Measurement: Sensors 24 (2022) 100580

Contents lists available at ScienceDirect

Measurement: Sensors
journal homepage: www.sciencedirect.com/journal/measurement-sensors

Network intrusion detection in software defined networking with

self-organized constraint-based intelligent learning framework
Anurag Bhardwaj a, Ritu Tyagi b, Neha Sharma c, *, Akhilendra Khare d, Manbir Singh Punia e,
Vikash Kumar Garg f
a
Senior Software Engineer, Apisero, INC, Delhi, India
b
City College, Jayanagar, Bengaluru, India
c
Chitkara University Institute of Engineering & Technology, Chitkara University, Rajpura, Punjab, India
d
Department of Computer Science & Engineering, Galgotias University, Greater Noida, Uttar Pradesh, India
e
Department of IT, Homi Bhabha Cancer Hospital, Sangrur, Punjab, India
f
Department of Computer Science & Engineering, SLIET, Longowal, Punjab, India

A R T I C L E I N F O A B S T R A C T

Keywords: With the advent of internet and communication system, a huge number of opportunities have been presented to
Intrusion detection system humans, however, its vision will not be easy and comfortable. Instead the current network systems are filled up
Software defined network with slew of problems that must be addressed on timely basis. One of the prominent concerns in IoT is security. A
Distributed denial of service attack
number of security methods have been proposed but they are still in their lowest levels and needs upgrade. One
Denial of service attack
Internet of things
such solution is Software defined network (SDN). Although SDN is anticipated to provide a favorable atmosphere
Security, Network infrastructure for different security activities in IoT, there is still so much progress to be made because SDN cannot solve se­
curity challenges on its own. Furthermore, the SDN inherently imposes additional security flaws. Because of the
large susceptibility area in SDN-based IoT systems, a wide range of faults like DOS, DDOS, U2R etc., are directed
against them. In addition to this, majority of the current IDS were based on machine learning techniques,
however, the problem with such methods was that they generated high false rates and were not producing
effective results when datasets were non-linear. Moreover, overfitting caused by the noisy data also hindered the
performance of ML based systems. Therefore, the objective is to review and provide an effective and efficient
intrusion detection techniques that solves the issues addressed.

1. Introduction that make our lives easier. Such explosive growth symbolizes not only
technological progress, but also the ability for hackers to exploit this
Ever since 1990s, internet and communication technologies (ICT) exceptional architecture to exploit a large number of network systems
have advanced, making Internet as one of the leading network systems and data assets. Furthermore, while considering the huge quantities of
around the globe. As per the report, it is estimated that over 50% of the data created by IoT, it is clear that traditional wireless devices will be
world’s population utilizes the internet facility with 85% users in Europe unable to meet the quality of service (QoS) needs of these varied use
and 95% users in North America. Throughout the last few years, the total cases [2] (see Table 1).
number of devices linked to the internet is exploding continuously via Online companies made possible by Internet technology have
internet of things (IoT). As per the Cisco, there would be roughly 27.1 become essential components of our daily lives. Networking architec­
billion network devices on the globe by the end of 2021 [1]. Owing to tures are essential in making those programs widely accessible and
advances in the area of cellular networks, big data, and cloud services, responsive to people’s wants and demands. With the pace of innovation
the number of linked devices along with the Internet of Things (IoT) in the communication network, a new design referred as software-
application scenarios has been steadily expanding. Home automation defined network (SDN) has emerged, that can fulfil the expanding ex­
systems, automated vehicles, surveillance systems, smart buildings, and pectations of users [33]. SDN is an evolving design which is flexible,
online medical facilities are some of the few examples with IoT scenarios controllable, cost-effective and adaptive, hence, making it more suitable

* Corresponding author.
E-mail address: [email protected] (N. Sharma).

https://doi.org/10.1016/j.measen.2022.100580
Received 31 October 2022; Accepted 19 November 2022
Available online 21 November 2022
2665-9174/© 2022 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-
nc-nd/4.0/).
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

Table 1 Table 1 (continued )

Comparison and overview to the current NIDS in SDN. Author name and Findings Journal
Author name and Findings Journal year
year
information transmission to
Jose, Ancy Proposed an attack detection Revista Geintec-Gestao increase the network
Sherin et al. and mitigation system in Inovacao E Tecnologias through put by 13%, 39%
[3], (2021) which different classification data drop ration, 11% data
methods and feature latency.
extraction techniques were Sarica AK et al. Offered a real-time intrusion Sensors (Basel).
used along with ANOVA F- [13], (2020) detection and prevention
Test statistical method. approach for SDN by using
Ibrahim, Omar Suggested a new framework Journal of Physics: Conference Random forest classifier. It
Jamal et al. for detecting intrusions in Series was capable of detecting and
[4], (2021) which SVM was used along mitigating threats in SDN-
with the grid search managed IoT networks in
approach method which real time and with high
achieved an accuracy of accuracy.
99.8%. Gong, Bei et al. Focused on building a trust Wireless Communications and
Hakiri, Akram Proposed a new blockchain- Proceedings of the 2021 ACM [14], (2021) routing method for self- Mobile Computing 2021
et al. [5], based network architecture International Workshop on organizing the networks so
(2021) in which Software Defined Software Defined Networks & that network traffic is
Network (SDN) and Network Network Function balanced and transmission
Function Virtualization Virtualization Security. delays are reduced.
(NFV) was used for securing Zheng, Guiping Presented a dynamic Wireless Communications and
the network. The proposed et al. [15], network security technique Mobile Computing 2021
architecture has low latency (2021) for recognizing the
rate and high throughput unfamiliar nodes in the
Alzahrani, A.O Proposed an intrusion Future Internet 2021 network efficiently and
et al. [6], detection method that was precisely while guaranteeing
(2021) based on tree based ML the network’s proper
approaches like, DT, RF and functioning. The model
XGBoost for identifying achieved high accuracy also
attacks like DDOS, OROBE, eliminated the risk of rogue
R2L and U2R with 95.95% nodes serving as
accuracy. administration nodes,
Manso, Pedro Proposed a SDN based IDS Information decrease node energy usage
et al. [7], that can detect the attacks Esubalew M. Proposed and developed a Journal of Computer Networks
(2019) like DDOS and alerts SDN Zeleke et al. centralized signature-based and Communications
controller when it detects [16], (2021) IDS that was based on RF
any. classifier. The model
F. A. Yaseen et al. Proposed a unique MN’s tag 2019 Sixth International achieved an accuracy of
[8], (2019) that may be utilized as a non- Conference on Internet of 99.713% on CICDS2017
standard identification for Things: Systems, Management database.
directing and transporting and Security (IOTSMS), Mehmood, Proposed a IDS in which Cmc-Computers Materials &
internet traffic on software- Mavra, et al. min-max was used for ore- Continua
defined networking (SDN) [17], (2022) processing, RF recursive
systems method was used for
Thomas Rincy N Proposed a hybrid NID- Wireless Communications and extracting features and
et al. [9], shield NIDS along with Mobile Computing ANFIS was used for
(2021) CAPPER technique in which classifying attacks U2R, R2U
different ML based methods and DDOS attacks using
were trained on UNSW- SVM. The model achieved
NB15 and NSL-KDD 99.3% accuracy
databases. It yields a better Goodgion, Suggested an Active Host Active Response Using Host-
accuracy rate with low FPR Jonathon S based network security Based Intrusion Detection
Taehoon Eom Proposed a real time Security and Communication [18], (2017) response (AHNSR) which is System and Software-Defined
et al. [10], intrusion response in SDN Networks basically a model that Networking
(2020) that used precomputations incorporates the HIDS and
to assess the probability of SDN to improve the security
attacks that can occur. The system by enabling the
suggested method can be dynamic active response and
leveraged to provide rebuilding from a global
efficient real-time mitigation network architecture
solutions for SDN security. standpoint.
Otor, Samera Proposed a novel IDS Cogent Engineering Wang, Li, and suggested a real time-based International Conference on
Uga et al. [11], technique that was based on Dinghao Wu network protection Security and Privacy in
(2021) foraging behavior of social [19], (2017) architecture, named as Communication Systems.
spider by using conventional SecControl in which current Springer, Cham,
NSL-KDD and real network security and SDN techniques
traffic OAUnet databases. It were sued to create a safe
yielded high accuracy, and and secure SDN
low false rate. environment. It provided
Haseeb, K et al. Suggested a ML approach Electronics 2021 effective defense responses
[12], (2021) along with the SDN-enabled over SDN-enables networks
security to anticipate Lobato et al. Developed an intrusion Universidade Federal do Rio de
network resource utilization [20], (2013) prevention system in the Janeiro-GTA/COPPE-Rio de
and also optimized sensor Future Internet Testbed with Janeiro, Brazil
Security (FITS) environment
(continued on next page)

