Deep Neural Network (DNN) Solution for Real-time Detection of Distributed Denial of Service (DDoS) Attacks in Software Defined Networks (SDNs)


Software-Defined Network (SDN) has emerged as the new big thing in networking. The separation of the control plane from the data plane and application plane gives SDN an edge over traditional networking. With SDN, the devices are configured at the control plane which makes it easier to manage network devices from one central point. However, decoupled architecture creates a single point of failure. A single point of failure attracts cyber-attacks, such as Distributed Denial of Service (DDoS) attacks. Attackers have recently been using multi-vector attacks from single-vector attacks. The need for real-time detection as a countermeasure is of paramount importance. The attackers using sophisticated techniques to launch DDoS attacks dictates the need for a sophisticated intrusion detection system. This paper proposes a Deep Neural Network (DNN) solution for real-time detection of DDoS attacks in SDN. The proposed IDS produced a detection accuracy of 97.59% using fewer resources and less time.


Software-Defined Network (SDN) offers a great shifting platform from a traditional network to a flexible, programmability, and open flow platform [1]. The ever-expanding web, emerging of Internet of Things (IoT) and the rise of social media require reliable, flexible, and scalable network [2]. Public and private network traffic is growing every day which has complexity during implementation, hence the requirement of programmability and central management network architecture [3]. As the name SDN suggests, it is a computer network implemented and centrally managed by software through programming [4]. The increase of interconnected devices has affected network performance.

Today’s networks have become complex and require efficient technology to manage it. The flow-based architecture enables the network to acquire information in real time [2]. SDN enables devices to be interconnected and this interconnection enables devices to communicate across the globe. This great interconnection brings challenges that can bring the whole network to a standstill. SDN is predicted to take over the networking world because of its decoupled architecture and programmability ability which allows the network to be managed from one central point [1].

The SDN decoupled architecture separates the control plane from data and application planes have a centralized architecture that manages the whole network from a central management control panel [4]. Whenever they are innovative, attackers always try to stay in the loop by inventing new attack methods that are directed to the innovation. Attackers have changed their attacking methods from single-vector attacks to multi-vector attacks [3]. The central programmability also comes with new cyber-attacks challenges because of a single point of failure. Attackers can target the controller by flooding it with a huge amount of attack to make it unavailable for legitimate users [3].

Distributed Denial of Service (DDoS) attacks proved to be one of the cybersecurity challenges of SDN [3]. They are different mechanisms and technology to protect SDN from DDoS attacks. According to [2], Deep Learning can be used to predict the DDoS attack in SDN. Canadian Institute of Cybersecurity Intrusion Detection (CICIDS 2017) is a flow-based dataset that has more than 11 major network attacks. Training intrusion detection system with CICIDS 2017 dataset can produce high accuracy in DDoS attack detection.

This paper focuses on Deep Neural Network (DNN) Intrusion detection system for SDN. The paper extracts its summary from the full study that was focusing on the design of a Deep Neural Network Intrusion detection system that can detect DDoS attacks in an SDN environment.

The outline of the rest of the paper is as follows: “Background and Related Work” covers the background and related work, “Methodology” details the methodology, “Results” summarises the results and discussion then followed by a conclusion in “Conclusion”.

Background and Related Work

In the past, researchers have deployed machine-based algorithms to detect DDoS in SDN [5]. These studies have produced very impressive results but showed some limitations. This is because they were designed for traditional networks, moreover, a lot of features is those algorithms could not be applied to SDN [6]. Both traditional networks and SDN are vulnerable to abnormal traffic that can put the whole network system at a standstill [7]. Migrating from a traditional network to SDN has a lot of advantages. However, a single point of failure is the weakest point of SDN for network attacks. According to [2], the controller has become a target of DDoS attacks. Attackers can flood the controller with a huge amount of requests which can be launched from a network of zombies to make the controller unavailable to legitimate network users [8].

