Deep Learning Approaches For Distributed Denial Of Service (DDOS) Attack Detection In Software-Defined Networking: A Systematic Literature Review
DOI:
https://doi.org/10.71200/nexural.v1.i1.263Keywords:
Systematic Literature Review, DDoS Attack Detection, Deep Learning, Software-Defined Networking, Convolutional Neural Network, Network Security, PRISMA 2020Abstract
Software-Defined Networking (SDN) has emerged as a foundational paradigm for programmable, centrally-managed networks, but its logically centralised control plane is highly attractive to Distributed Denial of Service (DDoS) adversaries. Traditional signature- and threshold-based defences struggle against polymorphic and low-rate attack patterns, motivating a rapid migration toward Deep Learning (DL) based detection. This Systematic Literature Review (SLR), conducted in accordance with the PRISMA 2020 guideline and a PICOC framework, identifies, classifies, and analyses 62 primary studies published between January 2020 and February 2026 on DL-based DDoS detection in SDN. Three research questions are answered, covering publication venues, the most active researchers, and the architectures, datasets, and evaluation metrics employed. The findings reveal that Convolutional Neural Networks (38.7%), hybrid CNN-LSTM models (24.2%), and Transformer/Graph Neural Networks (14.5%) dominate recent designs, while the InSDN and CIC-DDoS2019 datasets are the de-facto benchmarks. Macro-averaged accuracy across high-quality studies exceeds 99%, yet real-time deployment, explainability, and cross-dataset generalisability remain open challenges. The review provides a consolidated knowledge map and an empirically grounded research agenda for the next generation of intelligent SDN defences
References
D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: A comprehensive survey," Proc. IEEE, vol. 103, no. 1, pp. 14–76, Jan. 2015, doi: 10.1109/JPROC.2014.2371999.
N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, "OpenFlow: Enabling innovation in campus networks," ACM SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp. 69–74, Apr. 2008, doi: 10.1145/1355734.1355746.
A. A. Barakabitze, A. Ahmad, R. Mijumbi, and A. Hines, "5G network slicing using SDN and NFV: A survey of taxonomy, architectures and future challenges," Comput. Netw., vol. 167, p. 106984, Feb. 2020, doi: 10.1016/j.comnet.2019.106984.
J. Wang, M. Bewong, and L. Zheng, "SD-WAN: Hybrid edge cloud network between multi-site SDDC," Comput. Netw., vol. 250, p. 110509, 2024, doi: 10.1016/j.comnet.2024.110509.
S. Scott-Hayward, S. Natarajan, and S. Sezer, "A survey of security in software-defined networks," IEEE Commun. Surveys Tuts., vol. 18, no. 1, pp. 623–654, 2016, doi: 10.1109/COMST.2015.2453114.
T. Han, S. R. U. Jan, Z. Tan, M. Usman, M. A. Jan, R. Khan, and Y. Xu, "A comprehensive survey of security threats and their countermeasures in modern SDN," Cluster Comput., vol. 23, pp. 2887–2919, 2020, doi: 10.1007/s10586-020-03060-y.
K. S. Sahoo, B. Sahoo, R. Dash, and M. Tiwary, "Signature-based malware detection for unknown attacks in distributed environments," J. Netw. Comput. Appl., vol. 124, pp. 197–206, 2018, doi: 10.1016/j.jnca.2018.09.017.
N. Z. Bawany, J. A. Shamsi, and K. Salah, "DDoS attack detection and mitigation using SDN: Methods, practices, and solutions," Arab. J. Sci. Eng., vol. 42, no. 2, pp. 425–441, 2017, doi: 10.1007/s13369-017-2414-5.
Y. Cui, Q. Qian, C. Guo, G. Shen, Y. Tian, H. Xing, and L. Yan, "Towards DDoS detection mechanisms in software-defined networking," J. Netw. Comput. Appl., vol. 190, p. 103156, 2021, doi: 10.1016/j.jnca.2021.103156.
Cloudflare, "DDoS threat report for Q4 2024," Cloudflare Research, San Francisco, CA, USA, Tech. Rep., Jan. 2025.
M. Antonakakis et al., "Understanding the Mirai botnet," in Proc. USENIX Security Symp., 2017, pp. 1093–1110.
K. Singh, P. Singh, and K. Kumar, "Application layer HTTP-GET flood DDoS attacks: Research landscape and challenges," Comput. Secur., vol. 65, pp. 344–372, 2017, doi: 10.1016/j.cose.2016.10.005.
