AI-Based DDoS Attack Detection and Mitigation

Using SDN
Mrs. Soumya N G Sangeetha S Vanitha J
Assistant Professor, Dept. of CSE Dept. of CSE Dept. of CSE
RNS Institute of Technology RNS Institute of Technology RNS Institute of Technology
Bengaluru, India Bengaluru, India Bengaluru, India
[Link]@[Link] [Link]@[Link] [Link]@[Link]

Yadushree E Sharanya Vasanthi

Dept. of CSE Dept. of CSE
RNS Institute of Technology RNS Institute of Technology
Bengaluru, India Bengaluru, India
[Link]@[Link] [Link]@[Link]

Abstract—DDoS (Distributed Denial of Service) attacks are a finance, and public infrastructure.
recurring and evolving threat in modern computer networks,
capable of overwhelming servers and disrupting critical ser- Conventional defense mechanisms, including firewalls
vices. The traditional mitigation methods often lack adaptability
and fail to respond effectively to large-scale and intelligent and signature-based intrusion detection systems (IDS),
[Link] Defined Networking (SDN) is a promising plat- have served as foundational elements in network security.
form for dynamic and scalable DDoS detection and mitigation However, these traditional solutions are increasingly proving
since it provides a programmable and centralized control mech- inadequate in the face of modern DDoS attacks, which
anism. . In recent years, Artificial Intelligence (AI), particu- are more complex, varied, and dynamic than ever before.
larly Machine Learning (ML) and Deep Learning (DL), has
demonstrated significant success in identifying abnormal traffic Attackers frequently modify tactics, use botnets comprising
behavior with high accuracy. It categorizes and analyzes peer- thousands of compromised devices, and exploit application-
reviewed literature published in the last five years based on layer vulnerabilities that bypass static or reactive defenses.
methodology, datasets used, performance, and practical appli- Furthermore, the static nature of traditional solutions makes
cability. The paper highlights current trends, identifies major them slow to adapt to changing attack vectors, especially in
research gaps, and discusses the challenges associated with
deploying intelligent defense mechanisms in SDNs. The study highly dynamic environments such as cloud data centers or
concludes by outlining future research directions that aim to large-scale enterprise networks.
build more robust, adaptive, and real-time defense systems.
For researchers and practitioners looking to comprehend and Software Defined Networking (SDN) offers a promising
advance the developing subject of AI-driven DDoS defense in paradigm shift to address these limitations. SDN decouples
SDNs, this study is an invaluable resource.
Index Terms—DDoS, Software Defined Networking (SDN), Ar- the control plane from the data plane, enabling centralized
tificial Intelligence (AI), Machine Learning (ML), Deep Learning network management, dynamic traffic routing, and fine-
(DL), Cybersecurity, Mitigation grained control over network policies. This architectural
flexibility allows for enhanced visibility and programmability
I. I NTRODUCTION across the entire network, making it easier to implement
The explosive growth of internet-connected devices, cloud adaptive security mechanisms. However, while SDN enables
computing, and data-driven applications has significantly more intelligent network control, it also introduces new
expanded the scale and complexity of modern network security challenges and potential points of failure if not
infrastructures. As organizations increasingly rely on digital adequately protected.
connectivity, the surface for potential cyber threats also grows
wider. Among these threats, Distributed Denial of Service To further strengthen SDN’s capability in detecting and
(DDoS) attacks stand out as some of the most disruptive mitigating DDoS attacks, researchers have explored the
and persistent challenges faced by network administrators integration of Artificial Intelligence (AI) techniques. AI,
and service providers. By overwhelming target systems particularly Machine Learning (ML) and Deep Learning
with massive volumes of traffic, DDoS attacks degrade or (DL), provides the means to analyze complex traffic patterns,
completely deny access to legitimate users, resulting in severe detect anomalies, and make real-time decisions based on
financial losses, reputational damage, and in some cases, evolving attack behaviors. These data-driven models can learn
disruption of critical services in sectors such as healthcare, from historical network data and adapt to new forms of attacks
without relying on manually crafted signatures or static rules. The flow of traffic monitoring, anomaly detection, and
When applied in conjunction with SDN’s centralized control mitigation is visually separates the data plane from the control
and programmable logic, AI can significantly improve the plane. It makes centralized control and programmability
accuracy, speed, and efficiency of DDoS mitigation. possible, enabling network managers to quickly react to
threats or changes to the network, apply custom policies, and
This survey paper aims to explore recent advancements dynamically regulate traffic flows.
in the integration of AI-based approaches with SDN to
defend against DDoS attacks. It reviews the current literature,
categorizes existing methodologies based on the type of
AI technique used, and evaluates their effectiveness and
limitations. In addition, the paper highlights emerging trends,
identifies research gaps, and outlines potential directions for
future work in this evolving field.