Software-Defined Network

SDN architecture separates the control plane from the data plane and application plane [9]. According to [9], the control plane uses the northbound Application Programming Interface (API) to communicate with the application plane and the southbound API to communicate with the data plane. Network devices, such as switches, routers, and hubs, are found in the data plane [1]. Security devices, resource monitoring, and application management tools are found in the application plane [10]. While the brain of the network is the control plane, that is where all the configurations and programming of network devices are done [5]. This great network architecture is nothing without security. DDoS attacks have proven to be one of the major threats to SDN architecture. According to [6], SDN control planes are prone to DDoS attacks because of a single point of failure. Attackers can attack routers and switches which are found in the data plane. Security devices, such as firewalls, can also be target by attackers.

Distributed Denial of Service Attack (DDoS)

Distributed service attack can be launched from different computers controlled by one command center [11]. A group of computers called zombies can be used to launch a DDoS attack on the SDN network [11]. No doubt SDN is a great networking architecture, however, DDoS attacks can bring the whole network down if the network is not secured. SDN is a flow-based network which enables it to handle huge volumes of network traffic managed from a central point. Attackers have also changed the attack methods from a single-vector attack to a multi-vector attack where they can launch DDoS attack from different computers in a network [12].

Deep Learning

Deep learning is a supervised or unsupervised learning method that can be used to predict DDoS attacks in an SDN environment [7]. According to [9], deep learning-based Convolution Neural Network (CNN) intrusion detection system can be used to predict DDoS attacks in SDN. Malik et al. [3] state that the CNN model trained using the NSL-KDD dataset can be deployed in an SDN environment and produce a detection accuracy of 70%. Garg et al. [2] states that deep learning Restricted Boltzmann Machine (RBM) and KDD 99 dataset can detect anomalies in real-time. This model was tested in SDN and produced 99.02% accuracy. Hybrid deep learning models can also be used to detect DDoS attacks in the SDN environment. According to [3], Long Short-Term Memory (LSTM) and Convolution Neural Network (CNN) hybrid deep learning intrusion detection system trained using CICIDS 2017 dataset were deployed in SDN environment and produced 98.79% accuracy DDoS attack detection.

Polat et al. [6] proposed, K-Nearest Neighbour (KNN) which produced an accuracy of 94%. Latah and Toker [13] suggest KNN and NSL-KDD models for anomaly detection. The model produced 98.23% accuracy. However, the dataset used has a lot of redundant features. Latah and Toker [13] proposed a Multi-Vector DDoS attack detection mechanism. The mechanism produced 95.65% accuracy DDoS attack detection (Fig. 1).

Fig. 1

IDS placement

Figure 2 below shows the IDS placement. The IDS placement must be in a strategic position where it can be able to monitor all the network traffic both outbound and inbound.

Fig. 2

Proposed model semantic

Without proper safeguard, the network can be attacked at any time and the security goals which are Confidentiality, Integrity, and Availability (CIA) can be compromised. In terms of detecting DDoS attacks [14] indicates that, there are two methods of doing that, the first one is to inspect packets and the other one is to inspect the entry of flows. Software-Defined Network is an emerging network with a promising architecture where the whole network is managed from one central point. SDN architecture separates the control plane from the data plane and the application plane. Studies have shown that SDN is vulnerable to attacks [3].

Signature-based detection has been vulnerable to the new anomaly attack methods. Signature-based detection cannot detect an attack that is not in the signature database. Recurrent Neural Network (RNN) is regarded as one of the proposed models [15] which produce high accuracy in DDoS attack detection in SDN environments. However, it used an outdated dataset and the model produced 89% accuracy. Moreover, the SDN is a flow-based architecture and NSL-KDD 99 is not a flow-based dataset [16]. Multi-Layer Perception (MLP) is another model that can produce high-accuracy detection, but this model used the CTU-13 dataset. CTU-13 is mostly a botnet dataset and it is not a flow-based dataset (Table 1).