M. Almiani, A. AbuGhazleh, A. Al-Rahayfeh, S. Atiewi, and A. Razaque, "Deep recurrent neural network for IoT intrusion detection system," Simul. Model. Pract. Theory, vol. 101, p. 102031, 2020, doi: 10.1016/j.simpat.2019.102031.
Y. LeCun, Y. Bengio, and G. Hinton, "Deep learning," Nature, vol. 521, no. 7553, pp. 436–444, 2015, doi: 10.1038/nature14539.
S. Hochreiter and J. Schmidhuber, "Long short-term memory," Neural Comput., vol. 9, no. 8, pp. 1735–1780, 1997, doi: 10.1162/neco.1997.9.8.1735.
A. Vaswani et al., "Attention is all you need," in Proc. NeurIPS, 2017, pp. 5998–6008.
T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho, "Deep recurrent neural network for intrusion detection in SDN-based networks," in Proc. IEEE NetSoft, 2018, pp. 202–206.
Y. Li and J. Wu, "A deep learning based DDoS detection system in software-defined networking," EAI Endorsed Trans. Secur. Saf., vol. 4, no. 11, p. e2, 2018, doi: 10.4108/eai.28-12-2017.153515.
M. S. Aladaileh, M. Anbar, I. H. Hasbullah, Y. W. Chong, and Y. K. Sanjalawe, "Detection techniques of distributed denial of service attacks on software-defined networking controller: A review," IEEE Access, vol. 8, pp. 143985–144011, 2020, doi: 10.1109/ACCESS.2020.3013998.
M. P. Singh, M. Anbar, S. Manickam, M. S. Aladaileh, and B. A. Tayyeh, "A systematic literature review on machine learning and deep learning approaches for detecting DDoS attacks in software-defined networking," Sensors, vol. 23, no. 9, p. 4441, 2023, doi: 10.3390/s23094441.
A. Adadi and M. Berrada, "Peeking inside the black-box: A survey on explainable artificial intelligence (XAI)," IEEE Access, vol. 6, pp. 52138–52160, 2018, doi: 10.1109/ACCESS.2018.2870052.
A. D. Wiranata, Sunardi, and I. Riadi, "Tinjauan sistematis quality of service pada layanan jaringan software defined networking," INFOTECH: J. Technol. Inf., vol. 11, no. 2, pp. 247–252, Nov. 2025, doi: 10.37365/jti.v11i2.422.
M. J. Page et al., "The PRISMA 2020 statement: An updated guideline for reporting systematic reviews," BMJ, vol. 372, p. n71, 2021, doi: 10.1136/bmj.n71.
F. Chiti, R. Picchi, and L. Pierucci, "A survey on non-terrestrial quantum networking: Challenges and trends," Comput. Netw., vol. 252, p. 110668, 2024, doi: 10.1016/j.comnet.2024.110668.
J. R. Landis and G. G. Koch, "The measurement of observer agreement for categorical data," Biometrics, vol. 33, no. 1, pp. 159–174, 1977, doi: 10.2307/2529310.
M. S. Elsayed, N.-A. Le-Khac, and A. D. Jurcut, "InSDN: A novel SDN intrusion dataset," IEEE Access, vol. 8, pp. 165263–165284, 2020, doi: 10.1109/ACCESS.2020.3022633.
M. S. Aladaileh, M. Anbar, A. J. Hintaw, I. H. Hasbullah, A. A. Bahashwan, T. A. Al-Amiedy, and D. R. Ibrahim, "Effectiveness of an entropy-based approach for detecting low- and high-rate DDoS attacks against the SDN controller," Sensors, vol. 23, no. 12, p. 5648, 2023, doi: 10.3390/s23125648.
M. S. Elsayed, N.-A. Le-Khac, M. A. Albahar, and A. Jurcut, "A novel hybrid model for intrusion detection systems in SDNs based on CNN and a new regularization technique," J. Netw. Comput. Appl., vol. 191, p. 103160, 2021, doi: 10.1016/j.jnca.2021.103160.
A. Albasheer, M. Anbar, S. Manickam, et al., "A federated CNN-LSTM model for DDoS detection in SDN," Electronics, vol. 13, no. 6, p. 1098, 2024, doi: 10.3390/electronics13061098.
A. Alanazi and K. Aljuaid, "Federated deep learning for DDoS detection in SDN-IoT," Sensors, vol. 24, no. 4, p. 1252, 2024, doi: 10.3390/s24041252.