2
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

Table 1 (continued ) Table 1 (continued )

Author name and Findings Journal Author name and Findings Journal
year year

for testing and validating Amanowicz M from attackers’ activities,

Next-generation Internet et al. [31], which takes full advantage
protocols. (2021) of SDNs’ inherent
Xing, Tianyi, Developed a novel IDPS 10th International Conference capabilities and also used
et al. [21], framework which relied on on Network and Service data mining methods to
(2014) the Snort-based IDS and Management (CNSM) and identify and classify harmful
Open vSwitch (OVS). The Workshop. IEEE, 2014. events in the SDN data layer.
suggested scheme was more Q. Schueller Integrated the benefits of 28th International
feasible and efficient than et al. [32], both a flow-based and a Telecommunication Networks
traditional techniques. (2018) packet-based IDS to deliver a and Applications Conference
ElSayed, Suggested a novel hybrid Journal of Network and high detection accuracy (ITNAC),
Mahmoud Said Deep Learning based Computer Applications 191 without compromising
et al. [22], strategy for classifying the network speed and used
(2021) network traffic into normal SVM for classifying atatcks.
and malicious categories by
using CNN.
Derhab A et al. Offered a security Sensors (Basel). 2019 for currently used high-bandwidth, complex applications. The purpose
[23], (2020) framework which combined of SDN is to generate a logically centralized center for internet and
Blockchain and SDN
techniques in which RSL-
networking architects and managers so that they can adapt swiftly to
KNN (hybridization of evolving customer requirements. Basically, SDN refers to a group of
Random Subspace Learning communication networks that are aimed at making the network
(RSL) and KNN) was used to increasingly adaptable in order to accommodate the advanced data
deal with forged commands
agency’s virtual computing and storage infrastructures. In other words,
and Blockchain based
integrity checking System it can be defined as a method to architecting, establishing, and main­
(BICS) for preventing taining connections which separated the network control and trans­
misrouting attacks. mitting planes which allows communication network to become easily
Singh, A soft-computing-based International Journal of configurable and the underlying hardware to be retrieved for system and
Parminder, strategy was used by Distributed Sensor Networks
et al. [24], researchers to lower the 15.10
network assistance [34].
(2019) false-positive rate (FPR) of One of the main features of the SDN is its ability to separate the
anomaly-based IDS with control plane from the data plane. Managers can shape traffic in a SDN
hierarchical data by suing software by configuring the controllers at the control and data planes
RNN method.
without disrupting network components like switches at the data layer.
Alrajeh, Nabil Ali Examined the application of International Journal of
et al. [25], GAs, artificial immune Distributed Sensor Networks The data is transmitted from transmitter to the receiver via flow rules
(2013) systems and artificial neural 9.10 which are created by the centralized controller in the control plane.
networks (ANN) in wireless These packages are handled by the data plane according to flow rules,
sensor networks (WSN). which comprises of various networking devices. The centralized
Rizwan, Ramsha, Offered a bioinspired International journal of
et al. [26], approach for detecting distributed sensor networks
controller is also responsible for managing each and every flow entry at
(2015) abnormalities in WSNs by 11.10 the switch level. SDN is used to address concerns faced by cloud vendors,
utilizing the AIS’s Negative like shifting load traffic, increased bandwidth requirements, and safety
Selection Algorithm (NSA). and sustainability issues [35]. Enterprisers and organizations utilize
The suggested technique was
OpenFlow that relied on SDN for managing and controlling traffic, op­
tested on a huge database
and the results demonstrate timizes bandwidth requirements and implement scaling policies. Several
that it is very accurate in firms have already embraced software-defined networking (SDN) tech­
detecting anomalies. nologies for their operations, especially cloud and telecommunication
Jahan, Aafreen, Proposed a ML based IDS for International Journal of companies. Because old methods are incapable of addressing their pre­
et al. [27], selecting features and Advanced Research in
(2017) classifying the attacks by Computer Science 8.5
sent business difficulties, today ‘s network strategies are software-based.
using NSL-KDD dataset. Service provider firms like Amazon, Rackspace, and IBM SoftLayer use
Abdallah, Proposed a novel IDS by The 16th International SDN principles, while the telecoms industry is also researching software
Mahmoud, merging the CNN and LSTM Conference on Availability, network techniques.
et al. [28], together. Also, they applied Reliability and Security
(2021) L2 regularization () and
dropout method to avoid 1.1. SDN framework
overfitting methods. 96.32%
of accuracy was achieved.
Alhaidari, Fahd, Proposed a virtualized Intelligent software-defined A typical SDN structure consists of three layers, those are; control
et al. [29], architecture, ISDN network for cognitive routing layer, infrastructure layer and application layer. The very first layer is
(2021) (Intelligent software defined optimization using deep application layer or plane which exposes several services like task
networks) that used Deep extreme learning machine scheduling, traffic control and safety of the system. This application
extreme Learning Machine approach
(DELM) for cognitive routing
plane is also responsible for conveying its needs and intended network
Optimization (CRO) information to the control plane via Northbound interface (NBI).
Abubakar, Atiku Proposed a flow based 2017 seventh international SDN’s control plane includes a centralized conceptual controller that
et al. [30], anomaly detection system, conference on emerging converts application layer needs into SDN data pathways and gives an
(2017) based on ML algorithms. The security technologies (EST).
idealistic picture of the system to SDN applications. These controllers
model achieved high IEEE,
detection rate of 97%. incorporate control logic and also enables the data layer assets to be
Developed a complete Sensors (Basel). controlled and managed. On the other hand, there are various network
method for securing SDNs components present in the data layer of SDN which is also called as the
forwarding plane or switches. Conventional devices disclose the

3
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

below;

a. NOX: it is a C++ based controller that processes and threads the data
packets in the network as well as interacting with the open Flow APIs
and OF switches.
b. POX: it is another controller that is python based and helps in aiding
in discovering paths and architectures.
c. Flood Light: Big Switch Networks provides a controller that can
readily coordinate the activities of the actual underlying infrastruc­
ture by giving instruction on how to treat messages.
d. RYU: it is yet another python-based controller that is utilized to
satisfy the developer individual need. It also has built-in extensibility
like Cluster and Architectural, similarly setup replicas and supports
for Open Flow, NETCONF, OF-Config, and partial support for P4
which makes it better suited for scientific work.

