Enhancing SDN Controller Resilience to DDoS Attacks with IAT-Based Detection on CICIoT2023

Muhammad Agung Nugroho
Rikie Kartadie

Abstract

This study addresses the vulnerability of Software-Defined Networking (SDN) controllers to Distributed Denial of Service (DDoS) attacks, a critical issue for secure smart city and e-government applications. Using the CICIoT2023 dataset, we employed Random Forest with Recursive Feature Elimination and Cross-Validation (RFECV) to identify critical features for DDoS detection, validated through simulations in a Mininet/ONOS environment. Results reveal Inter-Arrival Time (IAT) as the most significant feature (importance score: 0.3200), with Controller Resources being the most vulnerable component (vulnerability score: 0.9048). DDoS-ICMP_Flood was the most effective attack (vulnerability score: 1.00), while Controller Distribution achieved a mitigation effectiveness of 0.9048. This research introduces a novel temporal feature-based detection approach, outperforming volume-based methods, and proposes adaptive mitigation strategies for SDN resilience. These findings enhance secure SDN deployment in dynamic IoT-driven environments.

Article Details

How to Cite
M. A. Nugroho and R. Kartadie, “Enhancing SDN Controller Resilience to DDoS Attacks with IAT-Based Detection on CICIoT2023”, INFOTEL, vol. 17, no. 3, pp. 584-611, Aug. 2025.
Section
Informatics
