
Hybrid Deep Learning Approach For Automatic Dos/Ddos Attacks Detection in Software-Defined Networks

The paper presents a hybrid deep learning algorithm designed for detecting and defending against DoS/DDoS attacks in software-defined networks (SDNs), achieving high accuracy rates of 99.81% and 99.88% on different datasets. It integrates CNN, GRU, and DNN algorithms to effectively handle both volumetric and low-rate attacks, addressing existing gaps in detection methods. The study emphasizes the importance of robust security measures in SDNs, which are increasingly targeted by cyberattacks.

Uploaded by

sharoonmasih43

Hybrid Deep Learning Approach for Automatic DoS/DDoS Attacks Detection in Software-Defined Networks
Authors: Hani Elubeyd, Derya Yiltas-Kaplan | Published: March 2023 | Applied Sciences (Basel)
Sharoon Masih (23F-CS-20)
Nasir Mehmood (23F-CS-32)
Kanwar Lal (23F-CS-40)
-- Applied Sciences
ABSTRACT
This paper proposes a hybrid deep learning algorithm for detecting and defending against DoS/DDoS attacks in software-defined networks (SDNs). SDNs are becoming increasingly popular due to their centralized control and flexibility, but this also makes them a target for cyberattacks. Detecting DoS/DDoS attacks in SDNs is a challenging task due to the complex nature of the network traffic. To address this problem, we developed a hybrid deep learning approach that combines three types of deep learning algorithms. Our approach achieved high accuracy rates of 99.81% and 99.88% on two different datasets, as demonstrated through both reference-based analysis and practical experiments. Our work provides a significant contribution to the field of network security, particularly in the area of SDN. The proposed algorithm has the potential to enhance the security of SDNs and prevent DoS/DDoS attacks. This is important because SDNs are becoming increasingly important in today’s network infrastructure, and protecting them from attacks is crucial to maintaining the integrity and availability of network resources. Overall, our study demonstrates the effectiveness of a hybrid deep learning approach for detecting DoS/DDoS attacks in SDNs and provides a promising direction for future research in this area.

Problem Statement | Research Solution | Key Achievements

Keywords: hybrid deep learning; DoS/DDoS attacks; software-defined networks (SDNs); cyberattacks
INTRODUCTION
Understanding DoS/DDoS Attacks

Definition
DoS attacks aim to disrupt network resource availability, making servers or services inaccessible to legitimate users.

Attack techniques
• Flooding servers with high-volume requests
• Sending large, invalid data packets
• Spoofing or using invalid IP addresses

Example
In 2020, AWS faced a 2.3 Tbps DDoS attack amplified 70 times using hijacked CLDAP servers. Such attacks can paralyze critical services, causing financial and reputational damage to organizations.

Introduction

SDN Vulnerabilities and Detection Challenges

SDN Overview
Separates control and data planes, enabling centralized, programmable network management.

Vulnerabilities
Centralized control creates a single point of failure vulnerable to DDoS attacks disrupting essential services.

Detection Challenges
Both volumetric and stealthy low-rate attacks threaten SDNs, with complex environments making detection difficult.

Necessity
Effective, intelligent detection mechanisms are crucial for network resilience and service continuity.

Existing Approaches and Research Gaps

TRADITIONAL METHOD
Packet entropy, time-based techniques, and statistical analysis struggle with accuracy and adaptability.

MACHINE LEARNING
SVM, KNN, Naïve Bayes improve detection but face high false positives and overfitting issues.

DEEP LEARNING
CNN, RNN, LSTM, and hybrid models show higher accuracy (up to 99.63%) but often lack robustness against evolving attacks.

Research Contribution and Novelty

HYBRID MODEL
Integrates CNN, GRU, and DNN algorithms for comprehensive detection of DoS/DDoS attacks.

REAL-WORLD APPLICABILITY
Designed to handle complex, variable SDN traffic with up to 99.81% accuracy, outperforming single-model approaches.

DUAL ATTACK FOCUS
Detects both volumetric and low-rate attacks, addressing gaps in prior research.

METHODOLOGY

Methodology

Data Collection and Preprocessing

01. Dataset
CICDDoS2019 dataset includes benign and various DDoS attack traffic types (TCP, UDP, ICMP).

02. Feature Extraction
Extracted features include packet size, flow duration, inter-arrival times, and protocol type.

03. Handling Categorical Features
Missing categorical values imputed with the most frequent category for consistency.

04. Standardization
Numerical features scaled to mean 0 and standard deviation 1 for uniform model training input.

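The preprocessing steps above, sketched as an added Python example (not code from the paper or from the presenters). Field names and sample flows are constructed; learning the imputation and scaling parameters from training flows only and reusing them on live flows is an assumption, since the slides do not say how scaling is applied at detection time.

```python
from collections import Counter
from statistics import mean, pstdev

NUMERIC = ("pkt_size", "duration", "iat")  # hypothetical field names

# Constructed flow records; None marks a missing protocol, label 1 = attack.
TRAIN = [
    {"pkt_size": 60.0, "duration": 0.5, "iat": 0.01, "proto": "UDP", "label": 1},
    {"pkt_size": 60.0, "duration": 0.4, "iat": 0.01, "proto": None, "label": 1},
    {"pkt_size": 1500.0, "duration": 12.0, "iat": 0.30, "proto": "TCP", "label": 0},
    {"pkt_size": 900.0, "duration": 8.0, "iat": 0.20, "proto": "UDP", "label": 0},
]
LIVE = [{"pkt_size": 630.0, "duration": 5.225, "iat": 0.13, "proto": None}]

def fit(rows):
    """Learn imputation and scaling parameters from training flows only."""
    protos = [r["proto"] for r in rows if r["proto"] is not None]
    stats = {}
    for k in NUMERIC:
        vals = [r[k] for r in rows]
        stats[k] = (mean(vals), pstdev(vals) or 1.0)  # guard constant columns
    return {"mode": Counter(protos).most_common(1)[0][0],
            "cats": sorted(set(protos)), "stats": stats}

def transform(rows, p):
    """Impute, standardize and one-hot encode flows with stored parameters."""
    out = []
    for r in rows:
        # Step 03: a missing protocol takes the most frequent training category.
        proto = r["proto"] if r["proto"] is not None else p["mode"]
        # Step 04: z-score each numeric feature with the training mean and std.
        z = [(r[k] - p["stats"][k][0]) / p["stats"][k][1] for k in NUMERIC]
        # A protocol never seen in training encodes as all zeros.
        out.append(z + [1.0 if proto == c else 0.0 for c in p["cats"]])
    return out

if __name__ == "__main__":
    params = fit(TRAIN)
    for vec in transform(TRAIN + LIVE, params):
        print([round(v, 3) for v in vec])
```

Reusing the stored parameters keeps a live flow on the same scale the model was trained on, which matters when the detector scores flows one at a time.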
Methodology

AFDL (ADAPTIVE FEATURE DIMENSIONALITY LEARNING)

Purpose
Reduces high dimensionality by selecting the most relevant features dynamically.

Process
Selects 15-20 critical features from over 80 using statistical and learning-based methods, adapting to new attack patterns.

Benefits
Improves computational efficiency, reduces training time by 40%, and maintains high detection accuracy.

Adaptivity
Ensures model effectiveness as attack strategies evolve over time.

Methodology

Hybrid Deep Learning Model Architecture

Deep Learning Models: 1D Convolutional Neural Network (CNN), Gated Recurrent Unit (GRU), Dense Neural Network (DNN)

CNN
Extracts spatial patterns and local feature correlations from input data (e.g., packet size trends).

GRU
Captures temporal dependencies and sequential changes in network traffic.

DNN
Performs final classification, outputting benign or attack labels.

Integration & Training
Combines outputs for robust detection; trained on 80% of dataset, validated on 20% to prevent overfitting.

Methodology

Real-Time Detection and Alerting

Continuous Traffic Monitoring
The system monitors all incoming and outgoing network traffic in real time, collecting flow statistics and packet-level data from SDN switches.

Instantaneous Attack Identification
The hybrid deep learning model processes traffic features on-the-fly, allowing for immediate detection of abnormal patterns indicative of DoS/DDoS attacks.

Automated Alert Generation
Upon detecting suspicious or malicious activity, the system automatically generates alerts.

Rapid Mitigation Response
The SDN controller, upon receiving an alert, can execute predefined mitigation strategies.

RESULT

Result

Results – Performance Evaluation

01. Accuracy
Achieved 99.81% and 99.88% on two different datasets, demonstrating high reliability.

02. False Alarm Rate
Less than 0.1%, indicating minimal false positives.

03. Detection Time
Less than 2 milliseconds per flow, suitable for real-time SDN environments.

04. Comparison
Outperformed previous models (CNN, RNN, KNN) and traditional methods in both accuracy and efficiency. Previous best (KNN + wrapper): 98.3% accuracy; this model: 99.81%

Result

Results – Detailed Analysis

Attack Type Detection
Successfully identified both high-volume (volumetric) and stealthy (low-rate) DDoS attacks.

Live SDN Testing
Integrated with SDN controllers, tested on real network traffic, and validated on networks with 100 to 10,000+ nodes.

Generalizability
Model performed well on unseen attack types, demonstrating adaptability to evolving threats.

Resource Efficiency
Reduced computational overhead due to AFDL, enabling deployment on resource-constrained SDN controllers.

Scalability
Effective on networks ranging from 100 to over 10,000 nodes, validating robustness and scalability.

Result

Future Recommendations

Model Enhancement
Incorporate transformer-based architectures and reinforcement learning for even better adaptability.

Integration
Develop APIs for seamless deployment with various SDN controllers (e.g., OpenDaylight, ONOS).

Cloud-based Detection
Extend to distributed/cloud environments for broader coverage.

Resource Optimization
Further reduce computational requirements for large-scale, high-traffic SDN deployments.

CONCLUSION
As fourth-semester BSCS students, we find this research particularly significant as
it demonstrates the practical application of deep learning in network security. The
hybrid approach combining CNN, GRU, and DNN represents an innovative solution to
the critical challenge of DDoS detection in modern networks.

What impressed us most was how the researchers achieved remarkable accuracy
(99.80%) by leveraging multiple neural network architectures rather than relying on
a single model. This highlights the importance of understanding various AI
techniques and their complementary strengths.

The methodology demonstrates excellent practical thinking - preprocessing steps are
clearly defined, feature selection is thoughtfully implemented, and the evaluation
metrics are comprehensive. This provides an excellent template for how security
systems should be developed and evaluated.

For our future studies and career in cybersecurity, this paper illustrates how
theoretical concepts learned in classrooms translate to solving real-world security
challenges in critical infrastructure. It inspires us to further explore the intersection
of machine learning and network security as potential specialization areas.
THANKS FOR YOUR ATTENTION!