The rest of the paper is structured as follows: Section

2 introduces foundational concepts such as SDN architecture,
DDoS attack taxonomy, and AI techniques relevant to network
security.
Section 3 presents a comprehensive classification of existing
research based on applied methodologies.
Section 4 provides a critical analysis of selected approaches
and compares their performance. Fig. 1. Flowchart illustrating the AI-based DDoS detection and mitigation
Section 5 discusses the key challenges and open issues that system in SDN.
remain unaddressed.
Section 6 concludes the paper by summarizing key insights The flow of traffic monitoring, anomaly detection, and
and potential future developments. mitigation is visually summarized in Figure 1.

II. BACKGROUND AND F UNDAMENTAL C ONCEPTS C. Artificial Intelligence in Network Security

This section provides the essential background required Artificial Intelligence (AI), including Machine Learning
to understand AI-based DDoS detection and mitigation (ML) and Deep Learning (DL), plays a critical role in
in Software Defined Networks (SDNs). It introduces core detecting and mitigating network threats.
concepts such as Distributed Denial of Service (DDoS) These models can learn from network traffic patterns and
attacks, Software Defined Networking, and the role of identify anomalies that may indicate an ongoing DDoS
Artificial Intelligence (AI) in network security. attack. AI-driven systems offer adaptive, real-time analysis
and decision-making capabilities, which are essential for
scalable and proactive defense.
A. DDoS Attacks
By bombarding a targeted server or network with an
excessive number of unauthorized requests, a Distributed D. Why Combine AI with SDN?
Denial of Service (DDoS) attack seeks to interfere with Why AI with SDN?
regular traffic.
These attacks are carried out by numerous infected systems, The combination of AI and SDN creates a robust cybersecurity
frequently as a component of a botnet, making them hard to architecture. AI makes it possible to detect and mitigate threats
detect and mitigate with traditional defense mechanisms. intelligently, while SDN provides centralized visibility and
control. When combined, they create a scalable and flexible
defense system that can outperform conventional systems in
B. Software Defined Networking (SDN) thwarting changing attack tactics.
Software Defined Networking, or SDN, is a contemporary
network design that decouples the control plane from the data III. C LASSIFICATION OF E XISTING R ESEARCH
plane. It enables centralized control and programmability, An emerging area of study is the combination of Artificial
allowing network administrators to dynamically manage Intelligence (AI) and Software-Defined Networking (SDN)
traffic flows, put custom policies into place, and react quickly for the detection and prevention of Distributed Denial
to threats or changes in the network. of Service (DDoS) attacks. This body of work may be
SDN provides better visibility into the network and supports categorized according to various factors, including response
integration with advanced security applications. methods, data sources, performance metrics, attack type, SDN
 TABLE I
C OMPARISON OF AI- BASED DD O S D ETECTION T ECHNIQUES IN SDN