Originally, the open flow was created for innovative studies such that
a network operator may quickly implement the new methods. Never­
theless, it is clearly an important component of the Software-Defined
Network. The Control plane and the Data plane can readily interact in
order to send and receive messages and commands. Through intro­
ducing flow entries to the flow table, the controller regulates the flow
tables and network traffic. Three components make to a flow entrance
those are, condition, Action and statistics. The condition is utilized to
compare packets, priority values and the majority packet header infor­
mation. Whereas, action determines how to treat the data packet if it
matches with the field or not. On the other hand, statistics determine the
packet counts, match data packets in bytes and total time left till the
Fig. 1. Architecture of SDN
entry terminates.
Proactive and reactive methods are used to establish flow table on
switch. Whenever the system starts accepting network activity, the
proactively method controller sets incoming packets to linked switching
based on evidence from its devices connected. PACKET IN signals would
not cause it to become overwhelmed. Reactive method controllers, on
the other side, begin inserting incoming packets in the flow table
whenever the networks begin to receive packets [37]. Because the Open
Flow interface is such an important aspect of SDN, much safety study
focuses on it. During interaction, Open Flow employs the TLS standard
to independently authorize the switches and the controllers. Neverthe­
less, because there isn’t a single well-defined norm for it, manufacturers
have their own self-defined norm. Owing to the unavailability of
established rules for TLS usage in Open flow, the risk of a rule’s injection
assault underneath the guise of a DOS assault, also known as a Flood
Fig. 2. Example of DDOS attack.
attack, is very significant in the SDN network.

communication route and send network activity across the system. 1.3. Security issues in SDN
Switches in the SDN network are simpler modules that are used for
transferring packets with the help of rules provided by the controller. The SDN controller is among the most reliable security methods for
The southbound interface of the SDN constitutes the SDN control plane protecting systems from attackers. Nevertheless, as the number of cus­
and data plane whose responsibility is to manage all the forwarding’s tomers and network traffic grows, the likelihood of possible security
programmatically [36]. The decoupling of the control plane and data vulnerabilities grows as well. Furthermore, there’s been no efficient way
plane allows network administrators to simply adapt security policy, to identify limited DDoS attacks with high precision and low false pos­
allowing them to build a versatile, flexible networks by managing itive rate; therefore, because the control system is the important and
business needs via software instead of hardware. interictal aspect of SDN, any fault that occurs at the controllers might
impair or perhaps even crumble the existing network. As a result, several
1.2. SDN and open flow studies investigating the privacy challenges of SDN design have sug­
gested various proposals or possible solutions to alleviate a few of the
In any traditional network device, control module and the informa­ concerns. One of the drawbacks of SDN controller’s bad performance is
tion management module are fundamental operations, however, in case that it gets overloaded when it receives a large number of data packets,
of the SDN the controlling plane is decoupled from the data layer. This fluxes which we return prevents the controllers from processing
controller is attached to various networking devices that identify the incoming traffic. The subject about how to increase the productivity of
architecture of the network. Moreover, the flow stat command allows the SDN controller will almost probably require more research (see
the system manager to adjust the path of the communication and erases Fig. 1).
dangerous flow entries. Customization, capacity, contention, and other Other issue is the efficiency of detecting attacks, which is difficult to
difficulties can all be resolved using an SDN controller. There are achieve as attackers are constantly modifying their assault behavior,
number of controllers that are used in SDN, some of them are mentioned primarily whenever the assault traffic is disguised as regular traffic and

4
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

• Control plane: The hacker makes a high number of orders from faked
IP addresses, that causes the Control Plane to execute a substantial
percentage of Packet in data which ultimately causes the authorized
user’s request to be delayed or denied.
• Interaction link between control and data layers: The intruder could
target the network connectivity between control and data planes
thereby, reducing the total bandwidth available.
• Data plane: An intruder could target the data plane by overflowing
the device’s flow table which results in a flow-table overflowing
attack [39].

1.4. SDN based intrusion detection systems

SDN security is a serious challenge due to the great diversity of va­

rieties of SDN implementations. As a result, an effective network
intrusion detection system (NIDS) is required. An intrusion detection
system or IDS can be defined as the hardware or software system which
examines the incoming and outgoing traffic in real time scenario. It
scans the infrastructure for harmful activity and, if it detects any, no­
tifies the operator. Also, it keeps a record of whether or not network
packets are being exploited. The block diagram of the intrusion detec­
tion system in SDN is illustrated in Fig. 3 [40].
Fig. 3 illustrates how the current intrusion detection system observes
the network traffic and accordingly informs the controller about it. The
controller is responsible for adding the new rules in the system whenever
Fig. 3. Block diagram of IDS in SDN.
the system finds the need to alter the current ongoing traffic rules.
Infiltration detecting is the practice of observing and analyzing activities
in a system or device for evidence of anomaly. Anomalies are the names
given to such evidence of interference which can be classified into three
groups of point anomalies, collective anomalies and contextual
anomalies.

• Point anomaly: It can be defined as the piece of data which is clearly

distinguishable from those other pieces of data.
• Collective anomaly: When a group of related items is identified as an
anomaly when compared to certain other items, it is referred to as a
collective anomaly. Independently, they may appear to be regular.

Contextual anomaly: when an object appears odd when seen in a

specific context for instance, a temporal or spatial feature.
Possible break, masquerade attempts, infiltration of the protection
control scheme, leaking, denial of service, and malevolent person are the
Fig. 4. Overview of IDS six forms of assaults. Fig. 4 depicts an IDS in its entirety.
The intrusion detection system (IDS) are basically classified into two
thus difficult to identify. The exploit seeks to overload specific network types, one is network IDS and the other is Host IDS. While discussing
capabilities by overwhelming the SDN-switch with a large volume of about the Host based IDS, application is either deployed on the isolated
mismatched messages, as previously stated. Additional areas of security, host or on the network device for monitoring the behavior of every host
including as malware attacks, data manipulation, errors difficulties, and which include, integrity, file modifications, traffic patterns, and event
denial of service, are also challenges for SDN [38]. A DDoS assault could logs. The HIDS have the ability to access the information on the host
overburden the controller by replicating messages and flooding it with device which makes the attack judgements more accurate and precise.
fresh ones, or by faking the originating location. Every packet with no Unfortunately, this approach can enhance the overheads in the host’s
matched item in the routing table will be forwarded to the controllers for throughput which affects the performance of entire system. On the other
some further evaluation. This requires the administrator to issue a new hand, when we talk about the Network based IDS, all the incoming
command to the switches in order to handle following arriving packets. traffic is analyzed and examined in order to detect the intrusion signal. It
However, if the volume of new received traffic exceeds the bandwidth aims to predict harmful activity like DoS, DDoS, as well as other security
and controller’s capacity to process these, the entire infrastructure will breaches. A network-based IDS consists of a series of sensors for package
be brought to a halt. Fig. 2, showcases the example of distributed DOS traffic monitoring and an amount of storage for network administration.
attacks. The attacker’s purpose in a DDOS assault is to overload the On the basis of how data is processed in the system, IDS is further
targeted host’s bandwidth in order to disrupt the benign system. The divided into two types, one is signature based and other is anomaly
following sections illustrate how a DDoS attack in SDN can occur at detection. In signature-based detection treats infiltration activity as se­
several design planes: quences and builds a signature database around them. To identify
intrusion, this technique watches and compares the consumer identity to
• Attack on application layer: in this approach, the intrusion is carried the dataset. This method detects known assaults well and has a false
out via the application plane’s apps. The rogue app requires up all of alarm. This approach, on the other hand, is unable to recognize zero-day
the bandwidth, putting normal users at risk. assaults, that are fresh and undiscovered. While as, in case of anomaly-
based intrusion detection systems establishes a reference model of

