One method for detecting DDoS attacks relies on statistical techniques. In [20], researchers introduced a statistics-based approach to identify DDoS attacks by assessing the entropy of packet payloads. They harnessed machine learning to evaluate entropy values and categorize traffic as normal or malicious. However, this approach neglected the stateful nature of SD-IoT networks, posing challenges in detecting attacks spanning multiple packets. Zhang et al. [21] proposed a method to detect low-rate (LR) DoS attacks using Power Spectral Density (PSD). In this context, distinct PSD entropy limits were established for normal and attack groups. Their non-AI-based intrusion detection system (IDS) exhibited a trade-off between accuracy and detection rates. Another strategy involves flow-based mechanisms for DDoS detection. Xie et al. [22] leveraged traffic-flow patterns to discern DDoS attacks, demonstrating effective detection with relatively low overhead compared to other methods. However, this approach proves less effective in high network traffic scenarios, necessitating the adoption of more advanced security measures. In [23], authors introduced a flow-based technique to uncover DDoS attacks in SDN. By employing OpenFlow switches to gather flow statistics and detect abnormal traffic patterns, this method did not account for the dynamic nature of SD-IoT networks, where devices frequently join and depart. Approaching the issue uniquely, ref. [24] introduced an innovative approach to actively detect attacks in resource-constrained cyber-physical systems, focusing on thwarted actuation attacks. These attacks disrupt communication between controllers and actuators. The proposed system comprises two core elements: (1) detection and (2) control. The detection module employs parallel detectors crafted through a multiple-model adaptive estimation strategy to identify attack occurrences and targeted actuators. The control unit employs a constrained optimization technique to compute optimal control inputs that satisfy both control and detection goals. A probabilistic framework was adopted to formulate detection and control objectives, capitalizing on available a priori information. To underscore the approach’s effectiveness, a simulation study was conducted on an irrigation channel, yielding demonstrative outcomes.

To address the limitations inherent in statistical and flow-based methodologies, recent research endeavors have proposed an amalgamation of machine and deep learning techniques with SDN to enhance DDoS detection in IoT environments. For instance, a DDoS detection solution tailored to SDN-based IoT networks, known as LEDEM, was introduced in [25]. However, LEDEM’s effectiveness is hindered by its rigid reliance on a single classification method, rendering it inadequate for combating diverse DDoS attack types. In a similar vein, Yin et al. [26] outlined a comprehensive architecture for SD-IoT, intending to scrutinize IoT network traffic and detect DDoS attacks through network attribute analysis. Regrettably, this model’s potential is curtailed due to limitations in its ML-based categorization algorithms. Taking an innovative approach, researchers in [27] put forth a novel framework comprised of two integral components: DoS/DDoS detection and DoS/DDoS mitigation. This novel approach facilitates precise identification of attack types and associated packet types, thereby enabling targeted application of mitigation strategies. Operating as a multi-class classifier based on the “Looking-Back” concept, the proposed DoS/DDoS detection component was evaluated using the Bot-IoT dataset, culminating in an impressive 99.81% accuracy rate with a Looking-Back-enabled Random Forest classifier. Ullah et al. [28] contributed an anomaly-based detection system for IoT networks, featuring a multiclass classification technique employing a convolutional neural network (CNN) algorithm. Despite its commendable performance, ML approaches are the preferred choice for intrusion detection systems (IDSs) necessitating robust security capabilities [29]. In [29], an exploration of diverse ML models revealed that the XGBoost technique consistently yielded superior performance outcomes compared to other classifiers. While the performance results were drawn from two test cases, it was acknowledged that the dataset’s scope was inadequate for comprehensively analyzing IoT network traffic behavior. To bridge the gap, Yousuf et al. [30] introduced DALCNN, leveraging OpenDayLight (ODL) as a suitable SDN controller to identify DDoS attacks in IoT. A notable limitation was observed, wherein the RNN algorithm’s training using the NSL-KDD dataset did not align with the intricacies of IoT network traffic characteristics. Another noteworthy approach involved a Deep Neural Network (DNN) method proposed in [31] to identify DDoS attacks in SDN scenarios. Test results demonstrated the efficacy of the Deep IDS system with minimal network load, and without impacting the functionality of the POX controller. Yet, refinement is warranted to enhance detection rates and minimize false alarms across multiple OpenFlow Controllers. Shifting the focus to [32], authors introduced a framework for DDoS detection in SDN-IoT incorporating machine learning and stateful packet processing. A novel Double-Check Mapping Function (DCMF) was proposed to process packets and extract features at the data plane level. While machine learning techniques were employed to analyze the extracted features and classify traffic, the approach neglected the potential of a hierarchical, logically distributed multi-controller architecture to enhance scalability and reliability. A distinctive deep reinforcement learning (DRL)-based approach for detecting low-rate DDoS attacks in SDN was introduced by [33]. This approach embraced features such as traffic monitoring, traffic flow sampling, and a lightweight intrusion prevention system (IPS) for swift mitigation. However, the approach fell short in addressing the scalability nuances of SD-IoT networks. In a different vein, [34] proposed a novel DL approach intertwining CNN with the SD-Reg method to classify flow traffic as normal or attack. While effective in enhancing NIDSs’ ability to detect unseen intrusion events, this stateless approach necessitated testing across diverse datasets encompassing various attack scenarios. Similarly, a CNN-based system was proposed in [35] for detecting DDoS attacks in IoT networks, focusing on blocking attacks at the source. However, the evaluation on the CIC-DDoS2019 dataset highlighted its limitations in effectively analyzing IoT network traffic behavior. Lastly, a study conducted by the authors of [36] harnessed an AutoML intrusion detection framework to identify suitable supervised classifiers, subsequently crafting an optimal ensemble strategy via soft voting. The proposed framework exhibited high accuracy in detecting intrusions; however, it was recognized that the datasets employed were not the most up-to-date and did not comprehensively encompass all types of attack intrusions. Furthermore, network stateful cases were not considered.

