.S., Singh, K.J., Chanu, Y.J., 2023. A dynamic feature selection technique to detect DDoS attack. J. Inf. Secur. Appl. 74, 103445. https://doi.org/10.1016/j.jisa.2023.103445.
Chouhan, R.K., Atulkar, M., Nagwani, N.K., 2023. A framework to detect DDoS attack in Ryu controller based software defined networks using feature extraction and classification. Appl. Intell. 53, 4268–4288. https://doi.org/10.1007/s10489-022-03565-6.
Cil, A.E., Yildiz, K., Buldu, A., 2021. Detection of DDoS attacks with feed forward based deep neural network model. Expert Syst. Appl. 169, 114520. https://doi.org/10.1016/j.eswa.2020.114520.
Elmasry, W., Akbulut, A., Zaim, A.H., 2020. Evolving deep learning architectures for network intrusion detection using a double PSO metaheuristic. Comput. Netw. 168, 107042. https://doi.org/10.1016/j.comnet.2019.107042.

18
Downloaded from https://iranpaper.ir
https://www.tarjomano.com https://www.tarjomano.com

V. Hnamte, A.A. Najar, H. Nhung-Nguyen et al. Computers & Security 138 (2024) 103661

Elsayed, M.S., Le-Khac, N.-A., Jurcut, A.D., 2020. InSDN: a novel SDN intrusion dataset. Sharafaldin, I., Habibi Lashkari, A., Ghorbani, A.A., 2018. Toward generating a new in-
IEEE Access 8, 165263–165284. https://doi.org/10.1109/ACCESS.2020.3022633. trusion detection dataset and intrusion traffic characterization. In: Proceedings of the
Fatani, A., Dahou, A., Al-Qaness, M.A., Lu, S., Abd Elaziz, M., 2022. Advanced feature 4th International Conference on Information Systems Security and Privacy - ICISSP.
extraction and selection approach using deep learning and Aquila optimizer for IoT INSTICC, SciTePress, pp. 108–116.
intrusion detection system. Sensors 22 (1), 140. https://doi.org/10.3390/s22010140. Swami, R., Dave, M., Ranga, V., 2023. Mitigation of DDoS attack using moving target
Ferrag, M.A., Maglaras, L., Moschoyiannis, S., Janicke, H., 2020. Deep learning for cy- defense in SDN. Wirel. Pers. Commun., 1–15. https://doi.org/10.1007/s11277-023-
ber security intrusion detection: approaches, datasets, and comparative study. J Inf. 10544-8.
Secur. Appl. 50, 102419. https://doi.org/10.1016/j.jisa.2019.102419. Tang, T.A., Mhamdi, L., McLernon, D., Zaidi, S.A.R., Ghogho, M., 2016. Deep learning
Fouladi, R.F., Ermiş, O., Anarim, E., 2022. A DDoS attack detection and countermeasure approach for network intrusion detection in software defined networking. In: 2016
scheme based on DWT and auto-encoder neural network for SDN. Comput. Netw. 214, International Conference on Wireless Networks and Mobile Communications (WIN-
109140. https://doi.org/10.1016/j.comnet.2022.109140. COM), pp. 258–263.
Hnamte, V., Hussain, J., 2021. An extensive survey on intrusion detection systems: Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.A., 2009. A detailed analysis of the KDD
datasets and challenges for modern scenario. In: 2021 3rd International Conference CUP 99 data set. In: 2009 IEEE Symposium on Computational Intelligence for Security
on Electrical, Control and Instrumentation Engineering (ICECIE), pp. 1–10. and Defense Applications, pp. 1–6.
Hnamte, V., Hussain, J., 2023a. DDoS detection using hybrid deep neural network ap- Wei, Y., Jang-Jaccard, J., Sabrina, F., Singh, A., Xu, W., Camtepe, S., 2021. AE-MLP: a
proaches. In: 2023 IEEE 8th International Conference for Convergence in Technology hybrid deep learning approach for DDoS detection and classification. IEEE Access 9,
(I2CT), pp. 1–8. 146810–146821. https://doi.org/10.1109/ACCESS.2021.3123791.
Hnamte, V., Hussain, J., 2023b. DCNNBiLSTM: an efficient hybrid deep learning-based Yan, Q., Yu, F.R., Gong, Q., Li, J., 2016. Software-Defined Networking (SDN) and dis-
intrusion detection system. Telemat. Inform. Rep. 10, 100053. https://doi.org/10. tributed denial of service (DDoS) attacks in cloud computing environments: a survey,
1016/j.teler.2023.100053. some research issues, and challenges. IEEE Commun. Surv. Tutor. 18 (1), 602–622.
Hnamte, V., Hussain, J., 2023c. Dependable intrusion detection system using deep convo- https://doi.org/10.1109/COMST.2015.2487361.
lutional neural network: a novel framework and performance evaluation approach. Yuan, X., Li, C., Li, X., 2017. DeepDefense: identifying DDoS attack via deep learning.
Telemat. Inform. Rep. 11, 100077. https://doi.org/10.1016/j.teler.2023.100077. In: 2017 IEEE International Conference on Smart Computing (SMARTCOMP). IEEE,
Hnamte, V., Nhung-Nguyen, H., Hussain, J., Hwa-Kim, Y., 2023. A novel two-stage pp. 1–8.
deep learning model for network intrusion detection: LSTM-AE. IEEE Access 11, Zainudin, A., Ahakonye, L.A.C., Akter, R., Kim, D.-S., Lee, J.-M., 2022. An efficient hybrid-
37131–37148. https://doi.org/10.1109/ACCESS.2023.3266979. DNN for DDoS detection and classification in software-defined IIoT networks. IEEE
Hussain, J., Hnamte, V., 2021a. Deep learning based intrusion detection system: modern Int. Things J., 1. https://doi.org/10.1109/JIOT.2022.3196942.
approach. In: 2021 2nd Global Conference for Advancement in Technology (GCAT),
pp. 1–6.
Vanlalruata Hnamte received a B.C.A in the year 2009 from Makhanlal Chaturvedi National University for Journalism and Communication, Bhopal, India, and an M.C.A in the year 2011 from Annamalai University, India. He qualified National Eligibility Test and was awarded Lecturership by University Grants Commission in the year 2012. Currently, he is pursuing the Ph.D program from the Department of Mathematics and Computer Science, Mizoram University. His research interests include Artificial Intelligence, Machine Learning, Deep Learning, Network Security, Cyber Security, and Machine Automated Language Translation.