5
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

acceptable behavior before attempting to find any deviations from that 2. Literature review
model. As a result, this approach is capable of detecting zero-day as­
saults. Signature-based IDSs make up the bulk of contemporary NIDSs. As detecting intrusions and attacks in the network is a hot research
The high false alarm rate, difficulties getting valid data for training, and area and a number of scholars have been working in this domain. Over
network dynamics are all causes for this unwillingness to move. the past few years, a significant number of Intrusion detection systems
In order to secure the software defined networks, a significant (IDS) were proposed by different researchers for software defined net­
number of ML algorithms were suggested. ML systems learn non-linear works (SDNs) in order to avoid any major data loss or security breaches.
trends of training data from a large number of training data and after­ Jose, Ancy Sherin et al. [3], the authors of this paper focused on the
wards identify threats within SDNs. Stochastic, probabilistic or Support development and deployment of anattack detection and mitigation
Vector Machine techniques can be used. Machine learning algorithms method for detecting flooding DDoS assaults via SDN network activity,
employed in intrusion detection have some drawbacks, due to their including TCP SYN flooding attacks, HTTP request flooding attacks, UDP
increasing accuracy and consistency in other applications. The flooding attacks, and ICMP flooding threats. In order to identify traffic as
complexity in identifying the discriminator, the lack of labelled datasets regular or hostile, the suggested scheme employed a variety of classifi­
for categorization and assessment, the increased price of errors, and the cation techniques. Using a features extraction tool along with the
heterogeneity of network activity are only a few of them. Several studies ANOVA (Analysis of Variance) F-Test statistical approach, the extracted
have investigated machine learning for intrusion detection in SDN sys­ features for categorization were determined. The effectiveness of every
tems in recent years. Nevertheless, these methods frequently result in a one of the classifiers was evaluated utilizing evaluation metrics for the
high percentage of false positives, which is a major worry for actual three selected features generated from the feature selection unit, and the
NIDSs. To overcome the limitations of the ML algorithms, Deep Learning outcomes were summarized. Ibrahim, Omar Jamal et al. [4], took the
(DL) is a relatively new technique that has had rich heritage in voice advantage of SDN’s abilities and proposed a new software enabled IDS
recognition, image processing, and natural language processing. framework that took SDN into account. The authors combined the
Because DL can dynamically systems are integrated in original data, it characteristics of the ML algorithms with the IDS so that high classifi­
can accelerate the level of intrusion detection. Experts expanded this cation accuracy can be attained and network can be defended against
research trend to a DL-based intrusion detection solution for the SDN threats. The Mininet emulator was used to construct a virtual network
environment, driven by the advancement of DL. Experts anticipate that using the Python code. Moreover, it’s also been deployed as an SDN
DL is a potential technology for intrusion detection in the future. They controller deployed on a Google cloud using OpenDaylight technology.
can apply DL and thereby achieve a high detection rate. SDNs’ circula­ In order to recognize attack anomalies, the suggested IDS employed a
tion and customizable design also makes the construction of NIDSs GridSearch approach combined with a Support Vector Machine (SVM).
easier. Furthermore, the databases UNSW-NB15 and NSL-KDD were used to
train the present project. According to the findings, the recommended
1.5. Research motivation method has high detection accuracy. The suggested machine learning
approach increases the detection performance to further over 99.8%
It has been observed that deploying NIDS (Network intrusion accuracy. The findings reveal that in an SDN-based cloud architecture,
detection systems) a better and powerful security mechanism is pro­ practically all conceivable network threats can be detected. Hakiri,
vided for identifying intrusions at the network entry points, than using Akram et al. [5], the forthcoming 5G mobile operator is a leading
SDN. Over the years, a number of researchers have implemented and technology for tackling the Internet of Things (IoT) connectivity diffi­
studied the Network based IDS in order to achieve optimum efficacy. It culties. With the advancement in the technology it is believed that the
refers to a program or technology which monitors network activity for low powered IoT devices will generate the mammoth size data which
potentially malicious behavior that violates policy. Some of the promi­ needs to be delivered through the ultra-reliable and low latency wireless
nent examples of attacks are, DDOS, security breaches, malware attacks, communication systems with 5G. Unfortunately, these IoT devices go
unauthentic users and so on. In order to identify these attacks effec­ through a number of security and privacy challenges in order to prevent
tively, network-based IDS are used, which is basically a network the unauthorized and unauthentic access to these nodes. To fix these
anomaly detection method that focuses on spotting unusual network problems, the experts of this study proposed a unique blockchain-based
activity or behavior in the network. Its effectiveness means that network framework for securing IoT interactions which makes use of Software
anomaly detection is properly deployed as part of the security archi­ Defined Network (SDN) and Network Function Virtualization (NFV). For
tecture. Because preventing potential attacks is practically difficult, boosting the flexibility and scalability of IoT environments, an enhanced
NIDS will facilitate timely detection and prevention. Unfortunately, security solution in the form of Virtualized Network Functions (VNFs) is
because most approaches currently rely on less competent signature- presented. Furthermore, to identify and report suspicious IoT nodes and
based methods, the development in NIDS has not inspired enough minimize malicious activity, the researchers offered a novel consensus
trust amongst professionals. protocol. Also, they assessed and compared the suggested method to
Inspired from this the current study aims to provide an IDS system three well-known consensus mechanisms, which are Proof of Work
especially in domain of SDN that will be capable to cope up with the (PoW), Proof of Elapsed Time (PoET), and Proof of Stake (PoS). The
limitation of current ML based approaches. From literature, it is results showed that the suggested method delivers much lower latency,
observed that there are different types of datasets available for the higher throughputand reliable IoT connection. Alzahrani, A. O et al. [6],
analyzing the IDS systems before implementing them to the real world highlighted the application of various ML techniques so that they can
scenarios. But there are certain research questions those researchers monitor the network traffic continuously and detect the suspected
have to put forward, like: what type of dataset will be appropriate for behavior in the system as the component of NIDS in the SDN controller.
SDN network they are focusing on? Which category of machine learning In order to detect the attacks, a number of standard and sophisticated
approaches will be appropriate to handle the size of datasets they are tree-based ML approaches such as, DT, RF and XGBoost were employed.
using? It is also observed from the study that most of the studies are Moreover, the suggested model was trained and tested by suing the
focusing on the ML based detection systems, very rare studies are NSL-KDD database. The database is subjected to a number of innovative
available those are using DL algorithms. In order to identify the reason preprocessing procedures in order to obtain the optimal shape of the
why DL are not much gaining popularity in this research domain it is information which results in exceptional results when compared to other
required to understand that whether such techniques are facing any is­ methods. Furthermore, a multi-class categorization task is carried out to
sues or less adaptive because of their complexity etc. These research recognize different attacks like DDoS, PROBE, R2L, and U2R were
gaps form the motivation for the review presented in this paper. detected by using only five features out of the available 42 features of

6
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

Fig. 5. Expected Research Design of proposed framework under ML.

