
Arabian Journal for Science and Engineering

https://doi.org/10.1007/s13369-023-08075-2

RESEARCH ARTICLE-COMPUTER ENGINEERING AND COMPUTER SCIENCE

A Comprehensive Analysis of Machine Learning- and Deep Learning-Based Solutions for DDoS Attack Detection in SDN

Naziya Aslam¹ · Shashank Srivastava¹ · M. M. Gore¹

Received: 2 February 2023 / Accepted: 13 June 2023


© King Fahd University of Petroleum & Minerals 2023

Abstract
Software-defined networking (SDN) provides programmability, manageability, flexibility and efficiency compared to traditional networks. These are owing to the SDN’s mutual independence or separation of the control and data planes. Decoupling two planes and the centralised nature of SDN enhance DDoS attack protection by facilitating easy implementation of network device policies. The controller’s ability to filter network traffic and detect malicious flows is attributed to its global network view. Control and data plane separation brought numerous benefits, but it also introduced a new challenge in terms of its susceptibility to DDoS attack. DDoS attacks are one of the most severe threats to SDN, where the perpetrator disrupts the services of regular users. Machine learning (ML) and deep learning (DL) have emerged as good solutions compared to statistical or policy-based solutions to detect DDoS attack. We have created a detailed taxonomy of DDoS defense solutions. We have surveyed 260 research articles, of which 132 articles are selected based on ML- and/or DL-based solutions to detect DDoS attack in SDN. We discuss the existing works which have applied feature selection algorithms on the dataset to select the best and optimal features for detecting DDoS attack. We present the features of various DDoS datasets available publicly. We also argue for the need to create SDN-specific datasets and then apply feature selection algorithms that may help in better detection of DDoS attack. Finally, we present the research challenges in SDN security that can help the researchers to carry out further research and develop new methods to secure SDN.

Keywords SDN · DDoS attack · Machine learning · Deep learning

✉ Naziya Aslam: naziyaaslam29@gmail.com
Shashank Srivastava: shashank12@mnnit.ac.in
M. M. Gore: gore@mnnit.ac.in

¹ Department of Computer Science and Engineering, Motilal Nehru National Institute of Technology Allahabad, Prayagraj, Uttar Pradesh 211004, India

1 Introduction

Distributed denial of service (DDoS) attack overwhelms a server with Internet traffic, making it inaccessible to regular users. It restricts users’ network access, possibly halting the entire network. This attack has evolved into a severe danger over the last decade due to its high intensity and the severity of its effect on the network. The first-ever large-scale DDoS attack emerged in 1999 [185], disrupting the network at the University of Minnesota. Since then, DDoS attacks have kept disturbing the Internet, mainly the service providers. The year 2013 saw the first-ever 100 Gbps DDoS attack [109]. In 2016, within a time span of 3 years, the impact of the highest DDoS attack evolved up to 1 Tbps [110], disrupting the communication of a large number of devices. In February 2023, an HTTP DDoS attack with 71 million requests per second was launched during the USA-based NFL Super Bowl weekend [144]. Table 1 lists the DDoS attacks that have happened in the past. We can see from Table 1 that the severity of DDoS attacks is progressively increasing each year, leading to a vast disruption of network services. A few factors boosting the scale of these attacks are the mass evolution of IoT devices, high availability of upload bandwidth, and readily available attack source codes. The threat of DDoS attacks has forced industries and academia to come up with innovative solutions to safeguard Internet infrastructure.

Table 1 DDoS attacks of the past

| S. no. | Refs. | Year | Attack target | Attack rate | Description |
|---|---|---|---|---|---|
| 1 | [144] | Feb 2023 | USA-based NFL Super Bowl weekend | 71 million rps | Dozens of hyper-volumetric DDoS attacks with 71 million requests per second were launched during the USA-based NFL Super Bowl weekend |
| 2 | [17] | June 2022 | Cloud Armor customer | 46 million rps | A DDoS attack with 46 million requests per second was launched against a Cloud Armor client |
| 3 | [81] | June 2022 | Customer website | 26 million rps | An HTTP DDoS attack of 26 million targeting the customer websites was mitigated by Cloudflare |
| 4 | [250] | August 2021 | Azure customer | 2.4 Tbps | A DDoS attack of 2.4 Tbps that lasted for 10 min affected a customer of the Azure cloud computing service |
| 5 | [1] | February 2020 | Customer of AWS | 2.3 Tbps | One of the customers of Amazon Web Services suffered a massive DDoS attack of 2.3 Tbps |
| 6 | [205] | April 2019 | Client of Imperva | 580 pps | One of the clients of Imperva faced a DDoS attack that peaked at 580 million packets per second |
| 7 | [233] | March 2018 | USA-based wired telecommunication carrier | 1.7 Tbps | A USA-based wired telecommunication carrier was affected by DDoS traffic of 1.7 Tbps |
| 8 | [189] | March 2018 | Website of Russian Defense Ministry | 10,000 rps | The Russian Defense Ministry’s website was hit by seven DDoS attacks sending tens of thousands of requests per second |
| 9 | [119] | February 2018 | GitHub | 1.35 Tbps | Using the Memcached-based technique, GitHub was subjected to an amplification attack of 1.35 Tbps through 126.9 million packets per second |
| 10 | [33] | November 2017 | Boston Globe website | – | A DDoS attack affected the company’s website and servers, bringing down the newspaper’s telephone and editing systems |
| 11 | [225] | October 2017 | Website of Czech parliamentary election | – | During the vote counting in the Czech parliament’s lower house election, a DDoS attack took down the Czech statistical office’s website |
| 12 | [49] | September 2017 | UK National Lottery | – | A DDoS attack on the UK National Lottery website prevented people from purchasing tickets |
| 13 | [26] | April 2017 | Melbourne IT | – | The domain name registrar Melbourne IT and its subsidiaries were hit by a DDoS attack, rendering cloud hosting and email services inaccessible |
| 14 | [252] | October 2016 | Dyn server | 1.2 Tbps | Servers of the Dyn company were brought down by the Mirai botnet. The attack involved around 1,00,000 malicious endpoints creating a DDoS attack of 1.2 Tbps |
| 15 | [172] | June 2016 | Website of jewellery shop | 35,000 HTTP rps | A jewellery shop website in the USA was attacked by a DDoS attack comprising 25,000 CCTV botnets. The site was hit by 25,000 HTTP requests per second |
| 16 | [239] | May 2016 | Bank of Greece website | – | Servers of the Bank of Greece website were brought down for 6 h by a DDoS attack |
| 17 | [171] | January 2016 | HSBC Internet banking | – | HSBC’s Internet banking facility was disrupted by a DDoS attack for several hours |
| 18 | [94] | January 2016 | Website of Irish government | – | A DDoS attack knocked off many Irish government websites |
| 19 | [24] | December 2015 | BBC website | 500 Gbps | A DDoS attack of 500 Gbps bandwidth occurred |
| 20 | [228] | October 2015 | Thai government websites | – | A DDoS attack targeted several Thai government websites, bringing them down for several hours |
| 21 | [156] | February 2014 | Client of Cloudflare | 400 Gbps | One of the clients of Cloudflare was hit by a DDoS attack peaking at 400 Gbps |
| 22 | [251] | March 2013 | Spamhaus website | 300 Gbps | The Spamhaus website was targeted by a DNS reflection attack with a bandwidth of more than 300 Gbps |

In traditional/conventional networks, the forwarding behaviour of network devices and packet control logic are linked strongly. This decreases flexibility, hinders innovation, and incurs increased operational costs. These drawbacks of traditional networks make it difficult to prevent DDoS attacks on the network. Consequently, the key network properties of integrity, information availability, non-repudiation, confidentiality, and authentication are becoming increasingly difficult to maintain. Many researchers and companies have focused on developing resilient, scalable, and secure networks. The innovation of software-defined networking (SDN) in 2008 [146] has boosted the research for identifying network DDoS attacks. It is a step towards establishing the network’s dynamic and centralised structure as opposed to the traditional networks.

Data, control, and application planes make up SDN. The data plane consists of switches and routers. They are in charge of carrying network user data, forwarding the data, and gathering statistics. The middle plane is the control plane, which plays a role in managing the data plane. The control plane is in charge of routing decisions and managing switches, routers, and hosts available on the data plane. The controller on the control plane has a broad centralised view of the network. The controller establishes the flow rules to ensure packets are forwarded to the desired location. The topmost plane is the application plane. It comprises network services, applications, and orchestration tools that communicate with the control plane. The application plane is primarily in charge of network traffic management. Unlike traditional networks, SDN separates a network device’s forwarding and control logic. The control logic is logically centralised at the network controller, while the forwarding logic is kept at the network device. The applications connect with the controller via various Application Programming Interfaces (APIs), such as Java APIs for data transmission or REST APIs for distant communication [132]. The OpenFlow protocol exchanges information across the data and control planes. The controller is placed centrally and has a broad view of the network. It can optimise flow management, offer high bandwidth utilisation, flexibility and scalability using global information.

With the arrival of SDN, many research proposals for detecting and mitigating DDoS attacks were presented in just a short time. SDN protects against DDoS attack as policies might be easily enforced on network devices. Due to its broad network view, the controller can filter network traffic to detect malicious flows. Control and data plane separation brought numerous benefits, but it also introduced a new challenge in terms of its susceptibility to DDoS attacks. The controller, being centrally placed, acts as a solitary point of failure. Any mishap to the SDN controller may result in network failure, making it an appealing target for attackers [97]. Defending SDN controllers from DDoS attacks is complex and resource-intensive. It restricts network management efficiency. The attacker can target any of the SDN planes. A thorough understanding of SDN features is necessary for any effort to defend SDN infrastructure from DDoS attacks. The fundamental characteristics of network traffic define DDoS attack behaviours in SDN. 2017 has been marked as the period of widespread SDN adoption and DDoS attack mitigation by Turner [234]. Jose and Kurian [98] stated in their research that the essential network traffic features can be utilised as indicators to identify DDoS attacks. Detecting
and mitigating DDoS attacks is a challenging issue that has emerged as a popular study topic.

The notion of DDoS attack is becoming more prevalent. The major concern is to detect the attack at early stages of its commencement so that the network administrator can take effective actions against the attack to protect regular network operations. An innovative solution that provides efficient safeguards for the network from DDoS attack is required. From the emergence of SDN to now, researchers have presented various solutions for detecting DDoS attacks. These methods are classified into statistical-based, policy-based, ML-based and DL-based methods. In statistical analysis-based detection methods, DDoS attacks are identified by observing thresholds for specific statistical patterns. Policy-based methods detect DDoS attack on the exploitation of certain pre-defined policies. ML- and DL-based solutions detect DDoS attack by feeding network features to the detection model trained by machine/deep learning algorithms. A DDoS detection method is considered efficient if it accurately classifies the DDoS traffic from legitimate traffic. A high volume of legal network traffic may trigger false detection alarms for statistical analysis-based and policy-based detection methods. Therefore, our survey focuses on ML- and DL-based solutions for DDoS attack detection. Our work does not include statistical or policy-based solutions. Interested readers can go through the research works of [5, 30, 35, 44, 60, 59, 66, 70, 82, 85, 89, 102, 107, 114, 115, 121, 139, 142, 143, 153, 166, 192, 196, 204, 247, 246, 253, 268] that focus on statistical and policy-based methods for DDoS attack detection. Table 2 lists the acronyms used throughout the article.

Table 2 List of Abbreviations

| Acronym | Full name | Acronym | Full name | Acronym | Full name | Acronym | Full name |
|---|---|---|---|---|---|---|---|
| SDN | Software-Defined Networking | NB | Naive Bayes | IDS | Intrusion Detection System | NSL-KDD | Network Security Laboratory—Knowledge Discovery in Databases |
| DDoS | Distributed denial of service | RT | Random Trees | DPI | Deep Packet Inspector | CAIDA | Cooperative Association for Internet Data Analysis |
| ML | Machine Learning | LR | Logistic Regression | QoS | Quality of Service | TCP | Transmission Control Protocol |
| DL | Deep Learning | RF | Random Forest | CAM | Content Addressable Memory | R2L | Remote-to-Local |
| API | Application Programming Interface | LSTM | Long Short-Term Memory | DrDoS | Distributed Reflection Denial of Service | U2R | User-to-Root |
| SVM | Support Vector Machine | AWS | Amazon Web Service | FTP | File Transfer Protocol | IMAP | Internet Messaging Access Protocol |
| HMM | Hidden Markov Model | HTTP | Hyper Text Transfer Protocol | DoS | Denial of Service | SMTP | Simple Mail Transfer Protocol |
| DT | Decision Tree | CNN | Convolutional Neural Network | SNMP | Simple Network Management Protocol | POP3 | Post Office Protocol |
| ASVM | Advanced SVM | GRU | Gated Recurrent Unit | IRC | Internet Relay Chat | SiDDoS | SQL Injection DDoS |
| KNN | K-nearest neighbours | RNN | Recurrent Neural Network | DSN | Data Source Name | PCAP | Packet Capture |
| LDAP | Lightweight Directory Access Protocol | NTP | Network Time Protocol | ANN | Artificial Neural Network | SOM | Self-Organising Map |
| PCA | Principal Component Analysis | NCA | Neighbourhood Component Analysis | ANOVA | Analysis of Variance | SMCA | Semantic Multilinear Component Analysis |
| LASSO | Least Absolute Shrinkage and Selection Operator | RBF | Radial Basis Function | FPR | False Positive Rate | MLP | Multi-layer Perceptron |
| IG | Information Gain | GR | Gain Ratio | BPNN | Back Propagation Neural Network | SMO | Sequential Minimal Optimisation |
| NN | Neural Network | PSO | Particle Swarm Optimisation | TPR | True Positive Rate | FAR | False Alarm Rate |
| ELM | Extreme Learning Machine | LDA | Linear Discriminant Analysis | REP Tree | Reduced Error Pruning Tree | DNN | Deep Neural Network |
| GNB | Gaussian Naïve Bayes | QDA | Quadratic Discriminant Analysis | CART | Classification And Regression Tree | CAD | CUSUM Abnormal Detection |
| SAE | Sparse Autoencoder | ET | Extra Trees | GBDT | Gradient Boost Decision Tree | SSAE | Stacked Sparse Autoencoder |
| ACO | Ant Colony Optimisation | AUC | Area Under the ROC Curve | RL | Reinforcement Learning | RBM | Restricted Boltzmann Machine |

SDN network management has benefited from ML- and DL-based solutions. ML methods are utilised in several domains to tackle challenging issues [178]. DDoS attacks are detected using these algorithms, and they have been shown to outperform signature-based detection methods [31]. ML and DL classifiers can be trained to detect abnormal traffic on the network more accurately. SVM, HMM, DT, ASVM, KNN, NB, RT, LR, and RF are extensively used ML classifiers, while LSTM, CNN, GRU and RNN are some of the DL-based algorithms. ML- and DL-based solutions provide effective and dynamic SDN security and management solutions.

We have reviewed 24 survey articles from the year 2014 to 2023. The surveys focused on various parameters such as DDoS attacks in SDN, different DDoS attacks that can affect the layers of SDN, and how SDN can act like a victim and threat to DDoS attacks. The surveys also depict different defense solutions in the SDN network for identifying and mitigating DDoS attacks. We discovered that none of the surveys thoroughly analysed ML- and DL-based solutions for DDoS attack detection. Also, the surveys lacked detailed analysis of public DDoS datasets and analysis of various feature selection techniques for DDoS attack detection. These research gaps motivated us to write this survey. Apart from the survey articles, we have reviewed 260 research articles related to DDoS attacks in SDN. Out of the 260 research articles, we have considered 132 research articles related to DDoS defense solutions based on ML and/or DL algorithms in SDN. These 132 papers are divided into three categories based on the types of ML methods (supervised, unsupervised, and ensemble algorithms) and/or DL algorithms used to identify DDoS assaults in SDN.

In this paper, we have created a detailed taxonomy of DDoS defense solutions based on classification by the creation of detection and mitigation applications for different controllers, classification based on dataset used for identifying DDoS attacks, classification based on different ML/DL-based solutions, classification based on different feature selection techniques, based on attack target and based on the testing environment. We compared our survey to other surveys based on the number of research works referred over a range of years and whether a detailed analysis of ML- and DL-based solutions, public datasets, SDN-based applications and feature selection algorithms is presented. We have done a deep analysis of different datasets available publicly. Feature selection techniques have been elaborated, and the most efficient features researchers use for DDoS attack detection are listed. The merits and limitations of various ML- and DL-based solutions for DDoS attack detection are analysed, which opens the path for more study in this area. A list of applications created for DDoS attack detection and mitigation is presented. Finally, we talk about existing gaps and future research directions that will be useful to researchers to propose effective solutions for DDoS attack detection.

1.1 Scope and Contributions

Having analysed all the studies presented by researchers, the following are the findings and contributions:

• Past survey analysis: We have examined previous surveys on the detection of DDoS assaults in SDN and compared our survey based on several research works, whether detailed analysis of ML-based and DL-based solutions is done, description of public DDoS datasets, creation of SDN-based application and analysis of feature selection algorithms.
• Detailed analysis of DDoS datasets: We analysed a number of datasets and presented a detailed explanation of various datasets available for DDoS attack detection, as none of the researchers surveyed public datasets in detail. We also specify the need to generate an SDN-based dataset.
• Feature engineering: Our survey presents the feature selection techniques researchers use to select the best and optimal feature set from either their own generated or public datasets. We focus on the need to create an SDN-specific dataset and then apply feature selection algorithms that may help better detect DDoS attacks in the context of a real-world network.
• Analysis of Machine learning-based solutions for DDoS attack detection: We present a detailed analysis of different ML algorithms, such as supervised, unsupervised, and ensemble learning algorithms used by researchers as a solution to detect DDoS attacks. Our scope of work is limited to DDoS attack detection.
• Analysis of Deep learning-based solutions for DDoS attack detection: Deep learning algorithms have become popular and outperformed ML algorithms in identifying DDoS attacks in recent years. A detailed analysis of DL-based solutions to detect DDoS attack has not been done till now. As a result, our research presents a comprehensive review of DL-based solutions for DDoS detection.
• Detection and Mitigation Application: Timely identifying and reducing DDoS assaults is a challenge. An SDN application deployed at the application layer that communicates with the controller and performs DDoS attack detection and mitigation will be useful. We present the research works that have created applications to detect and mitigate DDoS attacks. We also emphasise the need to develop an SDN-based application for DDoS attack detection and mitigation to recognise and handle attacks efficiently, hence averting massive harm to legitimate users.
• Highlights of future research directions: Our study addresses research issues and pinpoints potential possibilities for DDoS attack detection in SDN systems, offering insightful information and assisting in creating effective detection tools.

1.2 Organisation of Paper

The survey article is organised into twelve sections. Section 2 gives a recap of the related surveys for DDoS attack detection in SDN environment. A comparison of our survey with related surveys based on certain parameters is presented in this section. Section 3 presents the primary purpose of conducting this survey. Section 4 gives an overview of SDN and its benefits. It explains the architecture of SDN and how SDN is better than conventional networks. Section 5 explains the DDoS attacks and how they can affect the different layers of SDN architecture. Section 6 presents a detailed description of different datasets available publicly that can be used for DDoS attack detection. Section 7 presents the different feature selection methods for creating the best and optimal feature dataset, which can aid in better detection of DDoS attacks. Section 8 presents the detailed literature survey of the ML algorithms used by researchers for detecting DDoS attacks in an SDN environment. This section is classified into supervised, unsupervised, and ensemble ML-based solutions. Section 9 overviews the various DL-based solutions for detecting DDoS attacks in SDN. Section 10 lists the applications created by researchers for the detection and mitigation of DDoS attack. Section 11 explains the different research challenges in SDN security that can help researchers conduct further research and develop new methods to secure SDN. The last Sect. 12 presents the conclusion followed by future work.

Figure 1 represents the structure of this paper section-wise.

Fig. 1 Structure of the paper

2 Related Surveys

Jay Turner has declared 2017 the year of broad SDN implementation and DDoS attack mitigation [234]. SDN adoption and usage have increased rapidly since then. A similar analysis by MarketsandMarkets estimates that SDN demand will increase from $ 13.7 billion in 2020 to $ 32.7 billion in 2025 [190]. The demand for a sophisticated network administration system capable of handling the growing network traffic and complexity is a key driver in the market. However, the increased usage of networking devices has posed threats to SDN networks. The primary threat faced by SDN is DDoS attack. SDN is an obvious target for DDoS attackers due to
123
Arabian Journal for Science and Engineering

the centralised management and dumb forwarding charac- installs rules in SDN switches to delete or block harmful
teristics of switches. DDoS attacks are devastating as they traffic. However, because of the centralised controller and
disrupt the services of servers and deny access to legitimate dumb switches, SDN is prone to DDoS attacks. The cen-
users. This could affect users primarily as their essential work tralised SDN controller becomes the primary target as the
might be interrupted, and they may be unable to access the attackers can downgrade the entire network by overwhelm-
service if the attack rate is high. Some of the major DDoS ing the control plane. Furthermore, because the forwarding
attacks of the past are summarised in Table 1. DDoS attacks devices lack intelligence, they must send every new packet
have become common in disrupting servers by attacking at a to the controller for judgement. As a result, the controller’s
rate as high as 2.4 Tbps. This shows a dire need to get rid of memory, processor, and network resources are depleted. Fur-
DDoS attacks. thermore, forwarding devices are vulnerable to DDoS attacks
Getting rid of DDoS attacks is a challenge that has led to because they have limited memory.
increased research in finding solutions for detection and mit- DDoS attacks in SDN and cloud environments were
igation of DDoS attacks. After reviewing existing research, explained by Dong et al. [68]. Singh and Bhandari [211] pro-
we found studies focusing on DDoS defense mechanisms in vided a taxonomy of novel flow-based SDN-targeted DDoS
SDN. Ashraf and Latif [18], in their review work, analysed attacks and several protection strategies to counteract them.
different ML techniques to cope with intrusion detection and Singh and Behal [210] categorised the DDoS protection
DDoS attacks in SDN. Yan et al. [259] offered a complete solutions based on the type of detection mechanisms. They
assessment of DDoS defense methods employing SDN in thoroughly evaluated 70 different DDoS detection and mit-
cloud computing and explained how SDN could protect itself igation strategies. These 70 mechanisms are grouped into
from DDoS attacks. The network’s security is necessary so four sections: Artificial neural network-based approaches,
that SDN-based cloud can be formed smoothly and free from ML-based methods, information theory-based methods, and
the fear of DDoS attacks. Bawany et al. [28] presented the others. They also discussed this topic’s concerns, research
SDN characteristics and how it can help detect DDoS attacks gaps, and challenges encountered while designing a detec-
compared to traditional networks. They explained various tion system. Ubale and Jain [236] explained the solutions
DDoS detection techniques (entropy, machine learning, con- for buffer saturation, flow table overflow, controller satura-
nection rate, traffic pattern analysis, SNORT, and OpenFlow tion, and control data channel congestion for tackling DDoS
integrated) for SDN. Some of the mitigation techniques used attacks in SDN. Another brief review by Al-Adaileh et al. [9]
by researchers to prevent DDoS attack are also presented and Gupta and Grover [80] explained some detection tech-
in their study. They also proposed their SDN-based DDoS niques for detecting DDoS attacks on SDN controllers. A
detection and mitigation model for smart cities. Another sur- survey by Pajila and Julie [173], Kaur et al. [106], and Val-
vey by Dayal et al. [58] presented various security issues on dovinos et al. [240] also presented different DDoS defense
various layers of SDN architecture. Xu et al. [255], Kalkan solutions in SDN. In their work, Cui et al. [50] offered a
et al. [103], Fajar and Purboyo [72] and Joëlle and Park [100] detailed analysis of DDoS attack in SDN and classified it into
also presented some of the defense solutions to protect SDN attacks targeted at service providers and SDN layers. They
architecture from DDoS attacks. In their study, Imran et al. also survey different DDoS detection techniques in SDN
[93] presented the various mitigation techniques for DDoS based on ML-based, statistical and threshold-based solutions.
attack prevention in SDN. Sahoo et al. [191] explained the Table 3 compares previous survey articles with our survey.
SDN security issues, possible DDoS attacks on SDN layers The comparison is based on the number of research works
and different detection techniques for securing SDN against referred over a range of years and whether a detailed analysis
DDoS attacks. They also proposed an information distance- of ML- and DL-based solutions, public datasets, SDN-based
based flow discriminator framework for distinguishing DDoS applications and feature selection algorithms is presented.
traffic during flash events in the SDN network environment.
Their simulation experiment used CAIDA [37] and FIFA
World Cup datasets to detect DDoS attacks. Swami et al.
[218] studied the DDoS attacks in detail. They looked at 3 Survey Methodology
the contradictory relationship between DDoS attacks and
SDN. SDN is utilised to guard against DDoS attacks owing This section describes how the survey was carried out. The
to its benefits of centralised traffic control, dynamic flow fundamental causes that prompted this study and the tech-
rule updation, and network programmability. The centralised nique used to conduct the review are explained.
controller can handle network traffic more efficiently than The survey articles and research articles listed in our
traditional networks because it can access all network data. survey have been taken from various sources. Numerous
Furthermore, when a controller detects any unusual conges- research publications were read, research questions were
tion in the network, a control plane protection technique created, and various databases were searched as part of

123
Arabian Journal for Science and Engineering

Table 3 Comparison of our work to related surveys

References Research Range of year Presented detailed analysis of


works
ML-based DL-based Public SDN-based Feature
solutions solutions datasets application selection
algorithms

Ashraf and 35 1991–2014  × × × ×


Latif [18]
Yan et al. [259] 131 2000–2015 Few × × × ×
Xu et al. [255] 45 2003–2017 Few × × × ×
Bawany et al. 101 1999–2016 Few × × × ×
[28]
Dayal et al. [58] 120 2002–2015 Few × × × ×
Kalkan et al. 15 2009–2016 Few × × × ×
[103]
Fajar and 34 2000–2017 × × × × ×
Purboyo [72]
Joëlle and Park 79 2003–2018 Few × × × ×
[100]
Imran et al. [93] 54 2008–2018 × × × × ×
Sahoo et al. 162 2003–2018 Few × × × ×
[191]
Swami et al. 92 1994–2018 Few Few × × ×
[218]
Dong et al. [68] 124 2001–2019 × × × × ×
Pajila and Julie 51 2003–2018 Few × × × ×
[173]
Ubale and Jain 54 2004–2018 × × × × ×
[236]
Singh and 103 1990–2020 Few Few × × ×
Bhandari
[211]
Singh and 161 1994–2020  Few × × ×
Behal [210]
Al-Adaileh 70 2004–2020 Few × × × ×
et al. [9]
Han et al. [86] 177 1995–2019 Few × × × ×
Gupta and 20 2015–2021  Few × × ×
Grover [80]
Kaur et al. [106] 170 2007–2021  Few × × ×
Valdovinos 173 2003–2020  Few × × ×
et al. [240]
Cui et al. [50] 216 2002–2021   × × ×
Alhijawi et al. 30 2013–2020 Few Few × × ×
[11]
Alashhab et al. 121 1990–2022 Few Few × × ×
[10]
Our work 268 1994–2023     

this review approach. The approach used for this survey included searching several databases, i.e. Springer, Science Direct, IEEE Xplore, Elsevier, ACM Digital Library, Google Scholar, and DBLP, for related works.

We have reviewed 24 survey articles from 2014 to 2023. The surveys focused on various parameters such as DDoS attacks in SDN, different DDoS attacks that can affect the layers of SDN, and how SDN can act like a victim and threat to DDoS attacks. The surveys also depict other defense solutions for DDoS attack detection and mitigation in SDN environment. Apart from the survey articles, we have reviewed 260 research articles related to DDoS attack in SDN. Out of the 260 research articles, we have considered 132 research articles related to DDoS defense solutions based on ML and/or DL algorithms in SDN. These 132 articles are classified according to the different types of ML algorithms (supervised, unsupervised, and ensemble ML algorithms) and/or DL algorithms used to detect DDoS attacks in SDN. Figure 2 depicts a detailed taxonomy of DDoS defense solutions. Table 4 compares our work with State-of-the-Art taxonomy methods.

Also, Fig. 3 represents the percentage-wise distribution of articles that have used ML and/or DL algorithms as a solution to get rid of DDoS attacks in SDN.

Fig. 2 Taxonomy of DDoS defense solutions

Table 4 Comparison of our work with State-of-the-Art taxonomy methods

| References | Year | Taxonomy method |
|---|---|---|
| [211] | 2020 | Based on classification by switch vulnerabilities, attack type, attack impact and attack strength |
| [240] | 2021 | Based on different DDoS detection and mitigation strategies: statistical, machine learning, SDN architecture, blockchain, network function virtualisation, honeynets, network slicing and moving target defense |
| [106] | 2021 | Based on attack targets, DDoS defense approaches, testing environment and traffic generation mechanism |
| [105] | 2022 | Based on different DDoS mitigation techniques on communication interfaces, application, control, and data plane of SDN |
| [158] | 2023 | Based on detection methods using deep learning techniques: discriminative learning, generative learning, hybrid learning |
| [12] | 2023 | Based on different detection techniques for DDoS attacks: statistical analysis, blockchain, machine learning, network function virtualisation |
| Our work | 2023 | Classification based on application, dataset, ML solutions, DL solutions, feature selection methods, attack target, and testing environment. Also created a taxonomy of different ML and DL algorithms |

Fig. 3 Distribution of articles based on type of algorithms

4 Software-Defined Networking (SDN)

SDN is an improved network architecture that manages network traffic flows while allowing for better network administration. Researchers have been striving to develop strategies to protect networks against cyber attacks for years. However, their efforts have been hampered by efficiency, scalability, dependability, and security problems. The introduction of SDN technology fascinates the research and security sectors because it offers innovative and alternative approaches to addressing difficulties. The design of the SDN environment, which separates the control plane from the forwarding plane, provides unique security solutions to protect networks from attackers. It offers dynamic network management using a logical and centralised control system that instructs the data layer to channel network traffic. On the other hand, the centralised control function may be a drawback since it creates a risk of a single point of failure due to the network’s reliance on it. As a result, the centralised SDN controller appears to be an appealing prospect for DDoS assaults, with a major attack possibly causing network damage or even catastrophic collapse. Attackers also take advantage of data plane switch constraints, such as memory capacity. The main purpose of a DDoS attack on an SDN controller is to overload and exhaust its resources, typically by flooding the network with fake IP packets, resulting in an overload that interrupts or fails the network. Simultaneously, a centralised SDN controller might act as a virtualised network, making the network flexible and easy to operate. The controller collects network information from incoming packets and identifies network devices that interact with it. By exploiting its programmability and flexibility, the SDN controller might also help to enhance network performance. Since the control plane is separated from the data plane, all data packets that do not fit any of the flow table rules are routed to the controller. In other words, by dealing with two types of objects, the controller enhances network traffic flow monitoring. The first object is network management, consisting of switch table packet forwarding policies. The second object is network observation, which enables network traffic behaviour analysis. Figure 4 depicts SDN architecture consisting of application, control and data planes.

Fig. 4 SDN architecture

4.1 SDN Versus Traditional Networks

The essential notion of SDN architecture is decoupling the data plane from the control plane, which opens up immense potential for network design innovation. The mutual independence of the two planes promotes programmability in SDN networks. As a result, network traffic management and the configuration of SDN-enabled network devices have improved. Control logic is included in traditional network devices. If the policy needs to be modified, the logic on each device must be manually updated according to vendor-specific rules, which takes time. On the other hand, SDN isolates control logic and allows administrators to alter control logic remotely via southbound APIs with centralised monitoring. Adopting new creative rules in traditional switches is difficult since they are vendor-specific with restricted hardware capabilities. With the centralised controller, policy changes are a relatively quick procedure in SDN. The conventional network offers only a restricted region for testing new policies, but SDN offers significantly more testing options than the traditional network.

4.2 SDN Architecture

Our society is becoming increasingly linked as information and communication technology progresses. However, our traditional networks have limits, such as scalability, security, operating expenses, manageability, and personalisation. There has been much buzz in the academic and practitioner sectors to create a new SDN architecture to solve these restrictions while delivering new networking improvements. SDN may be an extension of prior notions, such as reconfigurable networks and interfaces. Decoupling the control and data planes in networking devices is a fundamental element in the SDN design. Plane separation lets each layer grow virtually independently, allowing for more creativity, faster deployment, acceptance of new features and services, and improved management and security. The second concept is transparency, which states that consumers should be unable to distinguish between traditional networks and SDN. The third concept is automation and real-time deployment, which centralises a control plane logically and adds customisable entities. This functionality allows for the development of advanced networking applications that improve network efficiency, administration, and management.

1. Application plane: The application or infrastructure plane consists of applications and services such as IDS, load balancer and DPI. These services help to perform decision-making in traffic engineering, routing, QoS differentiation and monitoring. The Northbound API allows applications to interact with the controller. This API may be implemented as either REST API or Java and Python APIs.
2. Control plane: The control plane manages core forwarding devices by making decisions based on global network information. The Northbound interface connects with the application plane to deliver critical information to apps. The controller converts the requirements of network applications that run on top of it into low-level flow rules communicated with SDN devices for deployment via the Southbound interface. The controller performs topology administration, which stores data about the connection of devices among end-users. It also performs flow management by managing the flows currently in the network to ensure effective synchronisation between SDN devices. The controller also performs device management, detecting the end-user and network elements that compose the network’s infrastructure. A centralised controller is capable of handling massive quantities of network traffic. As the number of SDN devices and traffic flow rises, the controller may become a network bottleneck.
3. Data plane: This plane comprises network devices, commonly referred to as SDN devices, that are in charge of flow-rule-based packet forwarding. The control and data plane connection is accomplished using an open, vendor-independent Southbound interface. An SDN device’s software and hardware elements can be used to define it further. The device employs OpenFlow as a Southbound interface and an abstraction for storing flow rule entries in flow tables. It also stores flow rules in either CAM or Ternary CAMs.

5 DDoS Attack in SDN

A distributed denial of service (DDoS) attack is a cyberattack where the attacker disrupts the services of the machine or the network. Attack traffic exhausts the system’s resources, either temporarily or indefinitely. Consequently, systems are unable to provide service to the intended users. In DDoS attack, a malicious agent controls distributed systems to bring down the hosts. The increasing frequency of this attack is threatening the networks and needs to be addressed at the earliest. Identifying the source of DDoS attack and preventing the attackers from causing harm to the network is necessary. This has motivated the research industry to devise an efficient solution to eliminate DDoS attacks. Due to the separation of the SDN control plane and data plane, it has become easy for attackers to target any plane. Detecting the attack on these planes and mitigating them has become essential.

DDoS attack on data plane: The data plane of SDN consists of several forwarding devices (OpenFlow switches). Each switch consists of a flow table with a limited capacity for storing the rules. It lacks the processing ability to handle mismatched packets. The data plane has become vulnerable to intruders due to flow table overflow and buffer saturation.

DDoS attack on control plane: The control plane of SDN comprises a controller which controls the forwarding devices and makes routing decisions. As the controller manages the whole network, it is vulnerable to DDoS attacks. The attacker can affect the controller by overloading its network resources. The controller processes the unmatched packets and installs flow rules in the switches. This process involves all the controller resources, such as memory, buffer and CPU. If the controller remains busy for a significant period in processing the packets, then the network’s performance is slowed down. This causes congestion in the network. As a result, legitimate users are denied services.

DDoS attack on application plane: The attackers can affect the application layer of SDN by launching application-layer DDoS attacks or exhausting northbound API. These attacks are caused by targeting the application by sending resource-intensive requests. As a result of this attack, the web servers are affected. Examples of application-layer attacks are Slowloris and HTTP flooding attacks.
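The data-plane and control-plane symptoms described in Section 5 (table-miss packets that the controller must process, and a capacity-limited flow table that fills up) can be watched for per time window. The following Python sketch is an added example, not code from the surveyed paper: the toy switch model, the capacity, timeout and threshold values, and the addresses are all assumptions, and the traffic is constructed.

```python
from collections import OrderedDict

# All values below are assumptions chosen to keep the example small.
TABLE_CAPACITY = 8     # rules one switch can hold (real tables hold thousands)
IDLE_TIMEOUT = 5.0     # seconds before an unmatched rule is removed
WINDOW = 1.0           # length of one monitoring window, in seconds
MAX_PACKET_IN = 4      # table misses per window the controller is sized for


class FlowTable:
    """Toy switch table: exact match on (src, dst), idle timeout, fixed size."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.rules = OrderedDict()          # (src, dst) -> time of last match

    def _expire(self, now):
        stale = [k for k, seen in self.rules.items()
                 if now - seen > self.idle_timeout]
        for key in stale:
            del self.rules[key]

    def lookup(self, key, now):
        """True on a match; False is a table miss, which costs a packet_in."""
        self._expire(now)
        if key in self.rules:
            self.rules[key] = now
            return True
        return False

    def install(self, key, now):
        """Add the rule the controller sends back; False if the table is full."""
        if len(self.rules) >= self.capacity:
            return False
        self.rules[key] = now
        return True


def constructed_traffic():
    """Constructed (time, src, dst) packets: 3 s of normal use, then a 1 s flood."""
    server = "10.0.0.100"
    pkts = []
    for i in range(16):                     # two known clients, 4 packets/s each
        pkts.append((i * 0.25, "10.0.0.1", server))
        pkts.append((i * 0.25, "10.0.0.2", server))
    for i in range(20):                     # every packet has a new source address
        pkts.append((3.0 + i * 0.05, f"198.51.100.{i + 1}", server))
    pkts.append((3.62, "10.0.0.3", server))  # a new legitimate client mid-flood
    return sorted(pkts)


def monitor(packets):
    """Replay packets through the table and report per-window symptoms."""
    table = FlowTable(TABLE_CAPACITY, IDLE_TIMEOUT)
    windows = {}
    for t, src, dst in packets:
        w = windows.setdefault(int(t // WINDOW), {
            "packet_in": 0, "overflow": 0, "peak_rules": 0, "rejected": []})
        if not table.lookup((src, dst), t):
            w["packet_in"] += 1             # controller has to process this one
            if not table.install((src, dst), t):
                w["overflow"] += 1          # no room for the new rule
                w["rejected"].append(src)
        w["peak_rules"] = max(w["peak_rules"], len(table.rules))

    report = []
    for idx in sorted(windows):
        w = windows[idx]
        alerts = []
        if w["packet_in"] > MAX_PACKET_IN:
            alerts.append("control plane: packet_in rate above budget")
        if w["overflow"] or w["peak_rules"] >= TABLE_CAPACITY:
            alerts.append("data plane: flow table saturated")
        report.append({"window": idx, **w, "alerts": alerts})
    return report


if __name__ == "__main__":
    for row in monitor(constructed_traffic()):
        print(row["window"], row["packet_in"], row["overflow"],
              row["peak_rules"], row["alerts"])
```

In the flood window the new legitimate client `10.0.0.3` appears in the `rejected` list, which is the denial of service to regular users that the section describes.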

6 Description of Public Datasets

To detect DDoS attacks, a proper and standard SDN dataset is required. We have surveyed various public datasets for DDoS detection.

1. KDD-CUP99 Dataset, 1999 [101, 215]: It is a well-known dataset commonly utilised in evaluating intrusion detection systems. This updated dataset version was created as part of an IDS initiative at MIT’s Lincoln Laboratory in 1998 and 1999. The DARPA-funded programme resulted in the DARPA98 dataset. The KDD CUP 99 dataset was created by processing this dataset to be used in the International Knowledge Discovery and Data Mining Tools Competition. This dataset was generated using DARPA packet traces. The dataset in tcpdump format was collected over five weeks from a simulated military-like environment. It includes 41 traffic characteristics classified into three groups: content, fundamental, and traffic features. In addition to the standard statistics, the dataset provides four assault categories: DoS, User to Root (U2R), Remote to Local (R2L), and probe attacks. One challenge of the KDD’99 dataset is the presence of duplicate entries, which reached 78% in the training set and roughly 75 percent in the testing set. The significant degree of data redundancy makes it difficult for detection methods to provide high accuracy for low-volume attacks: R2L and U2R. As a result, detection algorithms are skewed towards high-volume recordings, such as denial-of-service attacks.
2. DARPA Dataset, 1999 [125]: Lincoln Laboratory developed the DARPA dataset on a simulation network for assessing the performance of intrusion detection systems in 1998 and 1999. It consisted of two parts: real-time evaluation and an offline examination. Offline testing of intrusion detection systems was performed using traffic on a network and audit records obtained on a simulated network. The systems analysed these data in batch mode, which tried to identify assault activities throughout routine operations. IRC, email, surfing, FTP, Telnet, and SNMP events are all included in this dataset. It includes Rootkit, remote FTP, DoS, Buffer overflow, Syn flood, and Nmap threats. This dataset somehow does not accurately depict genuine network traffic and has flaws, such as a lack of false positives. Furthermore, the dataset seems outdated for appropriate IDS assessment on current networks, including Internet infrastructure and attack types. Also, it lacks real assault datasets [34].
3. Kyoto Dataset 2006+ [214]: The dataset was gathered via honeypot servers at Kyoto University. It comprises the actual network traffic from November 2006 to August 2009. Kyoto has 24 statistical characteristics, out of which 14 are shared with KDD dataset. Regular traffic was created alongside malicious traffic by establishing a second server in the same honeypot network to provide a more real dataset. As the traffic data was gathered via honeypot servers and the great majority of this data is malignant, the uneven class distribution of the dataset is regarded as the fundamental shortcoming of Kyoto 2006+. In addition, the attack types provided in the dataset are undocumented. When utilising this dataset, the inability to differentiate attack types leads to a biased image of intrusion detection performance. Furthermore, in Kyoto 2006+, regular traffic included only the email and DNS traces. The fraction of regular traffic in the sample, which ranges between 3 and 4% of the total, does not depict Internet activity. Furthermore, regular and malignant traffic was generated in two contexts, resulting in an artificial and uncorrelated dataset [83]. Despite the fact that Kyoto 2006+ dataset was created using real-world traffic information, it does not include any data on the attack types. Therefore, determining the effect of these attacks on SDN Internet infrastructure can be challenging.
4. CAIDA DDoS2007 [36]: Cooperative Association of Internet Data Analysis developed three different datasets. First, the CAIDA OC48 dataset [38] comprises various kinds of data witnessed over an OC48 link in San Jose over approximately 100 GB of unprocessed data traffic. Second, the CAIDA DDoS dataset consists of one hour of DDoS assault traffic split into five-minute pcap files. Finally, the 2016 CAIDA Internet traces dataset provides passive traffic traces from CAIDA’s Equinix-Chicago monitor via the fast Internet infrastructure. The vast bulk of CAIDA’s datasets are tailored to specific attacks and are anonymised with respect to protocol data, payload, and destination. Due to various difficulties, they are inefficient benchmarking datasets [207].
5. NSL-KDD Dataset, 2009 [226]: The NSL-KDD dataset is a revised form of the KDD’99 dataset built by Tavallaee et al. It was created to address certain inherent flaws with the KDD’99 dataset, like data redundancy. NSL-KDD is split into two sections: training and testing. Attack distribution in the test set is more significant than in the train set, with an estimated 17 assaults missing from the training dataset. Despite the fact that KDD’99 and NSL-KDD have been utilised in various intrusion detection studies, both datasets are unrealistic for representing present network traffic as they were developed 20 years ago and cannot reflect new attack patterns. In addition, the initial DARPA dataset was constructed using a previous TCP protocol version. Using the outdated TCP version renders the header field IPv4 ToS obsolete, according to contemporary standards [145]. Aside from the drawbacks of the KDD’99 and NSL-KDD datasets for IDS evaluation, they also contain many attributes that are irrelevant to SDN networks. Some prior efforts [223, 224] used six of the 41 characteristics while implementing the NSL-KDD dataset in an SDN environment. Both studies concentrated on a subset of properties that may be obtained directly from the OpenFlow protocol. However, the classifier model’s performance predicts a poor detection rate and a high FAR since the features cannot identify suspicious behaviour in hostile traffic. Furthermore, most previous attempts in SDN networks relied primarily on the KDD’99 and NSL-KDD datasets to detect DoS attacks. This is because additional attack traffic, such as R2L and U2R, is contained in packet data, and content features are essential to detect these attacks. The content features, however, are not readily available via the OpenFlow protocol.
6. ISCX2012 Dataset [207]: Shiravi et al. generated data flow using two profiles based on simulated network. Alpha-profiles generate assault traffic, whereas Beta-profiles generate regular traffic. It covers network traffic for IMAP, SMTP, HTTP, SSH, FTP and POP3 protocols and their whole packet payload. The dataset includes 20 packet attributes of two network attacks: denial of service and brute force. However, the variety of DoS attack in data is somewhat restricted, and it does not address the vulnerability at multiple OSI layers. The dataset contains only HTTP traffic, which is not representative of actual traffic because the great majority of modern Internet traces are based on HTTPS traffic [206]. The number of features collected via the OpenFlow protocol, like the KDD’99 and NSL-KDD datasets, is inadequate for ML evaluation.
7. Dataset by Alkasassbeh et al. [15]: They developed a modern DDoS attack dataset having 21,60,668 records and 27 features. The dataset included HTTP, UDP, Smurf, and SiDDoS attacks. Several researchers have used their dataset to detect DDoS attacks in SDN environments using ML algorithms [193, 194].
8. CICIDS 2017 Dataset [206]: Sharafaldin et al. generated this dataset based on six attack profiles: Brute Force Attack, Web Attack, Botnet, Heartbleed Attack, DoS Attack, DDoS Attack, and Infiltration Attack. This dataset includes a variety of threat scenarios that earlier datasets did not. It also has the same quantity of recorded flow-based characteristics. Despite the fact that the CICIDS 2017 dataset is recognised as one of the most prominent datasets that enable many academics to design and test new models, it has various defects and challenges. The CICIDS 2017 dataset is based on ISCX2012, released in 2012. The total number of retrieved features represents the significant difference between the two datasets. The CICIDS 2017 dataset consists of 80 flow-based features, whereas ISCX2012 contains just 20 packet features. Furthermore, the HTTPS Beta profile was included in the CICIDS 2017 dataset to support the continued expansion of HTTPS use on the Internet. However, because of their inherent complexity, adopting the concept of profiling may be difficult [117]. Similarly, Panigrahi et al. identified several faults and defects in the CICIDS 2017 data [174]. The dataset has 288,602 empty class labels and 203 incomplete data pieces. Furthermore, the CICIDS 2017 dataset is massive and comprises several duplicate entries that appear redundant for any IDS training.
9. CSE-CIC-IDS2018 Dataset [43]: A cooperation between the Communications Security Establishment (CSE) and the Canadian Institute for Cybersecurity (CIC) resulted in the creation of the dataset. CICIDS 2018 was the same as CICIDS 2017, with over 80 flow-based features retrieved from captured traffic via CICFlowMeter-V3. The profiles are used to produce the dataset methodically. This dataset comprises two broad classifications of profiles: B-profiles for regular traffic and M-profiles for irregular or assault traffic. The attack scenarios covered in this dataset are the same as those in the CICIDS 2017 dataset. However, the dataset faces the same intrinsic flaws as CICIDS 2017.
10. CIC DDoS 2019 Dataset [39]: Canadian Institute for Cybersecurity developed DDoS attack dataset in 2019. CICDDoS2019 delivers regular and up-to-date common DDoS attacks close to real-world data (PCAPs). It also provides the findings of a network monitoring performed using CICFlowMeter-V3 that extracted 80 features apart from labelled flows. The features considered are the source and destination IPs, protocols, timestamp, source and destination ports, and type of attack. An abstract behaviour of 25 users was created for this dataset using the FTP, HTTP, SSH, HTTPS, and email protocols, including a variety of current DDoS assaults in this dataset, including LDAP, NTP, PortMap, MSSQL, NetBIOS, UDP-Lag, UDP, SYN, SNMP, and DNS.
11. SDNTrafficDS Dataset, 2019 [159]: Myint et al. proposed a dataset for SDN traffic environment. UDP and SYN flood attacks have been collected along with normal traffic in their dataset from the OpenFlow switches over the OpenDaylight controller. Five features were extracted from the experimental SDN testbed.
12. Kaggle DDoS 2019 Dataset [67]: Several DDoS attack datasets generated by researchers are available on Kaggle publicly. One such DDoS dataset by Prasad et al. [67, 183] is generated by extracting flows from three publicly available open datasets of intrusion detection system by CIC Canada [96, 206]. The resultant DDoS flows are combined with normal flows retrieved individually from the same dataset to construct a large dataset. The dataset contains 84 features of different DoS and DDoS attacks performed by various attack tools. Similarly, other DDoS attack datasets [123, 138, 241, 242] are also available for use by researchers in their work.
13. InSDN Dataset, 2020 [71]: Elsayed et al. created an SDN-specific dataset to validate the intrusion detection system. It comprises the benign and diverse attack types which can arise in the SDN paradigm. Various attack tools were used to capture attack traffic for different threat classes like Exploitation, DDoS, Probe attacks, DoS, Password-Guessing, Web attacks, and Botnet. The dataset had over 80 characteristic features; 48 were extracted for the SDN environment. Usual traffic comprises DNS, Email, FTP, HTTP, SSH, and HTTPS, among other essential application services. Though this dataset addresses the concerns with existing freely accessible datasets, it is not intrinsic data and has not been tested on controllers other than the ONOS controller.

Discussion: From the publicly available datasets, it can be inferred that the majority of the public datasets are traditional network datasets. SDNTrafficDS and InSDN are the only two SDN-based datasets available publicly. There is a lack of proper and standard SDN datasets. Applying ML algorithms to this dataset to detect DDoS attacks can prove fruitful to legitimate users in the real networking world. Traditional network datasets must be converted to flow-based for SDN networks. This may not always be helpful since the dataset may not precisely describe SDN behaviour during a DDoS attack. This is a significant disadvantage that has arisen as a challenge. Creating SDN-specific datasets is encouraged for better detection of DDoS attacks.

7 Analysis of Feature Selection Techniques

ML and DL methods have proved beneficial for DDoS attack detection. The literature presents numerous ML and DL solutions used by researchers for DDoS attack detection. According to continuing research to identify these assaults, there is no ideal technique for classification. The literature shows that SVM, ANN, SOM, LSTM, and NB models have performed better than other DDoS detection solution algorithms.

The datasets used for training the ML algorithms can contain many features. Not all the features contribute to DDoS attack detection. Some features may have no or just a little impact on the outcome. Having many features for detecting DDoS attacks can prove beneficial by providing higher accuracy, but it also increases the training time of ML algorithms. DDoS attacks can be detected with the best and optimal feature set. Increased time in detecting DDoS attacks is a disadvantage as it would cause much impact on legitimate users. Therefore, selecting the best features among a subset of features is highly necessary to detect attacks in less time without disrupting services to legitimate users. To select optimum features, Polat et al. [179] described three techniques: embedded, wrapper, and filter-based. Figures 5, 6, and 7 represent the three feature selection methods.

Fig. 5 Filter-based feature selection method

Fig. 6 Wrapper-based feature selection method

Filter-based method: The filter-based method focuses on the features’ inherent properties. They serve as a pre-processing phase. Rather than ML algorithms, statistical techniques are used to choose the best features. Statistical experiments are used to select the best and fewest attributes. As model training is not required, filter-based techniques are quicker than other methods. The fisher score, information gain, variance threshold, correlation coefficient and chi-square test are all calculated using this method.

Wrapper-based method: The wrapper-based approach evaluates how the features will benefit the classifier’s performance. The wrapper-based technique trains ML classifiers on a subset of features. The process is finished when an ideal subset of features is selected, and a dataset with fewer characteristics is created. In terms of time and speed, this model is computationally expensive. It has been proven to be more effective than statistical approaches. Backward and recursive feature removal and forward feature selection are two examples of wrapper-based feature selection algorithms.

Embedded-based method: The embedded method enhances result prediction by combining the qualities of filter-based and wrapper-based methods. Each feature selection method is coupled with a different algorithm, which helps achieve the goals. Algorithms with built-in feature selection strategies implement it. The features are chosen by selecting those that improve the model’s accuracy. It performs feature selection and classification operations concurrently [155]. L1 (LASSO) regularisation and DT are two examples of this approach.

Fig. 7 Embedded-based feature selection method

Discussion: Various researchers have used feature selection algorithms such as IG, PCA, genetic, greedy, and Chi-square test to obtain a reduced feature set. Table 5 presents the State-of-the-Art feature selection algorithms performed on a public dataset or self-generated dataset to select best features for DDoS attack detection. It can be inferred from the table that most of the researchers have used features from the public dataset for applying feature selection algorithms. In contrast, only two researchers have used self-generated SDN-based datasets. Applying feature selection algorithms on SDN-based datasets is essential in detecting DDoS attacks. As presented in Sect. 6, there is a dire need to generate SDN-based datasets because so few are available. The challenge is to have the best feature set obtained from SDN-based dataset so that detection of DDoS attacks can be done in less time with higher accuracy. Therefore, generating an SDN-based dataset based on certain features and then applying feature selection algorithms to obtain the best and optimal feature set would prove beneficial to the researchers in detecting DDoS attacks. Detection features used by researchers for their work are presented in Table 6.

8 DDoS Detection Solutions Using Machine Learning

8.1 Supervised Machine Learning Solutions

ML algorithms for detecting DDoS attacks have been proven efficient by various researchers. This section analyses various supervised ML algorithms to detect DDoS attacks. Table 7 summarises the different supervised ML solutions for DDoS attack detection.

Kokila et al. [116] in their work used SVM classifier on DARPA [56] dataset for the detection of DDoS attacks. They compared their work with other NB, Bagging, RF, J48, and RBF classifiers and found that SVM gives high accuracy of 95.11% and a low FPR of 0.008. However, they have performed offline testing of their model. The performance of their work during online implementation cannot be predicted. Li et al. [130] also used SVM classifier in their work for detecting DDoS attacks. They improved their work by applying a genetic algorithm to SVM and obtained true negative of 0.35% and false negative of 0%. This was done to increase the performance, but the genetic algorithm learns quite slowly, prolonging the model’s training period.

Meitei et al. [148] performed the detection of DNS amplification attacks using DT, MLP, NB, and SVM algorithms. DT performed best with high accuracy, true positive rate and FPR of 99.3%, all of the same value. Feature selection algorithms such as the Chi-Square test, IG, and GR are applied to obtain a reduced feature set of the dataset. It is observed that when ML algorithms are applied on a reduced set, performance declines slightly. Cui et al. [52] detected DDoS attack using neural network. They performed their experiment using a mininet emulator and RYU controller. Their model obtained CPU utilisation ratio of 5.5% and mean response time of 1 s, thereby decreasing the load on the controller. However, it was found that the TFN2K tool used to generate traffic is not in use nowadays. Similarly, Barki et al. [27] used NB, K-means, KNN, and K-medoids algorithms to identify DDoS attack traffic. NB performed best with high accuracy of 94%, but its training time is 11.8 s, which is higher than other algorithms.

A technique named FADM by Hu et al. [90] for protecting against DDoS attacks was presented. FADM exhibits high performance and lightweight qualities. Detection and mitigation are performed by an application created in the POX controller. The SDN controller analyses the network traffic data in FADM by the sFlow approach. The suggested method collects enough information to maintain the desired accuracy. For large traffic rates, it cannot acquire all of the information. The obtained data is used to extract network characteristics. The mitigation module is reliant on the migration of traffic and white-list. An entropy-based technique is used for assessing network characteristics, and SVM is used to detect DDoS assaults. Combining the suggested methodology with the other approaches can improve the responsiveness and efficiency of threat detection. The results of the experimental assessment show that their method can efficiently perform detection at a rate of 100%. Furthermore, FADM can restore the network in relatively less time. However, SYN flood attacks take longer to recover than other flooding attacks.

Meti et al. [149] used three ML methods, SVM, NB, and Neural network, to detect TCP SYN flood attacks. They calculated accuracy, precision, and recall for all three algorithms. SVM performed best with accuracy, precision and recall of 80%, all of the same value. However, their method demands high computation overhead at the controller. Chen et al. [45] developed an SDN-based detection method for


Table 5 Analysis of feature selection algorithms performed on dataset

| Year and Refs. | Dataset used | No. of features | Feature selection algorithms | Reduced features for attack detection |
|---|---|---|---|---|
| 2016, [148] | SimpleWeb [209], CAIDA [38] | 8 | IG, Gain Ratio, Chi-Square test | 4 |
| 2017, [16] | NSL-KDD [226] | 41 | Genetic | 16 |
| | | | Ranker | 17 |
| | | | Greedy | 11 |
| | | | Proposed Algorithm | 25 |
| 2018, [260] | KDD-Cup99 [101] | 41 | Based on OpenFlow characteristics | 8 |
| 2018, [154] | NSL-KDD [226] | 41 | Genetic, Ranker, Greedy | 25 |
| 2018, [126] | NSL-KDD [226] | 41 | PCA | 9 |
| 2020, [137] | CIC-IDS2018 [43] | 84 | Chi-Square test | 67 |
| 2021, [198] | Kaggle-DDoS attack network logs [241] | 28 | Chi-Square test | 2 |
| 2021, [263] | CICDoS2017 [40], CICDDoS2019 [39] | 20 | PCA | 15 of both datasets |
| 2021, [229] | Dataset by [162] | 22 | NCA | 14 |
| 2021, [99] | self-generated | 7 | ANOVA-F test | 2 |
| 2021, [7] | self-generated | 31 | Genetic | 11 |
| 2021, [180] | self-generated | 42 | Autoencoder | – |
| 2021, [188] | KDD-Cup99 [101] | 41 | SMCA | 9 |
| 2021, [120] | CICDDoS2019 [39] | 84 | Correlation coefficient | 18 |
| 2022, [200] | InSDN [71], CIC-IDS2017 [41], CIC-IDS2018 [43] | 48 | IG, RF | 10 |

DRDoS attack. The SDN controller is deployed with a detection module to detect the attack. This module includes a traffic surveillance tool as well as an ML classifier. Netmate tool collects network traffic, and SVM categorises traffic into malicious or benign. The classifier provides high accuracy of 99.99% in detecting the attacks. However, they did not discuss performance based on FPR and processing overhead. Similar work was done by Oo et al. [170] with the ASVM algorithm for detecting DDoS attacks. They tested their approach using hierarchical task analysis and obtained a quicker detection rate of 100% and low FAR of 0.65 compared to the SVM technique. They did not, however, test on SDN network.

Alshamrani et al. [16] proposed their best subset feature selection method for selecting a reduced feature subset of a dataset and compared the performance with other feature selection methods such as greedy, genetic, and Ranker’s algorithm. Their method selected 25 features from NSL-KDD dataset, which had 41 features [226]. They detected DDoS attacks using three classification algorithms SMO, J48, and NB. SMO performed with high detection accuracy of 99.4% as compared to other algorithms. They also mitigated two new attacks: a newflow attack and a misbehaviour attack. However, the ease of use of the features is not considered in the SDN network.

Liu et al. [134] used a C-SVM classifier to detect IP spoofing by attackers and obtained an accuracy of 96.5%. The attack flows are dropped based on the IP address of the attacker or by observing their previous activity. However, in source spoofing, such IP-based source identification is ineffective. Similarly, Guozi et al. [79] used KNN for DDoS attacks and flash events detection. Their model performed with low FPR of 0.021 and high detection rate of 0.921 as compared to SVM algorithm. However, they considered only a few features for their detection, and their solution works with data that are not from the same network.

Yang and Zhao [260] detected DDoS attacks using SVM classifier, and it was implemented as a DDoS detection module on the campus network’s emulated SDN network. Their method produced an accuracy of 99.8%. However, the proposed system must be retrained when any new flow cannot be determined, which is time-consuming. Similarly, DDoS assaults (UDP, ICMP, HTTP, TCP and Smurf) were detected in SDN networks by Dayal and Srivastava [61] using the RBF-PSO approach. They detected attacks with reduced training time using a self-generated dataset. Claranet topology was used to generate the dataset comprising six features. They obtained 99.83% accuracy for their proposed approach.

Mohammed et al. [154] created a server application for the mitigation of SYN flood attacks. Their application consists


Table 6 Researchers’ methods for spotting DDoS attacks include the following

| Refs. | Features taken for detection |
|---|---|
| [90] | Source IP address, source port number, destination IP address, and destination port number entropy |
| [261] | The features include source IP addresses/unit time, source ports/unit time, flow packet standard deviation, flow byte standard deviation, flow entries/unit time, and interactive flow entry ratio to total flow entries |
| [147] | The features consist of entropy values for source IP address, source port number, destination IP address, packet type, and destination port number, along with the occurrence rate of packet types and the number of packets |
| [229] | The features encompass packets per flow, bytes per flow, packet rate, packet_in message count, total duration, bytes received on the switch port, bytes transferred from the switch port, packet count, total flow entries, data transfer rate, data receiving rate, port bandwidth, duration in seconds, byte count, switch ID, duration in nanoseconds, source IP, destination IP, port number, and monitoring interval |
| [187] | Total amount of packets received, total amount of bits, source port, destination port, source IP address, destination IP address |
| [4] | datapath-id, source and destination IP addresses, packet and byte counts, duration in seconds, packetins, port number, and the number of bytes delivered on a particular switch port, Protocol, packet rate, A switch’s overall number of flows; duration: time during which the flow remains in the switch; total duration: total sum of dur_sec and dur_nsec; tx_kbps: kilobytes transferred per second; rx_kbps: kilobytes received per second; tot_kbps: bandwidth of a switch port; Average Packet count per flow; Average Byte count per flow; Port bandwidth: sum of received bytes rx_bytes (r) and transmitted bytes tx_bytes (t) |
| [19] | The features include packet length, average bytes per flow, frames per second, flows per second, entropy of destination IP addresses per second, entropy of source IP addresses per second, entropy of IP protocol per second, packet variation in flow, packet count per source, and byte count per source |
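
The entropy features that Table 6 lists for [90] (source and destination IP address and port) can be computed per window of flow records as sketched below. This is an added example, not code from any surveyed paper: the flow records are constructed, and a mean/standard-deviation band learned from benign windows stands in for the SVM that the surveyed works train on such features; the window size, `STD_FLOOR` and `K_SIGMA` are assumptions.

```python
import math
import random
import statistics
from collections import Counter

# Header fields whose entropy Table 6 lists for [90].
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port")
STD_FLOOR = 0.02  # assumption: floor on baseline spread, avoids alarms on noise
K_SIGMA = 3.0     # assumption: alarm distance in (floored) standard deviations


def normalised_entropy(values):
    """Shannon entropy of the observed values, scaled to [0, 1].

    Dividing by log2(n) makes windows of different sizes comparable:
    1.0 means every observation is distinct, 0.0 means a single value.
    """
    counts = Counter(values)
    n = sum(counts.values())
    if len(counts) < 2:  # empty or single-valued window has no spread
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def window_features(flows):
    """One feature vector per window: entropy of each field in FIELDS."""
    return [normalised_entropy([f[name] for f in flows]) for name in FIELDS]


def fit_baseline(benign_windows):
    """Per-feature (mean, floored std) learned from benign windows only."""
    columns = zip(*(window_features(w) for w in benign_windows))
    return [(statistics.mean(c), max(statistics.pstdev(c), STD_FLOOR))
            for c in columns]


def deviating_features(flows, baseline):
    """Names of the fields whose entropy left the benign band."""
    feats = window_features(flows)
    return [name
            for name, value, (mean, std) in zip(FIELDS, feats, baseline)
            if abs(value - mean) > K_SIGMA * std]


def benign_window(rng, n=200):
    """Constructed benign traffic: 40 clients talking to 5 servers, 4 services."""
    clients = [f"10.0.0.{i}" for i in range(1, 41)]
    servers = [f"10.0.1.{i}" for i in range(1, 6)]
    return [{"src_ip": rng.choice(clients),
             "src_port": rng.randint(1024, 65535),
             "dst_ip": rng.choice(servers),
             "dst_port": rng.choice((22, 53, 80, 443))}
            for _ in range(n)]


def spoofed_flood_window(rng, n=200):
    """Constructed flood: random (spoofed) sources, one destination and port."""
    return [{"src_ip": ".".join(str(rng.randint(1, 254)) for _ in range(4)),
             "src_port": rng.randint(1024, 65535),
             "dst_ip": "10.0.1.1",
             "dst_port": 80}
            for _ in range(n)]


def demo(seed=7):
    """Return the deviating fields for a held-out benign and a flood window."""
    rng = random.Random(seed)
    baseline = fit_baseline([benign_window(rng) for _ in range(30)])
    return (deviating_features(benign_window(rng), baseline),
            deviating_features(spoofed_flood_window(rng), baseline))


if __name__ == "__main__":
    benign, flood = demo()
    print("benign window deviates on:", benign)
    print("flood window deviates on: ", flood)
```

Source-port entropy stays inside the benign band here because ephemeral ports are already close to uniformly random in normal traffic, which is why it adds little on its own for this kind of flood.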

of three modules. The authorisation module verifies the controller’s ability to submit requests to the server, the prediction module uses NB classifier to predict attacks, and the wrapper module implements wrappers in different programming languages. NSL-KDD dataset [226] was taken for training the NB classifier. They used three feature selection methods, genetic, greedy, and Ranker algorithms, to select optimal dataset features. They obtained 98% accuracy, precision and recall for their work. However, they did not mention the train and test split ratio taken for classification with the NB algorithm.

Sahoo et al. [194] applied seven ML classifiers, KNN, NB, LR, RF, DT, ANN, on the dataset created by Alkasassbeh et al. [15] for the prediction of UDP and ICMP flood attacks. Linear Regression performed well with high accuracy of 98.65% among the seven classifiers, while NB performed with 97.64% accuracy. However, better results could be obtained for UDP and Smurf attacks. Due to its high accuracy and detection rate, many researchers have widely used the SVM classifier over recent years to detect DDoS attacks on different datasets. The research works of [7, 14, 21, 45, 51, 90, 104, 118, 122, 124, 134, 147, 188, 193, 62, 249, 258, 260, 261] all have used SVM classifier in their work to detect DDoS attacks. Similarly, some researchers such as [69, 231, 230] have utilised the benefits of the KNN classifier for the detection of DDoS attacks and compared their performance with other classifiers.

Chen et al. [46] employed XGBoost classifier on KDD-CUP99 dataset [101] to detect flooding attacks. They compared the performance of the XGBoost classifier with other classifiers SVM, GBDT and RF. XGBoost outperforms all other classifiers with 98.53% accuracy, 11.07 s training time and false-positive rate of 0.008. Shafi et al. [203] used MLP, RNN and Alternate DT classifiers on the UNSW-NB15 [235] intrusion detection dataset for identification of attack. They performed their experiment on the RYU controller. For 1000 packets, collocated fog showed 0 packet delay compared to cloud network.

Myint Oo et al. [159], in their work, used the ASVM technique to detect malicious (UDP and SYN Flood) and normal flows in the network and obtained 97% accuracy. They created their testbed using Mininet and OpenDaylight controller and collected the traffic data, naming it SDNTrafficDS. Their work fared better with less training time of 50 s and testing time of 55 s, but they were threatened by bandwidth saturation.

The RYU controller was used to handle DDoS attack by Rahman et al. [186]. They employed the J48 classification method, directing the controller to block the specified port.


Fig. 8 Taxonomy of different ML and DL algorithms

J48 obtained an accuracy of 100% when compared to other classifiers. However, the port is disabled for only 30 s making the network vulnerable. Furthermore, the time necessary to identify attacks has increased, adding to the system’s complexity.

Santos et al. [199] designed an SDN testbed for generating attack traffic for assessing the efficacy of multiple ML algorithms, including RF, SVM, DT, and MLP. To simulate the SDN network, Mininet and POX controller were utilised. Best results are obtained with RF achieving high accuracy of 100%, and less processing time of 10 s is obtained with DT in detecting bandwidth attack, controller attack, and flow-table attack. Similarly, Perez-Diaz et al. [175] tackled low rate DDoS attack in SDN environment. They trained IDS using ML algorithms J48, REP tree, MLP, RF, SVM and RT. They used the Mininet emulator and ONOS controller to perform their experiment on the CICDoS2017 dataset [40]. MLP algorithm performed best with an accuracy of 95%.

Polat et al. [179] performed DDoS attack detection using NB, KNN, SVM and ANN algorithms. They chose the best features from a set of 12 using three feature selection strategies: filter, wrapper and embedded-based techniques. They achieved the highest accuracy of 98.3% with the wrapper-based feature selection strategy and the KNN classifier. However, testing time evaluation of the algorithms in relation to obtained accuracy was not done by them.

Luong et al. [137] performed detection of DDoS attacks using SVM, NB, DT, RF classifiers and deep neural network. They used the Chi-Square test feature selection method for selecting 67 features out of 84 features of the CIC-IDS2018 dataset [43]. However, more feature selection methods could be performed to get the best feature dataset. DT gave an accuracy of 99.97% but during the simulation, DT was unable to detect abnormal traffic. The results obtained by SVM and DNN outperform other classifiers during simulation in detecting attack traffic. Similar work was performed by Cheng et al. [47] for DDoS attack detection using RF, NB, SVM and KNN classifiers. RF classifier performed best with accuracy of 91%, precision of 95%, recall of 94% and f1-score of 94%.

Work by Abou El Houda et al. [2] detects and mitigates DNS amplification attack using Bayes classifier effectively with high detection rate of 100%, less FPR of 21%, and low


Table 7 Supervised machine learning solutions for DDoS attack detection in SDN

| S. no. | Refs. | Attack plane | Dataset used | Detection algorithms | Scope | Performance metrics |
|---|---|---|---|---|---|---|
| 1 | Kokila et al. [116] | Control | DARPA [56] | SVM | Detection | Accuracy, FPR, Training time |
| 2 | Mihai-Gabriel and Victor-Valeriu [151] | Data | Self-generated | BPNN | Mitigation | Risk assessment |
| 3 | Li et al. [130] | – | DARPA-IDS [55] | SVM | Detection | True Negative, False Negative |
| 4 | Meitei et al. [148] | Data | SimpleWeb [209], CAIDA [38] | DT, MLP, NB, SVM | Detection | Accuracy, TPR, FPR |
| 5 | Cui et al. [52] | Data | Self-generated | BPNN | Detection, Mitigation | Response time, utilisation ratio, network load |
| 6 | Barki et al. [27] | Data | Self-generated | NB, K-means, KNN, K-medoids | Detection | Detection rate, Processing time |
| 7 | Wang et al. [249] | Data | KDD1999 [101] | SVM | Detection, Mitigation | Accuracy |
| 8 | da Silva et al. [62] | Data | Self-generated | SVM | Detection, Mitigation | Accuracy, Processing time, F-measure, Sensitivity, Specificity |
| 9 | Nanda et al. [161] | Data | LongTail [136] | C4.5, BayesNet, DT, NB | Detection | Accuracy |
| 10 | Hu et al. [90] | Data | Self-generated | SVM | Detection, Mitigation | Detection rate, FAR |
| 11 | Meti et al. [149] | Data | Public dataset | SVM, NB, Neural Network | Detection | Accuracy, Precision, Recall |
| 12 | Chen et al. [45] | Data | Self-generated | SVM | Detection | Accuracy, Detection time |
| 13 | Oo et al. [170] | – | Self-generated | ASVM | Detection | FAR, Detection rate, Training and Testing time |
| 14 | Alshamrani et al. [16] | Data | NSL-KDD [226] | SMO, J48, NB | Detection, Mitigation | Precision, Recall, F1 score |
| 15 | Liu et al. [134] | – | DARPA 1999 [125], CAIDA 2007 [36] | SVM | Detection | Accuracy |
| 16 | He et al. [88] | Data | KDDCUP99 [101] | SVM, DT, RF, Extra Trees, AdaBoost | Detection, Mitigation | Accuracy |
| 17 | Gharvirian and Bohlooli [78] | Data | Self-generated | NN | Detection | Accuracy, Detection rate, FAR |
| 18 | Guozi et al. [79] | Data | Self-generated | KNN | Detection | TPR, FPR, F1 Score |
| 19 | Yang and Zhao [260] | Data | KDDCUP99 [101] | SVM | Detection | Accuracy |
| 20 | Dayal and Srivastava [61] | Data | Self-generated | RBF-PSO | Detection, Mitigation | Network load |
| 21 | Mohammed et al. [154] | Data | NSL-KDD [226] | NB | Detection, Mitigation | Precision, Recall, F1 Score, CPU usage |
| 22 | Sahoo et al. [194] | Data | Dataset by Alkasassbeh et al. [15] | KNN, NB, SVM, LR, RF, DT, ANN | Detection | Accuracy, Precision, Recall |
| 23 | Ye et al. [261] | Data | Self-generated | SVM | Detection | Detection rate, FAR |
| 24 | Chen et al. [46] | Data | KDDCUP99 [101] | XGBoost | Detection | Accuracy, FPR, Training time |
| 25 | Gao et al. [77] | Data | DARPA IDS [55] | Bayesian network | Detection, Mitigation | CPU usage, Accuracy |
| 26 | Cui et al. [53] | Data | – | BPNN | Detection | Accuracy, Recall |
| 27 | Prakash and Priyadarshini [182] | Data | Self-generated | NB, KNN, SVM | Detection | Accuracy, Precision, Recall, F-score |
| 28 | Singh et al. [212] | Data | Self-generated | SVM, DT, Gradient boosting, RF, KNN, LR, NB, NN | Detection | Accuracy, TPR, FPR |
| 29 | Latah and Toker [126] | Data | NSL-KDD [226] | DT, ELM, NB, LDA, NN, SVM, RF, KNN, AdaBoost, RUSBoost, LogitBoost, BaggingTrees | Detection | Accuracy, FAR, Precision, Recall, F-measure, Execution time, McNemar’s test |
| 30 | Shafi et al. [203] | Data | UNSW-NB15 [235] | MLP, RNN, DT | Detection, Mitigation | Network delay, Throughput, Fairness |
| 31 | Myint Oo et al. [159] | Data | SDNTrafficDS [159] | ASVM | Detection | FAR, Detection rate, Accuracy |
| 32 | Rahman et al. [186] | Data | Self-generated | J48, RF, SVM, KNN | Detection, Mitigation | Accuracy, Specificity, Sensitivity, Kappa, Precision, Recall, F1 Score, Training and Testing time |
| 33 | Dong and Sarem [69] | Data | Self-generated | KNN | Detection | TPR, FPR, Precision, Recall, F1 Score |
| 34 | Cui et al. [51] | Data | CAIDA DDoS [36] | SVM | Detection | Detection rate, FPR |
| 35 | Tuan et al. [231] | Data | CAIDA DDoS [36] | KNN | Detection, Mitigation | Accuracy, Precision, Recall, F1 Score |
| 36 | Mehr and Ramamurthy [147] | – | Self-generated | SVM | Detection, Mitigation | Throughput |
| 37 | Wang et al. [244] | Control | Self-generated | BPNN | Detection, Mitigation | Controller response time, Flow setup time, CPU usage rate |
| 38 | Liu et al. [133] | Data | Self-generated | NN | Detection | FAR, Detection rate |
| 39 | Zhijun et al. [267] | Data | CAIDA DDoS [36] | Factorisation Machine | Detection | Accuracy, Precision, Recall, Training time |
| 40 | Santos et al. [199] | Data | Self-generated | SVM, MLP, DT, RF | Detection, Mitigation | Accuracy, Processing time |
| 41 | Perez-Diaz et al. [175] | Data | CICDoS2017 [40] | J48, MLP, SVM, RF, REP Tree, RT | Detection, Mitigation | Accuracy, Recall, Precision, F-measure, FAR |
| 42 | Polat et al. [179] | Data | Self-generated | SVM, KNN, NB, ANN | Detection | Accuracy, Sensitivity, Specificity, Precision, F1 Score |
| 43 | Tuan et al. [230] | Data | Self-generated | KNN | Detection, Mitigation | Accuracy, Precision, Recall, F1 Score |
| 44 | Kumar Singh [122] | Data | Self-generated | SVM | Detection, Mitigation | Accuracy, Detection rate |
| 45 | Luong et al. [137] | Data | CIC-IDS2018 [43] | SVM, NB, DT, RF, DNN | Detection, Mitigation | Accuracy, Precision, Recall, F1 Score |
| 46 | Kyaw et al. [124] | Data | KDD-CUP99 [101] | SVM | Detection | Accuracy, FAR, Detection rate, Precision |
| 47 | Cheng et al. [47] | Data | Self-generated | RF, SVM, KNN | Detection | Accuracy, Precision, Recall, F1 Score |
| 48 | Ali et al. [14] | – | DARPA [54, 56] | SVM | Detection | Accuracy, Training time, FPR |
| 49 | Aslam et al. [21] | – | Environment-specific dataset | SVM | Detection, Mitigation | Accuracy, F1 Score |
| 50 | Sahoo et al. [193] | Data | Dataset by Alkasassbeh et al. [15] | SVM | Detection, Mitigation | Accuracy, Precision, Recall |
| 51 | Abou El Houda et al. [2] | Data | Self-generated | Bayes Network | Detection, Mitigation | Detection rate, FPR |
| 52 | Le et al. [127] | Data | Self-generated | RF, DT, NB, SVM, MLP, KNN | Detection | Accuracy, Processing time |
| 53 | Musumeci et al. [157] | Data | Self-generated | RF, KNN, SVM | Detection | Accuracy, Testing time, Training time |
| 54 | Shohani and Mostafavi [208] | Data | Public dataset | LR | Detection | Entropy |
| 55 | Hannache and Batouche [87] | Data | Self-generated | NN | Detection, Mitigation | Accuracy, Recall, Precision, F-score |
| 56 | Dehkordi et al. [66] | Data | CIC-IDS2017 [41], CTU-13 [42], ISOT [92] | BayesNet, J48, RT, LR, REPTree | Detection | Accuracy, Precision, Recall, F1 Score, TPR, FPR |
| 57 | Yungaicela-Naula et al. [263] | Data | CIC-DoS2017 [40], CIC-DDoS2019 [39] | SVM, KNN, RF | Detection | Accuracy, Precision, Recall, F1 Score |
| 58 | Sanjeetha et al. [198] | Data | Kaggle-DDoS attack network logs [241] | Catboost, XGBoost, LR, GNB, DT | Detection, Mitigation | Accuracy, Precision, Recall, Training time |
| 59 | Jose et al. [99] | Data | Self-generated | LR, NB, LDA, KNN, RF, SVM | Detection | Accuracy, Recall, Precision, F1 score |
| 60 | Sangodoyin et al. [197] | Data | Self-generated | GNB, QDA, k-NN, CART | Detection | Accuracy, Recall, Training time |
| 61 | Khashab et al. [111] | Data | Self-generated | SVM, LR, KNN, DT, NB, RF | Detection, Mitigation | Accuracy, Recall, Specificity, Precision |
| 62 | Ahuja et al. [4] | Data | Self-generated | SVC-RF | Detection | Accuracy, Sensitivity, Specificity, Precision, F1-score |
| 63 | Banerjee and Chakraborty [25] | Data | Kaggle dataset [67] | NB, KNN, K-means, Linear Regression | Detection, Mitigation | Efficiency |
| 64 | Tan et al. [222] | Data | Self-generated | RF | Detection, Mitigation | Accuracy, Detection rate, FAR |
| 65 | Swami et al. [220] | Data | Self-generated | DT, RF, AdaBoost, MLP, LR | Detection | Accuracy, Precision, Recall, F1 Score, FPR |
| 66 | Pradeepa and Pushpalatha [181] | Data | Self-generated | CAD, SAE, SVM | Detection, Mitigation | Accuracy |
| 67 | Gadallah et al. [75] | – | Self-generated | SVM, NB, KNN, DT, RF | Detection, Mitigation | Accuracy, Recall, F1 Score, FPR, Precision |
| 68 | Tonkal et al. [229] | Data | Dataset by Nisha Ahuja [162] | KNN, DT, ANN, SVM | Detection | Accuracy, Sensitivity, Specificity, Precision, F1 Score |
| 69 | Yadav et al. [258] | Data, Control | Self-generated | SVM | Detection, Mitigation | Accuracy |
| 70 | Kotb et al. [118] | Data | Self-generated | SVM | Detection | Delay, Bandwidth, Accuracy |
| 71 | Tayfour and Marsono [227] | Data | InSDN2020 [71], CICIDS2017 [41], NSL-KDD [226], UNSW-NB15 [235] | Ensemble of NB, KNN, DT, ET | Detection, Mitigation | Accuracy, Precision, Recall, TPR, FPR, F1 Score |
| 72 | Nurwarsito and Nadhif [169] | Data | Self-generated | RF | Detection, Mitigation | CPU usage, Accuracy, FPR, Detection time, Mitigation time |
| 73 | Revathi et al. [188] | Data | KDDCUP99 [101] | SVM | Detection, Mitigation | Accuracy, Precision, Recall, F-measure |
| 74 | Aslam et al. [20] | Data | Environment specific dataset | SVM, NB, KNN, RF, LR, Ensemble voting | Detection, Mitigation | Accuracy, Precision, Recall, F-measure |
| 75 | Khedr et al. [112] | Data | Edge-IIoTset [73] | SVM, GNB, KNN, RF, DT, Binomial LR | Detection, Mitigation | Accuracy, Recall, F-measure |

overhead. However, their method collects a significant quantity of recurring and normal traffic. The sampling strategy may overlook vital traffic data, leading to late detection and reaction to an assault. Dehkordi et al. [66] deployed ML algorithms such as BayesNet, REP tree and RT on ISOT [92], UNB-ISCX [235] and CTU-13 [42] datasets to detect DDoS attacks. Their proposed method gave highest accuracy of 99.12% on CTU-13 dataset.

Yungaicela-Naula et al. [263] in their work used supervised ML classification algorithms such as SVM, RF, and KNN and DL algorithms to detect application layer and transport layer DDoS attacks. Their experiment was carried out using an ONOS controller and a Mininet emulator. They worked on the CICDoS2017 [40] and CICDDoS2019 [39] datasets containing 76 features. The ML models gave an accuracy of more than 90%, and DL models gave an accuracy


of around 98% for both datasets. However, their work did not perform better when the network topology was modified.

Sanjeetha et al. [198] proposed a detection and mitigation application on the RYU controller to tackle UDP flood attacks. They considered two features, packet_rate and byte_rate after the feature extraction process from Kaggle-DDoS attack network logs [241] dataset containing 26 features. The detection was performed using several ML algorithms, out of which CatBoost algorithms performed better with 98% accuracy and training time of 119 s. However, the two features taken do not qualify for attack detection as more features can affect the performance. Their experiment performs for only RYU controller and UDP flood attack. The results might change when the controller and attack are changed.

Jose et al. [99] performed feature selection method by ANOVA-F test method on seven features to choose the two best features for DDoS detection using LR, NB, LDA, KNN, SVM, and RF classifiers on their own generated SDN dataset. The results obtained by SVM and LDA outperform other classifiers in detecting DDoS attacks with an accuracy of 99.98% and 99.87%, respectively. However, only two features selected alone do not qualify for detecting DDoS attacks. Similarly, Sangodoyin et al. [197] also detected DDoS attacks using GNB, CART, QDA and KNN classifiers. CART algorithm performs best in terms of 98% accuracy and 12.4 ms training time in detecting attacks. However, feature selection methods could have been used for better results. Prakash and Priyadarshini [182], Le et al. [127] and Khashab et al. [111] also used supervised ML algorithms such as KNN, LR, SVM, DT, RF and NB classifiers for the detection of DDoS attack. They performed their work on a self-generated dataset.

Ahuja et al. [4] detected DDoS attacks by proposing a hybrid ML model of SVM and RF classifiers (SVC-RF). They created their SDN traffic dataset containing 23 features to identify the traffic. The proposed method performs with high accuracy of above 98% and less FPR of 0.020. Banerjee and Chakraborty [25] also proposed IDS to identify attackers using NB, K-means clustering, KNN and Linear regression algorithms. KNN performs best with high detection rate of 96.65%.

Tayfour and Marsono [227] used a voting classifier to create an ensemble of NB, KNN, DT, and ET for DDoS attacks detection on four publicly available datasets [71, 206, 226, 235]. They also performed simulations on SDN traffic using mininet and RYU controller and evaluated the results. They used Redis Simple Message Queue (RSMQ) technique to minimise the load on a single controller and increase detection and mitigation performance on multi-controllers. ET classifier obtained high TPR of 0.985 and low FPR of 0.008 compared to other classifiers. However, they did not use feature selection methods to reduce the features of four datasets taken to increase detection accuracy.

Swami et al. [220] identified TCP-SYN flood attacks on their self-generated dataset. LR, DT, MLP, RF and AdaBoost algorithms were used in their work. At different traffic rates, the impact of the assault on the controller’s CPU was investigated. The findings revealed that the packet arrival rate was closely related to the controller’s CPU use. The proposed methodology achieved 0% FPR with 99.9% accuracy.

Gadallah et al. [75] proposed a detection and mitigation mechanism for detecting a DDoS attack. The model was trained using the kernel radial basis function of SVM classifier. The results were compared with other classifiers NB, KNN, DT, and RF and the results showed that SVM performed best among them with 99.84% accuracy and false-positive rate of 0.21. The authors collect attack traffic using the Scapy tool but have not performed results on any particular DDoS attack apart from IP spoofing.

Tonkal et al. [229] used KNN, DT, SVM, and ANN classifiers to detect ICMP, UDP and TCP flooding attacks. SDN dataset generated by [162] was used in their work. The results demonstrate that DT outperforms the others with 99.82% accuracy. They utilised the NCA method to choose 14 features from a dataset of 22 features. The experiment, however, might be carried out with various attacks.

To identify flooding attacks, Kotb et al. [118] introduced SGuard (secure guard). They employed a five-tuple feature with an SVM classifier to categorise attack traffic and obtained average accuracy of around 99%. Another work by Pradeepa and Pushpalatha [181] used Intelligent Proactive Routing (IPR) model for the detection and mitigation of UDP flood and SYN flood attacks. They compared their model’s performance to that of other detection models such as SVM, CUSUM abnormal Detection (CAD) and Stacked Autoencoder (SAE). The IPR model performed with less detection time and obtained an accuracy of 99% compared to SAE, SVM and CAD. Aslam et al. [20] utilised SVM, NB, RF, KNN, LR and ensemble voting classifiers in their proposed framework to detect DDoS attack on an environment specific dataset. Ensemble voting classifier fared best with accuracy of 98.5%, precision of 98%, f-score of 95% and recall of 96.5% for 30,000 test flows. Khedr et al. [112] detected DDoS attack on Edge-IIoTset [73] dataset using SVM, KNN, Binomial LR, GNB, DT and RF classifiers. RF performed best with 99.79% accuracy, 99.77% recall and 99.43% f-score. They performed their experiment on IoT network topology and POX controller.

Discussion: The research works of the past 8 years listed in this section employ supervised algorithms mainly SVM, KNN, MLP, NB, RF, DT, ANN, K-means, J48, RBF-PSO, AdaBoost, ET, XGBoost, LR, and Gradient Boosting to detect DDoS attack in SDN networks. It is observed that


SVM has been applied by most of the researchers while during result analysis MLP and RF outperformed other algorithms in detecting DDoS attacks. It is also observed that most of the researchers focused only on accuracy for result analysis. Very few research works have done testing time analysis of DDoS attacks. Some of the research works perform offline testing on publicly available datasets such as CAIDA, DARPA, KDD-CUP99, LongTail, SimpleWeb, UNSW-NB15, SDNTrafficDS, CICDoS2017, CIC-IDS2018, CTU-13, CICDDoS2019, Kaggle, InSDN, and CICIDS2017 to perform detection using ML algorithms. Due to the lack of standard datasets available for SDN networks, many researchers have generated their datasets and performed detection using ML algorithms. Figure 8 gives a comprehensive insight into the distribution of different ML and DL algorithms considered in this survey.

8.2 Unsupervised Machine Learning Solutions

Lee et al. [128] detected DDoS attacks using hierarchical cluster analysis. They used DARPA 2000 intrusion detection dataset [56] for their work and identified six clusters considering nine features. Their proposed clustering outcome is dependent on the initial working feature vector, which cannot be altered throughout the clustering process after it has been calculated. In reality, each feature’s contribution to the clustering outcome may differ, and there may be a mutual effect among the characteristics. In response to a specific DDoS assault, if the functional feature vector is optimised by deleting repeated features, the potential disruption among features is avoided, and the performance of the clustering method is increased by lowering dimensionality and eliminating unnecessary data.

Braga et al. [32] used a popular method known as self-organising Maps for DDoS attacks detection in the NOX controller SDN environment. They have collected six traffic flow features using the flow collector module. A flow collector module collects the characteristics and then provides them to the classifier module to identify fraudulent flows. For flow analysis, a self-organising map is employed. The approach incurs negligible overhead compared to conventional alternatives since it takes advantage of SDN’s potential for software-based traffic monitoring. Nonetheless, this study reveals that DDoS assaults may be detected with high detection rate of 98.61% and low FAR of 0.59. Furthermore, the flow collector module overlooked the controller overhead produced by accumulating the flow table entries for each switch. Similarly, Xu and Liu, 2016 [257] also used self-organising Maps to detect DDoS attack.

Ahmed et al. [3] proposed the Dirichlet process mixture model clustering method for distinguishing between normal and malicious DDoS traffic for mitigating DNS amplification attacks. They compared their work with the traditional mean shift-based method and proved that their method was effective in mitigating DNS-based DDoS attacks. However, they obtained an accuracy of 75%. Similarly, Nam et al. [160] used self-organising maps and KNN for DDoS attacks detection. They experimented on CAIDA DDoS 2007 [36] dataset and POX controller. SOM performed better in their work with low processing time of 0.004 ms.

KMeans++ and fast K-nearest neighbours were used to develop a detecting system named K-FKNN in the RYU controller by Xu et al. [254]. K-FKNN algorithm yields high precision of 97% compared to other algorithms. The results of their experiments reveal that their proposed approach is successful and that detection is quite stable. However, classifying and detecting the attack takes a long time, placing a heavy burden on the SDN resources. Similarly, AlMomin and Ibrahim [8] and Ramprasath and Seethalakshmi [187] used combination of two techniques to detect DDoS attacks. The former work uses entropy-PCA, while the latter uses the PSO-ACO technique and obtained 85% precision. They have compared their work with other ML algorithms and found that their work effectively detected and mitigated DDoS attacks compared to other works.

Polat et al. [180] applied ensemble model of softmax classifier and stacked sparse autoencoder (SSAE) to detect DDoS attack on SDN-based VANETs. Using the SUMO simulator, they performed their experiment on a POX controller and generated vehicular topology. They compared their results with SVM, KNN and DT classifiers and found that four-layer SSAE-Softmax classifiers yield better results with 96.9% accuracy than the remaining classifiers. Similarly Scaranti et al. [201] detected DDoS attacks using clustering approach by simulating 48 datasets. Their experiment yielded f-measure of 99.6%.

Table 8 summarises the unsupervised ML solutions for DDoS attack detection.

Discussion: It is observed that compared to supervised ML algorithms, unsupervised ML algorithms are emerging slowly in detecting DDoS attacks. From the year 2008 to 2023 we have listed 12 works of researchers that have applied SOM, graph-based clustering, entropy-PCA, SSAE, and PSO-ACO on either self-generated datasets or public datasets such as DARPA, ISCX2012, CTU-13, CAIDA, and NSL-KDD to detect DDoS attack in SDN environment.

8.3 Ensemble Machine Learning Solutions

Many researchers have used a combination of supervised and unsupervised ML techniques or two or more supervised ML techniques to detect DDoS attacks. Table 9 presents the ensemble ML solutions for DDoS attack detection in SDN.

Deepa et al. [64] designed a hybrid ML technique to safeguard the network against DDoS attacks. Their hybrid approach outperforms simple ML models in terms of high

Table 8 Unsupervised machine learning solutions for DDoS attack detection in SDN

| S. no. | Refs. | Attack plane | Dataset | Detection algorithms used | Scope | Performance metrics |
|---|---|---|---|---|---|---|
| 1 | Lee et al. [128] | Data | DARPA [56] | Cluster Analysis | Detection | Partitioning of cluster |
| 2 | Braga et al. [32] | Data | Self-generated | SOM | Detection | Detection rate, FAR |
| 3 | Xu and Liu [257] | Data | Self-generated | SOM | Detection | Accuracy |
| 4 | Ahmed et al. [3] | Data | ISCX2012 [207] | Clustering | Detection, Mitigation | Accuracy |
| 5 | Chowdhury et al. [48] | Data | CTU-13 [42] | Graph-based clustering | Detection | Bot detection |
| 6 | Nam et al. [160] | Data | CAIDA DDoS 2007 [36] | SOM, KNN | Detection, Mitigation | FPR, Detection rate, Processing time |
| 7 | Xu et al. [254] | Data | NSL-KDD [226] | K-Means++, K-FKNN | Detection, Mitigation | Precision, Recall, F-measure, Detection time |
| 8 | AlMomin and Ibrahim [8] | Data | Self-generated | Entropy-PCA | Detection | Accuracy |
| 9 | Ramprasath and Seethalakshmi [187] | Data | Self-generated | PSO-ACO | Detection, Mitigation | Precision, Recall, F-measure, FPR |
| 10 | Polat et al. [180] | Data | Self-generated | SSAE-Softmax | Detection | Accuracy, Sensitivity, Specificity, Precision, F-measure |
| 11 | Zhao et al. [265] | – | DDoS Attack 2007 [36] | SOM | Detection | Accuracy, Processing time |
| 12 | Scaranti et al. [201] | Data | Self-generated | Clustering | Detection | Accuracy, Recall, Precision, F-measure |

accuracy of 96.77%, low FAR of 0.032%, and high detection rate of 90.45%. They used SVM and Self-Organising Maps. By routing traffic through the SOM module, their model identified the attacks. To identify new sorts of assaults, traffic from the SVM module is sent again via the SOM module. When an attack is detected, the individual connection is terminated, and the table’s rules are modified.

Singh and Jayakumar [213] developed an ML-based “twin security model” that combines different information to achieve security in terms of DDoS attack detection in SDN. The detection is accomplished by combining SOM with an NB classifier, which forecasts attacks based on features. Kaur and Gupta [108] also employed Bayesian Network, Wavelets, SVM, and KNN. In comparison to the previous KNN technique, they suggested a unique hybrid strategy that employed artificial neural networks and SVM to mitigate these threats with better precision. The KDDCUP99 data [101] examined the clustered real-time data for the normal and abnormal flow. The average was determined to monitor the accuracy of the packet flow, and the growing complexity proved to be an ideal strategy that could be used even with noisy data. On the KDD dataset, it employs parameters such as accuracy, time duration, packet flow, and precision rate.

Deepa et al. [65] suggested an ensemble technique for detecting abnormal network traffic behaviour in the SDN controller. SOM, NB, KNN and SVM are used in the ensemble to improve efficiency. They used Mininet to validate their

Table 9 Ensemble Machine Learning solutions for DDoS attack detection in SDN

| S. no. | Refs. | Attack plane | Dataset | Detection algorithms used | Scope | Performance metrics |
|---|---|---|---|---|---|---|
| 1 | Deepa et al. [64] | Data | Self-generated | SVM, SOM | Detection | Accuracy, FAR, Detection rate |
| 2 | Singh and Jayakumar [213] | Data | Self-generated | SOM, NB | Detection | – |
| 3 | Kaur and Gupta [108] | Data | KDDCUP99 [101] | SVM, ANN | Detection | Accuracy, Precision |
| 4 | Deepa et al. [65] | Data | CAIDA [37] | KNN-SOM, NB-SOM, SVM-SOM | Detection | Accuracy, Detection rate, FAR |
| 5 | Phan and Park [176] | Data | CAIDA [37] | SVM-SOM | Detection, Mitigation | Accuracy, Detection rate, FAR |
| 6 | Firdaus et al. [74] | Data | InSDN [71] | K-Means++, RF | Detection | Accuracy, Precision, Recall, F-measure |
| 7 | Sen et al. [202] | Data | Self-generated | AdaBoost | Detection | Accuracy, Precision, Recall, F-measure |
| 8 | Tan et al. [221] | Data | NSL-KDD [226] | K-Means-KNN | Detection | Accuracy, Precision, Recall, FAR |
| 9 | Swami et al. [219] | Data | UNSW-NB15 [235], CICIDS2017 [41], NSL-KDD [226] | Voting-CMN, Voting-RKM, Voting-CKM | Detection | Accuracy, Precision, Recall, F-measure |
| 10 | Ahuja et al. [4] | Data | Self-generated | SVM-RFC | Detection | Accuracy, Precision, FAR, Specificity, F-measure |
| 11 | Tufa et al. [232] | Data | Self-generated | AdaBoost | Detection | Accuracy, Detection rate, FPR |
| 12 | Wang and Wang [245] | Data | CIC-IDS2017 [41], InSDN [71] | CNN-ELM | Detection, Mitigation | Accuracy |

technique. The authors integrated SVM-SOM, KNN-SOM, and NB-SOM and discovered that SVM-SOM had a greater accuracy of 98.14% and detection rate of 97.14%.

Phan et al. [176] created a one-of-a-kind DDoS assault defender that uses a hybrid ML approach and an upgraded History-based IP Filtering (eHIPF) technique rather than HIPF to enhance detection accuracy and traffic categorisation speed. As eHIPF initiates a threat, the mitigation system sends a flow mod signal with a drop action, causing all packets at the cloud’s edge to be dropped. They put up an experimental setting on the laboratory network to test their method.

Firdaus et al. [74] also developed ensemble ML approaches for DDoS attack detection. They suggested a KMeans++ and RF ensemble to identify DDoS attacks on the InSDN dataset [71]. Their results achieved 100% accuracy. Another work by Sen et al. [202] employed the Adaboost algorithm to identify DDoS attacks in an SDN context. When compared against J48, BayesNet, NB, MLP, SVM, and RF classifiers, the AdaBoost method fared best in good accuracy of 93% and low FPR.

By integrating KMeans with KNN Tan et al. [221] developed a DDoS detection system. It constituted a training data processing module based on KMeans and a traffic detection module based on KNN. The traffic is classified as malignant or benign based on the labels of the k points nearest to the measured instance. The simulation results suggest that their strategy outperformed the entropy approach and distributed SOM with precision of 99.03%, recall of 98.35% and FAR of 1.27%.

Ahuja et al. [4] developed the SDN dataset with the required characteristics for identifying attack traffic. The controller constructs the dataset by collecting port and flow information from OpenFlow switches and then applies a hybrid ML approach SVM-RF to discriminate between legitimate and malignant traffic. The suggested approach achieves excellent accuracy (98.8%) while having a low false-positive rate (0.020).

Wang and Wang [245] employed hybrid CNN-ELM model to detect and mitigate DDoS attacks. Their proposed model obtained 98.92% accuracy on CIC-IDS2017 [41] dataset and 99.91% on the InSDN dataset [71].
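
The two-module split summarised above for Tan et al. [221] (K-Means for training data processing, KNN for traffic detection) can be sketched as follows. This is an added illustration, not code from that paper or from this survey; the three flow features, the sample values and the reading of "training data processing" as condensing each class into labelled centroids are assumptions.

```python
from collections import Counter
from math import dist

# Constructed training flows (not taken from any dataset named on the page).
# Assumed feature order: packets per second, mean bytes per packet, duration (s).
BENIGN = [(12, 820, 30.0), (9, 640, 42.0), (15, 900, 25.0),
          (11, 700, 38.0), (8, 760, 55.0), (14, 880, 28.0)]
ATTACK = [(950, 64, 1.2), (1100, 60, 0.9), (870, 72, 1.5),
          (1020, 66, 1.0), (990, 58, 0.8), (1200, 62, 0.7)]


def fit_scaler(rows):
    """Per-feature (min, max), so no single feature dominates the distance."""
    return [(min(col), max(col)) for col in zip(*rows)]


def scale(row, scaler):
    """Min-max scale one flow; a constant feature maps to 0.0."""
    return tuple((v - lo) / (hi - lo) if hi > lo else 0.0
                 for v, (lo, hi) in zip(row, scaler))


def kmeans(points, k, max_iter=50):
    """Lloyd's algorithm with deterministic seeding (evenly spaced samples)."""
    centroids = [points[i * len(points) // k] for i in range(k)]
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for p in points:
            nearest = min(range(k), key=lambda i: dist(p, centroids[i]))
            clusters[nearest].append(p)
        updated = [
            tuple(sum(axis) / len(members) for axis in zip(*members))
            if members else centroids[i]  # an empty cluster keeps its seed
            for i, members in enumerate(clusters)
        ]
        if updated == centroids:
            break
        centroids = updated
    return centroids


def build_reference(benign, attack, k_per_class=2):
    """Training-data processing: condense each class into labelled centroids."""
    scaler = fit_scaler(benign + attack)
    reference = []
    for label, rows in (("benign", benign), ("attack", attack)):
        scaled = [scale(r, scaler) for r in rows]
        reference += [(c, label) for c in kmeans(scaled, k_per_class)]
    return scaler, reference


def classify(flow, scaler, reference, k=3):
    """Traffic detection: majority label of the k reference points nearest the flow."""
    point = scale(flow, scaler)
    nearest = sorted(reference, key=lambda item: dist(point, item[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


SCALER, REFERENCE = build_reference(BENIGN, ATTACK)

if __name__ == "__main__":
    for flow in [(1000, 64, 1.0), (10, 800, 35.0)]:
        print(flow, "->", classify(flow, SCALER, REFERENCE))
```

Condensing the training set keeps the per-flow KNN lookup cheap on the controller, but a flow whose rate and packet sizes resemble benign traffic will fall next to the benign centroids and be labelled benign.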

Discussion: Combining two or more algorithms yields better results than applying single algorithms. To detect DDoS attacks effectively, researchers created an ensemble of either two supervised ML algorithms or two unsupervised ML algorithms or a combination of both supervised and unsupervised ML algorithms. We have listed down some of the works of past years that used ensemble algorithms such as SVM-SOM, SOM-NB, KNN-SOM, K-Means-KNN, SVM-RF, and AdaBoost for detecting DDoS attacks using either public dataset or self-generated dataset created in SDN environment.

9 Deep Learning-Based Solutions for DDoS Attack Detection in SDN

Xu et al. [256] presented hidden Markov models (HMMs) to identify DDoS attacks. The HMM approach detects DDoS attacks by the origin IP invigilator in a single detection algorithm with a higher detection rate of 79.2%. In real-world applications, several identification operators address the challenges of information preparation bottleneck and single-point failure. As a result, the distributed location system is combined with the HMM-based discovery approach that uses source IP observation.

Niyaz et al. [163] proposed stack autoencoder-based DL technique for feature reduction. The authors took a large set of features and then applied a stack autoencoder scheme to reduce the feature set. In this work, an application for DDoS detection is built upon a POX controller to defend from TCP, UDP and ICMP flood attacks. The authors created a lab setup of 12 network devices for normal traffic collections. A private network of ten DDoS attackers and five victim hosts is established. Hping3 is used to perform different kinds of attacks to create attack traffic. The authors did not compare their approach with the state-of-the-art approach or other ML and DL techniques in this paper. In addition, the paper mainly focuses on detecting DDoS attacks. Although their proposed model achieved an accuracy of 95.65%, the attack’s mitigation is not being considered.

Yuan et al. [262] modelled the DDoS detection problem as a sequence classification. The deep defense applies DL-based models like CNN, RNN, GRU, and LSTM. The error rate is reduced from 7.517% to 2.103%. The authors compared different RNN models on ISCX 2012 [207] dataset, but the authors did not utilise SDN here to support DDoS detection.

Zheng et al. [266] created a system Reinforcing Anti-DDoS Actions in real time known as RADAR to protect against DDoS attacks using adaptive correlation analysis. The system is based on commercial off-the-shelf switches known as COTS that serve as SDN switches. It is the first DDoS detection and recognition system built on commodity switches. The Floodlight controller is used to build the RADAR system. The RADAR system consists of a collector, detector and locator. In real time, the RADAR can detect threats such as DNS amplification attacks, crossfire assaults, SYN and UDP flood attacks with 90% detection rate. The findings demonstrate that the suggested system can detect DDoS more effectively, with low latencies and reasonable overhead.

Li et al. [129] build a DL-based DDoS defense module using RNN, CNN and LSTM. Their model has an accuracy of 99% in the training phase. In DDoS defense architecture, there are a feature extraction module, DL DDoS detection module, information statistics module, model updater and flow packets coming to open flow switches and constructing a feature matrix. The DL-based DDoS detection module uses the resulting feature matrix as input. Deep learning is used to train the DDoS detection module to retrieve the features from the features matrix. The information statistics module collects attack features and their frequency. The flow table generator produces flow rules for attack traffic based on feedback from the information statistics module. For training and creation of the attack dataset, the authors utilised the ISCX dataset [207]. Spirent C1 tool performs DDoS attacks like Ping of death, ARP flood, UDP flood, Smurf and SYN flood. However, their proposed DL-based model achieved a significant performance accuracy of 99%, but they did not discuss how training is performed on the ISCX dataset in the SDN environment.

Liu et al. [135] developed a DDoS mitigation architecture that includes an information collecting module and a DDoS mitigation module. The SDN controller receives network traffic data in the information collection module. The DDoS mitigation module used deep reinforcement learning techniques to learn the features of assault traffic. A deep reinforcement learning agent is placed at the application layer in this module, which aids in generating flow rules to prevent and mitigate DDoS attacks. The suggested architecture protects against multiple DDoS flooding attacks (TCP SYN, UDP and ICMP). The authors employed the RYU controller and Mininet to build an SDN system.

Phan et al. [177] proposed Q-Mind defense model for DDoS attack. This framework can mitigate slow-rate DDoS attacks using Q-learning-based reinforcement learning. They perform experiments on the Maxinet emulator and ONOS controller. After identifying the attack, the ONOS controller installs flow rules to block malevolent IPs and achieves 99.5% accuracy.

Haider et al. [84] proposed a CNN-based DDoS defense model in SDN. The proposed architecture is evaluated on CICDDoS 2017 dataset [40] and achieved an accuracy of 99.48%. However, the CICDDoS dataset is Flow-based, but the author did not validate their result in a real or emulated SDN environment. Authors selected features, i.e. average

packet size, flow duration, and packet length standard deviation for DDoS detection.

Priyadarshini and Barik [184] proposed a source-based DDoS detection approach. It uses SDN to build a DDoS defense module on an SDN controller trained with LSTM. For training the DL module, the CTU-13 [42] dataset is used for attack traffic and the ISCX-2012 dataset [207] is used for normal traffic. The authors obtained an accuracy of 98.88% for their proposed model.

Liang and Znati [131] proposed an LSTM-based DDoS detection approach, they did not do feature engineering, but only packet header information is used for analysis. To identify DDoS attacks, LSTM examines a brief sequence of network packets. Authors claimed their approach could capture the dynamic behaviour of attack traffic, which ML algorithms do not identify easily. In this scenario, analysing a limited number of network packets is adequate. The authors compared their approach with ANN, DT, and SVM and found LSTM slightly better on CICDDoS 2017 [40] dataset with around 99% of precision, recall and f-measure.

Nugraha and Murthy [167] proposed an ensemble model of LSTM and CNN for slow-rate DDoS attack detection. This hybrid model outperforms other approaches like MLP, and one-class SVM and achieves 99% accuracy. The authors concluded that DL models fared better than ML models for a large dataset. The Hping3 tool generates regular traffic, and Slowloris generates attack traffic. The authors took the ONOS controller and two switches for evaluation. The limitation of the work is its small network topology.

Ujjan et al. [237] detected DDoS attack using DL model in SDN with Snort IDS. Anomalous traffic is identified using sFlow and measured traffic checking at the data plane. Their method reduced the controller load to handle the data plane layer. SAE and Snort IDS are used to achieve an accuracy of 95% and a low FPR of 4%.

Novaes et al. [164] proposed a modular DDoS detection and mitigation approach. The defense system comprises three modules. The first module characterises the network traffic using LSTM. DDoS attack is identified using a fuzzy inference system in the second module. The third module is responsible for DDoS mitigation. The authors experimented using a Mininet-based emulation environment and Floodlight controller. The authors also used CICDDoS 2019 [39] dataset to test their approach. They obtained 93.13% accuracy when compared to KNN, SVM, MLP, and LSTM-2. In their other work [165], the authors detected a DDoS attack using the Adversarial Deep Learning Anomaly Detection approach. Adversarial training is used in this technique using the GAN (generative adversarial network) architecture. The experimental setup was the same as in their previous work. The performance of GAN was compared with LSTM, CNN and MLP algorithms. Compared to other algorithms, the GAN framework did the best in identifying DDoS attacks, with an accuracy of 99.78%. Similarly, Nugraha et al. [168] applied DL models CNN-LSTM and MLP to detect flooding attacks on two adversarial datasets. One of the datasets is derived from SDN emulated dataset, and the other is generated synthetically using Tabular GAN. They perform experiments on the Maxinet emulator and ONOS SDN controller. The results show that adding more adversarial cases to the training dataset increases the resilience of the MLP model. Their suggested model achieves 99% result for all performance parameters, including accuracy, precision, recall, and f-measure.

Jia Min et al. [152] performed DDoS detection by combining SVM with an optimised LSTM DL model and obtained 99.77% accuracy. The SDN controller extracts the flow table statistics and creates a feature vector in this approach. SVM takes the feature vector for abnormal traffic detection. If the traffic is detected as abnormal, it is sent to the LSTM model along with traffic information of the previous time. Finally, LSTM decides the abnormality of traffic. The authors performed their experiment in a small topology. How normal traffic is generated is not discussed in detail. Information related to the dataset and controller used is not elaborated.

Gadze et al. [76] proposed a DDoS detection approach based on RNN LSTM and CNN model. In this paper, the authors claimed RNN LSTM outperformed other linear-based classification models like Linear regression, Naïve Bayes and SVM with an accuracy of 89.63%. Work was emulated using the Mininet emulator and Floodlight controller to evaluate their approach. The Hping3 tool is used for traffic generation. The proposed approach performs and detects UDP, TCP, and ICMP attacks. The major limitation of this approach is the small dataset. The authors collected only 10,031 data for traffic analysis which is very small for the DL approach.

Yungaicela-Naula et al. [263] tested various ML/DL models on two well-known datasets, namely CICDDoS2017 [40] and CICDDoS2019 [39]. The authors deployed the model on an SDN emulation environment using Mininet and ONOS SDN controller. This paper investigates attacks like SYN, UDP, and HTTP Get flood attacks. The proposed setup consists of a flow collector, preprocessing, detection, and flow manager module. The CICFlow meter is used for the network traffic flow generator in the flow collector module. The flow collector module collects flows with 76 features. Various ML models like KNN, SVM, RF, and different DL models like MLP, CNN, GRU, and LSTM are used in the detection module. The authors achieved 98% detection accuracy for transport layer DDoS assaults and 95% detection accuracy for application layer DDoS attacks, respectively.

Sudar et al. [216] also proposed a four-layer DNN model for DDoS detection. The authors used CIC-IDS2017 [41] dataset for evaluating their model. After feature selection,

the authors selected six features for DDoS detection and achieved an accuracy of 97.59%.

Ahuja et al. [6] detected DDoS attack from normal traffic using an ensemble of DL algorithms CNN-LSTM, SVC-SOM and SAE-MLP algorithms. They applied the algorithms on the dataset and compared them based on accuracy, recall, precision, and f-score. SAE-MLP algorithm performed best with an accuracy of 99.75%. Similarly, Makuvaza et al. [140] detected DDoS attacks using deep neural network on CICIDS2017 [41] dataset. They compared their results with other algorithms, RBM-SVM, GRU-RNN and GRU-LSTM, based on the accuracy. Their proposed DNN model performed best with 97.25% accuracy.

Yungaicela et al. [264] employed deep reinforcement learning for DDoS prevention in SDN networks. They worked on self-generated dataset using ONOS controller, Mininet and Apache Web server. Their experiment yielded 98% and 30% detection and flow sampling rates, respectively, and effectively mitigated slow-rate DDoS attacks. Ali et al. [13] also detected low-rate DDoS attack using three ANN algorithms Levenberg–Marquardt, Scaled Conjugate Gradient, and Bayesian regularisation. They performed their experiment on CAIDA [37] dataset and obtained an accuracy of 98.85%, sensitivity of 98.13%, F1-Score of 94.21%, and misclassification rate of 1.15%.

Discussion: As per the State-of-the-Art, there are two schools of thought for intelligent DDoS attack detection using SDN. One thought is based on ML technique, and another is based on the DL-based solution. The foremost requirement for deep learning is a large dataset applied in vision processing, speech recognition and applications where feature dimension is very high, having unknown features. Deep learning is a technique for extracting features from data. DL algorithms perform better in detecting DDoS attacks than ML approaches. We have listed some of the research works of past years where the researchers have applied DL algorithms such as CNN, RNN, LSTM, GRU, and stack autoencoder on large datasets DARPA99, ISCX2012, CTU-13, CICIDS2017, CICDDoS2019, CICDoS2017 and CICIDS2018 to recognise DDoS attacks in SDN network environment. Table 10 summarises the DL solutions for DDoS detection in SDN.

10 Detection and Mitigation Application for DDoS attack

It is difficult to detect and mitigate DDoS attacks in real time. It will be advantageous to have an application deployed at the SDN application layer that communicates with the controller and detects and mitigates DDoS attack. DDoS detection applications for POX, ONOS, Floodlight, OpenDaylight, and RYU controllers have been developed by researchers. According to Table 11, very few applications have been developed to detect and mitigate DDoS attacks. Both Chen et al. [45] and Oo et al. [170] created an application for ONOS controller, although the former did not provide an application for detection and mitigation. We developed an OFD (ONOS Flood Defender) application [19] in SDN-based infrastructure due to a lack of apps for ONOS controllers. This application comprises main method, detection, mitigation and flow rule generation modules, all of which work together to handle DDoS attacks and remove them from the network.

Discussion: As we can see from the preceding sections, researchers have put forth a lot of effort in recent years to create various architectures for tackling DDoS attacks. However, an SDN-based application for tackling DDoS attacks is required to detect and mitigate attacks efficiently, preventing massive harm to genuine users.

11 Research Challenges and Future Directions

This section discusses the current issues for all research publications providing DDoS detection and mitigation techniques. As a result, researchers inspired by this field may raise the issues and suggest appropriate solutions for DDoS attack detection.

SDN has several benefits that can prove fruitful to the world. However, apart from the advantages, SDN also faces several issues. The data and control plane separation in SDN has posed security threats. SDN planes have become vulnerable to DDoS attacks. The attacker can now attack any plane of SDN. Protecting SDN from these attacks is a significant issue that must be handled so legitimate users can access the services without disruption or delay. This is also necessary so that the benefits of SDN can be utilised to a full extent. We outline some of the problems that researchers might use to do more study and build new approaches to secure SDN.

1. Standard SDN dataset for DDoS research
   One major challenge is having standard SDN dataset. Applying ML and DL algorithms to this dataset to detect DDoS attacks can prove fruitful to legitimate users in the real networking world. We have found that there are a lot of public datasets available such as NSL-KDD [101], CAIDA [37], DARPA [56], CICDDoS2017 [40] and CIC-DoS2019 [39] for detecting DDoS attacks. The researchers have used these datasets to detect attacks, but none are SDN-specific. They must be updated to be flow-based in SDN networks. This is not always possible since the dataset may not accurately describe SDN behaviour during DDoS assaults. This is a major disadvantage and has emerged as a challenge. Creating

Table 10 Deep learning solutions for DDoS attack detection in SDN

| S. no. | Refs. | Attack plane | Dataset | Detection algorithms used | Scope | Performance metrics |
|---|---|---|---|---|---|---|
| 1 | Xu et al. [256] | Data | DARPA99 [125] | HMM | Detection | Detection rate, communication frequency |
| 2 | Hurley et al. [91] | – | Self-generated | HMM | Detection | Accuracy |
| 3 | Niyaz et al. [163] | Data, Control | Self-generated | Stack autoencoder | Detection | Accuracy, Precision, Recall, F-measure |
| 4 | Yuan et al. [262] | Data | ISCX2012 [207] | CNN, RNN, LSTM, GRU | Detection | Error rate, Accuracy, Precision, Recall, F-measure, AUC |
| 5 | Aziz and Okamura [23] | Data | Dataset from Malware Capture Facility Project | DL, DT | Detection, Mitigation | Packet drop |
| 6 | Zheng et al. [266] | Data | Self-generated | RL | Detection, Mitigation | Accuracy, Delay, Overhead |
| 7 | Li et al. [129] | Data | ISCX2012 [207] | CNN, RNN, LSTM | Detection | Accuracy |
| 8 | Liu et al. [135] | Data | Self-generated | Deep RL | Mitigation | – |
| 9 | Sahoo et al. [195] | Data | – | Learning Automata | Detection | Connection delay, failure rate, packet drop |
| 10 | Phan et al. [177] | Data | Self-generated | Q-Learning | Detection, Mitigation | Precision, Recall, F-measure, Detection rate, FAR |
| 11 | Haider et al. [84] | Data | CICDDoS2017 [40] | CNN | Detection | Accuracy, Precision, Recall, F-measure |
| 12 | Priyadarshini and Barik [184] | Data | CTU-13 [42], ISCX-2012 [207] | LSTM | Detection | Accuracy |
| 13 | Liang and Znati [131] | Data | CICIDS2017 [41] | LSTM | Detection | Precision, Recall, F-measure |
| 14 | Sun et al. [217] | Data | Self-generated | BiLSTM-RNN | Detection | CPU utilisation, Accuracy |
| 15 | Haider et al. [84] | Data | ISCX 2017 [41] | CNN | Detection | Accuracy, Precision, Recall |
| 16 | Nugraha and Murthy [167] | Data | Self-generated | CNN, LSTM | Detection | Accuracy, Precision, Recall, F-measure, Specificity |
| 17 | Ujjan et al. [237] | Data | Self-generated | SAE | Detection | Accuracy, Precision, Recall, F-measure |
| 18 | Novaes et al. [164] | Data | Self-generated | LSTM | Detection, Mitigation | Accuracy, Precision, Recall, F-measure |
| 19 | Wang and Liu [248] | Data | CICIDS2017 [41] | CNN | Detection | Accuracy, Precision, Recall, F-measure, Training time |
| 20 | Benzaïd et al. [29] | Application | CICIDS2017 [41] | DL-MLP | Detection, Mitigation | Response time, Server load |
| 21 | Mhamdi et al. [150] | Data | CICIDS2017 [41] | SAE-1SVM | Detection | Accuracy, Precision, Recall, F-measure |
| 22 | Malik et al. [141] | Control | CICIDS2017 [41] | LSTM-CNN | Detection | Accuracy, Precision, Recall, F-measure, Testing time |
| 23 | de Assis et al. [63] | Data | CICDDoS2019 [39] | CNN | Detection, Mitigation | Accuracy, Precision, Recall, F-measure |
| 24 | Novaes et al. [165] | Data | CICDDoS2019 [39] | Adversarial Deep Learning | Detection, Mitigation | Accuracy, Precision, Recall, F-measure |
| 25 | Nugraha et al. [168] | Data | Self-generated | CNN-LSTM, MLP | Detection | Accuracy, Precision, Recall, F-measure |
| 26 | Min et al. [152] | Data | Self-generated | SVM-LSTM | Detection | Accuracy |
| 27 | Makuvaza et al. [140] | Data | CICIDS2017 [41] | DNN | Detection | Accuracy, Precision, Recall, F-measure |
| 28 | Sudar et al. [216] | Data | CICIDS2017 [41] | DNN | Detection | Accuracy, Precision, Recall, F-measure |
| 29 | Gadze et al. [76] | Data | Self-generated | RNN, LSTM, CNN | Detection, Mitigation | Accuracy, Recall, Detection time, Mitigation time |
| 30 | Yungaicela-Naula et al. [263] | Data | CICDDoS2017 [40], CICDDoS2019 [39] | MLP, CNN, LSTM, GRU | Detection, Mitigation | Accuracy, Precision, Recall, F-measure |
| 31 | Ahuja et al. [6] | Data | Dataset by Leading India Project | CNN, LSTM, CNN-LSTM, SVC-SOM, SAE-MLP | Detection | Accuracy, Precision, Recall, F-measure |
| 32 | Ujjan et al. [238] | Data | Self-generated | SAE, CNN | Detection, Mitigation | Accuracy, Precision, Recall, F-measure |
| 33 | Dake et al. [57] | Data | Self-generated | Deep RL | Detection, Mitigation | Packet loss, Network delay, Jitter, Bandwidth utilisation |
| 34 | Wan et al. [243] | – | UNSW-NB15 [235] | SSAE-BiLSTM | Detection | Accuracy, F-measure, FAR |
| 35 | Javeed et al. [95] | Control | CICDDoS2019 [39] | CuDNNLSTM, CuDNNGRU | Detection | Accuracy, F-measure, Precision, Recall |
| 36 | Assis et al. [22] | Control | CICDDoS2019 [39], CICIDS2018 [43] | GRU | Detection, Mitigation | Accuracy, F-measure, Precision, Recall |
| 37 | Yungaicela-Naula et al. [264] | Data | Self-generated | LSTM | Detection, Mitigation | Detection rate, Flow sampling rate |
| 38 | Ali et al. [12] | Control | CAIDA [37] | ANN | Detection, Mitigation | Accuracy, Sensitivity, Specificity, F1-Score, FPR |

Table 11 Comparative analysis of detection and mitigation applications

| Refs. | Controller | Application created | Detection | Mitigation | Detection technique |
|---|---|---|---|---|---|
| Chen et al. [45] | ONOS | × | ✓ | ✓ | SVM |
| Oo et al. [170] | ONOS | ✓ | ✓ | × | ASVM |
| Hu et al. [90] | POX | ✓ | ✓ | ✓ | SVM |
| Chen et al. [46] | POX | × | ✓ | × | XGBoost |
| Yang et al. [260] | RYU | × | ✓ | × | SVM |
| Myint et al. [159] | OpenDaylight | ✓ | ✓ | × | ASVM |
| Polat et al. [179] | POX | × | ✓ | × | SVM, KNN, NB, ANN |
| Swami et al. [220] | OpenDaylight | × | ✓ | × | DT, RF, AdaBoost, MLP, LR |
| Akanji et al. [7] | RYU | × | ✓ | × | SVM |
| Yungaicela et al. [264] | ONOS | × | ✓ | ✓ | LSTM |
| Aslam et al. [19] | ONOS | ✓ | ✓ | ✓ | MLP, KNN, SVM, XGBoost, Adaboost, RF, Bagging, Gradient Boosting |
| Khedr et al. [112] | POX | ✓ | ✓ | ✓ | SVM, KNN, DT, RF |

   SDN-specific datasets is encouraged for better DDoS detection and network traffic management.
2. Feature Engineering in SDN-based DDoS detection
   Despite the fact that feature selection has a significant influence on DDoS detection performance, only a few systems employ it as the primary method. When building DDoS detection techniques, most researchers overlook feature selection methodologies.
   DDoS attacks can be identified using specific features. Analysing and using these features to create a dataset can help detect attacks better. Several essential features are studied by Braga et al. [32], Myint et al. [159], and Xu and Liu [257] for DDoS attack detection. According to our survey, some of the most common features extracted from SDN are the duration of flows, the entropy of source/destination IP address, the number of packets per flow, the number of bytes per flow and the entropy of source/destination ports. Having useful features is essential, but having the best and reduced feature set for detection is also essential. Feature selection methods do this. Methods for selecting features help us choose the best and fewest characteristics for the dataset. It speeds up the training of ML algorithm. The model’s complexity is lowered, making it easier to comprehend. Using a reduced dataset improves model accuracy and reduces overfitting. As a result, selecting the best and most limited feature set is critical and has proven challenging for researchers. Table 5 presents the feature selection methods used by the researchers in their work for detecting DDoS attacks. However, to increase the efficiency of DDoS detection techniques, features must be dynamically selected and updated. We analysed that researchers have applied feature selection methods to their dataset. However, none of them has applied feature selection methods on SDN-specific datasets, which is a sign of concern. Our analysis might encourage the researchers to create an SDN-specific dataset based on essential features and then apply feature selection methods to detect attacks better. Moreover, finding a better subset of features for DDoS attack detection needs to be researched.
3. Low-rate DDoS detection
   We discovered that most research is based on spotting high-rate DDoS attack. There are very few works that detect low-rate DDoS attacks. One recent attack on AWS [113] suggests that DDoS attacks are moving towards more stealthy low-rate attacks from high-volume DDoS attacks. Low-rate DDoS attacks can cause severe damage if not detected timely. The average traffic volume

of low-rate DDoS attacks is nearly the same as regular traffic flow, so they are challenging to detect. As these attacks send fewer packets than high-rate attacks, the characteristics that can detect high-rate attacks will not detect low-rate attacks. As a result, these attacks must not be overlooked because they can potentially disrupt benign traffic over time. Several research papers, including [177, 192], have provided detection strategies for low-rate DDoS assaults. Finding the characteristics of these attacks and devising a detection system with low FPR and high true positive rate is a challenge that needs to be addressed.

4. Timely mitigation of DDoS attack with low impact on legitimate requests
It is vital to recognise the DDoS attack as soon as feasible and delete the malicious flows from the network. Even if the attacks are identified, administrators cannot counteract them within the time limit. Regular users will continue to get services without interruption if DDoS attacks are recognised early and proper countermeasures are implemented. Real-time mitigation of these attacks might lessen the impact on genuine users. Creating an effective mitigation mechanism is a challenge to the researchers for increasing users’ productivity in the SDN environment.

5. Detection and Mitigation in multi-controller SDN WAN network
As the network capacity is expanding daily, the lack of a stable and secure SDN controller is a challenge. Therefore, implementing ML/DL-based detection methods for DDoS attacks on a single controller may overwhelm it, lowering its operational efficiency. A single controller might potentially be a vulnerability for the whole network. Implementing DDoS security solutions in a multi-controller environment might be beneficial since it can distribute traffic load amongst devices and perform load balancing as needed. Priority should be given to the stability and scalability of multi-controllers for SDN WAN networks. The root controller has a globalised network view in a multi-controller setup, whereas the other local controllers only have network information. The challenge of synchronising these controllers in a multi-controller system must be addressed. Designing an effective ML-based/DL-based DDoS attack detection method on large-scale networks in a multi-controller environment is a challenge for the researchers.

6. Real Implementation instead of Simulation
According to our survey, most of the research works have implemented their detection/mitigation methods in a simulation environment only. Although the simulation results are satisfactory for research, the methods’ performance can be evaluated more accurately and effectively if the same procedures are used and evaluated on a real SDN network. Most researchers employed a simple topology with a single controller and two hosts to test their methods. As a result, a significant amount of effort is necessary to build thorough and up-to-date test criteria that allow SDN to detect and mitigate DDoS attacks in real-world network environments.

7. DDoS detection and mitigation in hybrid network environment
If SDN is integrated with other traditional networks, such as the Internet of Things or computing concepts, such as edge computing, then the efficiency of DDoS detection methods can be increased. In the case of IoT, the detection system installed on the IoT gateway device reduces the response time of DDoS attack by collecting detection data. Similarly, the edge nodes detect DDoS attacks effectively in edge computing. The characteristics of both networks can be combined with SDN, which can increase the performance of DDoS detection methods. However, it may also happen that the computing power of IoT devices and edge nodes can make it difficult to deploy highly complex detection methods. As a result, researchers have faced significant challenges in researching and designing DDoS detection and mitigation systems by integrating SDN and other traditional networks.

8. Controller and OpenFlow switch overhead analysis
Using a single controller to deploy DDoS detection and mitigation methods may overburden it, lowering its operating efficiency. It is also possible that the single controller will serve as the network’s single point of failure. As a result, the use of DDoS detection methods in a multi-controller system is required, which can help to balance the load between different devices. Similarly, in the case of OpenFlow switches, the switch may overload due to its restricted memory and stop working if the attacker loads the flow table with malign flows. This disrupts the network services. If the DDoS detection method is applied in OpenFlow switches, the computational load on the controller is reduced, but the complexity of the hardware is increased, incurring an additional expense. As a result, it is challenging to implement security modules in switches without causing an overhead on the controller and OpenFlow switches.

9. Application for DDoS attack detection and mitigation
To detect and mitigate DDoS attacks simultaneously, creating an application for an SDN controller would prove beneficial. We have analysed that few researchers have created applications to identify and mitigate DDoS attacks. Most have created only detection applications for controllers such as OpenDaylight, Floodlight, POX, NOX, ONOS and RYU. It is necessary to mitigate the attack properly so legitimate users are unaffected. An application capable of detecting and mitigating the attack simultaneously is highly necessary.
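The feature-selection challenge above names the features most often extracted from SDN (flow duration, source/destination IP and port entropy, packets and bytes per flow) and asks for a reduced feature subset. The Python code below is an added example, not code from this survey or from any cited work: it computes those features per observation window and ranks them with a Fisher score, one filter-style selection method chosen here for illustration. The `Flow` record layout, the function names and the flow windows are constructed for the example, so the resulting ranking says nothing about real traffic.

```python
import math
from collections import Counter, namedtuple

# One flow entry as a controller could read it from switch flow statistics
# (hypothetical record layout for this example).
Flow = namedtuple("Flow", "src_ip dst_ip src_port dst_port packets byte_count duration")


def entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum((c / total) * math.log2(total / c) for c in counts.values())


def window_features(flows):
    """Per-window values of the features the survey lists as most common."""
    if not flows:
        raise ValueError("window contains no flows")
    n = len(flows)
    return {
        "flow_duration": sum(f.duration for f in flows) / n,
        "src_ip_entropy": entropy(f.src_ip for f in flows),
        "dst_ip_entropy": entropy(f.dst_ip for f in flows),
        "src_port_entropy": entropy(f.src_port for f in flows),
        "dst_port_entropy": entropy(f.dst_port for f in flows),
        "packets_per_flow": sum(f.packets for f in flows) / n,
        "bytes_per_flow": sum(f.byte_count for f in flows) / n,
    }


def fisher_scores(rows, labels):
    """Fisher score per feature: (gap between class means)^2 / (sum of class variances)."""
    scores = {}
    for name in rows[0]:
        stats = []
        for cls in (0, 1):
            vals = [r[name] for r, y in zip(rows, labels) if y == cls]
            if not vals:
                raise ValueError("both classes need at least one window")
            mean = sum(vals) / len(vals)
            var = sum((v - mean) ** 2 for v in vals) / len(vals)
            stats.append((mean, var))
        (m0, v0), (m1, v1) = stats
        # The small constant keeps the score finite when a feature is
        # constant within both classes.
        scores[name] = (m1 - m0) ** 2 / (v0 + v1 + 1e-9)
    return scores


def select_features(rows, labels, k):
    """Names of the k highest-scoring features, best first."""
    scores = fisher_scores(rows, labels)
    return sorted(scores, key=scores.get, reverse=True)[:k]


def benign_window(i):
    """Constructed benign window: a few clients talking to a few services."""
    hosts = 4 if i % 2 == 0 else 8
    ports = (80, 443, 53, 22) if i % 2 == 0 else (80, 443)
    return [Flow(f"10.0.0.{j % hosts + 1}", f"10.0.1.{j % 4 + 1}", 40000 + j,
                 ports[j % len(ports)], 20 + i + j, (20 + i + j) * 500,
                 5.0 + i + j % 3) for j in range(8)]


def flood_window(i):
    """Constructed high-rate flood window: many sources, short tiny flows."""
    victims = 1 if i % 2 == 0 else 2
    return [Flow(f"172.16.{i}.{j + 1}", f"10.0.1.{j % victims + 1}", 1024 + j,
                 80, 2 + i % 2, (2 + i % 2) * 60, 0.5 + 0.1 * i) for j in range(8)]


def build_dataset():
    """Four benign (label 0) and four flood (label 1) windows, all constructed."""
    rows = [window_features(benign_window(i)) for i in range(4)]
    rows += [window_features(flood_window(i)) for i in range(4)]
    return rows, [0] * 4 + [1] * 4


if __name__ == "__main__":
    rows, labels = build_dataset()
    for name, score in sorted(fisher_scores(rows, labels).items(), key=lambda kv: -kv[1]):
        print(f"{name:18s} {score:10.2f}")
    print("selected:", select_features(rows, labels, 3))
```

In this constructed sample the source-port entropy is identical in both classes and scores zero, which is the kind of feature a selection step removes before training.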


11.1 Summary

This survey presents a detailed taxonomy of DDoS defense solutions. The taxonomy is classified based on application, DDoS dataset, ML/DL solutions, feature selection methods, attack target and testing environment. In this article, we have explained the works of researchers during the past years who have proposed a solution for DDoS attack detection and mitigation using different ML and DL techniques. The different DDoS datasets available publicly are also explained in detail. We observed that although researchers have given many solutions for detecting and mitigating DDoS attacks in SDN, there is still no universal solution for all the challenges faced during DDoS attack detection and mitigation. Owing to the enormous rise of DDoS attacks in the last few years, as mentioned in Table 1, we can expect a greater diversity of emerging technologies to mitigate the damage caused by DDoS attacks to legitimate users. There is still a huge scope of research for emerging researchers to come up with innovative solutions to safeguard SDN infrastructure.

12 Conclusion

SDN has a vast future in the networking world. The security of SDN is one of the significant concerns which needs to be addressed. DDoS attacks are increasing, which has generated concern among users. Attackers attack the services more frequently to bring the servers down each year. Timely handling of DDoS attacks is a significant challenge. Apart from detecting and mitigating, it is also vital to ensure that the server load is not raised and mitigation is done immediately without causing a massive loss to the users. We have surveyed 24 survey articles from the year 2014 to 2023. Apart from this, we have also reviewed 260 research articles related to DDoS attacks in SDN. Out of the 260 research articles, we have selected 132 research articles related to DDoS defense solutions based on ML and/or DL algorithms in SDN.

There are various potential future research directions. First, the unavailability of standard SDN-specific datasets may not prove fruitful in correctly identifying DDoS attacks. Creating SDN-specific datasets is encouraged for better detection of DDoS attacks and network traffic management. Second, although many researchers have given DDoS attack detection solutions, only some have applied feature selection algorithms on SDN datasets. Finding better feature subsets for DDoS detection needs to be further researched. Third, finding the characteristics of low-rate DDoS attacks and devising a detection system with low FPR and high TPR is a potential area of research. Fourth, creating an effective mitigation mechanism to counteract DDoS attacks within the time limit is a future scope for researchers to increase users’ productivity in the SDN environment. Fifth, designing an effective ML/DL-based DDoS attack detection method on large-scale SDN WAN networks in a multi-controller environment is a promising research direction for the researchers. Sixth, implementing detection/mitigation techniques on a real SDN network scenario is highly required to validate the performance of methods. Seventh, researchers can further design a DDoS detection and mitigation system using SDN and other conventional networks to boost detection/mitigation efficiency. Eighth, analysing controller and OpenFlow switch overhead while implementing security modules for attack detection is a further research scope. Lastly, researchers can build an efficient application deployed at the SDN application layer to identify and get rid of the attack simultaneously. These research directions can help the researchers conduct further research and develop new methods to secure SDN.

Funding This research is supported by the Department of Science and Technology (DST)-Interdisciplinary Cyber-Physical Systems (ICPS) initiative, with the research grant number DST/ICPS/CPS-Individual/2018-490 (G).

Availability of data and materials As this is a survey paper, no datasets were created throughout the research.

References

1. AWS Shield.: Aws shield threat landscape report - q1 2020 (2020). https://aws-shield-tlr.s3.amazonaws.com/2020-Q1_AWS_Shield_TLR.pdf. Accessed 11 Sept 2022
2. Abou El Houda, Z.; Khoukhi, L.; Hafid, A.S.: Bringing intelligence to software defined networks: mitigating DDoS attacks. IEEE Trans. Netw. Serv. Manag. 17(4), 2523–2535 (2020)
3. Ahmed, M.E.; Kim, H.; Park, M.: Mitigating DNS query-based DDoS attacks with machine learning on software-defined networking. In: MILCOM 2017–2017 IEEE Military Communications Conference (MILCOM), pp. 11–16. IEEE (2017)
4. Ahuja, N.; Singal, G.; Mukhopadhyay, D.; et al.: Automated DDoS attack detection in software defined networking. J. Netw. Comput. Appl. 187(103), 108 (2021)
5. Ahuja, N.; Singal, G.: DDoS attack detection & prevention in SDN using OpenFlow statistics. In: 2019 IEEE 9th International Conference on Advanced Computing (IACC), pp. 147–152. IEEE (2019)
6. Ahuja, N.; Singal, G.; Mukhopadhyay, D.: DLSDN: Deep learning for DDoS attack detection in software defined networking. In: 2021 11th International Conference on Cloud Computing, Data Science & Engineering (Confluence), pp. 683–688. IEEE (2021)
7. Akanji, O.S.; Abisoye, O.A.; Iliyasu, M.A.: Mitigating slow hypertext transfer protocol distributed denial of service attacks in software defined networks. J. Inf. Commun. Technol. 20(3), 277–304 (2021)
8. AlMomin, H.; Ibrahim, A.A.: Detection of distributed denial of service attacks through a combination of machine learning algorithms over software defined network environment. In: 2020 International Congress on Human–Computer Interaction, Optimization and Robotic Applications (HORA), pp. 1–4. IEEE (2020)


9. Aladaileh, M.A.; Anbar, M.; Hasbullah, I.H.; et al.: Detection techniques of distributed denial of service attacks on software-defined networking controller—a review. IEEE Access 8, 143,985-143,995 (2020)
10. Alashhab, A.A.; Zahid, M.S.M.; Azim, M.A.; et al.: A survey of low rate DDoS detection techniques based on machine learning in software-defined networks. Symmetry 14(8), 1563 (2022)
11. Alhijawi, B.; Almajali, S.; Elgala, H.; et al.: A survey on DoS/DDoS mitigation techniques in SDNs: classification, comparison, solutions, testing tools and datasets. Comput. Electr. Eng. 99(107), 706 (2022)
12. Ali, T.E.; Chong, Y.W.; Manickam, S.: Machine learning techniques to detect a DDoS attack in SDN: a systematic review. Appl. Sci. 13(5), 3183 (2023)
13. Ali, M.N.; Imran, M.; din, M.S.; et al.: Low rate DDoS detection using weighted federated learning in SDN control plane in IoT network. Appl. Sci. 13(3), 1431 (2023)
14. Ali, J.; Roh, B.h.; Lee, B.; et al.: A machine learning framework for prevention of software-defined networking controller from DDoS attacks and dimensionality reduction of big data. In: 2020 International Conference on Information and Communication Technology Convergence (ICTC), pp. 515–519. IEEE (2020)
15. Alkasassbeh, M.; Al-Naymat, G.; Hassanat, A.; et al.: Detecting distributed denial of service attacks using data mining techniques. Int. J. Adv. Comput. Sci. Appl. 7(1), 436–445 (2016)
16. Alshamrani, A.; Chowdhary, A.; Pisharody, S.; et al.: A defense system for defeating DDoS attacks in SDN based networks. In: Proceedings of the 15th ACM International Symposium on Mobility Management and Wireless Access, pp. 83–92. ACM (2017)
17. Anand, P.: Record for the largest ever https DDoS attack smashed once again (2022). https://t.ly/df6Z. Accessed 11 Sept 2022
18. Ashraf, J.; Latif, S.: Handling intrusion and DDoS attacks in software defined networks using machine learning techniques. In: 2014 National software engineering conference, pp 55–60. IEEE (2014)
19. Aslam, N.; Srivastava, S.; Gore, M.: Onos flood defender: an intelligent approach to mitigate DDoS attack in SDN. Trans. Emerg. Telecommun. Technol. 33, e4534 (2022)
20. Aslam, M.; Ye, D.; Tariq, A.; et al.: Adaptive machine learning based distributed denial-of-services attacks detection and mitigation system for SDN-enabled IoT. Sensors 22(7), 2697 (2022)
21. Aslam, M.; Ye, D.; Hanif, M.; et al.: Machine learning based SDN-enabled distributed denial-of-services attacks detection and mitigation system for internet of things. In: International Conference on Machine Learning for Cyber Security, pp 180–194. Springer (2020)
22. Assis, M.V.; Carvalho, L.F.; Lloret, J.; et al.: A GRU deep learning system against attacks in software defined networks. J. Netw. Comput. Appl. 177(102), 942 (2021)
23. Aziz, M.Z.A.; Okamura, K.: Leveraging SDN for detection and mitigation smtp flood attack through deep learning analysis techniques. Int. J. Comput. Sci. Netw. Secur. 17(10), 166–172 (2017)
24. BBC website attack: web attack knocks BBC websites offline (2015). http://bbc.com/news/technology-35204915. Accessed 11 Sept 2022
25. Banerjee, S.; Chakraborty, P.S.: To detect the distributed denial-of-service attacks in SDN using machine learning algorithms. In: 2021 International Conference on Computing, Communication, and Intelligent Systems (ICCCIS), pp. 966–971. IEEE (2021)
26. Barbaschow, A.: Melbourne it confirms DDoS attack behind DNS outage (2017). https://t.ly/R93y. Accessed 11 Sept 2022
27. Barki, L.; Shidling, A.; Meti, N.; et al.: Detection of distributed denial of service attacks in software defined networks. In: 2016 International Conference on Advances in Computing. Communications and Informatics (ICACCI), pp. 2576–2581. IEEE (2016)
28. Bawany, N.Z.; Shamsi, J.A.; Salah, K.: DDoS attack detection and mitigation using SDN: methods, practices, and solutions. Arab. J. Sci. Eng. 42(2), 425–441 (2017)
29. Benzaïd, C.; Boukhalfa, M.; Taleb, T.: Robust self-protection against application-layer (D) DoS attacks in SDN environment. In: 2020 IEEE Wireless Communications and Networking Conference (WCNC), pp. 1–6. IEEE (2020)
30. Bhushan, K.; Gupta, B.B.: Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment. J. Ambient. Intell. Humaniz. Comput. 10(5), 1985–1997 (2019)
31. Bindra, N.; Sood, M.: Detecting DDoS attacks using machine learning techniques and contemporary intrusion detection dataset. Autom. Control. Comput. Sci. 53(5), 419–428 (2019)
32. Braga, R.; Mota, E.; Passito, A.: Lightweight DDoS flooding attack detection using nox/openflow. In: IEEE Local Computer Network Conference, pp. 408–415. IEEE (2010)
33. Bray, H.: Boston globe hit by denial of service attacks (2017). https://rb.gy/7fyzzi. Accessed 25 Sept 2022
34. Brown, C.; Cowperthwaite, A.; Hijazi, A.; et al.: Analysis of the 1999 darpa/lincoln laboratory ids evaluation data with netadhict. In: 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, pp. 1–7. IEEE (2009)
35. Buragohain, C.; Medhi, N.: Flowtrapp: An SDN based architecture for DDoS attack detection and mitigation in data centers. In: 2016 3rd International Conference on Signal Processing and Integrated Networks (SPIN), pp. 519–524. IEEE (2016)
36. CAIDA DDoS Attack Dataset (2007). https://www.caida.org/catalog/datasets/DDoS-20070804_dataset/. Accessed 11 Sept 2022
37. CAIDA DDoS Dataset: Caida the cooperative association for internet data analysis (2021). https://www.caida.org/. Accessed 11 Sept 2022
38. CAIDA OC48: The caida oc48 peering point traces (2008). https://www.caida.org/catalog/datasets/passive_oc48_dataset/. Accessed 11 Sept 2022
39. CIC-DDoS2019: DDoS evaluation dataset (2019). https://www.unb.ca/cic/datasets/DDoS-2019.html. Accessed 11 Sept 2022
40. CIC-DoS2017 (2017) Cic dos dataset (2017). https://www.unb.ca/cic/datasets/dos-dataset.html. Accessed 11 Sept 2022
41. CIC-IDS2017: Intrusion detection evaluation dataset (CIC-IDS2017) (2017). https://www.unb.ca/cic/datasets/ids-2017.html. Accessed 11 Sept 2022
42. CTU-13 Dataset: A labeled dataset with botnet, normal and background traffic (2011). https://www.stratosphereips.org/datasets-ctu13. Accessed 11 Sept 2022
43. Canadian Institute for Cybersecurity: Cse-cic-ids2018 on aws (2018). https://www.unb.ca/cic/datasets/ids-2018.html. Accessed 11 Sept 2022
44. Chen, W.; Xiao, S.; Liu, L.; et al.: A DDoS attacks traceback scheme for SDN-based smart city. Comput. Electr. Eng. 81(106), 503 (2020)
45. Chen, C.C.; Chen, Y.R.; Lu, W.C.; et al.: Detecting amplification attacks with software defined networking. In: 2017 IEEE Conference on Dependable and Secure Computing, pp. 195–201. IEEE (2017)
46. Chen, Z.; Jiang, F.; Cheng, Y.; et al.: Xgboost classifier for DDoS attack detection and analysis in SDN-based cloud. In: 2018 IEEE International Conference on Big Data and Smart Computing (BigComp), pp. 251–256. IEEE (2018)
47. Cheng, H.; Liu, J.; Xu, T.; et al.: Machine learning based low-rate DDoS attack detection for SDN enabled IoT networks. Int. J. Sensor Netw. 34(1), 56–69 (2020)
48. Chowdhury, S.; Khanzadeh, M.; Akula, R.; et al.: Botnet detection using graph-based feature clustering. J. Big Data 4(1), 1–23 (2017)


49. Cluley, G.: Uk national lottery knocked offline by DDoS attack (2017). https://www.welivesecurity.com/2017/10/02/uk-national-lottery-DDoS-attack/. Accessed 11 Sept 2022
50. Cui, Y.; Qian, Q.; Guo, C.; et al.: Towards DDoS detection mechanisms in software-defined networking. J. Netw. Comput. Appl. 190(103), 156 (2021)
51. Cui, J.; Wang, M.; Luo, Y.; et al.: DDoS detection and defense mechanism based on cognitive-inspired computing in SDN. Futur. Gener. Comput. Syst. 97, 275–283 (2019)
52. Cui, Y.; Yan, L.; Li, S.; et al.: SD-anti-DDoS: fast and efficient DDoS defense in software-defined networks. J. Netw. Comput. Appl. 68, 65–79 (2016)
53. Cui, J.; He, J.; Xu, Y.; et al.: Tddad: time-based detection and defense scheme against DDoS attack on SDN controller. In: Australasian Conference on Information Security and Privacy, pp. 649–665. Springer (2018)
54. DARPA IDS: Darpa intrusion detection evaluation dataset (1998). https://www.ll.mit.edu/r-d/datasets/1998-darpa-intrusion-detection-evaluation-dataset. Accessed 11 Sept 2022
55. DARPA IDS: Darpa intrusion detection evaluation (1999). https://archive.ll.mit.edu/ideval/docs/attackDB.html. Accessed 11 Sept 2022
56. DARPA IDS: Darpa intrusion detection scenario specific datasets (2000). https://t.ly/6vJf. Accessed 11 Sept 2022
57. Dake, D.K.; Gadze, J.D.; Klogo, G.S.: DDoS and flash event detection in higher bandwidth SDN-IoT using multiagent reinforcement learning. In: 2021 International Conference on Computing. Computational Modelling and Applications (ICCMA), pp. 16–20. IEEE (2021)
58. Dayal, N.; Maity, P.; Srivastava, S.; et al.: Research trends in security and DDoS in SDN. Secur. Commun. Netw. 9(18), 6386–6411 (2016)
59. Dayal, N.; Srivastava, S.: SD-wan flood tracer: tracking the entry points of DDoS attack flows in wan. Comput. Netw. 186(107), 813 (2021)
60. Dayal, N.; Srivastava, S.: Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN. In: 2017 9th International Conference on Communication Systems and Networks (COMSNETS), pp. 274–281. IEEE (2017)
61. Dayal, N.; Srivastava, S.: Leveraging SDN for early detection and mitigation of DDoS attacks. In: International Conference on Communication Systems and Networks, pp. 52–75. Springer (2018)
62. da Silva, A.S.; Wickboldt, J.A.; Granville, L.Z.; et al.: Atlantic: A framework for anomaly traffic detection, classification, and mitigation in SDN. In: NOMS 2016-2016 IEEE/IFIP Network Operations and Management Symposium, pp. 27–35. IEEE (2016)
63. De Assis, M.V.; Carvalho, L.F.; Rodrigues, J.J.; et al.: Near real-time security system applied to SDN environments in IoT networks using convolutional neural network. Comput. Electr. Eng. 86(106), 738 (2020)
64. Deepa, V.; Sudar, K.M.; Deepalakshmi, P.: Detection of DDoS attack on SDN control plane using hybrid machine learning techniques. In: 2018 International Conference on Smart Systems and Inventive Technology (ICSSIT), pp. 299–303. IEEE (2018)
65. Deepa, V.; Sudar, K.M.; Deepalakshmi, P.: Design of ensemble learning methods for DDoS detection in SDN environment. In: 2019 International Conference on Vision Towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6. IEEE (2019)
66. Dehkordi, A.B.; Soltanaghaei, M.; Boroujeni, F.Z.: The DDoS attacks detection through machine learning and statistical methods in SDN. J. Supercomput. 77(3), 2383–2415 (2021)
67. Devendra: DDoS dataset (2019). https://www.kaggle.com/devendra416/DDoS-datasets. Accessed 11 Sept 2022
68. Dong, S.; Abbas, K.; Jain, R.: A survey on distributed denial of service (DDoS) attacks in SDN and cloud computing environments. IEEE Access 7, 80,813-80,828 (2019)
69. Dong, S.; Sarem, M.: DDoS attack detection method based on improved KNN with the degree of DDoS attack in software-defined networks. IEEE Access 8, 5039–5048 (2019)
70. Dridi, L.; Zhani, M.F.: SDN-guard: DoS attacks mitigation in SDN networks. In: 2016 5th IEEE International Conference on Cloud Networking (Cloudnet), pp. 212–217. IEEE (2016)
71. Elsayed, M.S.; Le-Khac, N.A.; Jurcut, A.D.: InSDN: a novel SDN intrusion dataset. IEEE Access 8, 165,263-165,284 (2020)
72. Fajar, A.P.; Purboyo, T.W.: A survey paper of distributed denial-of-service attack in software defined networking (SDN). Int. J. Appl. Eng. Res. 13(1), 476–82 (2018)
73. Ferrag, M.A.; Friha, O.; Hamouda, D.; et al.: Edge-IIoTset: a new comprehensive realistic cyber security dataset of IoT and IIoT applications for centralized and federated learning. IEEE Access 10, 40,281-40,306 (2022). https://doi.org/10.1109/ACCESS.2022.3165809
74. Firdaus, D.; Munadi, R.; Purwanto, Y.: DDoS attack detection in software defined network using ensemble k-means++ and random forest. In: 2020 3rd International Seminar on Research of Information Technology and Intelligent Systems (ISRITI), pp. 164–169. IEEE (2020)
75. Gadallah, W.G.; Omar, N.M.; Ibrahim, H.M.: Machine learning-based distributed denial of service attacks detection technique using new features in software-defined networks. Int. J. Comput. Netw. Inf. Secur. (IJCNIS) 13(3), 15–27 (2021)
76. Gadze, J.D.; Bamfo-Asante, A.A.; Agyemang, J.O.; et al.: An investigation into the application of deep learning in the detection and mitigation of DDoS attack on SDN controllers. Technologies 9(1), 14 (2021)
77. Gao, D.; Liu, Z.; Liu, Y.; et al.: Defending against packet-in messages flooding attack under SDN context. Soft. Comput. 22(20), 6797–6809 (2018)
78. Gharvirian, F.; Bohlooli, A.: Neural network based protection of software defined network controller against distributed denial of service attacks. Int. J. Eng. 30(11), 1714–1722 (2017)
79. Guozi, S.; Jiang, W.; Yu, G.; et al.: DDoS attacks and flash event detection based on flow characteristics in SDN. In: 2018 15th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS), pp. 1–6. IEEE (2018)
80. Gupta, S.; Grover, D.: A comprehensive review on detection of DDoS attacks using ml in SDN environment. In: 2021 International Conference on Artificial Intelligence and Smart Systems (ICAIS), pp. 1158–1163. IEEE (2021)
81. Guru: Largest https DDoS attack on record—26 million request per second (2022). https://cybersecuritynews.com/largest-https-DDoS-attack/. Accessed 11 Sept 2022
82. Gurusamy, U.; MSK, M.: Detection and mitigation of UDP flooding attack in a multicontroller software defined network using secure flow management model. Concurr. Comput. Pract. Exp. 31(20), e5326 (2019)
83. Haider, W.; Hu, J.; Slay, J.; et al.: Generating realistic intrusion detection system dataset based on fuzzy qualitative modeling. J. Netw. Comput. Appl. 87, 185–192 (2017)
84. Haider, S.; Akhunzada, A.; Ahmed, G.; et al.: Deep learning based ensemble convolutional neural network solution for distributed denial of service detection in SDNs. In: 2019 UK/China Emerging Technologies (UCET), pp. 1–4. IEEE (2019)
85. Hameed, S.; Ahmed Khan, H.: SDN based collaborative scheme for mitigation of DDoS attacks. Future Internet 10(3), 23 (2018)
86. Han, T.; Jan, S.R.U.; Tan, Z.; et al.: A comprehensive survey of security threats and their mitigation techniques for next-generation SDN controllers. Concurr. Comput. Pract. Exp. 32(16), e5300 (2020)


87. Hannache, O.; Batouche, M.C.: Neural network-based approach for detection and mitigation of DDoS attacks in SDN environments. Int. J. Inf. Secur. Privacy (IJISP) 14(3), 50–71 (2020)
88. He, D.; Chan, S.; Ni, X.; et al.: Software-defined-networking-enabled traffic anomaly detection and mitigation. IEEE Internet Things J. 4(6), 1890–1898 (2017)
89. Hong, K.; Kim, Y.; Choi, H.; et al.: SDN-assisted slow http DDoS attack defense method. IEEE Commun. Lett. 22(4), 688–691 (2017)
90. Hu, D.; Hong, P.; Chen, Y.: FADM: DDoS flooding attack detection and mitigation system in software-defined networking. In: GLOBECOM 2017-2017 IEEE Global Communications Conference, pp. 1–7. IEEE (2017)
91. Hurley, T.; Perdomo, J.E.; Perez-Pons, A.: HMM-based intrusion detection system for software defined networking. In: 2016 15th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 617–621. IEEE (2016)
92. ISOT: Datasets (2010). https://www.uvic.ca/ecs/ece/isot/datasets/index.php. Accessed 11 Sept 2022
93. Imran, M.; Durad, M.H.; Khan, F.A.; et al.: Toward an optimal solution against denial of service attacks in software defined networks. Future Gener. Comput. Syst. 92, 444–453 (2019)
94. Irish government website attack: Irish government websites temporarily offline due to cyber-attack (2016). https://www.bbc.com/news/world-europe-35379817. Accessed 11 Sept 2022
95. Javeed, D.; Gao, T.; Khan, M.T.: SDN-enabled hybrid dl-driven framework for the detection of emerging cyber threats in IoT. Electronics 10(8), 918 (2021)
96. Jazi, H.H.; Gonzalez, H.; Stakhanova, N.; et al.: Detecting http-based application layer dos attacks on web servers in the presence of sampling. Comput. Netw. 121, 25–36 (2017)
97. Jiang, Y.; Zhang, X.; Zhou, Q.; et al.: An entropy-based DDoS defense mechanism in software defined networks. In: International Conference on Communications and Networking in China, pp. 169–178. Springer (2016)
98. Jose, T.; Kurian, J.: Survey on SDN security mechanisms. Int. J. Comput. Appl. 132(14), 0975–8887 (2015)
99. Jose, A.S.; Nair, L.R.; Paul, V.: Towards detecting flooding DDoS attacks over software defined networks using machine learning techniques. Rev. Geintec Gestao Inov. E Tecnolog. 11(4), 3837–3865 (2021)
100. Joëlle, M.M.; Park, Y.H.: Strategies for detecting and mitigating DDoS attacks in SDN: a survey. J. Intell. Fuzzy Syst. 35(6), 5913–5925 (2018)
101. KDD-Cup99 Dataset (1999). http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html. Accessed 11 Sept 2022
102. Kalkan, K.; Altay, L.; Gür, G.; et al.: Jess: joint entropy-based DDoS defense scheme in SDN. IEEE J. Sel. Areas Commun. 36(10), 2358–2372 (2018)
103. Kalkan, K.; Gur, G.; Alagoz, F.: Defense mechanisms against DDoS attacks in SDN environment. IEEE Commun. Mag. 55(9), 175–179 (2017)
104. Karan, B.; Narayan, D.; Hiremath, P.: Detection of DDoS attacks in software defined networks. In: 2018 3rd International Conference on Computational Systems and Information Technology for Sustainable Solutions (CSITSS), pp. 265–270. IEEE (2018)
105. Karnani, S.; Shakya, H.K.: Mitigation strategies for distributed denial of service (DDoS) in SDN: a survey and taxonomy. Inf. Secur. J. Glob. Perspect. 7, 1–25 (2022)
106. Kaur, S.; Kumar, K.; Aggarwal, N.; et al.: A comprehensive survey of DDoS defense solutions in SDN: taxonomy, research challenges, and future directions. Comput. Secur. 110(102), 423 (2021)
107. Kaur, A.; Bhandari, A.: Detection and mitigation of spoofing attacks by using SDN in LAN. In: Proceedings of Sixth International Conference on Soft Computing for Problem Solving, pp. 240–247. Springer (2017)
108. Kaur, G.; Gupta, P.: Hybrid approach for detecting DDoS attacks in software defined networks. In: 2019 Twelfth International Conference on Contemporary Computing (IC3), pp. 1–6. IEEE (2019)
109. Kerner, S.M.: The 100 Gbps DDoS attack that no one saw (2013). https://www.silicon.co.uk/workspace/the-100gbps-DDoS-attack-that-no-one-saw-128565. Accessed 10 May 2023
110. Khandelwal, S.: World’s largest 1 Tbps DDoS attack launched from 152,000 hacked smart devices (2016). https://t.ly/CZPA. Accessed 10 May 2023
111. Khashab, F.; Moubarak, J.; Feghali, A.; et al.: DDoS attack detection and mitigation in SDN using machine learning. In: 2021 IEEE 7th International Conference on Network Softwarization (NetSoft), pp. 395–401. IEEE (2021)
112. Khedr, W.I.; Gouda, A.E.; Mohamed, E.R.: FMDADM: a multi-layer DDoS attack detection and mitigation framework using machine learning for stateful SDN-based IoT networks. IEEE Access 11, 28,934-28,954 (2023)
113. Khooi, X.Z.; Csikor, L.; Kang, M.S.; et al.: In-network defense against AR-DDoS attacks. In: Proceedings of the SIGCOMM’20 Poster and Demo Sessions, pp. 18–20. ACM (2020)
114. Kim, S.; Lee, S.; Cho, G.; et al.: Preventing DNS amplification attacks using the history of DNS queries with SDN. In: European Symposium on Research in Computer Security, pp. 135–152. Springer (2017)
115. Klymash, M.; Shpur, O.; Peleh, N.; et al.: Concept of intelligent detection of DDoS attacks in SDN networks using machine learning. In: 2020 IEEE International Conference on Problems of Infocommunications. Science and Technology (PIC S&T), pp. 609–612. IEEE (2020)
116. Kokila, R.; Selvi, S.T.; Govindarajan, K.: DDoS detection and analysis in SDN-based environment using support vector machine classifier. In: 2014 Sixth International Conference on Advanced Computing (ICoAC), pp. 205–210. IEEE (2014)
117. Koroniotis, N.; Moustafa, N.; Sitnikova, E.; et al.: Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Bot-IoT dataset. Future Gener. Comput. Syst. 100, 779–796 (2019)
118. Kotb, S.E.; El-Dien, H.A.T.; Eldien, A.S.T.: SGuard: Machine learning-based distributed denial-of-service detection scheme for software defined network. In: 2021 International Mobile, Intelligent, and Ubiquitous Computing Conference (MIUCC), pp. 251–257. IEEE (2021)
119. Kottler, S.: February 28th DDoS incident report (2018). https://github.blog/2018-03-01-DDoS-incident-report/. Accessed 11 Sept 2022
120. Kousar, H.; Mulla, M.M.; Shettar, P.; et al.: Detection of DDoS attacks in software defined network using decision tree. In: 2021 10th IEEE International Conference on Communication Systems and Network Technologies (CSNT), pp. 783–788. IEEE (2021)
121. Kumar, P.; Tripathi, M.; Nehra, A.; et al.: SAFETY: early detection and mitigation of TCP SYN flood utilizing entropy in SDN. IEEE Trans. Netw. Serv. Manag. 15(4), 1545–1559 (2018)
122. Kumar Singh, V.: DDoS attack detection and mitigation using statistical and machine learning methods in SDN. PhD thesis, Dublin, National College of Ireland, Ireland (2020)
123. Kumbam, Y.R.: Apa-DDoS dataset (2020). https://www.kaggle.com/yashwanthkumbam/apaDDoS-dataset. Accessed 11 Sept 2022
124. Kyaw, A.T.; Oo, M.Z.; Khin, C.S.: Machine-learning based DDoS attack classifier in software defined network. In: 2020 17th International Conference on Electrical Engineering/Electronics.

123
Arabian Journal for Science and Engineering

Computer, Telecommunications and Information Technology International Conference on Trust, Security and Privacy in Com-
(ECTI-CON), pp. 431–434. IEEE (2020) puting and Communications/12th IEEE International Conference
125. Laboratory, L.: 1999 darpa intrusion detection evaluation on Big Data Science and Engineering (TrustCom/BigDataSE),
dataset (1999). https://www.ll.mit.edu/r-d/datasets/1999-darpa- pp. 237–243. IEEE (2018)
intrusion-detection-evaluation-dataset. Accessed 11 Sept 2022 144. Masolo, C.: Cloudflare detects a record 71 million request-per-
126. Latah, M.; Toker, L.: Towards an efficient anomaly-based intru- second DDoS attack (2023). https://www.infoq.com/news/2023/
sion detection for software-defined networks. IET Netw 7(6), 02/cloudflare-DDoS-attack/. Accessed 10 May 2023
453–459 (2018) 145. McHugh, J.: Testing intrusion detection systems: a critique of the
127. Le, D.; Dao, M.; Nguyen, Q.: Comparison of machine learn- 1998 and 1999 darpa intrusion detection system evaluations as
ing algorithms for DDoS attack detection in SDN. Inf. Con- performed by lincoln laboratory. ACM Trans. Inf. Syst. Secur.
trol Syst./Informazionno-Upravlyaushie Sistemy 106(3), 59–70 (TISSEC) 3(4), 262–294 (2000)
(2020) 146. McKeown, N.; Anderson, T.; Balakrishnan, H.; et al.: Openflow:
128. Lee, K.; Kim, J.; Kwon, K.H.; et al.: DDoS attack detec- enabling innovation in campus networks. ACM SIGCOMM Com-
tion method using cluster analysis. Expert Syst. Appl. 34(3), put. Commun. Rev. 38(2), 69–74 (2008)
1659–1665 (2008) 147. Mehr, S.Y.; Ramamurthy, B.: An SVM based DDoS attack detec-
129. Li, C.; Wu, Y.; Yuan, X.; et al.: Detection and defense of DDoS tion method for Ryu SDN controller. In: Proceedings of the 15th
attack–based on deep learning in OpenFlow-based SDN. Int. J. International Conference on Emerging Networking Experiments
Commun Syst 31(5), e3497 (2018) and Technologies, pp. 72–73. ACM (2019)
130. Li, X.; Yuan, D.; Hu, H.; et al.: DDoS detection in SDN switches 148. Meitei, I.L.; Singh, K.J.; De, T.: Detection of DDoS DNS amplifi-
using support vector machine classifier. In: Proceedings of the cation attack using classification algorithm. In: Proceedings of the
2015 Joint International Mechanical, Electronic and Information International Conference on Informatics and Analytics, pp. 1–6.
Technology Conference, pp. 1–5. Atlantis Press (2015) ACM (2016)
131. Liang, X.; Znati, T.: A long short-term memory enabled frame- 149. Meti, N.; Narayan, D.; Baligar, V.: Detection of distributed
work for DDoS detection. In: 2019 IEEE Global Communications denial of service attacks using machine learning algorithms in
Conference (GLOBECOM), pp. 1–6. IEEE (2019) software defined networks. In: 2017 International Conference
132. Lin, C.H.; Li, C.Y.; Wang, K.: Setting malicious flow entries on Advances in Computing, Communications and Informatics
against SDN operations: attacks and countermeasures. In: 2018 (ICACCI), pp. 1366–1371. IEEE (2017)
IEEE Conference on Dependable and Secure Computing (DSC), 150. Mhamdi, L.; McLernon, D.; El-moussa, F.; et al.: A deep learning
pp. 1–8. IEEE (2018) approach combining autoencoder with one-class SVM for DDoS
133. Liu, Z.; He, Y.; Wang, W.; et al.: DDoS attack detection scheme attack detection in SDNs. In: 2020 IEEE Eighth International Con-
based on entropy and PSO-BP neural network in SDN. China ference on Communications and Networking (ComNet), pp. 1–6.
Commun. 16(7), 144–155 (2019) IEEE (2020)
134. Liu, J.; Lai, Y.; Zhang, S.: Fl-guard: A detection and defense 151. Mihai-Gabriel, I.; Victor-Valeriu, P.: Achieving DDoS resiliency
system for DDoS attack in SDN. In: Proceedings of the 2017 in a software defined network by intelligent risk assessment based
International Conference on Cryptography, Security and Privacy, on neural networks and danger theory. In: 2014 IEEE 15th Interna-
pp. 107–111. ACM (2017) tional Symposium on Computational Intelligence and Informatics
135. Liu, Y.; Dong, M.; Ota, K.; et al.: Deep reinforcement learning (CINTI), pp. 319–324. IEEE (2014)
based smart mitigation of DDoS flooding in software-defined net- 152. Min, J.; Yuejie, S.; Qing, G.; et al.: DDoS attack detection method
works. In: 2018 IEEE 23rd International Workshop on Computer for space-based network based on SDN architecture. ZTE Com-
Aided Modeling and Design of Communication Links and Net- mun. 18(4), 18–25 (2021)
works (CAMAD), pp. 1–6. IEEE (2018) 153. Mishra, A.; Gupta, N.; Gupta, B.: Defense mechanisms against
136. LongTail: Longtail log analysis (2021). http://longtail.it.marist. DDoS attack based on entropy in SDN-cloud using pox controller.
edu/honey/. Accessed 10 May 2023 Telecommun. Syst. 77(1), 47–62 (2021)
137. Luong, T.K.; Tran, T.D.; Le, G.T.: DDoS attack detection and 154. Mohammed, S.S.; Hussain, R.; Senko, O.; et al.: A new machine
defense in SDN based on machine learning. In: 2020 7th NAFOS- learning-based collaborative DDoS mitigation mechanism in
TED Conference on Information and Computer Science (NICS), software-defined network. In: 2018 14th International Conference
pp. 31–35. IEEE (2020) on Wireless and Mobile Computing. Networking and Communi-
138. M.S.: DDoS botnet attack on IoT devices (2020) . https:// cations (WiMob), pp. 1–8. IEEE (2018)
www.kaggle.com/siddharthm1698/DDoS-botnet-attack-on-IoT- 155. Mowla, N.I.; Doh, I.; Chae, K.: CSDSM: cognitive switch-based
devices. Accessed 11 Sept 2022 DDoS sensing and mitigation in SDN-driven CDNi word. Com-
139. Mahrach, S.; Haqiq, A.: DDoS flooding attack mitigation in soft- put. Sci. Inf. Syst. 15(1), 163–185 (2018)
ware defined networks. Int. J. Adv. Comput. Sci. Appl. 11(1), 156. Musil, S.: Record-breaking DDoS attack in Europe hits 400Gbps.
693–700 (2020) (2014). https://t.ly/AdUK. Accessed 11 July 2022
140. Makuvaza, A.; Jat, D.S.; Gamundani, A.M.: Deep neural network 157. Musumeci, F.; Ionata, V.; Paolucci, F.; et al.: Machine-learning-
(DNN) solution for real-time detection of distributed denial of assisted DDoS attack detection with p4 language. In: ICC 2020-
service (DDoS) attacks in software defined networks (SDNs). SN 2020 IEEE International Conference on Communications (ICC),
Comput. Sci. 2(2), 1–10 (2021) pp. 1–6. IEEE (2020)
141. Malik, J.; Akhunzada, A.; Bibi, I.; et al.: Hybrid deep learning: an 158. Mwanza, N.P.; Kalita, J.: Detecting DDoS attacks in software
efficient reconnaissance and surveillance detection mechanism in defined networks using deep learning techniques: a survey. Int. J.
SDN. IEEE Access 8, 134,695-134,706 (2020) Netw. Secur. 25(2), 360–376 (2023)
142. Manso, P.; Moura, J.; Serrão, C.: SDN-based intrusion detection 159. Myint Oo. M.; Kamolphiwong. S.; Kamolphiwong, T.; et al.:
system for early detection and mitigation of DDoS attacks. Infor- Advanced support vector machine-(ASVM-) based detection for
mation 10(3), 106 (2019) distributed denial of service (DDoS) attack on software defined
143. Mao, J.; Deng, W.; Shen, F.: DDoS flooding attack detection based networking (SDN). J. Comput. Netw. Commun. (2019)
on joint-entropy with multiple traffic features. In: 2018 17th IEEE 160. Nam, T.M.; Phong, P.H.; Khoa, T.D.; et al.: Self-organizing
map-based approaches in DDoS flooding detection using SDN.

123
Arabian Journal for Science and Engineering

In: 2018 International Conference on Information Networking 178. Pitropakis, N.; Panaousis, E.; Giannetsos, T.; et al.: A taxonomy
(ICOIN), pp. 249–254. IEEE (2018) and survey of attacks against machine learning. Comput. Sci. Rev.
161. Nanda, S.; Zafari, F.; DeCusatis, C.; et al.: Predicting network 34(100), 199 (2019)
attack patterns in SDN using machine learning approach. In: 2016 179. Polat, H.; Polat, O.; Cetin, A.: Detecting DDoS attacks in
IEEE Conference on Network Function Virtualization and Soft- software-defined networks through feature selection methods and
ware Defined Networks (NFV-SDN), pp. 167–172. IEEE (2016) machine learning models. Sustainability 12(3), 1035 (2020)
162. Nisha Ahuja DMGaurav Singal.: DDoS attack SDN dataset 180. Polat, H.; Turkoglu, M.; Polat, O.: Deep network approach with
(2020). https://data.mendeley.com/datasets/jxpfjc64kr/1. stacked sparse autoencoders in detection of DDoS attacks on
Accessed 11 Sept 2022 SDN-based VANET. IET Commun. 14(22), 4089–4100 (2021)
163. Niyaz, Q.; Sun, W.; Javaid, A.Y.: A deep learning based DDoS 181. Pradeepa, R.; Pushpalatha, M.: IPR: Intelligent Proactive Routing
detection system in software-defined networking (SDN) (2016). model toward DDoS attack handling in SDN. J. Supercomput.
arXiv preprint arXiv:1611.07400 77(11), 12,355-12,381 (2021)
164. Novaes, M.P.; Carvalho, L.F.; Lloret, J.; et al.: Long short-term 182. Prakash, A.; Priyadarshini, R.: An intelligent software defined net-
memory and fuzzy logic for anomaly detection and mitigation in work controller for preventing distributed denial of service attack.
software-defined network environment. IEEE Access 8, 83,765- In: 2018 Second International Conference on Inventive Communi-
83,781 (2020) cation and Computational Technologies (ICICCT), pp. 585–589.
165. Novaes, M.P.; Carvalho, L.F.; Lloret, J.; et al.: Adversarial deep IEEE (2018)
learning approach detection and defense against DDoS attacks in 183. Prasad, M.D.; Babu, V.P.; Amarnath, C.: Machine learning DDoS
SDN environments. Future Gener. Comput. Syst. 125, 156–167 detection using stochastic gradient boosting. Int. J. Comput. Sci.
(2021) Eng. 7(4), 157–16 (2019)
166. Nugraha, M.; Paramita, I.; Musa, A.; et al.: Utilizing OpenFlow 184. Priyadarshini, R.; Barik, R.K.: A deep learning based intelligent
and sFlow to detect and mitigate SYN flooding attack. J. Korea framework to mitigate DDoS attack in fog environment. J. King
Multimedia Soc. 17(8), 988–994 (2014) Saud Univ. Comput. Inf. Sci. 34, 825–831 (2019)
167. Nugraha, B.; Murthy, R.N.: Deep learning-based slow DDoS 185. Radware: DDoS attacks history (2017). https://www.radware.
attack detection in SDN-based networks. In: 2020 IEEE Confer- com/security/DDoS-knowledge-center/DDoS-chronicles/DDoS-
ence on Network Function Virtualization and Software Defined attacks-history/. Accessed 10 May 2023
Networks (NFV-SDN), pp. 51–56. IEEE (2020) 186. Rahman, O.; Quraishi, M.A.G.; Lung, C.H.: DDoS attacks detec-
168. Nugraha, B.; Kulkarni, N.; Gopikrishnan, A.: Detecting adver- tion and mitigation in SDN using machine learning. In: 2019 IEEE
sarial DDoS attacks in software-defined networking using deep World Congress on Services (SERVICES), pp. 184–189. IEEE
learning techniques and adversarial training. In: 2021 IEEE Inter- (2019)
national Conference on Cyber Security and Resilience (CSR), 187. Ramprasath, J.; Seethalakshmi, V.: Improved network monitor-
pp. 448–454. IEEE (2021) ing using software-defined networking for DDoS detection and
169. Nurwarsito, H.; Nadhif, M.F.: DDoS attack early detection and mitigation evaluation. Wirel. Pers. Commun. 116(3), 2743–2757
mitigation system on SDN using random forest algorithm and Ryu (2021)
framework. In: 2021 8th International Conference on Computer 188. Revathi, M.; Ramalingam, V.; Amutha, B.: A machine learning
and Communication Engineering (ICCCE), pp. 178–183. IEEE based detection and mitigation of the DDoS attack by using SDN
(2021) controller framework. Wirel. Pers. Commun. 1–25 (2021)
170. Oo, M.M.; Kamolphiwong, S.; Kamolphiwong, T.: The design 189. Russian Website attack: Russian Defense Ministry’s website suf-
of SDN based detection for distributed denial of service (DDoS) fers DDoS attacks during poll for new weapons names (2018).
attack. In: 2017 21st International Computer Science and Engi- https://tass.com/defense/995686. Accessed 11 Sept 2022
neering Conference (ICSEC), pp. 1–5. IEEE (2017) 190. SDN Report: Software-defined networking market (2020).
171. Osborne, H.: Hsbc suffers online banking cyber-attack https://www.marketsandmarkets.com/Market-Reports/software-
(2016). https://www.theguardian.com/money/2016/jan/29/hsbc- defined-networking-SDN-market-655.html. Accessed 11 Sept
online-banking-cyber-attack. Accessed 11 Aug 2022 2022
172. Paganini, P.: Sucuri spotted a large botnet of CCTV 191. Sahoo, K.S.; Panda, S.K.; Sahoo, S.; et al.: Toward secure
devices involved in DDoS attacks (2016). https://securityaffairs. software-defined networks against distributed denial of service
co/wordpress/48807/IoT/cctv-devices-DDoS.html. Accessed 16 attack. J. Supercomput. 75(8), 4829–4874 (2019)
Aug 2022 192. Sahoo, K.S.; Puthal, D.; Tiwary, M.; et al.: An early detection of
173. Pajila, P.B.; Julie, E.G.: Detection of DDoS attack using SDN in low rate DDoS attack to SDN based data center networks using
IoT: A survey. In: Intelligent Communication Technologies and information distance metrics. Future Gener. Comput. Syst. 89,
Virtual Mobile Networks, pp. 438–452. Springer (2019) 685–697 (2018)
174. Panigrahi, R.; Borah, S.: A detailed analysis of CICIDS2017 193. Sahoo, K.S.; Tripathy, B.K.; Naik, K.; et al.: An evolutionary SVM
dataset for designing Intrusion detection systems. Int. J. Eng. model for DDoS attack detection in software defined networks.
Technol. 7(3.24), 479–482 (2018) IEEE Access 8, 132,502-132,513 (2020)
175. Perez-Diaz, J.A.; Valdovinos, I.A.; Choo, K.K.R.; et al.: A flexible 194. Sahoo, K.S.; Iqbal, A.; Maiti, P.; et al.: A machine learn-
SDN-based architecture for identifying and mitigating low-rate ing approach for predicting DDoS traffic in software defined
DDoS attacks using machine learning. IEEE Access 8, 155,859- networks. In: 2018 International Conference on Information Tech-
155,872 (2020) nology (ICIT), pp. 199–203. IEEE (2018)
176. Phan, T.V.; Park, M.: Efficient distributed denial-of-service attack 195. Sahoo, K.S.; Tiwary, M.; Sahoo, S.; et al.: A learning automata-
defense in SDN-based cloud. IEEE Access 7, 18,701-18,714 based DDoS attack defense mechanism in software defined
(2019) networks. In: Proceedings of the 24th Annual International Con-
177. Phan, T.V.; Gias, T.R.; Islam, S.T.; et al.: Q-MIND: defeating ference on Mobile Computing and Networking, pp. 795–797.
stealthy DoS attacks in SDN with a machine-learning based ACM (2018)
defense framework. In: 2019 IEEE Global Communications Con- 196. Sahri, N.; Okamura, K.: Protecting DNS services from IP spoof-
ference (GLOBECOM), pp. 1–6. IEEE (2019) ing: SDN collaborative authentication approach. In: Proceedings

123
Arabian Journal for Science and Engineering

of the 11th International Conference on Future Internet Technolo- 215. Stolfo, S.J.; Fan, W.; Lee, W.; et al.: Cost-based modeling for
gies, pp. 83–89. ACM (2016) fraud and intrusion detection: Results from the jam project. In:
197. Sangodoyin, A.O.; Akinsolu, M.O.; Pillai, P.; et al.: Detection Proceedings DARPA Information Survivability Conference and
and classification of DDoS flooding attacks on software-defined Exposition. DISCEX’00, pp. 130–144. IEEE (2000)
networks: a case study for the application of machine learning. 216. Sudar, K.M.; Beulah, M.; Deepalakshmi, P.; et al.: Detection of
IEEE Access 9, 122,495-122,508 (2021) distributed denial of service attacks in SDN using machine learn-
198. Sanjeetha, R.; Raj, A.; Saivenu, K.; et al.: Detection and mitigation ing techniques. In: 2021 International Conference on Computer
of botnet based DDoS attacks using catboost machine learning Communication and Informatics (ICCCI), pp. 1–5. IEEE (2021)
algorithm in SDN environment. Int. J. Adv. Technol. Eng. Explor. 217. Sun, W.; Li, Y.; Guan, S.: An improved method of DDoS attack
8(76), 445 (2021) detection for controller of SDN. In: 2019 IEEE 2nd International
199. Santos, R.; Souza, D.; Santo, W.; et al.: Machine learning algo- Conference on Computer and Communication Engineering Tech-
rithms to detect DDoS attacks in SDN. Concurr. Comput. Pract. nology (CCET), pp. 249–253. IEEE (2019)
Exp. 32(16), e5402 (2020) 218. Swami, R.; Dave, M.; Ranga, V.: Software-defined networking-
200. El Sayed, M.S.; Le-Khac, N.A.; Azer, M.A.; et al.: A flow-based based DDoS defense mechanisms. ACM Comput. Surv. (CSUR)
anomaly detection approach with feature selection method against 52(2), 1–36 (2019)
DDoS attacks in SDNs. IEEE Trans. Cogn. Commun. Netw. 8(4), 219. Swami, R.; Dave, M.; Ranga, V.: Voting-based intrusion detec-
1862–1880 (2022) tion framework for securing software-defined networks. Concurr.
201. Scaranti, G.F.; Carvalho, L.F.; Junior, S.B.; et al.: Unsupervised Comput. Pract. Exp. 32(24), e5927 (2020)
online anomaly detection in software defined network environ- 220. Swami, R.; Dave, M.; Ranga, V.: Detection and analysis of TCP-
ments. Expert Syst. Appl. 191(116), 225 (2022) SYN DDoS attack in software-defined networking. Wirel. Pers.
202. Sen, S.; Gupta, K.D.; Ahsan, M.; et al.: Leveraging machine learn- Commun. 118(4), 2295–2317 (2021)
ing approach to setup software-defined network (SDN) controller 221. Tan, L.; Pan, Y.; Wu, J.; et al.: A new framework for DDoS
rules during DDoS attack. In: Proceedings of International Joint attack detection and defense in SDN environment. IEEE Access
Conference on Computational Intelligence, pp. 49–60. Springer 8, 161,908-161,919 (2020)
(2020) 222. Tan, J.; Jing, S.; Guo, L.; et al.: DDoS detection method based
203. Shafi, Q.; Qaisar, S.; Basit, A.: Software defined machine learning on gini impurity and random forest in SDN environment. In:
based anomaly detection in fog based IoT network. In: Interna- 2021 International Conference on Security, Pattern Analysis, and
tional Conference on Computational Science and Its Applications, Cybernetics (SPAC), pp. 601–606. IEEE (2021)
pp. 611–621. Springer (2019) 223. Tang, Mhamdi, L.; McLernon, D.; et al.: Deep recurrent neural
204. Shahzad, F.; Khan, M.A.; Khan, S.A.; et al.: AutoDrop: automatic network for intrusion detection in SDN-based networks. In: 2018
DDoS detection and its mitigation with combination of Open- 4th IEEE Conference on Network Softwarization and Workshops
flow and Sflow. In: International Conference on Future Intelligent (NetSoft), pp. 202–206. IEEE (2018)
Vehicular Technologies, pp. 112–122. Springer (2016) 224. Tang, T.A.; Mhamdi, L.; McLernon, D.; et al.: Deep learning
205. Shani, T.: Updated: This DDoS attack unleashed the most packets approach for network intrusion detection in software defined net-
persecond ever. here’s why that’s important (2019) https://rb.gy/ working. In: 2016 international conference on wireless networks
t4cg9v. Accessed 11 Sept 2022 and mobile communications (WINCOM), pp. 258–263. IEEE
206. Sharafaldin, I.; Lashkari, A.H.; Ghorbani, A.A.: Toward gen- (2016)
erating a new intrusion detection dataset and intrusion traffic 225. Tannam, E.: DDoS attack takes down two election web-
characterization. ICISSp 1, 108–116 (2018) sites in czech republic (2017). https://www.siliconrepublic.com/
207. Shiravi, A.; Shiravi, H.; Tavallaee, M.; et al.: Toward developing a enterprise/czech-election-DDoS. Accessed 11 Sept 2021
systematic approach to generate benchmark datasets for intrusion 226. Tavallaee, M.; Bagheri, E.; Lu, W.; et al.: A detailed analysis of the
detection. Comput. Secur. 31(3), 357–374 (2012) kdd cup 99 data set. In: 2009 IEEE symposium on computational
208. Shohani, R.B.; Mostafavi, S.A.: Introducing a new linear regres- intelligence for security and defense applications, pp. 1–6. IEEE
sion based method for early DDoS attack detection in SDN. In: (2009)
2020 6th International Conference on Web Research (ICWR), 227. Tayfour, O.E.; Marsono, M.N.: Collaborative detection and mit-
pp. 126–132. IEEE (2020) igation of DDoS in software-defined networks. J. Supercomput.
209. SimpleWeb. Trace-simplewiki-the simpleweb (2010). https:// 1–25 (2021)
www.simpleweb.org/wiki/index.php/Traces. Accessed 11 Sept 228. Thai government websites attack: Thai government websites hit
2022 by denial-of-service attack (2015). https://www.bbc.com/news/
210. Singh, J.; Behal, S.: Detection and mitigation of DDoS attacks world-asia-34409343. Accessed 11 Sept 2022
in SDN: a comprehensive review, research challenges and future 229. Tonkal, Ö.; Polat, H.; Başaran, E.; et al.: Machine learning
directions. Comput. Sci. Rev. 37(100), 279 (2020) approach equipped with neighbourhood component analysis for
211. Singh, M.P.; Bhandari, A.: New-flow based DDoS attacks in SDN: DDoS attack detection in software-defined networking. Electron-
taxonomy, rationales, and research challenges. Comput. Com- ics 10(11), 1227 (2021)
mun. 154, 509–527 (2020) 230. Tuan, N.N.; Hung, P.H.; Nghia, N.D.; et al.: A DDoS attack miti-
212. Singh, P.K.; Jha, S.K.; Nandi, S.K.; et al.: ML-based approach gation scheme in ISP networks using machine learning based on
to detect DDoS attack in V2I communication under SDN archi- SDN. Electronics 9(3), 413 (2020)
tecture. In: TENCON 2018-2018 IEEE Region 10 Conference, 231. Tuan, N.N.; Hung, P.H.; Nghia, N.D.; et al.: A robust TCP-SYN
pp. 0144–0149. IEEE (2018) flood mitigation scheme using machine learning based on SDN.
213. Singh, S.; Jayakumar, S.: Twin security model—a machine In: 2019 International Conference on Information and Commu-
learning-based approach for DDoS attack detection in SDN. In: nication Technology Convergence (ICTC), pp. 363–368. IEEE
International Conference on Soft Computing and Signal Process- (2019)
ing. Springer, pp. 53–62 (2019) 232. Tufa, S.W.; Mengstie, M.; Gebregziabher, H.; et al.: Detecting
214. Song, J.; Takakura, H.; Okabe, Y.: Description of kyoto uni- DDoS attack using adaptive boosting with software defined net-
versity benchmark data (2006). http://www.takakura.com/Kyoto_ work in cloud computing environment. Rev. Geintec Gestao Inov.
data/BenchmarkData-Description-v5.pdf. Accessed 15 Mar 2016 E Tecnolog.. 11(4), 3485–3494 (2021)

123
Arabian Journal for Science and Engineering

233. Tung, L.: New world record DDoS attack hits 1.7 tbps days after com/technology/2016/oct/26/DDoS-attack-dyn-mirai-botnet.
landmark github outage (2018). https://t.ly/EJ1L. Accessed 11 Accessed 25 Oct 2021
Sept 2022 253. Xing, X.; Luo, T.; Li, J.; et al.: A defense mechanism against
234. Turner, J.: 2017: The year of widespread SDN adoption and DDoS the dns amplification attack in SDN. In: 2016 IEEE International
attack mitigation (2017). https://t.ly/tv0C. Accessed 11 Sept 2022 Conference on Network Infrastructure and Digital Content (IC-
235. UNSW-NB15 Dataset (2017). https://research.unsw.edu.au/ NIDC), pp. 28–33. IEEE (2016)
projects/unsw-nb15-dataset. Accessed 11 Sept 2022 254. Xu, Y.; Sun, H.; Xiang, F.; et al.: Efficient DDoS detection based
236. Ubale, T.; Jain, A.K.: Survey on DDoS attack techniques and on k-fknn in software defined networks. IEEE Access 7, 160,536-
solutions in software-defined network. In: Gupta BB, Perez GM, 160,545 (2019)
Agrawal DP, Gupta D (eds.) Handbook of Computer Networks 255. Xu, X.; Yu, H.; Yang, K.: DDoS attack in software defined net-
and Cyber Security, pp. 389–419. Springer (2020) works: a survey. ZTE Commun. 15(3), 13–19 (2017)
237. Ujjan, R.M.A.; Pervez, Z.; Dahal, K.; et al.: Towards sFlow and 256. Xu, X.; Sun, Y.; Huang, Z.: Defending DDoS attacks using hid-
adaptive polling sampling for deep learning based DDoS detection den markov models and cooperative reinforcement learning. In:
in SDN. Future Gener. Comput. Syst. 111, 763–779 (2020) Pacific-Asia Workshop on Intelligence and Security Informatics,
238. Ujjan, R.M.A.; Pervez, Z.; Dahal, K.; et al.: Entropy based features pp. 196–207. Springer (2007)
distribution for anti-DDoS model in SDN. Sustainability 13(3), 257. Xu, Y.; Liu, Y.: DDoS attack detection under SDN context. In:
1522 (2021) IEEE INFOCOM 2016-the 35th Annual IEEE International Con-
239. Uzunovic, A.: Anonymous target bank of greece website ference on Computer Communications, pp. 1–9. IEEE (2016)
with massive DDoS attack (2016). https://www.hackread.com/ 258. Yadav, A.; Kori, A.S.; Shettar, P.; et al.: A hybrid approach for
anonymous-DDoS-attack-bank-greece-website-down/. Accessed detection of DDoS attacks using entropy and machine learning
01 Aug 2021 in software defined networks. In: 2021 12th International Confer-
240. Valdovinos, I.A.; Pérez-Díaz, J.A.; Choo, K.K.R.; et al.: Emerging ence on Computing Communication and Networking Technolo-
DDoS attack detection and mitigation strategies in software- gies (ICCCNT), pp. 1–7. IEEE (2021)
defined networks: taxonomy, challenges and future directions. J. 259. Yan, Q.; Yu, F.R.; Gong, Q.; et al.: Software-defined networking
Netw. Comput. Appl. 187, 103093 (2021) (SDN) and distributed denial of service (DDoS) attacks in cloud
241. van Steyn, J.: DDoS attack network logs (2019). https:// computing environments: a survey, some research issues, and
www.kaggle.com/jacobvs/DDoS-attack-network-logs/version/1. challenges. IEEE Commun. Surv. Tutor. 18(1), 602–622 (2015)
Accessed 11 Sept 2022 260. Yang, L.; Zhao, H.: DDoS attack identification and defense
242. Verma, A.: A comprehensive dataset for DDoS attack (2021). using SDN based on machine learning method. In: 2018 15th
https://www.kaggle.com/amanverma1999/a-comprehensive- International Symposium on Pervasive Systems. Algorithms and
dataset-for-DDoS-attack. Accessed 11 Sept 2022 Networks (I-SPAN), pp. 174–178. IEEE (2018)
243. Wan, L.; Wang, Q.; Zheng, S.: Deep SSAE-BiLSTM model for 261. Ye, J.; Cheng, X.; Zhu, J.; et al.: A DDoS attack detection method
DDoS detection In SDN. In: 2021 2nd International Conference based on SVM in software defined network. Secur. Commun.
on Computer Communication and Network Security (CCNS), Netw. (2018)
pp. 1–4. IEEE (2021) 262. Yuan, X.; Li, C.; Li, X.: Deepdefense: identifying DDoS attack via
244. Wang, Y.; Hu, T.; Tang, G.; et al.: Sgs: safe-guard scheme for deep learning. In: 2017 IEEE International Conference on Smart
protecting control plane against DDoS attacks in software-defined Computing (SMARTCOMP), pp. 1–8. IEEE (2017)
networking. IEEE Access 7, 34,699-34,710 (2019) 263. Yungaicela-Naula, N.M.; Vargas-Rosales, C.; Perez-Diaz, J.A.:
245. Wang, J.; Wang, L.: SDN-Defend: a lightweight online attack SDN-based architecture for transport and application layer
detection and mitigation system for DDoS attacks in SDN. Sen- DDoS attack detection by using machine and deep learning.
sors 22(21), 8287 (2022) IEEE Access 9, 108495–108512 (2021). https://doi.org/10.1109/
246. Wang, J.; Wen, R.; Li, J.; et al.: Detecting and mitigating target ACCESS.2021.3101650
link-flooding attacks using SDN. IEEE Trans. Dependable Secure 264. Yungaicela-Naula, N.M.; Vargas-Rosales, C.; Pérez-Díaz, J.A.;
Comput. 16(6), 944–956 (2018) et al.: A flexible SDN-based framework for slow-rate DDoS attack
247. Wang, H.; Xu, L.; Gu, G.: Floodguard: A dos attack prevention mitigation by using deep reinforcement learning. J. Netw. Com-
extension in software-defined networks. In: 2015 45th Annual put. Appl. 205(103), 444 (2022)
IEEE/IFIP International Conference on Dependable Systems and 265. Zhao, K., Lu, B., Shi, H., et al.: A DDoS attack detection and
Networks, pp. 239–250. IEEE (2015) defense mechanism based on the self-organizing mapping in SDN.
248. Wang, L.; Liu, Y.: A DDoS attack detection method based on Internet Technol Lett. e305 (2021)
information entropy and deep learning in SDN. In: 2020 IEEE 4th 266. Zheng, J.; Li, Q.; Gu, G.; et al.: Realtime DDoS defense using
Information Technology, Networking, Electronic and Automation cots SDN switches via adaptive correlation analysis. IEEE Trans.
Control Conference (ITNEC), pp. 1084–1088. IEEE (2020) Inf. Forensics Secur. 13(7), 1838–1853 (2018)
249. Wang, P.; Chao, K.M.; Lin, H.C.; et al.: An efficient flow control 267. Zhijun, W.; Qing, X.; Jingjie, W.; et al.: Low-rate DDoS attack
approach for SDN-based network threat detection and migration detection based on factorization machine in software defined net-
using support vector machine. In: 2016 IEEE 13th International work. IEEE Access 8, 17,404-17,418 (2020)
Conference on e-Business Engineering (ICEBE), pp. 56–63. IEEE 268. Zi, L., Yearwood, J., Wu, X.W.: Adaptive clustering with feature
(2016) ranking for DDoS attacks detection. In: 2010 Fourth International
250. Warren, T.: Microsoft says it mitigated one of the largest DDoS Conference on Network and System Security, pp. 281–286. IEEE
attacks ever recorded (2021). https://www.theverge.com/2021/ (2010)
10/12/22722155/microsoft-azure-biggest-DDoS-attack-ever-2-
4-tbps. Accessed 11 Sept 2022
251. Wong, F.; Tan, C.X.: A survey of trends in massive DDoS attacks Springer Nature or its licensor (e.g. a society or other partner) holds
and cloud-based mitigations. Int. J. Netw. Secur. Appl. 6(3), 57 exclusive rights to this article under a publishing agreement with the
(2014) author(s) or other rightsholder(s); author self-archiving of the accepted
252. Woolf, N.: DDoS attack that disrupted internet was largest of manuscript version of this article is solely governed by the terms of such
its kind in history, experts say (2016). https://www.theguardian. publishing agreement and applicable law.