Research Paper Detection Technique AI Model Mitigation Approach Dataset Used

Arora et al. (2024) [?] Anomaly-based RNN, GRU Flow rule updates Custom + CICDDoS
Gadze et al. (2021) Anomaly-based Deep Learning Dynamic blocking CAIDA
[?]
Chahal et al. (2021) Hybrid (ML + Rule- ML + Rule-Based Honeypot redirection NSL-KDD
[?] Based)
Panggabean et al. Anomaly-based GRU, NTM Flow rule updates UNSW-NB15, BoT-
(2025) [?] IoT
Kanthimathi et al. Hybrid Self-Attention CNN Ensemble detection CICDDoS2019
(2024) [?] + XGBoost, LSTM,
RF
Elsayed et al. (2020) Anomaly-based RNN, Autoencoder Flow rule updates CICDDoS2019
[?]
Zhang et al. (2021) Anomaly-based GAN Adversarial training CICDDoS2019
[?]
Bannour et al. (2023) Anomaly-based SVM, ANN Flow rule updates NSL-KDD
[?]
Alamri et al. (2020) Anomaly-based XGBoost Bandwidth control Custom
[?]

architecture, and methodology. • Distributed SDN Architecture: Multiple controllers

manage different network segments, improving resilience
and scalability.
A. Methodology-Based Classification • Hybrid SDN Architecture: AI functions at both local
AI methods used for DDoS detection in SDN settings and central levels, balancing efficiency and scalability.
include ensemble techniques, hybrid models, deep learning
(DL), and machine learning (ML). D. Classification Based on Response Strategy
• Machine Learning (ML): Traditional techniques such • Reactive Mitigation: AI responds after attack detection
as Support Vector Machines (SVM) and Random For- by rerouting or blocking malicious flows.
est (RF) are computationally efficient but less effective • Proactive Mitigation: Predictive models use AI to an-
against novel attack vectors. ticipate and prevent attacks before they occur.
• Deep Learning (DL): Techniques like Convolutional • Collaborative Mitigation: Involves cooperation between
Neural Networks (CNNs) and Long Short-Term Memory firewalls, intrusion detection systems, and SDN con-
(LSTM) networks effectively recognize complex attack trollers for integrated defense.
patterns, though they demand significant computational
E. Classification Based on Data Sources
resources.
• Hybrid and Ensemble Models: These combine the • Flow-Level Data: Uses NetFlow or sFlow to analyze
efficiency of ML with the deep pattern recognition ca- aggregated statistics and detect anomalies.
pabilities of DL to improve accuracy, albeit at a higher • Packet-Level Data: Applies AI models like CNNs or
computational cost. RNNs to detailed packet analysis for granular detection.
• Hybrid Data Methods: Combines flow and packet-level
B. Classification Based on Attack Type data for comprehensive identification.
• Flooding Attacks: These overwhelm targets with traf-
fic (e.g., UDP or SYN floods). SDN mitigates this by F. Classification Based on Performance Metrics
rerouting or dropping malicious traffic, while AI identifies • Detection Accuracy: Balances high true positive rates
anomalies. with low false positives.
• Amplification Attacks: These leverage network proto- • Real-Time Detection: Emphasizes quick AI responses to
cols like DNS to magnify attack volume. AI models minimize damage from fast-moving attacks.
detect these via pattern analysis in traffic data. • Scalability: AI models must scale to handle the large
• Application Layer Attacks: AI detects subtle behaviors data volumes generated in SDN environments without
such as session hijacking and rate-limit evasion in HTTP performance degradation.
requests.
G. Classification Based on Research Approach
C. Classification Based on SDN Architecture • Empirical Studies: Focus on evaluating AI models using
• Centralized SDN Architecture: A single controller han- real-world or simulated datasets such as CICIDS 2019
