Rikie Kartadie; Danny Kriestanto; Muhammad Agung Nugroho; Chuan-Ming Liu

Hybrid LSTM-attention Model for DDoS Attack Detection in Software-defined Networking

PDF (956KB), PP.133-147

Views: 0 Downloads: 0

Author(s)

Rikie Kartadie ^1,* Danny Kriestanto ² Muhammad Agung Nugroho ³ Chuan-Ming Liu ⁴

1. Department of Computer Engineering, Universitas Teknologi Digital Indonesia, Yogyakarta, Indonesia

2. Department of Informatics Engineering, Universitas Teknologi Digital Indonesia, Yogyakarta, Indonesia

3. Informatics Engineering Study Program, Telkom University, Purwokerto Campus, Central Java, Indonesia

4. Department of Computer Science and Information Engineering National Taipei University of Technology (Taipei Tech), Taipei 106344, Taiwan, China

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2025.06.09

Received: 7 Jun. 2025 / Revised: 22 Aug. 2025 / Accepted: 30 Sep. 2025 / Published: 8 Dec. 2025

Index Terms

DDoS Detection, Software-defined Networking (SDN), Deep Learning, LSTM-attention, Network Security

Abstract

Distributed Denial of Service (DDoS) attacks threaten Software-Defined Networking (SDN) environments, requiring effective real-time detection. This study introduces a hybrid LSTM-Attention model to improve DDoS detection in SDN, combining Long Short-Term Memory (LSTM) networks for temporal pattern recognition with an attention mechanism to prioritize key traffic features like packet and byte counts per second. Trained on 15,000 balanced samples from the SDN DDoS dataset, the model achieved 96.90% accuracy, 100% recall for DDoS instances, and a 0.97 F1-score, outperforming statistical (88.5%), machine learning (94.0%), and other deep learning (95.0%) methods. Attention weight visualization confirmed its focus on critical features. With a two-hour training time on modest hardware (Google Colab, 12 GB RAM) and an AUC of 0.99, the model is efficient and robust for real-time use. It offers a scalable, interpretable framework for network security, providing actionable insights for administrators and supporting future detection of slow-rate attacks and insider breaches. As a proof-of-concept, a subsampled slow-rate DDoS simulation (10% of volumetric spikes) achieved 89.5% accuracy with tuned attention weights, suggesting potential for rate adjustments. Preliminary tests on UNSW-NB15 subsets, focusing on behavioral features, yielded 85.2% recall, indicating that integrating user profiling could enhance real-world detection.

Cite This Paper

Rikie Kartadie, Danny Kriestanto, Muhammad Agung Nugroho, Chuan-Ming Liu, "Hybrid LSTM-attention Model for DDoS Attack Detection in Software-defined Networking", International Journal of Computer Network and Information Security(IJCNIS), Vol.17, No.6, pp.133-147, 2025. DOI:10.5815/ijcnis.2025.06.09