Table 1 Hardware and software used


This section discusses the complete methodology used in proposed model: Data definition, dataset processing, and the experiment part of the study. The proposed model used flow-based dataset (CICIDS 2017) and produced have-accuracy detection shown in comparison table in Table 2.

Table 2 Comparison table

The first step was collecting the CICIDS 2017 dataset which has 86 features. We used literature referencing to select for best features. We then split the data into 80% training set and 20% testing set. After splitting the data, the model was then trained and tested. After testing the decision tree, the results can decide whether it is a benign attack or DDoS traffic. Confusion matrix standard evaluation parameters are used to evaluate the model. The algorithm is defined as:




For a dataset to be considered for intrusion detection training and testing, it must have some features which are related to attacks. According to [17], if the classification category of a dataset is not evenly distributed, that dataset is imbalanced. NSL-KDD is Network Security Laboratory Knowledge Discovery Dataset designed for intrusion detection systems [15]. Kreutz et al. [18] state that NSL-KDD is not a flow-based dataset so it is difficult to train a flow-based intrusion detection system with a dataset that is not a flow-based. Moreover, the dataset is outdated.

Canadian Institute of Cybersecurity Intrusion Detection System (CICIDS) 2017 Dataset

CICIDS 2017 is a flow-based dataset with 3.1 million traffic flow records [13]. This dataset is a 5-day dataset with more than 11 different network attacks. The 5-day dataset is divided into eight files where Monday, Tuesday, and Wednesday have one file each while, Thursday and Friday have two files each divided as morning and afternoon files [5]. According to [18], the dataset fulfils all the requirements of an intrusion detection dataset, such as protocols, metadata, different attacks, etc. However, the dataset has some flaws. Below are some of the flaws of the CICIDS 2017 dataset:

  1. i.

    Big files—the dataset has big files which can be difficult to process using a computer with minimum resources (Small Random-Access Memory (SRAM) and small processor).

  2. ii.

    Missing values—Missing values are another problem of the dataset. Some features have missing values. Using features with missing values have negative results for the IDS. It is either a feature with missing values that can be dropped, or it can be replaced by calculating the average of the missing values which is another tiresome process.

  3. iii.

    Different files—the dataset has eight different files. Combining them requires a very good processor. Moreover, the file becomes very large after combining it.

  4. iv.

    high-class imbalance—CICIDS 2017 has a high-class imbalance where when used to train the classifier and the classifier will return biased results in favour of the majority class.

To come up with accurate results, all the problems need to be corrected before training the classifier.

Data Definition

CICIDS 2017 is an intrusion detection dataset which has 86 features. To understand all the 86 features, data definition was conducted where every feature was defined. This is a critical step for feature selection.

Dataset Processing and Feature Selection

Our dataset was having 86 features and for our proposed model to be efficient enough, dataset processing was conducted and features with missing values were dropped from the dataset. Moreover, our proposed model inputs numeric values, so the conversion of non-numeric to numeric values was also conducted.

Data normalization was conducted to improve the quality of our dataset. All values were scaled in ranges from 0 to 1 using the MiniMaxScaler formula. After that, we then used a literature review to conduct our feature selection. According to [3], the four best features are as follows:

  • Backward packet length (B. packet Len) Standard deviation (Std)

  • Flow Duration

  • Average Packet Size

  • Flow Inter Arrival Time (IAT) Standard deviation (Std).

Proposed Deep Learning Model

For efficient DDoS detection in SDN, this research work proposes a deep neural network model. Below is the layout of our DNN model.