dles traffic monitoring and mitigation, but may suffer and CAIDA. These studies assess accuracy, robustness,
from performance bottlenecks. and real-time applicability in practical scenarios.
 • Theoretical Studies: Aim to advance the field by propos- sub-500 ms response times, yet few works measure the
ing novel algorithms or enhancing existing methods. impact on legitimate flows or controller CPU utilization under
These works often introduce hybrid AI models or inte- sustained load.
grate ML/DL techniques with SDN to improve detection
efficiency and precision.
B. Common Limitations
• Comparative Studies: Analyze and compare the effec-
tiveness of various detection techniques, such as tra- Despite these advances, several persistent limitations
ditional ML vs. DL methods. These studies highlight temper enthusiasm:
performance trade-offs in different SDN environments
and often show DL methods offering superior accuracy a) Generalization to Unseen Environments: Models
in complex attack scenarios. tuned to a particular network topology or traffic mix often
fail when deployed on different hardware or under new usage
IV. C RITICAL A NALYSIS AND D ISCUSSION patterns. Transfer learning and domain adaptation techniques
are scarcely explored.
The growing adoption of AI for DDoS detection in SDN
environments marks a clear shift toward intelligent, adaptive
b) False Alarm Trade-Offs: Anomaly detectors must
security. Yet, while numerous studies report impressive offline
balance sensitivity (catching stealth floods) against specificity
results, integrating these solutions into real-world networks
(avoiding false positives during benign traffic surges). Only
uncovers a host of challenges. In this section, we dissect the
a handful of works rigorously quantify this trade-off over
major research trends, unpack common shortcomings, and
diverse traffic traces.
highlight fertile ground for future exploration.
c) Resource and Latency Constraints: Deep
A. Emerging Trends in Research architectures (LSTM, CNN) achieve high accuracy but
incur inference delays and require GPUs for real-time
Research in SDN-based DDoS defense has coalesced
operation. Lightweight alternatives (e.g., decision trees,
around several key innovations:
logistic regression) have been tested, but with notable drops
in detection rate.
a) Behavioral Anomaly Detection: Early systems relied
on static signatures, which quickly become obsolete against
d) Interpretability and Operator Trust: Network
novel attack variants. Modern approaches leverage ML/DL
operators are hesitant to deploy black-box models that offer
to model “normal” traffic behaviors—packet inter arrival
no insight into why a flow was marked malicious. Explainable
times, flow duration histograms, TCP flag distributions—and
AI (XAI) methods—feature attribution, rule extraction—are
trigger alerts when deviations exceed learned thresholds.
virtually absent from current SDN defense research.
This paradigm excels at spotting zero-day and polymorphic
attacks but hinges on high-quality, representative training data.
e) Data Imbalance and Preprocessing Overhead:
Attack traffic is often rarer or more bursty than benign flows,
b) Tight Coupling with SDN Controllers: SDN’s
leading to imbalanced training sets and biased classifiers.
centralized control plane is ideal for rapid mitigation. Recent
Moreover, real-time feature extraction (entropy, flow statistics)
works embed trained AI models directly into controllers
can overwhelm controller resources if not optimized.
such as Ryu and POX, enabling sub-second rule updates and
dynamic flow rerouting. Some architectures even cascade
multiple controllers to handle scale, though inter-controller C. Gaps in Research
coordination remains an open challenge. Key directions remain under-explored:

