5.2. Anomaly-Based Detection
This detection method can be categorised as behaviour-based, statistical anomaly-based, or baselining. It involves collecting data on the normal behaviour of users during a specific period [6]. Statistical tests are then used to determine efficiently whether a user is exhibiting normal behaviour or is being attacked, using Machine Learning techniques. Within Machine Learning-based detection there are two sub-categories, non-DL-based approaches and DL-based approaches, both of which belong to the Machine Learning family of approaches [23].
Non-DL-based approaches: Non-deep learning (DL) based approaches refer to machine learning techniques other than deep learning algorithms. These approaches include traditional machine learning algorithms such as decision trees, random forests, support vector machines, and naive Bayes classifiers. Non-DL-based approaches are often used in behaviour-based and statistical anomaly-based detection methods. They are effective in detecting known attack patterns but may struggle to detect complex or evolving attack techniques [19].
DL-based approaches: DL-based approaches utilise deep learning algorithms, such as artificial neural networks, convolutional neural networks (CNNs), or recurrent neural networks (RNNs). These approaches can automatically learn complex patterns and features from data, making them suitable for detecting sophisticated and evolving attack techniques. DL-based approaches are particularly effective in identifying unknown or zero-day attacks. However, they often require a large amount of labelled training data and considerable computational resources [20].
Overall, both non-DL-based and DL-based approaches are part of the broader category of machine learning approaches used for intrusion detection. The choice of approach depends on the specific requirements of the system, the available data, and the types of attacks to be detected.
Table 2.
Comparison of non-DL and DL Techniques in IDS within SDNs: Pros and Cons.
Aspect | non-DL Approaches within IDS in SDNs | Deep Learning (DL) Approaches within IDS in SDNs
Pros | - Interpretability and Explainability: Non-DL models offer explicit rules, aiding in understanding decision-making [24]. - Efficiency with Moderate-Sized Datasets: Techniques like SVMs perform well without excessive computational demands [22]. - Adaptive Learning: non-DL models can adapt to changing behaviours effectively [17]. - Availability of Off-the-Shelf Algorithms: A wide range of established non-DL algorithms are available. | - Complex Feature Extraction: DL architectures excel in extracting intricate features from raw data [24]. - Superior Accuracy in Complex Scenarios: DL models often achieve higher accuracy [23]. - Adaptability to Diverse Data Structures: DL methods can process diverse data formats without explicit feature engineering [19]. - Potential for Real-Time Decision-Making: Optimised DL architectures enable rapid decisions [11].
Cons | - Struggles with Complex Data Patterns: Traditional non-DL methods might struggle to discern intricate attack patterns. - Limited Scalability: Some non-DL models face challenges in handling large-scale SDNs effectively [9]. - Dependency on Feature Engineering: Some non-DL techniques require manual feature engineering [11]. | - High Computational Demands: DL models require substantial computational resources [4]. - Black-Box Nature and Interpretability: DL architectures often result in opaque models [8]. - Data Dependency and Overfitting Risks: DL models are highly data-dependent and prone to overfitting [11].
Table 3 provides an overview of the advantages and disadvantages of the classifiers that are widely used for anomaly detection.
The non-DL and DL based approaches need a dataset to train and test the models to be ready for attack detection. There are two methods to train such models, which are simulation-based and public datasets-based.
The simulation-based mechanism uses a simulation method to generate the dataset in order to train and test the non-DL classifiers. These classifiers categorise the traffic into abnormal or normal.
Figure 4 shows the sequential stages in creating a simulation dataset. In these methods, the researchers built a network topology that included regular hosts to generate normal traffic and bot hosts to generate abnormal traffic. Scapy and Wireshark are open-source tools that researchers used to simulate and generate DDoS, DoS, Probe, Portscan, U2R, and R2L attacks. Features such as protocol type, source IP address speed, source port rate, and flow packets are extracted from the normal and abnormal traffic. After pre-processing, these features are stored in a CSV file as the raw data used to train the proposed models [36]. Once the model has been trained, it is ready to apply non-DL algorithms to classify normal and malicious packets in the SDN environment accordingly.
Work following the public-dataset-based method utilises public datasets to train and test models. The selection of these datasets is crucial for achieving efficient and accurate Intrusion Detection Systems (IDS). However, it should be noted that most publicly available datasets are not realistic and do not include most types of attacks. Consequently, this can have a negative impact on the accuracy and performance of IDS [37]. The main reasons behind the inadequacy of these datasets are privacy and legal concerns. Additionally, these datasets tend to be outdated and may not encompass the latest behaviours. Furthermore, such datasets often contain many duplicate records. Consequently, using such datasets yields low accuracy and performance [37]. The public datasets that are currently available were gathered from conventional networks rather than SDN networks. These datasets contain certain characteristics that cannot be observed in SDN networks [37]. Numerous published datasets also incorporate various attacks, such as KDD'99, NSL-KDD, CICIDS2017, ISCX2012, Kyoto, and CSE-CIC-IDS2018 [37].
KDD'99: The KDD'99 dataset is widely used for the evaluation of anomaly detection methods. Some pitfalls and problems of KDD'99 led to the creation of NSL-KDD, which is a refined version of the KDD'99 dataset.
CICIDS2017: Another dataset from the Canadian Institute for Cybersecurity, this dataset is much newer and includes modern attack behaviours. It is highly regarded for having a balance of multiple types of network intrusions and normal behaviours, which allows for a comprehensive evaluation of IDS.
ISCX2012: Created by the Information Security Centre of Excellence (ISCX), this dataset is recognised for its extensive coverage of both normal and attack traffic.
Kyoto: Kyoto University's Honeypot datasets are among the most comprehensive ones for IDS as well. These datasets include a wide variety of attacks, including less common ones, making them quite useful for intrusion detection research.
CSE-CIC-IDS2018: This dataset is another product of the Canadian Institute for Cybersecurity, and it is one of the most recent and comprehensive datasets for developing and training IDS. It contains a wide array of updated attacks, which provides researchers with a current 'snapshot' of internet traffic to assist in IDS development and training.
Table 4.
A summary of the used datasets in IDS approaches.
Dataset | Year | No. of Features | Notable Attack types | Method of Data Collection
KDD'99 | 1999 | 41 | U2R, R2L, DoS, Probe | Simulated network traffic
NSL-KDD | 2009 | 41 | U2R, R2L, DoS, Probe | Improved version of KDD'99 with unnecessary duplicates removed
CICIDS2017 | 2017 | 80 | Brute Force, DoS, Heartbleed, Web Attack, Infiltration, Botnet | Real network traffic
ISCX2012 | 2012 | 283 | HTTP, DoS, scanning, infiltration | Simulated network traffic
Kyoto | 2006 | Depends on varied releases | Wide array, including less common and recent attacks | Honeypots and real network traffic
CSE-CIC-IDS2018 | 2018 | 78-85 depending on the scenario | Brute Force, DoS, Heartbleed, Infiltration, Web Attacks | Real network traffic
5.2.1. Non-Deep Learning-based Approaches
Non-Deep Learning (non-DL) approaches refer to machine learning techniques that do not involve deep learning algorithms [31]. These approaches are often based on traditional machine learning algorithms, which are shallower models with fewer layers [32]. Here are some examples of non-DL approaches in the context of intrusion detection systems (IDS):
1. Decision Trees: Decision trees are a type of non-DL approach used in IDS. They work by recursively splitting the data into subsets based on feature values, creating a tree-like structure. The leaves of the tree represent decisions, and the path from the root to a leaf represents a classification or prediction. Decision trees can be used for both anomaly detection and signature-based detection, where they classify network traffic or user activities based on predefined rules or patterns [29].
2. Random Forests: Random forests are an ensemble learning method that builds multiple decision trees and combines their predictions to improve the overall accuracy and robustness of the model. They are effective in IDS due to their ability to handle high-dimensional data and different feature types. Random forests can be used for both anomaly detection and signature-based detection, as well as for predicting the severity of detected threats [28].
3. Support Vector Machines (SVM): SVMs are a powerful non-DL approach for classification and regression tasks. They work by finding the optimal hyperplane that separates different classes of data points. In the context of IDS, SVMs can be used to classify network traffic or user activities based on known attack patterns or features. SVMs are known for their effectiveness and efficiency in handling large datasets and high-dimensional feature spaces [33].
4. Naive Bayes Classifiers: Naive Bayes classifiers are a family of probabilistic classifier algorithms based on Bayes' theorem. They are "naive" because they assume that the features are conditionally independent given the class label. Naive Bayes classifiers are often used in IDS for both anomaly detection and signature-based detection. They are known for their simplicity, efficiency, and effectiveness in handling high-dimensional data and text data, such as logs or network traffic [34].
5. K-Nearest Neighbours (KNN): K-Nearest Neighbours (KNN) is a non-DL approach used for classification and regression tasks. KNN works by finding the k nearest data points (neighbours) to a given data point and assigning the majority class label, or predicting the mean value, based on these neighbours. In the context of intrusion detection systems, KNN can be used for anomaly detection or signature-based detection by comparing the features of observed network traffic or user activities with known normal or malicious patterns [26,30].
6. Linear Regression: Linear regression is a non-DL approach used for modelling the relationship between a dependent variable and one or more independent variables. In the context of intrusion detection systems, linear regression can be used to model the relationship between different features of network traffic or user activities and the likelihood of an attack. This can be useful for detecting anomalous behaviour or predicting the severity of detected threats. Although linear regression is not typically used for anomaly detection, it can still be applied to other aspects of intrusion detection systems [27].
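As an added example (not code from any of the surveyed papers), the following Python script walks through the simulation-based pipeline of Figure 4 together with the KNN classifier of item 5: it extracts the features the section names (protocol type, source IP address speed, source port rate, flow packets) from flow-table windows, stores them as CSV raw data, trains a standard-library KNN on them, and computes the Detection Rate and False Alarm Rate used throughout the reviews below. The flow records, the 5-second collection window and the feature encodings are constructed assumptions.

```python
import csv
import io
import math
from collections import Counter

WINDOW_SECONDS = 5  # assumed flow-statistics collection interval (seconds)
FEATURE_NAMES = ["flows", "src_ip_speed", "src_port_rate", "pkts_per_flow", "tcp_share"]


def extract_features(flows, window_seconds=WINDOW_SECONDS):
    """Reduce one collection window of flow-table entries to a numeric feature dict.

    Each flow is a tuple (src_ip, dst_ip, src_port, dst_port, proto, packet_count).
    """
    if not flows:
        return dict.fromkeys(FEATURE_NAMES, 0.0)
    src_ips = {f[0] for f in flows}
    src_ports = {f[2] for f in flows}
    tcp_flows = sum(1 for f in flows if f[4] == "TCP")
    total_pkts = sum(f[5] for f in flows)
    return {
        "flows": float(len(flows)),
        # source IP address speed: distinct sources appearing per second
        "src_ip_speed": len(src_ips) / window_seconds,
        # source port rate: distinct source ports per second (randomised ports inflate it)
        "src_port_rate": len(src_ports) / window_seconds,
        # flow packets: average packets carried per flow (floods create many tiny flows)
        "pkts_per_flow": total_pkts / len(flows),
        # protocol type, encoded as the fraction of TCP flows in the window
        "tcp_share": tcp_flows / len(flows),
    }


def to_csv(labelled_windows):
    """Serialise (feature dict, label) pairs to CSV, the raw-data form used for training."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FEATURE_NAMES + ["label"])
    writer.writeheader()
    for feats, label in labelled_windows:
        writer.writerow({**feats, "label": label})
    return buf.getvalue()


def from_csv(text):
    """Parse the CSV back into (feature vector, label) pairs in FEATURE_NAMES order."""
    return [([float(row[n]) for n in FEATURE_NAMES], row["label"])
            for row in csv.DictReader(io.StringIO(text))]


class KNNClassifier:
    """k-nearest neighbours: min-max scale on the training set, then majority vote."""

    def __init__(self, k=3):
        self.k = k

    def fit(self, rows):
        vectors = [v for v, _ in rows]
        self.lo = [min(col) for col in zip(*vectors)]
        self.hi = [max(col) for col in zip(*vectors)]
        self.rows = [(self._scale(v), label) for v, label in rows]
        return self

    def _scale(self, v):
        # Scale every feature to [0, 1] so raw packet counts do not dominate the rates
        return [(x - lo) / (hi - lo) if hi > lo else 0.0
                for x, lo, hi in zip(v, self.lo, self.hi)]

    def predict(self, v):
        q = self._scale(v)
        nearest = sorted((math.dist(q, x), label) for x, label in self.rows)[: self.k]
        return Counter(label for _, label in nearest).most_common(1)[0][0]


def detection_metrics(predicted, actual):
    """Detection Rate (TP / attack windows) and False Alarm Rate (FP / normal windows)."""
    tp = sum(1 for p, a in zip(predicted, actual) if p == a == "attack")
    fp = sum(1 for p, a in zip(predicted, actual) if p == "attack" and a == "normal")
    attacks, normals = actual.count("attack"), actual.count("normal")
    return {"detection_rate": tp / attacks if attacks else 0.0,
            "false_alarm_rate": fp / normals if normals else 0.0}


# --- Constructed sample windows (not captured traffic) -------------------------
def normal_window(n_hosts, pkts_per_flow):
    """n_hosts clients, each holding one long-lived HTTPS flow to an internal server."""
    return [(f"10.0.0.{i + 1}", "10.0.1.10", 40000 + i, 443, "TCP", pkts_per_flow)
            for i in range(n_hosts)]


def flood_window(n_sources, proto):
    """n_sources spoofed addresses, each producing a single-packet flow from a random port."""
    return [(f"198.51.100.{i + 1}", "10.0.1.10", 1024 + (i * 37) % 60000, 80, proto, 1)
            for i in range(n_sources)]


TRAIN = ([(normal_window(h, p), "normal") for h, p in [(3, 120), (5, 80), (8, 200), (4, 60)]]
         + [(flood_window(n, pr), "attack")
            for n, pr in [(150, "TCP"), (200, "UDP"), (250, "TCP"), (180, "UDP")]])


def build_training_csv():
    return to_csv([(extract_features(w), label) for w, label in TRAIN])


def classify_windows(windows, k=3):
    """Train on the CSV raw data and label each given flow-table window."""
    model = KNNClassifier(k).fit(from_csv(build_training_csv()))
    return [model.predict([extract_features(w)[n] for n in FEATURE_NAMES]) for w in windows]


if __name__ == "__main__":
    tests = [normal_window(6, 90), flood_window(220, "TCP"), flood_window(220, "UDP")]
    labels = classify_windows(tests)
    print(labels, detection_metrics(labels, ["normal", "attack", "attack"]))
```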
The paper in [24] presents a non-DL-based approach to identifying attacks. The system is a flow-based IDS designed with the limitations of signature-based IDS in mind. The controller uses a neural network algorithm to classify each packet. The proposed IDS uses the NSL-KDD public dataset for implementation and training, aiming to detect DoS, U2R, R2L, and Probe attacks. The model achieved a Detection Rate of 97.4%. However, using a small database during the training stage negatively impacts the detection accuracy of real tests. The features are extracted solely from the packet header and do not cover attack behaviours. Moreover, the dataset used contains redundant records. Implementing non-DL approaches within an IDS poses the challenge of a bottleneck and a single point of failure at the controller, since it must process every packet. Additionally, the proposed model requires a feature selection method to choose features that are effective during an attack.
The researchers in reference [36] conducted a comprehensive analysis of the existing non-DL approaches for detecting malicious traffic in SDN environments. The evaluation involved identifying the limitations of each algorithm and performing experiments using a publicly available database. The algorithms analysed included Support Vector Machine (SVM), Naïve Bayes, K-Nearest Neighbours (KNN), Adaptive Support Vector Machine (ASVM), Hidden Markov Model (HMM), K-means, Random Forest, Bayesian Networks, Decision Tables, K-medoids, and fuzzy control models. These algorithms were assessed based on previous research, considering their features, classes, datasets, and sizes. However, it should be noted that the comparison of these algorithms is not entirely fair, as each algorithm has its own advantages and disadvantages in different areas. For instance, the paper fails to mention the specific use case of K-means in clustering compared to SVM in classification. These algorithms cannot be directly compared because K-means is effective at separating datasets based on patterns, whereas SVM excels at separating data with predefined patterns, so proper selection remains a challenge. Principal Component Analysis (PCA) is used to reduce the number of parameters required for algorithms that necessitate manual parameter analysis, although it does not address this challenge. The evaluation process for these algorithms involves measuring precision, recall, F-score, and accuracy. However, the scores attained by each algorithm do not necessarily imply the same advantages and disadvantages across the board, and the paper lacks an in-depth analysis of these differences. Lastly, the paper mentions that deep learning (DL) is the most effective method for detecting unknown attacks; however, only non-DL algorithms were tested, and DL algorithms were not considered. Among the non-DL algorithms tested, the J48 algorithm achieved the highest accuracy, 81.5%. The authors did not provide a technique to mitigate the overhead caused by the Intrusion Detection System (IDS) when installed on the controller.
The authors in [38] used the SVM algorithm to identify DDoS attacks in the SDN architecture. The methodology includes the implementation of a system called "Flow Status Collection", but there is no explanation of how this system works. The algorithms are briefly described, but no code is provided for analysing the implementation, which creates uncertainty. Despite being a learning model designed for training with limited data, a feature selection method still needs to be implemented to achieve better results for this type of attack. The results show that the highest detection rate achieved is 98%. However, since this approach yields some non-real values, the resulting false positives can be concerning. If the false positive rate is not 5.88%, it could be up to 7 or 8 times higher because of the type of infrastructure, which is known to have the aforementioned issues. This method faces the challenge of implementing solutions to DDoS attacks. Although successful, it lacks a variety of datasets for a better-trained model. Integration with datasets from multiple frameworks, and public trials for research purposes, is still missing.
In this paper [39], the researchers created a simulation platform using Mininet in the SDN network in order to identify DDoS attacks. They employed an SVM classifier to classify each incoming packet. Characteristic values were extracted from the flow table collection to provide input for the classifier during the attack detection process. However, this flow table collection did not undergo a feature selection process, which means that certain features could impact the performance and accuracy of the classifier. This presents a challenge concerning the appropriate selection method. Another challenge addressed was the efficient processing of packets, as DDoS attacks involve processing large volumes of data within short periods. However, these particular features were not covered by the practices employed for detecting DDoS attacks. Consequently, while the detection results may be helpful, the performance could be insufficient depending on the testing environment, potentially resulting in a bottleneck at the controller. Based on the results, the highest accuracy rate was achieved through testing using a dataset consisting of 600 TCP packets, resulting in an accuracy of 96.83%. The overall best results were obtained for the TCP protocol compared to UDP and ICMP, as the TCP protocol provides more network fields for classification. Conversely, UDP offers fewer fields but is more representative in terms of the analysed application. Lastly, ICMP exhibits distinctive characteristics in the payload which allow for individual behaviour during attacks. The proposed system achieved a detection accuracy rate of 95.24% and a false alarm rate of 1.26%.
The authors in [40] designed a detection model for the SDN network. They used an improved version of SVM to identify DDoS attacks. However, some challenges remain unsolved, including performance degradation and efficient packet processing. In this model, packets go through the entire SDN network, including the flow entries of the OpenFlow switches, OpenDaylight, and finally the API of ASVM. This allows ASVM to classify each packet as an attack or not. The testing process faces the challenge of using realistic datasets or environments. The testing was done with 1000 packets, which is an average number under normal conditions. However, a DDoS attack is not a normal condition; it is the worst condition, where the infrastructure is heavily stressed. Additionally, latency increases significantly, although it is considered to be 0.1 seconds under typical conditions in the testing scenario. Furthermore, the model does not consider obfuscated information, a technique attackers use to bypass the fingerprinting process of security controls. The accuracy of the model was around 97% when trained with the minimum required time. However, this does not mean that the algorithm was optimal. More features related to improvements over SVM, and a comparison with a normal implementation of SVM and ASVM, are missing. The goal of the study was to achieve better results than a regular version.
In the study in [41], the authors introduced a management framework that combines techniques from information theory with non-DL algorithms. The objective of this research is to address the categorisation of traffic analysis. The main challenge lies in efficiently processing packets, so the authors proposed a comprehensive approach to understanding SDN networks. The problem starts with the involvement of human intervention, as using SDN is manageable at a broad level but not at a detailed level. Moreover, extracting network traffic profiles requires significant memory usage, which introduces the issue of selecting appropriate features when dealing with large amounts of data. On a different note, the authors implemented K-means for clustering and SVM (Support Vector Machine) for the classification of abnormal traffic. However, since a clustering algorithm was used to create subsets, there might be an impact on performance. In the testing phase, the authors described the behaviour of DDoS (Distributed Denial-of-Service) and port scanning attacks. The results achieved an accuracy of 88.7% and a precision of 82.3%, which is considered low compared to previous works. However, the cause of this low accuracy is not discussed. Nevertheless, one could speculate that the main issue lies in integrating directives from a user-friendly interface executed in a technical and low-level environment, even when the collection and analysis time is only 0.075 in a topology involving 100 switches.
The authors of the paper in [42] focused on this essential requirement and presented a solution called Eunoia. The proposed model is an IDS based on non-DL in the SDN network. Eunoia aims to monitor, detect, and control any malicious or suspicious traffic in SDN that could harm its internal operations and result in network intrusion. The presented solution consists of three subprocesses: data pre-processing (filtering irrelevant data traffic to provide valuable data), data modelling (applying chosen algorithms to predict new audit data), and decision-making and response (helping SDN respond to analysis results through an active learning process and reactive routing in SDN). However, it faces numerous challenges, such as the need for sufficient computational power to handle and process the large amount of malicious traffic entering the SDN-based network intrusion system. The features extracted in the model separate valuable data from non-valuable data. The active learning and reactive routing data further examine the analysis results and store the implemented results. Another relevant challenge is efficient packet processing, to avoid causing bottlenecks and deteriorating the system to the point of crashing or going on standby.
The authors in reference [43] enhanced the SVM (Support Vector Machine) by adopting a behaviour-based approach to integrate the learning algorithm's functionality for monitoring and categorising threats. The feature extraction method was based on an information gain approach, which described each variable accordingly. However, the process and selection of variables were not defined. While the selection method was described as based on top-ranked features, setting a proper feature selection remains a significant challenge for NIDS (Network Intrusion Detection Systems). The SVM algorithm's hyperparameters were mentioned, but it was not explained why they were set within specific ranges. This presents a challenge for NIDS, as it aims to ensure consistent and accurate evaluations. The SVM implementation used neither optimised frameworks nor custom-made modifications to other implementations. The main objective of this paper was to identify various attacks, yet the tests conducted focused solely on DoS (Denial of Service) attacks. Consequently, the algorithm demonstrated a high accuracy rate of 97.63% in identifying such attacks. However, the proposed model may not be suitable for large-scale networks and requires an efficient method for processing each packet. Furthermore, this model needs to incorporate a feature selection technique that captures the behaviours of the selected attack.
In this research paper [44], the researchers presented a model designed to ensure that the SDN structure is self-adaptive while responding to network events. This is done by analysing misbehaviour and new-flow attacks. The analysis is conducted using non-DL algorithms to classify such behaviours. The proposal has multiple strategic points where analysis needs to be performed. The first is when the traffic is new: it must be determined whether it is an attack or not. The second is when the traffic is unknown: it needs to be analysed in detail. However, the challenge of waiting for the client to request the resource in a timely manner is not addressed in the paper. Efficient packet processing is essential, especially during DDoS attacks, which generate large amounts of abnormal traffic. The algorithm's performance can be impacted if the attack lasts for several hours. The paper mentions that there are 41 features, which raises the issue of how to properly select these features. Unfortunately, this aspect is not covered in the paper. Consequently, it affects the performance of the algorithm and its execution for each incoming sample from the network traffic. On another note, only 20% of the total samples were used for training, while typically 60% and 40% are used for training and testing. However, the paper does not provide any analysis of the samples that were not used. Despite this, the SMO classification achieves an accuracy of 99.4%, which is impressive. Finally, the equation used to identify misbehaviour attacks is simply a calculation of distances between values. Therefore, there is no in-depth analysis of correlation or variance.
The authors in [45] introduced an inference-based IDS for DoS attacks in SDN. The proposed IDS is responsible for managing the separation of network structure information from the control plane. The proposed approach is based on Graph Theory, which focuses on the relationship of context to predict attacks. The authors used the CAIDA dataset and a specific dataset containing labels per connection to test the system. They evaluated this IDS using Precision, Recall, and F-score measurements, with respective results of 0.84, 0.78, and 0.81. This method can also help mitigate the effects of DoS attacks in SDN. However, this approach uses a large amount of data and requires packet processing, which can impact the performance of the controller. Furthermore, the features extracted were taken from the header information, and some of these features, such as the Node type, were not relevant or used to identify the DoS attack. Additionally, the selected features do not cover the behaviours of a DoS attack. As a result, an attacker can easily evade this model when initiating an attack.
In this paper [46], the researchers presented a method for detecting network-based attacks such as DoS and Probe attacks in SDN. The proposed system used the Decision Tree approach with the C4.5 algorithm and the 1999 DARPA dataset. The C4.5 algorithm prevented overfitting of the data and dealt with missing attribute values in the training data. The researchers claim that this method can effectively mitigate the impact of DoS and Probe attacks in SDN. They evaluated the model using Precision and Recall measurements, achieving results of 0.989 and 0.964 for the DoS attack, and 0.984 and 0.921 for the Probe attack, respectively. However, their use of the 1999 DARPA dataset for training is questionable, since it does not include features related to new types of DoS attacks, and attackers frequently come up with new behaviours for DoS and Probe attacks. The integration of the SDN controller and the IDPS requires a large number of control packets to monitor traffic, which poses another challenge that needs to be addressed in their work.
In this paper [47], the authors presented an IDS that identifies DDoS attacks in SDN networks using traffic data. The proposed system utilises the NOX controller. The main concept is to use a Flow Collector to retrieve traffic information from the flow table. A Self-Organizing Maps (SOM) algorithm is employed to classify the traffic as normal or malicious. The system's performance is evaluated based on Detection Rate and False Alarm Rate measurements, which yield results of 98.61% and 0.59 respectively. However, it is worth noting that the training stage utilises a small dataset, which negatively impacts the accuracy of real tests. Furthermore, the extracted features considered only the packet header, failing to capture the complete behaviour of DDoS attacks. Consequently, attackers can easily bypass the system by modifying the header information to resemble a regular packet. Moreover, it is important to extend the scope of the research to include other attack types such as Probe and U2R. Additionally, the authors did not provide any method for preventing the detected attacks.
The authors in [48] proposed an Intrusion Detection System (IDS) for SDN using the Support Vector Machine (SVM) algorithm. They used a kernel function to classify network traffic into normal and abnormal. Such kernel functions are commonly used to transform the dataset into a higher dimension and support linear classification. The proposed system is capable of detecting IPsweep, Probe, and DDoS attacks in the control plane. To evaluate the system, the authors used the 1998 DARPA and 2000 DARPA datasets for training and testing. Each dataset contains different types of attacks. The system achieved a 94.81% accuracy rate and a 0.11% false alarm rate. However, the number of extracted features is insufficient for understanding attack behaviours, and some features are unrelated to attack practices. Additionally, the SVM classifier takes longer during the training stage. Furthermore, the controller needs to examine all pass-through packets to classify them properly. This process can overwhelm the controller, leading to flooding and congestion.
This paper [49] presents an anomaly-based detection method. This method functions by integrating with the OpenFlow switch. The proposed model helps to prevent and detect both known and unknown attacks in SDN networking. The J48-tree algorithm, a variant of the C4.5 decision tree designed for classification purposes, has been utilised. The proposed model has been implemented on the NetFPGA10G board. The system achieved a 91.81% detection rate and a 0.55% false alarm rate. The training and test stages employed the KDD'99 public dataset. However, the authors failed to consider the large amount of data present in an extensive network, which requires significant time and energy for efficient processing. This can result in overloading the controller and the switches, as the OpenFlow switches inspect each incoming packet and send it to the controller for appropriate action, leading to flooding. Moreover, the proposed system extracts an excessive number of features during the investigation stage, thereby consuming the network's resources.
The researchers in [50] implemented five Intrusion Detection System (IDS) models in an SDN network using various non-DL algorithms. These algorithms include Self-Organizing Maps (SOM) and Learning Vector Quantization (LVQ1), along with their modified versions. The non-DL algorithms utilised in this study are as follows: Self-Organizing Maps (SOM), Multi-pass Self-Organizing Maps (M-SOM), Learning Vector Quantization (LVQ1), Multi-pass Learning Vector Quantization (M-LVQ1), and Hierarchical Learning Vector Quantization (H-LVQ1). These approaches are considered types of Artificial Neural Networks (ANN). The proposed models aim to detect multi-level attacks such as Probe, U2R, R2L, and DoS by classifying the network traffic. All the implemented models have shown successful results, with an average True Positive Rate of 94%. However, the authors created a dataset containing features that are highly specific and easily extracted from the packet header. As a result, these implemented models may not be effective in detecting real network attacks or capturing their behaviours. Furthermore, the authors have not taken into consideration the challenges of handling large-scale networks with a high volume of packet processing flows. Moreover, the integration of the SDN controller and the IDS introduces an overhead on the controller, leading to controller flooding. This issue poses another challenge that needs to be addressed.
The researchers in [51] introduced a method to handle the dynamic nature of SDNs in order to detect DDoS attacks in the application plane. They accomplished this by classifying the incoming traffic using non-DL algorithms. The specific algorithms employed were Naive Bayes, KNN, K-means, and K-medoids. For the experiment, a private dataset taken from a real network's trace file was utilised to train and test the models. The accuracy of the implemented algorithms was measured using the Detection Rate metric, with results of 94%, 90%, 86%, and 88% respectively. However, 50 features were utilised to train and test the models, which requires substantial memory and leads to a lengthy process. As a result, when an attack begins shortly after, the controller will experience a significant overhead.
Lataha and Toker [52] conducted an analysis to demonstrate that SDN can be used as a solution for DoS attacks. Their proposed intrusion detection model has two phases: the first is flow-based and the second is packet-based. A drawback of this design is its high resource utilisation, since packets are filtered and analysed in two stages, much like a stateless and a stateful firewall, which degrades performance at high incoming data rates. The flow-based phase detects malicious flows by comparing them with legitimate flows using the KNN approach; however, because SDN manages the network at a higher level of abstraction, the features available for manipulation are restricted. The packet-based phase uses a neural network, which successfully separates legitimate from malicious traffic, although the algorithm mainly excels at separating those two classes. Since the flow-based phase has already classified the malicious traffic, the packet-based phase should reuse that result and consider additional properties not captured at the flow level. The approach achieved an accuracy of 91.27% and a precision of 0.99 on the NSL-KDD dataset, outperforming KNN, neural networks, and other algorithms under the same conditions. Although the false positive rate improved, the processing time did not, as the system still has to perform packet processing and remains limited by the controller bottleneck.
The authors in [53] proposed an IDS for the SDN environment. Their model is based on Artificial Intelligence (AI) and has two processing stages: one selects features with a Bat algorithm using swarm division and binary differential mutation, and the other classifies the network traffic with the Random Forest algorithm. The system can identify various attack types, including DoS, Probe, DDoS, U2R, and R2L. It was trained and tested on the KDD Cup 1999 dataset and achieved an accuracy of 96.3%. However, the classifier requires more time in the training stage. Additionally, the controller must examine every packet passing through it for classification, which increases overhead and makes the controller a bottleneck. Moreover, the limited size of the raw dataset used for training limits the achievable detection accuracy, highlighting the need for a larger and more diverse dataset.
The researchers in [54] presented an IDS based on an Artificial Intelligence (AI) algorithm, implemented in an SDN context to detect Distributed Denial-of-Service (DDoS) attacks in Home and Small Office/Home Office (SOHO) networks. The approach uses TRW-CB (Threshold Random Walk with Credit-Based rate limiting) and Rate Limiting techniques to classify traffic in real time. The authors collected datasets from three locations, a home network, a SOHO network, and an Internet Service Provider (ISP), merging the captures with the Mergepcap tool, and used them to train the model. The model extracts essential features from packet headers at the SDN controller for classification, and the NOX controller was used. In the experiment, a detection rate of 90% was achieved with a 70% false positive rate. However, the small number of extracted features hinders detection, as they do not cover all possible attack behaviours, and an attacker can bypass the IDS simply by modifying packet headers to resemble regular traffic. The authors also did not consider the controller bottleneck in a large-scale network, where the controller cannot perform its functions efficiently. A lightweight and efficient packet processing method is therefore needed.
The researchers in [55] proposed a non-DL approach for the SDN-based 5G environment to identify DDoS, DoS, U2R, and R2L attacks at the SDN controller. K-means++ and AdaBoost were used for traffic classification, and Random Forest (RF) for feature selection. The system was evaluated on the widely used KDD Cup 1999 IDS dataset and achieved an average classification accuracy of 84%. However, RF failed to select features that cover U2R and R2L attack behaviour, so detection accuracy for those attacks is low. As in the previous study, the selected features were extracted from packet headers and were insufficient to characterise attack behaviour. The authors also did not address the controller bottleneck in large-scale networks, where the controller cannot perform its functions efficiently; a lightweight and efficient packet processing method is needed here too.
Sathya and Thangarajan [56] focused on security violations in the SDN environment and on how anomaly-based detection can identify them in order to prevent attacks. The authors advocate an Intrusion Detection System (IDS) that recognises Denial of Service (DoS), Probe, User to Root (U2R), and Remote-to-Local (R2L) attacks. The model uses the NSL-KDD dataset, which contains these four attack categories. The feature selection stage, based on the Binary Bat algorithm, selected 27 features for DoS, 26 for U2R, 33 for Probe, and 33 for R2L. The system achieved detection rates of 90.9%, 91.1%, 80.2%, and 98.1%, with false alarm rates of 0.111%, 0.249%, 0.69%, and 0.887%, for DoS, Probe, R2L, and U2R attacks respectively. However, the system did not reach the highest accuracy or the lowest false alarm rate among comparable approaches, and it failed to keep the number of features selected by the Binary Bat algorithm small, resulting in excessive processing time and memory usage at the controller.
In [57], the authors proposed an IDS for SDN environments that identifies DDoS attacks using a Sequential Probability Ratio Test (SPRT). The IDS was tested with the Defence Advanced Research Projects Agency (DARPA) intrusion detection datasets and compared against other techniques. However, the algorithm requires datasets with the same features as the target environment, which is a problem because rapid technological change has rendered the DARPA dataset obsolete. The attacks used to test the SDN environment include DDoS, Neptune, smurf, ipsweep, and portsweep, not all of which target SDN specifically. The SPRT parameters were set manually, and further testing under different parameter combinations is needed to improve performance. The main shortcoming is the method's inability to accurately identify DDoS attacks at the SDN controller with an acceptable threshold. It is also ineffective for detecting DDoS attacks against a single host, where it generates false positives because the attack rules differ, which shows that the method does not generalise to the flows expected in distributed environments.
In [69], the authors presented a system called HFS-LGBM IDS for SDN attack detection. The HFS model combines the benefits of correlation-based feature selection and Random Forest Recursive Feature Elimination, and the NSL-KDD dataset and Mininet were used to evaluate and test the system. However, NSL-KDD is outdated and not representative of real-world network traffic, which negatively affected the system's accuracy. Moreover, only eight features were considered significant, which is insufficient to predict the flows accurately. Integrating the SDN controller with the IDS required a high volume of flows to be checked, overloading the controller, which is another challenge that needs to be addressed.
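Both the SPRT used in [57] and the TRW-CB rate limiting used in [54] reduce to a sequential test over a per-source stream of connection outcomes, with a decision threshold derived from the tolerated error rates rather than set by hand. The following Python block is an added example and is not code from either paper: it implements Wald's Bernoulli SPRT together with a simplified credit-based limiter in the style of TRW-CB. The observation model (a first-contact flow that receives no reply counts as a failure), the hypothesis probabilities, the error rates, the credit amounts and the flow records are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class SPRTDetector:
    """Wald's SPRT on a Bernoulli stream: H0 benign (p = theta0) vs H1 attack (p = theta1).
    Added example, not code from [54] or [57]; all defaults are illustrative assumptions.
    """
    theta0: float = 0.2   # assumed P(failed first-contact flow) for a benign source
    theta1: float = 0.8   # assumed P(failed first-contact flow) for an attacking source
    alpha: float = 0.01   # tolerated false-positive rate
    beta: float = 0.01    # tolerated false-negative rate

    def __post_init__(self) -> None:
        if not 0.0 < self.theta0 < self.theta1 < 1.0:
            raise ValueError("need 0 < theta0 < theta1 < 1")
        # Wald's boundaries on the cumulative log-likelihood ratio (LLR).
        self.upper = math.log((1.0 - self.beta) / self.alpha)  # LLR >= upper -> accept H1
        self.lower = math.log(self.beta / (1.0 - self.alpha))  # LLR <= lower -> accept H0
        # Per-observation LLR increments: a failure pushes toward H1, a reply toward H0.
        self.step_fail = math.log(self.theta1 / self.theta0)
        self.step_ok = math.log((1.0 - self.theta1) / (1.0 - self.theta0))

    def classify(self, llr: float) -> Optional[str]:
        if llr >= self.upper:
            return "attack"
        if llr <= self.lower:
            return "benign"
        return None  # undecided: keep sampling

@dataclass
class SourceState:
    llr: float = 0.0
    credits: int = 10
    observations: int = 0
    verdict: Optional[str] = None

class FlowMonitor:
    """Per-source random walk plus a simplified credit-based limiter (TRW-CB style).
    A first-contact flow costs one credit; a flow that gets a reply refunds two
    (capped), a failed one refunds nothing. A source with no credits left is
    throttled, which bounds the damage done while its SPRT is still undecided.
    Credit amounts are assumptions for this example.
    """

    def __init__(self, detector: SPRTDetector, initial_credits: int = 10, max_credits: int = 20):
        self.det = detector
        self.initial = initial_credits
        self.cap = max_credits
        self.sources: Dict[str, SourceState] = {}

    def _state(self, src: str) -> SourceState:
        return self.sources.setdefault(src, SourceState(credits=self.initial))

    def admit(self, src: str) -> bool:
        """Controller-side check on a packet-in for a new flow from src."""
        st = self._state(src)
        if st.verdict == "attack" or st.credits <= 0:
            return False
        st.credits -= 1
        return True

    def report(self, src: str, failed: bool) -> Optional[str]:
        """Feed the outcome of an admitted flow; returns the verdict once one is reached."""
        st = self._state(src)
        if st.verdict is not None:
            return st.verdict
        if not failed:
            st.credits = min(self.cap, st.credits + 2)
        st.observations += 1
        st.llr += self.det.step_fail if failed else self.det.step_ok
        st.verdict = self.det.classify(st.llr)
        return st.verdict

# Constructed flow records, "<src> <dst>:<port> <REPLY|NOREPLY>" (not real captures).
SAMPLE_FLOWS: List[str] = [
    "10.0.0.5 10.0.1.7:80 REPLY", "10.0.0.5 10.0.1.8:443 REPLY", "10.0.0.9 10.0.1.2:22 NOREPLY",
    "10.0.0.5 10.0.1.9:80 NOREPLY", "10.0.0.9 10.0.1.3:22 NOREPLY", "10.0.0.9 10.0.1.4:22 NOREPLY",
    "10.0.0.5 10.0.1.10:80 REPLY", "10.0.0.9 10.0.1.5:22 NOREPLY", "10.0.0.9 10.0.1.6:22 NOREPLY",
    "10.0.0.5 10.0.1.11:80 REPLY", "10.0.0.5 10.0.1.12:80 REPLY",
]

def run(lines: List[str], monitor: Optional[FlowMonitor] = None) -> FlowMonitor:
    """Replay flow records through the monitor and return it with per-source state."""
    monitor = monitor or FlowMonitor(SPRTDetector())
    for line in lines:
        src, _dst, outcome = line.split()
        if not monitor.admit(src):
            continue  # throttled or already blocked: the flow never reaches the network
        monitor.report(src, failed=(outcome == "NOREPLY"))
    return monitor
```

With the defaults, each failed flow adds ln(0.8/0.2) = ln 4 to the LLR and each answered flow subtracts the same amount, while the boundaries sit at ±ln 99, so four consecutive failures are enough to flag a source and a single failure from an otherwise well-behaved host is absorbed rather than alarmed on. Running `run(SAMPLE_FLOWS)` flags 10.0.0.9 as an attack after its fourth failed flow (its fifth is refused at `admit`) and clears 10.0.0.5 as benign after six observations. The point the thresholds make is the one raised against [57]: the threshold is a function of the chosen α and β, so "acceptable threshold" means choosing those error rates explicitly for the environment rather than tuning a raw cut-off by hand.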
In [58], the researchers presented the OpenFlowSIA security system for the SDN context. It uses an SVM classifier and Idle-timeout Adjustment (IA) algorithms to protect the controller and OpenFlow switches from DDoS attacks. The IDS consists of five modules: Flow Collector, Feature Extractor, SVM, Policy Enforcement, and the IA Algorithm. The system collects traffic statistics from the flow tables of the OpenFlow switches, extracts features from them, classifies the traffic with the SVM according to protocol type, and finally decides whether the traffic is normal or malicious through Policy Enforcement and the IA algorithm. The CAIDA datasets were used for training and testing. However, the system consumes a significant amount of CPU and memory, causing congestion and affecting response time. It lacks a feature selection method covering DDoS attack behaviour, and the authors did not report evaluation metrics for the detection rate or accuracy of the model.
Table 5.
IDSs based on non-Deep Learning.

Ref and authors | Approach | Number of Features | Detected Attack | Controller | Dataset | Accuracy/False Alarm
--- | --- | --- | --- | --- | --- | ---
[39] | SVM | 6 | DDoS | SDN controller | Simulation datasets | Detection Rate of 95.24% and False Alarm of 1.26%
[40] | ASVM | 5 | DDoS | POX controller | Simulation datasets | Accuracy of 97%
[43] | SVM | 29 | DoS | OpenDaylight | KDD99 dataset | Accuracy of 97.63%
[44] | SMO, Naive Bayes, and J48 | 41 | DDoS | SDN controller | NSL dataset | Accuracy of 99.4% for SMO
[36] | Analysed algorithms: SVM, Naïve Bayes, KNN, ASVM, HMM, K-means, Random Forest, Decision tables, K-medoids, and fuzzy | 5 | DDoS | POX controller | NSL-KDD dataset | Highest accuracy of 81.5%, for the J48 algorithm
[45] | Graph Theory | Flow statistics | DoS | POX controller | CAIDA dataset | Precision of 0.84, Recall of 0.78, and F-score of 0.81
[46] | C4.5 | 52 | DoS and Probe attacks | SDN controller | 1999 DARPA dataset | Precision of 0.989 and Recall of 0.964
[47] | SOM | 4 | DDoS | NOX controller | 1999 DARPA dataset | Detection Rate of 98.61% and False Alarm of 0.59%
[48] | SVM with a kernel function | 8 | IPsweep, Probe, and DDoS | SDN controller | 1998 DARPA and 2000 DARPA | Accuracy of 94.81% and False Alarm of 0.11%
[49] | J48 tree | 41 | Known and unknown attacks | NetFPGA10G | KDD'99 | Detection Rate of 91.81% and False Alarm of 0.55%
[51] | Naive Bayes, KNN, K-means, and K-medoids | 52 | DDoS | POX controller | Private dataset | Detection Rates of 94%, 90%, 86%, and 88%
[24] | NN | 6 | DoS, U2R, R2L, and Probe | SDN controller | NSL-KDD | Detection Rate of 97.4%
[52] | KNN | 23 | DoS | SDN controller | NSL-KDD | Accuracy of 91.27% and Precision of 0.99
[53] | Random Forest (classification) with Bat algorithm feature selection | 5 | DoS, Probe, DDoS, U2R, and R2L | NOX controller | KDD Cup 1999 dataset | Accuracy of 96.3%
[54] | TRW-CB and Rate Limiting | 4 | DDoS | NOX controller | Collected dataset (Home, SOHO, and ISP captures) | Detection Rate of 90% and False Alarm of 70%
[55] | K-means++, AdaBoost, and Random Forest (RF) | 6 | DDoS, DoS, U2R, and R2L | SDN controller | KDD Cup 1999 dataset | Accuracy of 84%
[56] | J48 algorithm | 41 | DoS, Probe, U2R, and R2L | SDN controller | NSL-KDD | Detection Rate of 90.9% for DoS
[57] | SPRT (Bernoulli model) | 2 | DDoS | SDN controller | DARPA 1999 dataset | Not reported
[58] | Idle-timeout Adjustment (IA) and SVM | The six basic features | DDoS | OpenFlow controller | CAIDA | Not reported
5.2.3. Deep Learning-based Approaches
Deep Learning (DL) is an approach within the neural network family; in an IDS, the network's nodes are the building blocks of the defence model. DL algorithms are a modern extension of artificial neural networks made practical by abundant data and affordable computation. DL allows an algorithm to learn representations of data at multiple levels of abstraction. These methods are applied to visual perception, object detection, network intrusion detection, and many other domains. A DL model can be trained in a supervised or an unsupervised manner. Deep learning architectures include Convolutional Neural Networks (CNN) and Artificial Neural Networks (ANN), which are generally trained with supervision. CNN is currently the benchmark model for computer vision [59]. Some examples of DL approaches in the context of intrusion detection systems (IDS) are:
1. Artificial Neural Networks (ANN): ANNs are inspired by the structure and function of the human brain. They consist of interconnected nodes (neurons) organised in input, hidden, and output layers, and learn to recognise patterns in data by adjusting the weights of the connections between neurons. ANNs have been widely used in many applications, including intrusion detection systems, where they serve both anomaly-based and signature-based detection [60].
2. Convolutional Neural Networks (CNNs): A CNN is a deep learning architecture that is particularly effective on grid-like data, such as images or network traffic matrices. It uses convolution operations to scan for local patterns and consists of convolutional, pooling, and fully connected layers. CNNs have been applied successfully to network traffic analysis, where they can identify features associated with known attack signatures or detect anomalous traffic patterns [61].
3. Recurrent Neural Networks (RNNs): RNNs are designed to process sequential data such as time series or text. A widely used RNN variant, Long Short-Term Memory (LSTM), adds gated memory cells that let the network retain information from earlier time steps, making it suitable for detecting patterns, trends, and anomalies in time-series data. In intrusion detection, RNNs and LSTMs can be used for anomaly-based and signature-based detection, especially where network traffic or user activity has a sequential structure [62].
4. Gated Recurrent Units (GRUs): GRUs are a variant of RNNs introduced to address some limitations of the traditional RNN architecture. Like LSTMs, they process sequential data such as time series or text, making them suitable for detecting patterns, trends, and anomalies in such data [61,62,63].
B. Sarra and G. Mohamed in [60] proposed a DL approach in the SDN context to identify DDoS and DoS attacks between the controller and end-user devices. A neural network using ReLU activations and a Softmax output classifies traffic as malicious or normal inside the SDN controller. The public CICIDS2017 dataset was used for training and testing. Before classification, the extracted features were normalised with a logarithmic transform followed by Min/Max scaling. The model uses five basic features, extracted for each packet at the SDN controller in real time, and achieved an accuracy of 99.6%. However, the small number of extracted features limits detection efficiency: they come from the packet's basic header information and do not cover attack behaviour, so an attacker can evade the IDS by modifying packet headers to resemble regular traffic. The authors also did not consider the controller bottleneck, where the controller of a large network cannot perform its functions efficiently; the system therefore needs a lightweight method to process packets.
In [61], the researchers presented a DL-based method for detecting DDoS attacks in the SDN environment, focusing on multi-vector attacks. The system examines each packet at the SDN controller, extracts features from it, and classifies it as normal or malicious; the POX controller is used. The authors collected their dataset from a home wireless network, using tcpdump to capture traffic and hping3 to generate DDoS traffic, and split it into training and testing sets. The system extracts 68 features from each packet for classification and achieves an accuracy of 95.65%. However, extracting these features requires significant memory and processing time, causing a bottleneck at the controller, and many of the features are not relevant to DDoS attack behaviour.
In another study [62], the authors employed a deep neural network to recognise DDoS attacks in SDN networks, using the public NSL-KDD dataset for training and testing. The model uses six basic features, extracted in real time for each flow at the SDN controller, and achieved an accuracy of 75.75%. The small number of features, drawn from basic flow statistics, was insufficient to cover attack behaviour and led to low detection accuracy, making it easy for attackers to evade the intrusion detection system (IDS). The authors propose that the controller periodically request flow table entries from the OpenFlow switches and classify every flow in the switches on each request; this adds complexity and overhead to the controller and calls for an efficient, lightweight method of traffic processing.
In [63], the authors presented a DL model based on a Gated Recurrent Unit Recurrent Neural Network (GRU-RNN) that classifies traffic in SDN as DDoS or not. They used the public NSL-KDD dataset for training and testing, extracting six basic features for each flow at the SDN controller in real time; the POX controller was used, and the model achieved a detection rate of 89%. However, the small number of extracted features reduced detection efficiency because they did not cover the full range of DDoS attack behaviour, and the authors did not address the controller bottleneck in large networks, which requires a lightweight traffic processing method.
In [64], the authors proposed a hybrid system called SD-Reg that combines a convolutional neural network (CNN) with the SD-Reg component to detect SDN attacks. The CNN classifier was trained and tested on the InSDN dataset and achieved accuracies of 99.28% for binary and 98.92% for multi-class classification. However, relying solely on InSDN for training may not cover all high-risk attacks and limits the validity of the test results. The approach also did not address CPU consumption or the overhead placed on the controller when the CNN and SD-Reg are combined.
In [65], the authors proposed a flow-based anomaly detection approach for the OpenFlow controller using deep neural network (DNN) algorithms. Their model, GRU-LSTM DNN, uses 52 features selected with the ANOVA F-test and extracted in real time from each flow at the SDN controller. The public NSL-KDD dataset was used for training and testing, and the model achieved an accuracy of 87% with a false alarm rate of 0.76%. However, the controller bottleneck was not addressed.
Y. Hande and A. Muddana [66] addressed the development of anomaly-based Network Intrusion Detection Systems (NIDS) in SDN networks. They used a CNN model to identify various attack types in SDN network traffic, with a sniffer IDS module feeding the detector. However, the paper gives few details on feature selection and extraction or on the design of the detector's critical components. The authors do not explain why the CNN has two layers or why manually selected features were used instead of letting the CNN learn features in an unsupervised manner. The sensing module is not described in terms of the classes it handles or how it detects unknown attacks. The paper also sets a threshold-based boundary value for the IDS to describe the correct behaviour of network traffic. The authors suggest installing the system in the controller, which is a significant challenge because of the processing and overhead it would introduce. Lastly, the CNN was not suitable for large-scale networks because of its high computational complexity.
Table 6.
IDSs based on Deep Learning.

Ref and Author | Approach | Features | Attack Detected | Controller | Dataset | Limitations | Accuracy/False Alarm
--- | --- | --- | --- | --- | --- | --- | ---
[60] | ReLU and Softmax functions | 5 | DDoS and DoS | ONOS | CICIDS2017 | Must reduce the controller bottleneck; low number of features used | 99.6%
[62] | Deep NN | 6 | DoS | OpenFlow controller | KDD | Accuracy must be increased; must reduce the controller bottleneck | 75.75%
[61] | SAE | TCP and UDP features | DDoS | POX | Traffic dataset | Must reduce the controller bottleneck | 95.65%
[63] | Recurrent Neural Network (GRU-RNN) | 6 | DoS | POX | NSL-KDD | Model optimisation required in feature selection and extraction | 89%
[65] | GRU-LSTM DNN | 52 | Probe, U2R, R2L, and DoS | POX | NSL-KDD | Model optimisation required | 87%
[64] | CNN | 48 and 9 | Probe, U2R, R2L, DoS, etc. | OpenFlow | InSDN | Model optimisation required | 98.92%