Hardware and Software Used in the Experiment

Proposed model is a four-layer DNN model where four selected features are fed into the input layer. The input layer has? and 4. The question mark (?) represents any number between 0 and four and 4 represents the maximum number of inputs. The first layer has 128 neurons where the output of the input layer is then processed. The output of our input layer is 4. So, each output is then processed in the next layer which has 128 neurons. The output of our first layer is 128. 128 is then processed by the second layer and produced 64 neurons. The 64 neurons are then processed in the third layer and produced 32 neurons. 32 neurons are then processed by the fourth layer and produced 16 neurons. The 16 neurons are then processed by the output layer and produce a result that is either benign or DDoS traffic which is represented by (? 1) where the question mark is a 0. This is demonstrated by the steps below (Fig. 3):

Fig. 3

DNN model



  • True positive—correctly identified DDoS attack [3].

  • True negative—correctly identified benign records [15].

  • False-positive—incorrectly predicted DDoS attacks [3].

  • False-negative—incorrectly predicted benign traffic [3].

For evaluation, we used the following evaluation parameters:

  • Accuracy

  • Precision

  • Recall

  • F1-Score


This section shows how the results of the prosed model were calculated and interpreted (Fig. 4).

Fig. 4

DNN model loss


According to [15], loss is a predicting error of our DNN model. Figure 5 represents proposed model predicting error.

Fig. 5



Accuracy is the ability of the model to detect or perform DDoS attack detection in an SDN environment [3]. The control-based deep learning DDoS attack detection for SDN accuracy is represented in a graph below.

Figure 6 above shows the accuracy of our model. Our DNN model achieved 97.59% accuracy. The calculation of our model's accuracy will be demonstrated below confusion matrix.

Fig. 6

Confusion matrix

  1. i.

    Accuracy—shows the ability of the model to detect DDoS attacks [1].

    $$\mathrm{Accuracy} \left(A\right)=\frac{\mathrm{TP}+\mathrm{TN}}{\mathrm{TP}+\mathrm{TN}+\mathrm{FP}+\mathrm{FN}}*100,$$
    $$\mathrm{Accuracy} \left(A\right)=\frac{19448+12724}{19448+12724+558+541}*100,$$
    $$\mathrm{Accuracy} \left(A\right)=96.67\%.$$
  2. ii.

    Precision—number of accurately anticipated records [15]

    $$\mathrm{Precision} =\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FP}}*100,$$
  3. iii.

    Recall—number of effectively anticipated records out of absolute records [3].

    $$\mathrm{Recall} =\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FN}}*100,$$
    $$\mathrm{Recall} =\frac{19448}{19448+541}*100,$$
    $$\mathrm{Recall} =97.29\%.$$
  4. iv.

    F1-Score—the average between recall and precision [13].

    $$F1-\mathrm{Score} =\frac{2*\mathrm{TP}}{2*\mathrm{TP}+\mathrm{FP}+\mathrm{FN}}*100,$$

Figure 7 is a summary in graphical representation of the calculations (i)–(iv) above, which are the evaluation parameters used in this work.

Fig. 7

Comparison bar graph

The comparison table below compares the results of the proposed model with other state-of-the-art models.


To show the performance of proposed model, it used the standard evaluation parameters based on the confusion matrix results. Control plane-based deep learning model detect DDoS attacks correctly and accuracy was primary evaluation matric. The detection accuracy, precision, recall and F1 score of proposed models are 96.67%, 97.21%, 97.29% and 97.25%, respectively.


  1. 1.

    Akhunzada A, Ahmed E, Gani A, Khan MK, Imran M. Securing software defined networks. IEEE Commun Mag. 2015;53:36–44.

    Article  Google Scholar 

  2. 2.

    Garg S, Kumar N, Rodrigues JJPC, Rodrigues JJPC. Hybrid deep-learning-based anomaly detection scheme for suspicious flow detection in SDN: a social multimedia perspective. IEEE Trans Multimed. 2019;21(3):566–78.

    Article  Google Scholar 

  3. 3.

    Malik J, Akhunzada A, Bibi I, Imran M, Musaddiq A, Kim SW. Hybrid deep learning: an efficient reconnaissance and surveillance detection mechanism in SDN. IEEE Access. 2020;8:134695–706.

    Article  Google Scholar 

  4. 4.