I. Riadi, A. W. Muhammad, and Sunardi, "Neural network-based DDoS detection regarding hidden layer variation," J. Theor. Appl. Inf. Technol., vol. 95, no. 15, pp. 3684–3691, 2017.
A. W. Muhammad, I. Riadi, and Sunardi, "DDoS detection using artificial neural network regarding variation of training function," Adv. Sci. Lett., vol. 24, no. 12, pp. 9163–9167, 2018, doi: 10.1166/asl.2018.13075.
Sunardi, I. Riadi, and M. H. Akbar, "Penerapan metode static forensics untuk ekstraksi file steganografi pada bukti digital menggunakan framework DFRWS," J. RESTI, vol. 4, no. 3, pp. 576–583, 2020, doi: 10.29207/resti.v4i3.1906.
M. H. Akbar, Sunardi, and I. Riadi, "Analysis of steganographic on digital evidence using general computer forensic investigation model framework," Int. J. Adv. Comput. Sci. Appl., vol. 11, no. 11, pp. 553–560, 2020, doi: 10.14569/IJACSA.2020.0111166.
S. Haider, A. Akhunzada, I. Mustafa, T. B. Patel, A. Fernandez, K. K. R. Choo, and J. Iqbal, "A deep CNN ensemble framework for efficient DDoS attack detection in software defined networks," IEEE Access, vol. 8, pp. 53972–53983, 2020, doi: 10.1109/ACCESS.2020.2976908.
R. Doriguzzi-Corin, S. Millar, S. Scott-Hayward, J. Martinez-del-Rincon, and D. Siracusa, "Lucid: A practical, lightweight deep learning solution for DDoS attack detection," IEEE Trans. Netw. Service Manag., vol. 17, no. 2, pp. 876–889, 2020, doi: 10.1109/TNSM.2020.2971776.
M. V. de Assis, L. F. Carvalho, J. Lloret, and M. L. Proença, "Near real-time security system applied to SDN environments in IoT networks using convolutional neural network," Comput. Electr. Eng., vol. 86, p. 106738, 2020, doi: 10.1016/j.compeleceng.2020.106738.
J. Cui, J. Long, E. Min, Q. Liu, and Q. Li, "Comparative study of CNN and RNN for deep learning based intrusion detection system," in Proc. CSS, 2018, pp. 159–170.
H. Polat, M. Turkoglu, O. Polat, and A. Şahin, "A novel approach for accurate detection of the DDoS attacks in SDN-based SCADA systems based on deep recurrent neural networks," Expert Syst. Appl., vol. 197, p. 116748, 2022, doi: 10.1016/j.eswa.2022.116748.
H. Wang, L. Li, J. Zhao, and F. Wang, "DDosTC: A transformer-based network attack detection hybrid mechanism in SDN," Sensors, vol. 21, no. 15, p. 5047, 2021, doi: 10.3390/s21155047.
K. Hu, Y. Li, and L. Shi, "TransDDoS: A transformer-based DDoS attack detection framework for software-defined networks," Comput. Netw., vol. 245, p. 110350, 2024, doi: 10.1016/j.comnet.2024.110350.
I. Sharafaldin, A. H. Lashkari, S. Hakak, and A. A. Ghorbani, "Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy," in Proc. IEEE Int. Carnahan Conf. Security Technol. (ICCST), 2019, pp. 1–8, doi: 10.1109/CCST.2019.8888419.
R. Doshi, N. Apthorpe, and N. Feamster, "Machine learning DDoS detection for consumer Internet of Things devices," in Proc. IEEE Security Privacy Workshops, 2018, pp. 29–35, doi: 10.1109/SPW.2018.00013.
K. M. Sudar, P. Deepalakshmi, and P. M. Kumar, "DDoS attack detection in software-defined networks using machine learning algorithms," Wireless Pers. Commun., vol. 122, pp. 3017–3040, 2022, doi: 10.1007/s11277-021-09005-x.
M. Ibrahim, F. Khan, A. Khan, and M. Asif, "An adversarial robustness study of deep learning-based DDoS detectors in SDN," Comput. Secur., vol. 138, p. 103686, 2024, doi: 10.1016/j.cose.2024.103686.
M. T. Ribeiro, S. Singh, and C. Guestrin, "Why should I trust you?: Explaining the predictions of any classifier," in Proc. ACM KDD, 2016, pp. 1135–1144, doi: 10.1145/2939672.2939778.
M. F. Khan, A. Anjum, A. Saghar, et al., "Federated learning for intrusion detection in SDN-IoT: A privacy-preserving framework," Sensors, vol. 23, no. 11, p. 5018, 2023, doi: 10.3390/s23115018.
