1862 IEEE TRANSACTIONS ON COGNITIVE COMMUNICATIONS AND NETWORKING, VOL. 8, NO. 4, DECEMBER 2022

A Flow-Based Anomaly Detection Approach With Feature Selection Method Against DDoS Attacks in SDNs

Mahmoud Said El Sayed, Nhien-An Le-Khac, Senior Member, IEEE, Marianne A. Azer, and Anca D. Jurcut

Abstract—Software Defined Networking (SDN) is an emerging network platform which facilitates centralised network management. SDN enables network operators to manage the overall network consistently and holistically, regardless of the complexity of the infrastructure devices. The promising features of SDN enhance network security and facilitate the implementation of threat detection systems through software applications using open APIs. However, the emerging technology creates new security concerns and new threats that do not exist in current traditional networks. Distributed Denial of Service (DDoS) attacks are among the most rampant attacks that can interrupt the functionality of the network and make most network services unreachable for network users. The efficient identification of DDoS attacks in SDN environments is still a challenge in the literature because of the number of network features taken into account and the overhead of applying machine learning based anomaly detection techniques. Hence, in this paper, we use two popular feature selection methods, i.e., Information Gain (IG) and Random Forest (RF), in order to analyse the most relevant features of DDoS attacks in SDN networks. Using the most relevant features improves the accuracy of the anomaly detection system and reduces the false alarm rate. Moreover, we propose a Deep Learning (DL) technique based on Long Short Term Memory (LSTM) and Autoencoder to tackle the problem of DDoS attacks in SDNs. We perform our analysis and evaluation on three different datasets, i.e., InSDN, CICIDS2017 and CICIDS2018. We also measure the overhead of the proposed DL model on the SDN controller and test the network performance in terms of network throughput and end-to-end latency. The results validate that the DL approach can efficiently identify DDoS attacks in SDN environments without any significant degradation in controller performance.

Index Terms—Anomaly detection, autoencoder, DDoS, deep learning, LSTM, InSDN dataset, SDN, traditional network.

Manuscript received 8 October 2021; revised 25 February 2022 and 18 April 2022; accepted 19 June 2022. Date of publication 28 June 2022; date of current version 9 December 2022. The research funding is University College Dublin (UCD). The associate editor coordinating the review of this article and approving it for publication was M. Chen. (Corresponding author: Mahmoud Said El Sayed.)
Mahmoud Said El Sayed, Nhien-An Le-Khac, and Anca D. Jurcut are with the School of Computer Science, University College Dublin, Dublin, D04 V1W8 Ireland (e-mail: [email protected]; [email protected]; [email protected]).
Marianne A. Azer is with the National Telecommunication Institute, Nile University, Cairo 12677, Egypt (e-mail: [email protected]).
Digital Object Identifier 10.1109/TCCN.2022.3186331
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

I. INTRODUCTION

The traditional IP networks, which are widely applied today, have become complex and difficult to manage. If IT operators need to configure any high-level network policies, such as Quality of Service (QoS) or routing policy, they have to access the network devices (e.g., routers and switches) separately using vendor-specific commands, which increases the overall complexity of the network. Additionally, IP-based network devices are vertically integrated: the control plane (responsible for decision-making) and the data plane (which forwards the network traffic according to the instructions from the control plane) are embedded in the same network device. Coupling the control and data planes can hamper the innovation of the network infrastructure and reduce the flexibility of the network for any change or update. Besides, the rapid growth of networking can increase maintenance costs and significantly reduce network innovation in traditional networks. Therefore, developing a new routing algorithm could take 5 to 10 years and would practically be very costly [1]. Moreover, since all devices are spread through the entire network, there is an increase in the number of middlebox devices such as firewalls, load balancers, detection and defense systems, etc. According to Kreutz et al. [1], 57% of network enterprises reported that the number of middlebox devices has significantly increased and reached the same number as other mandatory network devices like routers.

To address many of the traditional IP network limitations, the emerging network architecture, often known as Software Defined Networking (SDN), offers faster failover and enables the network to be centrally controlled. The key idea behind SDN is to abolish vertical integration by splitting the underlying infrastructure devices from the control plane. The key difference between SDN and a traditional network is shown in Fig. 1. Decoupling the two planes increases network flexibility and facilitates network management with the aid of a centralised controller. The new paradigm allows operators to manage the entire network using software APIs connected with the SDN controller through the northbound interface, regardless of the underlying network technology. The global visibility introduced by the SDN system encourages many business enterprises, such as Google, Huawei and Microsoft, to implement the new paradigm in their network data centres [2].

Despite all the benefits offered by SDN, security is one of the significant challenges that can slow down its widespread adoption and deployment over different networks. Since the centralised controller is the heart of the network, it is vulnerable as a single point of failure. In case the attacker successfully
exploits the controller system, he can hinder or control the entire network as he wishes. DDoS is one of the most critical threats in SDN networks. Unfortunately, all SDN layers, i.e., the data, control and application planes, are targets of DDoS attacks. Besides, the communication channels between the data plane devices and the control plane have become a potential target for DDoS attacks. Some mitigation techniques, as described in [3], suggested a secondary controller to reduce the damage resulting from DDoS attacks. However, using a secondary controller is not a practical solution to the problem, since it can also be susceptible to DoS/DDoS attacks.

Fig. 1. Traditional vs SDN architecture.

Intrusion Detection Systems (IDSs) are standard security solutions to monitor and detect malicious activities inside an organisational network. If the observed incoming or outgoing traffic matches suspicious activity, an alarm is generated, referring to a detected attack. Therefore, the development of IDSs is a vital direction for many researchers [4], [5], since the security challenges are among the most critical issues facing SDNs. Statistical, Machine Learning (ML) and DL techniques are widely applied in anomaly-based detection^1 solutions [6]. The centralised control plane architecture in SDN provides new opportunities to defend against DDoS attacks. Motivated by this fact, we apply DL techniques to address the problem of DDoS attacks in SDNs.

^1 In this article, we use intrusion detection and anomaly-based detection systems interchangeably to refer to the same concept.

On the other hand, feature selection methods are one of the significant pre-processing phases for successful anomaly detection models [7]. Such techniques eliminate irrelevant and redundant features, retaining only the most representative characteristics of the original dataset. Using an optimised feature subset not only improves the accuracy and detection rate of the classifier, but also reduces the execution time. So, using fewer features can help to develop a lightweight model able to detect malicious attacks in a real-time network with low computational resources and prediction latency. In addition, avoiding the curse of dimensionality through feature selection makes the model less prone to the overfitting problem. Thus, removing noisy and useless features has led many researchers to use feature selection strategies in cybersecurity intelligence solutions to achieve high model performance in ML/DL tasks [8], [9].

Feature selection can be categorised into three general methods: filter, wrapper and embedded methods. Some examples of each method are shown in Fig. 2. The interested reader may refer to [10], [11] for more details regarding the different feature selection approaches.

Fig. 2. Methods for Feature Selection.

Although several feature selection methods with ML models have been proposed to detect DDoS attacks [8], [12], [13], the existing mechanisms to prevent DDoS attacks are ineffective on SDNs. One of the significant limitations associated with the aforementioned work is the lack of an intrusion dataset for the SDN network. Researchers widely used datasets generated on conventional networks, i.e., not on the SDN architecture. However, this adaptation may not be close enough to real detection techniques in SDNs [14]. SDN has brought its own security threats, and the nature of these threats is different from those commonly affecting legacy networks. For example, all unmatched flows at the OpenFlow switches are forwarded to the SDN controller for a policy request. The intruder can send a huge amount of unmatched flows to overwhelm the controller resources, creating a new kind of DDoS attack. In addition, the attack traffic mimics normal behaviour, since both normal and malicious traffic are forwarded to the SDN controller for decision making. Therefore, the relevant features of DDoS attacks on conventional networks are not necessarily related to the DDoS class on the SDN network. Moreover, using a weak feature selection algorithm will omit the most relevant parameters, and this can waste significant data information.

Given the success of DL in several domain areas, a combination of SDN and DL can improve the performance of intrusion detection systems and thus secure the network better. However, as network speed becomes faster, there is an emerging need for an IDS to be lightweight with high detection rates. Therefore, feature selection is a significant issue and plays a crucial role in intrusion detection to achieve maximal performance. An efficient feature subset can improve the training and testing time, which helps to build a lightweight IDS guaranteeing high detection rates and making the IDS suitable for real-time and online detection of attacks. In this context, we evaluate the most relevant features of DDoS attacks with the top 10 ranked features obtained by using two common feature selection methods: Information Gain (IG) and RF strategies. Several experiments based on three different datasets have been conducted to look at the impact of feature selection on
the classifier accuracy and execution times. The DDoS modeling process is depicted in Fig. 3.

Fig. 3. DDoS Modeling with Feature Selection Process.

The key contributions of this work can be summarised as follows:
• Two popular feature selection methods (IG and RF) are used to find the most relevant DDoS attack features in each dataset individually. The proposed feature selection method is tested on three benchmark flow-based datasets, i.e., InSDN [14], CICIDS2017 [15] and CICIDS2018 [15].
• A DL based IDS process (Fig. 3) to detect DDoS in SDN. This process includes an extension of our previous DDoSnet model [16] and our feature selection approaches. The results show that using the selected feature methods with the proposed system helps in reducing model complexity without any effect on the accuracy of the model.
• Analysis of the network performance of the DL model on the SDN controller. The result analysis shows that the DL approach does not significantly degrade the performance of the controller.

The rest of this article is organised as follows: Section II briefly provides a theoretical background about SDN operation and some of the security challenges of the new paradigm. Related work and various detection and defense techniques against DDoS attacks in SDNs are discussed in Section III. Section IV introduces the methodology, the datasets and the DL model used in this work. The experimental and evaluation results are presented in Section V. The network evaluation is discussed in Section VI. Finally, an overall discussion of the results obtained and the conclusion are presented in Sections VII and VIII, respectively.

II. BACKGROUND THEORY

A. SDN Operation

The SDN network comprises three functional planes: the application, control, and data planes [17]. The application plane facilitates the deployment of several applications and services through northbound programming interfaces (APIs). For example, applications such as IDS, monitoring, QoS, load balancer, and many other applications that define the network behaviour or offer services for end users can be implemented easily as an API. The control plane facilitates the management of the network from a centralised location. The last layer, i.e., the data plane layer or underlying network infrastructure, contains the forwarding network devices, e.g., OpenFlow switches. The controller is separated from the underlying devices, and the communication between the two layers is established using the Southbound Interface. The OpenFlow protocol has become the de facto protocol for communication between the controller and the underlying switches. For any incoming flow, the switch will search whether there is a matching entry in one of its flow tables to handle this flow accordingly. In case of a match, the flow traffic will be directed to the corresponding destination. Otherwise, the switch will extract the packet header, encapsulate it in the format of a Packet-In message and send it to the controller for further processing. The controller takes decisions on the incoming flows (e.g., flow forwarding or dropping) with the assistance of API programming and returns the flow rule to the switch in the format of a Packet-Out message. Then, the switch takes the corresponding action according to the rules/policies assigned by the controller. The new rules will be cached in the flow table to match any similar flow for a period of time.

B. DDoS Attack Overview

The DDoS attack is an explicit attempt to prevent legitimate users from accessing the network services. The emergence of a DDoS attack typically does not occur suddenly; the onset of an attack on a target system results from a series of preparatory steps by the adversary that we can identify and measure. The operation of DDoS attacks follows several consecutive phases, as shown in Fig. 4 [18]. The intruder initially starts to compromise multiple agent machines that are widely distributed geographically by scanning for vulnerabilities in these devices. Once an intruder successfully identifies some system vulnerabilities, he can compromise these machines using a malicious program such as a Trojan horse. By replicating the malicious file in multiple agents, the intruder has the capability to control many devices, which can reach several thousand or millions (commonly referred to as bots), to initiate DDoS attacks without the awareness of the devices' rightful owners. The discovery of vulnerabilities and the exploitation of the agents are usually performed automatically, for instance, by sending e-mail messages with the attack code attached. The group of bots, known as a botnet, can get orders remotely from an intruder, i.e., the bot-master. The bot-master can perform large-scale DDoS attacks to flood a legitimate service or network by sending a control command to the botnet agents to generate useless traffic without getting noticed. Consequently, the victim's resources become overwhelmed with a crushing volume of traffic in a short duration, which significantly slows down the system service or the network's ability to respond to legitimate users.
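As an added illustration of the table-miss path described in Section II-A (this is not code from the paper), the following Python model pushes constructed packets through a flow table with a capacity limit and timeouts, sends a Packet-In to a toy controller on every miss, and counts Packet-Ins per second; the burst of never-seen spoofed sources in the last two seconds is the pattern that flow-statistics based detectors of the kind this paper studies look for. The 4-tuple match, the 64-entry capacity, the timeouts, the threshold factor and all addresses are assumptions.

```python
"""Added example, not code from the paper: a minimal model of the OpenFlow
table-miss path described in Section II-A (flow-table lookup, Packet-In on
a miss, rule returned by the controller and cached until its timeouts
expire) plus a controller-side count of Packet-In messages per second. The
4-tuple match, capacity, timeouts and every sample packet are constructed."""
from collections import Counter

MATCH_FIELDS = ("src_ip", "dst_ip", "dst_port", "proto")  # constructed match key


class FlowTable:
    """Switch flow table with a capacity limit plus idle and hard timeouts (s)."""

    def __init__(self, capacity, idle_timeout, hard_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.hard_timeout = hard_timeout
        self.entries = {}  # match key -> {"action", "installed", "last_hit"}

    def expire(self, now):
        """Drop entries whose idle or hard timeout has elapsed."""
        for key, e in list(self.entries.items()):
            if (now - e["last_hit"] >= self.idle_timeout
                    or now - e["installed"] >= self.hard_timeout):
                del self.entries[key]

    def lookup(self, key, now):
        entry = self.entries.get(key)
        if entry is not None:
            entry["last_hit"] = now  # a hit refreshes the idle timer
        return entry

    def install(self, key, action, now):
        """Cache a rule returned by the controller; fail when the table is full."""
        if len(self.entries) >= self.capacity:
            return False
        self.entries[key] = {"action": action, "installed": now, "last_hit": now}
        return True


class Controller:
    """Decides on unmatched flows and records Packet-In arrivals per second."""

    def __init__(self):
        self.packet_ins_per_sec = Counter()

    def on_packet_in(self, key, now):
        self.packet_ins_per_sec[int(now)] += 1
        return "forward"  # constructed policy: every new flow is forwarded


def run_switch(packets, table, controller):
    """Push packets through the switch; return counters of each outcome."""
    stats = Counter()
    for pkt in packets:
        now = pkt["t"]
        table.expire(now)
        key = tuple(pkt[f] for f in MATCH_FIELDS)
        if table.lookup(key, now) is not None:
            stats["matched"] += 1          # handled entirely in the data plane
            continue
        stats["packet_in"] += 1            # table miss: header goes to the controller
        action = controller.on_packet_in(key, now)
        if not table.install(key, action, now):  # Packet-Out carries the new rule
            stats["table_full"] += 1       # the flow-table overflow symptom
    return stats


def flag_seconds(packet_ins_per_sec, baseline_secs, factor=5):
    """Seconds whose Packet-In count exceeds `factor` x the benign baseline mean."""
    base = [packet_ins_per_sec.get(s, 0) for s in baseline_secs]
    threshold = factor * max(sum(base) / len(base), 1)
    return sorted(s for s, n in packet_ins_per_sec.items()
                  if s not in baseline_secs and n > threshold)


def make_sample_traffic():
    """Constructed traffic: 3 benign hosts reusing 3 flows for 10 s, then 2 s in
    which every packet carries a fresh spoofed source (TEST-NET addresses)."""
    pkts = []
    for sec in range(10):
        for host in range(1, 4):
            for k in range(4):  # 4 packets/s per host, same 4-tuple each time
                pkts.append({"t": sec + k / 4, "src_ip": f"10.0.0.{host}",
                             "dst_ip": "10.0.0.100", "dst_port": 80, "proto": "tcp"})
    for sec, net in ((10, "203.0.113"), (11, "198.51.100")):
        for k in range(50):  # 50 never-seen sources per second: 50 table misses
            pkts.append({"t": sec + k / 50, "src_ip": f"{net}.{k}",
                         "dst_ip": "10.0.0.100", "dst_port": 80, "proto": "tcp"})
    return sorted(pkts, key=lambda p: p["t"])


def demo():
    """Returns (outcome counters, seconds flagged by the Packet-In monitor)."""
    table, ctrl = FlowTable(capacity=64, idle_timeout=5, hard_timeout=60), Controller()
    stats = run_switch(make_sample_traffic(), table, ctrl)
    return stats, flag_seconds(ctrl.packet_ins_per_sec, baseline_secs=range(10))
```

With this input the three benign flows cost only three Packet-Ins in total, while the 100 spoofed packets cost 100 Packet-Ins and leave 39 rules uninstalled once the 64-entry table is full.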
Fig. 4. Adversarial Tactics in DDoS Attacks [18].

C. DDoS Attack in SDN

Although there are significant benefits of SDN in several application domains, several security issues in SDNs remain unaddressed. Indeed, security in SDN is a double-edged sword. The centralised location of the controller can improve the overall network security using new security tools with the help of the northbound APIs. However, splitting the control plane from the data plane produces new weaknesses that lead to attacks which did not exist before in IP-based networks. Examples of these attacks include attacks against the SDN controller or attacks on the communication links between the controller and the underlying infrastructure devices [14], [19]. In addition, all reported attacks on current networks can also target the SDN network (e.g., application attacks). However, the consequences of the attacks in SDN networks are very significant and can cause crucial damage. On the other hand, the effects of the same attacks in traditional networks are mild or moderate, since only a small part of the network is affected (likely the same vendor's devices) [19]. When the intruder needs to extend his attacks to new subnets, additional privileges or new attacks are required for these purposes.

One of the most serious attacks in SDN is DDoS. The attacker can easily generate a high volume of traffic from spoofed IPs, causing heavy damage to the network and making the controller unreachable for legitimate users. Unfortunately, all SDN layers are susceptible to DDoS attacks [20], and these attacks have a different nature from those reported in traditional networks, even from the ones that are categorised under the DDoS class. In the following paragraphs, we emphasise some of the DDoS attacks that are specific to SDN networks.
• Buffer Saturation Attacks [21]: When the switch receives a new packet with no matching entry, the switch extracts the packet header and sends it to the control plane to request a new flow rule. At this time, the packet payload is temporarily buffered in memory until new instructions are received from the controller. In case the buffer memory becomes full and has not enough space to store new data, the switch will send the full packet to the control plane. The attacker can exploit this gap by generating a vast number of fake packets with forged IP addresses to exhaust the buffer memory within a short time. When there is no buffer space, legitimate packets cannot be buffered either, resulting in a buffer saturation attack.
• Flow Table Overflow [22]: The switch flow tables are stored in a memory known as Ternary Content Addressable Memory (TCAM). Each entry rule is defined with two timers, i.e., idle timeout and hard timeout, to address the limited space of OpenFlow switches. The idle timeout refers to the amount of time in seconds after which the flow is removed from the flow tables in case no flow matches it. The hard timeout determines how long this flow will stay in the flow table before being removed, whether or not flows match it. The attacker can use this feature and send a large number of unmatched flows. After a while, all flow entries will be replaced by fake flows and the memory gets full with useless rules. Simultaneously, the switch will fail to handle any legitimate users and all received flows will be dropped. However, the switch can handle a limited number of incoming packets, since the TCAM memory has limited space. This is because the TCAM cost can reach 400 times or more the RAM cost, and its power usage reaches 100 times that of RAM [23].
• Link Flooding Attack (LFA) [24]: The flow switches communicate with the SDN controller using southbound links. In case the intruder generates numerous fake packets and there is no buffer space in the switches, the full packet will be delivered to the SDN controller, and this can quickly overload the bandwidth, creating a bottleneck for legitimate traffic.
• Controller Saturation [25]: The controller is an application installed on a virtual machine and has limited resources, such as RAM and processing power. When the controller handles a large number of fake packets, the extensive processing can degrade its resources. The controller saturation attack has a critical effect on the SDN controller, since any breakdown or failure of the controller causes the entire network to be lost.

The SDN controller is highly targeted by DDoS attacks and can quickly become a bottleneck if it handles a large amount of incoming flow. Since all unmatched packets are relayed to the controller for drawing up the new rules, receiving a high number of flows can exhaust its resources very
fast, regardless of the effectiveness of the controller. The overwhelming of the controller can cause the utmost damage and may crash the entire SDN network. Therefore, protecting the network resources from DDoS attacks has become a crucial aspect for researchers in recent years.

Fig. 5. Anomaly detection and mitigation Framework in SDN.

D. Flow-Based IDS in SDN

Effective detection approaches run on top of the controller as a REST API. The centralised behaviour of the SDN architecture allows the controller to take the corresponding action according to the detection results. Figure 5 represents the SDN framework to discriminate benign traffic from ordinary DDoS attacks. The architecture of the framework consists of three major modules as follows:
• Flow Collection and Extractor Module: This unit gathers flow statistics from the incoming packets using query rules initiated by the controller at every periodic interval. The controller requests the switch to send the flow statistics for analysis through a standard OFPT_FLOW_MOD message. The time interval plays an important role in the efficiency of the detection module. If the time interval is very long, it can raise the workload on the controller and switches, since a huge number of flows are processed. Besides, the detection module can take a long time to respond, giving the attacker a good chance to harm the network with aggressive fake traffic without being detected. In contrast, when the trigger time is very short, the controller will initiate the detection module very frequently, and this can increase the computational cost and the controller resource occupation. Additionally, a high volume of traffic will be transferred between the controller and switches, and this may consume the link bandwidth in a short time. To solve the aforementioned problem, a few works were conducted [26], [27] to improve the mechanism for flow data collection, to avoid the overhead and high computational cost on the control plane. The controller will extract the specific characteristics from the collected data. The extracted features are essential to discriminate between normal and DDoS malicious traffic.
• Identification Module: This is the core of the framework and comprises the trained detection module, e.g., IDS. This module performs the identification on the attributes extracted in the previous step in order to distinguish whether the incoming flow is malicious or normal. IDSs are widely classified into two different classes: signature-based and anomaly-based [28]. Signature-based systems (e.g., Snort) match the signature of attacks against rules stored in a knowledge database. Such techniques achieve high accuracy (i.e., can reach over 99%), but unfortunately, their performance is abysmal in detecting zero-day attacks. The attacker can easily bypass the functionality of signature-based techniques without being noticed if s/he successfully manipulates the attack signature (even with small amendments). On the other side, anomaly-based techniques have received significant attention from the research community in the last decade, since they theoretically have the capability to detect new attacks by observing any deviation from the normal traffic pattern. However, anomaly-based detection solutions suffer from high false alarms, which can slow down their implementation in production networks or commercial products. The quality of any anomaly detection system relies on the quality of the training dataset. Therefore, the dataset should be updated periodically in order to include new attack patterns. The DDoS detection module will analyse each received packet before the controller processes it. If the received packet is normal, the controller will instruct the switch to install a new flow rule, while the malicious traffic will be sent to the next mitigation management module to handle it.
• Mitigation Management Module: Whenever a malicious flow is identified by the identification module, the controller utilises the corresponding attack defense measures as soon as possible to avoid any damage to the network. Various mitigation strategies are broadly applied to deal with the incoming malicious traffic. The most popular solution is to block the attack flows by activating a new flow entry in the SDN switches with the action field set to Drop. Another mitigation solution, introduced by Alshamrani et al. [29], is to move all the excessive malicious flows to a honeypot server for further detection, as shown in Fig. 6. Fig. 6 [29] shows that the SDN controller receives a large amount of traffic packets at the beginning of DDoS attacks, while the amount of received packets at the honeypot is significantly low. Once the detection module identifies the attacks, all traffic is redirected to the honeypot server for further investigation. Thus, the amount of received packets at the controller decreases with time, while the honeypot receives a large amount of traffic. Therefore, the high false alarms of the detection module can be avoided and its performance on unknown attacks will be enhanced. Additionally, it is also important to remove the malicious flow entries from
the switches to release the memory space and to avoid any processing latency for normal traffic. In practice, the controller sends an OFPFC_DELETE message to the OpenFlow switches to delete the flow entries that consume large storage space.

TABLE I
SUMMARY OF THE STATE-OF-ART SOLUTIONS AGAINST DDOS ATTACKS IN SDNS

Fig. 6. Traffic burst at SDN controller vs Honeypot [29].

III. RELATED WORK

In recent years, several defense and mitigation techniques have been proposed to tackle the problem of DDoS attacks in SDNs. Although the centralised controlling point of SDN can combat the problem and facilitate the detection of attacks, it can also create new attack vectors that are being reported in traditional networks. In our previous work [30], we demonstrated that the intruder could quickly degrade the network performance or deplete its resources by generating a large number of flows toward the controller with the help of only a few hosts under his/her control. Thus, securing SDN networks from DDoS attacks is essential to keep the network running and avoid any crash of the network services or equipment.

In this section, we explore the most comprehensive solutions addressing DDoS attacks in the context of SDNs. Several techniques have been proposed to tackle this problem, based either on (1) statistical information entropy, (2) machine learning algorithms, or (3) deep learning based solutions. The summary of these different techniques is depicted in Table I.

A. Statistical Information Entropy Based Solutions

Kumar et al. [31] introduced the SAFETY scheme to mitigate TCP SYN flooding attacks in SDN by using an entropy-based detection mechanism. Only a few attributes, the TCP flags and destination IP, were used to calculate the value of the entropy. The proposed technique avoided a static threshold by employing an adaptive threshold during the detection process. However, the proposed approach was dedicated only to the TCP SYN attack, without considering the various types of DDoS that can occur in the network.

Kalkan et al. [32] utilised a joint entropy for DDoS detection in the SDN context. Similar to [31], the IP and TCP flag attributes are used to find the value of the entropy. However, the method provided acceptable results only for known attacks and failed to provide a desirable accuracy for any type of unfamiliar attack.

Yu et al. [33] combined the entropy scheme with ensemble learning techniques for DDoS attack detection in SDNs. A lightweight model based on an entropy strategy was adopted at the edge switches to calculate the information entropy of the destination IP. In case of suspected anomalies, another detection technique based on Random Forest (RF) is initiated on the controller for further detection. However, the authors employed the OpenFlow switches for detection tasks, which is against the core principle of SDN of avoiding any decision making in the underlying forwarding devices.

Mishra et al. [34] used Shannon entropy to recognise and mitigate DDoS attacks in SDN networks. Three thresholds were employed to reduce the false alarm rate. The authors claimed that the proposed method achieved an accuracy of over 98.2% with a false-positive rate of 0.04%.

Sahoo et al. [35] proposed a Generalized Entropy (GE) based metric to detect low-rate DDoS attacks on the control layer. The experimental results showed that the Generalized Entropy achieved better performance compared to the Shannon metric and other information distance metrics.

Although all entropy-based mechanisms are lightweight [36], fast in their calculation and consume a smaller amount of computational resources, these techniques broadly depend on the security researchers' experience
1868 IEEE TRANSACTIONS ON COGNITIVE COMMUNICATIONS AND NETWORKING, VOL. 8, NO. 4, DECEMBER 2022

Fig. 7. Visualisation result of the NSL-KDD dataset. The t-SNE algorithm is used to understand the distribution of data intuitively.

Fig. 8. Visualisation result of the InSDN dataset.

to define the threshold value beforehand. However, network traffic is dynamic and is not consistent all the time. For example, the traffic volume is relatively high during production time, while it becomes lower in the evening or on weekend days. Therefore, selecting the optimal threshold value needs several calculations and requires past observation of the network behaviour. Also, the nature of network traffic changes continuously over time, i.e., new protocols are developed frequently, while other protocols are no longer used. Consequently, modern network traffic is very complex, since the intruder can easily create new attack traffic with a high degree of similarity to normal traffic (e.g., Low-Rate DDoS attacks), which is hard to identify using a threshold-based method. We discussed this issue in our previous research work [37], [38]. Selecting a sub-optimal threshold value is reliable for old network data produced a long time ago, since the clusters of normal and attack traffic are spatially separated from each other, as shown in Fig. 7. As the clusters of modern traffic data are spatially combined (Fig. 8), tuning the threshold substantially leads to more false-alarm instances, since the mitigation module is not able to discriminate between normal and malicious instances. Hence, threshold-based methods are not well suited to detection and classification applications. Therefore, valid and reliable security solutions are still needed to efficiently secure networks from malicious traffic.

B. Machine Learning Based Solutions

In recent years, ML-based anomaly detection techniques have been used efficiently for DDoS attack detection in SDN networks. ML has the capability to learn and identify patterns from data automatically with the help of the training data. These techniques are able to detect abnormal behaviour in network data and provide better performance than signature-based techniques.

Tan et al. [27] introduced a novel detection and mitigation framework to defend against DDoS attacks in SDNs. The framework combined the K-Means and KNN algorithms for the detection mechanism. 5-tuple entries were employed to identify the DDoS attacks. A new trigger mechanism was developed to reduce the controller workload and to overcome the computational overhead on the communication channels by avoiding periodic traffic collection. However, the authors used the Scapy tool to simulate the legitimate and DDoS traffic for creating the training dataset. The simulated traffic lacked attack variety and was free from any application-layer DDoS attacks. Nonetheless, application attacks have a high degree of similarity with normal traffic and are not easy to detect using traditional ML algorithms. In addition, the performance of the detection model was further evaluated on the outdated NSL-KDD dataset, which was generated from traffic traces from two decades ago.

Dong and Sarem [39] introduced an improved KNN-based model for DDoS detection in SDNs. A few attributes (i.e., flow rate, flow size, flow duration, flow length) were used for model training. The dataset was generated using an SDN topology that contained one server and ten virtual machines. However, the simulated traces lacked the diversity of DDoS attacks that can occur at different layers of the OSI model, such as application layer attacks.

Yang and Zhao [40] introduced a detection and mitigation framework for DDoS attacks and performed traffic analysis based on the SVM algorithm. The detection model was evaluated on the KDD'99 dataset using only eight features that are easy to obtain from the SDN network. However, the KDD'99 dataset is outdated, since it was generated two decades ago and lacks modern traffic data. In addition, it has a high number of redundant records, which can increase the likelihood of overfitting.

Yu et al. [41] designed an efficient platform for DDoS attack detection by adopting the SVM classification algorithm. The authors utilised the rate of PACKET_IN messages per unit time as a trigger mechanism to initiate the classifier model in the SDN controller. The normal traffic in the dataset is based on traces of real traffic collected between Japan and the United States. The DDoS attack traffic was simulated using the Scapy and Hping3 tools. Eight features were extracted for the attack detection process. However, the number of records used for training and testing the model is significantly small (i.e., 1200 samples for training and 1700 for testing). Using only a small number of samples can lead to underfitting, since too few samples are not enough for the model to extract the discriminatory information from the input data.
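As an added illustration of the threshold limitation discussed earlier in this section (example code, not from the paper or any of the surveyed works), the following Python models an entropy-based detector: it computes the Shannon entropy of destination IPs per window of flows, learns a threshold from past observations, and alarms when the entropy drops below it. The traffic windows, the midpoint tuning rule and the IP addresses are constructed assumptions.

```python
"""Added example: a fixed entropy threshold learned from old, well-separated
traffic misfires on modern, overlapping traffic. Not code from the paper."""
import math
from collections import Counter
from typing import Dict, List, Optional, Sequence

WINDOW = 64  # flows per observation window (constructed value)


def window_entropy(dst_ips: Sequence[str]) -> float:
    """Shannon entropy, in bits, of the destination-IP distribution in one
    window of flows. Diverse destinations give high entropy; a flood toward
    a single victim collapses it toward zero."""
    total = len(dst_ips)
    counts = Counter(dst_ips)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def make_window(hot_ip: str, hot_flows: int, spread: int) -> List[str]:
    """Constructed window: `hot_flows` flows toward `hot_ip`, and the rest of
    the WINDOW spread round-robin over `spread` background servers
    10.0.0.1 .. 10.0.0.<spread> (all addresses are placeholders)."""
    rest = WINDOW - hot_flows
    assert rest % spread == 0, "keep the background share evenly divisible"
    background = [f"10.0.0.{i + 1}" for i in range(spread)]
    return [hot_ip] * hot_flows + background * (rest // spread)


def tune_threshold(normal: Sequence[Sequence[str]],
                   attack: Sequence[Sequence[str]]) -> Optional[float]:
    """Threshold from past observations (the operator 'experience' the text
    refers to): the midpoint between the least diverse normal window and the
    most diverse attack window. Returns None when the two classes overlap,
    i.e. no single threshold separates them."""
    lowest_normal = min(window_entropy(w) for w in normal)
    highest_attack = max(window_entropy(w) for w in attack)
    if highest_attack >= lowest_normal:
        return None
    return (lowest_normal + highest_attack) / 2


def is_alarm(dst_ips: Sequence[str], threshold: float) -> bool:
    """Threshold rule of the entropy detectors: alarm when diversity drops."""
    return window_entropy(dst_ips) < threshold


def run_scenario() -> Dict[str, object]:
    """Tune on old-style data (quiet normal vs volumetric flood), then apply
    the threshold to modern-style windows: a busy-hour flash crowd on one
    popular server and a low-rate attack hidden inside normal traffic."""
    quiet_normal = make_window("10.0.1.1", 0, 16)   # 16 servers, 4 flows each
    volumetric = make_window("10.0.9.9", 60, 4)     # 60 of 64 flows hit the victim
    busy_normal = make_window("10.0.1.2", 48, 8)    # popular server takes 75%
    low_rate = make_window("10.0.9.9", 16, 16)      # victim gets only 25%

    old_threshold = tune_threshold([quiet_normal], [volumetric])
    assert old_threshold is not None  # old traffic is cleanly separable (Fig. 7)
    return {
        "old_threshold": old_threshold,
        "volumetric_detected": is_alarm(volumetric, old_threshold),
        "busy_hour_false_alarm": is_alarm(busy_normal, old_threshold),
        "low_rate_missed": not is_alarm(low_rate, old_threshold),
        # modern windows overlap (Fig. 8): no threshold separates the classes
        "modern_threshold": tune_threshold([quiet_normal, busy_normal],
                                           [volumetric, low_rate]),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The busy-hour window is flagged although it is legitimate, the low-rate attack passes, and retuning on the modern windows finds no separating threshold at all, which is the argument the text makes with Fig. 7 and Fig. 8.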
Pérez-Díaz et al. [42] applied six ML algorithms, REP Tree, SVM, MLP, RF, J48 and Random Tree, for DDoS attack detection under the SDN context. The CIC-DDoS2019 dataset was used to validate the performance of the proposed approaches. Once the attacks are detected by one of the ML algorithms, a mitigation strategy is started to block the malicious traffic before it crashes the entire network. The IDS module was installed on a separate platform and connected to the controller through an Identification API. Although implementing the IDS on an individual platform can reduce the controller workload, it also increases the required resources, which can increase the total cost of the IDS framework.

Abdulrahman and Ibrahem [43] applied four ML algorithms, i.e., C4.5, NB, SVM and RF, to solve the problem of DDoS attacks. The IG feature selection method was used in the first stage to select the best 10 features of the CICIDS2017 dataset.

Bindra and Sood [44] used different feature selection methods, i.e., Recursive Feature Elimination (RFE), 'SelectPercentile', 'SelectFromModel', and Principal Component Analysis (PCA), to find the most relevant features of DDoS attacks using the CICIDS2017 dataset. The number of best-selected features is in the range of 12 to 15 for most feature selection methods. Six ML techniques were used in the classification phase to test each method separately. RF and KNN provided the highest performance, while LR and NB had the lowest accuracy.

The aforementioned approaches [27], [39]–[44] are based on traditional ML techniques and are categorised as shallow learning algorithms. Although these methods are often used and successfully achieve high performance in various applications and domain areas, they have a low ability on network flow traffic. The shallow learning techniques suffer from high false alarms and low detection rates, since they cannot meet the requirements for detecting complex malicious attacks. On the other hand, these approaches achieve reasonable results when the dataset has a low number of samples. On the contrary, they fail to provide significant results when applied to large traffic data.

C. Deep Learning Based Solutions

Nowadays, Deep Learning (DL) approaches play a vital role in anomaly detection techniques. Such techniques have the capability to capture the deep structure of the input data automatically without any human intervention. However, only a few works have utilised DL for DDoS attacks in SDN networks.

Ahuja et al. [45] compared the performance of an Artificial Neural Network (ANN) with various classical ML algorithms for DDoS attack detection in SDNs. A DDoS dataset was created in an emulated environment with the help of Mininet and the Ryu controller. The results demonstrated the potential of the ANN for attack detection, with an accuracy that reached 98.2%.

A DL approach [46] based on the Gated Recurrent Unit (GRU) was introduced to solve the problem of DDoS attacks in SDN networks. Only six selected features from the NSL-KDD dataset were employed for DDoS attack classification. The authors claimed that their proposed model achieved an accuracy of 89%.

Li et al. [47] built an efficient security defence mechanism using DL algorithms against DDoS attacks in SDN networks. Three DL algorithms, i.e., CNN, LSTM and RNN, were used for the proposed model, which was evaluated on the ISCX dataset. Their model achieved an accuracy of 99% and 98% on the training and test data, respectively.

Another study [48] employed four ensemble DL approaches against DDoS attacks in the SDN network. The results showed that the deep convolutional neural network (CNN) based model achieved the highest accuracy of 99.45% compared to other hybrid state-of-the-art algorithms. The CICIDS2017 dataset was used to evaluate all proposed DL models.

Novaes et al. [49] used a Generative Adversarial Network (GAN) framework to alleviate the impact of DDoS attacks in SDNs. An emulated dataset and the public CIC-DDoS2019 dataset were used for the experimental evaluation. The authors compared the results obtained from the GAN framework with different DL algorithms, e.g., LSTM, CNN and MLP.

Although DL techniques can significantly solve the inherent problems of traditional ML techniques, most existing studies validated their models using datasets produced on traditional IP networks and not on SDN platforms. However, the characteristics and operational behaviour of SDNs are largely different from those of current networks. Besides, SDN uses new protocols (e.g., OpenFlow) that differ from those used in traditional networks. The OpenFlow protocol introduces new vulnerabilities, which can motivate an attacker to easily create new attacks, causing confusion for IDSs in the SDN. Adding to these factors, many studies are still using outdated datasets, such as KDDCup'99 and NSL-KDD. These datasets were not only produced from traces of two decades ago, but they also lack current Internet traffic. However, modern intrusion attack types are constantly growing and becoming more sophisticated, i.e., not easy to identify. On the other side, the previous studies that emulated an SDN network to create a new dataset for the evaluation process only included a few types of DDoS attacks, without considering attacks that can target all layers. Moreover, the generated attacks were produced using simple tools, e.g., Scapy or Hping3, and targeted only the network layer of the OSI model, without including attacks against the application layer. However, DDoS attacks against the application layer are not easy to detect since they are very similar to normal traffic. On the contrary, DDoS attacks at the network layer deviate largely from normal traffic and are easy to detect using simple algorithms.

IV. METHODOLOGY

This section discusses in detail our experimental setup, the datasets used for our experimental evaluation, the feature selection methods, and the DDoS detection approach. We explore the potential of DL techniques for DDoS attack detection in SDN environments. The detailed process of the proposed framework is summarised in Fig. 9. At the first stage, the SDN-specific features are selected manually from three input
Fig. 9. The flow diagram of the DDoS Detection module.

datasets. Then, various preprocessing steps, as described in Section IV-C, are used to fit the input data for the DL model. Additionally, we apply two feature selection methods to find the most relevant features for DDoS attacks in each dataset. In this work, several experiments are executed to validate the capability of the DL approach for DDoS attack detection.

A. Dataset Description

The quality of the training datasets plays an essential role in building an efficient anomaly detection-based IDS. However, the availability of high-quality datasets for intrusion detection and network traffic in general is a significant problem. In other application domains, such as language translation and computer vision, many high-quality datasets are publicly available online. On the contrary, network data can contain sensitive customer information, and it is illegal or against privacy to reveal such data to the public. Hence, most real datasets for intrusion detection are anonymised payload data, which largely alters the performance of the classifier models [50]. In addition, the majority of the available datasets are outdated, lack

traffic diversity, and are unreliable for modern attack detection techniques. Using non-compatible datasets can create a rigid model and may cause a mismatch between the model and the new technology, since network traffic is dynamic and enterprises can change the protocols they use continuously. For example, the Flash and Silverlight protocols were widely used until 2010 by the most popular video enterprises, i.e., YouTube and Netflix. Currently, they have been replaced with the HTML5 protocol [51]. Therefore, several research works have been proposed to simulate new datasets for research purposes. The Canadian Institute for Cybersecurity (UNB) is one of the significant centres in the world that has contributed to generating reliable and validated datasets. The UNB created intrinsic and publicly available datasets using network topologies that mimic real network data centres. Although the datasets produced by UNB are widely used in many research works on SDNs, they were created on conventional or traditional IP networks, i.e., not on SDNs. However, as previously discussed in Section II, the traditional IP network and the SDN are significantly different in their operation. In addition, decoupling the data plane from the control plane makes the network susceptible to new attack vectors, different from those reported in traditional IP networks. For example, decoupling the SDN controller from the network devices increases the attacker's chances to carry out various types of attacks on the data communication systems or on the SDN controller itself. However, such attacks are hard to detect since the attacker is connected to the victim server in an authorised way. Thus, using a non-suitable dataset can mislead the detection system and create many false alarms. In addition to the aforementioned problem, to the best of our knowledge, there is no publicly available dataset for testing and evaluating IDSs in the SDN environment. The majority of anomaly detection work in SDNs has used standard datasets generated on conventional networks. To tackle all of these problems, we used our InSDN dataset [14] to test the performance of the proposed DL models. In addition, the CICIDS2017 and CICIDS2018 datasets are also used in this work for further evaluation. The three datasets are described as follows:

• InSDN [14]: The InSDN dataset considers the new structure of the SDN network. It was created using four virtual machines (VMs). One VM acted as the SDN controller, i.e., ONOS, while the second VM acted as an Open Virtual Switch (OVS). The third VM, i.e., Kali Linux, was used to represent the intruder machine, while several vulnerable applications (i.e., Metasploitable2) were installed on the last VM. Additionally, four internal virtual hosts were created using the Mininet emulator tool to represent normal users and some inside malicious hosts. Therefore, the dataset simulated a variety of attack classes from inside and outside the SDN network. The normal traffic in the InSDN dataset reflected several application services, such as HTTPS, DNS, SSH, FTP, email, etc. For this purpose, some internal hosts were allowed to access the Internet and collect intrinsic traffic from different websites, such as YouTube, Facebook, SKYPE, etc., to mimic real-world traffic. The total
TABLE II
THE EXTRACTED TRAFFIC FEATURES FROM SDN CONTROLLER [53]

TABLE III
THE EXTRA TRAFFIC FEATURES [53]

TABLE IV
THE 48 EXTRACTED SUBSET FEATURES IN SDNS

number of instances in the InSDN dataset is 361,317, where the number of samples for the normal and attack classes is 68,424 and 292,893, respectively.

• CICIDS2017 [15]: The dataset contains network traffic of five days, generated in the period between Monday, July 3, and Friday, July 7, 2017. CICIDS2017 was created using a complete network topology with several devices such as routers, switches, firewalls, and different operating system platforms. The authors used the concept of profiles to create the normal traffic in the dataset. The dataset is publicly available online in both PCAP and .CSV formats. CICIDS2017 includes a total of 2,830,743 instances, of which attacks represent 19.7% of the total data.

• CICIDS2018 [15]: The authors of [15] extended the CICIDS2017 project to create a new realistic dataset in a scalable manner. The CICIDS2018 traces were gathered over 10 days with a total of 16,233,002 instances, of which attacks represent 17% of the entire data. The same concept of profiles was used to create the normal and attack classes, but the authors used the Amazon Web Services (AWS) platform instead of the old network infrastructure.

The features of the three datasets are generated using the CICFlowMeter tool [52] and comprise more than 80 network flow features in .CSV format. The three datasets contain a variety of attack classes. This work only focuses on DDoS attacks, so the other attack classes are excluded from our study. However, the size of the InSDN dataset is significantly small compared to the other datasets, so we take all records labelled under the normal and DDoS classes. Nonetheless, only the Friday afternoon (July 7) file is picked from CICIDS2017 for our experiments, while the Wednesday (February 21) file is used in the case of the CICIDS2018 dataset.

B. SDN Specific Features

This section explains some representative features that can be derived in SDN networks. The features of the three datasets were obtained using the open source CICFlowMeter tool [52]. CICFlowMeter generates more than 84 flow features. However, not all of these features can be extracted inside the SDN environment. In SDN, only statistical features can be extracted from the SDN controller through OpenFlow calls to the SDN switches (e.g., flow duration, number of packets, number of bytes). For this goal, we use the same framework as [53] to find the sub-features that are easily retrieved directly by SDN controller queries or by computation over the flow statistics. For example, we can use manual computation to calculate some features such as the standard deviation (Std), Min, Max, and mean of the flow features. Table II presents the mapping between the features derived from the SDN environment and the InSDN dataset features. In addition, Table III shows the extra features that can be calculated by manual computation. Nonetheless, the original framework [53] utilised a subset of 50 features for its research objective. In this article, a subset of only 48 features is used, as the source and destination IPs are excluded

from our experiments. These two attributes may change from one network to another; besides, the attacker can use the same IP address as legitimate users. Thus, training the classifier model using such features can make the model biased toward those socket features, causing the overfitting problem. The obtained features in SDNs are listed in Table IV.

C. Data Preparation

Data preprocessing is a crucial step taken on the input data before model training to build an accurate detection system. The original data is not suitable for building and training ML/DL models; hence, some steps are taken to transform the input dataset into an understandable and readable format, as follows:
TABLE V
THE SIZE OF SAMPLES IN DATASETS

• The CICIDS2017 and CICIDS2018 datasets contain a huge number of infinity and missing (NaN) values. The first step in building an accurate model is to clean the data. In practice, two different methods can be taken to handle the missing and infinity values in any particular column that has them: we can either remove these values or calculate the mean and replace them with it. In this article, since the two datasets have adequate samples, we drop all null and infinity values without causing any significant effect on the model efficiency.

• ML/DL techniques are based on mathematical equations, so the categorical data are converted into numerical values to keep only numbers in the equations. The OneHotEncoder class is used to replace the text of the label column with a number. In these experiments, only binary classification is employed, to classify normal or DDoS attacks. Thus, the normal traffic takes the value 0 and DDoS attacks are encoded to the value 1.

• The dataset features have different scales, and this can cause some issues in the DL model. For example, some dataset columns or features have a small range of values, while other columns take a large range of values, i.e., higher than the values in another column. We limit the range of the variables by using feature scaling, so that a common ground can be used for comparison. There are two different methods of scaling: normalisation and standardisation. Normalisation scales the features between 0 and 1, while standardisation converts the input attributes into a new scale with a zero mean (μ) and a standard deviation (σ) of 1. In this work, we applied the standardisation method to all datasets according to Eq. (1).

$$x^{(i)} = \frac{x^{(i)} - \mu\left(x^{(i)}\right)}{\sigma\left(x^{(i)}\right)}. \qquad (1)$$

• We split the dataset into a 70:30 ratio using train_test_split from the sklearn library, which means that 70% of the dataset is utilised for training, while the remaining 30% is reserved for testing the model to check how accurately it can predict. The total number of training and testing samples for all datasets is given in Table V.

D. Deep Learning Classifier

Recently, DL techniques have gained popularity on a broad variety of tasks, e.g., speech recognition, computer vision and language translation. DL techniques use multiple hidden layers

Fig. 10. The LSTM-autoencoder for DDoS attack detection [16].

to solve more complex problems, which are difficult to solve using a linear function. DL techniques can address the limitations of traditional ML algorithms, since the traditional methods often require complex feature engineering, while DL techniques have the capability to extract features from the input data automatically without human intervention. The performance of DL is significantly high when dealing with data points with a high degree of non-linearity. Therefore, it is expected to improve cybersecurity trends, such as IDSs. This section presents the DL approach to tackle the problem of DDoS attacks in SDN networks.

1) The Proposed DL Model: We use our previous model, i.e., DDoSnet [16], which is composed of an autoencoder and a Recurrent Neural Network (RNN). The proposed model effectively detected DDoS attacks with great performance and low false alarms in comparison with traditional ML algorithms. However, in this article, we enhance the model performance by using LSTM, which is a specific type of RNN, instead of a simple RNN, in order to avoid the vanishing gradient problem. Gradients are used to update the weight values of a neural network, as shown in Eq. (2). However, when a gradient value becomes extremely small, it does not contribute much learning as it back-propagates through time. The RNN suffers from small gradient updates, especially in the earlier layers. Thus, it is unable to keep the information for long sequences.

$$\text{New weight} = \text{weight} - \text{learning rate} \times \text{gradient}. \qquad (2)$$

The overall structure of the DL approach is illustrated in Fig. 10. The model has two phases: (1) a pretraining phase, which uses unsupervised learning; and (2) a fine-tuning phase, which uses supervised learning. Unsupervised learning is employed in the first stage without any labels to extract the discriminatory features of the raw data. The autoencoder takes the information represented in the original space and transforms it into another space. Each dense layer in the original autoencoder is replaced with an LSTM layer to improve the model performance. The nature of network traffic is the key idea behind using LSTM in the DL approach, since the temporal correlation of the input data generates sequential traffic. Thus,
TABLE VI
LSTM-AUTOENCODER SPECIFICATIONS

building the DL model with such techniques will eliminate the loss, as the output of any layer depends not only on the current input but also on the previous output.

2) Experimental Setting: Tuning hyper-parameter values is one of the significant challenges in DL training due to the lack of theoretical foundation. Unfortunately, there is no secret rule for choosing the optimal values of the hyper-parameters. So, several experiments and combinations based on trial and error have been conducted to find the best number of network layers, number of neurons in each layer, number of iterations, batch size, etc. To determine the best values of the hyper-parameters, we analyse the performance of the DL model by testing different values of the learning rate (λ), i.e., 0.0001, 0.001, 0.01, and 0.1. For each value of λ, we examine the model performance on the other parameters. For example, we test the impact of the number of hidden layers, the size of channels in each layer, iterations, and the activation function on the overall performance of the DL approach. The best classifier accuracy is obtained when the number of hidden layers is equal to three. Repeating the experiments several times, the results have shown that for the given data, the highest performance was obtained when we used the hyper-parameters shown in Table VI. The values of the hyper-parameters can change from one dataset to another. For simplicity, we used the same hyper-parameters as described in Table VI for all datasets, since the variation in the results can be ignored.

At the encoder phase, the input dimensions are reduced to 32, 16, and 8 through the three hidden layers, respectively. The final output of the encoding phase is the compressed input data. The decoding step is the reverse order of the encoding phase, with the following numbers of channels: 8, 16, and 32, respectively. After building the model and finding the best values of the weights and biases, the hierarchical features are obtained from unlabelled data. In the second stage, fine-tuning is used to optimise the network and train the highest layers of the network using labelled data (i.e., supervised learning). Finally, the output of the model is obtained by adding the softmax function at the output layer. The softmax layer generates an output in the range (0, 1) for each output class, where the probabilities of all classes sum to 1. In this work, we only examined samples from normal and DDoS attacks. So, binary classification is used to assign the digit 0 for normal and 1 for malicious or DDoS attacks. The categorical cross-entropy is used with the softmax layer, while the Adam optimiser is

employed to update the network weights iteratively. We trained the model using 100 epochs and a batch size of 128.

E. Feature Selection Algorithms

This section utilises feature selection techniques to find the relevant features of DDoS attacks in each dataset separately. The feature selection methods explore the most relevant features for each class label while ignoring the redundant or irrelevant features. Therefore, training the detection model using few features can help to build a lightweight classifier that is less prone to overfitting. Further, the lightweight model can be deployed easily in the network platform without causing any significant computational cost on the system resources [8]. While the strategy for finding the important features differs from one feature selection algorithm to another, we used two different methods, i.e., Random Forest (RF) and Information Gain (IG).

1) Information Gain (IG): IG is one of the most popular algorithms to compute how much each variable contributes to the decision. It comes under the category of filter methods and identifies the importance of features based on the concept of information theory. A common measure for information is Shannon entropy. The entropy quantifies the uncertainty of each feature according to its relevance in determining different classes. We can calculate the entropy for a specific attack class H(C) using the following equation:

$$H(C) = -\sum_{i=0}^{n} \rho(i) \log \rho(i). \qquad (3)$$

IG uses a simple attribute ranking by measuring the information weight of each feature and eliminating the irrelevant features for each class label. A feature that has a small information gain also has a low effect on the data classification and can be ignored without any degradation of the model performance. The IG for each individual input feature F in the dataset is obtained by calculating the reduction in the entropy according to the following equation:

$$IG(C;F) = H(C) - H(C|F) \qquad (4)$$

where IG(C;F) is the information gain of the feature F, taking into account the class features C, and H(C|F) is the average conditional entropy of C.

2) Random Forest (RF) [54]: RF is widely used to solve the problem of individual Decision Trees (DTs), with good predictive performance and being less prone to overfitting. It is categorised under embedded methods, which combine the filter and wrapper techniques. The key idea behind RF is to measure how much each feature contributes to the prediction. If the change is large, this is an important variable. Similarly, when the change is small, this means the feature does not provide significant information. RF is a combination of several hundreds of decision trees (Fig. 11) which are built based on random observations from the dataset and random extraction of the features. The number of features can vary from one tree to another, and this immunises the model against overfitting since the trees are de-correlated. RF calculates
Fig. 11. The general architecture of random forest.

TABLE VII
THE BEST SUB-SELECTED FEATURES BY RF AND IG

the importance of each variable in two ways. The first measure is based on the decrease in Gini impurity when a variable is chosen to split a node. The second measure is based on how much the accuracy decreases when the variable is excluded.

F. Feature Selection Process

Although the datasets hold the same number of features, the importance of these features differs from one dataset to another. Table VII shows that there are 7 common features (i.e., 3, 5, 7, 8, 10, 23, 31) between CICIDS2017 and CICIDS2018 when using the RF algorithm. However, the InSDN dataset has only 1 common feature (i.e., feature number 5) with CICIDS2017, while it shares 4 features (i.e., 5, 26, 31, 33) with CICIDS2018. Similarly, when using the IG algorithm, CICIDS2017 and CICIDS2018 have five common features (i.e., 8, 10, 12, 31, 32), while the InSDN dataset has only one common feature (i.e., 32) with the other two datasets. Additionally, RF and IG agree on five features (i.e., 3, 8, 10, 22, 31) for CICIDS2017, while they agree on six features (i.e., 5, 7, 8, 10, 21, 31) for CICIDS2018. In a similar way, six features (i.e., 1, 2, 15, 18, 32, 34) are common between RF and IG for the InSDN dataset. The common features between RF and IG indicate that CICIDS2017 and CICIDS2018 have participated on three

the SDN platform has different characteristics and operational functionality than the traditional network. In addition, separating the control plane from the data plane produces new DDoS attacks, which have different behaviour from those reported in other networks.

On the other side, not only does the importance of the features vary from one network to another, but the identity of these features can also vary from one environment to another. For example, the flow duration in conventional networks indicates the length of the connection in seconds between the source and destination hosts, while the flow duration in SDN networks indicates the time during which the flow entry remains in the switch flow table [45]. Therefore, we can see that the duration feature is more specific to DDoS attacks in SDNs. During DDoS attacks, the malicious flow spends a long duration in the switch flow table compared to the legitimate traffic [45]. Thus, a flow that remains active for a longer duration is a good indicator of malicious DDoS attacks. Moreover, the attacker can flood the SDN network with a large number of useless flows using spoofed IP addresses. Thus, the average number of packets per flow will decrease during DDoS attacks, since the attacker aims to flood the flow switches, consuming their flow table space without sending data packets. So, some attributes like 'Flow_IAT_Max' are important features to identify malicious DDoS traffic. Such attributes will decrease in case of attacks, while they have high values for normal traffic.

V. EXPERIMENTAL RESULTS AND FINDINGS

A. The Evaluation Metrics

The performance of the model is evaluated using the most popular performance measures, i.e., accuracy, precision, recall and F-score, which are computed with the following equations:

$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \qquad (5)$$

$$\text{Precision} = \frac{TP}{TP + FP} \qquad (6)$$

$$\text{Recall} = \frac{TP}{TP + FN} \qquad (7)$$

$$\text{F-score} = \frac{2 \times \text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \qquad (8)$$

where True Positive (TP) and True Negative (TN) represent the correctly predicted values, while False Positive (FP) and False Negative (FN) indicate misclassified events.

B. Analysis Tools

We evaluated the performance of the DDoS attack detection model with the Python programming language using Keras
features (i.e., 8, 10, 31), while they have not shared any fea- Library with Tensorflow backend. The testbed hardware and
ture with the InSDN dataset. This is due to the fact that both software parameters are depicted in Table VIII.
CICIDS2017 and CICIDS2018 datasets were generated from
the same infrastructure behaviour, i.e., the two environments C. Experimental Results
are based on conventional networks. Thus, some features, This section discusses the experimental results of the
which are more related to DDoS attacks are still common proposed approach. Table IX shows the percentage of
between the two datasets since the behaviour of the attack Precision, Recall and f1-score for datasets with a different sub-
is similar in the two network environments. On the contrary, set of features. The model provided the highest results when
EL SAYED et al.: FLOW-BASED ANOMALY DETECTION APPROACH WITH FEATURE SELECTION METHOD 1875

TABLE VIII
E XPERIMENTAL E NVIRONMENT

Fig. 13. Execution time.

both datasets is largely reduced, but the decline is signifi-


cantly huge for InSDN compared to CICIDS2018. The model
failed to identify any DDoS entity for InSDN dataset. The
overall accuracy is 88.21% and 36.22% for CICIDS2018 and
InSDN dataset in the case of the RF method, while the overall
accuracy is 89.09% and 32.94% when the IG method is used.
To further evaluate the performance of the model and to
indicate the effect of the feature selection process, we represent
Fig. 12. Accuracy of the Trained Model by CICIDS2017 on InSDN and the execution time of the model for all datasets, as shown in
CICIC2018. Fig. 13. The graph shows that the execution time of the model
is relativity high for CICIDS2018, while it is low for InSDN.
This is due to the fact that the size of samples in CICIDS2018
48 sub-features are used in the training process, while the is very large compared to other datasets. It is also noticed that
performance of the model is slightly declined when only 10 the model spent a long time for training when all 48 sub-
sub-features are used for both RF and IG algorithms. However, features are used, while the execution time is relativity small
the decline in the performance can be ignored, so we can build in the case of RF but slightly higher for IG.
a lightweight model with less number of features. Building a
lightweight model will consume less amount of resources and D. Comparative Analysis With State-of-the-Art
make it more suitable for the SDN platform. It can also be 1) Comparative Analysis With DDoSnet: We further eval-
noticed that the overall performance of the IG algorithm is uate the model with our previous DDoSnet [16] approach.
slightly higher than the RF method. In [16], the DDoSnet was compared with several ML algo-
We also validate our reclaim and demonstrate how the rithms, such as Naive-Bayes (NB),Logistic Regression (LR),
model performance can be significantly decreased when we DT, RF, and SVM. The obtained results for different methods
evaluate it on different datasets produced from different are depicted in Table XI. The results show the potential of the
environments. DL techniques for DDoS attack detection compared with the
In the training phase, we train the proposed DL approach traditional algorithms. However, using the LSTM in the cur-
using CICIDS2017 dataset, but we analyse its performance rent model provides a high accuracy compared to the simple
on the test portion of InSDN and CICIDS2018 datasets. We RNN algorithm.
firstly train and test the model using all 48 sub features, We additionally estimate the performance of our model by
and later we only use the best 10 features from RF and calculating the lower and upper bounds of the confidence
IF, which were selected earlier from the perspective of the interval. The confidence interval is a way of quantifying the
CICIDS2017 dataset. The obtained results are described on uncertainty of an estimate [55]. The lower and upper bounds
Table X and Fig. 12. The results show that when we test within which the statistic can vary are usually referred to as
the model performance on CICIDS2018 dataset using sub the margin of error. It provides a very clear understanding of
of 48 features, the evaluation metrics are significantly high how the true result may differ from the estimated results and
and greatly near to those reported in Table IX. However, how much more or less than the stated percentage the real-
the performance is sharply declined on InSDN dataset. The ity might be. The experimental results showed that the lower
reported accuracy for both CICIDS2018 and InSDN datasets and upper bounds on the model’s classification accuracy are
are 99.61% and 55.18%, respectively. Moreover, when the 0.001, 0.002, respectively. While, the lower and upper bounds
model is trained on only 10 features, the performance for on the previous DDoSnet classification accuracy are 0.002,
1876 IEEE TRANSACTIONS ON COGNITIVE COMMUNICATIONS AND NETWORKING, VOL. 8, NO. 4, DECEMBER 2022

TABLE IX
E VALUATION M ETRICS OF 48 AND 10 S UB -S ET F EATURES

TABLE X
R ESULTS OF THE T RAINED M ODEL BY CICIDS2017 ON I N SDN AND CICIDS2018

TABLE XI
C OMPARISON TO DD O S NET M ODEL [16] throughput and latency. The Cbench tool2 is utilised to evalu-
ate the performance of the controller with various numbers of
OpenFlow switches. The Cbench tool is used to evaluate the
overheads of the DL model on the SDN controller. It provides
two different options to test the throughput and latency as the
follow:
1) In the throughput mode, Cbench generates a stream
of packet-In message to the SDN controller and
then records the packet-Out message that have been
received in a period of time. Calculating the sending and
receiving stream provides a good indication of the aver-
0.003, respectively. Therefore, the classification error of the
age number of flows that the controller can handle for
represented classifier is less than the error described in the
each switch per second.
DDoSnet, which indicates the high efficiency of the proposed
2) In the latency mode, the Cbench sends a packet-In
model.
message to the controller and waits for the response
2) Comparative Analysis on CICIDS2017 Dataset: We fur-
before sending the next packet. Hence, we can find aver-
ther carried out a comparative analysis with two different
age number of milliseconds that a flow consumes to be
studies [44] and [43] on CICICI2017. Table XII represents
installed in each switch.
a comparative analysis of the two studies with the proposed
The model is written in Python programming language and
model. In [44] and [43], several ML algorithms have been
embedded on top of the SDN controller as an application layer.
employed with the feature selection methods. It is noticed
We compare our model performance in terms of throughput and
that our DL approach provided the highest accuracy compared
latency on the Ryu controller after training it on three various
to other work. The reported accuracy of the proposed model
datasets. The experiments are conducted on a Linux virtual
with IG and RF selection methods is 99.50% and 98.76%,
machine running 64-bit Ubuntu 18.04 LTS, 8 GB of RAM,
respectively.
Core-i7 CPU, and installed on a VMware workstation 15 Pro.

VI. N ETWORK P ERFORMANCE A NALYSIS A. Throughput Results


This section provides a detailed analysis of the proposed The throughput represents the size of the packets that the
DL approach on the performance of the SDN controller. We controller can handle per second. The throughput size is varied
used the same framework of [46] to evaluate the impact of
the proposed model on the network performance in terms of 2 https://github.com/trema/cbench
EL SAYED et al.: FLOW-BASED ANOMALY DETECTION APPROACH WITH FEATURE SELECTION METHOD 1877

TABLE XII
C OMPARATIVE A NALYSIS ON CICIDS2017 DATASET

Fig. 14. Throughput Evaluation. Fig. 15. Latency Evaluation.

from one SDN controller to another. For simplicity, we test the B. Latency Evaluation
effect of the detection model on the Ryu controller. Figure 14 The latency test is represented in Fig. 15. Similar to the
illustrates the throughput of the controller with our model aforementioned throughput results, the latency increases with
using different datasets. The graph shows that the through- the increase of the topology size. The standalone controller has
put of the running standalone Ryu controller is limited at less latency compared to the embedded model, regardless the
3800 packet/s, which is very low compared to other con- dataset used. Integrating the security model with the controller
trollers [56], [57]. However, the standalone Ryu Controller can quite increase the controller latency. However, the model
provides a high throughput compared to the embedded DL with InSDN dataset experienced a small latency, followed by
model. Therefore, we take it as a baseline for evaluating the CICIDS2018, while the trained model on CICIDS2017 has the
detection model. The throughput of the Ryu controller and the highest latency, almost for all networks typologies.
embedded model are declined with increasing the number of The above results indicate that there is a trade-off between
switches. However, the performance of the model is varied network performance and security. Implementing security can
according to the used dataset. The decline in the through- comprehensively decrease network performance. Therefore,
put can be ignored in small network typologies when the tuning the network relies on the IT operations to find the best
model is trained on InSDN or CICIDS2018, while the drop is adjustments based on their requirements, either by enhancing
significantly high for the CICIDS2017. the network security with a little delay or keep it fast [58].
The throughput of the model in the case of using the InSDN
dataset is dropped by about 2.86% and 3.1% when the number
of switches increases from 32 to 256, respectively. Compared VII. D ISCUSSION AND L IMITATION
with the CICIDS2018, the throughput decreases by 3.7 and Although the SDN is a promising solution for anomaly
4.1% and is significantly reduced by 2.8% and 6.37% for detection systems, the SDN itself can be a target for several
CICIDS2017. It can noticed that the training dataset not only attack threats. Unfortunately, all SDN layers are susceptible
plays a vital role in the potential of the classifier capability; to DDoS attacks, which can easily consume its resources
but it is also effective in determining the performance of the and prevent or even delay the network services for legiti-
model inside the network. We can see that the model with mate users. Therefore, eliminating the impact of these attacks
InSDN data provides less overhead on the controller compared has gained significant attention from the research commu-
to other datasets. nity in the last decade. Instantaneously, there is an increasing
1878 IEEE TRANSACTIONS ON COGNITIVE COMMUNICATIONS AND NETWORKING, VOL. 8, NO. 4, DECEMBER 2022

direction of using machine and deep learning techniques for • In this article, we employed the DL model to produce
anomaly detection systems to solve the problem of DDoS a lightweight model against DDoS attacks. Despite the
attacks in SDNs. However, the quality of the training dataset DDoS attacks being one of the most dangerous attacks
is a key pillar of any model efficiency. in the SDN, the SDN is vulnerable to many other attacks
On the other hand, one of the main challenges, which seri- that can compromise its normal operation. In the near
ously hinder the performance of the ML/DL models is the future, we will train the DL model to consider new attacks
problem of overfitting. The model can effectively perform very in the SDN. In addition, a new experimental test should
well during the training but fails to display a good tendency be used to classify the data categories into normal or
with the unseen data. There are many reasons that can cause attack classes, i.e., using multi-classification instead of
this problem such as, the complexity of the model and the low binary classification.
amount of data used to create a suitable approach. Thus, the • The adversaries can actively adapt and modify their
best practice to test the efficacy of intrusion detection mod- threat models to learn the decision boundary of the
els is to evaluate how it can work with new data that have anomaly detector. They aim to compromise the integrity
never been seen before during the training. This is what we of anomaly detectors by reducing the confidence and
investigated and successfully achieved in this work. modifying the input (an anomalous sample) in order to
Nonetheless, the majority of the current anomaly detection output (nominal class) by the detector [62]. Therefore,
techniques in SDNs have been evaluated using a dataset gen- understanding the adversary threat model will help avoid
erated based on IP-traditional networks and not from SDNs. mistakes and reduce the false positive alarms of the
However, the SDN platform generates new attack vectors that anomaly detectors. However, the attack methodology,
did not exist before in traditional networks. Thus, training the which adversarial examples reside is beyond the scope
detection model using an improper dataset can deceive the of this paper. The interested reader can refer to [62]–[65]
classifier model and make it easily prone to overfitting. In for more information regarding the general strategies that
addition, the behaviour of the attacks is different from one an attacker can use against any anomaly detector.
environment to another. For example, the attacker can exploit
the operation of the SDN and employ some existing attacks
such as “Port scan” and “IP sweep” to overwhelm the con- VIII. C ONCLUSION
troller with a heavy volume of unknown traffic, creating a Training the network intrusion detection system using a
new DDoS attack vector [59]. However, conventional detec- high-dimensional dataset increases the complexity of proposed
tion systems can easily identify “Port scan” and “IPsweep”, classifier, which result in excessive training and classification
but the functionality of these attacks are different in SDNs, i.e., time. The pre-processing feature selection methods play an
work as DDoS. Moreover, DDoS attacks are rapidly evolving essential role in identifying the important features from the
threat and can cause a crucial impact on the performance of original dataset, and this would help to improve the classi-
network services running over SDN [60]. Hence, the avail- fication accuracy and avoid the curse of high computational
ability and response time of SDN services are significantly complexity. The aim of this work is to reduce the redundant or
degraded at presence of attacks. In this article, we demon- irrelevant features without any significant impact on the classi-
strate how the importance of features is being changed from fication accuracy. We have selected 10 features out of available
one dataset to another, regardless of the fact that the used 48 features using two common feature selection methods IG
datasets have the same attack classes or a similar number of and RF. A modified DL model based on LSTM-Autoencoder
features. However, some of attributes that are widely used for was used for experimental purposes, while the DDoS attacks
model classifiers on IP based networks can have less impact were considered as a case study. Our approach provides a
in the SDN and vice versa [61]. Based on the analysis and high detection rate and presents a more efficient better time
the above results, we showed that the behaviour and operation to build the model. We further tested the trained model on the
of the SDNs are varied from other networks. Thus, the struc- performance of the SDN controller to evaluate how the used
ture of the new platform should be taken due to the design of dataset can impact on the performance of the SDN controller.
anomaly detection systems. The results showed that the proposed approach does not dete-
Likewise, our proposed model is experienced to some riorate the network performance. In our future work, we will
limitations which are listed below: analyse new attack classes for the test evaluation. Also, we
• We test the performance of the model using only one plan to apply our proposed model on real SDN network in
SDN controller; however, the throughput and latency are order to understand how this IDS can handle the intrusion in
varied from one controller to another. Thus, several con- real-time.
trollers should be examined for fair awareness and to
represent how the embedded model can work efficiently
with other controllers. R EFERENCES
• We trained and evaluated the DL model in offline mode [1] D. Kreutz, F. M. Ramos, P. E. Verissimo, C. E. Rothenberg,
using virtual simulation without implementing a physical S. Azodolmolky, and S. Uhlig, “Software-defined networking: A com-
SDN networks. However, the detection of attacks online prehensive survey,” Proc. IEEE, vol. 103, no. 1, pp. 14–76, Jan. 2015.
[2] W. Xia, Y. Wen, C. H. Foh, D. Niyato, and H. Xie, “A survey on
is very important to understand how this IDS can handle software-defined networking,” IEEE Commun. Surveys Tuts., vol. 17,
the intrusion in real-time. no. 1, pp. 27–51, 1st Quart., 2015.
[3] S. Shin and G. Gu, “Attacking software-defined networks: A first feasibility study,” in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw. Defined Netw., 2013, pp. 165–166.
[4] Ö. Kasim, “An efficient and robust deep learning based network anomaly detection against distributed denial of service attacks,” Comput. Netw., vol. 180, Oct. 2020, Art. no. 107390.
[5] N. Garcia, T. Alcaniz, A. González-Vidal, J. B. Bernabe, D. Rivera, and A. Skarmeta, “Distributed real-time SlowDoS attacks detection over encrypted traffic using artificial intelligence,” J. Netw. Comput. Appl., vol. 173, Jan. 2021, Art. no. 102871.
[6] B. B. Zarpelão, R. S. Miani, C. T. Kawakani, and S. C. de Alvarenga, “A survey of intrusion detection in Internet of Things,” J. Netw. Comput. Appl., vol. 84, pp. 25–37, Apr. 2017.
[7] K. Bouzoubaa, B. Nsiri, and Y. Taher, “Predicting DOS-DDOS attacks: Review and evaluation study of feature selection methods based on wrapper process,” Int. J. Adv. Comput. Sci. Appl., vol. 12, no. 5, pp. 131–145, 2021.
[8] D. Kurniabudi, D. Stiawan, M. Y. B. Idris, A. M. Bamhdi, and R. Budiarto, “CICIDS-2017 dataset feature analysis with information gain for anomaly detection,” IEEE Access, vol. 8, pp. 132911–132921, 2020.
[9] A. Bommert, X. Sun, B. Bischl, J. Rahnenführer, and M. Lang, “Benchmark for filter methods for feature selection in high-dimensional classification data,” Comput. Stat. Data Anal., vol. 143, Mar. 2020, Art. no. 106839.
[10] J. Tang, S. Alelyani, and H. Liu, “Feature selection for classification: A review,” in Data Classification: Algorithms Applications. Boca Raton, FL, USA: CRC Press, 2014, p. 37.
[11] H. Polat, O. Polat, and A. Cetin, “Detecting DDoS attacks in software-defined networks through feature selection methods and machine learning models,” Sustainability, vol. 12, no. 3, p. 1035, 2020.
[12] M. Suresh and R. Anitha, “Evaluating machine learning algorithms for detecting DDoS attacks,” in Proc. Int. Conf. Netw. Security Appl., 2011, pp. 441–452.
[13] E. Balkanli, A. N. Zincir-Heywood, and M. I. Heywood, “Feature selection for robust backscatter DDoS detection,” in Proc. IEEE 40th Local Comput. Netw. Conf. Workshops (LCN Workshops), 2015, pp. 611–618.
[14] M. S. El Sayed, N.-A. Le-Khac, and A. D. Jurcut, “InSDN: A novel SDN intrusion dataset,” IEEE Access, vol. 8, pp. 165263–165284, 2020.
[15] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating a new intrusion detection dataset and intrusion traffic characterization,” in Proc. ICISSP, 2018, pp. 108–116.
[16] M. S. El Sayed, N.-A. Le-Khac, S. Dev, and A. D. Jurcut, “DDoSNet: A deep-learning model for detecting network attacks,” in Proc. IEEE 21st Int. Symp. World Wireless Mobile Multimedia Netw. (WoWMoM), 2020, pp. 391–396.
[17] J. C. C. Chica, J. C. Imbachi, and J. F. B. Vega, “Security in SDN: A comprehensive survey,” J. Netw. Comput. Appl., vol. 159, Jun. 2020, Art. no. 102595.
[18] H. Griffioen, K. Oosthoek, P. van der Knaap, and C. Doerr, “Scan, test, execute: Adversarial tactics in amplification DDoS attacks,” in Proc. 2021 ACM SIGSAC Conf. Comput. Commun. Security, 2021, pp. 940–954.
[19] M. S. El Sayed, N.-A. Le-Khac, M. A. Albahar, and A. Jurcut, “A novel hybrid model for intrusion detection systems in SDNs based on CNN and a new regularization technique,” J. Netw. Comput. Appl., vol. 191, Oct. 2021, Art. no. 103160.
[20] N. Z. Bawany, J. A. Shamsi, and K. Salah, “DDoS attack detection and mitigation using SDN: Methods, practices, and solutions,” Arab. J. Sci. Eng., vol. 42, no. 2, pp. 425–441, 2017.
[21] T. Ubale and A. K. Jain, “Taxonomy of DDoS attacks in software-defined networking environment,” in Proc. Int. Conf. Futuristic Trends Netw. Commun. Technol., 2018, pp. 278–291.
[22] Y. Qian, W. You, and K. Qian, “Openflow flow table overflow attacks and countermeasures,” in Proc. Eur. Conf. Netw. Commun. (EuCNC), 2016, pp. 205–209.
[23] J. Singh and S. Behal, “Detection and mitigation of DDoS attacks in SDN: A comprehensive review, research challenges and future directions,” Comput. Sci. Rev., vol. 37, Aug. 2020, Art. no. 100279.
[24] R. U. Rasool, U. Ashraf, K. Ahmed, H. Wang, W. Rafique, and Z. Anwar, “Cyberpulse: A machine learning based link flooding attack mitigation system for software defined networks,” IEEE Access, vol. 7, pp. 34885–34899, 2019.
[25] Z. Li, W. Xing, S. Khamaiseh, and D. Xu, “Detecting saturation attacks based on self-similarity of OpenFlow traffic,” IEEE Trans. Netw. Service Manag., vol. 17, no. 1, pp. 607–621, Mar. 2020.
[26] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, “Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments,” Comput. Netw., vol. 62, pp. 122–136, Apr. 2014.
[27] L. Tan, Y. Pan, J. Wu, J. Zhou, H. Jiang, and Y. Deng, “A new framework for DDoS attack detection and defense in SDN environment,” IEEE Access, vol. 8, pp. 161908–161919, 2020.
[28] A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman, “Survey of intrusion detection systems: Techniques, datasets and challenges,” Cybersecurity, vol. 2, no. 1, pp. 1–22, 2019.
[29] A. Alshamrani, A. Chowdhary, S. Pisharody, D. Lu, and D. Huang, “A defense system for defeating DDoS attacks in SDN based networks,” in Proc. 15th ACM Int. Symp. Mobility Manage. Wireless Access, 2017, pp. 83–92.
[30] M. S. El Sayed, N.-A. Le-Khac, and A. D. Jurcut, “Dealing with COVID-19 network traffic spikes [cybercrime and forensics],” IEEE Security Privacy, vol. 19, no. 1, pp. 90–94, Jan./Feb. 2021.
[31] P. Kumar, M. Tripathi, A. Nehra, M. Conti, and C. Lal, “SAFETY: Early detection and mitigation of TCP SYN flood utilizing entropy in SDN,” IEEE Trans. Netw. Service Manag., vol. 15, no. 4, pp. 1545–1559, Dec. 2018.
[32] K. Kalkan, L. Altay, G. Gür, and F. Alagöz, “JESS: Joint entropy-based DDoS defense scheme in SDN,” IEEE J. Sel. Areas Commun., vol. 36, no. 10, pp. 2358–2372, Oct. 2018.
[33] S. Yu, J. Zhang, J. Liu, X. Zhang, Y. Li, and T. Xu, “A cooperative DDoS attack detection scheme based on entropy and ensemble learning in SDN,” EURASIP J. Wireless Commun. Netw., vol. 90, no. 1, pp. 1–21, 2021.
[34] A. Mishra, N. Gupta, and B. Gupta, “Defense mechanisms against DDoS attack based on entropy in SDN-cloud using POX controller,” Telecommun. Syst., vol. 77, no. 1, pp. 47–62, 2021.
[35] K. S. Sahoo, D. Puthal, M. Tiwary, J. J. Rodrigues, B. Sahoo, and R. Dash, “An early detection of low rate DDoS attack to SDN based data center networks using information distance metrics,” Future Gener. Comput. Syst., vol. 89, pp. 685–697, Dec. 2018.
[36] R. Wang, Z. Jia, and L. Ju, “An entropy-based distributed DDoS detection mechanism in software-defined networking,” in Proc. IEEE Trustcom/BigDataSE/ISPA, vol. 1, 2015, pp. 310–317.
[37] M. S. El Sayed, N.-A. Le-Khac, S. Dev, and A. D. Jurcut, “Detecting abnormal traffic in large-scale networks,” in Proc. Int. Symp. Netw. Comput. Commun. (ISNCC), 2020, pp. 1–7.
[38] M. Said El Sayed, N.-A. Le-Khac, S. Dev, and A. D. Jurcut, “Network anomaly detection using LSTM based autoencoder,” in Proc. 16th ACM Symp. QoS Security Wireless Mobile Netw., 2020, pp. 37–45.
[39] S. Dong and M. Sarem, “DDoS attack detection method based on improved KNN with the degree of DDoS attack in software-defined networks,” IEEE Access, vol. 8, pp. 5039–5048, 2019.
[40] L. Yang and H. Zhao, “DDoS attack identification and defense using SDN based on machine learning method,” in Proc. 15th Int. Symp. Pervasive Syst., Algorithms Netw. (I-SPAN), 2018, pp. 174–178.
[41] Y. Yu, L. Guo, Y. Liu, J. Zheng, and Y. Zong, “An efficient SDN-based DDoS attack detection and rapid response platform in vehicular networks,” IEEE Access, vol. 6, pp. 44570–44579, 2018.
[42] J. A. Pérez-Díaz, I. A. Valdovinos, K.-K. R. Choo, and D. Zhu, “A flexible SDN-based architecture for identifying and mitigating low-rate DDoS attacks using machine learning,” IEEE Access, vol. 8, pp. 155859–155872, 2020.
[43] A. A. Abdulrahman and M. K. Ibrahem, “Evaluation of DDoS attacks detection in a CICIDS2017 dataset based on classification algorithms,” IRAQI J. Inf. Commun. Technol., vol. 1, no. 3, pp. 49–55, 2018.
[44] N. Bindra and M. Sood, “Evaluating the impact of feature selection methods on the performance of the machine learning models in detecting DDoS attacks,” Sci. Technol., vol. 23, no. 3, pp. 250–261, 2020.
[45] N. Ahuja, G. Singal, D. Mukhopadhyay, and N. Kumar, “Automated DDOS attack detection in software defined networking,” J. Netw. Comput. Appl., vol. 187, Aug. 2021, Art. no. 103108.
[46] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho, “Deep recurrent neural network for intrusion detection in SDN-based networks,” in Proc. 4th IEEE Conf. Netw. Softwarization Workshops (NetSoft), 2018, pp. 202–206.
[47] C. Li et al., “Detection and defense of DDoS attack–based on deep learning in OpenFlow-based SDN,” Int. J. Commun. Syst., vol. 31, no. 5, 2018, Art. no. e3497.
[48] S. Haider et al., “A deep CNN ensemble framework for efficient DDoS attack detection in software defined networks,” IEEE Access, vol. 8, pp. 53972–53983, 2020.
[49] M. P. Novaes, L. F. Carvalho, J. Lloret, and M. L. Proença, Jr., “Adversarial deep learning approach detection and defense against DDoS attacks in SDN environments,” Future Gener. Comput. Syst., vol. 125, pp. 156–167, Dec. 2021.
[50] M. Ring, S. Wunderlich, D. Scheuring, D. Landes, and A. Hotho, “A survey of network-based intrusion detection data sets,” Comput. Security, vol. 86, pp. 147–167, Sep. 2019.
[51] M. T. A. Abdullah, J. Lloret, A. Cánovas Solbes, and L. García-García, “Survey of transportation of adaptive multimedia streaming service in Internet,” Netw. Protocols Algorithms, vol. 9, nos. 1–2, pp. 85–125, 2017.
[52] G. Draper-Gil, A. H. Lashkari, M. S. I. Mamun, and A. A. Ghorbani, “Characterization of encrypted and VPN traffic using time-related,” in Proc. 2nd Int. Conf. Inf. Syst. Security Privacy (ICISSP), 2016, pp. 407–414.
[53] P. Krishnan, S. Duttagupta, and K. Achuthan, “VARMAN: Multi-plane security framework for software defined networks,” Comput. Commun., vol. 148, pp. 215–239, Dec. 2019.
[54] L. Breiman, “Random forests,” Mach. Learn., vol. 45, no. 1, pp. 5–32, 2001.
[55] J. H. Steiger and R. T. Fouladi, “Noncentrality interval estimation and the evaluation of statistical models,” in What If There Were no Significance Tests. London, U.K.: Routledge, 2016, pp. 197–229.
[56] A. T. Tang, “Software defined networking: Network intrusion detection system,” Ph.D. dissertation, Dept. Electron. Elect. Eng., Univ. Leeds, Leeds, U.K., 2019.
[57] M. M. Isa and L. Mhamdi, “Native SDN intrusion detection using machine learning,” in Proc. IEEE 8th Int. Conf. Commun. Netw. (ComNet), 2020, pp. 1–7.
[58] M. A. Albahar, “Recurrent neural network model based on a new regularization technique for real-time intrusion detection in SDN environments,” Security Commun. Netw., vol. 2019, Nov. 2019, Art. no. 8939041.
[59] M. Conti, A. Gangwal, and M. S. Gaur, “A comprehensive and effective mechanism for DDoS detection in SDN,” in Proc. IEEE 13th Int. Conf. Wireless Mobile Comput. Netw. Commun. (WiMob), 2017, pp. 1–8.
[60] Q. Niyaz, W. Sun, and M. Alam, “Impact on SDN powered network services under adversarial attacks,” Procedia Comput. Sci., vol. 62, pp. 228–235, Aug. 2015.
[61] R. Santos, D. Souza, W. Santo, A. Ribeiro, and E. Moreno, “Machine learning algorithms to detect DDoS attacks in SDN,” Concurrency Comput. Pract. Exp., vol. 32, no. 16, 2020, Art. no. e5402.
[62] A. Kuppa, S. Grzonkowski, M. R. Asghar, and N.-A. Le-Khac, “Black box attacks on deep anomaly detectors,” in Proc. 14th Int. Conf. Avail. Rel. Security, 2019, pp. 1–10.
[63] B. Biggio and F. Roli, “Wild patterns: Ten years after the rise of adversarial machine learning,” Pattern Recognit., vol. 84, pp. 317–331,

Nhien-An Le-Khac (Senior Member, IEEE) received the Ph.D. degree in computer science from the Institut National Polytechnique de Grenoble, France, in 2006. He is a Lecturer with the School of Computer Science, University College Dublin (UCD), Ireland. He is currently the Programme Director of the UCD M.Sc. programme in Forensic Computing and Cybercrime Investigation, an international programme for law enforcement officers specializing in cybercrime investigations. To date, more than 1000 students from 60 countries in five continents have graduated from this FCCI programme. He is also the Co-Founder of the UCD-GNECB Postgraduate Certificate in fraud and e-crime investigation. He was a Research Fellow with Citibank, Ireland (Citi). His research interests span the area of cybersecurity and digital forensics, machine learning for security, fraud and criminal detection, cloud security and privacy, and high-performance computing. Since 2013, he has collaborated on many research projects as a principal/co-PI/funded investigator. He has published more than 150 scientific papers in peer-reviewed journals and conferences in related research fields. He is an active chair as well as a reviewer for many key conferences and journals in related disciplines.

Marianne A. Azer received the B.Sc., M.Sc., and Ph.D. degrees from the Faculty of Engineering, Electronics and Communications Department, Cairo University. She is an Associate Professor with the National Telecommunication Institute, Nile University, Cairo, Egypt. She is also the Director of the Information Center, National Telecommunication Institute. Her research interests include network security, security in wireless networks, Internet of Things privacy and security, and cloud security and privacy. She has been a Board Member of the Financial Regulatory Authority since May 2021. She is a former member of the Egyptian Parliament and a former advisor to the Ministry of Communication and Information Technology for strategic initiatives. She has been the Vice President of the Information Systems Audit and Control Association (ISACA) Board in Egypt since 2019. Throughout her career, she held several positions, either academic or managerial, in several universities and organizations. To mention a few, the Ministry of Communication and Information Technology, the National Telecommunication Institute, Nile University, Cairo University, The American University in Cairo, French University, the Arab Academy for Science and Technology, and Maritime Transport. She was the President of ISACA Board in Egypt 2018–2020, a member of the Global
Dec. 2018. Advisory Board on Emerging Technologies (ISACA) 2020–2021, and also a
[64] Q. Liu, P. Li, W. Zhao, W. Cai, S. Yu, and V. C. Leung, “A survey on member of the Global Advisory Board for Facebook Community Leadership
security threats and defensive techniques of machine learning: A data Program 2018–2019. She received many awards and recognitions both on the
driven view,” IEEE Access, vol. 6, pp. 12103–12117, 2018. international and national levels. She is a member of international and national
[65] N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami, “Distillation organizations in diverse fields, such as telecommunications, politics, women,
as a defense to adversarial perturbations against deep neural networks,” science, technology, culture, angel investment, and governance.
in Proc. IEEE Symp. Security Privacy (SP), 2016, pp. 582–597.
Mahmoud Said El Sayed received the B.E. degree in electronics and communication engineering from Zagazig University, Zagazig, Egypt, in 2007, the M.E. degree in information security from Nile University, Cairo, Egypt, in 2018, and the first Diploma degree in management of innovation from the DIT Institute, Dublin, Ireland, and the second Diploma degree in networking from the ITI Institute, Cairo. He is currently pursuing the Ph.D. degree with the School of Computer Science, UCD, Dublin. He also holds a set of international professional certificates in the computer networks, security, and IT fields from Cisco, IBM, Huawei, and VMware. He has worked for several years in the industry with Huawei and IBM in the area of computer networks and security. His research interests include, but are not limited to, computer networks, cybersecurity, cyber threats and attacks for Android, artificial intelligence, routing protocols, security for the Internet of Things, and software-defined networks.

Anca D. Jurcut received the B.Sc. degree in computer science and mathematics from the West University of Timisoara, Romania, in 2007, and the Ph.D. degree in security engineering from the University of Limerick (UL), Ireland, in 2013, funded by the Irish Research Council for Science, Engineering and Technology. She has been an Assistant Professor with the School of Computer Science, University College Dublin (UCD), Ireland, since 2015. She worked as a Postdoctoral Researcher with UL as a member of the Data Communication Security Laboratory and as a Software Engineer with IBM, Dublin, Ireland, in the area of data security and formal verification. Her research interests include security protocol design and analysis, automated techniques for formal verification, network security, attack detection and prevention techniques, security for the Internet of Things, and applications of blockchain for security and privacy. She has several key contributions in research focusing on detection and prevention techniques for attacks over networks, the design and analysis of security protocols, automated techniques for formal verification, and security for mobile-edge computing. More info: https://people.ucd.ie/anca.jurcut.