DDoS classification of network traffic in software defined networking SDN using a hybrid convolutional and gated recurrent neural network.

Journal: Scientific reports
Published Date: Aug 9, 2025

Abstract

Deep learning (DL) has emerged as a powerful tool for intelligent cyberattack detection, especially Distributed Denial-of-Service (DDoS) in Software-Defined Networking (SDN), where rapid and accurate traffic classification is essential for ensuring security. This paper presents a comprehensive evaluation of six deep learning models (Multilayer Perceptron (MLP), one-dimensional Convolutional Neural Network (1D-CNN), Long Short-Term Memory (LSTM), Gated Recurrent Unit (GRU), Recurrent Neural Network (RNN), and a proposed hybrid CNN-GRU model) for binary classification of network traffic into benign or attack classes. The experiments were conducted on an SDN traffic dataset initially exhibiting class imbalance. To address this, Synthetic Minority Over-sampling Technique (SMOTE) was applied, resulting in a balanced dataset of 24,500 samples (12,250 benign and 12,250 attacks). A robust preprocessing pipeline followed, including missing value verification (no missing values were found), feature normalization using StandardScaler to standardize numerical values, reshaping the data into 3D format to fit temporal models like CNN and GRU, and stratified train-test split (80% training, 20% testing) to maintain class distribution. The CNN-GRU model integrates a 1D convolutional layer for spatial pattern extraction and a GRU layer for temporal sequence learning, followed by dense layers with dropout regularization. The model was trained using the Adam optimizer with early stopping to prevent overfitting. Among all models, the CNN-GRU hybrid achieved perfect test performance, with 100% accuracy, 1.0000 precision, recall, and F1-score, and an ROC AUC of 1.0000. It also demonstrated exceptional generalization, achieving a mean cross-validation (CV) accuracy of 99.70% ± 0.09% and a mean AUC of 1.0000 ± 0.0000 across 5-fold stratified cross-validation. While individual models such as GRU, 1D-CNN, and LSTM also showed strong performance, the CNN-GRU hybrid consistently outperformed them in both accuracy and stability. These results validate the effectiveness of combining convolutional and recurrent architectures, augmented with data balancing via SMOTE, for highly accurate SDN-based intrusion detection.

Authors

  • Ahmed M Elshewey
    Department of Computer Science, Faculty of Computers and Information, Suez University, P. O. Box 43221, Suez, Egypt.
  • Safia Abbas
    Department of Computer Science, Faculty of Computer and Information Sciences, Ain Shams University, Cairo, Egypt.
  • Ahmed M Osman
    Department of Information Systems, Faculty of Computers and Information, Suez University, P.O.Box:43221, Suez, Egypt.
  • Eman Abdullah Aldakheel
    Department of Computer Sciences, College of Computer and Information Sciences, Princess Nourah Bint Abdulrahman University, 11671, Riyadh, Saudi Arabia.
  • Yasser Fouad
    Department of Computer Science, Faculty of Computers and Information, Suez University, P.O.Box: 43221, Suez, Egypt. Yasser.ramadan@suezuni.edu.eg.

Keywords

No keywords available for this article.

External Resources

Popular Topics
Recent Journals