
Intrusion Detection System in Software-Defined Networks Using Machine Learning and Deep Learning Techniques – A Comprehensive Survey

This paper was downloaded from TechRxiv (https://www.techrxiv.org).

LICENSE: CC BY 4.0

SUBMISSION DATE / POSTED DATE: 09-12-2021 / 10-12-2021

CITATION: Ahmed, Md. Rayhan; Islam, Salekul; Shatabda, Swakkhar; Islam, A. K. M. Muzahidul; Robin, Md. Towhidul Islam (2021): Intrusion Detection System in Software-Defined Networks Using Machine Learning and Deep Learning Techniques – A Comprehensive Survey. TechRxiv. Preprint. https://doi.org/10.36227/techrxiv.17153213.v1

DOI: 10.36227/techrxiv.17153213.v1
Intrusion Detection System in Software-Defined Networks Using Machine Learning and Deep Learning Techniques – A Comprehensive Survey

Md. Rayhan Ahmed, Salekul Islam, Senior Member, IEEE, Swakkhar Shatabda, A. K. M. Muzahidul Islam, Senior Member, IEEE, Md. Towhidul Islam Robin
Abstract— At present, the Internet is facing numerous attacks of different kinds that put its data at risk. The safety of information within the network is, therefore, a significant concern. In order to prevent the loss of incredibly valuable information, the Intrusion Detection System (IDS) was developed to recognize the outbreak of a stream of attacks and notify the network system administrator, thereby providing network security. An IDS is an extrapolative model used to classify network traffic as routine or attack. Software-Defined Networks (SDN) is a revolutionary paradigm that isolates the control plane from the data plane, transforming the concept of a software-driven network. Through this data and control plane separation, SDN provides us the opportunity to create a manageable and programmable network, allowing applications in the top plane to access physical devices via the controller. The controller functioning inside the control plane executes network modules and establishes flow rules to forward packets in the switches residing in the data plane. Cyber attackers target the SDN controller to subdue the control plane, which is considered the brain of the SDN because it provides a plethora of functionalities, such as regulating flow control to switches or routers in the data plane below via southbound Application Programming Interfaces (APIs) and business and application logic in the application plane above via northbound APIs, to implement sophisticated networks. However, the control plane becomes a tempting prospect for security attacks from adversaries because of its centralization feature. This paper includes an in-depth overview of the notable published articles from 2015 to 2021 that used Machine Learning (ML) and Deep Learning (DL) techniques to construct an IDS solution to provide security for SDN. We also present two detailed taxonomic studies, of IDS and of ML-DL techniques based on their learning categories, exploring various IDS solutions to secure the SDN paradigm. We have also conducted brief research on a few benchmark datasets used to construct IDS in the SDN paradigm. To conclude the survey, we provide a discussion that sheds light on continuing challenges and IDS issues for SDN security.

Index Terms— Intrusion Detection System, Software Defined Networks, Machine Learning, Deep Learning, Network Security, Attacks.

I. INTRODUCTION

Network security is now one of the most significant concerns with the network's explosive development because it directly influences the interests of the nation, the companies, and the individuals. A modern IDS [1] in the network needs to cope with a substantial quantity of data being generated every second due to the swift expansion of information technology. The progression of the internet and the fast exchange of data bring the threat of increasing cyber-attacks targeting governments and commercial enterprises worldwide at a rapid rate. In response to that threat, the need to develop an intrusion detection system has grown and intensified. An IDS continuously monitors the network by creating a traffic pattern that enables it to detect traffic behavior or patterns that deviate from the normal pattern. Continuous irregular traffic is deemed a threat that can eventually turn into an attack. An IDS examines the network traffic records on computer networks to mark risky events and actions and warns when such an activity is identified. An IDS also assists by detecting external attacks in the network.

According to [2], the worldwide market size for SDN is estimated to rise from USD 13.7 billion in 2020 to USD 32.7 billion by 2025. The emerging SDN architecture [3] provides more flexibility and control than the traditional network architecture by splitting the data plane and the control plane, providing more programmability and flexibility. The significant difference between SDNs and the standard hardware-centric network paradigm is their functionality, which varies according to their architecture. In a traditional hardware-based network, it is challenging to deploy new protocols and required services, since many switches need to be updated or changed with manual configuration, which is error-prone and sluggish. In contrast, SDN is configured automatically along with a centralized authentication process. SDN's improved performance is based on dynamic global control and cross-layer information, whereas a traditional network is static with limited information within it [4]. Nevertheless, it is necessary to preserve a satisfactory security level alongside the versatility and manageability of the SDN architecture. In addition to the classical IDS and Intrusion Prevention System (IPS), an IDS incorporated with the SDN paradigm provides an additional security level due to the unique programmability feature of SDN. With the rapid development of ML- and DL-based applications in numerous network paradigms, IDS based on ML-DL is gaining much popularity for automated threat and intrusion detection within a network. Supervised and Unsupervised Learning schemes of ML and DL methods enable the IDS to distinguish both known and unidentified attacks by training the model with improved accuracy. In the literature, a number of IDSs have been developed in the SDN paradigm by adopting various ML and DL algorithms. However, there is a shortage of in-depth, comprehensive surveys that summarize the recent ML- and DL-based development of IDS within SDN and map each study to a specific IDS domain. Table I presents a comparative analysis of
this survey with previous surveys. We believe it is really important for a study covering IDS solutions in SDN to provide a detailed study of various IDS mechanisms.

To detect and prevent attacks in SDN, a taxonomic study of IDS can play a pivotal role for a developer designing a robust ML-DL-based IDS solution for the SDN paradigm, by providing IDS domain knowledge about the anomaly-based, misuse-based, host-based, and network-based IDS mechanisms, covering the statistical analysis, log-data analysis, flow rules matching, expert-system development, pattern matching, packet inspection, session data analysis, and time-series-based subdomains. One of the significant factors in developing any ML-DL-based IDS in SDN is the appropriate choice of datasets. There is an apparent lack of study of the datasets used in ML-DL-based IDS-SDN research in the surveys mentioned above. Refs. [5], [6] provide a brief study of some of the commonly used datasets in developing IDS solutions. However, those surveys are not specific to providing solutions for SDN, nor do they provide a comparative summary among those datasets that differentiates each dataset from the others in terms of data collection format, labeling, type of addressed attacks, number of features, utilized network and topology, etc.; instead, they are very generic, leaning towards the traditional network-based IDS solution. Besides, no other survey paper reviews shallow ML, DL, Reinforcement Learning (RL), and Ensemble Learning (EL) mechanisms specific to providing IDS solutions in SDN in a single survey paper. Some notable surveys [6]–[9] provide a state-of-the-art review of ML-DL-based IDS. However, those lean towards the generic network-based IDS solution, not specific to SDN, which is the primary field of this study. Therefore, this survey paper aims to review the state-of-the-art shallow ML-based, DL-based as well as RL-based and ensemble models for developing IDS in SDN architecture over the last six years following a taxonomic structure. The major contributions of this paper are enumerated below:

• A comprehensive survey of existing IDS in SDN that use different ML and DL techniques is carried out. The existing works are then broadly categorized into ML, DL, RL and ensemble-based models. In each category, the existing solutions are compared based on the algorithms for building the IDS solution, the dataset used, core feature selection, SDN controller, and the attack classification type along with the attack names.
• Two taxonomies, a taxonomy of IDS and a taxonomy of ML-DL algorithms utilized in IDS, are developed. Using these two taxonomies, a summary and comparison of existing IDS solutions in SDN are also presented.
• The available benchmark datasets used to construct IDS in the SDN paradigm are reviewed and a comparative study is presented among them by highlighting their metadata, attack types, features, format, label, network, topology, and class balance issue; the reviewed papers are also categorized along with their model evaluation metrics.
• Open issues and challenges in designing ML-DL-based IDS for SDN are also identified.

The organization of this survey is visually presented in Fig. 1. The rest of the paper is organized as follows: Section II discusses SDN, the OpenFlow (OF) architecture, and various applications of SDN. Section III provides a taxonomic study of IDS. In Section IV, we provide a taxonomic discussion of the AI-based IDS approaches. In Section V, we discuss some frequently used ML-based IDS approaches in SDN and review existing literature adopting these approaches. Section VI provides a literature review of some of the frequently used DL-based IDS approaches in SDN, along with a brief study of the leveraged DL-based algorithms. In Section VII, we review hybrid mechanism-based IDS approaches in SDN. In Section VIII, we review ensemble-based IDS approaches in SDN. Section IX provides a taxonomic summary of all the reviewed articles of this survey. Section X provides a brief study of the frequently used datasets in IDS research along with their attack mechanisms. In Section XI, we discuss some of the research issues and underlying challenges in developing IDS solutions for SDN. Finally, we conclude the survey in Section XII. The acronyms used throughout the paper are listed in Table II.

TABLE I
COMPARISON WITH OTHER SURVEYS (✓: ADDRESSED, X: NOT ADDRESSED). THE LAST FIVE COLUMNS COVER THE STUDY OF AI-BASED APPROACHES FOR SDN-BASED IDS.

| Ref. | Year | Discussion of SDN architecture | Discussion of OpenFlow procedure | IDS-based taxonomic study | ML-DL-based taxonomic study | Number of reviewed papers using ML and DL to develop IDS solution (SDN-specific) | Discussion of datasets in the reviewed papers | Shallow ML | Deep Learning | Reinforcement Learning | Hybrid Mechanism | Ensemble Learning |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| [10] | 2017 | ✓ | x | ✓ | ✓ | 5 | x | ✓ | ✓ | x | x | x |
| [7] | 2018 | x | x | x | x | Not Applicable | x | ✓ | x | x | ✓ | x |
| [11] | 2018 | ✓ | ✓ | x | ✓ | 16 | x | ✓ | ✓ | x | x | x |
| [6] | 2019 | x | x | ✓ | ✓ | Not Applicable | x | ✓ | ✓ | x | ✓ | x |
| [12] | 2020 | ✓ | x | x | x | 17 | x | ✓ | ✓ | x | x | x |
| [13] | 2020 | ✓ | x | x | ✓ | 13 | x | ✓ | ✓ | x | ✓ | x |
| [14] | 2020 | ✓ | x | x | x | 30 | x | ✓ | ✓ | x | x | x |
| [15] | 2021 | ✓ | ✓ | x | x | 9 | x | ✓ | x | x | x | x |
| [5] | 2021 | x | x | x | x | 4 | ✓ | x | ✓ | x | ✓ | x |
| [16] | 2021 | ✓ | x | x | ✓ | 79 | x | ✓ | ✓ | x | ✓ | ✓ |
| [9] | 2021 | x | x | x | ✓ | Not Applicable | ✓ | ✓ | ✓ | x | x | x |
| This paper | - | ✓ | ✓ | ✓ | ✓ | 92 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

TABLE II
LIST OF SOME IMPORTANT ACRONYMS

| Acronym | Meaning |
|---|---|
| IDS | Intrusion Detection System |
| SDN | Software Defined Networks |
| ML | Machine Learning |
| DL | Deep Learning |
| IPS | Intrusion Prevention System |
| RL | Reinforcement Learning |
| OF | OpenFlow |
| VoIP | Voice over Internet Protocol |
| ICMP | Internet Control Message Protocol |
| MPTCP | Multi-Path Transmission Control Protocol |
| SSH | Secure Shell Protocol |
| IMAP | Internet Message Access Protocol |
| NFV | Network Function Virtualization |
| DBM | Detection-Based Method |
| DSBM | Data Source-Based Method |
| ABM | Anomaly-Based Method |
| MBM | Misuse-Based Method |
| NBM | Network-Based Method |
| HBM | Host-Based Method |
| AI | Artificial Intelligence |
| SL | Supervised Learning |
| UL | Unsupervised Learning |
| ANN | Artificial Neural Network |
| Bi-RNN | Bi-directional Recurrent Neural Network |
| CNN | Convolutional Neural Network |
| DT | Decision Tree |
| ID3 | Iterative Dichotomiser 3 |
| DNN | Deep Neural Network |
| KNN | K-Nearest Neighbor |
| LR | Logistic Regression |
| SOM | Self-Organizing Map |
| SVM | Support Vector Machine |
| RNN | Recurrent Neural Network |
| RBM | Restricted Boltzmann Machine |
| MLP | Multi-Layer Perceptron |
| NB | Naive Bayes |
| MDP | Markov Decision Process |
| RF | Random Forest |
| FSLC | Few Shots Learning Classifier |
| FCM | Fuzzy C-Means |
| BCI | Bienaymé-Chebyshev Inequality |
| CART | Classification and Regression Trees |
| REPTREE | Reduced Error Pruning Tree |
| LSTM | Long Short-Term Memory |
| Bi-LSTM | Bidirectional Long Short-Term Memory |
| KM | K-Means |
| GAN | Generative Adversarial Network |
| GRU | Gated Recurrent Unit |
| AE | AutoEncoder |
| SAE | Stacked AutoEncoder |
| VAE | Variational AutoEncoder |
| DBN | Deep Belief Network |
| HMM | Hidden Markov Model |
| XGBoost | Extreme Gradient Boosting |
| AdaBoost | Adaptive Boosting |
| PCA | Principal Component Analysis |
| LVQ | Learning Vector Quantization |
| SD-IoT | Software Defined Internet of Things |
| Src/Dst | Source/Destination |
| NMAP | Network Mapper |
| DoS | Denial of Service |
| DDoS | Distributed Denial of Service |
| U2R | User to Root |
| R2L | Remote to Local |
| XSS | Cross Site Scripting |
| DQN | Deep Q Network |
| PPO | Proximal Policy Optimization |
| TMANET | Tactical Ad hoc Mobile Network |
| TPR | True Positive Rate |
| FAR | False Alarm Rate |
| DDPG | Deep Deterministic Policy Gradient |
| DPI | Deep Packet Inspection |
| IoMT | Internet of Medical Things |
| DRL | Deep Reinforcement Learning |

II. SOFTWARE-DEFINED NETWORKS (SDN)

Due to the rapid changes of information structure from one place to another, governments and commercial organizations change their network configuration as per the requirements of the fast-changing network paradigm on the internet. The intricate routine network creates an obstacle for many data centers to apply new services and connect various data centers with organizations. This is where SDN comes to aid. The SDN architecture empowers the system to be centrally controlled and programmed using software applications rather than changing the structure of physical appliances [11]. The goal of SDN can be defined as improving network functions by allowing corporations as well as service providers to adapt rapidly to evolving market demands. The control plane is physically separated from the data plane, and it can intelligently control network resources. This intelligent network control is established when SDN decouples the network setup and traffic engineering from their underlying hardware infrastructure.

SDN separates network controller and data plane/switch activities with a protocol that updates forwarding tables in network switches. This enables on-the-fly network optimization and rapid response to changes in network traffic without the need for manual reconfiguration of the current infrastructure or the purchase of new devices. SDN removes the control of network devices from the data they transmit and switches to software applications, residing outside of the networking devices (hardware) that offer physical connectivity, to regulate the behavior of the network. The logically centralized SDN controller is a software entity that plays the central management role and does the job of flow management [17]. In a typical SDN outline, packet handling protocols are sent from a controller to the switch. An application program executing somewhere on a server and the switches request supervision from the controller when required, to provide it with traffic information that they manage. Controllers and switches typically interact through the OpenFlow [18] interface. There are three stages or layers in the SDN architecture, which are shown in Fig. 2.
Fig. 1. Pictorial representation of the organization of this survey.

Data (Infrastructure) layer: It resides in the bottom layer of the SDN paradigm. It is comprised of physical switches, virtual or software-based switches, routers, and access points. Software-based switches work on a variety of operating systems, including Linux. Some of the common virtual switches are Open vSwitch [19], Pantou [20], Indigo [21], and Nettle [22]. Physical switches are hardware-based, such as NetFPGA [23] and multiple vendor switches. Some of the NetFPGA-based implementations are [24], [25]. The functions the data layer performs are dispatching, rejecting, and transforming data according to the rules or policies provided by the control layer. The SDN data plane has a variety of devices that lack intelligence; they simply carry out the controller's instructions or rules [26], [27].

Fig. 2. Block diagram of a three-layered SDN architecture.

Control layer: The principal logical controller is the crucial unit of the control plane that facilitates overall SDN functionalities. The controller manages the entire traffic flow and is completely responsible for routing, sending, and dropping packets by programming [28]. Some of the common OpenFlow-based SDN controllers extensively used by researchers are Ryu [29], POX [30], NOX [31], OpenDayLight [32], Floodlight [33], and ONOS [34]. This layer controls the exchange of data between different applications and the dispatching devices.

Application layer: It is a pool of business applications. The application plane contains one or more modules, each managed solely by the SDN controllers over a resource collection [35]. Note that a typical IDS application is deployed in this layer, though other studies have placed the IDS module in the control layer as well [36], [37]. Network security, mobility management, access control, load balancing, firewall implementation, quality of service, and cloud integration are some examples of applications that the application layer deals with, as shown in Fig. 2. The main function of this layer is to perform the required optimization for business network services. The following subsections cover the workflow and applications of SDN.

A. Workflow of OpenFlow Based Switching

OpenFlow (OF) is a standard managed by the Open Networking Foundation (ONF) [38]. OF is a protocol that enables programmability of the data forwarding plane. The workflow of OF-based switching is governed by the flow table, which stores a list of flow entries sorted by the priority of the
flow, and a secure channel that connects the switch to the controller. The highest-priority flow resides at the top of the table. An entry in the flow table consists of rules (matching fields), priority, counters, actions, timeouts, cookie, and flags [38], as shown in Fig. 3. The flow rules are applied to a corresponding flow [39], one entry per flow. The rule (matching fields) consists of an algorithm that can be used for exact or wildcard matches against the information about the packet header that defines the flow. The information consists of the ingress ports where OF packets are received, packet header fields such as IP/MAC address of source/destination (src/dst) and VLAN, switch port, etc., and metadata from the previous table. The priority field defines the matching priority of the flow entry to process the rules. When a packet is matched with the rules, the highest-priority flow entry that matches the packet is selected and the counter is updated. When a switch finds a match according to the order of the flow priorities, it applies the action, which defines the packet handling process (e.g., forward packets to ports/controller, drop, modification of source and destination IP/MAC address, etc.) to the matching packet. If it does not find a match, it performs the default operation for the packet, which is to transfer it to the controller. The maximum amount of time or inactive time before the switch expires a flow entry is defined as a timeout. Cookies are the flow entry identifiers specified by the OF controller. Flags change the way flow entries are managed by the controller. A brief workflow procedure of an OF switch scenario in SDN is presented in a stepwise manner in Fig. 4. Flow tables of an OF switch are numbered sequentially, starting from zero (0). The packet is first matched against flow entries in flow table 0, which is the first flow table. If the flow entries do not match the packet, then the packet is forwarded to the flow table with the larger number.

Fig. 3. Anatomy of the flow tables of OpenFlow-based switches.

Fig. 4. Workflow procedure of OpenFlow-based switches.

B. Networking Applications Based on SDN

For a long time, the SDN research community has proposed and analyzed several network applications. These applications can be assembled into network management, inter-domain routing, traffic engineering, SDN security, virtualization of networks, load balancing of application servers, and control of network access [18]. In the following subsections, some of them are briefly described.

1) Traffic Engineering and Network Management

Successful network management needs knowledge of the network's current state and prompt adjustment in the control area of the network. Authors in [40] proposed a multi-protocol label switching traffic engineering network, based on SDN
architecture that follows a new smart and complex paradigm of bandwidth allocation. The architecture handles the Quality of Service (QoS) and routing with QoS restrictions. They assessed the performance of their network by increasing packet loads on HTTP, VoIP, video, and ICMP traffic. To precisely manage the network, the network's present status and the flow of information throughout the network need to be known. In [41] the authors used the network data obtained by the principal controller to increase the capacity of the network and lessen packet failures. Specifically, they concentrate on the case where SDN is gradually integrated into a current network. Also, the partial deployment optimization problem in the field of traffic engineering is formulated by the SDN controller. In [42] the authors discussed the user-responsive interfaces of the SDN-based paradigm. The article presents an interface to the OF network to remotely manage the network, titled OMNI. It enables the administration of OF-based networks, which is challenging due to a large number of configuration variables and various configuration management choices. OMNI watches and configures dynamic flow formation.

Yu et al. proposed OpenSketch [43], a traffic measurement architecture of SDN which is described by applications designed to support more personalized and complex measurements while maintaining the precision of the SDN measurement by separating the data plane from the control plane. The authors suggest a 3-stage data plane framework consisting of counting, hashing, and filtering that can be designed to accommodate a wide variety of measurement tasks such as traffic change identification, delay measurement, flow size distribution assessment, etc. OpenSketch distinguishes the capacity of the data plane by associating many tasks of the control plane, constructing and allotting various computation tasks to accomplish this purpose.

2) MiddleBox/Load Balancing

To generate improved middlebox-based services such as load balancing, SDN solutions can be utilized. In [44], the authors have used Multi-Path TCP (MPTCP) to allocate traffic around various routes in a WAN operated by OF. On one side, MPTCP can change the load balance with regard to the load on the path from flows of different traffic, whereas the OF software selects the best routes that can be used by diverse sub-flows of TCP and compels them to OF-based switches. The authors in [45] proposed a method called MiceTrap. It controls the flow aggregation power offered by OF for managing the number of mice flows and implements a weighted routing algorithm that can accomplish better load balancing.

3) Inter-Domain Routing

Currently, the inter-domain routing method poses several serious issues, primarily due to its highly decentralized model. In [46], the authors suggest an inter-domain routing approach using the NOX [31]-OF infrastructure, initially developed for routing in business networks only. In [47], the authors proposed a framework made on top of Mininet [48] and the Quagga routing suite [49] that uses the centralization functions of SDN to linearly lessen the border gateway protocol's convergence time as well as churn rates. Authors in [50] suggested a method for optimizing the route in an SDN-based setting. Route optimization was based on different constraints such as bandwidth, flow operations, and the number of domains available while a mobile node travels through the SDN-based structure.

4) Access Control and Network Security

The invention of SDN provides a distinctive potential to commendably identify as well as cover security challenges in home-based and office-based networks. In [51], the authors incorporate multiple traffic anomaly identification methods utilizing OF-based switches and NOX controllers to resolve system security concerns in home-based and office networks. Studies showed that the SDN-based approach was much more reliable in terms of recognizing various types of fraudulent activity than the internet service provider driven method. In [52], the authors suggest an OF-based "Resonance" scheme that offers complex access management policies to enforce network access control in network components. It helps switches to take action, such as dropping packets, to implement increased security policies. Identification and protection against DoS and DDoS attacks have been studied many times in the field of SDN. In [53], the authors detected DDoS attacks by calculating the occurrence of the flow of traffic. When the occurrence of the stream exceeds the stated level, it is presumed that there is a DoS attack. In such instances, the SDN controller instructs the switches to drop those packets which are part of the malicious stream to minimize the impact of the attack.

5) Network Virtualization (NV) Based on SDN

In certain ways, NV and SDN are strongly interlinked [54]. However, due to the many connected elements in a network and their complex communication structure, NV and SDN integration is a challenging task. In [55] the authors presented a software-defined network virtualization (SDNV) framework that combines SDN and NV. The SDNV model blends the SDN concept of data and control plane isolation with the NV principle of converging operation functions from services and infrastructure, thereby offering a simple, broader picture of SDN and NV integration.

In [56], the authors suggest a hierarchical policy-based architecture named PANE that produces flow-specific inputs from virtualized specifications and reveals an API via a northbound interface which could be utilized to query a virtual network. The framework is capable of identifying conflicts whenever there is a requirement for a new virtual network.
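As an added illustration (not code from the survey or from any OpenFlow switch or controller), the following Python model walks through the flow-table lookup of Section II-A (priority ordering, exact and wildcard matching, counters, numbered tables, table-miss to the controller, idle timeouts) and the mitigation step of Section II-C, in which the controller pushes a higher-priority drop entry for a source the IDS has reported, of the kind [53] describes. The header-field names, action strings and IP addresses are constructed for the example.

```python
"""OpenFlow-style flow-table pipeline (Section II-A) plus the controller-side
mitigation step of Section II-C (installing a drop rule after an IDS alert).
Added, self-contained model; not code from the survey or any OpenFlow
implementation. Field names, action strings and addresses are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "*"  # wildcard: this match field accepts any value


@dataclass
class FlowEntry:
    match: Dict[str, str]   # match fields: header field -> exact value or ANY
    priority: int           # higher value is checked first
    action: str             # "forward:<port>", "goto:<table>" or "drop"
    cookie: int = 0         # controller-chosen identifier for the entry
    idle_timeout: int = 0   # idle seconds before the switch expires it; 0 = never
    packet_count: int = 0   # counter updated on every match
    last_used: int = 0

    def matches(self, pkt: Dict[str, str]) -> bool:
        # Exact match on every named field; wildcard fields accept anything.
        return all(v == ANY or pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry, now: int) -> None:
        entry.last_used = now
        self.entries.append(entry)
        # The highest-priority entry sits at the top of the table.
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt: Dict[str, str], now: int) -> Optional[FlowEntry]:
        for entry in self.entries:  # first hit is the highest-priority match
            if entry.matches(pkt):
                entry.packet_count += 1
                entry.last_used = now
                return entry
        return None

    def expire(self, now: int) -> int:
        """Remove entries idle for at least their idle_timeout; return the count."""
        before = len(self.entries)
        self.entries = [e for e in self.entries
                        if e.idle_timeout == 0 or now - e.last_used < e.idle_timeout]
        return before - len(self.entries)


class OFSwitch:
    def __init__(self, n_tables: int = 2) -> None:
        self.tables = [FlowTable() for _ in range(n_tables)]
        self.sent_to_controller: List[Dict[str, str]] = []

    def process(self, pkt: Dict[str, str], now: int) -> str:
        table_id = 0  # matching always starts at flow table 0
        while True:
            hit = self.tables[table_id].lookup(pkt, now)
            if hit is None:  # table-miss: default action is to send to the controller
                self.sent_to_controller.append(pkt)
                return "controller"
            if hit.action.startswith("goto:"):
                nxt = int(hit.action.split(":", 1)[1])
                if nxt <= table_id:  # the pipeline only moves to a larger table number
                    raise ValueError("goto must target a higher-numbered table")
                table_id = nxt
                continue
            return hit.action


def install_drop_rule(switch: OFSwitch, src_ip: str, now: int,
                      cookie: int, idle_timeout: int = 300) -> None:
    """Mitigation step: after an IDS alert the controller pushes a high-priority
    drop entry for the reported source, so the switch blocks it locally."""
    switch.tables[0].add(FlowEntry({"src_ip": src_ip}, priority=1000, action="drop",
                                   cookie=cookie, idle_timeout=idle_timeout), now)


def demo() -> Dict[str, object]:
    sw = OFSwitch(n_tables=2)
    # Table 0 steers web traffic to table 1; table 1 chooses the output port.
    web = FlowEntry({"dst_port": "80"}, priority=10, action="goto:1", cookie=1)
    sw.tables[0].add(web, now=0)
    sw.tables[1].add(FlowEntry({"dst_ip": "10.0.0.5"}, priority=5,
                               action="forward:2", cookie=2), now=0)
    # Constructed packets (header fields only).
    web_pkt = {"src_ip": "10.0.0.1", "dst_ip": "10.0.0.5", "dst_port": "80"}
    ssh_pkt = {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.5", "dst_port": "22"}
    out = {}
    out["web_before"] = sw.process(web_pkt, now=1)    # table 0 -> table 1 -> forward:2
    out["ssh_miss"] = sw.process(ssh_pkt, now=2)      # nothing matches -> controller
    # The IDS reports 10.0.0.1; the controller installs a 300 s drop rule.
    install_drop_rule(sw, "10.0.0.1", now=10, cookie=99)
    out["web_blocked"] = sw.process(web_pkt, now=11)  # priority 1000 beats 10 -> drop
    out["expired"] = sw.tables[0].expire(now=400)     # idle 389 s >= 300 s -> removed
    out["web_after"] = sw.process(web_pkt, now=401)   # forwarding resumes
    out["web_entry_hits"] = web.packet_count          # 2: not counted while dropped
    out["controller_queue"] = len(sw.sent_to_controller)
    return out
```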
C. IDS in SDN – Concept An anomaly is simply a suspicious event from the standpoint
The goal of the IDS is to inspect traffic from the network, of security [63]. The crucial point of ABM is the settings of a
monitor irregular traffic regarding unusual behavior or trends, standard behavior profile. Any behavior, which deviates beyond
and notify the network administrator. The ML-DL-based IDS the standard profile, can be treated as uncommon behavior. The
implementation in SDN can be divided into three key steps: anomaly detection has robust generalized nature and can identify
attack identification, reporting, and mitigation [57]. In the attack unidentified attacks. Drawbacks are excessive wrong alert levels
identification step, the IDS module collects data, and using the and incapability in offering probable causes for an irregularity in
ML-DL-based model; it detects the attack in SDNs. The the system [6].
reporting step occurs when the IDS module sends an alert to the MBM is also referred to as signature-based detection method.
controller regarding the detected attacks, as shown in Fig. 5. In The primary intuition of MBM is to characterize attack
the mitigation step based on the received alert from the IDS procedures as signatures. It saves each attack procedure in its
module, the controller can change the flow rules for incoming database and checks each new signature sample with the
packets and transfer those rules to the OF-based switches to previously stored signatures to detect misuse. One of the benefits
block the corrupted network traffic. Within that OF-based of this system is that it has a low incorrect warning rate and
switches, the changed flow rules are saved indefinitely. An ideal defines the attack natures with the cause in detail. One of the
IDS must-have features include high precision, improved performance, fault tolerance, speed, low memory consumption, and robustness [58]. In the next section, we provide a taxonomic study of the different domains of IDS.

Fig. 5. A high-level view of the deployment of IDS in SDN architecture.

III. IDS TAXONOMY
Whenever someone attempts to obtain unauthorized information or to harm the system, it is defined as an intrusion. We need an effective system that recognizes such abnormal patterns in data traffic and keeps the system secure. The key task of an IDS is to monitor suspicious behavior that goes beyond the normal course of action of every individual host in the network, to raise warnings when such behavior is detected, and to respond to it. A taxonomy of IDS is presented in Fig. 6.
IDS classification approaches are mainly categorized into two parts, namely Detection-Based Methods (DBM) and Data Source-Based Methods (DSBM) [6], [59]–[61]. This survey covers both types of IDS classification in the SDN paradigm, with the DSBM serving as the primary classification criterion and the DBM as the secondary criterion. Regarding DSBM and DBM, the survey focuses on ML- and DL-based IDS solutions. DBM is further categorized into two classes: Anomaly-Based Method (ABM) and Misuse-Based Method (MBM). DSBM is likewise categorized into two classes: Network-based and Host-based [62].
drawbacks is that it needs a large database to store all the signatures; also, this system fails to identify unfamiliar attacks [63]. This strategy works well in general, except when we encounter a novel attack or one that has been purposefully designed not to match previous attack signatures. A large number of studies adopted MBM-based IDS solutions for SDN, such as pattern-matching and expert-system-based MBM IDS solutions [64]–[67]. The pattern-matching technique works by assuming that infected hosts show analogous behavioral patterns which differ from those of benign hosts [68]. Several studies [69], [70] have adopted the pattern-matching technique for developing SDN-IDS solutions. To design a misuse detection system in SDN-enabled infrastructure, an expert system is utilized for decision-making based upon a behavior profile [71], [72]. A comparison between ABM and MBM is presented in Table III.
We can further classify IDS based on the data gathered from different input sources to separate normal from abnormal traffic: Network-Based Method (NBM) and Host-Based Method (HBM). NBM-based IDSs analyze the arrival and departure of traffic to and from nodes in the network and raise alerts if an intrusion is detected [73]. They track extracted network traffic such as packet captures, NetFlow, and other data traffic streams [8]. NBM-based IDSs are capable of detecting particular kinds of protocol-oriented and network attacks [74]. ML approaches have been widely used in the field of NBM-based IDS, particularly in the task of classifying network traffic
[75]. Researchers have explored extensively the possibility of robust NBM-based IDS development using ML and DL approaches in the last decade [63], [76]–[81]. On the downside, an NBM-based IDS only tracks the traffic passing through a particular network segment. Most NBM-IDSs do not process encrypted packets; as a result, encrypted traffic might carry a malicious and unnoticed network breach until more serious intrusions occur. Because NBM-IDS solutions must analyze protocols as the traffic is collected, they can be subject to the same protocol-based attacks that network hosts are vulnerable to [1].
The HBM is an IDS solution that monitors the computer on which it is deployed, inspecting its traffic and logging unwanted and malicious activities. The HBM defends the local machine and serves as a final line of defense, whereas the NBM keeps the network backbone safe and secure [82]. HBM-based IDSs detect unauthorized operations by comparing the current version of the available archives and logs with earlier versions [83]–[86]. HBM-based IDSs monitor log files created by running programs, generating a historical record of events and functions that can be searched for abnormalities and evidence of an intrusion. They also compile the log files and allow a user to organize them in ways that correspond to the directory structure of the designated log file server, so that the files can be searched or sorted in various ways. Numerous studies [82], [85], [87]–[92] have adopted ML- and DL-based algorithms such as SOM, HMM, MDP, KNN, CNN, RNN, and LSTM to design host-based IDSs. The drawbacks of HBM-based IDSs are that they consume host resources and are contingent on host stability, and are therefore not always able to recognize attacks effectively. A host-based IDS cannot provide a complete network security solution by itself. Though monitoring the host seems practical and obvious, there are three major drawbacks: visibility is confined to a single host; the IDS process consumes many resources (memory, file system, CPU, storage, execution of commands and procedures, etc.), potentially affecting host performance; and lastly, attacks are not detected until after they have already reached the host [93]. The primary downside is that it must be deployed on all hosts requiring protection from intrusion, which adds processing overhead to each node and eventually reduces the IDS's performance. A comparison between NBM and HBM is presented in Table IV. A solid business network should ideally include both host-based and network-based IDSs.

TABLE III
COMPARISON BETWEEN ABM AND MBM
Criteria | ABM | MBM
Domain [94] | Machine learning model, time-series-based model, statistical model | Expert system, pattern matching, finite state machine
Efficiency of detection [95] | Depends on the model's threshold | High; detects attacks with a lower degree of false alarms
New attacks [8] | Can detect both known and new attacks | Unable to identify new attack types it has not seen before
Performance metrics [96] | Higher false alarm rate, lower missed alarm rate | Higher missed alarm rate, lower false alarm rate
Scalability [97] | High | Low
Speed [10] | Low | High

Audit logs and system calls are the two primary data sources that may be used for HBM-based IDS solutions. Audit logs are a collection of events generated by the Operating System (OS) while executing specific tasks and operations. In contrast, system calls describe the behavior of each user-critical application executing on the OS. Auditing is a technique that a host uses to identify and record security-related activities. The records of such activities are maintained in audit log files, which typically contain records of all running processes, the memory they consume, and the file systems that these processes use during their execution [98]. The core notion behind using system calls to detect an intrusion is that an abnormality in the running application will also influence how it interacts with the OS.

Fig. 6. Illustration of an IDS taxonomy.
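As an added illustration of the system-call data source just described (example code written for this survey's readers, not taken from the paper or from any of the cited works), the following Python program profiles a daemon's normal behaviour as the set of length-n system-call windows seen in clean traces, then scores each process in an audit stream by the fraction of its windows the profile has never seen. The audit-record format, the process names, the clean traces and the shell-spawning trace are all constructed for the example; only the `syscall=` and `pid=` fields are parsed, and the window length n and the alert threshold are free parameters.

```python
"""Host-based IDS on system-call sequences: added example, not the survey's
code. Normal behaviour is profiled as the set of length-n windows of syscalls
seen in clean traces; a new trace is scored by the fraction of its windows
absent from that set. The audit-record format and all traces are constructed
to imitate a small network daemon; they are not real audit logs."""
import re
from collections import defaultdict

# Hypothetical, simplified audit-record format: only these two fields are parsed.
SYSCALL_RE = re.compile(r"\bsyscall=(\w+)")
PID_RE = re.compile(r"\bpid=(\d+)")


def make_audit_lines(pid, syscalls, t0=1700000000):
    """Construct audit-style records for one process (test data, not real)."""
    return [
        f"type=SYSCALL msg=audit({t0}.{i:03d}:{i}): arch=c000003e "
        f'syscall={name} success=yes pid={pid} comm="netd"'
        for i, name in enumerate(syscalls, 1)
    ]


def traces_from_audit(lines):
    """Group the syscall name of each record by pid, preserving log order."""
    per_pid = defaultdict(list)
    for line in lines:
        s, p = SYSCALL_RE.search(line), PID_RE.search(line)
        if s and p:
            per_pid[int(p.group(1))].append(s.group(1))
    return dict(per_pid)


def windows(trace, n):
    """All contiguous length-n windows of a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class SyscallProfile:
    """Sequence-window profile: windows never seen in training are evidence of intrusion."""

    def __init__(self, n=3, threshold=0.2):
        self.n, self.threshold, self.seen = n, threshold, set()

    def fit(self, traces):
        for trace in traces:
            self.seen.update(windows(trace, self.n))
        return self

    def score(self, trace):
        """Fraction of the trace's windows absent from the profile (0.0 = all seen)."""
        ws = windows(trace, self.n)
        if not ws:                      # shorter than n: nothing to judge yet
            return 0.0
        return sum(w not in self.seen for w in ws) / len(ws)

    def is_anomalous(self, trace):
        return self.score(trace) > self.threshold


# Constructed clean traces of the daemon answering requests (file found / not found).
NORMAL_TRACES = [
    ["accept4", "read", "stat", "openat", "read", "write", "close", "write", "close"],
    ["accept4", "read", "stat", "openat", "fstat", "read", "write", "close", "write", "close"],
    ["accept4", "read", "stat", "write", "close"],
    ["accept4", "read", "read", "stat", "openat", "read", "read", "write", "close", "write", "close"],
]

# Constructed audit stream: pid 4242 serves an ordinary request; pid 4243 is driven
# into spawning a shell (clone/dup2/execve), a pattern the clean traces never contain.
AUDIT_LINES = make_audit_lines(
    4242, ["accept4", "read", "read", "stat", "openat", "fstat", "read", "write", "close", "write", "close"]
) + make_audit_lines(
    4243, ["accept4", "read", "read", "clone", "dup2", "dup2", "execve", "wait4", "close"]
)


def analyse(lines=AUDIT_LINES, n=3, threshold=0.2):
    """Return {pid: (unseen-window fraction, flagged)} for every process in the stream."""
    profile = SyscallProfile(n, threshold).fit(NORMAL_TRACES)
    return {pid: (profile.score(t), profile.is_anomalous(t))
            for pid, t in traces_from_audit(lines).items()}


if __name__ == "__main__":
    for pid, (score, flagged) in analyse().items():
        print(f"pid {pid}: {score:.2f} of windows unseen -> {'ALERT' if flagged else 'ok'}")
```

The benign request of pid 4242 recombines windows from several clean traces and scores 0.0, which is the point of profiling windows rather than whole traces; the shell spawn of pid 4243 scores 6/7. The profile is only as good as the clean traces it was fitted on, so a larger n sharpens detection but also raises the false-alarm rate on legitimate paths that training never exercised, which is the trade-off Table III attributes to anomaly-based methods.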
Log-based IDS uses a host's logs, collected after logging into the machine, as the primary information to detect attacks on a particular environment [99]. This approach's benefits are that it does not require costly hardware and provides visibility into system activity. A log-based IDS typically contains the following components: log file/data collection, pre-decoding, decoding, analysis, and reporting of the consequences of the events [100].

TABLE IV
COMPARISON BETWEEN NBM AND HBM
Criteria | NBM | HBM
Data source | Network traffic | Audit trails, log files, system calls
Domain | Packet parsing, payload analysis, traffic grouping, feature engineering, sequence features, statistical feature analysis | Text analysis, feature engineering
Efficiency of detection | High | Low
Drawbacks | Hard to assess a network with a high volume of measurements | Host-specific; needs to be installed on every host in the system

In a session-based IDS, the network traffic of a specific session is analyzed to detect anomalous traffic. Session-based IDSs, in particular, extract a few fundamental features from the header fields of the incoming packets and take the application-layer payloads within a specific session as features. A record is made up of the header features and payloads of a session. The records are then fed into a supervised or unsupervised ML-DL algorithm, which extracts significant features for categorizing legitimate and malicious network traffic [101]–[103].
Statistical approaches use a statistical function of network traffic parameters to create a profile of regular network traffic. This profile is then used to check previously unseen inbound traffic: statistical metrics measure the similarity of the incoming traffic to the profile of regular traffic, and if the deviation from the profile exceeds a predetermined threshold the flow is classified as malicious, otherwise as benign [1], [104], [105]. In statistical-analysis-based IDS [106], the raw captured packets are evaluated over a period of time, and the variance of the packet header fields is used for behavior profile analysis. Univariate, multivariate, Markov decision model, and time-series analysis are some of the standard statistical approaches in flow-based IDS solution development [104], [107]–[111].
Packet-based analysis examines the whole packet (payload + header) for application-layer data, looking for specific rules or signatures [112], [113]. In high-volume networks, packet-based inspection requires a large amount of memory and CPU time. This is due to the data's low level of abstraction, the high frequency of data arrival, and the possibly large quantity of data per instance [114].
Flow-based IDSs examine just the packet header and do not examine the payload [104]. Flow-based data is the aggregated information of the packets belonging to a flow, so the amount of data to be examined is reduced. A flow record generally includes the IP addresses of the hosts, network ports, protocol, flow priority, several counters, the quantity of data, and the time at which the flow occurred [115]. Hardly any article was found that used expert-system or pattern-matching-based analysis together with ML-DL techniques for deploying IDS solutions in the SDN paradigm. Besides, these are subdomains of the misuse-based method (MBM), which is not part of this survey. This survey focuses on NBM-, HBM-, and ABM-based IDSs adopting ML-DL approaches; therefore, these two types are out of its scope.

IV. ARTIFICIAL INTELLIGENCE BASED APPROACHES
In this section we provide an ML-DL-based taxonomy to review the existing literature on IDS solutions for the SDN environment. Artificial Intelligence (AI) is a broad term for a group of systems that allow machines to emulate intelligent human expertise. AI uses approaches such as ML, DL, and RL to solve real-world problems. Researchers have investigated the use of shallow ML and DL approaches to meet the criteria of an efficient and functional IDS. Both shallow ML and DL fall under the broad umbrella of AI and seek to learn meaningful information from big data. Though DL is a subset of ML, for this survey we review each paper based on whether a traditional/shallow ML or a DL-based method was adopted to develop the IDS solution in SDN. Hence, ML and DL are placed at the same rank in our taxonomy presented in Fig. 7. The way each algorithm learns is where ML and DL differ. In the last decade, there has been an upsurge in the deployment of ML-DL methods in IDS, yielding better performance than traditional IDS systems in fields like SDN, mobile cloud, traffic engineering, and service optimization.
ML-DL methods learn from the knowledge they gather from the data during the training of the model. In general, for IDS, there exist two types of ML-DL algorithms: supervised and unsupervised. In the supervised method, an IDS model attempts to differentiate between regular and malicious traffic patterns, given a set of network flows with labels (normal/malicious) before training [116]. Manually labeling each record is costly as well as time-intensive. Unsupervised ML algorithms, on the other hand, gather vital information or features directly from the unlabeled dataset. Supervised ML-DL methods show much better IDS efficiency than unsupervised ML-DL methods, as observed in the works of previous researchers.
IDS has been using mainstream ML algorithms such as LR, SVM, DT, NB, RF, CART, ID3, KNN, SOM, K-Means, and many more for a long time. Often it is observed that a collection of ML models, supervised and unsupervised, is used in
ensemble to perform a task. An ensemble-learning algorithm may combine one or more different types of algorithms shown in the taxonomy presented in Fig. 7. Major problems with this methodology are the need for available data and for retraining on new data. Often, such models are prone to overfitting and fail to detect unknown attacks.
In the following, we briefly discuss the workflow of ML-DL algorithms.

Workflow of ML-DL Algorithms
Building a system through ML-DL algorithms generally passes through several steps before achieving the outcome. These steps are data collection, data processing, model selection, training, evaluation, parameter tuning, and testing [117]. However, these steps may vary subject to the particular task and the available data and features. The workflow of a typical ML-DL model is presented in Fig. 8.

Data Processing: Collected raw data is generally noisy in nature. It may require some pre-processing tasks like removing duplicate data, identifying anomalies, discarding erroneous data, scaling, normalization, feature engineering, transformations, etc. Besides, the format of the data may need to be converted for some specific ML models. Data processing also enables data visualization to identify biases.

Model Selection: A specific ML-DL method is selected in this step. Results of different ML models can vary significantly, which is why the model should be chosen carefully.

Training: In the training step, the selected ML model learns from the collected data. The aim of this step is to prepare the model to perform well against unseen data.

Evaluation: For the performance measurement of a selected model, various evaluation metrics and sampling techniques are used in this step. The trained model is often tested against unseen data using a separate validation set or k-fold cross-validation. Use of unseen data indicates the likely performance of the model in a practical scenario.

Tuning: Tuning is the process of enhancing a model's performance while avoiding overfitting or excessive variance. In ML, this is achieved by choosing optimal hyperparameters, since the performance of ML models depends on choosing appropriate values of the different hyperparameters. This is often done with hyperparameter search techniques like random search, grid search, neural architecture search, etc.
In the next section we discuss those studies which have used shallow ML-based algorithms to develop IDS solutions specific to SDN.

V. SHALLOW MACHINE LEARNING (ML) MODELS BASED IDS IN SDN
ML models can be trained based on different learning approaches. They can be categorized as Supervised Learning (SL), Unsupervised Learning (UL), and Reinforcement Learning (RL). SL-based models are trained with labeled data, as shown in Fig. 9. In IDS, most intrusion or anomaly detection tasks are handled as classification using SL-based models. UL-based models, on the other hand, gather information from unlabeled data, as shown in Fig. 10. In contrast, RL-based models rely on continuous feedback from a critic based on particular actions. However, in ML-based IDS, RL-integrated models are relatively rare compared to the other two approaches. An ML-DL taxonomy is shown in Fig. 7. The taxonomy reflects the models which are commonly used in IDS.

Fig. 7. Taxonomy of ML-DL algorithms utilized in IDS.
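Before the per-algorithm review, here is an added example of the statistical, flow-based approach of Section III (a profile of regular traffic, a similarity measure, and a fixed threshold), written for this survey's readers rather than taken from the paper or from any cited work. It computes the packet-weighted Shannon entropy of destination IP and of source IP over each window of flow-table records, fits the mean and standard deviation of those entropies on windows of constructed normal traffic, and flags a window whose z-score on either feature exceeds k. The flow-record layout, the host addresses, the window size and k = 4 are assumptions; the port- and address-entropy statistics used by ATLANTIC [129] and by Tuan et al. [144] later in this section follow the same pattern.

```python
"""Statistical, flow-based anomaly detection: added example, not the survey's
code. A profile of regular traffic is the mean and standard deviation of the
per-window Shannon entropy of destination IP and source IP, computed over
flow-table records of the kind an SDN controller polls from its switches; a
window is anomalous when any entropy deviates from the profile by more than
k standard deviations. Every flow record below is constructed."""
import random
from collections import Counter
from dataclasses import dataclass
from math import log2
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow-table entry: match fields plus its packet counter (assumed layout)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    packets: int


def packet_entropy(flows, field):
    """Shannon entropy (bits) of `field` over a window, each flow weighted by packets."""
    counts = Counter()
    for f in flows:
        counts[getattr(f, field)] += f.packets
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def window_features(flows):
    return {field: packet_entropy(flows, field) for field in ("dst_ip", "src_ip")}


class EntropyProfile:
    """Profile of regular traffic; |z| > k on any feature raises an alert."""

    def __init__(self, k=4.0):
        self.k, self.stats = k, {}

    def fit(self, windows):
        rows = [window_features(w) for w in windows]
        for name in rows[0]:
            col = [r[name] for r in rows]
            self.stats[name] = (mean(col), max(pstdev(col), 1e-3))  # floor avoids /0
        return self

    def zscores(self, flows):
        feats = window_features(flows)
        return {n: (feats[n] - m) / s for n, (m, s) in self.stats.items()}

    def is_anomalous(self, flows):
        return any(abs(z) > self.k for z in self.zscores(flows).values())


# Constructed traffic: 16 clients talking to 4 servers, and a SYN flood on one server.
HOSTS = [f"10.0.0.{i}" for i in range(1, 17)]
SERVERS = [f"10.0.1.{i}" for i in range(1, 5)]


def normal_window(rng, n_flows=40):
    return [Flow(rng.choice(HOSTS), rng.choice(SERVERS), rng.choice([53, 80, 443]),
                 rng.randint(1, 20)) for _ in range(n_flows)]


def syn_flood_window(rng, n_flows=200, target="10.0.1.2"):
    """Many spoofed sources, one destination, one packet per flow (a new-flow storm)."""
    return [Flow(f"172.16.{rng.randint(0, 255)}.{rng.randint(1, 254)}", target, 80, 1)
            for _ in range(n_flows)]


def demo(seed=7, train_windows=50):
    """Fit on normal windows, then judge one unseen normal window and one flood window."""
    rng = random.Random(seed)
    profile = EntropyProfile().fit([normal_window(rng) for _ in range(train_windows)])
    normal, flood = normal_window(rng), syn_flood_window(rng)
    return profile, profile.is_anomalous(normal), profile.is_anomalous(flood), profile.zscores(flood)


if __name__ == "__main__":
    profile, normal_alert, flood_alert, z = demo()
    print("profile (mean, std):", {n: (round(m, 2), round(s, 3)) for n, (m, s) in profile.stats.items()})
    print("unseen normal window flagged:", normal_alert)
    print("SYN flood window flagged:", flood_alert, {n: round(v, 1) for n, v in z.items()})
```

The flood collapses destination entropy (every packet goes to one server) while inflating source entropy (spoofed addresses), so both z-scores leave the profile by a wide margin. A flash crowd to a single server also lowers destination entropy, which is why practitioners combine several statistics and set k against a false-alarm budget rather than a round number; and because the profile encodes the population of hosts at fitting time, it must be refitted as the network changes, the "older data dependency" that Afsaneh et al. [146] address below by training on recent data.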
Fig. 8. Workflow of ML-DL based algorithms.

A. Supervised Learning (SL) Based ML Models
In the existing IDS literature in SDN, most researchers performed classification of network traffic using supervised ML models. In SL, the machine is trained with a well-labeled dataset, which aids in the prediction of unseen data, as shown in Fig. 9. It implies that the input data has already been marked with the accurate output label. DT, NB, RF, KNN, and SVM are used more frequently in intrusion detection than other supervised models.

Fig. 9. Supervised Learning (SL) method structure.

Decision Tree (DT)
The DT is a tree-based representation of data and has a structure of nodes. Each node represents a decision to be taken based on features, and the leaf nodes of the tree denote the class label [118]. The route from the root node to the leaf node of a particular class depicts the classification rule.

Naïve Bayes (NB)
The NB classifier is a probabilistic ML model. It assigns probabilities by calculating the frequency or density of the feature values provided by the input dataset, assuming that every feature is conditionally independent given the label [119]. For any labeled data, Eq. 1 can be applied, where $C$ represents the class label and $F_i$ denotes the different attributes or features.

$P(C \mid F_1, \dots, F_n) = \dfrac{P(C)\,P(F_1, \dots, F_n \mid C)}{P(F_1, \dots, F_n)}$   (1)

Support Vector Machine (SVM)
SVM finds a hyperplane to separate the data into two different classes [120]. The points nearest to the separating hyperplane are called support vectors. The goal is to maximize the margin, i.e., the width of the band separating the support vectors selected from both classes. For a binary classification of intrusion versus regular traffic, the SVM decision function can be expressed through Eq. 2.

$F(x) = w^{T} x + b$   (2)

Here, $w = \sum_i \alpha_i y_i x_i$, with $\alpha_i = 0$ for all points except the support vectors lying precisely on the margin, $y_i \in \{1, -1\}$ the labels, and $x_i$ the data points.

K-Nearest Neighbor (KNN)
KNN is an instance-based lazy classifier that performs relatively well without any assumptions about the underlying data [47]. This nonparametric nature is a compelling aspect, as most real-world data do not satisfy fundamental assumptions such as linear independence or a uniform or normal distribution. It is widely used in IDS. With a smaller k, there is a higher chance of overfitting, the model being more complex; with a larger k, the model's fitting capability gets weaker, but the model becomes simpler. The Euclidean, Manhattan, and Minkowski distance functions used by KNN to calculate the distance between two points $P$ and $Q$ with coordinates $(P_i, Q_i)$ in the dataset are shown in Eqs. 3, 4, and 5.

$E(P, Q) = \sqrt{\sum_{i=1}^{k} (P_i - Q_i)^2}$   (3)

$M(P, Q) = \sum_{i=1}^{k} |P_i - Q_i|$   (4)

$MK(P, Q) = \left(\sum_{i=1}^{k} |P_i - Q_i|^{v}\right)^{1/v}$   (5)

Here, $v \in \{1, 2\}$.
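To make Eqs. 3-5 and the workflow of Section IV concrete, the following added example (written for this survey's readers; not code from the paper or from any cited work) implements KNN from scratch with the three distance functions, classifies constructed per-flow statistics of the kind a controller reads from switch counters (packets per second, bytes per packet, duration, distinct destination ports) into normal, port-scan and flood traffic, and carries out the evaluation and tuning steps with k-fold cross-validation and a grid search over k and the distance. The feature names, value ranges and class labels are assumptions; the min-max scaler is fitted on the training fold only, so held-out flows do not leak into the scaling.

```python
"""Supervised flow classification with KNN: added example, not the survey's
code. Implements the distances of Eqs. 3-5, classifies constructed per-flow
statistics into normal / scan / flood traffic, and runs the evaluation and
tuning steps of the ML-DL workflow (k-fold cross-validation, grid search over
k and the distance). Feature names, ranges and labels are assumptions."""
import random
from collections import Counter

# Feature order of every flow vector: pkts_per_s, bytes_per_pkt, duration_s, distinct_dst_ports


def euclidean(p, q):               # Eq. 3
    return sum((a - b) ** 2 for a, b in zip(p, q)) ** 0.5


def manhattan(p, q):               # Eq. 4
    return sum(abs(a - b) for a, b in zip(p, q))


def minkowski(p, q, v=2):          # Eq. 5; v = 1 and v = 2 recover Eqs. 4 and 3
    return sum(abs(a - b) ** v for a, b in zip(p, q)) ** (1 / v)


class MinMaxScaler:
    """Scale each feature to [0, 1]; fitted on the training fold only (no leakage)."""

    def fit(self, X):
        cols = list(zip(*X))
        self.lo = [min(c) for c in cols]
        self.span = [(max(c) - min(c)) or 1.0 for c in cols]
        return self

    def transform(self, X):
        return [[(x - lo) / s for x, lo, s in zip(row, self.lo, self.span)] for row in X]


class KNN:
    """Lazy classifier: 'training' only stores the scaled flows and their labels."""

    def __init__(self, k=3, distance=euclidean):
        self.k, self.distance = k, distance

    def fit(self, X, y):
        self.X, self.y = X, y
        return self

    def predict(self, x):
        nearest = sorted(range(len(self.X)), key=lambda i: self.distance(x, self.X[i]))[:self.k]
        return Counter(self.y[i] for i in nearest).most_common(1)[0][0]


def make_flows(rng, n_per_class=40):
    """Constructed per-flow statistics (not a real dataset) for three traffic classes."""
    X, y = [], []
    for _ in range(n_per_class):
        X.append([rng.uniform(1, 50), rng.uniform(200, 1400), rng.uniform(0.5, 30), 1])
        y.append("normal")            # ordinary client sessions
        X.append([rng.uniform(100, 500), rng.uniform(40, 64), rng.uniform(0.1, 2), rng.randint(100, 500)])
        y.append("scan")              # short, tiny packets, many destination ports
        X.append([rng.uniform(1000, 5000), rng.uniform(40, 60), rng.uniform(5, 60), 1])
        y.append("flood")             # very high packet rate, tiny packets, one port
    return X, y


def cross_val_accuracy(X, y, k, distance, folds=5, seed=0):
    """k-fold CV (the evaluation step): scaler and model see the training fold only."""
    idx = list(range(len(X)))
    random.Random(seed).shuffle(idx)
    correct = 0
    for f in range(folds):
        test = idx[f::folds]
        test_set = set(test)
        train = [i for i in idx if i not in test_set]
        sc = MinMaxScaler().fit([X[i] for i in train])
        model = KNN(k, distance).fit(sc.transform([X[i] for i in train]), [y[i] for i in train])
        correct += sum(model.predict(x) == y[i]
                       for i, x in zip(test, sc.transform([X[i] for i in test])))
    return correct / len(X)


def tune(X, y, ks=(1, 3, 5, 7, 15), distances=(euclidean, manhattan, minkowski)):
    """Grid search over k and the distance on the CV score (the tuning step)."""
    results = {(k, d): cross_val_accuracy(X, y, k, d) for k in ks for d in distances}
    return max(results, key=results.get), results


def classify_flows(flows, X, y, k, distance):
    """Fit on all labelled flows, then label new (unscaled) flow records."""
    sc = MinMaxScaler().fit(X)
    model = KNN(k, distance).fit(sc.transform(X), y)
    return [model.predict(x) for x in sc.transform(flows)]


def demo(seed=42):
    """End-to-end run: build data, tune, and label three hand-picked new flows."""
    X, y = make_flows(random.Random(seed))
    (k, dist), results = tune(X, y)
    new_flows = [[10, 800, 5, 1], [300, 48, 0.5, 300], [3000, 50, 20, 1]]
    return results[(k, dist)], k, dist.__name__, classify_flows(new_flows, X, y, k, dist)


if __name__ == "__main__":
    acc, k, dist_name, labels = demo()
    print(f"best on CV: k={k}, distance={dist_name}, accuracy={acc:.3f}; new flows -> {labels}")
```

Two details matter more than the classifier itself. Scaling is mandatory for any of Eqs. 3-5, because packets per second spans thousands while distinct ports spans hundreds and would otherwise dominate the distance; and the scaler must be fitted inside each fold, or the cross-validation score will overstate what the model does on genuinely unseen flows. The grid over k reproduces the remark above about small versus large k: k = 1 follows every training point, larger k smooths the decision at the cost of misclassifying points near a class boundary.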
Supervised ML Based IDS in SDN
Intrusion detection in SDN using ML techniques has gained popularity because of the exceptional success of ML algorithms in network security. In the following, we review some of the supervised ML-based IDS solutions in the SDN paradigm.
Intricate attacks may inject malicious payloads into packets. By inspecting packets deeply, Cheng et al. [121] propose an OpenFlow-based deep packet inspection method for the SDN environment that incorporates the DT, RF, Multinomial-NB, KNN, and SVM algorithms. First, the method introduces a primary recognition mechanism linked with IP filtering at the flow level. After that, the packets are checked by a deep packet inspection (DPI) engine, which comprises two key components: unencrypted traffic inspection and encrypted traffic inspection. For unencrypted traffic, the proposed system extracts payload features (tri-gram frequency based on TF-IDF, linguistic features). For encrypted traffic, the system extracts prominent features such as TLS cipher suites to train the classifier to identify malicious encrypted packets. This work also proposes a customizable packet-driven sampling method based on linear prediction to overcome the resource-performance trade-off at packet-level granularity.
Yu et al. [122] also performed DPI-based traffic classification in the SDN environment. For the classification task, they used the Tri-Training mechanism [123], consisting of SVM, KNN, and NB classifiers, after collecting flow features from the network traffic. Several other studies also employed DPI mechanisms to detect attacks in the SDN paradigm [113], [124]–[126]. In ref. [124], Lin et al. add a two-tier traffic-flow classification mechanism to the traditional SDN architecture. First, rather than at the controller, it conducts traffic classification on the data plane. If the initial categorization module cannot handle the traffic, it is forwarded to a DPI module. However, forwarding traffic to specific DPI engines typically results in global network load and link usage problems. Moreover, since malware producers have switched their distribution from HTTP to HTTPS to avoid payload analysis, DPI cannot be relied on to extract characteristics for malware identification. For this reason, Cusack et al. [127] proposed a scheme that leverages programmable forwarding engines (PFE). The flow records created by PFEs offer per-packet information and allow flow characteristics to be extracted for ransomware classification. The architecture is divided into two sections: stream processing and classification. The stream processor reads a PCAP, maintains a customized flow table, and collects flow features for the ML-based classifier. The classifier uses the retrieved features to train a model that can detect ransomware.
In another study, Cabaj et al. [126] utilized SDN for ransomware detection by tracking the packet lengths of HTTP POST messages using DPI. Once the ransomware was detected, the IP addresses of the command-and-control servers were located and blocked.
Song et al. [128] propose a risk-awareness-based IDS in SDN. The proposed model has four steps: (i) data processing, (ii) data modeling, (iii) decision-making, and (iv) response scheme. The data processing step is designed to find an appropriate feature set. Two supervised ML algorithms (DT and RF) are used in the data-modeling step to predict malicious activities. The decision-making step analyzes the result of the data-modeling step and signals the response scheme to initiate a security response. In the response step, the system changes the flow rules for different network routes. Altering the traffic flow of malicious hosts protects the system from being overwhelmed by potential attack traffic, so the system can maintain a balanced flow among all routes.
Silva et al. [129] developed the ATLANTIC project to detect abnormal traffic streams and classify them using SVM. It is a two-phase architecture that detects the anomaly and mitigates the traffic to restore normal flow. In the first phase, tables are maintained to record the traffic flows, and the table records are used to find deviations using entropy measures. In the second phase, SVM is used to categorize the abnormal traffic flows.
Nanda et al. [84] propose a system that can identify malicious connections using four ML algorithms, namely NB, DT, BayesNet, and decision table. The prediction results are used by the SDN controller to implement security measures that protect vulnerable hosts. For their experiment, they used log data from different architectures and classified it into two classes.
Peng et al. [130] present an SDN-based IDS that detects anomalies in the network flow. In their system, the controller's flow collection unit gathers information from the flow tables of the OF switches, collects the flow data features, pre-processes the features, and separates anomalous flows from normal flows using the KNN algorithm.
Satheesh et al. [131] present a priority-based machine learning approach using SDN to manage data packet flow across the network. Their model obtains network information, applies packet classification, and adjusts flow rules to block malicious information flows.
Abubakar and Pranggono [132] propose a neural-network-based IDS solution for SDN. They first built a simulated testbed, which reproduces the actual scenario by offering a mechanism for signature-based attack detection. The model is then configured to provide anomaly-based detection, and the latter model is incorporated into the signature-based model to detect previously unseen attacks missed by the first method. They achieved a 97.3% detection rate using a pattern recognition technique.
Schueller et al. [133] present a two-tier hierarchical IDS for SDN by combining the flow-based and packet-based properties of the network data. They developed the flow-based IDS using the SVM algorithm with the DARPA dataset. It matches the flows of SDN traffic against a database that
comprises flow rules. For advanced assessment of packets, irregular flows are then transferred to the packet-based IDS.
Ajaeiya et al. [134] implement a model to determine potential attacks such as DoS and brute-force attack variants such as HTTP credential and SSH brute forcing. A major benefit of SDN is that OF switches send statistical information per flow entry to the controller. The proposed approach uses the OF switches' statistical features to extract flow patterns and features and combines them before labeling for the classification model.
Wang et al. [135] presented a flow-control-based IDS. Their enhanced behavior-based SVM model detects and monitors traffic for abnormal flows. They used the Support Vector Classifier to select the most relevant features from a set of raw features, which enhanced their detection accuracy. For feature reduction, they used the ID3 DT algorithm.
Using SVM for DDoS attack detection, Yang and Zhao [136] propose a three-module IDS model. The first module collects traffic data, where a RYU controller extracts features through statistical flow analysis; the second module identifies DDoS attacks on the SDN campus network; and the last module adjusts the flow delivery rules to withstand the DDoS attack.
By analyzing the limitations of current IDS solutions in the SDN paradigm, Alshamrani et al. [137] present an ML-based DDoS attack recognition and mitigation scheme. They studied the misbehavior attack, where an attacker fools the controller by sending a valid packet as the first packet of a flow and then sends malicious packets later, and the NewFlow attack, where packets with new and unseen flows are sent to the controller, creating a bottleneck. The NSL-KDD dataset was chosen, and a subset of its features was selected using ranker, greedy, and genetic algorithms for the model training, combined with a correlation-based feature selector that ranks the feature subsets following a correlation heuristic evaluation function [138].
Vetriselvi et al. [139] propose an ML-based two-level IDS solution for the SDN paradigm. They created the IDS by combining ML and genetic algorithms. Their model is separated into two levels: the first level (deployed in the switch) is used to detect the attacks, and the second level categorizes the attack types.
Leveraging the metaheuristic optimization BAT algorithm [140] and the ML-based RF algorithm, Li et al. [141] project an artificial-intelligence-based two-stage IDS solution for Software-Defined IoT (SD-IoT) networks. They selected five classes of flow features from the KDD CUP 99 dataset using a modified BAT algorithm with differential mutation and a swarm division process. A modified RF algorithm and a weighted voting mechanism were then used to adapt the weights of the sample data to categorize the flows from the initial stage. Their model achieves lower false alarm rates due to the optimal and core feature selection process for attacks in SD-IoT networks.
Akbas et al. [142] studied ML algorithms' usage and effectiveness in the SDN paradigm for intrusion detection. To detect DDoS attacks in SDN, their IDS solution was integrated with the POX controller. Detection performance was evaluated using the KNN, DT, and SVM algorithms on the NSL-KDD dataset. Using feature selection, they selected only six of the forty-one features available in the dataset.
Boero et al. [112] investigate an SVM-based IDS solution in SDN for detecting various malware intrusions in the network. Using the entropy-based Information Gain (IG) method, they selected the core features, based on probability density estimation, that contribute most to intrusion detection. By ranking the features, they selected nine major features well suited to the SDN architecture to carry out the IDS solution in this study.
Elsayed et al. [143] carried out a careful investigation of the common ML methods for identifying attacks in SDN. Their study examined the linearity and non-linearity of the datasets. t-Distributed Stochastic Neighbor Embedding was used to cluster the dataset's malicious and normal traffic as a nondeterministic measure. The Principal Component Analysis (PCA) algorithm was then used to reduce the dataset's dimensionality from 122 to 20 features. They suggested that traditional ML algorithms fail to classify a wide range of SDN attacks with precision; hence, a DL-based approach was suggested for the complex feature analysis required by the detection task.
An ML-based TCP-SYN and ICMP flood attack mitigation method was proposed by N.N. Tuan et al. [144] for SDN-enabled Internet Service Provider (ISP) networks. For the training dataset, they used CAIDA 2007 and also generated traffic using the DDoS traffic generator "Bonesi" [145] for additional training of the model. The attacker exploits the Network Address Translation mechanism of the ISP. When the controller (POX) [30] receives a "packet_in" message for any unknown flow of packets, the KNN-based IDS module identifies the packets as normal or attack traffic based on the ICMP packet volume and by calculating the port entropy during TCP traffic. For the mitigation part, they used a time-monitoring concept to calculate the port entropy, based on the number of source IP addresses and their corresponding open ports. Two XGBoost models were used in the study: one for predicting the monitoring windows, and the other for predicting the threshold value of the monitoring window.
Afsaneh et al. [146] propose a DDoS attack classification model combining three phases: the collector section, the entropy-based section, and the collection section. The system aims to train the classification model with recent data to overcome dependency on relatively old data. They applied three different datasets (UNB-ISCX, CTU-13, and ISOT) to test the classification model's performance, where the chosen models are J48, BayesNet, Random Tree, REPTree, NB, and LR.
Pérez-Díaz et al. [147] propose a modular architecture for low-rate DDoS attacks, such as DDoSSim, hulk, Slowloris, etc.,
detection and prevention in SDN. The first module, the IPS running on top of the ONOS SDN controller, captures the flow and sends it to the IDS. In the second module, the ML-based IDS classifies the flows and sends back the detection result. Based on the IDS's result, the IPS processes the captured flow according to the prevention strategies. They performed the experiments on the CIC DoS dataset using six ML methods and achieved 95% accuracy with a very low False Alarm Rate (FAR).
To identify Man-in-the-Middle (MITM) attacks, Sebbar et al. [148] propose a model using the RF algorithm that selects nodes based on context to identify ARP resolution instances and any eavesdropping or poisoning within the network. Any connection request with a TTL value greater than 200 milliseconds is considered an attempted MITM attack; only nodes that respond within the specified period are accepted. Then, using pre-established policies and the TTL delay, the decision regarding any connection is made. Any connection request exceeding the delay is considered an attack, and the system cuts off the connection to that node, preventing any approval and verification process for it.
Aiken and Scott-Hayward [149] propose an IDS for SDN by developing an anomaly-based network IDS module named Neptune, inspired by Athena [150], and an adversarial test module named Hydra. Using Hydra, the authors tested the detection accuracy of Neptune under a SYN-flood DDoS attack. Neptune uses SL on flow statistics to train and categorize live traffic. They evaluated the model's detection accuracy using four ML classifiers, where RF achieved the best outcome.
To assess the performance of different ML algorithms for identifying DDoS attacks in SDN, Meti et al. [151] presented experimental results on real-time data. The dataset was created from real-time TCP traffic between the experiment lab and the outside world, and Mininet was used to create the SDN topology. For classification, they used SVM, NB, and ANN models. Their experiment shows that SVM and ANN both achieved 80% accuracy; however, the results varied substantially in precision and recall.
Santos et al. [152] analyze the performance of four ML methods (MLP, DT, RF, SVM) in detecting DDoS attacks in a Mininet-simulated SDN environment. They used the scapy tool to produce malicious traffic for the attack. The analysis considered accuracy in the detection of DDoS attacks and processing time. They also provided a feature analysis to find the best features for training the model. RF algorithm achieved the
IDS solution, used dataset, core feature selection, chosen SDN controller, and the attack classification type along with their names. In Table XI, we also summarize the performance of each reviewed article based on the learning category of the ML-DL algorithms and the evaluation metrics.

B. Unsupervised Learning (UL) Based Models
UL-based models are used when the class label is unknown. In most IDSs, UL-based algorithms are used for cluster analysis. As shown in Fig. 10, UL-based algorithms do not require supervision and are trained using unlabeled data; rather, they investigate the trends and patterns on their own. The unsupervised model's goal is to identify groups and categorize the data according to shared attributes. The most popular unsupervised models used for intrusion detection are the K-Means and SOM algorithms.

Fig. 10. Unsupervised Learning (UL) method structure.

K-Means Clustering
The K-Means clustering method finds groups in a given dataset, where the number of groups is represented by the variable K. Generally, centroids are picked randomly and K clusters are formed. The method works iteratively, assigning each data point to a particular cluster; at the end of each iteration, every data point is clustered according to its feature similarity and each cluster center (the mean of the cluster) is updated. This is repeated until the criterion function converges. Usually, the squared error measure of Eq. 6 is used.

$E = \sum_{i=1}^{k} \sum_{x \in c_i} |x - m_i|^2$   (6)

Here, $E$ is the sum of the squared errors of all objects, $x$ is a point in space representing a given object, and $m_i$ is the mean of cluster $c_i$. The output of the K-Means method is the K cluster centroids, which can be used for labeling novel data.

Self-Organizing Map (SOM)
best accuracy, whereas DT achieved the best efficiency in terms SOM is an UL method that creates a nonlinear mapping of a
of processing time. Some other studies [153]–[155] mainly high-dimensional data manifold on a regular, low-dimensional
adopted SVM-based IDS solution for SDNs. output space [156]. Using dimensionality reduction, they can
cluster large amounts of data. Compared to the performance of
Table V presents a tabular summarization of the other clustering algorithms, such as K-Means, the SOM output
aforementioned reviewed articles that depicts the objective of the allows for simple visualization.
study, adopted SL based Shallow ML algorithms for building
14
TABLE V
SUMMARY OF THE REVIEWED SUPERVISED LEARNING-BASED SHALLOW ML MODELS TO DETECT INTRUSION IN SDN

| Objective | Algorithm | Dataset | Controller | Testbed | Features Selection (FS) | FS Approach | Classification Type | IDS Domain | Ref. |
|---|---|---|---|---|---|---|---|---|---|
| Deep packet inspection based malicious payload identification in SDN. | DT, RF, KNN, SVM, LR, Multinomial-NB | CTU-BOTNET [157], GitHub Payloads, HTTP CSTC 2010 | RYU [29] | Mininet | Term frequency and linguistic features. | Manual selection | Binary classification: Normal class and Anomalous class. | Packet-based, Flow-based | [121] |
| Develop a QoS-aware traffic classification framework using ML and DPI in SDN environment. | Tri-Training Mechanism (SVM, KNN, NB) | Not mentioned | Not mentioned | Not mentioned | 8 features, flow-based. | Eigenvalue-based | Binary classification: Normal class and Attack class. | Flow-based | [122] |
| ML-based recognition of ransomware in SDN. | RF | Malware Traffic Analysis [158] | Not mentioned | Not mentioned | 28 features, flow-based, based on measuring packet interarrival times. | Manual selection | Binary classification: Clean class and Ransomware class. | Packet-based, Flow-based | [127] |
| Detection and mitigation of DDoS attack in SDN through ϕ-entropy incorporating with SVM and KNN classifier. | KNN, SVM | Synthetic data generated using Hping3 and Nping. | Not mentioned | Not mentioned | Average byte and duration. | Shannon entropy and ϕ-entropy | Multiclass classification: Normal, SYN, ICMP, UDP, ACK, TCP Connection, and Flash event. | Flow-based, Statistics-based | [159] |
| Traffic awareness-based IDS to maintain regulated traffic in SDN. | RF | KDD'99 | Floodlight [33] | Mininet | 10 features: Duration, Service, Src. bytes, Dst. bytes, Protocol type, Flag, Land, Wrong fragment, Urgent and Hot. | RF, based on vote count of correct classes. | Binary classification: Normal class and Anomaly class. | Flow-based | [128] |
| Anomalous traffic detection and flow control mechanism. | SVM | Self-collected data from network traffic. | Floodlight | Not mentioned | 2 features: IP address and Transport port number. | Based on entropy analysis | Binary classification: Normal class and Anomaly class. | Flow-based | [129] |
| Identify malicious hosts and provide advance security. | DT, NB, Decision Table, BayesNet | Log data | Not mentioned | Not mentioned | 3 features: Invader IP, Compromised host and No. of efforts in an outbreak. | Not mentioned | Binary classification: Normal and Attack. | Log-based | [84] |
| Recognition of DDoS anomaly flows in SDN. | KNN | Self-collected data from multiple data centers. | RYU | Mininet | 11 features: Duration, Protocol type, Src/Dst. bytes, Service and Server count, Server SYN error rate, Dst. host count, Dst. host server count, Dst. host SYN error rate and Dst. host server REJ error rate. | Not mentioned | Binary classification: Normal and DDoS. | Flow-based | [130] |
| Identification of usual and anomalous flow of data transmission to detect the intruder anomalies. | RF, NB, BayesNet, Part | NSL-KDD | Floodlight | Mininet | Nominal, Numeric and Binary feature set. | Information Gain ratio | Multiclass classification: Normal, DoS, R2L, Probe, U2R, and Unknown. | Flow-based | [131] |
| Detection of DDoS attack in SDN using a meta-heuristic method. | Fitting Curve, Pattern Recognition, Time Series | NSL-KDD | OpenDaylight [32] | Mininet | 5 features: Duration, Protocol type, Src. bytes, Dst. bytes, Service and Server count. | Manual selection | Multiclass classification: Normal, DoS, R2L, Probe, U2R, and Unknown. | Flow-based | [132] |
| SVM based IDS for SDN in cloud data center. | SVM | DARPA 1998 | RYU | Mininet | 6 features: Avg. number of packets per flow, bytes per flow, avg. duration of a flow, percentage of symmetric paired flows, rate of increase in the number of single flows and growth of new ports. | Manual selection | Multiclass classification: Normal, DoS, U2R, R2L, and Probe. | Flow-based, Packet-based, Log-based | [133] |
| Statistical feature analysis of flow-based IDS in SDN. | SVM, DT, RF, KNN and Bagged Trees | Not mentioned | RYU | Not mentioned | 8 features: Duration, Packet count, Byte count, Src/Dst IP, Protocol, Src. and Dst. port. | Feature aggregation based on replaying the gathered flows using TCP Replay to the SDN. | Binary classification: Normal class and Anomaly class. Multiclass classification: Normal, DoS, HTTP Brute-Force, SSH Brute-Force. | Flow-based | [134] |
| Threat detection using flow control method in SDN. | SVM, ID3 DT | KDD'99 | RYU | sFlow Toolkit [160] | 2 sets of behavioral features selected from 30 features. 1st set: 23 features; 2nd set: 29 features. | Information Gain | Multiclass classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [135] |
| Analyze flow statistics and develop an SVM based real-time DDoS attack detection and resistance model. | SVM | KDD'99 | RYU | Mininet | 8 features: Count, Service Count, Same Service Count, Dst. Host Count, Dst. Host Service Count, Dst. Host Same Service, Same Port Rate, Dst. Host SYN and REJ Error Rate. | Not mentioned | Binary classification: Normal class and DDoS class. | Flow-based | [136] |
| Investigates New flow and Misbehavior attack evaluation. | SVM, J48, NB | NSL-KDD | POX | Mininet | 25 features were selected out of 41 features using a correlation heuristic function algorithm. | Ranker, Genetic and Greedy | Multiclass classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [137] |
| Build a two-level ML based IDS in SDN. | ID3 | Not mentioned | Not mentioned | Mininet | Not mentioned | Genetic algorithm | Not mentioned | Flow-based, Packet-based | [139] |
| Attack detection in Software Defined Internet of Things network using modified BAT and RF algorithm. | Modified BAT, Modified RF | KDD'99 | Not mentioned | Not mentioned | 32 features, flow-based. | Modified BAT algorithm | Multiclass classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [141] |
| ML algorithms performance analysis using NSL-KDD dataset for attack detection in SDN paradigm. | SVM, KNN, DT | NSL-KDD | POX | Mininet | 6 features: Duration, Type of the protocol, Src/Dst. bytes, Count, SYN error rate. | Manual selection | Multiclass classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [142] |
| SVM incorporated with selective IP traceback-based IDS mechanism for SDN. | SVM | NSL-KDD | RYU | Mininet | 9 features: Duration, Type of the protocol, Flag, Src/Dst. bytes, Count, Service, Srv_count, Dst_host_same_src_port_rate. | Manual selection | Binary classification: Normal and Attack. | Flow-based | [153] |
| Malware intrusions detection in SDN using SVM based IDS. | SVM | Not mentioned | Not mentioned | Not mentioned | 7 features: No. of packets, No. of bytes, Flow duration, Byte rate, Avg. length of the packet, Packet rate, First packet length. | Ranker algorithm | Binary classification: Normal and Malware. | Flow-based | [112] |
| Performance evaluation of traditional ML methods regarding attack detection in SDN. | SVM, J48, NB, RF | NSL-KDD | Not mentioned | Not mentioned | 20 features, flow-based. | t-SNE algorithm [161] | Binary classification: Normal and Malicious. | Flow-based | [143] |
| DDoS attack (TCP-SYN and ICMP Flood) detection in the SDN enabled ISP networks. | KNN, XGBoost | CAIDA 2007 | POX | Self-constructed | Not mentioned | Based on time window monitoring and entropy calculation | Binary classification: Normal and DDoS. | Flow-based, Statistics-based | [144] |
| Building a robust classification system to detect DDoS attack by reducing the dependency on outdated data. | J48, BayesNet, Random Tree, REPTree, NB, LR | UNB-ISCX, CTU 13, ISOT | Floodlight | Mininet | 15 features: Statistical, IP, TCP, UDP and Raw feature set. | Manual selection based on neighboring nodes. | Binary classification: Normal and DDoS. | Flow-based | [146] |
| Low-rate DDoS attack detection using ONOS controller and ML methods. | J48, REPTree, RF, Random Tree, SVM, MLP | CIC-DDoS-2019 | ONOS [34] | Mininet | 44 features, flow-based. | Manual selection | Binary classification: Normal and DDoS. | Flow-based | [147] |
| Man In the Middle attack recognition in the SDN. | RF | Self-collected from SDN traffic. | OpenDaylight | Mininet | Not mentioned | Not mentioned | Binary classification: Normal and MITM. | Flow-based, Session-based | [148] |
| SYN-Flood DDoS attack detection in SDN. | RF, LR, KNN, SVM | CICIDS, DARPA 2009 | Faucet [162] | Self-constructed | 15 features: packet header and stateful features. | Ranker algorithm | Binary classification: Benign and Malicious. | Flow-based, Packet-based | [149] |
| Evaluating performance of different ML algorithms. | NB, SVM, ANN | Self-constructed from real-time traffic. | Not mentioned | Mininet | 2 features: Host time, No. of requests. | Not mentioned | Binary classification: Normal and DDoS. | Flow-based | [151] |
| Performance analysis of four ML algorithms to identify DDoS attack in the SDN. | MLP, DT, SVM, RF | Simulated data. | POX | Mininet | 23 features, flow-based. | Experimental trial-based | Binary classification: Normal and DDoS. | Flow-based | [152] |
| DDoS flooding occurrence recognition and mitigation scheme in SDN. | SVM | Real-time traffic collected from home office and ISP. | POX | Mininet | 5 features: Source IP, Source port, Destination IP, Destination port, Protocol. | Shannon entropy | Binary classification: Normal and DDoS. | Flow-based | [154] |
| Advanced-SVM-based DDoS detection in SDN. | SVM | Real-time traffic | Not mentioned | Not mentioned | Not mentioned | Manual selection | Binary classification: Normal and DDoS. | Flow-based | [163] |
| DDoS attack detection using feature selection and ML-based techniques in SDN. | SVM, ANN, KNN, NB | Self-generated simulated data using Open vSwitch. | POX | Self-constructed | 12 features, flow-based. | Filter, Wrapper and Embedded-based method. | Multiclass classification: Normal, TCP, ICMP, and UDP. | Flow-based | [155] |
The initialization of the weight vectors is the first stage of the SOM mapping process. Then a sample vector is chosen at random, and the map of weight vectors is searched for the weight that best describes that sample. Every weight vector has neighboring weights in its immediate vicinity. The chosen weight is rewarded by being made more similar to the randomly picked sample vector, and its neighbors are rewarded as well, becoming more similar to the chosen sample vector; this allows the map to expand and take on new forms. The SOM algorithm is extensively used in developing unsupervised learning-based intrusion detection solutions for SDNs [67], [164]–[166].

Hidden Markov Model (HMM)
The Hidden Markov Model is a probabilistic model based on Markov processes that has been used in a variety of research fields, including bioinformatics, speech recognition, and network intrusion detection [92], [167]. It enables us to infer a series of hidden (unknown) states from a set of observed states. HMMs can be applied to detect complicated internet attacks with a high noise ratio because of the variations in the action sequence throughout the execution of each identical attack [168].

Unsupervised ML Based IDS in SDN
In the following, we analyze some of the unsupervised ML-based IDS in SDN.
In a study by Wang et al. [169], an HMM is combined with the Renyi entropy of the source and destination IP addresses of the incoming data packets collected by the SDN controller to create an HMM-R scheme that detects low-rate DDoS attacks. The authors employed an SDN controller for traffic acquisition. To reduce detection time, the packet_in message is used to set the detection period. The authors then used the Renyi entropy as a statistical feature to limit the number of false positives. Finally, they employed the proposed HMM-R scheme to define a range of states, in the form of probabilities, to identify low-rate DDoS attacks at various rates. The Baum–Welch algorithm was used to train on the observation sequence data, and the Viterbi algorithm was used to detect low-rate DDoS attacks in the HMM-R scheme.
The DDoS attack is one of the substantial threats to security in SDN. Braga et al. [170] present a DDoS attack recognition system applied on a NOX controller based SDN. NOX is used to collect traffic flow features, which are fed to a SOM to detect fake hosts. Their proposed model guards against fake hosts that could produce many requests to exhaust the SDN and limit genuine hosts' resources.
Barki et al. [171] design a module-based DDoS attack recognition structure. Their IDS has two modules: a signature-based IDS detection system and a progressive IDS system. They used KNN, K-Means, NB, and K-Medoids methods for the signature-based IDS. The signature IDS module classifies abnormal traffic and identifies the hosts responsible for generating unusual traffic in the network. The advanced module inspects the packets from suspected hosts and puts a verdict on each host: either it is an authorized host or an irregular host responsible for a DDoS attack. The authors also claim that the processing time is reduced because the advanced module only checks the suspected hosts among all hosts.
Hurley et al. [167] propose an HMM-based IDS that can monitor the network and learn from its evolving nature to detect the probability of intrusion inside the network. The HMM defines the likelihood of intrusion by treating features like packet length, src/dst. port number, and src/dst. IP addresses as independent measures.
By creating a virtual testbed for SDN traffic generation, Jankowski and Amanowicz [172] propose an IDS based on SOM and Learning Vector Quantization (LVQ) methods. They also experimented with multiple improved versions of both algorithms, such as Multipass SOM, Multipass LVQ-1 and Hierarchical LVQ-1, with an average True Positive Rate (TPR) of more than 94%.
Table VI presents a tabular summary of the aforementioned reviewed articles that depicts the objective of the study, adopted UL based shallow ML algorithms for building IDS solution, used dataset for the task, core feature selection, chosen SDN controller, and the attack classification type, corresponding IDS domain along with their simulated testbed.
In the next section we discuss those studies which have used RL-based algorithms to develop IDS solutions specific to SDN.

C. Reinforcement Learning (RL) Based Models
Reinforcement Learning (RL) is one of three primary ML paradigms, next to supervised and unsupervised learning. RL is concerned with how intelligent agents can achieve a goal in an unknown, potentially intricate environment so as to maximize the total cumulative reward. RL can be used to solve problems where notable domain information is either inaccessible or prohibitively expensive [173]. In most cases, a function approximator, such as a neural network or an SVM, is used to map states to values. For IDS, designing a reward function associated with the detection of intrusions is incredibly challenging because there is no automated approach to distinguish intrusions from the normal traffic flow. Algorithms such as Q-learning, Deep Q-Network (DQN), and Proximal Policy Optimization (PPO) are mostly used in RL-based IDS for SDNs. Q-learning is an off-policy RL algorithm that determines the optimum course of action given the present situation [174]. Because the Q-learning function learns from its actions and is not reliant on the existing policy, it is termed off-policy.
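The two clustering methods described above, K-Means with the squared-error criterion E of Eq. 6 and the Kohonen training loop of the SOM, applied to per-flow statistics, as an added example written for this section (it is not code from any of the reviewed papers). The flow records are constructed, not captured traffic; the feature scaling, the grid size, the learning-rate and radius schedules, and the farthest-point seeding of K-Means are illustrative choices. Both methods run over the same min-max scaled log1p(feature) vectors, because raw byte counts would otherwise swamp durations.

```python
"""Added example: K-Means (Eq. 6 criterion) and a Self-Organizing Map over
constructed per-flow statistics. Illustrative code for this survey section,
not the code of any reviewed paper."""
from __future__ import annotations

import math
import random
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, ...]
Unit = Tuple[int, int]


def constructed_flows(seed: int = 1) -> Tuple[List[Point], List[Point]]:
    """(packets, bytes, duration_s) per flow: 20 benign transfers and 20 SYN-flood flows (constructed)."""
    rng = random.Random(seed)
    benign = [(rng.randint(20, 40), rng.randint(20_000, 60_000), rng.uniform(4.0, 10.0)) for _ in range(20)]
    flood = [(rng.randint(1, 2), rng.randint(60, 120), rng.uniform(0.0, 0.1)) for _ in range(20)]
    return benign, flood


def log_minmax_fit(points: Sequence[Point]) -> Tuple[Point, Point]:
    """Counts span orders of magnitude, so scale log1p(feature) to [0, 1] per column."""
    cols = list(zip(*[tuple(math.log1p(x) for x in p) for p in points]))
    return tuple(min(c) for c in cols), tuple(max(c) for c in cols)


def scale(p: Point, lo: Point, hi: Point) -> Point:
    return tuple((math.log1p(x) - l) / (h - l) if h > l else 0.0 for x, l, h in zip(p, lo, hi))


def sqdist(a: Point, b: Point) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def nearest(p: Point, centroids: Sequence[Point]) -> int:
    return min(range(len(centroids)), key=lambda i: sqdist(p, centroids[i]))


def sum_squared_error(points: Sequence[Point], labels: Sequence[int], centroids: Sequence[Point]) -> float:
    """E = sum_{i=1..k} sum_{x in c_i} |x - m_i|^2  (Eq. 6)."""
    return sum(sqdist(p, centroids[lab]) for p, lab in zip(points, labels))


def kmeans(points: Sequence[Point], k: int, seed: int = 0, max_iter: int = 100, tol: float = 1e-9):
    """Lloyd iteration: assign each point to its nearest mean, recompute the means,
    stop once E no longer decreases. Seeded with one random point and then
    farthest-point picks so that the demo is deterministic."""
    rng = random.Random(seed)
    centroids: List[Point] = [rng.choice(list(points))]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(sqdist(p, c) for c in centroids)))
    prev_e = math.inf
    for _ in range(max_iter):
        labels = [nearest(p, centroids) for p in points]
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:  # an empty cluster keeps its previous centroid
                centroids[i] = tuple(sum(col) / len(members) for col in zip(*members))
        e = sum_squared_error(points, labels, centroids)
        if prev_e - e < tol:
            break
        prev_e = e
    labels = [nearest(p, centroids) for p in points]
    return centroids, labels, sum_squared_error(points, labels, centroids)


def som_bmu(p: Point, weights: Dict[Unit, Point]) -> Unit:
    """Best-matching unit: the map unit whose weight vector is closest to p."""
    return min(weights, key=lambda u: sqdist(p, weights[u]))


def som_train(points: Sequence[Point], rows: int = 3, cols: int = 3, epochs: int = 40,
              lr0: float = 0.5, radius0: float = 1.5, seed: int = 0) -> Dict[Unit, Point]:
    """Kohonen training: pick a sample, find its BMU, pull the BMU and its grid
    neighbours toward the sample; learning rate and neighbourhood radius decay."""
    rng = random.Random(seed)
    dim = len(points[0])
    weights = {(r, c): tuple(rng.random() for _ in range(dim)) for r in range(rows) for c in range(cols)}
    steps, t = epochs * len(points), 0
    for _ in range(epochs):
        for p in rng.sample(list(points), len(points)):
            frac = t / steps
            lr, radius = lr0 * (1.0 - frac), radius0 * (1.0 - frac) + 0.05
            br, bc = som_bmu(p, weights)
            for (r, c), w in weights.items():
                h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2.0 * radius * radius))
                weights[(r, c)] = tuple(wi + lr * h * (xi - wi) for wi, xi in zip(w, p))
            t += 1
    return weights


def cluster_flows() -> dict:
    """Run both methods on the constructed flows; labels and BMUs are in input order."""
    benign, flood = constructed_flows()
    raw = benign + flood
    lo, hi = log_minmax_fit(raw)
    pts = [scale(p, lo, hi) for p in raw]
    centroids, labels, e = kmeans(pts, k=2)
    weights = som_train(pts)
    bmus = [som_bmu(p, weights) for p in pts]
    return {"centroids": centroids, "labels": labels, "E": e, "bmus": bmus, "scaler": (lo, hi)}


def label_new_flow(flow: Point, result: dict) -> int:
    """Label a previously unseen flow with the K-Means centroid nearest to it."""
    lo, hi = result["scaler"]
    return nearest(scale(flow, lo, hi), result["centroids"])
```

On these well-separated constructed flows both methods put the benign transfers and the flood flows in different clusters (for the SOM, in different best-matching units), and `label_new_flow` shows how the K centroids are reused to label novel traffic, as the text describes. The caveat for real deployments is that the scaling fitted on training flows has to be reused unchanged for new flows, otherwise the centroids no longer mean anything.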
TABLE VI
SUMMARY OF THE REVIEWED UNSUPERVISED LEARNING-BASED SHALLOW ML MODELS TO DETECT INTRUSION IN SDN

| Objective | Algorithm | Dataset | Controller | Testbed | Features Selection (FS) | FS Approach | Classification Type | IDS Domain | Ref. |
|---|---|---|---|---|---|---|---|---|---|
| Detecting low-rate DDoS attacks using HMM at different rates in the SDN. | HMM, SOM, KNN, Back-Propagation | Data packets collected from a synthetically created data center. | POX | Mininet | Source and destination IP addresses. | Renyi entropy | Binary classification: Normal and DDoS. | Flow-based, Statist-based | [169] |
| DDoS attack recognition. | SOM | Self-collected data from network traffic. | NOX | Not mentioned | Per-flow average of packets, bytes, duration, and percentage of pair-flows. | Self-extracted | Binary classification: Normal and DDoS. | Flow-based, Statistics-based | [170] |
| DDoS attack recognition and identification of the attacker hosts. | K-Means, K-Medoids, NB, KNN | Self-collected data from network traffic. | RYU | Mininet | Not mentioned | Self-extracted | Binary classification: Normal and DDoS. | Flow-based, Statistics-based, Log-based | [171] |
| Develop an HMM-based IDS for SDN. | HMM | Self-collected data from network traffic. | Floodlight | Mininet | Packet length, Src. and Dst. port number, Src. and Dst. IP addresses. | Manual selection | Binary classification: Normal and Anomaly. | Flow-based | [167] |
| Network-based DDoS attack recognition in SDN environment. | SOM | Simulated data. | Floodlight | NS-3 | Not mentioned | Manual selection | Binary classification: Normal and DDoS. | Flow-based | [67] |
| Competence evaluation of ML based algorithms in IDS for SDN. | SOM, LVQ | Self-collected from a virtual testbed. | OpenDaylight | Mininet | 9 features: Packet count in a flow, Src. TCP/UDP port, Byte count in a flow, Dst. TCP/UDP port, Duration, Flows with diverse ports from Src/Dst. hosts, Flow rate to the host, and Single flow rate to the host. | Not mentioned | Multiclass classification: Normal, DoS, R2L, Probe, U2R. | Statistics-based, Flow-based | [172] |
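The entropy-plus-HMM idea of the HMM-R scheme by Wang et al. [169] (entropy of the addresses seen in each detection window as the observation, a hidden Normal/Attack state decoded with Viterbi), carried through on constructed packet windows as an added example written for this section. It is not the authors' code: the two-state transition and emission probabilities and the entropy thresholds below are hand-set assumptions for the demonstration, whereas Wang et al. fit theirs to traffic with Baum–Welch.

```python
"""Added example: Renyi entropy of destination IPs per detection window, quantised
into HMM observations and decoded with the Viterbi algorithm. Illustrative code
for this survey section; the HMM parameters are assumptions, not fitted values."""
from __future__ import annotations

import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP) of one packet; constructed data


def renyi_entropy(counts: Sequence[int], alpha: float = 2.0) -> float:
    """Renyi entropy (bits) of the distribution given by raw counts; alpha -> 1 is Shannon."""
    total = sum(counts)
    probs = [c / total for c in counts if c > 0]
    if abs(alpha - 1.0) < 1e-12:
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)


def window_observation(window: Sequence[Packet], alpha: float = 2.0) -> str:
    """Quantise the destination-IP entropy of one window into an HMM symbol.
    A flood piles packets onto one target, so entropy collapses. Thresholds are assumptions."""
    h = renyi_entropy(list(Counter(dst for _, dst in window).values()), alpha)
    if h >= 2.0:
        return "high"
    if h >= 1.0:
        return "mid"
    return "low"


STATES = ("Normal", "Attack")
START = {"Normal": 0.9, "Attack": 0.1}                       # assumed
TRANS = {"Normal": {"Normal": 0.8, "Attack": 0.2},           # assumed
         "Attack": {"Normal": 0.3, "Attack": 0.7}}
EMIT = {"Normal": {"high": 0.7, "mid": 0.25, "low": 0.05},   # assumed
        "Attack": {"high": 0.05, "mid": 0.25, "low": 0.7}}


def viterbi(obs: Sequence[str]) -> List[str]:
    """Most probable hidden-state path for the observation sequence (log domain)."""
    score = {s: math.log(START[s]) + math.log(EMIT[s][obs[0]]) for s in STATES}
    back: List[Dict[str, str]] = []
    for o in obs[1:]:
        new_score: Dict[str, float] = {}
        ptr: Dict[str, str] = {}
        for s in STATES:
            prev = max(STATES, key=lambda p: score[p] + math.log(TRANS[p][s]))
            new_score[s] = score[prev] + math.log(TRANS[prev][s]) + math.log(EMIT[s][o])
            ptr[s] = prev
        score, back = new_score, back + [ptr]
    state = max(STATES, key=lambda s: score[s])
    path = [state]
    for ptr in reversed(back):
        state = ptr[state]
        path.append(state)
    return path[::-1]


def constructed_windows() -> List[List[Packet]]:
    """Eight detection windows of constructed packets; windows 3-5 are a flood on 10.0.0.9."""
    hosts = [f"10.0.0.{i}" for i in range(1, 9)]
    normal = [(hosts[i % 8], hosts[(i * 3 + 1) % 8]) for i in range(32)]
    flood = [(f"192.0.2.{i}", "10.0.0.9") for i in range(30)] + normal[:2]
    return [normal, normal, normal, flood, flood, flood, normal, normal]


def detect(windows: Sequence[Sequence[Packet]]) -> List[str]:
    """Per-window verdict: the decoded hidden state for each detection window."""
    return viterbi([window_observation(w) for w in windows])
```

The point of putting an HMM behind the entropy feature, rather than thresholding it directly, is that a single noisy window does not flip the verdict: the transition probabilities make the decoder prefer runs of the same state, which is what the text means by using the entropy feature to limit false positives.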
Rather than estimating the value function with a greedy approach, Q-learning updates its value function using equations such as the Bellman equation. The letter 'Q' stands for quality: how valuable a specific action is in obtaining future reward. By combining Q-learning with a DNN, Mnih et al. [175] proposed the DQN algorithm, which operates within discrete action spaces. A DQN agent is a value-based RL agent that trains a critic to predict future rewards or returns. The OpenAI team released the PPO algorithm in 2017 [176], and it quickly became one of the most popular RL approaches, overtaking Deep-Q learning. It is a policy gradient method used to train policies in a variety of prominent RL-based applications [177]. It involves gathering a small sample of the environment and using that sample to update the decision-making policy.
Sampaio et al. [178] emphasize the use of RL and a Network Function Virtualization (NFV) architecture for detecting anomalies in SDN. The authors suggest that network metrics be collected and categorized into profiles, each with a series of actions that handle functions through RL, NFV, and an SDN controller. Based on the rewards for individual actions, the authors set up the anomaly detection policies. They load-balanced the traffic flow in an online manner without any supervision. Their model also detects honeypots by initiating a Linux bot running secure shell and telnet services.
Zolotukhin et al. [179] propose an RL-based technique for attack detection and real-time dynamic reconfiguration of the network by redirecting the SDN flows to multiple security middleboxes. They calculated the maximum number of packets sent to a host and created a set of rules defining threshold values for different processes; the Snort virtual appliance detects any amount exceeding the threshold volume. They adopted a centroid-based clustering method to detect anomalous payloads. They collected regular traffic from the network and divided it into numerous clusters using the K-Means, SOM and FCM algorithms to train the RL agent. For RL, they used DQN and PPO.
A Neural Fitted Q-Learning agent-based threat detection mechanism named ATMoS was proposed by Akbari et al. [180] using OpenDaylight, Snort, Docker, etc. This model's three key components are profiling of the behavior of the host, autonomous management for the RL agent, and the SDN infrastructure. APT and TCP SYN-flood attacks were detected by deploying malicious hosts and variations of benign hosts in the simulated testbed.
Q-Learning is also explored by Phan et al. in their DoS defense framework named Q-Mind [181] in SDN. The Q-Learning-based agent controls the anomaly classification system based on SVM, SOM, and RF. A module named application operator and scheduler selects the optimal features from the collected data and chooses appropriate ML algorithms to classify each source IP address as normal or malicious.
Table VII presents a tabular summary of the aforementioned reviewed articles that depicts the objective of the study, adopted RL based ML-DL algorithms for building IDS solution, used dataset for the task, core feature selection, chosen SDN controller, and the attack classification type, corresponding IDS domain along with their simulated testbed. In the next section, we discuss those studies which have used DL-based algorithms to develop IDS solutions specific to SDN.

VI. DEEP LEARNING MODELS BASED IDS IN SDN
Feature-based shallow ML detection schemes are incredibly resource-intensive, and their efficacy in intrusion detection in large-scale SDN is not very reliable [182]. Recently, DL-based models have gained popularity over traditional ML models because of higher accuracy and precision.
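The off-policy Q-learning update described above (the agent acts epsilon-greedily, but the Bellman target always uses the best next action) on a toy SDN response task, as an added example written for this section; it is not code from Q-Mind, ATMoS or any other reviewed system. The three traffic profiles, the three flow-rule actions, the reward table and the window-to-window transition probabilities are all constructed assumptions chosen to show the mechanics, and the code notes the problem the text raises: the reward table is what you have to hand-design, since nothing labels a window as an intrusion for you.

```python
"""Added example: tabular Q-learning for a toy SDN response agent.
Illustrative code for this survey section; states, actions, rewards and the
transition model are constructed assumptions, not data from any reviewed paper."""
from __future__ import annotations

import random
from typing import Dict, Tuple

STATES = ("benign", "scan", "flood")        # coarse traffic profile observed per window
ACTIONS = ("allow", "rate_limit", "block")  # flow rule the agent installs for the window

# Constructed reward table (assumption). This is the hand-designed part: the
# operator has to encode which response is wanted in which situation.
REWARD: Dict[Tuple[str, str], float] = {
    ("benign", "allow"): 1.0, ("benign", "rate_limit"): -0.5, ("benign", "block"): -1.0,
    ("scan", "allow"): -0.5, ("scan", "rate_limit"): 1.0, ("scan", "block"): 0.2,
    ("flood", "allow"): -1.0, ("flood", "rate_limit"): 0.2, ("flood", "block"): 1.0,
}

# Constructed transition model (assumption): probability of the next window's
# profile given the current one. Blocking ends the activity, so the chain
# restarts from the benign row.
TRANS = {
    "benign": (0.85, 0.10, 0.05),
    "scan": (0.50, 0.40, 0.10),
    "flood": (0.30, 0.10, 0.60),
}


class ToyNetworkEnv:
    def __init__(self, seed: int = 0) -> None:
        self.rng = random.Random(seed)
        self.state = "benign"

    def step(self, action: str) -> Tuple[float, str]:
        """Apply the action to the current window; return (reward, next profile)."""
        reward = REWARD[(self.state, action)]
        row = TRANS["benign"] if action == "block" else TRANS[self.state]
        self.state = self.rng.choices(STATES, weights=row, k=1)[0]
        return reward, self.state


QTable = Dict[Tuple[str, str], float]


def q_update(q: QTable, s: str, a: str, r: float, s_next: str, alpha: float, gamma: float) -> None:
    """Bellman-style off-policy update: the target uses max_a' Q(s', a'), whatever
    action the behaviour policy will actually take in s'."""
    best_next = max(q[(s_next, a2)] for a2 in ACTIONS)
    q[(s, a)] += alpha * (r + gamma * best_next - q[(s, a)])


def epsilon_greedy(q: QTable, s: str, epsilon: float, rng: random.Random) -> str:
    """Behaviour policy: explore with probability epsilon, otherwise exploit."""
    if rng.random() < epsilon:
        return rng.choice(ACTIONS)
    return max(ACTIONS, key=lambda a: q[(s, a)])


def train(steps: int = 20000, alpha: float = 0.05, gamma: float = 0.8,
          epsilon: float = 0.2, seed: int = 0) -> QTable:
    env = ToyNetworkEnv(seed)
    rng = random.Random(seed + 1)
    q: QTable = {(s, a): 0.0 for s in STATES for a in ACTIONS}
    s = env.state
    for _ in range(steps):
        a = epsilon_greedy(q, s, epsilon, rng)
        r, s_next = env.step(a)
        q_update(q, s, a, r, s_next, alpha, gamma)
        s = s_next
    return q


def greedy_policy(q: QTable) -> Dict[str, str]:
    """The learned response: the best action per traffic profile."""
    return {s: max(ACTIONS, key=lambda a: q[(s, a)]) for s in STATES}
```

After training, `greedy_policy` returns allow for benign windows, rate_limit for scans and block for floods, which is exactly what the reward table encodes; the agent has learned nothing the operator did not already put into `REWARD`. That is the practical caveat behind the text's remark about reward design: in a real deployment the reward has to come from something observable (dropped benign sessions, controller load, alerts from a separate detector), and a poorly chosen signal trains a poorly behaved agent.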
TABLE VII
SUMMARY OF THE REVIEWED REINFORCEMENT LEARNING-BASED ML MODELS TO DETECT INTRUSION IN SDN

| Objective | Algorithm | Dataset | Controller | Testbed | Features Selection (FS) | FS Approach | Classification Type | IDS Domain | Ref. |
|---|---|---|---|---|---|---|---|---|---|
| Usage of RL and NFV in SDN for anomaly detection. | RL | Self-generated using the Mininet platform along with Docker. | POX | Mininet | Not mentioned | Not mentioned | Not mentioned | Flow-based | [178] |
| Attack detection and alleviation using SDN flow through redirection into virtual appliances. | DQN, PPO | Self-generated using regular network traffic. | OpenDaylight | Not mentioned | Port, TCP flags, Packet size, Packet count, Security logs and alerts, Protocol, and SDN flows. | Manual selection | Multiclass classification: SSH password brute-force, Slowloris DDoS, DNS tunneling. | Flow-based, Packet-based | [179] |
| TCP SYN-flood and Advanced Persistent Threat (APT) detection using RL based agent. | Neural Fitted Q-Learning | Simulated traffic. | OpenDaylight | Mininet | Not mentioned | Not mentioned | Binary classification: TCP SYN-flood class and APT attack. | Flow-based | [180] |
| Develops a defense mechanism for DoS attack by incorporating the optimal policy resulting from the Q-Learning agent. | Q-Learning | Simulated traffic. | ONOS | MaxiNet [183] | 10 features: Average packets/flow, average packet size/flow, packet change ratio, flow change ratio, average duration/flow, percentage of pair-flows, growth of different ports, average flow inter-arrival time, fraction of TCP flows over total incoming flows and entropy of incoming flows. | PCA with SVM, Binary BAT with RF. | Binary classification: Normal and DoS. | Flow-based, Statistics-based | [181] |
| Deep RL-based traffic sampling for several traffic analyzers in SDN. | DDPG, MDP | Generated traffic using Iperf and Hping3 tools. | OpenDaylight | Self-constructed | Not mentioned | Not mentioned | Binary classification: Normal and Malicious. | Flow-based, Packet-based | [184] |
In IDS, many authors have successfully applied deep learning models for classification tasks. DL-based models generally consist of complex and wide neural networks. DL-based models can extract features from the input data and do not require feature engineering, which is one of the significant reasons why DL models are becoming more popular day by day. DL models can also be classified as SL-based and UL-based models. The most common SL-based DL models are CNN, RNN, DNN, and DBN. On the other hand, RBM, Stacked Autoencoder, and Generative Adversarial Network (GAN) are UL-based models.

A. SL Based DL Algorithms
Below, we briefly discuss some commonly used SL-based DL algorithms and review the existing literature utilizing these algorithms for IDS solutions in SDN.

Deep Neural Network (DNN)
A DNN is a feedforward architecture with numerous hidden layers. Whereas a shallow neural network has only one hidden layer, a DNN has at least two hidden layers, as shown in Fig. 11. The performance of a DNN is excellent compared to a single-layer neural network because, through its various layers, each layer creates features that are more abstract and represent the complex associations among the previous ones. It also means that the run-time complexity and training of the model are computationally costly.

Fig. 11. A generic DNN architecture.

Recurrent Neural Network (RNN)

Fig. 12. A generic RNN structure.

An RNN is designed to model contextual/sequential data by extending the functionality of the conventional feed-forward ANN. An RNN consists of the input unit and hidden and output layers, where the hidden layers are the memory components. Every unit in an RNN receives the current state as well as the previous states to extract contextual information for modeling the sequential data. As depicted in Fig. 12, if the network's initial input is X and the output is S, the network is fed both S and X1 (i.e., the next input in the sequential dataset) for the next round of learning. By doing this, the data context (previous inputs) is retained throughout the network's training. The distributed hidden layers allow the RNN to store previous information efficiently, making it a powerful tool. LSTM and GRU are the two variants
of RNN that try to overcome the short-term memory problem of the RNN by using a mechanism called gates. Gates are basically neural networks that control the flow of data through the sequence chain.

Convolutional Neural Network (CNN)
CNNs are neural networks with one or more convolutional layers that are primarily used for image processing, detection, segmentation, and classification-related tasks. Convolution and pooling are the two primary operations present in a CNN. The convolution operation with multiple filters is capable of extracting features (i.e., feature maps) from the dataset while preserving their spatial information. Pooling, also known as subsampling, is a technique for reducing the dimensionality of the extracted features (feature maps) created by the convolution operation. A typical CNN architecture is shown in Fig. 13, where every input image is processed through multiple layers of convolution and pooling of different kinds and filters before being passed to the fully connected layers.

Fig. 13. A generic CNN architecture.

Supervised DL Based IDS in SDN
Now, we analyze some of the supervised DL-based IDS in SDN.
Tang et al. [185] present a DL scheme for flow-based anomaly recognition in SDN with an input layer, three hidden layers and an output layer. The model achieved 75.75% accuracy in detecting flow traffic-based anomalies.
Tang et al. [186] extended their previous work [185] by proposing a GRU-RNN based IDS for the SDN paradigm and attained an accuracy of 89%, an improvement of 13.25 percentage points over their previous work. The GRU-RNN captures long-term contextual representations better, which yields a higher anomaly detection rate.
A DL-based botnet detection method is presented by Maeda et al. [187]. The proposed system initially detects the infected host and then isolates that host using SDN. For detecting malware, training is conducted using data obtained from botnet traffic collected on a traditional network, after which the detection performance is tested. Botnet traffic is retransmitted to isolate a bot-infected device in the SDN, and connectivity with the source IP identified by the ML classifier is blocked and isolated.
DeepIDS, a flow-based deep learning IDS model for SDN, is proposed by Tang et al. [188]. Using DNN and GRU-RNN, they implemented DeepIDS in a POX controller. They also assessed their model in terms of resource utilization, latency and throughput.
Albahar [189] presents an RNN-based DL model with a novel regularization method called RNN-SDR that decays the weights according to the calculated standard deviation of the weight matrices and then compares the result with its predecessor. The proposed system is a three-part framework that collects flow information at stage 1. At stage 2, it detects anomalies using the novel regularization method, and based on the stage 2 detection, the mitigation module (stage 3) drops or forwards the packet.
Li et al. [190] propose a DL model to distinguish DDoS attacks in the SDN paradigm. Their system is composed of an input layer, forward and recursive layers, a fully connected hidden layer, and finally the output layer. In their model, they make use of RNN, LSTM, and CNN, and they use a time window to feed data into the model.
Boukria and Guerroumi [191] propose a DNN-based IDS solution using the CICIDS2017 dataset in a Mininet environment set up with an ONOS controller [192]. Letteri et al. [193] also proposed an MLP-based botnet detection method in SDN with a subset of the SDN-specific HogZilla dataset.
Kurochkin and Volkov [194] propose a GRU-RNN based model using a more advanced and practical attack-oriented dataset named CSE-CIC-IDS2018. The model achieved an F1-score of 1.00 in detecting DDoS attacks. However, it yields a low detection score on the attacks labeled web and infiltration.
Novaes et al. [195] propose an anomaly recognition and mitigation oriented modular system for detecting port scan and DDoS attacks by utilizing LSTM and a fuzzy inference logic algorithm in the SDN environment. The authors quantified the network attributes using entropy measurements and then used LSTM to predict the pattern of each feature of normal traffic [12]. The first module is the classification module, which uses LSTM to predict ordinary network traffic activity. The second module is responsible for detecting anomalous activities; it uses the BCI theorem to dynamically create a normality threshold, followed by fuzzy logic to classify the presence of an anomaly at a specific point in the analysis. The third module is in charge of mitigating observed irregularities, intending to minimize the damage caused by an intruder.
Gadze et al. [196] analyze DL-based models' performance for identifying and mitigating DDoS attacks in SDN. The primary focus of their investigation is to detect UDP, TCP, and ICMP flood attacks. LSTM and CNN have been used to
demonstrate the DL-based models' performance over classical ML-based models. These models are trained and tested with simulated traffic using the hping3 tool. Their experiment results show that LSTM is the best model with an accuracy of 89.63% under the given circumstances. On the other hand, SVM performs best among linear-based models with an accuracy of 86.85%. Additionally, they also present a comparison that reflects the highest and lowest time taken to detect anomalies using different split ratios.
Ali and Yousaf [197] propose a novel three-phase IDS and prevention system regarding validation of user, packet, and flow in the network. It is a three-phase architecture where authentic IoT users are validated using radio-frequency identification and a SHA-256 signature in the first phase. To encrypt the security credentials, the authors also provided a novel algorithm. In the second phase, using type-2 fuzzy logic, packets are classified as normal, dubious, and malicious. Using a CNN-based model, dubious packets are analyzed to predict invader packets and classify the source device correctly in the last phase.
CNN is also explored in the IDS solution in SDN by Kim et al. [198]. For the CNN-based model, the authors have created two kinds of intrusion images, namely RGB and grayscale. They have used KDD CUP 1999 and CSE-CIC-IDS2018, focusing on detecting DoS attacks. They have also experimented with multiple kernel sizes, achieving different accuracies. Experiments are conducted using an RNN-based model with five (5) embedding vectors and a sigmoid activation function as hyperparameters, and the performances of the two models are compared using both binary and multiclass frameworks.
Dey and Rahman [199] investigate two different flow-based IDS methods in the OF controller. The first method has used the RF classifier algorithm with a gain ratio feature selection assessor. The second method has used GRU-LSTM memory with a recursive feature elimination selection method and achieved improved performance over the first one.

B. UL Based DL Algorithms
Now we briefly discuss some of the commonly used UL-based DL algorithms and review the existing literature utilizing these algorithms for IDS solutions in SDN.

AutoEncoder (AE)
AEs are an unsupervised DL technique that learns a compressed distributed representation of the given data, mainly focusing on dimensionality reduction. It can learn Non-Linear (NL) transformations using NL activation functions in multiple layers, providing many representations of diverse dimensions [200], making it an alternative to PCA. It is composed of two symmetric modules, namely encoder and decoder, and a code segment, as shown in Fig. 14. The encoder collects features from the input data, and the decoder recreates the data from the features collected. The code segment holds the extracted features. There exist various types of AEs, such as sparse, stacked, and denoising AEs.

Fig. 14. A generic structure of an autoencoder.

Restricted Boltzmann Machine (RBM)
RBM is a UL-based method, an energy-based probabilistic neural network having a two-layer network structure with symmetric connectivity and no connections within a layer [201]. One layer is called the visible layer, and the other one is called the hidden layer. Every visible layer node is connected with all other nodes in the hidden layer, as shown in Fig. 15, where Vi represents a visible layer node, Hj represents a hidden layer node and Wij represents the weight between nodes. RBM does not differentiate between the forward and backward propagation, keeping the weights the same in both directions.

Fig. 15. A generic architecture of an RBM.

Unsupervised DL-Based IDS in SDN
Now we analyze some of the unsupervised DL-based IDS in SDN.
To create a multi-vector DDoS detection method, Niyaz et al. [202] have used a Stacked Auto-Encoder (SAE). Their model also outlines whether received traffic is regular or attack oriented. The model reduced the collection of feature attributes extracted through the network traffic headers to increase the recognition performance and lessen the FAR.
An adaptive polling and sFlow-based sampling scheme for identifying DDoS attacks in IoT networks was proposed by Ujjan et al. [203]. They have used a Snort-based IDS along with SAE for the detection process between normal and malicious traffic.
Dawoud et al. [204] propose an unsupervised method for anomaly detection in SDN. In the first stage, they have employed the AE algorithm to minimize the reconstruction error of input samples. In the second stage, clustering was done using the K-Means algorithm to cluster normal and abnormal traffic.
By exploiting the collective intelligence between the data and control planes of SDN, Han et al. proposed a framework named Overwatch [205]. It detects DDoS attacks by utilizing an autoencoder along with a softmax classifier. The framework also decreases overhead in the southbound interface of SDN. It divides defensive functions collectively between the data and control planes, allowing both planes to detect and defend against DDoS attacks at various levels.
In another study, Novaes et al. [206] have developed a detection and prevention system in SDN based on adversarial training, which leverages the GAN framework to identify DDoS attacks. The adversarial training makes the system less vulnerable to adversarial attacks. They also compared the proposed system's performance to that of other DL-based techniques for detecting DDoS in SDN, such as CNN, LSTM, and MLP. The system is divided into two phases. They assessed the suggested method for detecting UDP flood attacks in an SDN environment with high transmission rates in the first phase. The system performance for identifying DDoS attacks against various applications is evaluated in the second phase.
In [35], Dawoud et al. demonstrate a reliable anomaly detection system for an SDN-based IoT network. IoT devices are positioned at the lowest layer of their proposed architecture, whereas SDN layers such as the control and forwarding layers are located on top of the IoT devices. The detection system resides at the controller layer and uses RBM to interface directly with the network in their proposed system. According to the authors, the deployment of IDS at the application layer is unable to avoid the controller threats. This approach employs a two-layer RBM network with hidden and visible layers, the latter of which comprises 41 nodes, equal to the number of features of the KDD'99 dataset. The tests of this anomaly detection system revealed that it produces an accuracy rate of 94%, which is greater than that of PCA and SVM.
Shu et al. [208] demonstrate an IDS for Vehicular Ad Hoc Networks (VANETs) by installing a distributed SDN controller on each base station to distinguish regular network traffic from malicious network traffic. Using the full network flow information, they used GAN to jointly train numerous SDN controllers for the entire VANET without directly exchanging their sub-network flows. This IDS approach allows distributed SDN controllers to detect their sub-network flows separately, reducing communication and computation overheads.
Mohanapriya and Shalinie demonstrate a DDoS detection method based on RBM [209]. The suggested approach is divided into two phases: data acquisition and attack detection. A flow collector captures incoming traffic flows from data plane switches and saves them in the database during the data collection step. The hit count and energy consumption rate are determined initially in the attack detection step. The RBM model starts for a particular MAC address if the hit count exceeds the average threshold value and the energy consumption rate is higher than another threshold.

Table VIII presents a tabular summary of the aforementioned reviewed articles that depicts the objective of the study, adopted DL algorithms for building the IDS solution, dataset used for the task, core feature selection, chosen SDN controller, and the attack classification type, corresponding IDS domain along with their simulated testbed.

In the next section we discuss those studies which have adopted hybrid approaches to develop IDS solutions specific to SDN.
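Novaes et al. [195] quantify a network attribute with entropy and then decide against a dynamically derived normality threshold. The following added example (not code from the survey or from [195]) shows that trigger in its simplest form: normalised Shannon entropy of the source and destination IP addresses in each window of flow requests, with a per-attribute normality band learned from baseline windows. The mean ± max(k·σ, min_margin) band is an assumed stand-in for the paper's LSTM prediction and BCI-derived threshold (the fuzzy-logic step is not modelled), and all traffic windows are constructed.

```python
"""Entropy-based anomaly trigger with a learned normality threshold.

Added example, not code from the survey or from Novaes et al. [195].  It
follows the first two steps the survey describes for that scheme: quantify
a network attribute of each observation window with Shannon entropy, then
decide against a normality threshold.  Here the attributes are the source
and destination IP addresses of the flow requests a controller sees per
window, and the threshold is a per-attribute band of mean +/- max(k*sigma,
min_margin) learned from baseline windows.  That band is an assumed stand-in
for the paper's LSTM prediction and BCI-derived threshold, and all traffic
windows below are constructed.
"""
import random
from collections import Counter
from math import log2
from statistics import mean, pstdev


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def normalised_entropy(values):
    """Entropy divided by its maximum log2(n), so windows of different size
    compare on a 0..1 scale (1 = every value distinct, 0 = all identical)."""
    n = len(values)
    return shannon_entropy(values) / log2(n) if n > 1 else 0.0


def window_features(window):
    """window: list of (src_ip, dst_ip) flow requests observed in one interval."""
    return {
        "src_ip": normalised_entropy([s for s, _ in window]),
        "dst_ip": normalised_entropy([d for _, d in window]),
    }


def learn_thresholds(baseline_windows, k=3.0, min_margin=0.05):
    """Per-attribute normality band (low, high) from attack-free windows."""
    feats = [window_features(w) for w in baseline_windows]
    bands = {}
    for attr in feats[0]:
        xs = [f[attr] for f in feats]
        margin = max(k * pstdev(xs), min_margin)  # floor keeps tiny-variance baselines usable
        bands[attr] = (mean(xs) - margin, mean(xs) + margin)
    return bands


def classify_window(window, bands):
    """Return (is_anomalous, attributes outside their band, measured entropies)."""
    feats = window_features(window)
    violated = [a for a, (lo, hi) in bands.items() if not lo <= feats[a] <= hi]
    return bool(violated), violated, feats


# ---- constructed traffic (not captured data) ------------------------------
HOSTS = [f"10.0.0.{i}" for i in range(1, 21)]     # 20 legitimate clients
SERVERS = [f"10.0.1.{i}" for i in range(1, 9)]    # 8 servers


def normal_window(rng, size=200):
    return [(rng.choice(HOSTS), rng.choice(SERVERS)) for _ in range(size)]


def flood_window(rng, victim="10.0.1.3", size=200, attack_share=0.8):
    """Spoofed-source flood toward one victim mixed with background traffic:
    source entropy rises (many one-off addresses), destination entropy drops."""
    n_attack = int(size * attack_share)
    spoofed = [(f"172.16.{rng.randrange(256)}.{rng.randrange(256)}", victim)
               for _ in range(n_attack)]
    return spoofed + normal_window(rng, size - n_attack)


def demo(seed=7):
    rng = random.Random(seed)
    bands = learn_thresholds([normal_window(rng) for _ in range(10)])
    quiet = [classify_window(normal_window(rng), bands)[0] for _ in range(5)]
    flagged, violated, feats = classify_window(flood_window(rng), bands)
    return {"bands": bands, "quiet_windows_flagged": quiet,
            "flood_flagged": flagged, "flood_violations": sorted(violated),
            "flood_entropy": feats}


if __name__ == "__main__":
    print(demo())
```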

TABLE VIII
SUMMARY OF THE REVIEWED DEEP LEARNING-BASED MODELS TO DETECT INTRUSION IN SDN

| Objective | Algorithm | Dataset | Controller | Testbed | Features Selection (FS) | FS Approach | Classification Type | IDS Domain | Ref. |
|---|---|---|---|---|---|---|---|---|---|
| Securing SDN-IoT network through DL method. | RBM | KDD'99 | Not Mentioned | Self-Constructed | All 41 Features of KDD'99 dataset. | NA | Binary Classification: Normal class and Anomaly class. | Flow-based | [35] |
| Detecting Intrusion in SDN using a DNN. | DNN | NSL-KDD | Not Mentioned | Self-Constructed | Duration, Protocol type, Src/Dst. bytes, Server count and Dst. Host Same Source Port Rate. | Manual Selection | Multiclass Classification: Normal, DoS, R2L, Probe, U2R and Unknown Attacks. | Flow-based | [185] |
| DDoS Attack Recognition System. | SAE | Collected from a real network scenario and a private network testbed. | POX | RIT and GENI [207] | 68 features, extracted for TCP flows, UDP flows and ICMP flows. | NA | Multiclass Classification: Normal and 7 classes of DDoS attacks. | Flow-based, Packet-based | [202] |
| Develop a GRU-RNN based IDS solution in SDN. | GRU-RNN | NSL-KDD | POX | Not Mentioned | 6 Features – Duration, Prot

ocol type, Src/Dst. bytes, Server count, and Dst. Host Same Src. Port Rate. | NA | Binary Classification: Legitimate class and Anomaly class. | Flow-based | [186] |
TABLE VIII (Continued)

| Objective | Algorithm | Dataset | Controller | Testbed | Features Selection (FS) | FS Approach | Classification Type | IDS Domain | Ref. |
|---|---|---|---|---|---|---|---|---|---|
| Detecting Botnets in SDN. | MLP | CTU-13 and ISOT | RYU | Not Mentioned | Statistical, IP, TCP, UDP and Raw Feature Set. | NA | Binary Classification: Normal class and Botnet class. | Session-based, Flow-based | [187] |
| Deep Learning based IDS solution in SDN. | DNN, GRU-RNN | NSL-KDD | POX | Cbench [210] | Basic, Traffic and Mixed Feature Set. | NA | Multiclass Classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [188] |
| Developing an RNN based IDS for SDN. | RNN | KDD99, NSL-KDD and UNSW-NB15 | Beacon [211] | Mininet | Protocol Type, Service, Duration and Flag. | NA | Multiclass Classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [189] |
| DDoS attack Detection using Deep Learning Method in SDN. | DNN | ISCX 2012 | Not Mentioned | Not Mentioned | 20 Features – Flow based. | NA | Binary Classification: Normal class and DDoS attack. | Flow-based, Statistics-based | [190] |
| Detection of DDoS Attack using sFlow and Adaptive polling sampling method. | SAE | Self-Generated using Mininet Virtual IoT Topology. | RYU | Mininet | 18 Features – TCP Flows; 15 Features – UDP Flows; 10 Features – ICMP Flows. | NA | Binary Classification: Normal class and DDoS class. | Flow-based | [203] |
| DNN-based IDS solution for SDN paradigm. | MLP | CICIDS2017 | ONOS | Mininet | 79 Features – Flow based. | Min/Max Scaler Technique | Multiclass Classification: Normal, DDoS, DoS, PortScan, Web Attack, Brute force, Bot, Infiltration. | Flow-based | [191] |
| DNN-based Botnet detection in SDN. | MLP | HogZilla | Not Mentioned | Not Mentioned | 22 Features – Flow based. | Manual Selection | Binary Classification: Normal and Botnet. | Flow-based | [193] |
| IDS solution for SDN and evaluation of different ML algorithms' performance. | GRU-RNN | CSE-CIC-IDS2018 | Not Mentioned | Not Mentioned | 80 Features – Flow based. | NA | Multiclass Classification: Normal, DDoS, DoS, Infiltration, Web Attack, Brute force, Bot. | Flow-based | [194] |
| Building a modular architecture to detect Port Scan and DDoS attack in SDN. | LSTM, Fuzzy Inference Logic | CIC-DDoS2019 [212], [213] | Floodlight | Mininet | Time-stamp Features. | LSTM | Multiclass Classification: Normal, DDoS, Port-Scan. | Flow-based, Packet-based | [195] |
| Investigating the performance of DL-based models in DDoS attack detection. | RNN, LSTM, CNN | Simulated | Floodlight | Mininet | 7 Features: Src/Dst. IP address, Transmission protocol, Delay, Throughput, Number of packets, Number of hosts. | NA | Binary Classification: Normal and DDoS. | Flow-based, Statistics-based | [196] |
| Developing a 3-tier IDS and prevention framework through validation of user, packet and flow of the network in SDN-IoT paradigm. | CNN, Type-2 Fuzzy | Not Mentioned | Not Mentioned | Not Mentioned | 6 Features: Protocol type, Transport protocol, Src/Dst. IP address, Src/Dst. port no. | CNN | Binary Classification: Normal and Malicious. | Flow-based | [197] |
| CNN-based DoS attack detection. | CNN, RNN | KDD CUP 1999, CSE-CIC-IDS2018 | Not Mentioned | Not Mentioned | 41 Features – KDD CUP 1999; 78 Features – CSE-CIC-IDS2018. | NA | Binary Classification: Benign & Attack. Multiclass Classification: Benign, Hulk, SlowHTTPTest, GoldenEye, Slowloris, LOIC-HTTP, HOIC. | Flow-based | [198] |
| Evaluating ML methods' impact in flow-based anomaly detection. | RF, GRU-LSTM | NSL-KDD | Not Mentioned | Not Mentioned | Nominal, Numeric and Binary Feature Set. | RF | Multiclass Classification: Normal, DoS, R2L, Probe, U2R and Unknown Attacks. | Flow-based | [199] |
| Detection and prevention mechanism of SSH brute-force and DDoS attacks in SDN. | CNN, LSTM, MLP, SAE | Self-Generated using synthetic topology. | RYU | Not Mentioned | Packet length sequence and packet header information. | NA | Binary Classification: Normal and Attack. | Flow-based | [214] |
| Synthesized attack generation using GAN in SDN to test the IDS against those attacks. | GAN, KNN, RF | Self-Generated using synthetic topology. | Not Mentioned | GENI [215] | Not Mentioned. | GAN, RF | Binary Classification: Benign and Suspicious. | Flow-based, Packet-based | [216] |
| Evaluating UL-based AutoEncoder and K-Means algorithms to recognize anomalies in SDN. | AutoEncoder, K-Means | KDD'99 | Not Mentioned | Not Mentioned | All 41 Features of KDD'99 dataset. | NA | Binary Classification: Normal and Abnormal. | Flow-based | [204] |
| Prevent DDoS attacks using a cross-plane framework that uses the collective intelligence of both the data and control plane. | AutoEncoder, Softmax | Self-generated real-time network traffic. | RYU | Self-Constructed with real hardware setup. | 16 Features – TCP, UDP, and ICMP based. | NA | Multiclass Classification: Normal, UDP flood, SYN flood, ICMP flood. | Flow-based | [205] |
TABLE VIII (Continued)

| Objective | Algorithm | Dataset | Controller | Testbed | Features Selection (FS) | FS Approach | Classification Type | IDS Domain | Ref. |
|---|---|---|---|---|---|---|---|---|---|
| GAN-based DDoS detection and prevention mechanism in SDN. | GAN, LSTM, CNN, MLP | CIC-DDoS 2019 | Floodlight | Mininet | 6 Features. Quantitative features: bits and packets. Qualitative features: Source IP & Ports, Destination IP & Ports. | Manual Selection | Multiclass Classification: Normal, NTP, DNS, LDAP, MSSQL, NetBIOS, SNMP, SSDP, UDP, UDP-Lag, WebDDoS, SYN, and TFTP. | Flow-based | [206] |
| A DL-based collaborative IDS for VANET. | GAN | KDD'99, NSL-KDD | Not Mentioned | Not Mentioned | All 41 Features of KDD'99 dataset. | NA | Binary Classification: Normal and Attack. | Flow-based | [208] |
| A GRU-based DL system against DDoS attack in SDN. | GRU, FCN | CIC-DDoS 2019, CIC-IDS-2018 | Not Mentioned | Not Mentioned | 83 Features. | Manual Selection | Binary Classification: Normal and Attack. | Flow-based | [217] |
| RBM-based DDoS attack detection in SDN. | RBM | Self-generated using synthetic topology. | POX | Mininet | Not Mentioned. | NA | Binary Classification: Normal and Attack. | Flow-based | [209] |

VII. HYBRID MODELS BASED IDS IN SDN
This section discusses the IDS schemes that have combined two or more ML and DL techniques in either a supervised or unsupervised manner in various steps of training a single model, such as preprocessing, feature selection, and classification, as presented in Fig. 6 of the intrusion detection process in SDNs. By hybrid model, we mean that the feature selection module can use an ML or DL-based algorithm; however, the classification module can use a different ML or DL-based algorithm in a single proposed model. Those studies which have experimented with both supervised and unsupervised ML/DL-based algorithms without combining them in a single model are classified as hybrid (multiple models) in this study (see Table XI). Intrusion detection performances in SDNs were individually evaluated for each supervised and unsupervised learning-based algorithm in either the ML or DL field in a mixed architecture.
Abdallah et al. [218] present a hybrid IDS that learns spatial and temporal features from input flows by combining the CNN and LSTM algorithms. They have employed one of the most recent SDN attack-specific datasets, InSDN [219]. The high-dimensional features extracted from the CNN are passed into the second stage, which comprises three layers: an LSTM, a fully connected, and an output layer.
Latah and Toker [220] propose a flow statistics based five-level hybrid IDS for SDN. They have used one classifier in each level of the model. For the 1st level, they have applied the KNN method; at the 2nd level, an extreme learning machine was used; and for the following levels, a hierarchical extreme learning machine was used in their approach. They have adopted the NSL-KDD dataset and selected six significant features for the model.
Malik et al. [221] propose a hybrid DL framework that detects cyber threats in the SDN's control plane by leveraging the extrapolative power of LSTM and CNN. They have used the CICIDS2017 dataset for their experiment. Their proposed framework successfully detects three separate attacks: XSS, Port Scan, and Botnet with a low FAR.
A DL-based detection and prevention mechanism against SSH brute-force attacks is proposed by Lee et al. in [214]. Four different DL-based models, including CNN, LSTM, MLP, and SAE, are constructed and evaluated using the proposed IDS to detect SSH brute-force attacks on SDN-enabled networks using features such as packet length sequence and packet headers.
Encouraged by the success of the transformer network architecture [222] in text-classification and image classification tasks in natural language processing and computer vision, He et al. [223] and Bikmukhamedo et al. [224] have applied the transformer architecture to traffic classification and attained decent results. By combining the CNN and the transformer to apply DDoS attack detection in SDN, Wang and Li propose a hybrid DDoSTC architecture [225]. They have divided the DDoSTC model into three parts: the transformer layer, CNN layer, and dense layer. The transformer architecture provides computational proficiency and scalability, and the CNN provides robust analytical ability.
The authors in [226] create a hybrid of SVM, an improved history-based IP filtering scheme and a SOM classifier to secure the network. In this scheme, the raw-data processing module gathers traffic, extracts features, and sends them to the classifier module. The ensembled classifier determines if the data is an anomaly or routine. To filter the traffic for mitigation, an enhanced history-based IP filtering approach is used.
To identify ICMP attacks, Nam et al. [164] suggest a hybrid ML model based on SOM and KNN. They have added four additional modules to the controller: monitor, algorithm, alert, and DDoS mitigation. During the training phase, SOM is utilized in the algorithm module to cluster traffic into intrusion and normal categories. KNN assigns a label to the network state based on the labels of the k nearest neighbors.
To classify abnormal flows in the SDN-based Smart Grid communication network, Ding et al. suggest a HYBRID-CNN approach [227]. The HYBRID-CNN, in particular, employs a DNN to efficiently learn global features from one-dimensional (1D) data and a CNN to generalize local features from two-dimensional (2D) data. The HYBRID-CNN uses dual-channel data input to extract useful features from 1D and 2D flow data.
It fuses essential features using the self-attention process and ultimately detects using an FCN.
Elsayed et al. proposed a new hybrid DL approach based on CNN and SD-Reg, a new regularizer technique [228]. The model incorporates the CNN architecture as well as machine learning methods (SVM, KNN, and RF). CNN is used to extract the deeper representations of the data features, while the ML methods are used to accomplish the classification task. The new regularization technique avoids the risk of overfitting the model.
A hybrid two-module DL-based model presented by Garg et al. [229] detects anomalous flows in the sector of social multimedia. For the anomaly detection module, it uses an enhanced RBM and a Gradient Descent based SVM to identify anomalous activities. Their module contains two parts, namely selection of features and classification of anomaly. In addition to the anomaly recognition module, they have also suggested a method that safeguards the frequent carriage of multimedia content over the SDN paradigm.
Khan and Akhunzada [230] propose a hybrid deep learning model for the detection of malware in IoMT. The model is composed of CNN and LSTM. The CNN model extracts the local features and passes the output to the LSTM model to acquire more independent features to train the hybrid model.
By configuring the sampling rate for each switch, Kim et al. [184] propose a deep reinforcement learning-based traffic monitoring system in an SDN environment. They utilized a deep deterministic policy gradient-based method to manage MDPs with continuous action spaces to address intrusion utilizing real-time traffic analyzers and monitoring findings dynamically. The suggested system learns a sampling resource distribution strategy based on selected traffic inspection findings received from various traffic analyzers under the uncertainty of flow distribution.
Jiaqi et al. [231] propose an IDS solution for the 5G enabled SDN paradigm. For feature selection using sub-features of the dataset, it utilizes RF, and it combines K-Means with the AdaBoost classifier to classify flows. A comparative analysis of balanced and imbalanced data by evaluating cross validation technique results was also performed.
AlEroud and Karabatis [216] propose a GAN-based method that generates synthetic attacks in SDN. Their method collects flow entries sent back and forth between the controller and OF switches. Similarity analysis of those OF flows was done against the non-OF flows. They have hypothesized that sampling the flow entries of OF switches and testing those using an appropriate IDS can be used to determine threats on SDN. For data generation, they have used two samples. The first sample was collected from a dataset of one hour of malicious traffic from a DDoS attack. Only IP packets are used in the second sample. Both OF and non-OF data were used to generate attacks. The GAN structure in their study consists of a Generator network which creates an agitated form of attack examples, a Discriminator network which provides feedback to the generator for any modification of weights to create sufficient samples to dodge the IDS, and an intrusion detector that manages both OF and non-OF traffic. The generated attacks were used against IDS built with KNN and RF. The detection performance of the IDS drastically reduced when tested against GAN-generated attacks.
Combining three supervised and one unsupervised ML algorithms, namely KNN, NB, SVM, and SOM, Deepa et al. [232] present an ensemble model for recognizing DDoS attacks in the SDN controller. By creating a Mininet virtual setup and a POX controller, they have created a virtual network setup, then applied the CAIDA 2016 dataset to the network consisting of TCP, ICMP, and UDP packets. A time difference of 0.004 sec between the source and the destination is chosen as the threshold value to distinguish between attack and regular traffic. In their system, traffic is passed through the SL-based models, and the type of traffic is identified. If a novel type of attack is identified, the very same supervised learning systems are carried through the unsupervised configuration to recognize traffic, and the connection is then terminated.
Javed et al. propose a DL-based hybrid method by incorporating the DNN, LSTM, and GRU algorithms [233] to detect cyber-attacks in the IoT environment. In their approach, SDN's programmable control plane accommodates the hybrid intrusion detection model. The proposed model consists of several layers. DNN-LSTM is made up of two layers, having 500 and 300 neurons, respectively. They've also added a DNN-GRU layer of 200 neurons. In the output layer, Softmax is employed. The model achieved an efficient and accurate IDS solution by consuming a very little testing time of 9.33 ms.
Tan et al. [234] suggest a hybrid DDoS detection trigger mechanism by merging K-Means and KNN on the SDN data plane. This technique counts the rate at which packet_in messages are sent on switches by utilizing the CPU resources of the switches. It notifies the controller to identify the abnormality when it detects the possibility of a DDoS attack, allowing the controller to respond quickly to the detection trigger mechanism. It comprises a training data processing module based on the K-Means algorithm and a traffic detection module based on the KNN algorithm. The K-Means technique is only used to categorize related instances into distinct categories during the training phase. The measured instance is first normalized in the detection phase. The distances between that instance and the cluster centers are then determined. Finally, the measured instance is classified as normal or abnormal based on the labels of the k points nearest to it [16].
By combining entropy and the C4.5 algorithm to detect DDoS flooding attacks in SDN, Sudar and Deepalakshmi [235] have proposed a two-level IDS. A suspicious detection module and a C4.5 classification module make up the proposed system. In level one, an entropy-based approach is suggested to identify DDoS flooding attacks early on by temporarily interrupting a
specific flow. A C4.5 approach based on ML is presented in level two to identify the attack by assessing additional attributes and sending a permanent notification to drop the packets. To identify DDoS attacks, the suspicious detection module compares the entropy of the source IP addresses to a threshold. The retrieved characteristics are evaluated, and DDoS attack classification is done in the C4.5 classification module.
Table IX presents a tabular summary of the aforementioned reviewed articles that depicts the objective of the study, adopted Hybrid (ML+DL) algorithms for building the IDS solution, dataset used for the task, core feature selection, chosen SDN controller, and the attack classification type, corresponding IDS domain along with their simulated testbed.
In the next section, we discuss those studies which have used ensemble-based approaches to develop IDS solutions specific to SDN.

VIII. ENSEMBLE MODELS BASED IDS IN SDN

An ensemble represents a group of independently trained classifiers, such as neural networks or DTs, as shown in Fig. 16. The results are combined while categorizing new data points or instances to improve overall performance [236]. Models that belong to the ensemble, known as ensemble members, might be of similar types or of various types and might not be trained on similar training data. Although ensemble learning is a very efficient technique, it does have some trade-offs. If an ensemble has one excellent performing member method and some other member methods do not give many benefits, or the ensemble cannot make effective use of their participation, this may lead to poor performance or unexpected outcomes.

Fig. 16. A generic architecture of an ensemble learning-based model.

Random Forest (RF)
RF is another very useful algorithm that is used for regression and classification. By constructing multiple DTs and combining them, RF provides a more efficient and comprehensive prediction, as shown in Fig. 17. RF is a mixture of tree predictors, in which every tree, depending on the values of the arbitrary vectors, is sampled separately with almost the same distribution across all the trees in the forest [237]. RF generalizes over the data in a better way. This randomized set of features makes the RF much more precise than the DT algorithm. RF is suitable when we have a larger dataset, and interpretability is not our core concern.

Fig. 17. A random forest (RF) classifier based on multiple DTs.

The most popular ensemble methods include RF, boosting, bagging, cascading and stacking. Boosting is a useful tool that learns from the flaws of previous models to improve classification efficiency [238]. Bagging improves the performance of the prediction by using DTs, which decreases variance to a substantial measure. Bagging is categorized into two kinds: bootstrapping and aggregation. Stacking functions by enabling a training algorithm to combine the results of a number of related learning algorithms.
Demirpolat et al. [239] propose a novel SDN-specific intrusion dataset in their study. They have used a Few Shots Learning Classifier (FSLC), a weighted average ensemble, and SVM models to detect intrusion in SDN by evaluating performance on two publicly available datasets, UNSW-NB15 and Bot-IoT, and one proposed SDN dataset. They have also highlighted how traditional intrusion datasets cannot capture full information regarding SDN architecture.
Swami et al. [240] propose two ensemble models named Voting-CMN, combining the CART, MLP, and NB algorithms, and Voting-RKM, combining the RF, KNN, and MLP algorithms, to identify DDoS attacks in SDN architecture. They have evaluated those models' performance along with each model used in the ensemble using the UNSW-NB15, CICIDS2017, and NSL-KDD datasets. Voting-CMN performed better than the individual CART, MLP, and NB models with an F1-Score of 99.28% and an accuracy of 89.29% on the UNSW-NB15 dataset. Voting-RKM achieved an accuracy of 97.77% and an F1-Score of 96.36% on the CICIDS2017 dataset, which is better than the individual models comprising that architecture. However, the False Alarm Rate of Voting-CMN performed poorly with a value of 20.2%.
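Tan et al. [234] (Section VII above) split their data-plane DDoS trigger into a K-Means training phase and a KNN detection phase over normalized switch measurements. The following added example (not code from the survey or from [234]) implements that two-phase decision on per-switch packet_in statistics; the two features, the min-max scaling, the restriction of the KNN vote to the members of the nearest cluster and every sample value are assumptions, and the training set is constructed.

```python
"""K-Means (training) + KNN (detection) DDoS trigger on switch statistics.

Added example, not code from the survey or from Tan et al. [234]: the
training phase clusters labelled per-switch measurements with K-Means; the
detection phase min-max normalises a new measurement, finds the nearest
cluster centre and lets the labels of the k nearest training points in that
cluster decide normal vs. attack.  Feature choice, scaling, the cluster
restriction and every number are assumptions; all data are constructed.
"""
import random
from math import dist

# Assumed per-switch statistics sampled once per second: packet_in messages
# sent to the controller, and the share of them whose source IP the switch
# has not seen before in the current window.
FEATURES = ("packet_in_per_s", "new_src_ratio")


def min_max_fit(rows):
    """Per-feature minimum and maximum learned from the training rows."""
    return [min(c) for c in zip(*rows)], [max(c) for c in zip(*rows)]


def min_max_apply(row, lo, hi):
    """Scale one measurement into [0, 1] per feature (constant features map to 0)."""
    return [(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(row, lo, hi)]


def kmeans(points, k, max_iter=100):
    """Lloyd's algorithm with a deterministic start: k points spread along the
    coordinate sum become the initial centres.  Returns (centres, assignment)."""
    order = sorted(range(len(points)), key=lambda i: sum(points[i]))
    step = (len(order) - 1) / (k - 1) if k > 1 else 0
    centres = [list(points[order[round(i * step)]]) for i in range(k)]
    assign = None
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda c: dist(p, centres[c])) for p in points]
        if new_assign == assign:          # converged: no point changed cluster
            break
        assign = new_assign
        for c in range(k):
            members = [p for p, a in zip(points, assign) if a == c]
            if members:                   # an emptied cluster keeps its old centre
                centres[c] = [sum(col) / len(members) for col in zip(*members)]
    return centres, assign


class TriggerModel:
    """Training phase: scale the labelled measurements and cluster them."""

    def __init__(self, rows, labels, k_clusters=2, k_neighbours=5):
        self.lo, self.hi = min_max_fit(rows)
        self.points = [min_max_apply(r, self.lo, self.hi) for r in rows]
        self.labels = list(labels)
        self.k_neighbours = k_neighbours
        self.centres, self.assign = kmeans(self.points, k_clusters)

    def classify(self, row):
        """Detection phase: returns ('normal' | 'attack', index of nearest cluster)."""
        p = min_max_apply(row, self.lo, self.hi)
        cluster = min(range(len(self.centres)), key=lambda c: dist(p, self.centres[c]))
        pool = [(dist(p, q), lab) for q, lab, a in
                zip(self.points, self.labels, self.assign) if a == cluster]
        if not pool:                      # degenerate empty cluster: vote over everything
            pool = [(dist(p, q), lab) for q, lab in zip(self.points, self.labels)]
        nearest = sorted(pool, key=lambda t: t[0])[: self.k_neighbours]
        attack_votes = sum(1 for _, lab in nearest if lab == "attack")
        return ("attack" if 2 * attack_votes > len(nearest) else "normal"), cluster

    def cluster_purity(self):
        """Share of training points whose cluster's majority label equals their own."""
        majority = {}
        for c in set(self.assign):
            labs = [l for l, a in zip(self.labels, self.assign) if a == c]
            majority[c] = max(set(labs), key=labs.count)
        hits = sum(1 for l, a in zip(self.labels, self.assign) if majority[a] == l)
        return hits / len(self.labels)


def constructed_training_set(seed=3, per_class=40):
    """Constructed measurements: quiet switches vs. switches flooded with
    packets from unseen sources (which drives the packet_in rate up)."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(per_class):
        rows.append([rng.uniform(10, 60), rng.uniform(0.05, 0.30)])
        labels.append("normal")
        rows.append([rng.uniform(1000, 2000), rng.uniform(0.70, 1.00)])
        labels.append("attack")
    return rows, labels


def demo():
    rows, labels = constructed_training_set()
    model = TriggerModel(rows, labels)
    return {
        "purity": model.cluster_purity(),
        "quiet_switch": model.classify([25.0, 0.10])[0],
        "flooded_switch": model.classify([1500.0, 0.90])[0],
    }


if __name__ == "__main__":
    print(demo())
```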
TABLE IX
SUMMARY OF THE REVIEWED HYBRID MODELS TO DETECT INTRUSION IN SDN

| Objective | Algorithm | Dataset | Controller | Testbed | Features Selection (FS) | FS Approach | Classification Type | IDS Domain | Ref. |
| SOM-based methods in DDoS flooding attack detection using SDN. | SOM, KNN | CAIDA DDoS Attack 2007 [241] | POX | Not Mentioned | 5 Features: Entropy of source IP, entropy of source port, entropy of destination port, entropy of packet protocol, total no. of packets. | Manual Selection | Binary Classification: Normal and Attack. | Flow-based | [164] |
| Flow-based 5-level hybrid IDS in SDN. | KNN | NSL-KDD [30] | POX | Not Mentioned | 5 Features: Duration, Protocol type, Src. bytes, Dst. bytes, and Server count. | Manual Selection | Multiclass Classification: Normal, DoS, R2L, Probe, U2R and Unknown Attacks. | Flow-based | [220] |
| Developing a hybrid DL-based Reconnaissance and Surveillance Recognition method on the control plane of SDN. | LSTM, CNN | CICIDS2017 | Not Mentioned | Not Mentioned | 83 Features, flow-based. | NA | Multiclass Classification: Benign, Botnet, Port Scan, Cross Site Scripting, Brute force. | Flow-based | [221] |
| A transformer-based hybrid IDS mechanism in SDN. | Transformer, CNN, FCN | CICDDoS2019 | Not Mentioned | Not Mentioned | 76 flow features | NA | Binary Classification: Normal and DDoS. | Flow-based | [225] |
| Effective defense mechanism to detect DDoS attack in SDN-based cloud. | SOM, SVM, and History-based IP filtering. | CAIDA and synthetic data using BoNeSi. | Not Mentioned | Self-Constructed | 10 Features: Flow duration, Packet number, Byte number, Protocol, Active time, Priority, Flag, Flow number and Transferred packet per flow. | Not Mentioned | Binary Classification: Normal and DDoS. | Flow-based, Statistics-based | [226] |
| Deep RL-based traffic sampling for several traffic analyzers in SDN. | DDPG, MDP | Generated traffic using Iperf and Hping3 tools. | OpenDaylight | Self-Constructed | Not Mentioned. | Not Mentioned | Binary Classification: Normal and Malicious. | Flow-based, Packet-based | [184] |
| A hybrid-CNN based abnormal flow detection model in the SDN-based Smart Grid. | CNN, FCN | UNSW-NB15, KDD'99 | Not Mentioned | Not Mentioned | 42 flow features | N/A | Multiclass Classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [227] |
| A novel hybrid model for IDS in SDN based on CNN and a new regularization method. | CNN, KNN, RF, SVM | InSDN | Not Mentioned | Not Mentioned | 48 SDN-specific flow features | NA | Both Multiclass and Binary Classification. Binary: Normal and Attack. Multiclass: Normal, U2R, Web, Probe, Password guessing, DoS (HULK, TorshHammer, HTTP-Flood), DDoS, and Botnet. | Flow-based | [228] |
| Suspicious Flow Recognition in SDN. | RBM, Gradient Descent based SVM | Real-time data traffic and KDD99 benchmark dataset. | Not Mentioned | Not Mentioned | Real-time: 35 features (10 basic features, 8 content-based and 6 host-based features). KDD99: 41 features. | RBM | Multiclass Classification: Normal, DoS, R2L, Probe, U2R and Unknown Attacks. | Flow-based | [229] |
| A hybrid DL-based SDN-enabled malware detection framework for IoMT. | CNN, LSTM | IoT-23 [242] | Floodlight, POX, and OpenDaylight | Not Mentioned | 24 flow features | NA | Binary Classification: Normal and Malware. | Flow-based | [230] |
| IDS solution for 5G-enabled SDN paradigm. | RF, K-Means, AdaBoost | KDD99, NSL-KDD | Not Mentioned | Not Mentioned | KDD99: 41 Features. NSL-KDD: 23 Features. | RF | Multiclass Classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [231] |
| DL-based hybrid IDS solution in SDN-IoT environment. | DNN-LSTM + DNN-GRU | CIC-DDoS-2019 | Not Mentioned | Not Mentioned | 80 flow features. | N/A | Multiclass Classification: Normal, SYN, PortMap, DrDoS_MSSQL, DrDoS_SSDP, WebDDoS, WebDDoS, DR DoS, DrDoS_UDP, UDP-Lag. | Flow-based | [233] |
| A hybrid trigger mechanism-based DDoS detection on SDN data plane. | KNN + K-Means | NSL-KDD | ONOS | Mininet | 41 flow features | K-Means | Binary Classification: Normal and DDoS. | Flow-based | [234] |
| A hybrid entropy and C4.5-based two-level IDS solution for SDN. | Entropy + C4.5 | Self-generated using synthetic tool. | POX | Mininet | 6 Features: Average number of Packets per Flow, Average number of Bytes per Flow, Average Duration per Flow, Pair Flows Percentage, Growth of Single Flows, and Growth of Different Ports. | C4.5 | Binary Classification: Normal and Attack. | Flow-based, Statistics-based | [235] |
Shahzeb et al. [243] present a DL-based ensemble model for classifying DDoS attacks using the ISCX dataset. They provide an ensemble solution by implementing two CNN models. The authors also claim that the proposed models are scalable and cost-effective in terms of CPU utilization. The experimental results show that the proposed model achieved 99.48% accuracy in identifying DDoS attacks.

Zwane et al. [244] evaluate different ensemble methods to detect abnormal flows in SDN and compare their performance with single-classifier models. The experiment is conducted using the flow-based CIDDS-001 dataset. They use DT, NB, and SVM as single classifiers, while Bagging, Adaboost, RF, and Majority Voting are used as ensemble methods. The accuracy of the ensemble methods is slightly greater than that of the individual SL-based non-ensemble methods: the NB model achieved 69.56% accuracy, whereas the bagging version of the NB model achieved 70.74% accuracy.

Zwane et al. [245] propose an ML-based IDS for Tactical Ad hoc Mobile Network (TMANET) that resembles the concept of SDN. Their proposed model consists of two SDN controllers: local and global. The global controller manages the overall network and the different ML methods; SVM, DT, Bagging, Adaboost, and RF are used as classification methods. The local controller, on the other hand, deals with D2D connections, roles of nodes, the embedded sampling agent, etc. The flow-based CIDDS-001 dataset is used to train and test the ML models. According to the experimental results, the ensemble method Adaboost performs best among the models, with 90.3% accuracy.

Yang et al. [246] present a DL-based, unsupervised model named Griffin to detect anomalies in SDN. Griffin is a packet-based anomaly recognition system that can revise the model dynamically to adapt to recent cyberattacks. The Griffin architecture has four parts, deployed in SDN and utilizing an ensemble of AutoEncoders: the packet capture module, the feature extraction module, the feature mapper module, and the anomaly detector. Each packet, with nine characteristics, is accumulated by the packet capture module. The feature extractor generates statistically significant features. The feature mapper subdivides each feature into several instances to increase memory efficiency. The anomaly detector is placed in the SDN control plane, where the ensemble of AutoEncoders is responsible for filtering out anomalous packets. The model's performance was tested with an open dataset contributed by Yisroel Mirsky [247]. The dataset contains packets with four different attack types: DoS, MITM, Recon, and Bot Malware.

To detect DDoS attacks in the SDN cloud, a DT-based ensemble method is proposed by Cheng et al. [248]. The authors claim that their proposed eXtreme Gradient Boosting (XGBoost) models exhibit higher accuracy and provide high-speed anomaly detection. The experiment is executed in a simulated SDN topology using Mininet, and Hyenae is used as the attack-generation tool. The XGBoost model is trained and tested on the KDD'99 dataset by selecting nine significant features out of the dataset's 41 features. The proposed XGBoost model achieved 98.53% accuracy.

Sen et al. [249] propose a DDoS attack recognition model by creating a Mininet testbed for SDN. They use the sFlow-RT network analyzer for traffic monitoring. Their model achieved 93% detection accuracy using the AdaBoost classifier.

Van et al. [250] present an anomaly detection framework based on the NetFPGA-10G board, including an anomaly-based IDS built on the J48 algorithm. The suggested framework is separated into three sections: Input, Processing, and Output. The data and control input ports of the Input unit are used to receive incoming packets. The Processing unit handles incoming packet processing, OpenFlow processing, security processing, and outbound packet processing. After being processed by the processing components, the packet is transferred to an output queue, which delivers it to the relevant data output port based on OpenFlow protocol routing information. Initially, they conducted five J48 DT analyses on the KDD CUP 1999 dataset. The Bagging method was then used to combine the outcomes of the five different DTs, and electoral rules were used to choose the final result.

To predict attacks and effectively reduce the packet drop ratio, Alamri and Thayananthan [251] propose an adaptive bandwidth control procedure. Their framework consists of three phases: monitoring, bandwidth control, and attack detection and alleviation. They use a bandwidth management algorithm combined with an adaptive threshold to penalize flows that exceed the threshold: a punishment mechanism halves the bandwidth of any flow exceeding the threshold, preventing bandwidth exhaustion and ensuring smooth operation of the network even during an attack. They use the XGBoost algorithm to analyze and identify traffic as normal or DDoS using a trigger-based identification and classification strategy. They tested their model on three datasets: CICDDoS2019, CAIDA-DDoS and NSL-KDD, performing both binary and multiclass classification. The binary module classifies normal and DDoS traffic. The multiclass classifier classifies Normal, DNS, LDAP, MSSQL, SYN, UDP, NetBIOS, TFTP, NTP, UDP-lag, and SSDP attacks from the CICDDoS2019 dataset and Normal, Apache2, Back, Land, Mailbomb, Smurf, Teardrop, Pod, Neptune, and Processtable attacks from the NSL-KDD dataset.

Alzahrani and Alenazi [252] explore the tree-based DT, RF, and XGBoost algorithms to analyze their performance in detecting attacks in SDN using only five features of the NSL-KDD dataset. XGBoost performs best, with a higher accuracy of 96.55% in the binary classification problem and similar performance in the multiclass problem.

Table X presents a tabular summary of the reviewed literature that utilizes ensemble models for developing IDS solutions for SDN infrastructure.
TABLE X
SUMMARY OF THE REVIEWED ENSEMBLE LEARNING-BASED MODELS TO DETECT INTRUSION IN SDN

| Objective | Algorithm | Dataset | Controller | Testbed | Features Selection (FS) | FS Approach | Classification Type | IDS Domain | Ref. |
| Intrusion Detection in SDN using Few Shots ensemble learning, and proposing a novel SDN-specific dataset. | FSLC, SVM | Bot-IoT, UNSW-NB15, and proposed SDN dataset. | ONOS | Mininet | UNSW-NB15: 16 Features. Bot-IoT: 16 Features. SDN dataset: 10 Features (Duration, Mean, Standard Deviation, Summation, Minimum, Maximum of records duration, packet count from src. to dst. and vice versa, byte count from src. to dst. and vice versa). | Based on flow entry statistics. | Multiclass Classification: DDoS, DoS, Port Scanning, Fuzzing, Exploits, Fuzzers, Reconnaissance, Generic, Os_Fingerprint, OS_and Service_Detection, Service_scan, Theft. | Flow-based, Statistics-based | [239] |
| Developing voting-based DDoS attack detection framework against SDN. | CART, MLP, NB, RF, KNN, NB | UNSW-NB15, CICIDS2017, and NSL-KDD | Not Mentioned | Not Mentioned | UNSW-NB15: 49 Features. CICIDS2017: 78 Features. NSL-KDD: 41 Features. | Manual Selection | Binary Classification: Normal and DDoS. | Flow-based | [240] |
| DDoS attack detection performance analysis between individual ML algorithms and ensemble learning. | SVM, KNN, NB, SOM | CAIDA 2016 | POX | Mininet | Not Mentioned Specifically. | Extraction of qualitative and quantitative features. | Binary Classification: Normal and DDoS. | Flow-based | [232] |
| Detection of DDoS attack using CNN in SDN. | CNN | ISCX 2012 | Not Mentioned | Not Mentioned | 4 Features: Packet length, Avg. packet size, duration, and IAT. | Z-score normalization. | Binary Classification: Normal and DDoS. | Flow-based | [243] |
| Compare the performance of different ensemble methods with single-model classifiers. | SVC, NB, DT, RF, Bagging, Adaboost, Majority Voting. | CIDDS-001 | Not Mentioned | Not Mentioned | 14 Features, flow-based. | Not Mentioned | Multiclass Classification: 5 Classes (normal, attacker, victim, suspicious, unknown) | Flow-based | [244] |
| Design a flow-based anomaly classifier for Tactical Mobile Adhoc Network (TMANET) incorporating ML and SDN. | SVM, DT, Bagging, Adaboost, RF | CIDDS-001 | Not Mentioned | Not Mentioned | 14 Features, flow-based. | Manual Selection | Multiclass Classification: 5 Classes (normal, attacker, victim, suspicious, unknown) | Flow-based | [245] |
| Develop an unsupervised DL-based model to improve accuracy by training the model dynamically. | Autoencoder | Open-Source Dataset | Not Mentioned | Mininet | 23 Features based on packet size, jitter, magnitude, and count. | RF | Not Mentioned. | Flow-based | [246] |
| Detection of DDoS attack using DT-based ensemble method. | XGBoost | KDD'99 | POX | Mininet | 9 Features: Service, source bytes, packet count, service count, dst. host count, dst. host service count, dst. host service rate, dst. host service error rate. | Not Mentioned | Multiclass Classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [248] |
| DDoS attack detection through various ML algorithms. | AdaBoost, Bayes Net, NB, SVM, MLP, J48, RF | Self-collected dataset generated from synthetic topology. | Not Mentioned | Mininet | 9 Features: Service, TTL, Header Length, Flags, Protocols, Data Bytes, Land, Epoch Time and Reply Response Time. | Not Mentioned | Binary Classification: Normal and DDoS. | Flow-based | [249] |
| Implementing a 3-phase IDS solution in SDN to detect DDoS attack along with a bandwidth control method utilizing a threshold function to penalize the corrupted flow. | XGBoost | CIC-DDoS-2019, CAIDA-DDoS, NSL-KDD. | RYU | Mininet | CICDDoS2019: 20 Features. NSL-KDD: 24 Features. CAIDA: 7 Features. | Information Gain | Both Binary Classification and Multiclass Classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [251] |
| Evaluating the attack detection performance of the tree-based DT, RF and XGBoost classifiers. | DT, RF, XGBoost | NSL-KDD | Not Mentioned | Not Mentioned | 5 Features: Duration, protocol-type, source bytes, and service count. | Experimental trial-based (Manual). | Both Binary Classification and Multiclass Classification: Normal, DoS, R2L, Probe, U2R. | Flow-based | [252] |
| Anomaly detection using payload analysis in OpenFlow switches. | J48 | KDD'99 | Not Mentioned | Not Mentioned | 41 Features | Statistical analysis on the features. | Multiclass Classification: Normal, DoS, R2L, Probe, U2R. | Packet-based, Statistics-based | [250] |

Other than the reviewed ML-DL-based IDS solutions in SDN, researchers all over the world have also adopted numerous other technologies to detect various attacks in the context of SDNs, for instance statistical algorithms [37], [111], [253]–[255], [144], [159], [167], [170]–[172], [226], similarity-based methods [256], graph model-based methods [257]–[259], third-party software like Snort [57], [94], [95], [260]–[262], threshold-based methods [51], [108], [254], [263], [264], fuzzy evaluations [265]–[267], inference-based methods [257], [268], blockchain-based methods [269]–[271], and honeynet-based methods [71], [134], [272]–[274].

In the next section, we summarize the reviewed studies focusing on the learning categories of the ML-DL algorithms, the detection and mitigation approach, and the hyperparameters of the utilized ML-DL models, as well as their performance evaluation metrics.

IX. TAXONOMY BASED SUMMARY OF EXISTING WORK

Not all ML and DL algorithms are used equally in developing IDSs. By studying the literature, we have identified the ML and DL algorithms commonly used in designing IDSs and have thus developed a taxonomy of the ML-DL algorithms utilized in IDSs, presented in Fig. 7. After reviewing all the existing works that use ML-DL algorithms, we have prepared Table XI, which presents a comparative analysis of the existing works based on the ML-DL taxonomy of Fig. 7. For this summarization we have considered the learning technique of the ML-DL algorithms, the detection and mitigation approach, cross-validation, the train-test split ratio, and various evaluation metrics such as accuracy, TPR, F1-score, recall, and FAR. Among the different ML-DL algorithms, supervised learning algorithms are commonly used and have relatively low or medium complexity. On the other hand, unsupervised algorithms, combinations of supervised and unsupervised algorithms, and reinforcement learning algorithms can achieve better accuracy at relatively higher complexity.

Based on the different IDS techniques, we have developed an IDS taxonomy, presented in Fig. 6. After studying the existing ML-DL-based IDSs, we can classify them using the IDS taxonomy of Fig. 6. In Table XII, we present the classification of the existing works based on that taxonomy. In this table, all the existing works are categorized into five IDS types, namely flow-based, log-based, session-based, statistical analysis-based, and packet-based, since the existing works mainly focus on those types. Note that among the different types of IDS, flow-based IDSs are the most common in SDN.
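The metrics compared in Table XI are not interchangeable: accuracy and F1-score depend on how attack-heavy the evaluation set is, whereas FAR does not, which is why a model such as Voting-CMN can report a high F1-score alongside a 20.2% false alarm rate. The following Python is an added illustration (not code from the survey or from any reviewed work) that computes accuracy, TPR, precision, F1-score and FAR from a constructed binary normal/attack labelling and scores the same classifier behaviour on an attack-heavy and on a balanced set.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IdsMetrics:
    """The metrics reported across Table XI, all on a 0..1 scale."""
    accuracy: float
    tpr: float        # true positive rate = detection rate = recall
    precision: float
    f1: float
    far: float        # false alarm rate = FP / (FP + TN)


def confusion_counts(y_true, y_pred, positive="attack"):
    """Return (tp, fp, tn, fn) for a binary labelling with `positive` as attack."""
    counts = Counter((t == positive, p == positive) for t, p in zip(y_true, y_pred))
    tp = counts[(True, True)]
    fn = counts[(True, False)]
    fp = counts[(False, True)]
    tn = counts[(False, False)]
    return tp, fp, tn, fn


def ids_metrics(y_true, y_pred, positive="attack"):
    """Compute the Table XI metrics; divisions by zero yield 0.0."""
    tp, fp, tn, fn = confusion_counts(y_true, y_pred, positive)
    total = tp + fp + tn + fn
    tpr = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    f1 = 2 * precision * tpr / (precision + tpr) if precision + tpr else 0.0
    far = fp / (fp + tn) if fp + tn else 0.0
    return IdsMetrics((tp + tn) / total, tpr, precision, f1, far)


def constructed_labels(n_attack, n_normal, missed_attacks, false_alarms):
    """Constructed evaluation set (not real traffic): n_attack attack flows of
    which missed_attacks are predicted normal, and n_normal normal flows of
    which false_alarms are predicted attack."""
    y_true = ["attack"] * n_attack + ["normal"] * n_normal
    y_pred = (["normal"] * missed_attacks
              + ["attack"] * (n_attack - missed_attacks)
              + ["attack"] * false_alarms
              + ["normal"] * (n_normal - false_alarms))
    return y_true, y_pred


if __name__ == "__main__":
    # One classifier behaviour (catches every attack, raises a false alarm on
    # 20% of normal flows) scored on an attack-heavy and on a balanced set:
    # accuracy and F1 move with the class mix, FAR stays at 0.2.
    for n_attack, n_normal in ((900, 100), (500, 500)):
        m = ids_metrics(*constructed_labels(n_attack, n_normal, 0, n_normal // 5))
        print(f"{n_attack}:{n_normal} -> accuracy={m.accuracy:.3f} "
              f"f1={m.f1:.3f} far={m.far:.3f}")
```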
TABLE XI
A SUMMARIZATION OF THE EXISTING WORKS BASED ON ML-DL TAXONOMY, DETECTION APPROACH, MITIGATION APPROACH AND EVALUATION METRICS

Learning category: Supervised (ML and DL)

| ML-DL Method | Detection Approach | Mitigation Approach | Cross-Validation | Train-Test Split Ratio (%) | Classification Accuracy/Detection Rate/F1-Score/Recall/Fitness | FAR | Ref. |
| DT; RF; KNN; SVM; Multinomial-NB; LR | ✓ | x | 5-Fold | 90-10 | Accuracy: 98.64% (DT), 92.19% (RF), 97.41% (KNN), 99.26% (SVM), 97.68% (Multinomial-NB), 98.96% (LR) | Not Mentioned | [121] |
| Heteroid Tri-Training (KNN, SVN, NB) | ✓ | x | Not Mentioned | 80-10 | Accuracy: 80% | Not Mentioned | [122] |
| RF | ✓ | x | 10-Fold | 70-30 | F1-Score: 87% | 12.5% | [127] |
| DT; RF | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 82.48% (DT), 98.75% (RF) | Not Mentioned | [128] |
| SVM | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 88.7% | 12% | [129] |
| KNN, SVM | ✓ | x | Not Mentioned | Not Mentioned | F1-Score: 92.8% (KNN, ICMP Flood), 90.6% (SVM, ACK Flood) | 0.010% (KNN), 0.009% (SVM) | [159] |
| DT; NB; Bayes Net; Decision table | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 86.19% (DT), 87.78% (NB), 91.68% (Bayes Net), 88.52% (Decision table) | Not Mentioned | [84] |
| KNN | ✓ | x | 10-Fold | Not Mentioned | Accuracy: 97.8% | 5.8% | [130] |
| KNN | ✓ | x | Performed (Fold Not Mentioned) | Not Mentioned | Accuracy: 84.29% | 6.3% | [220] |
| KNN, SVM, ANN, NB | ✓ | x | 10-Fold | Not Mentioned | Accuracy: 98.3% (KNN) | Not Mentioned | [155] |
| RF; GRU-LSTM | ✓ | x | 10-Fold | Not Mentioned | Accuracy: 82% (RF), 88% (GRU-LSTM) | 0.143% | [199] |
| RF; PART | ✓ | x | 10-Fold | Not Mentioned | Accuracy: 82.28% (RF), 79.19% (PART) | 2.49% (RF), Not Mentioned (PART) | [131] |
| Fitting Curve; Pattern Recognition; Time Series | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 89.5% (Fitting Curve), 97.3% (Pattern Recognition), 33% (Time Series) | < 1% | [132] |
| SVM | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 84.78% (Flow IDS), 98.86% (Packet IDS) | 9.99% (Flow IDS), 5.12% (Packet IDS) | [133] |
| SVM; DT; RF; KNN; Bagged Trees | ✓ | x | 10-Fold | 90-10 | F1-Score: 85.4% (SVM), 89.5% (DT), 96.3% (RF), 93.9% (KNN), 96.0% (Bagged Trees) | 4.7% (SVM), 3.5% (DT), 0.9% (RF), 1.9% (KNN), 1.2% (Bagged Trees) | [134] |
| SVM, ID3 DT | ✓ | ✓ | 10-Fold | 90-10 | Accuracy: 97.55% | Not Mentioned | [135] |
| SVM | ✓ | ✓ | Not Mentioned | 75-25 | Accuracy: 99.8% | < 1% | [136] |
| SVM, J48, NB | ✓ | ✓ | Not Mentioned | Not Mentioned | F1-Score: 93.3% | Not Mentioned | [137] |
| SVM | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 95.98% (Full 41 Features), 87.74% (Selected 9 Features) | Not Mentioned | [153] |
| SVM | ✓ | ✓ | Not Mentioned | Not Mentioned | Detection Rate: 99.95% | Not Mentioned | [154] |
| Bayes Net, NB, SVM, MLP, Adaboost, J48, RF | ✓ | ✓ | 20-Fold | Not Mentioned | Recall: 93.4% (Adaboost), 85.2% (SVM), 90.8% (J48), 88.5% (BayesNet), 83.6% (MLP) | Not Mentioned | [249] |
| Modified BAT, RF | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 96.03% | 1.18% | [141] |
| SVM; KNN; DT | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 87.883% (SVM), 90.109% (KNN), 91.206% (DT) | Not Mentioned | [142] |
| SVM | ✓ | x | 10-Fold | Not Mentioned | Accuracy: 80% for Malware, 95% for Normal traffic | 5.4% (Malware), 18.5% (Normal) | [112] |
| SVM; J48; NB; RF | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 75.3% (SVM), 81.5% (J48), 76.1% (NB), 80.4% (RF) | Not Mentioned | [143] |
| KNN, XGBoost, DT | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 98.21% | Not Mentioned | [144] |
| MLP | ✓ | ✓ | Not Mentioned | 80-20 | Accuracy: 99.6% | 0.84% | [191] |
| MLP | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 96.52% | Not Mentioned | [193] |
| GRU-RNN | ✓ | x | Not Mentioned | 70-30 | F1-Score: 78.14% | Not Mentioned | [194] |
| LSTM-FUZZY | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 96.22% | 0.25% | [195] |
| LSTM, CNN | ✓ | ✓ | Not Mentioned | 70-30 | Accuracy: 89.63% (LSTM), 66% (CNN) | Not Mentioned | [196] |
| J48; BayesNet; REPTree; Random Tree; NB; LR | ✓ | x | 10-Fold | Not Mentioned | F1-Score: 97.30% (J48), 89.24% (BayesNet), 98.28% (REPTree), 97.95% (Random Tree), 98.28% (NB), 91.53% (LR) | 0.06% (J48), 0.12% (BayesNet), 0.17% (REPTree), 0.07% (Random Tree), 0.04% (NB), 0.04% (LR) | [146] |
| J48, REPTree, RF, Random Tree, SVM, MLP | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 95% (MLP) | 0.0052% | [147] |
| RF | ✓ | ✓ | 5-Fold | 80-20 | F1-Score: 98% | Not Mentioned | [148] |
| CNN | ✓ | x | Not Mentioned | 80-20 | Accuracy: 99.48%; F1-Score: 99.63% | Not Mentioned | [243] |
| DT, SVC, NB, RF, Bagging, AdaBoost, Majority Voting | ✓ | x | Not Mentioned | 75-25 | Accuracy: 99.14% (RF), 99.15% (Adaboost), 99.08% (Bagging), 99.09% (DT) | Not Mentioned | [244] |
| DT; SVM; Bagging; Adaboost; RF | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 88.70% (DT), 88.20% (SVM), 90.10% (Bagging), 90.30% (Adaboost), 90.20% (RF) | Not Mentioned | [245] |
| DNN | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 75.75% | Not Mentioned | [185] |
| GRU-RNN | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 89% | Not Mentioned | [186] |
| MLP | ✓ | x | Performed (Fold Not Mentioned) | Not Mentioned | Accuracy: 98% | Not Mentioned | [187] |
| DNN; GRU-RNN | ✓ | ✓ | Not Mentioned | 94-6 | Accuracy: 80.7% (DNN), 89% (GRU-RNN) | Not Mentioned | [188] |
| RNN | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 99.5% (KDD 99), 97.39% (NSL-KDD), 99.9% (UNSW-NB15) | Not Mentioned | [189] |
| ID3 DT | ✓ | x | 10-Fold | Not Mentioned | Accuracy: 95% | 15% | [139] |
| DNN | ✓ | ✓ | Not Mentioned | 90-10 | Accuracy: 98% | Not Mentioned | [190] |
| LSTM+CNN | ✓ | x | 10-Fold | Not Mentioned | Accuracy: 98.6% | 2.4% | [221] |
| FSLC, SVM, CNN, NB, Deep Auto Encoder | ✓ | x | 10-Fold | Random Selection | F1-Score: 94% | Not Mentioned | [239] |
| Voting-CMN; Voting-RKM | ✓ | x | 10-Fold | 70-30 | Voting-CMN: Accuracy 89.29%, F1-Score 99.28%; Voting-RKM: Accuracy 97.77%, F1-Score 96.36% | 20.2% | [240] |
| RF, KNN, SVM, LR | ✓ | x | Not Mentioned | 80-20 | Accuracy: 99.79% | 1.6% | [149] |
| NB, ANN, SVM | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 70% (NB), 80% (ANN, SVM) | Not Mentioned | [151] |
| MLP, DT, RF, SVM | ✓ | x | 10-Fold | 70-30 | Accuracy: 99.9% (RF) | Not Mentioned | |
| XGBoost | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 98.53% | Not Mentioned | [248] |
| Type-2 Fuzzy, CNN | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 98.50% (Type-2 Fuzzy), 99% (CNN) | Not Mentioned | [197] |
| XGBoost | ✓ | ✓ | 10-Fold | Not Mentioned | F1-Score: 100% (Binary classifier), 92% (CICDDoS2019, Multiclass classifier), 97% (NSL-KDD, Multiclass classifier) | 0.002% | [251] |
| XGBoost; DT; RF | ✓ | x | Not Mentioned | 94-6 | F1-Score: 95.55% (XGBoost), 94.5% (DT), 94.6% (RF) | Not Mentioned | [252] |
| J48, Bagging | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 93.3% | 0.55% | [250] |
| GRU, LSTM, CNN | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 99.94% | Not Mentioned | [217] |
| SVM | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 95% | 50% | [163] |

Learning category: Unsupervised (ML and DL)

| ML-DL Method | Detection Approach | Mitigation Approach | Cross-Validation | Train-Test Split Ratio (%) | Classification Accuracy/Detection Rate/F1-Score/Recall/Fitness | FAR | Ref. |
| HMM | ✓ | x | Not Mentioned | Not Mentioned | TPR: 99.50% | 4.9% | [169] |
| SOM | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 98.61% | 0.12% | [170] |
| SAE | ✓ | x | Not Mentioned | 70-30 | Accuracy: 95.65% | Not Mentioned | [202] |
| SAE | ✓ | x | Not Mentioned | 80-20 | Accuracy: 95% | 4% | [203] |
| Autoencoder | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 98% | Not Mentioned | [246] |
| Autoencoder, K-Means | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 99% | Not Mentioned | [204] |
| Autoencoder, Softmax | ✓ | ✓ | Not Mentioned | 65-35 | Accuracy: 96% | Not Mentioned | [205] |
| GAN | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 98.40% (KDD'99), 97.76% (NSL-KDD) | Not Mentioned | [208] |
| RBM | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 92% | 8% | [209] |
| HMM | ✓ | x | Not Mentioned | Not Mentioned | Not Mentioned | Not Mentioned | [167] |
| RBM | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 94% | Not Mentioned | [35] |
| SOM | ✓ | ✓ | Not Mentioned | Not Mentioned | F1-Score: 98.3% | Not Mentioned | [67] |

Learning category: Hybrid (Multiple Models) (ML + DL) (Supervised + Unsupervised)

| ML-DL Method | Detection Approach | Mitigation Approach | Cross-Validation | Train-Test Split Ratio (%) | Classification Accuracy/Detection Rate/F1-Score/Recall/Fitness | FAR | Ref. |
| NB; KNN; K-Means; K-Medoids | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 94% (NB), 90% (KNN), 86% (K-Means), 88% (K-Medoids) | Not Mentioned | [171] |
| SOM; Multipass SOM; LVQ1; Multipass LVQ1; Hierarchical LVQ1 | ✓ | x | 10-Fold | Not Mentioned | TPR: 94.4% (SOM), 94.6% (Multipass SOM), 95.6% (LVQ1), 95.6% (Multipass LVQ1), 98.1% (Hierarchical LVQ1) | 3.9% (SOM), 3.9% (Multipass SOM), 3.2% (LVQ1), 3.1% (Multipass LVQ1), 1.9% (Hierarchical LVQ1) | [172] |
| GAN, LSTM, CNN, MLP | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 94.38% (GAN), 94.08% (CNN), 90.29% (LSTM), 92.12% (MLP) | Not Mentioned | [206] |
| SAE, CNN, LSTM, MLP | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 98% (SAE), 96.9% (CNN), 94.3% (LSTM), 98.3% (MLP) | Not Mentioned | [214] |
| SVM, NB, KNN, SOM | ✓ | x | Not Mentioned | 67-33 | Accuracy: 97.14% (SVM-SOM) | 2.71% | [232] |
| RBM, Gradient Descent Based SVM | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 99.98% | 1.31% | [229] |
| CNN, LSTM | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 96.32% | 6% | [218] |
| GAN, KNN, RF | ✓ | x | Not Mentioned | Not Mentioned | Detection Rate (Before GAN): 85% (RF); Detection Rate (After GAN): 53% (RF) | Not Mentioned | [216] |
| Transformer, CNN, FCN | ✓ | x | Not Mentioned | 80-20, 70-30, 60-40 | Accuracy: 99.95% | Not Mentioned | [225] |
| SOM, KNN | ✓ | ✓ | Not Mentioned | Not Mentioned | Detection Rate: 98.24% | 2.14% | [164] |
| SOM & SVM | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 99.30%; Detection Rate: 99.27% | 0.67% | [226] |

Learning category: Hybrid (Single Model) (ML + DL) (Supervised + Unsupervised)

| ML-DL Method | Detection Approach | Mitigation Approach | Cross-Validation | Train-Test Split Ratio (%) | Classification Accuracy/Detection Rate/F1-Score/Recall/Fitness | FAR | Ref. |
| CNN | ✓ | x | Not Mentioned | Not Mentioned | Accuracy: 95.64% | 4.42% | [227] |
| CNN, KNN, RF, SVM | ✓ | x | Not Mentioned | 70-30 | F1-Score: 99.80% (CNN-RF), 99.36% (CNN-SVM), 99.49% (CNN-KNN) | Not Mentioned | [228] |
| CNN, LSTM | ✓ | x | 10-Fold | Not Mentioned | Accuracy: 99.83% | 0.01% | [230] |
| RF, AdaBoost, K-Means | ✓ | x | Performed (Fold Not Mentioned) | 90-10 | Accuracy: 96.62% | 0.54% | [231] |
| DRL, DDPG, MDP | ✓ | x | Not Mentioned | NA | Fitness: 95% | N/A | [184] |
| DNN-LSTM, DNN-GRU, Bi-LSTM | ✓ | x | 10-Fold | Not Mentioned | Accuracy: 99.74%; F1-Score: 99.79%; Precision: 99.89% (DNN-GRU-LSTM) | 0.52% | [233] |
| K-Means, KNN | ✓ | ✓ | Not Mentioned | Not Mentioned | Accuracy: 98.85%; Recall: 98.47% | 0.97% | [234] |
| Entropy, C4.5 | ✓ | x | 10-Fold | Not Mentioned | Accuracy: 95.056% | Not Mentioned | [235] |

Learning category: Reinforcement Learning

| ML-DL Method | Detection Approach | Mitigation Approach | Cross-Validation | Train-Test Split Ratio (%) | Classification Accuracy/Detection Rate/F1-Score/Recall/Fitness | FAR | Ref. |
| Deep RL | ✓ | ✓ | N/A | NA | N/A | N/A | [178] |
| SOM, K-Means, Fuzzy C-Means | ✓ | ✓ | N/A | NA | N/A | N/A | [179] |
| Neural Fitted Q-Learning | x | ✓ | N/A | NA | N/A | N/A | [180] |
| Q-Learning | ✓ | ✓ | Not Mentioned | NA | Accuracy: 93%; Fitness: 95% | 8% | [181] |

TABLE XII
CLASSIFICATION AND MAPPING OF THE REVIEWED WORKS BASED ON THE IDS AND ML-DL TAXONOMY

| IDS Domain/Subdomain | ML-DL-Based Model | References |
| DSBM / NBM / Flow-based | Shallow ML | [67], [84], [112], [121], [122], [127]–[133], [135]–[137], [139], [141]–[144], [146]–[149], [151]–[155], [159], [163], [167], [169]–[172], [199], [204], [216], [220], [226], [228], [231], [234], [235], [244], [245], [249] |
| DSBM / NBM / Flow-based | DL | [35], [184]–[186], [188]–[191], [193]–[199], [202]–[206], [209], [214], [216], [221], [225], [228], [229] |
| DSBM / NBM / Flow-based | Reinforcement | [178]–[181], [184] |
| DSBM / NBM / Flow-based | Ensemble | [231], [232], [239], [240], [243]–[246], [248], [251] |
| DSBM / NBM / Flow-based | Hybrid | [164], [184], [216], [218], [220], [221], [225]–[228], [230], [231], [234], [235] |
| DSBM / NBM / Packet-based | Shallow ML | [121], [122], [276], [127], [133], [139], [149], [170]–[172], [250] |
| DSBM / NBM / Packet-based | DL | [195]–[197], [202], [216] |
| DSBM / NBM / Packet-based | RL | [184] |
| DSBM / NBM / Session-based | Shallow ML | [148] |
| DSBM / NBM / Session-based | DL | [187] |
| DSBM / HBM / Log-based | Shallow ML | [84], [88], [133], [171] |
| DBM / ABM / Statistical Analysis-based | Shallow ML | [111], [134], [144], [159], [167], [170]–[172], [226], [235] |
| DBM / ABM / Statistical Analysis-based | DL | [190], [196] |
| DBM / ABM / Statistical Analysis-based | RL | [181] |
| DBM / ABM / Statistical Analysis-based | Ensemble | [239] |

X. BENCHMARK DATASETS IN IDS RESEARCH

The role of an ML-DL method is to extract useful insight from data; its performance therefore improves with the quality of the input data. The foundation of the ML-DL approach is an in-depth understanding of the data. An accepted dataset for IDS must be simple to obtain, and it must represent the activities of the hosts or systems. However, creating a dataset is difficult and laborious. Therefore, whenever a standard dataset is created, researchers from all over the world can reuse it in their work. The most important of these datasets are briefly described here.

DARPA1998: Developed by MIT's Lincoln Laboratory, the DARPA1998 dataset is a frequently used benchmark dataset in IDS research. The dataset contains raw data packets along with labels. Five classes of labels are available in this dataset, namely Normal, Probe, U2R, DoS, and R2L [275]. One limitation of this dataset is that it consists of raw packets, so it cannot be applied directly to conventional ML algorithms.

KDD'99: The most popular IDS evaluation dataset at present is the KDD99 dataset [277]. KDD99 was developed to address the limitations of the DARPA1998 dataset. Its compilers derived forty-one (41) distinguishing features characterizing network connections. The KDD99 labels are the same as the DARPA1998 labels. In KDD'99 there are four kinds of features: primary (basic), content, host-based statistical, and time-based statistical. However, KDD'99 is an imbalanced dataset with duplicate records, which introduces bias into the result set. The large amount of replicated data prevents detection methods from achieving precise accuracy on attacks such as R2L and U2R.

NSL-KDD: In the NSL-KDD dataset [278], the data records of the various groups are balanced, which eliminates the bias problem in the classification task. The data records of NSL-KDD were taken from KDD99 without duplication. There are basically four types of features in the NSL-KDD dataset, namely Basic, Content, Time-based, and Host-based features. The major drawback of this dataset is that it does not contain any novel data items; its data items are outdated to some extent and do not match present network scenarios. Thus, attacks like DoS can be detected smoothly, whereas attacks like R2L and U2R present a considerable FAR.

Denial of Service (DoS): DoS is an attack intended to shut down a device or network, making it unavailable to legitimate users. A basic illustration of a DoS attack is denying rightful users access to a web service when the server is overwhelmed by multiple connection requests, e.g., a SYN flood. The primary objective of a DoS attack is not to obtain data but to delay or take down a website or service.

Remote to Local (R2L): In an R2L attack, the attacker tries to access a remote machine in an unauthorized manner, e.g., guessing a password by brute force using an automated script. R2L is usually initiated while legitimately accessing a local computer, in order to acquire root access unlawfully.

User to Root (U2R): In a U2R attack, the attacker begins by obtaining the credentials of a standard user account on the device and then leverages a weakness to obtain root privileges on the system. The attacker gains access to a regular user account using social engineering or by sniffing a password, and then exploits flaws in the system to obtain superuser rights, e.g., numerous buffer overflow attacks.

Probe: In probing, the attacker scans a network, a process called reconnaissance, to gain access to data, discover security flaws, or identify deficiencies of the machines. These fraudulent activities, conducted with penetration testing software such as Metasploit or the Nmap tool, provide intruders with knowledge about the possible targets of attacks, e.g., port scanning, version scanning, vulnerability scanning, etc.

The attack categories, along with their names, related services, and attack mechanisms, as they exist in the most commonly used DARPA1998, KDD99, and NSL-KDD datasets for IDS, are presented in Table XIII.

TABLE XIII
LIST OF ATTACK CATEGORIES WITH THEIR CORRESPONDING SERVICES AND MECHANISM PRESENTED IN THE DARPA1998, KDD'99, AND NSL-KDD DATASETS.

| Type | Name of the Attack | Services | Mechanism |
| DoS | Neptune, Pod, Teardrop, Apache2, Back, Mailbomb, UDP storm, Smurf, Land, Process table, Arp poison, Self ping, TCP reset, Ping of death, Dos nuke, SSH process table, SYN flood, Crashiis, and Syslogd. | HTTP, TCP, ICMP, Syslog, Echo. | Bug, Misuse of the feature. |
| R2L | Sendmail, Multihop, Guess password, Spy, Xsnoop, Phf, Imap, Snmpguess, Worm, Warezmaster, Warezclient, Xlock, Ftpwrite, ncftp, netbus, netcat, ppmacro, sshtrojan, and named. | Telnet, Pop, FTP, rlogin, IMAP, HTTP, SMTP, DNS. | Misuse of the feature, Bug, Misconfiguration. |
| Probe | Satan, Mscan, Saint, Portsweep, resetscan, queso, IPsweep, Insidesniffer, Mscan, Ntinfoscan, and Is domain. | SNMP, ICMP, TCP, HTTP. | Misuse of the feature. |
| U2R | HTTP tunnel, Load module, SQL attack, Rootkit, Perl, Xterm, Buffer overflow, ps, yaga, Eject, anypw, casesen, sechole, ntfsdos, and Xterm. | User Session. | Buffer overflow, Bad management of temporary file. |
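The KDD'99 and NSL-KDD descriptions above turn on one cleaning step: removing exact duplicate connection records, which otherwise inflate the majority class and the accuracy a trivial classifier can reach. The following Python is an added illustration (not code from the survey or from the datasets' authors) that parses a constructed sample in the KDD'99 CSV layout, maps attack names from Table XIII to the four categories, deduplicates the records, and compares the category distribution and the majority-class baseline accuracy before and after. It assumes a reduced six-column feature layout rather than the full 41 features, purely for readability.

```python
import csv
from collections import Counter
from io import StringIO

# Attack names from Table XIII mapped to the KDD/NSL-KDD categories.
ATTACK_CATEGORY = {
    "normal": "Normal",
    "smurf": "DoS", "neptune": "DoS", "back": "DoS",
    "guess_passwd": "R2L", "warezclient": "R2L",
    "buffer_overflow": "U2R", "rootkit": "U2R",
    "satan": "Probe", "ipsweep": "Probe",
}

# Constructed sample in the KDD'99 CSV layout (feature columns, then a label
# ending in a period). Only six of the 41 feature columns are used; the row
# counts are made up to mimic the dataset's skew, where a few DoS connections
# are repeated many times while R2L and U2R records are rare.
SAMPLE_KDD = "\n".join(
    ["0,icmp,ecr_i,SF,1032,0,smurf."] * 6
    + ["0,tcp,private,S0,0,0,neptune."] * 3
    + ["0,tcp,http,SF,215,45076,normal."] * 2
    + ["0,tcp,http,SF,162,4528,normal.",
       "0,udp,domain_u,SF,44,132,normal.",
       "184,tcp,telnet,SF,1511,2957,guess_passwd.",
       "3,tcp,telnet,SF,2599,293,buffer_overflow.",
       "0,tcp,private,REJ,0,0,satan."]
)


def load_records(text):
    """Parse KDD-style CSV text into (feature_tuple, attack_name) pairs."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        *features, label = row
        records.append((tuple(features), label.rstrip(".")))
    return records


def deduplicate(records):
    """Drop exact duplicate records, keeping the first occurrence of each
    (the cleaning step that distinguishes NSL-KDD from KDD'99)."""
    seen = set()
    unique = []
    for rec in records:
        if rec not in seen:
            seen.add(rec)
            unique.append(rec)
    return unique


def category_distribution(records):
    """Count records per category (Normal, DoS, R2L, U2R, Probe)."""
    return Counter(ATTACK_CATEGORY[label] for _, label in records)


def majority_baseline_accuracy(records):
    """Accuracy of a classifier that always predicts the most frequent
    category: the floor that duplicate-inflated classes push upwards."""
    dist = category_distribution(records)
    return max(dist.values()) / len(records)


if __name__ == "__main__":
    raw = load_records(SAMPLE_KDD)
    clean = deduplicate(raw)
    for name, recs in (("raw", raw), ("dedup", clean)):
        print(f"{name:5}: {len(recs):2} records {dict(category_distribution(recs))} "
              f"majority baseline={majority_baseline_accuracy(recs):.3f}")
```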
UNSW-NB15: This dataset includes nine diverse categories of attacks and a wide range of regular activities from practical life. The training set contains 175,341 records, and 82,332 records are present in the test set, collected from various forms of attacks and regular records [279]. This dataset solves many of the problems faced by researchers using previous datasets, resulting in a higher detection rate as well as faster training of the model.

ISCX 2012: To generate the dataset, the authors used the concept of profiling [280]. The authors used two profiles, named Alpha and Beta. Alpha is used to generate attack-related traffic and Beta is used to generate regular traffic flow. DoS and Brute Force attacks are the two main attack types present in this dataset. It has two formats: packet and flow. It contains data traffic with the entire packet payload of the protocols HTTP, SSH, IMAP, SMTP, FTP, and Post Office Protocol 3. Nevertheless, the features that were extracted from the ISCX 2012 dataset are not quite enough for a proper evaluation of ML algorithms. Moreover, only HTTP traffic is included in the dataset, which does not represent modern traffic, in which most existing Internet traces are dominated by HTTPS [281].

CIC-IDS 2017: In [281], the authors proposed a new modern-day network traffic-based dataset named CICIDS2017. It spans over 80 features of the network traffic. It contains two types of network traffic, normal and attack, captured over five days in eight different files, covering attack types such as brute force, Botnet, PortScan, XSS, Infiltration, and SQL injection, along with normal traffic. It contains the whole packet payload with labeled flows in PCAP format. One major drawback of the CICIDS2017 dataset is its class imbalance [282]. The number of benign instances, almost 83.34%, is far larger than that of the other attack categories, which opens up a bias towards benign traffic in ML-DL-based IDS models in SDN.

CIDDS-001: CIDDS-001 [283], [284] is a flow-based labeled dataset. It comprises three log files (attack logs, client configuration, and client logs) and uses two servers, an OpenStack server (e.g. mail, web, etc.) and an External server (e.g. file synchronization, web server, etc.) [285], for data collection. DoS, PortScan, and Brute Force attacks are carried out on an emulated business network using the OpenStack environment to generate malicious traffic flow.

CSE-CIC-IDS2018: CSE-CIC-IDS2018 [286] is the newest dataset made accessible by the Canadian Institute for Cybersecurity in 2018/2019. The concept of profiling was used to form this dataset [281]. This dataset takes into account profiles for human operators or agents responsible for creating network traffic events for numerous network protocols with varying topologies. In the dataset, two profiles were categorized, and five distinct attack mechanisms were applied. It employs two sorts of profiles: B-profiles and M-profiles. The B-profiles include user behavior such as the distribution of packet sizes, the number of packets in each flow, patterns and size of the payload, and the request time distribution of protocols including FTP, HTTP, HTTPS, IMAP, POP3, SMTP, and SSH. An M-profile, on the other hand, unambiguously depicts a security attack scenario. The dataset includes attack scenarios for security threats such as brute force, web attacks, botnets, and DDoS. With 80 features, it also contains each machine's log and the collected network traffic [5].

CTU-13: This dataset was generated at CTU University, Czech Republic [287]. It is one of the most comprehensive labeled datasets accessible, containing botnet traffic as well as regular and background labeled data [259]. The dataset includes botnet traffic as well as regular and background communication traffic. The traffic capture procedure comprises 13 separate scenarios of different botnet samples.

InSDN: The InSDN dataset [228] is regarded as one of the first comprehensive datasets built for evaluating IDSs specific to the SDN paradigm. The InSDN dataset's regular traffic includes standard application services, including HTTP, HTTPS, FTP, DNS, Email, and SSH. DoS, DDoS, Probe, Botnet, Exploitation, Password-Guessing, and Web attacks are among the attack types this dataset addresses. Furthermore, these attacks come from a variety of internal and external sources to mimic real-world attack scenarios. The dataset contains a total of 361317 occurrences of normal and attack traffic, where 68424 occurrences are normal traffic and 292893 occurrences are attack-oriented traffic [228].

CIC-DDoS-2019: CIC-DDoS-2019 is a novel dataset that includes a wide range of DDoS attacks. This dataset includes 28 typical network behaviors as well as the most recent prevalent forms of DDoS attacks [206]. The data has been divided into two sections, one for training and the other for testing. For training, WebDDoS, NetBIOS, LDAP, MSSQL, SNMP, UDP-Lag, DNS, SYN, SSDP, NTP, UDP, and TFTP DDoS attacks were executed, and for testing the SYN, NetBIOS, MSSQL, LDAP, UDP, UDP-Lag and PortScan attacks were executed. Some other notable datasets that are used in SDN-IDS research are CAIDA, Hogzilla, and ISOT.

A summary of the aforementioned public benchmark datasets is presented in Table XIV. The comparison was done based on the data collection process, labeling, formatting, number of features, attack variants and the class balance issues of the collected data. Table XV summarizes the reviewed studies that used the benchmark public datasets discussed in Section X and the assessment criteria/metrics listed in Table X to evaluate the efficacy of their proposed solutions.
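The class imbalance noted for CICIDS2017 (about 83.34% benign) and the high FAR reported on rare classes such as R2L and U2R are easiest to see by computing the metrics themselves. The following is an added example, not code from the survey or from any dataset: its labels are constructed to mirror the 83.34% benign share, `simulated_detector` is a hypothetical detector with a chosen TPR and FAR, and `balanced_class_weights` uses the common inverse-frequency weighting as one mitigation (an assumption, not something the survey prescribes).

```python
"""Accuracy versus FAR/TPR on an imbalanced IDS label set (added example).

Labels are CONSTRUCTED to mirror the ~83.34% benign share quoted for CICIDS2017;
they are not rows from the real dataset.
"""
from collections import Counter
from typing import Dict, List, Sequence

BENIGN, ATTACK = 0, 1


def confusion(y_true: Sequence[int], y_pred: Sequence[int]):
    """Return (TP, TN, FP, FN) with ATTACK as the positive class."""
    tp = tn = fp = fn = 0
    for t, p in zip(y_true, y_pred):
        if t == ATTACK:
            tp += int(p == ATTACK)
            fn += int(p == BENIGN)
        else:
            tn += int(p == BENIGN)
            fp += int(p == ATTACK)
    return tp, tn, fp, fn


def metrics(y_true: Sequence[int], y_pred: Sequence[int]) -> Dict[str, float]:
    """ACC, PR, RC (= TPR), F1 and FAR (= FP / (FP + TN)), the metrics used in the survey's tables."""
    tp, tn, fp, fn = confusion(y_true, y_pred)
    total = tp + tn + fp + fn
    pr = tp / (tp + fp) if tp + fp else 0.0
    rc = tp / (tp + fn) if tp + fn else 0.0
    return {
        "ACC": (tp + tn) / total,
        "PR": pr,
        "RC": rc,
        "F1": 2 * pr * rc / (pr + rc) if pr + rc else 0.0,
        "FAR": fp / (fp + tn) if fp + tn else 0.0,
    }


def make_labels(n_benign: int, n_attack: int) -> List[int]:
    """Constructed ground truth: n_benign benign flows followed by n_attack attack flows."""
    return [BENIGN] * n_benign + [ATTACK] * n_attack


def majority_classifier(y_true: Sequence[int]) -> List[int]:
    """Baseline that predicts the majority class for every flow."""
    majority = Counter(y_true).most_common(1)[0][0]
    return [majority] * len(y_true)


def simulated_detector(y_true: Sequence[int], tpr: float, far: float) -> List[int]:
    """Hypothetical detector with a fixed true-positive rate and false-alarm rate:
    it flags the first round(tpr * attacks) attack flows and the first
    round(far * benign) benign flows, so the resulting metrics are deterministic."""
    n_attack = sum(1 for t in y_true if t == ATTACK)
    n_benign = len(y_true) - n_attack
    hit_attacks = round(tpr * n_attack)
    false_alarms = round(far * n_benign)
    pred: List[int] = []
    seen_attacks = seen_benign = 0
    for t in y_true:
        if t == ATTACK:
            pred.append(ATTACK if seen_attacks < hit_attacks else BENIGN)
            seen_attacks += 1
        else:
            pred.append(ATTACK if seen_benign < false_alarms else BENIGN)
            seen_benign += 1
    return pred


def balanced_class_weights(y_true: Sequence[int]) -> Dict[int, float]:
    """Inverse-frequency weights n / (k * n_c) for k classes: a common way to
    counter the bias towards the majority (benign) class during training."""
    counts = Counter(y_true)
    n, k = len(y_true), len(counts)
    return {c: n / (k * n_c) for c, n_c in counts.items()}


if __name__ == "__main__":
    y = make_labels(8334, 1666)
    print("majority :", metrics(y, majority_classifier(y)))
    print("detector :", metrics(y, simulated_detector(y, tpr=0.5, far=0.01)))
    print("weights  :", balanced_class_weights(y))
```

The majority baseline scores 83.34% accuracy with zero recall, while a detector that catches half the attacks at a 1% false-alarm rate gains only nine points of accuracy; the recall and FAR columns, not accuracy, carry the information.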
TABLE XIV
SUMMARY OF THE PUBLIC BENCHMARK DATASETS UTILIZED IN IDS (✓: YES, x: NO)

Dataset | Number of Features | Feature Extraction Tool | Label | Metadata Available | Format | Attack Diversity | Number and Name of Attack Types | Traffic + Network Type | Balanced | Instances (Training / Testing) | Year
DARPA | TCP connections & high-level features | Raw files; features need to be extracted by the researchers | ✓ | x | Data, Packet, Logs | ✓ | 4: DoS, Probe, U2R, and R2L | Not Mentioned | x | 201 | 1998
KDD99 | 41 | Pre-processed | ✓ | x | Other | ✓ | 4: DoS, Probe, U2R, and R2L | Emulated Traffic | x | 4898431 / 311029 | 1998
NSL-KDD | 41 | Pre-processed | ✓ | x | Other | ✓ | 4: DoS, Probe, U2R, and R2L | Small-Scale Network | x | 125973 / 22544 | 2009
UNSW-NB15 | 49 | Argus and Bro-IDS tools [288] | ✓ | x | Packet + Other | ✓ | 9: Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Worms, and Shellcode | – | x | 175341 / 82332 | 2015
ISCX 2012 | 20 | Not Mentioned | ✓ | ✓ | Packet + Flow | x | 4: Brute Force, SSH, Infiltrating, HTTP DoS, and DDoS | Realistic network traffic + Small-Scale Network | x | 1167479 / 629274 | 2012
CIC-IDS2017 | 83 | CICFlowMeter [289] | ✓ | ✓ | Packet + Flow | ✓ | 7: Web based, Brute force, DoS, DDoS, Infiltration, Heartbleed, Bot, and PortScan | Realistic network traffic + Small-Scale Network | x | 2830743 | 2017
CIDDS-001 | 14 | Not Mentioned | ✓ | ✓ | Flow | ✓ | 4: PortScan, PingScan, Brute-Force, and DoS | Both emulated and realistic network traffic + Small-Scale Network | x | 31959267 | 2017
CSE-CIC-IDS2018 | 83 | CICFlowMeter | ✓ | x | Packet + Flow | ✓ | 7: Web based, Brute force, DoS, DDoS, Infiltration, Heartbleed, Bot, and PortScan | Realistic network traffic + Small-Scale Network | x | 4525399 | 2018
CTU-13 | Flow-based features | Argus [290] | ✓ | ✓ | Packets | ✓ | 8: IRC, SPAM, CF, PS, HTTP, DDoS, P2P Botnet, and US [291] | Realistic network traffic + Small-Scale Network | x | 2821636 | 2014
InSDN | 83 | CICFlowMeter | ✓ | ✓ | Packet + Flow | ✓ | 7: U2R, Web attack, Probe, Password guessing, DoS (HULK, TorshHammer, HTTP-Flood), DDoS, and Botnet | Realistic network traffic + Small-Scale Network | x | 343939 | 2020
CIC-DDoS2019 | 87 | CICFlowMeter | ✓ | ✓ | Packets | ✓ | 12: WebDDoS, NetBIOS, LDAP, MSSQL, SNMP, UDP-Lag, DNS, SYN, SSDP, NTP, UDP, and TFTP | Realistic network traffic + Small-Scale Network | x | 50063112 | 2019
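Most datasets in Table XIV are distributed as flow records produced by exporters such as CICFlowMeter or Argus, and SDN-based IDS studies typically feed their models per-window statistics derived from such records: packets and bytes per flow, flow duration, and the entropy of source and destination addresses and ports. The following added example (not code from the survey or from any dataset tool) computes those statistics from constructed flow records and uses a simple z-score baseline to flag a window whose destination entropy collapses; the `Flow` fields, host addresses, threshold k = 3 and the 0.05 standard-deviation floor are all assumptions of this example.

```python
"""Per-window flow features of the kind used by SDN IDS studies (added example; not
code from the survey or from any dataset's extraction tool).

Flow records are CONSTRUCTED to resemble what a flow exporter (CICFlowMeter, Argus)
or an OpenFlow flow-stats reply provides; none of them is real traffic.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    packets: int
    byte_count: int
    duration_s: float


def entropy(values: Iterable) -> float:
    """Shannon entropy (bits) of the empirical distribution of `values`.
    A single victim address gives low destination entropy; many spoofed sources
    give high source entropy, which is why both appear as IDS features."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum((c / n) * math.log2(c / n) for c in counts.values()) if n else 0.0


# Features compared against the baseline; raw counts (flows, hosts) scale with
# window size, so they are reported but not z-scored.
NUMERIC = ("pkts_per_flow", "bytes_per_flow", "mean_duration_s",
           "H_src_ip", "H_dst_ip", "H_src_port", "H_dst_port")


def window_features(flows: List[Flow]) -> Dict[str, float]:
    """Aggregate one observation window (e.g. one flow-stats polling interval)."""
    if not flows:
        raise ValueError("empty window")
    n = len(flows)
    return {
        "flows": float(n),
        "hosts": float(len({f.src_ip for f in flows} | {f.dst_ip for f in flows})),
        "pkts_per_flow": sum(f.packets for f in flows) / n,
        "bytes_per_flow": sum(f.byte_count for f in flows) / n,
        "mean_duration_s": sum(f.duration_s for f in flows) / n,
        "H_src_ip": entropy(f.src_ip for f in flows),
        "H_dst_ip": entropy(f.dst_ip for f in flows),
        "H_src_port": entropy(f.src_port for f in flows),
        "H_dst_port": entropy(f.dst_port for f in flows),
    }


def fit_baseline(benign_windows: List[List[Flow]]) -> Dict[str, Tuple[float, float]]:
    """Per-feature (mean, population std) over windows known to be benign."""
    feats = [window_features(w) for w in benign_windows]
    baseline = {}
    for name in NUMERIC:
        xs = [f[name] for f in feats]
        mu = sum(xs) / len(xs)
        sd = math.sqrt(sum((x - mu) ** 2 for x in xs) / len(xs))
        baseline[name] = (mu, sd)
    return baseline


def deviating_features(feat: Dict[str, float], baseline: Dict[str, Tuple[float, float]],
                       k: float = 3.0, floor: float = 0.05) -> List[str]:
    """Names of features whose |z-score| against the baseline exceeds k.
    `floor` stops a near-zero std in a small baseline from inflating z."""
    return [name for name, (mu, sd) in baseline.items()
            if abs(feat[name] - mu) / max(sd, floor) > k]


def benign_window(seed: int, n_flows: int = 30) -> List[Flow]:
    """Constructed benign window: web, DNS and SSH flows among eight hosts."""
    rng = random.Random(seed)
    hosts = [f"10.0.0.{i}" for i in range(1, 9)]
    services = [(80, "TCP"), (443, "TCP"), (53, "UDP"), (22, "TCP")]
    flows = []
    for _ in range(n_flows):
        src, dst = rng.sample(hosts, 2)
        dport, proto = rng.choice(services)
        pkts = rng.randint(4, 60)
        flows.append(Flow(src, dst, rng.randint(1024, 65535), dport, proto,
                          pkts, pkts * rng.randint(80, 900), rng.uniform(0.2, 20.0)))
    return flows


def flood_window(n_flows: int = 300) -> List[Flow]:
    """Constructed anomalous window: many distinct sources, one-packet flows, one
    victim. Every such flow is a table miss, which is what drives packet_in load."""
    return [Flow(f"172.16.{i // 256}.{i % 256}", "10.0.0.2", 40000 + i, 80, "TCP", 1, 60, 0.0)
            for i in range(n_flows)]


if __name__ == "__main__":
    base = fit_baseline([benign_window(s) for s in range(10)])
    print("benign window flagged on:", deviating_features(window_features(benign_window(0)), base))
    print("flood window flagged on :", deviating_features(window_features(flood_window()), base))
```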

TABLE XV
SUMMARY OF THE DATASETS AND ASSESSMENT/EVALUATION METRICS UTILIZED IN REVIEWED STUDIES IN SDN-IDS (✓: YES)

Dataset abbreviations: NSL-KDD – NK, KDD CUP'99 – KD, UNSW-NB15 – UN, InSDN – IN, DARPA1998 – DA, ISCX 2012 – IS, CIDDS-001 – C1, CICIDS2017 – C7, CSE-CIC-IDS2018 – C8, CTU-13 – C9, CIC-DDoS2019 – C10, Self-Collected/Simulated – SC, Others – OT (HogZilla, ISOT, CAIDA, etc.).
Metric abbreviations: Accuracy – ACC, Precision – PR, F-Measure – F1, Recall – RC, Receiver Operating Characteristic – ROC, Precision Recall Curve – PRC, Area Under the Curve – AUC, True Positive Rate – TPR, False Alarm Rate – FAR, Fitness – FT, Others – OT (Mean Absolute Error, Reward, Root Mean Squared Error, CPU Utilization, Bandwidth Involvement, etc.).
Columns: Ref. | Datasets: NK KD UN IN DA IS C1 C7 C8 C9 C10 OT SC | Metrics: ACC PR F1 RC ROC PRC AUC TPR FAR FT OT

[Table body: one row per reviewed study, marking with ✓ the datasets and metrics it used; the column positions of the marks did not survive extraction in this copy. Rows, in table order: [67], [121], [122], [127], [128], [129], [130], [131], [132], [133], [134], [135], [136], [137], [139], [141], [142], [143], [144], [146], [147], [148], [149], [150], [151], [152], [153], [159], [220], [154], [163], [155], [169], [170], [171], [167], [172], [164], [178], [179], [180], [181], [184], [185], [186], [187], [188], [189], [190], [191], [193], [194], [195], [196], [197], [198], [199], [202], [203], [216], [204], [205], [206], [208], [209], [218], [221], [214], [225], [226], [227], [228], [229], [230], [234], [239], [240], [232], [243], [244], [245], [246], [248], [249], [250], [231], [251], [252], [233], [217].]
XI. CHALLENGES, ISSUES, INSIGHTS AND FUTURE RESEARCH DIRECTIONS

Many researchers in the SDN paradigm have explored Machine Learning and Deep Learning-based IDS solutions in the past few years. However, many important issues remain unexplored. In this section, we address some of the challenges that are faced while developing an efficient ML-DL-based IDS in SDN.

Single Controller Issue

A centralized control layer is included in the SDN design for increased network control, programmability, and management. However, the lack of a robust and secure controller platform makes this centralization vulnerable to various attacks [68]. The controller is the principal target of the attackers. Since network congestion might cause buffer overflows in OF switches, SDN may encounter control packet loss. Control packet loss impairs the network policies' reliability. The question of how a single controller can maintain network information effectively and consistently in the event of control packet loss remains an open issue [292]. By delivering unknown packets to OF-based switches, SDN controllers might be overloaded. When a packet reaches an OF-based switch, it is forwarded according to the rules defined in the OpenFlow switch's flow table. The packet is passed to the controller for further action if no matching flow entry is found. The controller then decides how to deal with the packet and, if necessary, adds a new rule to the OF-based switch. Vast volumes of such traffic directed at SDN controllers might take the controller down and consume a large amount of bandwidth on the communication link between switches and controllers in the SDN paradigm [68]. The majority of the studies have deployed only a single controller in the SDN topology, such as NOX, POX, ONOS, RYU, or OpenDayLight [128], [132], [181], [220], [248], [251]. Plus, managing the network through
this centralized controller creates a considerable overhead for the control plane in SDN. Thus, to reduce this overhead, multiple controllers in the control plane can be an option for future IDS solutions in SDN, distributing the load among controllers. Some studies have adopted this multi-controller technique in the control plane of the SDN architecture [293]–[296]; nevertheless, maintaining well-organized synchronization among the controllers is also a research gap that needs addressing. However, a pool of controllers may be accessed by applications from multiple networks. If an adversary impersonates the controllers or the applications associated with them, it can easily access network resources and eventually disrupt network operations. The adversary may misconfigure the controllers, causing network performance to suffer and reducing the degree of reliability; that is another open research area [297]–[299]. Communication links between switches and controllers must be protected in the same way. Any attack on the controller-to-switch communication link has the potential to inflict significant network damage [300].

Bottleneck Creation Due to Lack of Scalability, Evaluation and Testing

SDN was initially designed for a low-scale network, but with increasing network architecture size over time, the controller could face significant problems handling a large number of incoming and outgoing flow statistics, thus creating a bottleneck. With the increased network size, there is always a chance for congestion and attacks between the controllers and switches. This lack of SDN scalability might prove costly for an automated ML-DL-based IDS operation. Hence, it is important to associate security and scalability in SDN to create secure SDN-based architectures. Furthermore, fellow researchers set up their suggested experimental settings on a single machine, which is an obstacle in evaluating and verifying security measures. As a result, another open issue is using multiple physical computers to evaluate suggested security measures in the SDN paradigm. The Mininet emulator was used to replicate and test the majority of the reviewed ML-DL-based IDS solutions, such as [167], [171], [189], [191], [234], [246]. On the one hand, the Mininet simulator makes prototyping an SDN easier and may be used to illustrate the concept of the proposed system. However, it does place restrictions on network designs, sizes, and functionalities, which brings up the scalability issue. Compared to the Mininet environment, deploying such a solution in a real-life network infrastructure is costly, time-consuming, and challenging. A hardware-based IDS implementation, on the other hand, is another method of analyzing and verifying the proposed IDS mechanism.

Scarcity of Proper Model Selection Study

To create any ML-DL-based model, it is necessary to hyper-tune the model to find the best parameters for effective training. However, we have found an apparent lack of study in all the research papers, especially DL-based IDSs, which did not mention much about the hyperparameter tuning used to train the model. Some papers [147], [152], [186], [189], [203], [221] mentioned finding the useful hyperparameters using the grid search technique. Though feature selection significantly influences IDS performance, only a few researchers use it as the primary component of their studies. When constructing an IDS for SDN, most researchers overlook the feature selection process. As per our study, although SDN presents the opportunity for many more features to be extracted from the network traffic or the applied dataset, the most notable features used in various attack detection systems in SDN are the number of packets per flow, number of hosts, protocol, source and destination port number, number of bytes per flow, flow duration, server count, entropy of the source and destination IP addresses, entropy of the source and destination ports, and flags, which are selected based on the researchers' individual choice or experience, or simply encouraged by previous studies. Most of the datasets used by the researchers do not adequately represent the actual flow-based architecture of SDN. Although some studies performed feature selection and discussed its significance in the development of ML-DL-based IDS [181], [234], [281], to enhance the effectiveness and scalability of IDS, dynamic selection and continuous updating of SDN-based features are still a necessity.

Lack of SDN Specific Dataset for Model Training

Utilizing datasets that are not SDN-specific may result in a compatibility issue because the deployment of attack vectors must take into account the network's new architecture [301]. Most of the researchers have used publicly available datasets like KDD99, NSL-KDD, UNSW-NB15, etc. The attacks presented in those datasets are not adequately suited to the SDN architecture. Most of the attacks are outdated, and the attack types suffer from an imbalance issue: the majority of the traffic is labeled as normal, as shown in Table XIII. Thus, an ML-DL-based IDS trained on those datasets shows a high FAR due to its inefficiency in detecting novel attack patterns. Cyber attackers continually attempt to infiltrate in new and more effective ways, against which ML-DL-based IDS models trained on historical datasets may not prove fruitful. A potential strategy to fix this problem is generating new attack samples with a GAN. Self-collected network traffic data used by researchers are generated using a synthetic network paradigm, thus lacking real-time efficacy, and this raises the issue of bias in the datasets, as the tools used to create those synthetic datasets cannot replicate real network traffic. A research gap in the present research work is the training of models with accurate normal-behavior-based traffic data. Data collection, processing and feature selection play an essential role in any ML-DL-based IDS model to train better and reduce the overall complexity. Features collected from the publicly
available datasets are not SDN specific. Feature extraction and selection is one of the most important parts of any ML-based solution; however, this core part of ML was not mentioned by many of the papers reviewed in this survey, such as [133], [144], [171], [178], [180]. One noticeable point of the review is the lack of established reasoning regarding data collection, feature extraction, and feature selection and their suitability for SDN in papers where synthetic network data was used. As a result, more study is needed in generating public datasets specific to SDN for consistent and precise IDS solutions.

Lack of Diverse Attack Detection and Additional Focus Towards Detection Rather Than Mitigation and Prevention Approach

With the advancement of technology along with the increasing number of malicious hackers, more and more different types of attacks are being generated. In SDN, whenever a switch cannot find a flow that matches a specific packet, it sends a "packet_in" message for the packet to the SDN controller. Attackers can create loads of packets with new flows and attack the network by flooding it with these packets, creating a DoS attack. Current SDN-specific IDSs inspect the first packet of every flow and proceed with the same decision for the next packets in the same flow. An attacker could exploit this characteristic by sending malicious packets after the first one. If an attacker combines two different types of attack in a single packet, the controller might match only the known attack type, and the unknown one might go undetected. One evident shortcoming of some of the reviewed papers [84], [128]–[130], [136], [152], [190], [240], [243] is their binary attack detection mode. Most of them can only distinguish between normal flow and DDoS attacks like TCP SYN Flood, ICMP Flood, etc. However, new attack categories are affecting the SDN architecture. Aside from typical DDoS attacks, new forms of DDoS attacks are emerging all the time. These new kinds of DDoS attacks utilize a different approach than regular DDoS attacks. For example, the link flooding attack seeks to flood network links rather than servers, and the Crossfire attack targets the servers around the target server rather than the target server itself. These DDoS attacks take many forms in the network, which implies that typical DDoS detection techniques may be unable to identify them [16]. Even though some researchers have made efforts to identify DDoS and MITM attacks quickly and early in the process, such as [65], [148], additional study on developing DDoS and MITM detection mechanisms to detect attacks early is needed. GAN and Variational Auto Encoders (VAE) can be implemented to augment the dataset to increase the diversity of the intrusions in DL-based IDS. Hence, more research and in-depth study are needed to detect novel attack types in SDN using ML-DL-based IDS. Another point is that most of the ML-DL-based solutions focused on the intrusion detection approach only; few have discussed the mitigation approach along with the detection approach, such as [129], [144], [147], [188], [205], [249], but there is a clear lack of studies which discussed the prevention mechanism along with the detection and mitigation. We think that preventing the attack and keeping the SDN-based system functional while under attack is more critical than detecting or mitigating the attack. In the prevention phase, the attack is prevented from expanding into the network before it consumes network resources and necessitates detection and mitigation procedures. The prevention mechanism provides fairness among the connected hosts regarding proper bandwidth allocation, energy consumption, and request handling. Thus, more studies are required on preventing attacks in SDN-enabled infrastructure rather than on detection and mitigation only [15].

Lack of Low-Rate DDoS Attack Detection

One noticeable point from this survey is that most current research aims to detect high-rate DDoS attacks. A minor amount of study has been done on detecting low-rate DDoS attacks. A low-rate DDoS attacker makes use of TCP's congestion-control vulnerability by frequently sending bursts of attack packets over short periods or continually sending attack packets at a low rate [302]. A low-rate DDoS attack would deliver a smaller number of packets than a high-rate DDoS attack; as a result, features that may represent a high-rate DDoS attack will be inappropriate for identifying a low-rate DDoS attack [16]. Consequently, detecting a low-rate DDoS attack is still challenging and needs more attention. Though some studies [147], [169], [226], [303] have tried to detect low-rate DDoS in SDN using ML-based approaches, more research is needed in this area.

Lesser Exploration of Unsupervised DL Approaches

Most of the fellow researchers focused on supervised ML-DL algorithms to build an IDS solution for the SDN environment, such as [121], [130], [148], [189], [221]. Unsupervised DL algorithms such as GAN, VAE, SAE, and Sparse AutoEncoder have not been extensively explored for IDS solutions in the SDN paradigm. It is confounding to generate attack signatures, definitions, states, or even IDS policies relevant to the dynamic nature of SDN. GAN networks are particularly good at forming adversarial examples that can trick IDS models in SDN. Hence, the unsupervised DL methods GAN, SAE, VAE, Sparse, and Denoising AutoEncoder should be explored more to generate synthetic attack signatures and train SDN-based IDS models to distinguish diverse attack categories of different kinds. There is a shortage of SDN-specific datasets in the literature, and the procedure of obtaining SDN-specific labeled data is costly and requires manual labeling by network professionals. As a result, research into the development of unsupervised learning algorithms for intrusion detection systems is worthwhile. Another noticeable point is that most of the ML-DL-based IDS solutions are evaluated using the conventional accuracy, precision, and F-measure metrics. However, only a few studies
[131], [226], [229], [304] have highlighted the throughput, bandwidth involvement, energy consumption, and CPU utilization of the SDN controller.

XII. CONCLUSIONS

Traditional networking control is shifted from hardware to software with the utilization of SDN-enabled infrastructure. Network operations and management are simplified as a result of this adjustment. Network designers' focus turns away from coding related to low-level device configurations and toward developing software-based solutions that allow for network administration and troubleshooting. On the negative side, SDN's decoupled design, through the separation of data plane and control plane, has added to the network's security issues. SDN introduces new areas of threats and attacks due to its programming capabilities and the centralization of the controller. This survey provides a comprehensive overview of the studies conducted on developing automated IDS utilizing various ML-DL algorithms in the SDN paradigm. Due to the centralized control of the entire SDN, security carries a greater significance. The integration of a large number of novel attacks makes this centralized control a point of significant vulnerability too. Hence, necessary security measures are needed to identify attacks in SDN. From our review, it is clear that DoS attacks are considered the most noteworthy extrinsic threats in SDN. Since the essence of the attacks is dynamic, numerous aspects should be considered when implementing IDS in SDN. As a result, the detection process must be adaptable to the varying attack types. Numerous ML-DL-based methods are extensively used in developing IDS by training a model to distinguish normal activities from intrusions.

This survey evaluates the SDN paradigm's challenges, issues, and future research prospects by reviewing current ML-DL-based IDS studies and provides a direction of references to other researchers performing meticulous investigations. In this survey, we have provided an overview of these methods and a comparative analysis of the studies conducted, based on their learning category, datasets used in the study, feature selection process, utilized controller, attack classification types, and achieved performance in detecting attacks in SDN. SDN-related research challenges, issues, and future research directions were also briefly analyzed and examined. Most of the research is based on utilizing SL-based ML-DL algorithms for developing IDS solutions in SDN. The attacks are evolving day by day. With the lack of SDN-specific datasets, the field of UL-based methods is a clear scope for further research to deal with unknown attack types. Finally, we discussed some research problems and obstacles for prospective researchers working on a new SDN-based IDS solution. The field of applying ML-DL algorithms to SDN is vast, and there are numerous challenges ahead. Nonetheless, it is in the network community's best interests to resolve the problems and move forward. We strongly believe that this survey will help future researchers using ML-DL methods to build IDS solutions as a guideline to secure the SDN paradigm.

REFERENCES

[1] H. J. Liao, C. H. Richard Lin, Y. C. Lin, and K. Y. Tung, "Intrusion detection system: A comprehensive review," J. Netw. Comput. Appl., vol. 36, no. 1, pp. 16–24, 2013.
[2] "Software Defined Networking Market Size, Share and Global Market Forecast to 2025 | COVID-19 Impact Analysis," Marketsandmarkets.com, 2020. [Online]. [Accessed: 14-Feb-2021].
[3] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: A comprehensive survey," Proc. IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[4] W. Xia, Y. Wen, C. H. Foh, D. Niyato, and H. Xie, "A Survey on Software-Defined Networking," IEEE Commun. Surv. Tutorials, vol. 17, no. 1, pp. 27–51, 2015.
[5] S. W. Lee et al., "Towards secure intrusion detection systems using deep learning techniques: Comprehensive analysis and review," J. Netw. Comput. Appl., vol. 187, no. December 2020, p. 103111, 2021.
[6] H. Liu and B. Lang, "Machine learning and deep learning methods for intrusion detection systems: A survey," Appl. Sci., vol. 9, no. 20, 2019.
[7] P. Mishra, V. Varadharajan, and U. Tupakula, "A Detailed Investigation and Analysis of using Machine Learning Techniques for Intrusion Detection," IEEE Commun. Surv. Tutorials, vol. 21, no. 1, pp. 686–728, 2018.
[8] A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman, "Survey of intrusion detection systems: techniques, datasets and challenges," Cybersecurity, vol. 2, no. 1, 2019.
[9] Z. Ahmad, A. Shahid Khan, C. Wai Shiang, J. Abdullah, and F. Ahmad, "Network intrusion detection system: A systematic study of machine learning and deep learning approaches," Trans. Emerg. Telecommun. Technol., vol. 32, no. 1, pp. 1–29, 2021.
[10] N. Sultana, N. Chilamkurti, W. Peng, and R. Alhadad, "Survey on SDN based network intrusion detection system using machine learning approaches," Peer-to-Peer Netw. Appl., vol. 12, no. 2, pp. 493–501, 2019.
[11] J. Xie et al., "A survey of machine learning techniques applied to software defined networking (SDN): Research issues and challenges," IEEE Commun. Surv. Tutorials, vol. 21, no. 1, pp. 393–430, 2019.
[12] J. Singh and S. Behal, "Detection and mitigation of DDoS attacks in SDN: A comprehensive review, research challenges and future directions," Comput. Sci. Rev., vol. 37, p. 100279, 2020.
[13] T. Jafarian, M. Masdari, A. Ghaffari, and K. Majidzadeh, "A survey and classification of the security anomaly detection mechanisms in software defined networks," Cluster Comput., vol. 1, 2020.
[14] Y. Hande and A. Muddana, "A survey on intrusion detection system for software defined networks (SDN)," Int. J. Bus. Data Commun. Netw., vol. 16, no. 1, pp. 28–47, 2020.
[15] L. F. Eliyan and R. Di Pietro, "DoS and DDoS attacks in Software Defined Networks: A survey of existing solutions and research challenges," Futur. Gener. Comput. Syst., vol. 122, pp. 149–171, 2021.
[16] Y. Cui et al., "Towards DDoS detection mechanisms in Software-Defined Networking," J. Netw. Comput. Appl., vol. 190, no. July, p. 103156, 2021.
[17] "Open Networking Foundation. 2021. Software-Defined Networking (SDN) Definition - Open Networking Foundation. [online]," Open Networking Foundation, 2013. [Online]. Available: https://searchnetworking.techtarget.com/definition/software-defined-networking-SDN. [Accessed: 08-Feb-2021].
[18] W. Braun and M. Menth, "Software-Defined Networking Using OpenFlow: Protocols, Applications and Architectural Design Choices," Futur. Internet, vol. 6, no. 2, pp. 302–336, 2014.
[19] "Open vSwitch." [Online]. Available: https://www.openvswitch.org/. [Accessed: 07-Nov-2021].
[20] "Pantou - OpenFlow 1.3 for OpenWRT." [Online]. Available: https://github.com/CPqD/openflow-openwrt. [Accessed: 07-Nov-2021].
[21] "Indigo - Core OpenFlow agent and infrastructure modules." [Online]. Available: https://floodlight.atlassian.net/wiki/spaces/Indigo/overview. [Accessed: 07-Nov-2021].
[22] A. Voellmy and P. Hudak, "Nettle: Functional Reactive Programming of OpenFlow Networks," in YALE UNIV NEW HAVEN CT DEPT OF COMPUTER SCIENCE, 2010.
[23] J. W. Lockwood et al., "NetFPGA-an open platform for gigabit-rate network switching and routing," in IEEE International Conference on Microelectronic Systems Education (MSE'07), 2007, p. 177.
[24] G. Lu et al., "Serverswitch: a programmable and high performance platform for data center networks," USENIX Symp. Networked Syst. Des. Implement., vol. 11, pp. 1–14, 2011.
[25] M. B. Anwer, M. Motiwala, M. Bin Tariq, and N. Feamster, "SwitchBlade: A platform for rapid deployment of network protocols on programmable hardware," in Proceedings of the ACM SIGCOMM 2010 conference, pp. 183–194.
[26] A. Ben Letaifa, SSIM and ML based QoE enhancement approach in SDN context, 1st ed., vol. 114. Elsevier Inc., 2019.
[27] S. Gao, Z. Li, B. Xiao, and G. Wei, "Security Threats in the Data Plane of Software-Defined Networks," IEEE Netw., vol. 32, no. 4, pp. 108–113, 2018.
[28] D. B. Rawat and S. R. Reddy, "Software defined networking architecture, security and energy efficiency: A survey," Softw. Defin. Netw. Archit. Secur. Energy Effic. A Surv., vol. 19, no. 1, pp. 325–346, 2017.
[29] "RYU Controller." [Online]. Available: https://ryu-sdn.org/. [Accessed: 25-Dec-2020].
[30] L. R. Prete, A. A. Shinoda, C. M. Schweitzer, and R. L. S. De Oliveira, "Simulation in an SDN network scenario using the POX Controller," in 2014 IEEE Colombian Conference on Communications and Computing, COLCOM 2014 - Conference Proceedings, 2014, no. June, pp. 1–6.
[31] N. Gude et al., "NOX: towards an operating system for networks," ACM SIGCOMM Comput. Commun. Rev., vol. 38, no. 3, pp. 105–
[44] … Networking Storage and Analysis, SCC 2012, 2012, pp. 1617–1624.
[45] R. Trestian, G. M. Muntean, and K. Katrinis, "MiceTrap: Scalable traffic engineering of datacenter mice flows using OpenFlow," Proc. 2013 IFIP/IEEE Int. Symp. Integr. Netw. Manag. IM 2013, pp. 904–907, 2013.
[46] R. Bennesby, P. Fonseca, E. Mota, and A. Passito, "An inter-AS routing component for software-defined networks," Proc. 2012 IEEE Netw. Oper. Manag. Symp. NOMS 2012, pp. 138–145, 2012.
[47] H. Zhang and J. Yan, "Performance of SDN Routing in Comparison with Legacy Routing Protocols," Proc. - 2015 Int. Conf. Cyber-Enabled Distrib. Comput. Knowl. Discov. CyberC 2015, pp. 491–494, 2015.
[48] R. R. Fontes, S. Afzal, S. H. B. Brito, M. A. S. Santos, and C. E. Rothenberg, "Mininet-WiFi: Emulating software-defined wireless networks," Proc. 11th Int. Conf. Netw. Serv. Manag. CNSM 2015, pp. 384–389, 2015.
[49] P. Jakma and D. Lamparter, "Introduction to the Quagga Routing Suite," IEEE Netw., vol. 28, no. 2, pp. 42–48, 2014.
[50] M. Hata, M. Soylu, S. Izumi, T. Abe, and T. Suganuma, "SDN based end-to-end inter-domain routing mechanism for mobility management and its evaluation," Sensors (Switzerland), vol. 18, no. 12, 2018.
[51] S. A. Mehdi, J. Khalid, and S. A. Khayam, "Revisiting Traffic Anomaly Detection Using Software Defined Networking," in RAID 2011: Recent Advances in Intrusion Detection, 2011, pp. 161–180.
[52] N. Ankur, R. Alex, F. Nick, and C. Russ, "Resonance: Dynamic Access Control for Enterprise Networks," in WREN '09: Proceedings of the 1st ACM workshop on Research on enterprise networking, 2009, no. 9783662530924, pp. 11–18.
[53] C. Yu Hunag, T. Min Chi, C. Yao Ting, C. Yu Chieh, and C. Yan Ren, "A novel design for future on-demand service and security," Int. Conf. Commun. Technol. Proceedings, ICCT, pp. 385–388, 2010.
[54] N. . M. Chowdhury and R. Boutaba, "A Survey of Network
110, 2008. Virtualization,” Comput. Networks, vol. 54, no. 8, pp. 862–876, 2010.
[32] “Opendaylight Controller.” [Online]. Available: [55] Q. Duan, N. Ansari, and M. Toy, “Software-defined network
https://www.opendaylight.org/about/platform-overview. [Accessed: virtualization: An architectural framework for integrating SDN and
28-Dec-2020]. NFV for service provisioning in future networks,” IEEE Netw., vol.
[33] FloodLight Controller, “FloodLight Controller.” [Online]. Available: 30, no. 5, pp. 10–16, 2016.
https://floodlight.atlassian.net/wiki/spaces/floodlightcontroller/overvi [56] A. D. Ferguson, A. Guha, C. Liang, R. Fonseca, and S. Krishnamurthi,
ew. [Accessed: 27-Dec-2020]. “Hierarchical policies for software defined networks,” HotSDN’12 -
[34] “ONOS Controller.” [Online]. Available: Proc. 1st ACM Int. Work. Hot Top. Softw. Defin. Networks, pp. 37–
https://opennetworking.org/onos/. [Accessed: 27-Dec-2020]. 42, 2012.
[35] A. Dawoud, S. Shahristani, and C. Raun, “Deep learning and software- [57] P. Manso and J. Moura, “SDN-Based Intrusion Detection System for
defined networks: Towards secure IoT architecture,” Internet of Early Detection and Mitigation of DDoS Attacks,” Inf., vol. 10, no. 3,
Things, vol. 3–4, pp. 82–89, 2018. pp. 1–17, 2019.
[36] A. Yazdinejadna, R. M. Parizi, A. Dehghantanha, and M. S. Khan, “A [58] A. Garg and P. Maheshwari, “A Hybrid Intrusion Detection System: A
kangaroo-based intrusion detection system on software-defined Review,” in International Conference on (ISCO) Intelligent Systems
networks,” Comput. Networks, vol. 184, p. 107688, 2021. and Control, 2016, pp. 1–5.
[37] P. Dong, X. Du, H. Zhang, and T. Xu, “A detection method for a novel [59] L. T. Heberlein, G. V. Dias, K. N. Levitt, B. Mukherjee, J. Wood, and
DDoS attack against SDN controllers by vast new low-traffic flows,” D. D. Wolber, “A network security monitor,” in Proceedings of the
in 2016 IEEE International Conference on Communications, ICC Symposium on Security and Privacy, 1990, pp. 296–304.
2016, 2016. [60] Q. Yan, F. R. Yu, Q. Gong, and J. Li, “Software-defined networking
[38] “OpenFlow Switch Specification Version 1.3.5 ( Protocol version 0x04 (SDN) and distributed denial of service (DDOS) attacks in cloud
),” 2015. [Online]. Available: https://opennetworking.org/wp- computing environments: A survey, some research issues, and
content/uploads/2014/10/openflow-switch-v1.3.5.pdf. [Accessed: 19- challenges,” IEEE Commun. Surv. Tutorials, vol. 18, no. 1, pp. 602–
Dec-2021]. 622, 2016.
[39] “‘Openflow – The Workflow Introduction’. SDN For You, 2020,” [61] S. Madhawa, P. Balakrishnan, and U. Arumugam, “Data driven
Openflow – The Workflow Introduction, 2015. [Online]. Available: intrusion detection system for software defined networking enabled
https://sdnforyou.wordpress.com/2015/08/12/openflow-the- industrial internet of things,” J. Intell. Fuzzy Syst., vol. 34, no. 3, pp.
workflow-introduction/. [Accessed: 19-Nov-2020]. 1289–1300, 2018.
[40] A. Bahnasse, F. E. Louhab, H. Ait Oulahyane, M. Talea, and A. Bakali, [62] P. Wang, L. T. Yang, X. Nie, Z. Ren, J. Li, and L. Kuang, “Data-driven
“Novel SDN architecture for smart MPLS Traffic Engineering- software defined network attack detection: State-of-the-art and
DiffServ Aware management,” Futur. Gener. Comput. Syst., vol. 87, perspectives,” Inf. Sci. (Ny)., vol. 513, no. xxxx, pp. 65–83, 2020.
pp. 115–126, 2018. [63] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E.
[41] S. Agarwal, K. Murali, and L. T.V, “Traffic Engineering in Software Vázquez, “Anomaly-based network intrusion detection: Techniques,
Defined Networks,” in Proceedings IEEE INFOCOM, 2013, pp. 2211– systems and challenges,” Comput. Secur., vol. 28, no. 1–2, pp. 18–28,
2219. 2009.
[42] D. M. F. Mattos et al., “OMNI: OpenFlow MaNagement [64] B. Mantur, A. Desai, and K. S. Nagegowda, “Centralized Control
Infrastructure,” 2011 Int. Conf. Netw. Futur. NOF 2011 - Proc., pp. 52– Signature-Based Firewall and Statistical-Based Network Intrusion
56, 2011. Detection System (NIDS) in Software Defined Networks (SDN),” in
[43] Y. Minlam, J. Lavanya, and M. Rui, “Software Defined Traffic Emerging Research in Computing, Information, Communication and
Measurement with OpenSketch,” in USENIX Symposium on Applications, 2015.
Networked Systems Design and Implementation (NSDI ’13), 2013, pp. [65] S. M. Mousavi and M. St-Hilaire, “Early detection of DDoS attacks
29–42. against SDN controllers,” in nternational Conference on Computing,
[44] R. Van Der Pol et al., “Multipathing with MPTCP and open flow,” in Networking and Communications, ICNC, 2015, pp. 77–81.
Proceedings - 2012 SC Companion: High Performance Computing, [66] R. Sahay et al., “Towards autonomic DDoS mitigation using Software
41
Defined Networking,” in SENT 2015: NDSS workshop on security of OpenFlow,” in 11th International Conference on Availability,
emerging networking technologies. Internet society, 2015. Reliability and Security, ARES, 2016, pp. 147–156.
[67] S. Jevtic, H. Lotfalizadeh, and D. S. Kim, “Toward network-based [87] M. Xie and J. Hu, “Evaluating host-based anomaly detection systems:
DDoS detection in software-defined networks,” in 12th International A preliminary analysis of ADFA-LD,” in Proceedings of the 2013 6th
Conference on Ubiquitous Information Management and International Congress on Image and Signal Processing, CISP 2013,
Communication, 2018. 2013, vol. 3, no. Cisp, pp. 1711–1716.
[68] N. Z. Bawany, J. A. Shamsi, and K. Salah, “DDoS Attack Detection [88] D. Y. Yeung and Y. Ding, “Host-based intrusion detection using
and Mitigation Using SDN: Methods, Practices, and Solutions,” Arab. dynamic and static behavioral models,” Pattern Recognit., vol. 36, no.
J. Sci. Eng., vol. 42, no. 2, pp. 425–441, 2017. 1, pp. 229–243, 2003.
[69] S. Shin, P. Porras, V. Yegneswaran, M. Fong, G. Gu, and M. Tyson, [89] X. Xu and T. Xie, “A reinforcement learning approach for host-based
“Fresco: Modular composable security services for software-defined intrusion detection using sequences of system calls,” Adv. Intell.
networks,” in 20th Annual Network & Distributed System Security Comput. ICIC 2005. Lect. Notes Comput. Sci., vol. 3644 LNCS, pp.
Symposium. Ndss, 2013, no. February. 995–1003, 2005.
[70] R. Jin and B. Wang, “Malware detection for mobile devices using [90] A. Chawla, B. Lee, S. Fallon, and P. Jacob, “Host Based Intrusion
software-defined networking,” in Proceedings - 2013 2nd GENI Detection System with Combined CNN/RNN Model,” in ECML
Research and Educational Experiment Workshop, GREE, 2013, pp. PKDD 2018 Workshops. ECML PKDD 2018. Lecture Notes in
81–88. Computer Science, 2019, vol. 11329 LNAI, pp. 149–158.
[71] M. Zuzčák and M. Zenka, “Expert system assessing threat level of [91] H. Y. Gyuwan Kim, J. Lee, Y. Paek, and S. Yoon, “LSTM-based
attacks on a hybrid SSH honeynet,” Comput. Secur., vol. 92, p. 101784, system-call language modeling and robust ensemble method for
2020. designing host-based intrusion detection system,”
[72] A. K. Ghosh, A. Schwartzbard, and M. Schatz, “Learning program arXiv:1611.01726v1, pp. 1–12, 2016.
behavior profiles for intrusion detection,” in Proceedings of the [92] D. H. Lee, D. Y. Kim, and J. Il Jung, “Multi-stage intrusion detection
Workshop on Intrusion Detection and Network Monitoring, 1999, pp. system using hidden Markov model algorithm,” in Proceedings of the
1–13. International Conference on Information Science and Security, ICISS
[73] Q. Niyaz, W. Sun, A. Y. Javaid, and M. Alam, “A deep learning 2008, 2008, pp. 72–77.
approach for network intrusion detection system,” in Eai Endorsed [93] T. M. Chen and P. J. Walsh, “Guarding Against Network Intrusions,”
Transactions on Security and Safety, 2016, vol. 3, no. 9. in Network and System Security: Second Edition, 2014, pp. 57–82.
[74] A. Le, P. Dinh, H. Le, and N. C. Tran, “Flexible Network-Based [94] M. A. Aydin, A. H. Zaim, and K. G. Ceylan, “A hybrid intrusion
Intrusion Detection and Prevention System on Software-Defined detection system design for computer network security,” Comput.
Networks,” in Proceedings - 2015 International Conference on Electr. Eng., vol. 35, no. 3, pp. 517–526, 2009.
Advanced Computing and Applications, ACOMP 2015, 2016, pp. [95] T. Ha et al., “Suspicious traffic sampling for intrusion detection in
106–111. software-defined networks,” Comput. Networks, vol. 109, pp. 172–
[75] Y. J. Chew, S. Y. Ooi, K.-S. Wong, and Y. H. Pang, “Decision Tree 182, 2016.
with Sensitive Pruning in Network-based Intrusion Detection System,” [96] O. Depren, M. Topallar, E. Anarim, and M. K. Ciliz, “An intelligent
in Computational Science and Technology. Lecture Notes in Electrical intrusion detection system (IDS) for anomaly and misuse detection in
Engineering, 2020, vol. 603, no. August, pp. 425–433. computer networks,” Expert Syst. Appl., vol. 29, no. 4, pp. 713–722,
[76] N. Thapa, Z. Liu, D. B. Kc, B. Gokaraju, and K. Roy, “Comparison of 2005.
machine learning and deep learning models for network intrusion [97] K. Giotis, G. Androulidakis, and V. Maglaris, “Leveraging SDN for
detection systems,” Futur. Internet, vol. 12, no. 10, pp. 1–16, 2020. efficient anomaly detection and mitigation on legacy networks,” Proc.
[77] N. Chaabouni, M. Mosbah, A. Zemmari, C. Sauvignac, and P. Faruki, - 2014 3rd Eur. Work. Software-Defined Networks, EWSDN 2014, no.
“Network Intrusion Detection for IoT Security Based on Learning i, pp. 85–90, 2014.
Techniques,” IEEE Commun. Surv. Tutorials, vol. 21, no. 3, pp. 2671– [98] M. T. Ali A. Ghorbani, Wei Lu, “Network Intrusion Detection and
2701, 2019. Prevention Advances in Information Security,” vol. 47, 2010.
[78] L. Nicholas, S. Y. Ooi, Y. H. Pang, S. O. Hwang, and S.-Y. Tan, “Study [99] F. Ali and B. Hamid, “Development of Host Based Intrusion Detection
of long short-term memory in flow-based network intrusion detection System for Log Files,” in IEEE Symposium on Business, Engineering
system,” J. Intell. Fuzzy Syst., vol. 35, no. 6, pp. 5947–5957, 2018. and Industrial Applications (ISBEIA), 2011, pp. 281–285.
[79] A. R. Mohammed, S. A. Mohammed, and S. Shirmohammadi, [100] Y. Lin, Y. Zhang, and Y. J. Ou, “The design and implementation of
“Machine Learning and Deep Learning Based Traffic Classification host-based intrusion detection system,” 3rd Int. Symp. Intell. Inf.
and Prediction in Software Defined Networking,” in 2019 IEEE Technol. Secur. Informatics, IITSI 2010, pp. 595–598, 2010.
International Symposium on Measurements and Networking, M and N [101] Y. Yu, J. Long, and Z. Cai, “Session-based network intrusion detection
2019 - Proceedings, 2019. using a deep learning architecture,” in International Conference on
[80] Y. Zeng, H. Gu, W. Wei, and Y. Guo, “Deep-Full-Range: A Deep Modeling Decisions for Artificial Intelligence, 2017, no. October, pp.
Learning Based Network Encrypted Traffic Classification and 144–155.
Intrusion Detection Framework,” IEEE Access, vol. 7, pp. 45182– [102] S. Ponomarev and T. Atkison, “Session Duration Based Feature
45190, 2019. Extraction for Network Intrusion Detection in Control System
[81] C. Zhang et al., “A Novel Framework Design of Network Intrusion Networks,” in Proceedings - 2016 International Conference on
Detection Based on Machine Learning Techniques,” Secur. Commun. Computational Science and Computational Intelligence, CSCI 2016,
Networks, vol. 2021, 2021. 2017, pp. 892–896.
[82] P. Lichodzijewski, A. N. Zincir-Heywood, and M. I. Heywood, “Host- [103] B. D. Caulkin, J. Lee, and M. Wang, “Packet- vs. session-based
based intrusion detection using self-organizing maps,” in Proceedings modeling for intrusion detection systems,” in International Conference
of the International Joint Conference on Neural Networks, 2002, vol. on Information Technology: Coding and Computing, ITCC, 2005, vol.
2, pp. 1714–1719. 1, pp. 116–121.
[83] I. Khalkhali, R. Azmi, M. Azimpour-kivi, and M. Khansari, “Host- [104] M. F. Umer, M. Sher, and Y. Bi, “Flow-based intrusion detection:
based Web Anomaly Intrusion Detection System , an Artificial Techniques and challenges,” Comput. Secur., vol. 70, pp. 238–254,
Immune System Approach,” J. Comput. Sci., vol. 8, no. 5, pp. 14–24, 2017.
2011. [105] A. Qayyum, M. H. Islam, and M. Jamil, “Taxonomy of statistical based
[84] E. W. and B. Y. Saurav Nanda, Faheem Zafari, Casimer DeCusatis, anomaly detection techniques for intrusion detection,” in Proceedings
“Predicting Network Attack Patterns in SDN using Machine Learning - IEEE 2005 International Conference on Emerging Technologies,
Approach,” in IEEE Conference on Network Function Virtualization ICET 2005, 2005, vol. 2005, pp. 270–276.
and Software Defined Networks (NFV-SDN), 2016, pp. 261–266. [106] Bavani K, R. M. P, and E. S. G. S. R, “Statistical Approach Based
[85] G. Serpen and E. Aghaei, “Host-based misuse intrusion detection using Detection of Distributed Denial of Service Attack in a Software
PCA feature extraction and kNN classification algorithms,” Intell. Data Defined Network,” in 6th International Conference on Advanced
Anal., vol. 22, no. 5, pp. 1101–1114, 2018. Computing & Communication Systems (ICACCS), 2020.
[86] M. Nobakht, V. Sivaraman, and R. Boreli, “A host-based intrusion [107] A. Sperotto, R. Sadre, and A. Pras, “Anomaly characterization in flow-
detection and mitigation framework for smart home IoT using based traffic time series,” in IP Operations and Management. IPOM
42
2008. Lecture Notes in Computer Science, 2008, vol. 5275 LNCS, pp. classification, and mitigation in SDN,” Proc. NOMS 2016 - 2016
15–27. IEEE/IFIP Netw. Oper. Manag. Symp., no. Noms, pp. 27–35, 2016.
[108] G. Fernandes, J. J. P. C. Rodrigues, and M. L. Proença, “Autonomous [130] H. Peng, Z. Sun, X. Zhao, S. Tan, and Z. Sun, “A Detection Method
profile-based anomaly detection system using principal component for Anomaly Flow in Software Defined Network,” IEEE Access, vol.
analysis and flow analysis,” Appl. Soft Comput. J., vol. 34, pp. 513– 6, pp. 27809–27817, 2018.
525, 2015. [131] N. Satheesh et al., “Flow-based anomaly intrusion detection using
[109] C. Zhang, Z. Cai, W. Chen, X. Luo, and J. Yin, “Flow level detection machine learning model with software defined networking for
and filtering of low-rate DDoS,” Comput. Networks, vol. 56, no. 15, OpenFlow network,” Microprocess. Microsyst., vol. 79, p. 103285,
pp. 3417–3431, 2012. 2020.
[110] H. A. Nguyen, T. Van Nguyen, D. Il Kim, and D. Choi, “Network [132] A. Abubakar and B. Pranggono, “Machine Learning Based Intrusion
Traffic Anomalies Detection and Identification with Flow Detection System for Software Defined Networks,” Int. Conf. Emerg.
Monitoring,” in 5th IFIP International Conference on Wireless and Secur. Technol., pp. 138–143, 2015.
Optical Communications Networks (WOCN’08), 2008. [133] Q. Schueller, K. Basu, M. Younas, M. Patel, and F. Ball, “A
[111] T. Naqash, S. H. Shah, and M. N. U. Islam, “Statistical Analysis Based Hierarchical Intrusion Detection System using Data Center,” in 2018
Intrusion Detection System for Ultra-High-Speed Software Defined 28th International Telecommunication Networks and Applications
Network,” Int. J. Parallel Program., vol. 0, pp. 1–26, 2021. Conference (ITNAC), 2018, pp. 1–6.
[112] L. Boero, M. Marchese, and S. Zappatore, “Support Vector Machine [134] G. A. Ajaeiya, N. Adalian, I. H. Elhajj, A. Kayssi, and A. Chehab,
Meets Software Defined Networking in IDS Domain,” Proc. 29th Int. “Flow-based Intrusion Detection System for SDN,” in Proceedings -
Teletraffic Congr. ITC 2017, vol. 3, pp. 25–30, 2017. IEEE Symposium on Computers and Communications, 2017, pp. 787–
[113] G. Li, M. Dong, K. Ota, J. Wu, J. Li, and T. Ye, “Deep Packet 793.
Inspection based Application-Aware Traffic Control for Software [135] P. Wang, K. M. Chao, H. C. Lin, W. H. Lin, and C. C. Lo, “An Efficient
Defined Networks,” in IEEE Global Communications Conference Flow Control Approach for SDN-Based Network Threat Detection and
(GLOBECOM), 2016. Migration Using Support Vector Machine,” Proc. - 13th IEEE Int.
[114] G. Schaffrath and B. Stiller, “Conceptual integration of flow-based and Conf. E-bus. Eng. ICEBE 2016 - Incl. 12th Work. Serv. Appl. Integr.
packet-based network intrusion detection,” in FIP International Collab. SOAIC 2016, pp. 56–63, 2017.
Conference on Autonomous Infrastructure, Management and Security, [136] L. Yang and H. Zhao, “DDoS attack identification and defense using
2008, vol. 5127 LNCS, pp. 190–194. SDN based on machine learning method,” in Proceedings - 2018 15th
[115] B. Andreas, J. Dilruksha, E. McCandless, S. Chakrabarty, and O. International Symposium on Pervasive Systems, Algorithms and
Youssef, “Flow-Based and Packet-Based Intrusion Detection Using Networks, I-SPAN 2018, 2019, pp. 174–178.
BLSTM,” SMU Data Sci. Rev., vol. 3, no. 3, 2020. [137] A. Alshamrani, A. Chowdhary, S. Pisharody, D. Lu, and D. Huang, “A
[116] Q. Dang, “Studying machine learning techniques for intrusion defense system for defeating DDoS attacks in SDN based networks,”
detection systems,” in International Conference on Future Data and in MobiWac 2017 - Proceedings of the 15th ACM International
Security Engineering, 2019, pp. 411–426. Symposium on Mobility Management and Wireless Access, Co-
[117] Willi Richert and Luis Pedro Coelho, Building Machine Learning located with MSWiM 2017, 2017, pp. 83–92.
Systems with Python. 2013. [138] M. A. Hall, “Correlation-based Feature Selection for Machine
[118] K. S.B., “Supervised Machine Learning: A Review of Classification Learning,” 1999.
Techniques,” Informatica, vol. 31, pp. 249–268, 2007. [139] V. Vetriselvi, P. S. Shruti, and S. Abraham, “Two-level intrusion
[119] Lowd Daniel and D. Pedro, “Naive Bayes models for probability detection system in SDN using machine learning,” in Proceedings of
estimation.pdf,” in International Conference on Machine Learning, the International Conference on Communications and Cyber Physical
2005, pp. 529–536. Engineering, 2018, pp. 449–461.
[120] P.-Y. Zhou and K. C. C. Chan, “A Model-Based Multivariate Time [140] X. S. Yang and A. H. Gandomi, “Bat algorithm: A novel approach for
Series Clustering Algorithm Pei-Yuan,” in PAKDD 2014: Trends and global engineering optimization,” Eng. Comput. (Swansea, Wales),
Applications in Knowledge Discovery and Data Mining, 2014, pp. vol. 29, no. 5, pp. 464–483, 2012.
805–817. [141] J. Li, Z. Zhao, R. Li, and H. Zhang, “AI-based two-stage intrusion
[121] Q. Cheng et al., “Machine learning based malicious payload detection for software defined IoT networks,” IEEE Internet Things J.,
identification in software-defined networking,” J. Netw. Comput. vol. 6, no. 2, pp. 2093–2102, 2019.
Appl., vol. 192, p. 103186, 2021. [142] A. M. Fatih, G. Cengiz, and K. Enis, “Usage of Machine Learning
[122] C. Yu, J. Lan, J. C. Xie, and Y. Hu, “QoS-aware traffic classification Algorithms for Flow Based Anomaly Detection System in Software
architecture using machine learning and deep packet inspection in Defined Networks,” in Intelligent and Fuzzy Techniques: Smart and
SDNs,” Procedia Comput. Sci., vol. 131, pp. 1209–1216, 2018. Ennovative Solutions, 2021, pp. 1156–1163.
[123] Z. Zhou and M. Li, “Tri-Training : Exploiting Unlabeled Data Using [143] M. S. Elsayed, N. A. Le-Khac, S. Dev, and A. D. Jurcut, “Machine-
Three Classifiers,” IEEE Trans. Knowl. Data Eng., vol. 17, no. 11, pp. Learning Techniques for Detecting Attacks in SDN,” in Proceedings
1529–1541, 2005. of IEEE 7th International Conference on Computer Science and
[124] Y. D. Lin, P. C. Lin, C. H. Yeh, Y. C. Wang, and Y. C. Lai, “An Network Technology, ICCSNT 2019, 2019, pp. 277–281.
extended SDN architecture for network function virtualization with a [144] N. N. Tuan, P. H. Hung, N. D. Nghia, N. Van Tho, T. Van Phan, and
case study on intrusion prevention,” IEEE Netw., vol. 29, no. 3, pp. N. H. Thanh, “A DDoS attack mitigation scheme in ISP networks using
48–53, 2015. machine learning based on SDN,” Electron., vol. 9, no. 3, pp. 1–19,
[125] T. C. Jr and X. Mountrouidou, “Selective Packet Inspection to Detect 2020.
DoS Flooding Using Software Defined Networking ( SDN ),” in IEEE [145] “Goldstein, M., 2021. Markus-Go/bonesi. [online] GitHub. Available
35th international conference on distributed computing systems at: <https://github.com/Markus-Go/bonesi> [Accessed 15 February
workshops., 2015. 2021].” .
[126] K. Cabaj, M. Gregorczyk, and W. Mazurczyk, “Software-defined [146] A. Banitalebi Dehkordi, M. R. Soltanaghaei, and F. Z. Boroujeni, “The
networking-based crypto ransomware detection using HTTP traffic DDoS attacks detection through machine learning and statistical
characteristics,” Comput. Electr. Eng., vol. 66, pp. 353–368, 2018. methods in SDN,” J. Supercomput., vol. 77, no. 3, pp. 2383–2415,
[127] G. Cusack, O. Michel, and E. Keller, “Machine learning-based 2020.
detection of ransomware using SDN,” SDN-NFVSec 2018 - Proc. 2018 [147] J. A. Perez-Diaz, I. A. Valdovinos, K. K. R. Choo, and D. Zhu, “A
ACM Int. Work. Secur. Softw. Defin. Networks Netw. Funct. Flexible SDN-Based Architecture for Identifying and Mitigating Low-
Virtualization, Co-located with CODASPY 2018, vol. 2018-Janua, pp. Rate DDoS Attacks Using Machine Learning,” IEEE Access, vol. 8,
1–6, 2018. pp. 155859–155872, 2020.
[128] C. Song, Y. Park, K. Golani, Y. Kim, K. Bhatt, and K. Goswami, [148] A. Sebbar, K. Zkik, Y. Baddi, M. Boulmalf, and M. D. E. C. El Kettani,
“Machine-learning based threat-aware system in software defined “MitM detection and defense mechanism CBNA-RF based on machine
networks,” 2017 26th Int. Conf. Comput. Commun. Networks, ICCCN learning for large-scale SDN context,” J. Ambient Intell. Humaniz.
2017, 2017. Comput., vol. 11, no. 12, pp. 5875–5894, 2020.
[129] A. Santos Da Silva, J. A. Wickboldt, L. Z. Granville, and A. Schaeffer- [149] J. Aiken and S.-H. Sandra, “Investigating Adversarial Attacks against
Filho, “ATLANTIC: A framework for anomaly traffic detection, Network Intrusion Detection Systems in SDNs,” in IEEE Conference
43
on Network Functions Virtualization and Software Defined Networks, [172] D. Jankowski and M. Amanowicz, “On Efficiency of Selected Machine
2019, pp. 1–7. Learning Algorithms for Intrusion Detection in Software Defined
[150] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, “Athena: A Networks,” Int. J. Electron. Telecommun., vol. 62, no. 3, pp. 247–252,
Framework for Scalable Anomaly Detection in Software-Defined 2016.
Networks,” in Proceedings - 47th Annual IEEE/IFIP International [173] D. E. Moriarty, A. C. Schultz, and J. J. Grefenstette, “Evolutionary
Conference on Dependable Systems and Networks, DSN 2017, 2017, Algorithms for Reinforcement Learning,” J. Artif. Intell. Res., vol. 11,
pp. 249–260. pp. 241–276, 1999.
[151] N. Meti, D. G. Narayan, and V. P. Baligar, “Detection of distributed [174] C. J. C. H. WATKINS and P. DAYA, “Q-Learning,” Mach. Learn.,
denial of service attacks using machine learning algorithms in software vol. 8, pp. 279–292, 2020.
defined networks,” in 2017 International Conference on Advances in [175] V. Mnih et al., “Human-level control through deep reinforcement
Computing, Communications and Informatics, ICACCI, pp. 1366– learning,” Nature, vol. 518, no. 7540, pp. 529–533, 2015.
1371. [176] J. Schulman, F. Wolski, P. Dhariwal, A. Radford, and O. Klimov,
[152] R. Santos, D. Souza, W. Santo, A. Ribeiro, and E. Moreno, “Machine “Proximal Policy Optimization Algorithms,” arXiv:1707.06347v2
learning algorithms to detect DDoS attacks in SDN,” Concurr. [cs.LG], pp. 1–12, 2017.
Comput. Pract. Exp., vol. 32, no. 16, pp. 1–14, 2020. [177] C. C.-Y. Hsu, C. Mendler-Dünner, and M. Hardt, “Revisiting Design
[153] P. Hadem, D. K. Saikia, and S. Moulik, “An SDN-based Intrusion Choices in Proximal Policy Optimization,” arXiv:2009.10897v1
Detection System using SVM with Selective Logging for IP [cs.LG], 2020.
Traceback,” Comput. Networks, vol. 191, no. September 2020, p. [178] L. S. R. Sampaio, P. H. A. Faustini, A. S. Silva, L. Z. Granville, and A.
108015, 2021. Schaeffer-Filho, “Using NFV and Reinforcement Learning for
[154] D. Hu, P. Hong, and Y. Chen, “FADM : DDoS Flooding Attack Anomalies Detection and Mitigation in SDN,” in Proceedings - IEEE
Detection and Mitigation System in Software-Defined Networking,” in Symposium on Computers and Communications, 2018, pp. 432–437.
GLOBECOM 2017-2017 IEEE Global Communications Conference., [179] M. Zolotukhin, S. Kumar, and T. Hamalainen, “Reinforcement
2017, pp. 1–7. learning for attack mitigation in SDN-enabled networks,” in
[155] H. Polat and O. Polat, “Detecting DDoS Attacks in Software-Defined Proceedings of the 2020 IEEE Conference on Network Softwarization:
Networks Through Feature Selection Methods and Machine Learning Bridging the Gap Between AI and Network Softwarization, NetSoft
Models,” sustainability, vol. 12, no. 3,1035, 2020. 2020, 2020, pp. 282–286.
[156] T. Kohonen, “Essentials of the self-organizing map,” Neural Networks, [180] I. Akbari, E. Tahoun, M. A. Salahuddin, N. Limam, and R. Boutaba,
vol. 37, pp. 52–65, 2013. “ATMoS: Autonomous Threat Mitigation in SDN using
[157] “CTU-BOTNET.” [Online]. Available: https://mcfp.weebly.com/. Reinforcement Learning,” in Proceedings of IEEE/IFIP Network
[Accessed: 20-Oct-2021]. Operations and Management Symposium 2020: Management in the
[158] “Malware Traffic Analysis,” Malware-Traffic-Analysis.net, 2018. Age of Softwarization and Artificial Intelligence, NOMS 2020, 2020,
[Online]. Available: https://www.malware-traffic-analysis.net/. pp. 1–9.
[Accessed: 21-Jan-2021]. [181] T. V Phan, T. M. R. Gias, and S. T. Islam, “Q-MIND : Defeating
[159] G. Sun, W. Jiang, Y. Gu, D. Ren, and H. Li, “DDoS Attacks and Flash Stealthy DoS Attacks in SDN with a Machine-learning based Defense
Event Detection Based on Flow Characteristics in SDN,” in Framework,” in IEEE Global Communications Conference
Proceedings of AVSS 2018-15th IEEE International Conference on (GLOBECOM), 2019, pp. 1–6.
Advanced Video and Signal-Based Surveillance, 2018, pp. 1–6. [182] P. T. Dinh and M. Park, “BDF-SDN: A Big Data Framework for DDoS
[160] P. Phaal, S. Panchen, and N. McKee, “Traffic Monitoring using Attack Detection in Large-Scale SDN-Based Cloud,” in IEEE
sFlow,” RFC3176 InMon Corp. sFlow A Method Monit. Traffic Conference on Dependable and Secure Computing, DSC, 2021, pp. 1–
Switch. Routed Networks, 2001. 8.
[161] L. Van Der Maaten, “Accelerating t-SNE using tree-based algorithms,” [183] P. Wette, A. Schwabe, F. Wallaschek, M. H. Zahraee, and H. Karl,
J. Mach. Learn. Res., vol. 15, pp. 3221–3245, 2015. “MaxiNet : Distributed Emulation of Software-Defined Networks,” in
[162] “Faucet controller.” [Online]. Available: https://faucet.nz/. [Accessed: IFIP Networking Conference. IEEE, 2014.
20-Feb-2021]. [184] S. Kim and S. Member, “Deep Reinforcement Learning-Based Traffic
[163] M. M. Oo, S. Kamolphiwong, and T. Kamolphiwong, “The Design of Sampling for Multiple Traffic Analyzers on Software-Defined
SDN Based Detection for Distributed Denial of Service (DDoS) Networks,” IEEE Access, vol. 9, pp. 47815–47827, 2021.
Attack,” ICSEC - 21st Int. Comput. Sci. Eng. Conf., vol. 6, pp. 258– [185] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho,
263, 2018. “Deep learning approach for Network Intrusion Detection in Software
[164] T. M. Nam et al., “Self-organizing map-based approaches in DDoS Defined Networking,” in International Conference on Wireless
flooding detection using SDN,” in International Conference on Networks and Mobile Communications, WINCOM 2016: Green
Information Networking, 2018, pp. 249–254. Communications and Networking, 2016, pp. 258–263.