the utilized database with an accuracy of 95.95%. Manso, Pedro et al. be processed. Additionally, by using the created tag rather than the
[7], discussed various network security flaws presented by connected Destination IP to route packets, the proposed alternative improved the
devices in the burgeoning Internet of Things (IoT) framework. More­ quality of the SDN architecture. As a result, the mobile nodes can
over, immediate ought to ameliorate the adverse effects of certain forms maintain the continuation of its connections while travelling amongst
of Distributed Denial of Service (DDoS) threats which attempt to exploit some of the APs of the associated system with the shortest possible delay
those security flaws. They created and deployed a Software-Defined time to guide the data stream to the target MN.
Intrusion Detection System which detects and mitigates assaults at Thomas Rincy N et al. [9], proposed a unique hybrid NIDS which
their source while guaranteeing regular function at the networking in­ classifies the information as per the distinct attack types to overcome
frastructure’s. The suggested concept includesan IDS which automati­ this challenge. Moreover, the assault names discovered in known attacks
cally identifies various DDoS attacks and alerts a Software Defined are categorized independently, which aids in forecasting the suscepti­
Networking (SDN) controller as soon as one is discovered. In addition to bility of particular attacks in distinct networks significantly. The hybrid
this, the present system also downloads some useful traffic routing de­ NID-Shield NIDS used both CAPPER, an effective feature subset selection
cision from the existing SDN controller to network devices. According to methodologyand other ML techniques. The measures were evaluated
the findings of the study, the present scheme identified many forms of using the UNSW-NB15 and NSL-KDD databases and ML techniques were
cyber-attacks centered on DDoS in real time thereby ameliorates its used to train the decreased precise and extremely valued feature subsets
adverse effects on network quality, and guarantees that regular traffic that were acquired from CAPPER. Furthermore, the shortened charac­
data is delivered correctly. The researchers also highlighted the impor­ teristics were then evaluated using the cross-validation approach. On the
tance of coding over an abstracted view of network architecture in UNSW-NB15 and NSL-KDD databases, different performance indicators
detecting Botnet exploitation, mitigating harmful traffic at its origin, revealed that the hybrid NID-Shield NIDS used with the CAPPER tech­
and protecting benign data. F. A. Yaseen et al. [8], a unique MN’s tag nique yields a better accuracy rate with low FPR, as well as decent
that may be utilized as a non-standard identification for directing and performance whenever assessed with different approaches found in
transporting internet traffic on software-defined networking (SDN) previous published studies. Taehoon Eom et al. [10], proposed a real
systems was proposed. A logical procedure which incorporates the time intrusion response in SDN that used precomputations to assess the
subscriber identity module (SIM) card info and the media access control probability of attacks that can occur. The authors also conducted a se­
(MAC) address generates the MN tag. Furthermore, the suggested curity audit using numerous SDN elements that were not present while
method directs the data packets as per the produced tag utilized by the merely tackling the elements of a current network. The experiments
connected devices as the MN identification. The findings revealed that indicated that the proposed model anticipates potential attack vectors of
SDN systems surpassed conventional approaches in terms of managing an active attack instantaneously and neutralize it, as well as it provides
link integrity and also minimized the time required for inbound data to safety parameters which are dependent on the flow chart, including SDN

7
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

Fig. 6. Expected Research Design of proposed framework M-D-Learning.

element. Therefore, the suggested method can be leveraged to provide faulty packages. Sarica AK et al. [13], In this research, a real-time
efficient real-time mitigation solutions for SDN security. Otor, Samera intrusion detection and prevention approach for SDN was offered,
Uga et al. [11], the experts in this paper proposed a novel IDS technique with the goal of providing automated security in high-traffic IoT net­
that was inspired from the foraging behavior of social spider. The au­ works in current 5G and far beyond systems whilealso maintaining a
thors utilized the signal transmission parameters like vibration fre­ high level of understandability by human analysts. At the SDN appli­
quency to create a system which can analyze real-world signals sent by cation layer, the suggested technique based on automatic flow extrac­
pcs and computing equipment in cyberspace to identify intrusion. tion of features and flow categorization utilized random forest classifier.
Moreover, the experts used the conventional NSL-KDD and real network To validate the supremacy of the recommended technique, the authors
traffic OAUnet databases to evaluate the suggested intrusion detection analyzed the accuracy results of the IDS in presence and absence of the
system. The suggested IDSs effectiveness was assessed and validated by suggested security approach using an SDN dataset that was created
comparing it with current classifiers employing performance criteria particularly for IoT. The extensive experiments showed that the sug­
such as accuracy rate, sensitivity, and specificity. Moreover, proposed gested security strategy was capable of detecting and mitigating threats
design performed better in terms off-measure and low false-positive rate in SDN-managed IoT networks in real time and with high accuracy.
as well. This demonstrated that the spider model is a reliable computing Gong, Bei et al. [14], focused on building a trust routing method for
strategy for improving intrusion detection with a low percentage of false self-organizing the networks. The suggested approach enhances the
positives in cyberspace. Haseeb, K et al. [12], provided a ML approach effectiveness of the entire system of suggested self-organized network
along with the SDN-enabled security to anticipate network resource through minimizing the performance usage of isolated self-organized
utilization and also optimized sensor information transmission. It also node and balancing the traffic on the network. This was based on an
included a centralized-based software define network (SDN) structure extensive assessment of data transfer rate, transmission delay, and other
for overcoming network risks amongst various sensors at a low cost of things relevant to the procedure status of the self-organized network.
maintenance. Initially, the ML approach was utilized that reduced the Zheng, Guiping et al. [15], the experts in this paper, presented a dy­
total number of communication overheads in the network. After this, a namic network security technique for recognizing the unfamiliar nodes
dynamic measurementwas used to anticipate the link status and refined in the network efficiently and precisely and also guarantee the network’s
its tactics by utilizing the SDN framework. Finally, the SDN controller proper functioning. For this, the direct trust value of the node was
employed a security mechanism to effectively regulate the usage of IoT determined by its behavior during the regional information exchange.
nodes while also protecting them against unknown events. When Subsequently, based on the trust recommendation value and power
compared with the standard HUNA and CMMA strategies, the suggested evaluation value of additional high trust nodes, the complete trust value
model enhanced system performance by 13% in terms of network is determined. Ultimately, management nodes and node integrity were
throughput, 39% in data drop ratio, 11% in data latency, and 46% in updated regularly. Furthermore, to maintain the system’s dynamic,