Ashfaq Ahmad Najar is a Ph.D. scholar at the Central University of Kerala, India. He holds an M.Sc. in Information Technology from the Central University of Kashmir, India. He received the Young Researcher Award from the Institute of Scholars (InSc), certified under the Ministry of MSME & Corporate Affairs, Government of India, for his publication on “DDoS Attack Detection using MLP and Random Forest Algorithms.” He is currently a Graduate Student Member at IEEE, and his research interests encompass cybersecurity (DDoS Security), machine learning, deep learning, network security, and software-defined networks.

Hong Nhung-Nguyen received the B.S. degree in information technology and the master’s degree in software engineering from Ha Noi National University, Ha Noi, Vietnam, in 2015 and 2018, respectively. She had pursued the Ph.D. degree in 2023 with the Information Technology Convergence Laboratory, Department of Electronic Engineering, Myongji University (MJU), South Korea, where she was advised by Prof. Yong Hwa-Kim. Since 2016, she has been a Lecturer with the Faculty of Information Technology, Viet Tri University of Industry, Vietnam. Her research interests include machine learning and software engineering.

Jamal Hussain received his M.Sc. and Ph.D. from Tezpur University (TU), Assam, India in the year 1996 and 2000 respectively. Currently he is working as Professor at Department of Mathematics and Computer Science, Mizoram University since 2007. He had conducted more than 30 International Conferences. He had guided ten Ph.D. scholars successfully and completed various project including Applicability of Artificial Neural Network for Intrusion Detection, funded by Department of Information Technology, Ministry of Communication and Information Technology, Govt. of India. His research interests include Mathematical Modelling of Biosystems, Artificial Intelligence, Deep Learning, and Network Security.

Manohar Naik Sugali is currently working as an Assistant Professor in the Department of Computer Science at the Central University of Kerala. With 10 years of teaching experience, he holds an M.C.A. and M.Tech (C.S.E) from Acharya Nagarjuna University, Guntur, India. He has been awarded a Ph.D. from the Department of Computer Science & Technology, Sri Krishnadevaraya University, Anantapuramu, Andhra Pradesh, India. He has published around 15 research papers in international journals and conferences. His current research interests include Cyber Security, Cryptography & Network Security, Intrusion Detection Systems, Pattern Matching Algorithms, Wireless Sensor Networks, and Machine Learning.