c) Customized Dataset Generation: Public datasets like a) Hybrid Multi-Technique Frameworks: Very few
CICDDoS2019 and NSL-KDD lack SDN-specific metadata systems systematically evaluate combinations of rate limiting,
(e.g., OpenFlow counters, switch IDs). To address this, honeypots, and flow rerouting within a unified SDN controller.
researchers simulate Mininet topologies, inject both legitimate Comparative studies of hybrid pipelines could reveal synergies
and attack traffic, and extract rich feature sets including port and optimal mitigation sequences.
utilization and switch buffer usage. These bespoke datasets
improve model relevance but reduce comparability across b) Adaptive Learning via Reinforcement and Federated
studies. Methods: Reinforcement Learning (RL) promises self-tuning
policies that adjust thresholds and actions based on reward
d) End-to-End Automation: Beyond detection, the most signals (e.g., minimizing false alarms). Federated learning
advanced prototypes form closed-loop pipelines: An anomaly could enable model sharing across domains without exposing
triggers an SDN API call that installs drop rules or diverts raw traffic data.
traffic to a honeypot. Early proofs-of-concept demonstrate
 TABLE II
C OMPARISON OF AI M ODELS FOR DD O S D ETECTION

Model Accuracy (%) Strength Limitation

LSTM 96.8 Effectively learns flow-level temporal dependencies Requires substantial compute resources
CNN 94.2 Captures spatial correlations among features Suboptimal on long sequences
Random Forest 91.5 Fast inference and interpretable outcomes Tends to overfit under noisy conditions

c) Cross-Domain Transfer and Benchmarking: There 1. Limitations of the Dataset and Generalization
is no agreed-upon benchmark for SDN-based DDoS research. A large number of existing models (such as CICIDS, KDD,
Establishing a public corpus with standardized feature sets and NSL-KDD) are trained and validated using limited
and evaluation metrics would greatly enhance reproducibility or out-of-date datasets. These datasets frequently don’t
and fair comparison. capture the changing DDoS assault patterns observed in
contemporary real-world situations. As a result, models
d) Real-World Field Trials: Almost all evaluations exhibit low generalization in real deployments yet excellent
remain in emulated or lab-scale environments. Pilot accuracy during testing.
deployments in campus or enterprise networks, with
controlled attack injection, are crucial to validate performance 2. Elevated False Positives and False Negatives
under realistic conditions. The clear differentiation between genuine traffic surges,
such as sudden influxes of visitors, and real DDoS
incidents remains a challenge. Even the most carefully
D. Visualizing Model Performance
developed models may experience incorrect alerts, resulting
Various AI models have been benchmarked across multiple in unwarranted interruptions in service or overlooked threats.
studies. As shown in Figure 2, LSTM leads in detection
accuracy, highlighting its strength in capturing temporal 3. Real-time constraints and latency
patterns. Accurate and timely decisions are necessary for real-time
detection. However, unless performance-optimized, machine
learning algorithms—particularly deep learning models—can
be computationally demanding, rendering them inappropriate
for low-latency applications.

4. Trust and Interpretability of the Model

Security experts are frequently hesitant to depend on ”black
box” machine learning algorithms. Debugging, establishing
trust, and responding to incidents are made more challenging
by decision-making that lacks interpretability and openness.

5. Model Robustness and Adversarial Attacks

Adversarial inputs, or deliberately constructed data, can lead
to AI/ML models misclassifying traffic. This is a serious risk
since attackers may be able to manipulate inputs to avoid
Fig. 2. Accuracy comparison of different AI models used for DDoS attack detection.
detection.

V. O PEN C HALLENGES AND F UTURE D IRECTIONS Future Research Directions In order to overcome these
Unresolved Issues in the Field Real-time DDoS detection issues some of the research areas have been considered like:
systems driven by AI/ML have made significant strides, but
there are still a number of issues that need to be addressed. 1. Adaptive and Continual Learning
The implementation of highly effective and scalable detection Future technologies should utilize ongoing or real-time
mechanisms is hampered by a number of technological, learning methods that adjust to shifting traffic trends and
operational, and architectural problems. changing attack techniques as they develop. This approach
would lessen reliance on fixed datasets and enhance the
effectiveness of models over the long term.
 incorporating collaborative security frameworks in distributed
2. Transfer Learning and Cross-Domain Models SDN settings could greatly improve overall defense strategies.
Employing transfer learning can enhance models that have
been trained in one context, allowing them to excel in Future studies should similarly focus on the ethical
different environments with little additional training. This is implications of AI-driven security systems, ensuring
especially beneficial in cloud environments or multi-tenant transparency, fairness, and accountability in automated
software-defined networking setups. decision making. Broadening the scope to include AI-
powered adaptive self-healing networks could reshape the
3. Federated Learning for Privacy-Preserving Detection upcoming generation of cyber-defense methodologies.
Given that network information can be sensitive, federated
learning enables distributed training across several nodes In summary, while the integration of AI and SDN has
without the need to transmit raw data. This method boosts achieved significant advancements in DDoS protection,
privacy while still facilitating collaborative improvements in ongoing interdisciplinary collaboration, real-world testing,
detection models. and innovative design strategies are crucial to fully harness
its potential and develop resilient, future-ready network
4. Explainable AI (XAI) for Better Transparency infrastructures.
Utilizing XAI methods can shed light on the reasons behind
the classification of specific traffic flows as harmful. This VII. R EFERENCES
increases trust and allows for quicker reactions to incidents
and troubleshooting within operational environments. [1] M. A. Msaad, R. A. Saed, and A. M. Sllame, “A Simulation Based
Analysis Study for DDoS Attacks on Computer Networks,” in Proc. of
the 2021 IEEE 1st International Maghreb Meeting of the Conference
5. Lightweight Models for Edge Deployment on Sciences and Techniques of Automatic Control and Computer
Creating models that are lightweight and resource-friendly Engineering (MI-STA), Tripoli, Libya, May 2021, pp. 1–6.
allows for implementation on SDN edge devices or IoT
gateways. This transition toward intelligence at the edge [2] S. Arora, P. Khare, and S. Gupta, “AI-Driven DDoS Mitigation at the
ensures quick detection and prompt response near the attack’s Edge: Leveraging Machine Learning for Real-Time Threat Detection
and Response,” in Proc. of the 2024 International Conference on Data
origin. Science and Network Security (ICDSNS), New Delhi, India, 2024, pp.
1–6.

