The following section reviews recent and relevant works on intrusion detection in SDN using deep learning approaches, highlighting their methodologies, datasets, performance, and limitations. This review provides a foundation for the proposed hybrid CNN-GRU model and positions it within the current research landscape.
Yousuf and Mir [8] introduced DALCNN, a DDoS detection algorithm for IoT networks leveraging an RNN-based model integrated into an SDN environment. Their solution employed a three-tier architecture with a novel activation function to enhance classification accuracy. Tested on 177 attack instances using Mininet and Wireshark, the model achieved a remarkable 99.98% accuracy and nearly perfect scores across all key evaluation metrics. Furthermore, they conducted a comparative performance analysis of popular SDN controllers, concluding that OpenDayLight delivered superior results in throughput, latency, and controller responsiveness.
Wang et al. [9] addressed the complexity of DDoS detection in SDN by proposing ARSAE-QGRU, a deep hybrid model that integrates attention mechanisms and residual connections into a stacked autoencoder architecture. These enhancements enable the model to preserve and propagate critical information during training, while the addition of a GRU component improves the model’s ability to learn temporal dependencies in traffic patterns. The model achieved accuracy rates up to 99.8% in SDN environments and also performed strongly on benchmark datasets like CICIDS2017 and CICDDoS2019, demonstrating its robustness in handling high-dimensional and temporally complex traffic data.
Wahab et al. [10] introduced an SDN-enabled hybrid DL framework for ID in IoT-based environments. The system leverages cognitive intelligence to interpret and react to traffic patterns while being optimized for lightweight deployment on resource-constrained IoT devices. The model achieved high classification accuracy (99.86%), outperforming previous hybrid models like Cu-GRU + LSTM and Cu-GRU + DNN. This work demonstrates the potential of integrating cognitive computing and SDN with deep learning to enhance IoT security without overwhelming device resources.
Razib et al. [11] presented DNNLSTM, a DL-based SDN for securing IoT networks against both frequent and rare cyber threats. Their model combines the capabilities of deep neural networks with LSTM units to capture complex temporal patterns in network traffic. Trained on the CICIDS2018 dataset, the model achieved strong performance, with an accuracy of 99.55%, outperforming baseline models like DNNGRU and BLSTM as well as several existing solutions from prior studies. This work demonstrates the value of combining SDN and deep sequence learning techniques for scalable and intelligent IoT threat detection.
Javeed et al. [12] proposed an efficient SDN-integrated DL framework for threat detection in IoT networks. Their model leverages CUDA-accelerated neural network architectures, including Cu-DNNGRU and Cu-BLSTM, to ensure both accuracy and computational efficiency. Trained on the CICIDS2018 dataset and validated using tenfold CV, the model achieved 99.87% accuracy. Compared to other hybrid architectures such as Cu-GRULSTM and Cu-DNNLSTM.
Alghazzawi et al. [13] proposed a CNN-BiLSTM model for DDoS detection, aiming to overcome the shortcomings of traditional ML/DL methods that often struggle with suboptimal feature selection and neglect sequence information. Their model integrates convolutional layers to extract spatial features and BiLSTM layers to retain bidirectional temporal context. The approach employs a feature ranking technique to select the most informative inputs from the CIC-DDoS2019 dataset. The model achieved 94.52% accuracy, showing improved performance over standalone classifiers and traditional feature encoding approaches in detecting DDoS attacks.
Cui et al. [14] introduced CNNA-BiLSTM, a hybrid DL model that combines CNN and attention-enhanced bidirectional LSTM for multi-class intrusion detection in SDN environments. Addressing the shortcomings of existing DDoS-focused detection systems, their model incorporates a feature selection mechanism to reduce dimensionality and focus on high-impact attributes. It is designed to classify eight types of attacks from the InSDN dataset, and achieved 99.86% accuracy in binary classification and 99.31% in multi-class scenarios. Notably, CNNA-BiLSTM outperformed standard models in detecting rare attack types such as Botnet, Web, and U2R, highlighting its robustness in handling imbalanced and complex SDN traffic.
Ain et al. [15] proposed a hybrid DL model for DDoS threat detection in IoT networks, integrating CNNs, LSTMs, and Autoencoders to address both feature extraction and dimensionality reduction challenges. The model was trained and tested on the CICIOT2023 dataset and achieved 96.78% training accuracy and 96.60% validation accuracy, outperforming individual deep learning approaches. Despite its strong performance, the authors acknowledged limitations in detecting low-frequency attacks and recommended future improvements through advanced techniques for managing class imbalance.
Chaganti et al. [16] proposed an LSTM-based DL model to detect and classify network attacks in SDN-IoT environments, where traditional IDSs often fall short due to protocol diversity and centralized architectures. The model was evaluated on two specialized SDN-IoT datasets and achieved a classification accuracy of 97.1% in multiclass attack scenarios. The study also utilized embedding visualizations to better interpret the dataset characteristics and the learned features. Their findings reinforce the suitability of LSTM for modeling temporal dependencies in network traffic and its effectiveness in IoT-based attack classification.
Despite significant advancements in ID using machine learning and DL within SDN and IoT environments, existing approaches still face notable challenges. These include high false positive rates, insufficient handling of data imbalance, difficulty in detecting rare or evolving attack types, and limited ability to capture both spatial and temporal patterns in complex network traffic. While hybrid models such as CNN-LSTM, CNN-BiLSTM, and attention-based architectures have shown promising results across various benchmark datasets, many lack robustness in multiclass classification or real-time adaptability within SDN-IoT architectures. Furthermore, most approaches focus either on spatial or sequential aspects in isolation, rather than integrating both effectively. Motivated by these limitations, this study proposes a model that combines CNN and GRU to enhance detection accuracy, generalization, and response capability in SDN-based DDoS attack detection.
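The interaction between data imbalance, rare attack types and headline accuracy can be made concrete with a small calculation. The following is an added example, not code or data from this paper or from any work cited here: the confusion matrix counts are constructed for illustration, and the function names are hypothetical.

```python
# Constructed confusion matrix for a 4-class IDS: rows = true class, columns = predicted.
# Counts are illustrative only; they are not taken from any dataset or paper cited here.
LABELS = ["Benign", "DDoS", "Botnet", "U2R"]
CONFUSION = [
    [48900, 80, 15, 5],    # Benign
    [60, 49930, 8, 2],     # DDoS
    [140, 30, 130, 0],     # Botnet (rare class)
    [35, 3, 0, 12],        # U2R (very rare class)
]


def safe_div(num, den):
    """Division that returns 0.0 for an empty denominator (class never seen/predicted)."""
    return num / den if den else 0.0


def per_class_metrics(cm, labels):
    """One-vs-rest precision, recall, F1 and false positive rate for every class."""
    total = sum(map(sum, cm))
    metrics = {}
    for i, name in enumerate(labels):
        tp = cm[i][i]
        fn = sum(cm[i]) - tp                 # true class i, predicted as something else
        fp = sum(row[i] for row in cm) - tp  # other classes predicted as class i
        tn = total - tp - fn - fp
        metrics[name] = {
            "precision": safe_div(tp, tp + fp),
            "recall": safe_div(tp, tp + fn),
            "f1": safe_div(2 * tp, 2 * tp + fp + fn),
            "fpr": safe_div(fp, fp + tn),
            "support": tp + fn,
        }
    return metrics


def summarize(cm, labels):
    """Overall accuracy next to macro-F1, which weights rare classes equally."""
    per_class = per_class_metrics(cm, labels)
    accuracy = safe_div(sum(cm[i][i] for i in range(len(cm))), sum(map(sum, cm)))
    macro_f1 = sum(m["f1"] for m in per_class.values()) / len(labels)
    return {"accuracy": accuracy, "macro_f1": macro_f1, "per_class": per_class}


if __name__ == "__main__":
    report = summarize(CONFUSION, LABELS)
    print(f"accuracy={report['accuracy']:.4f}  macro_f1={report['macro_f1']:.4f}")
    for name, m in report["per_class"].items():
        print(f"{name:7s} n={m['support']:6d} recall={m['recall']:.3f} "
              f"f1={m['f1']:.3f} fpr={m['fpr']:.5f}")
```

With these constructed counts, overall accuracy exceeds 99.6% while recall on the two rare classes stays below 50%, which is why per-class recall and macro-averaged F1 are worth reading alongside any single accuracy figure.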
Kirubavathi et al. [17] proposed a novel transformer-based deep learning framework named SAINT (Self-Attention and Intersample Attention Transformer) to improve detection of TCP-based DDoS attacks in cloud environments. Unlike traditional models such as CNNs or RNNs, SAINT integrates dual attention mechanisms: self-attention for capturing intra-flow dependencies and intersample attention for modeling relationships across different traffic flows. Additionally, the model incorporates Sparse Logistic Regression to enhance interpretability and efficiency. Evaluated on the large-scale BCCC-cPacket-Cloud-DDoS-2024 dataset (700,000 flows across 17 advanced attack types), SAINT achieved strong performance with 97% accuracy and 96% F1-score.
Alshdadi et al. [18] addressed growing security challenges in the IoT ecosystem by proposing an advanced detection framework that integrates a Split-Attention ResNeSt model, enhanced through the Jaya optimization algorithm and augmented with a GRU. The proposed RSG-MJ model was evaluated on several benchmark datasets, including NSL-KDD, CIC-IDS2017, ToN_IoT, and UNSW-NB15, demonstrating its robustness and versatility. The hybrid model achieved a 15% improvement in computational efficiency and an accuracy of 98.45%, outperforming traditional models in terms of early DDoS detection and processing speed.
Sumathi and Rajesh [19] proposed an advanced intrusion detection system tailored for cloud computing environments, which are increasingly vulnerable to DDoS attacks. The study introduced a hybrid ANN-based GBS model, integrating GWO, BPN, and Self-Organizing Map (SOM) to enhance detection accuracy and reduce false positives. The system employs a correlation-based hybrid feature selection method and stratified tenfold cross-validation (STCV), followed by GWO-based hyperparameter tuning to optimize model performance. Validated using the UNSW-NB15 dataset, the model achieved a detection accuracy of 99.40%, a false positive rate of just 0.00389, and a low error rate of 0.001, with rapid prediction times.
Sokkalingam and Ramakrishnan [20] explored the limitations of conventional DDoS detection methods in cloud computing environments and addressed them through a hybrid machine learning-based IDS. Their proposed model utilizes tenfold cross-validation for robust feature selection and employs multiple classifiers (SVM, KNN, and C4.5) to evaluate detection performance. The study found that SVM outperformed other classifiers in accuracy and robustness when identifying DDoS traffic. To further enhance performance, SVM was optimized using HHO, PSO, and a hybrid HHO-PSO approach. The SVM-HHO-PSO configuration achieved the best results, with a detection accuracy of 97.05%, precision of 97.62%, and F1-score of 97.67%, demonstrating its effectiveness over classical techniques.
Sumathi et al. [21] proposed an advanced DDoS intrusion detection system designed for cloud computing environments, leveraging deep learning and metaheuristic optimization to address shortcomings in existing IDS models. To overcome issues like slow convergence, local stagnation, and suboptimal feature selection, the authors developed a hybrid model based on LSTM recurrent neural networks combined with an autoencoder-decoder structure. The model incorporates a novel hybrid optimization algorithm that fuses HHO with PSO for fine-tuning the network’s weight vectors and bias coefficients, as well as for optimal feature selection. Experimental results confirmed that the proposed HHO-PSO-LSTM model outperformed conventional models, achieving a high accuracy of 98.53%, validating its capability to detect complex DDoS traffic with precision and reliability.
Sumathi et al. [22] tackled the challenge of detecting progressive DDoS attacks, which are notoriously difficult to identify due to their evolving nature. The study developed multiple machine learning-based IDS models, using C4.5, SVM, and KNN classifiers, validated on the NSL-KDD benchmark dataset. Feature selection was performed using a tenfold cross-validation technique, and ten independent trial runs were conducted to mitigate bias. Among individual models, SVM showed the highest accuracy, while C4.5 outperformed others in terms of precision and sensitivity. The research further proposed a hybrid strategy where features selected by the C4.5 algorithm were fed into SVM and KNN classifiers. This hybrid approach, particularly C4.5 + SVM, achieved superior performance with an accuracy of 96.04%, outperforming all other configurations.
Sumathi et al. [23] addressed the persistent challenge of DDoS attacks in cloud computing by developing an optimized ANN-based IDS that combines BPN and MLP architectures. To enhance detection efficiency and reduce model complexity, the authors introduced a novel hybrid Harris Hawks Optimization–Particle Swarm Optimization (HHO-PSO) algorithm. The preprocessed dataset was normalized using min–max scaling, and training was performed using tenfold cross-validation with the number of hidden neurons determined via the thumb rule. The hybrid models achieved strong results, with F1-scores of 0.9743 for BPN and 0.9800 for MLP, confirming their effectiveness.
Sumathi et al. [24] conducted a comparative analysis of machine learning techniques for detecting TCP SYN flood DDoS attacks, one of the most prevalent and disruptive types of denial-of-service threats in internet networks. The study evaluated multiple algorithms (One-R (OR), Decision Stump (DS), and PART) using the CAIDA dataset, which contains real-world traffic traces of SYN flood scenarios. Each model was assessed based on standard performance metrics including false positive rate (FPR), precision, recall, F1-score, and ROC curve. Among the evaluated methods, One-R exhibited the best FPR (0.05) and a recall of 0.95, Decision Stump achieved a high precision (0.93), and PART outperformed others in F1-score (0.91). A comprehensive comparison of recent hybrid and attention-based models for DDoS detection is presented and summarized in Table 1.
Compared to closely related models such as CNN-LSTM [13], CNN-BiLSTM [14], and transformer-based attention models like SAINT [17], the proposed CNN-GRU hybrid offers a streamlined yet highly effective architecture for DDoS detection in SDN environments. While LSTM and BiLSTM layers provide deep temporal modeling, they often incur higher computational costs and longer training times. In contrast, GRU units are more parameter-efficient, enabling faster convergence without sacrificing temporal learning capability. Furthermore, transformer-based models such as SAINT achieve competitive performance but require large training resources and complex attention modules, making them less suitable for real-time SDN deployment. Our CNN-GRU model, by contrast, achieves perfect test performance (100% accuracy, F1-score, and AUC) on a balanced SDN dataset with 99.70% ± 0.09% cross-validation accuracy, outperforming other hybrid architectures evaluated under similar conditions. These results demonstrate that the proposed approach not only achieves state-of-the-art accuracy but also provides a practical, lightweight solution for deployment in live network environments.