In [37], DDoS attack detection using P4 is addressed by implementing a hash value calculation of the source IP and MAC address in the data plane switch, which is then compared to the previously stored hash value. The detection of an attack occurs when there is no match and the time difference between the last attack and the current packet is less than 5 s. However, this method has some limitations such as increased CPU consumption at switches, inability to detect complex attack patterns, and failure to differentiate between flash and attack traffic. Febro et al. [38] proposed a source-based DDoS defense solution that detects attacks close to the source to save computational and bandwidth resources. In this approach, P4-enabled edge switches count the number of packets sent by the hosts connected to each port, and the controller compares these values with a static threshold. Once the threshold is exceeded, the controller sends a command to the P4 switch to drop all subsequent packets from the same ingress port. However, this method cannot differentiate between legitimate traffic and attack traffic, as it relies on a static threshold value. Lastly, a study conducted by the authors of [39] delved into the potential of AI and ML algorithms for automating the detection of Transmission Control Protocol (TCP) flood attacks. A comparison between Standalone and Correlated DDoS attack detection (DAD) architectures was conducted, whereby traffic feature collection and attack detection were performed locally at network switches or controllers. However, the approach failed to account for the nuanced features of IoT traffic and was confined to detecting a single type of DDoS attack. Furthermore, comprehensive dataset testing was lacking.

Existing solutions for detecting ARP attacks involve methods such as analyzing traffic patterns, utilizing cryptographic solutions, creating flow graphs, or applying statistical techniques. However, these approaches can be time-consuming, computationally intensive, or complex in terms of processing power. Additionally, some of these methods rely on threshold-based analysis of only one parameter.

Hong et al. [40] proposed a detection mechanism that collects dynamic information about the network’s topology, including the switches, flow paths, IP addresses, and MAC addresses. By analyzing these features, the attack can be detected. Sebbar et al. [41] focused on detecting Man-in-the-Middle (MITM) and traffic redirection attacks. They check the state of a new node connecting to the controller and drop the connection if it is not labeled as “New”, indicating a potential malicious node. Additionally, suspicious delays in host responses are monitored, and responses exceeding a specific threshold are considered possible delay attacks. Zhang et al. [42] detect MITM attacks by calculating packet delays in TCP connections. They compare the mean delay of a session with predefined reference values. If the delay exceeds the threshold, it is flagged as a suspicious outlier and reported to the monitoring module. Deng et al. [43] tackle controller attacks by validating the legitimacy of Packet-In messages. When a new packet_in arrives at the controller, it is compared to the MAC addresses in the Mac-Port mapping table. If a match is found, the packet is processed; otherwise, it is dropped. Kaur [44] presented three distinct approaches for detecting ARP spoofing attacks, namely a signature-based method, a manual Wireshark packet analysis method, and a machine learning method. Among these, the Naive Bayes algorithm demonstrated the highest accuracy of 93% and the lowest false alarm rate (FAR).

Ma et al. [45] introduced a Bayesian method to calculate the probability of an attack and employed various ML algorithms for attack detection. Despite utilizing only four features and lacking experimental data verification, the author acknowledged detecting the attack. In [46], the utilization of ML was evident in their endeavor to identify ARP attacks within SDN. They constructed a Python application within the SDN controller via Mininet, tasked with gathering and recording the requisite attack-detection features into a designated file referred to as the traffic dataset. This dataset was subsequently harnessed for both model training and attack detection purposes. The amalgamated Convolutional Neural Network-Long Short Term Memory (CNN-LSTM) model demonstrated superior performance compared to other ML models. Overall, while some works have proposed effective methods for DDoS and ARP detection in SDN or IoT networks, there is still a need for a comprehensive framework that takes into account the stateful nature of SD-IoT networks, the dynamic topology, and the need for consistency, scalability, and reliability.