A hybrid deep learning model for detection and mitigation of distributed denial of service attacks in software-defined networks

dc.contributor.author Emukuny, Martin
dc.date.accessioned 2026-01-09T11:58:18Z
dc.date.available 2026-01-09T11:58:18Z
dc.date.issued 2026
dc.description A dissertation submitted to the Directorate of Research and Graduate Training for the award of the Degree of Master of Science in Data Communication and Software Engineering of Makerere University
dc.description.abstract The increasing adoption of Software-Defined Networking (SDN) has introduced flexibility and programmability in modern networks but has also exposed the SDN controller to Distributed Denial of Service (DDoS) attacks that exploit its centralized architecture. Existing intrusion detection approaches largely focus on detection without providing effective mitigation, and many rely on outdated or non-SDN datasets, limiting their real-world applicability. Furthermore, models based on single deep learning architectures often fail to capture both the spatial and temporal characteristics of DDoS traffic, leading to high false positive and false negative rates. This study proposes a hybrid deep learning model that integrates Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks for the detection and mitigation of DDoS attacks in SDN environments. The CNN component extracts spatial correlations among flow features, while the LSTM component captures temporal dependencies, thereby enhancing spatio-temporal learning. The model was trained and evaluated using the LR-HR DDoS 2024 dataset, an SDN-specific dataset containing both low-rate and high-rate attacks. Data preprocessing included exploratory analysis, feature normalization, and class balancing using the Synthetic Minority Oversampling Technique (SMOTE). The model was implemented in TensorFlow and deployed in a simulated SDN environment using Mininet and the OpenDaylight controller, where detected attacks were mitigated through dynamic flow rule enforcement. Experimental results show that the hybrid CNN–LSTM model achieved an accuracy of 98.7%, a precision of 0.987, a recall of 0.987, and an F1-score of 0.987, outperforming standalone CNN and LSTM models. The model further attained ROC-AUC and PR-AUC values of 0.995 and 0.993 respectively, with confusion matrix analysis confirming reduced misclassification rates.
Although the hybrid model required slightly higher computational resources (3.2 million parameters, an average training time of 47 minutes per epoch, and an inference latency of 3.1 milliseconds), it remained practical for real-time SDN deployment. Limitations include reliance on a single dataset, evaluation within a simulated testbed, and the exclusion of additional contextual features such as topology data. Future work should focus on validating the model with multiple real-world datasets, integrating attention mechanisms or transformer architectures, optimizing for lightweight deployment, and testing resilience against adversarial attack strategies.
dc.identifier.citation Emukuny, M. (2026). A hybrid deep learning model for detection and mitigation of distributed denial of service attacks in software-defined networks; Unpublished Masters dissertation, Makerere University, Kampala
dc.identifier.uri https://makir.mak.ac.ug/handle/10570/16349
dc.language.iso en
dc.publisher Makerere University
dc.title A hybrid deep learning model for detection and mitigation of distributed denial of service attacks in software-defined networks
dc.type Other
Files
Original bundle
Name: Emukuny-COSIS-Masters-2026.pdf
Size: 1.4 MB
Format: Adobe Portable Document Format
Description: Masters dissertation
Name: EMUKUNY-COSIS-Masters-2025-Consent form.pdf
Size: 817.05 KB
Format: Adobe Portable Document Format
Description: Consent form
License bundle
Name: license.txt
Size: 462 B
Format: Item-specific license agreed upon to submission