    Li C, et al. Detection and defense of DDoS attack–based on deep learning in OpenFlow-based SDN. Int J CommunSyst. 2018;31(5):1–15.

    Article  Google Scholar 

  5. 5.

    Kim H, Feamster N. Improving network management with software defined networking. IEEE Commun Mag. 2013.

    Article  Google Scholar 

  6. 6.

    Polat H, Polat O, Cetin A. Detecting DDoS attacks in software-defined networks through feature selection methods and machine learning models. Sustain. 2020.

    Article  Google Scholar 

  7. 7.

    Manukian H, Traversa FL, Di Ventra M. Accelerating deep learning with memcomputing. Neural Networks. 2019;110:1–7.

    Article  MATH  Google Scholar 

  8. 8.

    Diego K, Fernando MVR, Paulo EV, Christian ER, Azodolmolky S, Steve U. Software-Defined Networking: a comprehensive survey. Ecum Rev. 2015;17(3):219–23.

    Article  Google Scholar 

  9. 9.

    Rehman AU, Aguiar RL, Barraca JP. Fault-tolerance in the scope of Software-Defined Networking (SDN). IEEE Access. 2019;7:124474–90.

    Article  Google Scholar 

  10. 10.

    Xia W, Wen Y, Foh CH, Niyato D, Xie H. A Survey on Software-Defined Networking. IEEE CommunSurv Tut. 2015.

    Article  Google Scholar 

  11. 11.

    Hwang RH, Peng MC, Huang CW, Lin PC, Nguyen VL. An unsupervised deep learning model for early network traffic anomaly detection. IEEE Access. 2020;8:30387–99.

    Article  Google Scholar 

  12. 12

    Su SC, Chen YR, Tsai SC, Lin YB. Detecting P2P Botnet in Software Defined Networks. SecurCommunNetw. 2018.

    Article  Google Scholar 

  13. 13.

    Latah M, Toker L. Towards an efficient anomaly-based intrusion detection for software-defined networks. IET Netw. 2018;7(6):453–9.

    Article  Google Scholar 

  14. 14.

    Cui Y, et al. SD-Anti-DDoS: fast and efficient DDoS defense in software-defined networks. J NetwComputAppl. 2016;68:65–79.

    Article  Google Scholar 

  15. 15.

    Jamadar RA. Network intrusion detection system using machine learning. Indian J SciTechnol. 2018;11(48):1–6.

    Article  Google Scholar 

  16. 16.

    Shone N, Ngoc TN, Phai VD, Shi Q. A deep learning approach to network intrusion detection. IEEE Trans Emerg Top ComputIntell. 2018;2(1):41–50.

    Article  Google Scholar 

  17. 17.

    Yulianto A, Sukarno P, Suwastika NA. Improving AdaBoost-based Intrusion Detection System (IDS) performance on CIC IDS 2017 dataset. J Phys ConfSer. 2019;1192(1):2019.

    Article  Google Scholar 

  18. 18.

    Kreutz D, Ramos FMV, Verissimo PE, Rothenberg CE, Azodolmolky S, Uhlig S. Software-defined networking: a comprehensive survey. Proc IEEE. 2015.

    Article  Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Auther Makuvaza.

Ethics declarations

Conflict of Interest

The authors declare that they have no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is part of the topical collection “Cyber Security and Privacy in Communication Networks” guest edited by Rajiv Misra, R K Shyamsunder, Alexiei Dingli, Natalie Denk, Omer Rana, Alexander Pfeiffer, Ashok Patel and Nishtha Kesswani.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Makuvaza, A., Jat, D.S. & Gamundani, A.M. Deep Neural Network (DNN) Solution for Real-time Detection of Distributed Denial of Service (DDoS) Attacks in Software Defined Networks (SDNs). SN COMPUT. SCI. 2, 107 (2021).

Download citation


  • Deep Neural Network
  • Distributed Denial of Service attack
  • Software-Defined Network