8
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

secureand dependable operation, malicious nodes were recognized and Testbed with Security (FITS) environment. The FITS platform was used
disconnected based on their trustworthiness. The simulation findings for testing and validating Next-generation Internet protocols. Xing,
revealed that the nodes trust value determined by this approach clearly Tianyi, et al. [21], there are number of challenges that are faced in Cloud
represents its credibility. In terms of ensuring reliable connection computing systems, one of them is security. In order to improve the
functioning, the technique may successfully identified suspicious nodes security in CC system, a significant number of researchers have used
with a greater detection accuracy and also eliminated the risk of rogue Intrusion detection and prevention systems (IDPS). Additionally, many
nodes serving as administration nodes, decrease node energy usage and experts have used SDN technique in their work for enhancing security in
defend against Assaults in wireless sensor networks. Esubalew M. Zeleke cloud systems. Yet, neither of the previous approaches developed a
et al. [16], proposed and developed a centralized signature-based comprehensive IPS solution that can dynamically alter the cloud
intrusion detection system (IDS). The model was trained using the network infrastructure to combat harmful assaults. Keeping this in mid,
Random Forest (RF) classifier. Also, the ML models were trained and the authors of this paper developed an intrusion detection and preven­
validated using CICIDS2017 which is one of the prominent and current tion systems that was based on SDN, namely as, SDNIPSfor cloud sys­
reference databases. On Wednesday’s publication of the database, just tems. The experts developed a novel IDPS framework which relied on
12 features were used to get a 99.968% accurate results. Taking the the Snort-based IDS and Open vSwitch (OVS). In order to improve the
actual CICIDS2017 database into account, the outcome was greater than preventative versatility of the cloud systems, the authors formulated the
that of the accuracy findings of comparable researches. In addition to functionalities of Network Reconfiguration (NR) and also implemented
this, a highest cross-validated accuracy score of 99.713% was reached them based on the POX controllers. Ultimately, SDNIPS evaluations
on the very same release of the database. Those models were constructed showed that the suggested scheme was more feasible and efficient than
to suit the basic requirements of a supervised IDS framework for smart traditional techniques. ElSayed, Mahmoud Said et al. [22], suggested a
surroundings that can be used in a variety of IoT service situations. novel hybrid Deep Learning based strategy for classifying the network
Mehmood, Mavra, et al. [17], provided a unique hybrid approach for traffic into normal and malicious categories by using CNN. Moreover,
detecting intrusions and categorizing attacks. In order to mitigate the the researchers used the novel regularizer technique called as, SD-Reg in
high false positive rate and low false negative rate in IDS, the current order to solve the issue of overfitting which in return increased the
method consists of three parts. The information is preprocessed in the capability of the NIDS for detecting intrusions. The SD-reg was based on
first stage using the data processing methodology and the min-max the SD of the weight matrix. The proposed SD-Reg surpassed the con­
approach. At the second stage, RF recursive feature elimination ventional regularizer approaches as per the findings. Furthermore, when
method was utilized to find the best features which helped the model to compared with the non-hybridized DL models, the suggested hybrid
perform well. In the very next stage, Adaptive neuro fuzzy system method performed better in all evaluation measures. For training eth
(ANFIS) was applied to classify various types of attacks including U2R, testing the suggested system, the authors used several databases which
R2U and DDOS attacks using SVM. The protocol was approved using included InSDN as well. In addition to this, they also proposed a light­
Fine Gaussian SVM (FGSVM) that has a 99.3% accuracy for the binary weight NIDS that involved training CNN based systems with least fea­
class. The Mean Square Error (MSE) for training examples is 0.084964, tures without affecting the performance of the model. Derhab A et al.
0.0855203 for testing, and 0.084964 for multiclass classification vali­ [23], the authors offered a security framework which combined Block­
dation. Goodgion, Jonathon S [18], suggested an Active Host based chain and SDN techniques. The suggested security mechanism basically
network security response (AHNSR) which is basically a model that focused on two issues. In order to deal with the forged commands, the
incorporates the HIDS and SDN to improve the security system by authors of this paper developed an IDS called as RSL-KNN that was
enabling the dynamic active response and rebuilding from a global basically a hybridization of Random Subspace Learning (RSL) and KNN.
network architecture standpoint. SDN gives new programmatic options Also, the authors proposed the Blockchain based integrity checking
which address the inflexible topologies of older networks, which is System (BICS) for preventing misrouting attacks that compromise with
critical to the functional design. SDN-software systems provide more the OpenFlow rules of SDN based IoT networks. The evaluation findings
adaptable security measures for both virtualized and enterprise systems, demonstrated that the suggested security solution was efficient and
which is critical in an age of fast-growing attacks which requires productive. Singh, Parminder, et al. [24], in this paper, a
specialized and adaptable security measures. Such SDN security rules soft-computing-based strategy was used by researchers to lower the
were intended to grant access to authorized users, defend networks from false-positive rate (FPR) of anomaly-based IDS with hierarchical data.
assaults, and provide prevention or remedies in the event of an attack. They used the RNN technique for identifying and categorizing normal
Wang, Li, and Dinghao Wu [19], suggested a real time-based network and anomaly data. The suggested scheme doesn’t need any assumptions
protection architecture, named as SecControl in which current security or information about the data structure which makes it more practical.
and SDN techniques were sued to create a safe and secure SDN envi­ On the KDDCup’99 and NSL-KDD sets of data, numerous attacks were
ronment. The proposed SecControl method was able to actively sense evaluated experimentally. The suggested scheme improved the IDS by
real-time security threats and also changed the secured communication allowing them to operate with the data which had both dependent and
network by leveraging the capabilities of existing security technologies. independent characteristics. Moreover, this strategy was advantageous
The model can be simply expanded to include a variety of approaches for in real-life settings when attacks are rare. Alrajeh, Nabil Ali et al. [25], in
handling a variety of security concern. The authors developed a security network security, intrusion detection systems (IDS) play a significant
framework for SDN with the help of SecControl that was compatible role. To build IDSs for particular situations and users, a variety of
with standard security tools. Moreover, the authors used OpenFlow to methodologies were employed. AI approaches were frequently
create a SecControl prototype and also assed the efficacy and perfor­ employed in the detection of dangers. This research examined the
mance. After conducting extensive experiments, it was found that the application of GAs, artificial immune systems and artificial neural net­
suggested SecControl method interfaced with a number of standard se­ works (ANN) in wireless sensor networks (WSN). Rizwan, Ramsha, et al.
curity protocols and also provided effective defense responses over [26], in this research, the researchers offered a bioinspired approach for
SDN-enables networks. Lobato et al. [20], security is considered as one detecting abnormalities in WSNs by utilizing the AIS’s Negative Selec­
of the biggest threats that the current and future networks are facing. It tion Algorithm (NSA). For this, the experts upgraded NSA and created a
is forecasted that majority of the future networks will be relied on the detector set which exclusively keeps anomalous packets. The random
virtualization which allows multiple networks to share the same phys­ packets then were checked and compared to the detector set and ab­
ical structure. To do so, the authors need to adopt the programmability normalities were found. Anomalous data packets were developed to
of SDN for developing an intrusion prevention system. In this paper, the determine particular anomalies through further analysis. The number of
authors developed an intrusion prevention system in the Future Internet wormholes, packets delayed and packets lost can all be estimated and