Reference

[1]K. Nisar, E. R. Jimson, M. H. A. Hijazi, I. Welch, R. Hassan, A. H. M. Aman, A. H. Sodhro, S. Pirbhulal, and S. Khan, “A survey on the architecture, application, and security of software defined networking: Challenges and open issues,” Internet of Things, vol. 12, p. 100289, 2020. doi: https://doi.org/10.1016/j.iot.2020.100289. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2542660520301219
[2]N. M. Yungaicela-Naula et al., “Sdn/nfv-based framework for autonomous defense against slow-rate ddos at- tacks by using reinforcement learning,” Future Gener. Comput. Syst., vol. 149, pp. 637–649, 2023. doi: 10.1016/j.future.2023.08.007
[3]Y. Wang et al., “A ddos attack detection method based on information entropy in sdn,” IEEE Access, vol. 7, pp. 18 016–18 026, 2019. doi: 10.1109/ACCESS.2019.2895581
[4]M. Q. Syahputra et al., “Deteksi dan mitigasi serangan ddos pada software defined network menggunakan algoritma decision tree,” Jurnal Repositor, vol. 2, no. 11, 2024. doi: 10.22219/repositor.v2i11.30964
[5]R. Kokila et al., “Ddos detection and analysis in sdn-based environment using support vector machine classifier,” pp. 1–5, 2023. doi: 10.1109/ICCCI.2023.6654105
[6]M. Kavitha et al., “Machine learning techniques for detecting ddos attacks in sdn,” pp. 634–638, 2022. doi: 10.1109/ICACRS55517.2022.10029110
[7]A. Alsufyani et al., “Hybrid deep learning approach for enhanced detection and mitigation of ddos attack in sdn networks,” Int. J. Netw. Secur. & Its Appl., vol. 16, no. 6, pp. 77–93, 2024. doi: 10.5121/ijnsa.2024.16605
[8]X. Liu et al., “Ddos attack detection based on hybrid model of cnn and lstm in sdn,” IEEE Access, vol. 8, pp. 173 563–173 572, 2020. doi: 10.1109/ACCESS.2020.3025079
[9]S. Muthukumar and A. K. A. Ahamed, “A novel framework of ddos attack detection in network using hybrid heuristic deep learning approaches with attention mechanism,” J. High Speed Netw., vol. 30, no. 2, pp. 251–277, 2024. doi: 10.3233/JHS-230142
[10]S. Wang et al., “An attention-based lstm model for ddos attack detection in sdn,” IEEE Access, vol. 8, pp. 13 059– 13 072, 2020. doi: 10.1109/ACCESS.2020.2966374
[11]M. S. Ataa et al., “Intrusion detection in software defined network using deep learning approaches,” Sci. Rep., vol. 14, no. 1, p. 29159, 2024. doi: 10.1038/s41598-024-79001-1
[12]S. A. Christila and R. Sivakumar, “Multi-layer ensemble deep reinforcement learning based ddos attack detection and mitigation in cloud-sdn environment,” pp. 451–455, 2022. doi: 10.1109/I4C57141.2022.10057641
[13]Y. Wei et al., “Reconstruction-based lstm-autoencoder for anomaly-based ddos attack detection over multivariate time-series data,” arXiv preprint arXiv:2305.09475, 2023. doi: 10.48550/arXiv.2305.09475
[14]R. B. Said and I. Askerzade, “Attention-based cnn-bilstm deep learning approach for network intrusion detection system in software defined networks,” pp. 1–5, 2023. doi: 10.1109/PCI60110.2023.10325985
[15]S. Faezi and A. Shirmarz, “A Comprehensive Survey on Machine Learning using in Software Defined Networks (SDN),” Human-Centric Intelligent Systems, vol. 3, no. 3, pp. 312–343, Jun. 2023. doi: 10.1007/s44230-023-00025-3. [Online]. Available: https://link.springer.com/10.1007/s44230-023-00025-3
[16]J. Cui, J. Zhang, J. He, H. Zhong, and Y. Lu, “DDoS detection and defense mechanism for SDN controllers with K-Means,” in 2020 IEEE/ACM 13th International Conference on Utility and Cloud Computing (UCC). Leicester, UK: IEEE, Dec. 2020, pp. 394–401. doi: 10.1109/UCC48980.2020.00062. [Online]. Available: https://ieeexplore.ieee.org/document/9302786/
[17]H. Wang and Y. Li, “Overview of ddos attack detection in software-defined networks,” IEEE Access, vol. 12, pp. 38 351–38 381, 2024. doi: 10.1109/ACCESS.2024.3375395
[18]M. Li et al., “A ddos attack detection method based on deep learning two-level model cnn-lstm in sdn network,” pp. 282–287, 2022. doi: 10.1109/CBASE57816.2022.00062
[19]B. Ravinarayanan and H. R. Nagesh, “A hybrid model for ddos attack detection using lstm-rnn,” vol. 283, pp. 281– 294, 2022. doi: 10.1007/978-981-16-9705-0 28
[20]D. M. Rajan and D. J. Aravindhar, “Detection and mitigation of ddos attack in sdn environment using hybrid cnn- lstm,” Migration Letters, vol. 20, no. S13, pp. 407–419, 2023. doi: 10.33182/ml.v20iS13.377
[21]A. V. Kachavimath and D. G. Narayan, “A hybrid deep learning model with consensus-based feature se- lection for ddos attacks detection in sdn,” Procedia Comput. Sci., vol. 252, pp. 643–652, 2025. doi: 10.1016/j.procs.2025.01.024
[22]A. Bhardwaj, D. Ansari, P. G. Mohanty, and S. T.v, “Ddos attack detection using genetic algorithm-based feature selection: A study based on the cic-ids 2017 dataset,” in Proceedings of the 6th International Conference on Information Management & Machine Intelligence, ser. ICIMMI ’24. New York, NY, USA: Association for Computing Machinery, 2025. doi: 10.1145/3745812.3745891. [Online]. Available: https://doi.org/10.1145/3745812.3745891
[23]F. Alanazi et al., “Ensemble deep learning models for mitigating ddos attack in software-defined network,” Intelligent Automation & Soft Computing, vol. 33, no. 2, pp. 923–938, 2022. doi: 10.32604/iasc.2022.024668. [Online]. Available: https://doi.org/10.32604/iasc.2022.024668
[24]A. Al-Khayyat and O. Ucan, “A multi-branched hybrid perceptron network for ddos attack detection using dynamic feature adaptation and multi-instance learning,” IEEE Access, vol. 12, pp. 192 618–192 638, 2024. doi: 10.1109/access.2024.350802. [Online]. Available: https://doi.org/10.1109/access.2024.3508028
[25]M. Talukder et al., “Machine learning-based network intrusion detection for big and imbalanced data using oversampling, stacking feature embedding and feature extraction,” Journal of Big Data [Preprint], 2024. [Online]. Available: https://arxiv.org/html/2401.12262v1
[26]A. Vibhute et al., “Network anomaly detection and performance evaluation of convolutional neural networks on unsw-nb15 dataset,” Procedia Computer Science, vol. 235, pp. 2227–2236, 2024. doi: 10.1016/j.procs.2024.04.211. [Online]. Available: https://doi.org/10.1016/j.procs.2024.04.211
[27]R. Menten et al., “Deep learning for ddos detection in software-defined networking,” IEEE Access, vol. 10, pp. 12 345–12 356, 2022. doi: 10.1109/ACCESS.2022.3145678
[28]L. Zhang et al., “Deepo-glcnac: A web server for prediction of protein o-glcnacylation sites using deep learning combined with attention mechanism,” Frontiers in Cell and Developmental Biology, vol. 12, p. 1456728, 2024. doi: 10.3389/fcell.2024.1456728
[29]X. Guo et al., “Cluster-based deep ensemble learning for emotion classification in internet memes using attention- based lstm,” Journal of Information Science, vol. 51, no. 1, pp. 265–283, 2025. doi: 10.1177/01655515221136241
[30]D. Lim et al., “Mob-net: A mobile-oriented bidirectional lstm with attention for real-time anomaly detection,” International Journal of Robotics Research, vol. 44, no. 1, pp. 96–128, 2025. doi: 10.1177/02783649241260428
[31]J. Yin et al., “Modeling behavioral dynamics in digital content consumption with attention-enhanced lstm,” Market- ing Science, vol. 44, no. 1, pp. 220–239, 2025. doi: 10.1287/mksc.2020.0180

International Journal of Computer Network and Information Security (IJCNIS)