S. Truex, N. Baracaldo, A. Anwar, T. Steinke, H. Ludwig, R. Zhang, and Y. Zhou, "A hybrid approach to privacy-preserving federated learning," in Proc. ACM AISec, 2019, pp. 1–11, doi: 10.1145/3338501.3357370.
Y. Safitri, I. Riadi, and Sunardi, "Mobile forensic for body shaming investigation using association of chief police officers framework," MATRIK J. Manaj. Teknik Inform. Rekayasa Komput., vol. 22, no. 3, pp. 651–664, 2023, doi: 10.30812/matrik.v22i3.3052.
K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Comput. Netw., vol. 62, pp. 122–136, 2014, doi: 10.1016/j.comnet.2013.10.014.
R. Mohammadi, R. Javidan, and M. Conti, "SLICOTS: An SDN-based lightweight countermeasure for TCP SYN flooding attacks," IEEE Trans. Netw. Service Manag., vol. 14, no. 2, pp. 487–497, 2017, doi: 10.1109/TNSM.2017.2701549.
L. Liu, J. Xu, X. Li, and L. Liu, "A DDoS detection method based on feature engineering and machine learning in software-defined networks," Sensors, vol. 23, no. 13, p. 6176, 2023, doi: 10.3390/s23136176.
M. R. Anwar, I. Ahmad, and S. M. Khan, "An entropy and machine learning based approach for DDoS attacks detection in software defined networks," Sci. Rep., vol. 14, p. 17789, 2024, doi: 10.1038/s41598-024-67984-w.
S. Kaur, J. Singh, and N. Kaur, "Optimizing DDoS detection in SDNs through machine learning models," arXiv preprint arXiv:2505.13493, 2025.
J. K. Samriya, R. Tiwari, J. J. P. C. Rodrigues, and R. Vijay, "Distributed denial of services (DDoS) attack detection in SDN using optimizer-equipped CNN-MLP," PLOS ONE, vol. 19, no. 12, p. e0312425, 2024, doi: 10.1371/journal.pone.0312425.
A. D. Wiranata, R. Pribadi, and F. N. Hasan, "Penggunaan figma dan metode design thinking dalam user interface dan user experience untuk website e-commerce pasar grosir tradisional," J. Inf. Syst. Res. (JOSH), vol. 5, no. 3, pp. 870–880, 2024, doi: 10.47065/josh.v5i3.5210.
A. D. Wiranata, F. N. Hasan, and Z. Munawar, Teknologi Informasi: Konsep Dasar dan Aplikasi. Klaten, Indonesia: Kaizen Media Publishing, 2024.
A. D. Wiranata, S. Hanief, W. T. Saputro, and Muchlas, "Pelatihan mikrokontroler dasar Arduino UNO dan simulasi Tinkercad pada siswa rekayasa perangkat lunak SMK," J. Pengabdi. Masy. Inform., vol. 4, no. 1, pp. 11–18, 2026, doi: 10.30591/jpmi.v4i1.5841.
A. Wijayanto, I. Riadi, and Y. Prayudi, "TAARA method for processing on the network forensics in the event of an ARP spoofing attack," Edumatic: J. Pendidik. Inform., vol. 7, no. 1, pp. 195–204, 2023, doi: 10.29408/edumatic.v7i1.13197.
I. Riadi, A. Yudhana, and G. P. I. Fanani, "Mobile forensic on MiChat messenger services using IDFIF V2 framework," Indonesian J. Electr. Eng. Comput. Sci., vol. 33, no. 1, pp. 612–621, 2024, doi: 10.11591/ijeecs.v33.i1.pp612-621.
A. Yudhana, Z. Y. Rivai, and I. Riadi, "Assessing digital evidence availability in Discord phishing using ISO/IEC 27037 and anti-forensics analysis," Int. J. Adv. Data Inf. Syst., vol. 7, no. 1, pp. 22–34, 2026, doi: 10.25008/ijadis.v7i1.1518.
A. D. Wiranata and F. N. Hasan, "Implementasi business intelligence dashboard untuk monitoring data penjualan UMKM," J. Sistem Inform. Manaj. Berbasis Komput. Cerdas, vol. 2, no. 4, pp. 1118–1128, 2023, doi: 10.55903/sinkron.v8i4.12923.
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Ade Davy Wiranata (Author); Intan Murniasih, Rudy Ansari (Translator)
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