9
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

detected in this manner. The suggested technique was tested on a huge other systems in terms of detecting and classifying harmful traffic. Q.
database and the results demonstrate that it is very accurate in detecting Schueller et al. [32], the suggested approach integrated the benefits of
anomalies. The effectiveness of the suggested method was also analyzed both a flow-based and a packet-based IDS to deliver a high detection
by comparing it with the Clonal Selection Algorithm (CSA) on the very accuracy without compromising network speed. The current anomaly
same dataset. The results revealed that the suggested NSA outperforms detection technique of the flow-based IDS, relied on the SVM and was
the CSA in the majority of circumstances. Jahan, Aafreen, et al. [27], in trained with the DARPA database. This initial line of defense identifies
the suggested approach, classification and feature selection were used any network attacks. Whenever a harmful traffic was discovered, it was
for developing an IDS. The researchers created an Intrusion Detection replicated to a packet-based IDS for further analysis and response. The
System framework to describe cyberattacks and used the data collected findings showed that this technique achieves high detection rates and
to enhance the system. In the suggested scheme, the size of NSLKDD performance with little additional overhead.
database was reduced which in return improved the intrusion detection
process by using feature selection strategy. Additionally, they developed 3. Research gaps
an intrusion detection system using ML approaches to boost the number
unknown threats. They can learn about security personnel’ inclinations After analyzing and reviewing the literature, we found few research
and show them the types of notifications that have piqued their interest gaps in traditional IDS models, which are mentioned as follows;
in the past. Abdallah, Mahmoud, et al. [28], the authors of this article
proposed a novel IDS by merging the CNN and LSTM together. The • Firstly, many scholars recently have used ML based algorithms in
proposed approach was capable of recording the network traffic’s their work for detecting intrusions but the problem with such ap­
spatial and temporal characteristics. Moreover, to tackle the overfitting proaches is that they tend to produce a large rate of false positives,
problem the experts used two regularization techniques, those were, L2 which is a big concern for real NIDS.
regularization () and dropout method. The suggested scheme increased • Overfitting is yet another major concern for researchers when
the performance of zero-day intrusion detection. The suggested model dealing with the ML based IDS. This issue typically arises whenever
was tested and evaluated using the InSDN database, which is the most the algorithm attempts to understand noisy data which does not
current dataset for SDN architecture. The findings demonstrated that accurately represent the true features of regular patterns.
when CNN and LSTM were combined, the performance of the IDS also • Furthermore, the significant non-linearity in the data, adds to the
increases with an accuracy of 96.32%. The projected accuracy was complexity of ML techniques as they do not operate well with such
greater than the accuracy achieved in the single models. Furthermore, as high degree data.
compared to the traditional CNN, the regularization strategies enhance • Deep learning is gaining momentum in the field of intrusion detec­
the efficacy of the CNN methods in identifying new incursions. The tion, and the approach has already been applied to many aspects of
result of this research aided in the creation of reliable IDS solutions for the field and is not restricted to intrusion detection. However, deep
use in an SDN context. learning approaches have still yet to achieve a high level of efficiency
Alhaidari, Fahd, et al. [29], in this article, a virtualized architecture, in attack detection domain while as, ML techniques has achieved
ISDN (Intelligent software defined networks) that used Deep extreme accuracy levels in between 90 and 95%.
Learning Machine (DELM) for cognitive routing Optimization (CRO)
was proposed. The suggested process relied on the use of progressive 4. Hypothesis
DELM techniques notably probabilistic generative systems for
framework-wide learning, exhibiting, improving, and describing The main points that are covered under this review are given below:
knowledge. The suggested ISDN-CRO-DELM further recommended that
this learning framework can be integrated with the ISDN for CRO and 1) The foremost and important phase of the proposed model will be to
reconfiguration methodologies at the system level. For DELM analysis, provide a tunable detection scheme that will be capable to tune the
MATLAB 2019a was employed and the improved results indicated the ML approach automatically in order to achieve better training
efficacy of the proposed framework. Abubakar, Atiku et al. [30], in this outcome and less errors. This will assist the design framework to
work, the authors developed a virtual testbed which mimics the activ­ provide better classification results to detect intrusion in SDN.
ities of a real distributed environment, where a star topology was a. The suggestive ML technique categories that will be taken into
designed with hosts and servers connected to an OpenFlow OVS-switch. consideration for the proposed work will be 1 from tree based ML
Through replicating the traffic destination to the servers, the researchers approaches.
implemented a signature-based Snort IDS for monitoring the network 2) Other main focus of the proposed model should be to work on
traffic and detecting threats. The risk analysis indicated that potential different datasets available for NIDS in SDN in order to cope up with
assaults threats exist in the network design which were successfully the issues related to adaptively of conventional NIDS on variable
handled by Snort IDS, with the exception of a few for whom protection data inputs. This could assist the proposed model to present its
suggestions were offered. A flow-based IDS model was designed to allow effectiveness with variability over the data and promote its adapt­
scalable threat detection in the framework. In order to circumvent the ability in real time scenario.
limitations of signature-based IDS, a flow-based anomaly detection was 3) As one of our goals, we’re focusing on addressing flaws with tradi­
created by utilizing ML. The study revealed that the suggested pattern tional ML approaches by introducing the concept of auto-tuning, but
recognition neural network for ML utilizing trained model improves it’s worth noting that DL-based techniques are also highly recom­
detection of practically all conceivable assaults in the SDN environment mended due to their certain advantages over ML approaches.
by over 97%. Amanowicz M et al. [31],a complete method for securing
SDNs from attackers’ activities was offered, which takes full advantage The suggestive methods could also focus on designing a DL and ML
of SDNs’ inherent capabilities and also used data mining methods to based collaborative framework such that the problem of low accuracy in
identify and classify harmful events in the SDN data layer. Moreover, the case of DL can be improved by combining the features of ML in it and
system’s framework and mechanics were discussed, with a focus on flow proposed model can attain a high accuracy.
rule generation and classification. The notion was tested in an SDN
testbed which replicated conventional SDN flows. Also, the research 5. Methodology
demonstrated that the system may be successfully applied in SDNs to
reduce vulnerabilities posed by various hostile intruder actions. The The research process that should be adopted is as follows in order to
results revealed that the hybrid data mining approaches outperforms address the research gaps identified:

