A precondition to examining DDoS attacks in software-defined networks (SDNs) is establishing a definition of a DDoS attack. At the foundational level, a denial of service (DoS) attack is classified as an attack against a network structure that prevents a server from servicing its clients [1]. The researchers argue that DoS attacks can send a high volume of requests to a server to slow it down, send sizeable invalid data packets, or send requests with spoofed or invalid IP addresses to flood the server. Ref. [2] supported Tang and [1] by revealing that the main objective of launching a DoS attack is to disrupt the availability of network resources for legitimate users through one of several possible strategies. For instance, attackers send messages that exploit vulnerabilities, leading to paralysis of the network systems, or attackers send a high volume of regular messages to a single node, which exhausts the system resources and, as such, crashes the entire system [2]. The most recent DDoS attack was against Amazon Web Services (AWS) in 2020, but that attack was mitigated, although it involved up to 2.3 Tbps of data [3]. Another study [4] supported [3] by revealing that the DDoS attack involved hijacked Connectionless Lightweight Directory Access Protocol (CLDAP) servers, which amplified the attack by up to 70 times its size.
In recent years, software-defined networking (SDN) has emerged as a promising approach for improving network efficiency and flexibility. However, SDN-based networks have also been subject to DDoS attacks, which can disrupt the delivery of essential services to customers. DDoS attacks involve overwhelming a network with traffic from multiple sources, rendering it unavailable to legitimate users. This has serious consequences for organizations and businesses that rely on networked systems for their operations and highlights the need to design and implement effective security measures to detect the risk of DDoS attacks on SDN networks.
2. Individual Deep Learning Algorithms Implementation
Other researchers have focused on comparing how different deep learning algorithms performed in DDoS attack detection in SDNs. A case in point was [5]. They compared a simple neural network, CNN, and RNN in DDoS attack detection on the CSE-CIC-IDS2018 dataset, which simulated diverse attack scenarios, including brute-force, DoS, infiltration, DDoS, Heartbleed, and botnet attacks. Findings from the study revealed that the simple neural network outperformed CNN and RNN in the detection of malware, generating an accuracy of 82% and a precision of 42%. The authors argued that the more popular RNN and CNN could have performed better but were held back by overfitting, which led to high false positive and false negative rates [5]. In another study, Ref. [6] also compared the performance of several algorithms to facilitate the detection of DDoS attacks in SDN environments. In particular, it considered the Support Vector Machine (SVM), Naïve Bayes (NB), Artificial Neural Network (ANN), and K-Nearest Neighbor (KNN) classification models. In addition, the researchers adopted feature selection techniques to simplify the models used in the experiments, enhance their interpretability, and shorten training time [6]. The reported findings showed that wrapper feature selection combined with the KNN classifier generated the highest score, 98.3% accuracy in DDoS attack detection. Analytically, the results underscored the performance improvement associated with combining deep learning with feature selection techniques when detecting DDoS attacks, which helps reduce load and processing times [6]. Furthermore, in other critical research [7], the authors proposed an approach against DDoS attacks that adopts the Gated Recurrent Units (GRU) method and compared it with other deep learning algorithms, explaining how their approach outperforms them.
Findings from the study showed that the GRU-RNN did not adversely affect network performance and led to high accuracy of 99% and 89% for the CICIDS2017 and NSL-KDD datasets (Tang et al., 2019). In previous research, Ref. [8] reported an accuracy of 99.63% for the CNN-RF model and 99.58% for the RF-MLP using the same dataset, CICIDS2017. Analytically, the comparison of [1][8] revealed that, on the same dataset, different hybrid deep learning algorithms generated similar performances: 99% for both the CNN-RF and GRU-RNN. Such insights are essential in the current study, as they reveal that the results of the hybrid deep learning implementations did not vary significantly despite using different deep learning algorithms.
3. Hybrid Deep Learning Techniques
Efficient hybridization techniques for intrusion detection systems have become a critical technology to safeguard against malicious threats in cyberspace. Many soft computing approaches have been employed to enhance the effectiveness of Intrusion Detection Systems (IDS). However, the high dimensionality of network traffic data, dynamic attack patterns, and the need for multiple classifiers to detect various forms of attacks remain significant challenges [9][10][11]. To address these challenges, this research proposes a hybridization technique that combines supervised and unsupervised learning techniques. K-means clustering is used to classify the data into normal and attack classes, and wrapper feature selection with a genetic algorithm is employed to address the high dimensionality of the data. The input data are then classified with a support vector machine (SVM) [9]. Another proposed technique for feature selection involves the use of the metaheuristic Bat algorithm and PCA [10]. Lastly, a combination of blockchain technology and machine learning techniques was used to manage datasets and detect network communications for intrusion detection systems [11]. The proposed techniques were shown to achieve high accuracy and a low false alarm rate, with promising benefits of robustness, low computational cost, and generalization by reducing possible overfitting.
In terms of hybrid deep learning, the two main ideas addressed are the integration of more than one deep learning algorithm to detect attack traffic and the combination of the algorithms with other network security solutions such as IDS and IPS devices. To begin with, Ref. [12] argued that deep learning techniques are essential in detecting DDoS attacks within SDNs to identify the attacks as anomalies within legitimate traffic. Therefore, in discussing the importance of deep learning in securing SDNs, there is a need to view the attacks as anomalies that result in traffic generation. The study by [12] proposed a deep learning approach that implemented Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) algorithms to detect slow DDoS attacks in SDNs. In the research, datasets to emulate the slow DDoS attack traffic flow were generated, and the ability of SDN switches to detect traffic flow statistics was leveraged. The CNN-LSTM model was trained and validated, with hyperparameter tuning also undertaken. The performance of the CNN-LSTM was compared against a MultiLayer Perceptron (MLP) and 1-Class Support Vector Machine (1-SVM). The generated results revealed that the CNN-LSTM outperformed the MLP and 1-SVM in terms of accuracy, precision, recall, and specificity [12].
Another study [8] supported [13] by revealing that combining several deep learning algorithms such as RF, CNN, and MLP methods improved DDoS attack detection in IoT networks and devices. In the research, Ref. [8] reported a higher accuracy of 99.63% for the hybrid model combining the Random Forests and Convolutional Neural Networks compared to 99.58% accuracy obtained from the combination of Random Forests and the Multilayer Perceptron. Such insights underscored the value of CNN-RF hybrid models in outperforming other variants in DDoS detection in SDN networks.
Other researchers, such as [14], combined the CNN deep learning algorithm with information entropy to detect DDoS attacks in SDNs and distinguish between legitimate and attack traffic. The outcomes from the research indicated that the hybrid model generated high performance in detecting traffic anomalies. In the study, Ref. [14] argued that combining CNN and information entropy was essential to leverage their advantages in DDoS attack detection. The low-complexity advantages of information entropy were combined with the high accuracy of the CNN algorithms, thereby facilitating DDoS attack detection in the SDN controller and guaranteeing the security of the SDN network. Ref. [15] also conducted a similar study to [14], whereby information entropy was combined with a CNN algorithm to detect DDoS attacks. In their study, Ref. [15] used information entropy to identify suspicious ports and components in coarse granularity, whereas CNN was adopted to distinguish legitimate and attack traffic. Findings from the research revealed high accuracy in detecting the anomaly traffic at 98.98%, which underscored the robustness of combining information entropy and CNN techniques in detecting attack traffic. Therefore, a similarity between [14][15] emerged from the fact that both studies advocated combining information entropy with CNNs to detect attack traffic within SDNs. As a result, there was better performance and accuracy regarding mitigating DDoS attacks. Further analysis, however, indicated that the shortcoming of relying on deep learning algorithms on their own arose from high training costs and low efficiency despite their high accuracy. Analytically, such findings indicate a need to identify more alternative solutions to reduce the disadvantages of deep learning algorithms.
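The coarse entropy stage that [14] and [15] place in front of a CNN can be sketched as follows; this is an added example, not code from either study. The flow-record layout, the `threshold` and `min_flows` values, and the sample addresses are assumptions constructed for illustration, and the CNN second stage is left out.

```python
import math
from collections import Counter, defaultdict

def normalized_entropy(values):
    """Shannon entropy of the value distribution, scaled to [0, 1]."""
    counts = Counter(values)
    if len(counts) < 2:
        return 0.0  # a single destination carries no uncertainty
    n = sum(counts.values())
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(len(counts))

def suspicious_ports(flows, threshold=0.5, min_flows=10):
    """Stage 1: flag (window, port) pairs whose destination-IP entropy collapses.

    threshold and min_flows are illustrative values, not taken from [14] or [15].
    """
    groups = defaultdict(list)
    for window, port, dst_ip in flows:
        groups[(window, port)].append(dst_ip)
    flagged = {}
    for key, dsts in sorted(groups.items()):
        if len(dsts) < min_flows:
            continue  # too few flows for the entropy estimate to mean anything
        h = normalized_entropy(dsts)
        if h < threshold:
            flagged[key] = round(h, 3)
    return flagged

def make_sample_flows():
    """Constructed records: (window index, ingress switch port, destination IP)."""
    flows = []
    for w in range(3):  # port 1: 16 flows spread evenly over 8 hosts
        flows += [(w, 1, f"10.0.0.{i % 8}") for i in range(16)]
    for w in range(2):  # port 2: same benign pattern in windows 0 and 1
        flows += [(w, 2, f"10.0.1.{i % 8}") for i in range(16)]
    # port 2, window 2: 60 of 64 flows converge on one host
    flows += [(2, 2, "10.0.1.5" if i < 60 else f"10.0.1.{i % 4}") for i in range(64)]
    # port 3: three flows to one host, below min_flows, must not be flagged
    flows += [(1, 3, "10.0.2.9")] * 3
    return flows

if __name__ == "__main__":
    for (window, port), h in suspicious_ports(make_sample_flows()).items():
        print(f"window {window} port {port}: entropy {h} -> send flows to classifier")
```

Only the flows behind the flagged ports would be passed to the heavier classifier, which is where the low-complexity benefit of the entropy stage comes from.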
Ref. [16] reiterated [17] by demonstrating that integrating a deep learning algorithm enhanced IDS systems. Ref. [18] further demonstrated the effectiveness of the Stacked Autoencoders (SAE) deep learning algorithm combined with a Snort IDS in optimizing the detection accuracy of DDoS attack detection within SDN environments. By implementing the hybrid algorithm, the study observed a high accuracy of 95%.
Additionally, hybrid deep learning algorithms have shown promising results in detecting low-rate DDoS attacks in software-defined networks (SDNs). These attacks are characterized by a low volume of traffic but a high frequency, making them difficult to detect using traditional approaches such as threshold-based systems [3]. Another hybrid deep learning method is the integration of a CNN with a deep belief network (DBN), as presented by [19]. This approach achieved a detection rate of 96.7% and a false positive rate of 1.2% on a simulated SDN dataset.
Finally, the analysis also indicated that deep learning algorithms could better detect DDoS attacks in SDN environments [5][6][7][8][9][10][11][12][13][14][20][21][22]. The research showed that deep learning techniques outperformed classical machine learning algorithms, as they did not involve human interaction to improve their performance but instead relied on artificial neural networks [23]. The evaluation also demonstrated that hybrid deep learning techniques outperformed single algorithms even in scenarios where the models comprised deep learning algorithms.