10
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

1) The first step toward the research will be doing a literature survey in Declaration of competing interest
order to understand various issues those are faced by different ML
and DL based approaches. This will also assist the current research to The authors declare that they have no known competing financial
theoretically and conceptually understanding the working processes interests or personal relationships that could have appeared to influence
and challenges of current NIDS in SDNs. the work reported in this paper.
2) Next step will be to figure out the different datasets available or used
by various researchers and finding out the challenges related to the References
features, classes, labels etc.
3) The third step should focus on designing the proposed framework for [1] Pedro Manso, José Moura, Carlos Serrão, SDN-based intrusion detection system for
early detection and mitigation of DDoS attacks, Information (2019) 106, 10.3.
developing a reliable NIDS system. The main focus of this step will be
[2] M. Ja’afreh, H. Adhami, A.E. Alchalabi, et al., Toward integrating software defined
firstly research the availability of the analyzed datasets, tools for the networks with the Internet of Things: a review, Cluster Comput. (2021), https://
development phase and other requirements required for develop­ doi.org/10.1007/s10586-021-03402-4.
ment. Other than this, we will also develop certain algorithms, flow [3] Ancy Sherin Jose, Latha R. Nair, Paul Varghese, Towards detecting flooding DDOS
attacks over software defined networks using machine learning techniques, Rev.
diagrams, mathematical calculation so that a clear picture can be Geintec-Gestao Inovacao E Tecnol. 11 (4) (2021) 3837–3865.
there for the development phase. [4] Omar Jamal Ibrahim, Wesam S. Bhaya, Intrusion detection system for cloud based
4) The next step should be development phase under which all the software-defined networks, in: Journal of Physics: Conference Series, vol. 1804,
IOP Publishing, 2021, 1.
phase of the designing framework such as preprocessing, extracting [5] Akram Hakiri, Behnam Dezfouli, Towards a blockchain-SDN architecture for secure
out the useful information from the shortlisted datasets and and trustworthy 5G massive IoT networks, in: Proceedings of the 2021 ACM
designing the network for the training and testing phases as per the International Workshop on Software Defined Networks & Network Function
Virtualization Security, 2021.
proposed framework. An analytical study will also be done under this [6] A.O. Alzahrani, M.J.F. Alenazi, Designing a network intrusion detection system
step in order to check the effectiveness of proposed model. based on machine learning for software defined networks, Future Internet 13
5) Fifth step is to focus of developing the framework similarly as done in (2021) 111, https://doi.org/10.3390/fi13050111.
[7] Pedro Manso, José Moura, Carlos Serrão, SDN-based intrusion detection system for
step 3. But in this phase the main focus will be on DL based meth­
early detection and mitigation of DDoS attacks, Information (2019) 106, 10.3.
odologies. An algorithm will be finally given that will provide a [8] F.A. Yaseen, H.S. Al-Raweshidy, A novel mobile node’s identifier for beyond 5G
combined decision of ML and DL approach given in the proposed SDN-based networks, in: 2019 Sixth International Conference on Internet of
Things: Systems, Management and Security (IOTSMS), 2019, pp. 203–208, https://
framework to increase the overall accuracy of the system.
doi.org/10.1109/IOTSMS48152.2019.8939165.
6) Final step will be to test and evaluate the proposed frameworks and [9] N. Thomas Rincy, Roopam Gupta, Design and development of an efficient network
their comparison with existing state of art techniques. intrusion detection system using machine learning techniques, Wireless Commun.
Mobile Comput. 2021 (2021), https://doi.org/10.1155/2021/9974270. Article ID
9974270, 35 pages.
[10] Taehoon Eom, Jin B. Hong, SeongMo An, Jong Sou Park, Dong Seong Kim,
A framework for real-time intrusion response in software defined networking using
5.1. Research design precomputed graphical security models, Secur. Commun. Network. 2020 (2020),
https://doi.org/10.1155/2020/7235043. Article ID 7235043, 15 pages.
[11] Otor, Samera Uga, et al., An improved bio-inspired based intrusion detection model
To make a clear vision toward the flow of the proposed framework an for a cyberspace, Cogent Eng. 8 (1) (2021), 1859667.
expected design of both the phases of proposed research are presented as [12] K. Haseeb, I. Ahmad, I.I. Awan, J. Lloret, I. Bosch, A machine learning SDN-enabled
follows: big data model for IoMT systems, Electronics 10 (2021) 2228, https://doi.org/
10.3390/electronics10182228.
[13] A.K. Sarica, P. Angin, Explainable security in SDN-based IoT networks, Sensors 20
5.1.1. Model A: NIDS for SDNs (tunable ML based approach) (24) (2020) 7326, https://doi.org/10.3390/s20247326. Published 2020 Dec 20.
Fig. 5 represents the ML based approach that will work on tunable [14] Bei Gong, Jingxuan Zhu, Yubo Wang, Construction of trusted routing based on trust
computation, in: Wireless Communications and Mobile Computing 2021, 2021.
concept in order to reduce the training errors in the network and im­ [15] Guiping Zheng, Bei Gong, Yu Zhang, Dynamic network security mechanism based
proves the detection accuracy in the testing phase. The test will be on trust management in wireless sensor networks, Wireless Commun. Mobile
conducted in order to analyze the impact of the variations done in the Comput. (2021) 2021.
[16] Esubalew M. Zeleke, Henock M. Melaku, Fikreselam G. Mengistu, Efficient
proposed scheme using simulation tool. The expected simulation tools intrusion detection system for SDN orchestrated internet of things, J. Comput.
for the proposed scheme can be MATLAB or Python. Netw. Commun. 2021 (2021), https://doi.org/10.1155/2021/5593214. Article ID
In Fig. 6, is the combined scheme using both ML and DL based 5593214, 14 pages.
[17] Mavra Mehmood, et al., A hybrid approach for network intrusion detection, Cmc
framework is given. Both the proposed ML and DL based architectures
Comput. Mater. Continua 70 (1) (2022) 91–107.
will be working in parallel in order to reduce the complexity and pro­ [18] Jonathon S. Goodgion, Active Response Using Host-Based Intrusion Detection
cessing time in order to avoid the issue related series based convention System and Software-Defined Networking, 2017.
[19] Li Wang, Dinghao Wu, Seccontrol: bridging the gap between security tools and sdn
hybrid modelling reviewed in the literature. The outcomes of the pro­
controllers, in: International Conference on Security and Privacy in
posed model will be combined at final stage in order to get a combined Communication Systems, Springer, Cham, 2017.
decision for the intrusion existence in the network. [20] Lobato Antonio Gonzalez Pastana, Ulisses da Rocha Figueiredo, O.C.M. Duarte, An
Architecture for Intrusion Prevention Using Software Defined Networks,
Universidade Federal do Rio de Janeiro-GTA/COPPE-Rio de Janeiro, Brazil, 2013.
5.1.2. Model B: NIDS for SDNs (M-D-learning approach) [21] Tianyi Xing, et al., SDNIPS: enabling software-defined networking based intrusion
prevention system in clouds, in: 10th International Conference on Network and
Service Management (CNSM) and Workshop, IEEE, 2014.
[22] Mahmoud Said ElSayed, et al., A novel hybrid model for intrusion detection
6. Conclusion and future scope systems in SDNs based on CNN and a new regularization technique, J. Netw.
Comput. Appl. 191 (2021), 103160.
[23] A. Derhab, M. Guerroumi, A. Gumaei, et al., Blockchain and random Subspace
In this paper, we reviewed a process to design a tunable and hybrid learning-based IDS for SDN-enabled industrial IoT security, Sensors 19 (14) (2019)
deep learning attack detection framework to handle security concerns in 3119, https://doi.org/10.3390/s19143119. Published 2019 Jul 15.
SDN. The future scope is to provide a NIDS system effective enough to [24] Parminder Singh, et al., Soft-computing-based false alarm reduction for
hierarchical data of intrusion detection system, Int. J. Distributed Sens. Netw. 15
detect the intrusion in different scenarios such as considering multiple
(10) (2019), 1550147719883132.
dataset for the evaluation for the proposed scheme. This will help its [25] Nabil Ali Alrajeh, Jaime Lloret, Intrusion detection systems based on artificial
easy adaptability in real time scenarios. Other than this the focuse on intelligence techniques in wireless sensor networks, Int. J. Distributed Sens. Netw.
both (ML and DL) the feature models of today’s trending technology that 9 (10) (2013), 351047.
[26] Ramsha Rizwan, et al., Anomaly detection in wireless sensor networks using
is artificial intelligence. The proposed model is expected to be a best immune-based bioinspired mechanism, Int. J. Distributed Sens. Netw. 11 (10)
solution for security in current SDN based systems. (2015), 684952.

11
A. Bhardwaj et al. Measurement: Sensors 24 (2022) 100580

[27] Aafreen Jahan, M. Afshar Alam, Intrusion detection systems based on artificial [34] Mutaz HH. Khairi, et al., A review of anomaly detection techniques and distributed
intelligence, Int. J. Adv. Res. Comput. Sci. 8 (2017) 5. denial of service (DDoS) on software defined network (SDN), Eng. Technol. Appl.
[28] Mahmoud Abdallah, et al., A hybrid CNN-LSTM based approach for anomaly Sci. Res. 8 (2) (2018) 2724–2730.
detection systems in SDNs, in: The 16th International Conference on Availability, [35] Diego Kreutz, et al., Software-defined networking: a comprehensive survey, Proc.
Reliability and Security, 2021. IEEE 103 (1) (2014) 14–76.
[29] Fahd Alhaidari, et al., Intelligent Software-Defined Network for Cognitive Routing [36] Yogita Hande, Akkalashmi Muddana, Santosh Darade, Software-defined network-
Optimization Using Deep Extreme Learning Machine Approach, 2021. based intrusion detection system, in: Innovations in Electronics and
[30] Atiku Abubakar, Bernardi Pranggono, Machine learning based intrusion detection Communication Engineering, Springer, Singapore, 2018, pp. 535–543.
system for software defined networks, in: 2017 Seventh International Conference [37] T. Naqash, S.H. Shah, M.N.U. Islam, Statistical analysis based intrusion detection
on Emerging Security Technologies (EST), IEEE, 2017. system for ultra-high-speed software defined network, Int. J. Parallel Program.
[31] M. Amanowicz, D. Jankowski, Detection and classification of malicious flows in (2021), https://doi.org/10.1007/s10766-021-00715-0.
software-defined networks using data mining techniques, Sensors 21 (9) (2021) [38] Mohammad A. Aladaileh, et al., Detection techniques of distributed denial of
2972, https://doi.org/10.3390/s21092972. Published 2021 Apr 23. service attacks on software-defined networking controller-a review, IEEE Access 8
[32] Q. Schueller, K. Basu, M. Younas, M. Patel, F. Ball, A hierarchical intrusion (2020) 143985–143995.
detection system using support vector machine for SDN network in cloud data [39] Nisha Ahuja, et al., Automated DDOS attack detection in software defined
center, in: 2018 28th International Telecommunication Networks and Applications networking, J. Netw. Comput. Appl. 187 (2021), 103108.
Conference (ITNAC), 2018, pp. 1–6, https://doi.org/10.1109/ [40] S. Smys, A. Basar, H. Wang, Hybrid intrusion detection system for internet of
ATNAC.2018.8615255. Things (IoT), J. ISMAC 2 (4) (2020) 190–199.
[33] Abbas Yazdinejadna, et al., A kangaroo-based intrusion detection system on
software-defined networks, Comput. Network. 184 (2021), 107688.

12