VI. C ONCLUSION
[3] K. Deepthika, T. Vanaja, S. Keerthika, and P. S. N., “AI-Enabled DDoS
This survey emphasizes the considerable progress made Detection and Mitigation in the Software Defined Network,” in Proc. of
in the detection and mitigation of AI-based DDoS attacks the 2024 5th International Conference on Electronics and Sustainable
Communication Systems (ICESC), Bangalore, India, 2024, pp. 1–6.
through SDN, highlighting their ability to combat the doi: 10.1109/ICESC60852.2024.10689743.
increasing danger of DDoS attacks in contemporary networks.
Crucial findings from the survey indicate that AI, especially
[4] D. A. and P. Nithyanandam, “An Effective Mechanism to Regenerate
machine learning and deep learning, can successfully HTTP Flooding DDoS Attack Using Real-Time Data Set,” in Proc. of
identify intricate attack patterns and offer adaptive real-time the 2017 International Conference on Intelligent Computing, Instrumen-
responses. The combination of SDN contributes to scalability tation and Control Technologies (ICICICT), Chennai, India, 2017, pp.
1–6.
and flexibility in the approach, facilitating dynamic traffic
[5] R. Aliyev, “DDoS Simulation: Empowering Targets Through Simulated
management and more effective mitigation techniques. Attacks,” Khazar University, School of Science and Engineering, Baku,
Azerbaijan, 2024.
However, challenges such as excessive computational
demands, model precision, data imbalance, and scalability [6] J. K. Chahal, P. Kaur, and A. Sharma, “Distributed Denial of Service
persist. These concerns underscore the need for ongoing (DDoS) Attacks in Software-defined Networks (SDN),” Chitkara
research to refine AI models, enhance performance, and create University Institute of Engineering and Technology, Punjab, India, Dec.
2021.
more effective solutions for vast, real-time environments.
Furthermore, the absence of standardized datasets and
practical deployment cases presents additional obstacles for [7] J. Tamayo, L. I. Barona López, and Á. L. Valdivieso Caraguay,
“Detection of Distributed Denial of Service Attacks Carried Out by
researchers and developers. Botnets in Software-Defined Networks,” Dept. of Informatics and
Computer Science, Escuela Politécnica Nacional, Quito, Ecuador, pp.
The collaboration between AI and SDN holds promise, 1–22.
but further research into hybrid models, intelligent load
balancing, federated learning, and context-aware detection [8] P. Manso, J. Moura, and C. Serrão, “SDN-Based Intrusion Detection
is crucial. There is also an increasing requirement to create System for Early Detection and Mitigation of DDoS Attacks,”
Information, vol. 10, no. 3, pp. 1–18, 2019.
lightweight, explainable AI models that can function with
limited resources while maintaining accuracy. In addition,
 [9] M. Chouikik, M. Ouaissa, M. Ouaissa, Z. Boulouard, and M. Kissi,
“Detection and mitigation of DDoS attacks in SDN based intrusion
detection system,” Bull. Electr. Eng. Inform., vol. 13, no. 4, pp.
2750–2757, Aug. 2024, doi: 10.11591/eei.v13i4.7570.

[10] T. V. Phan, T. M. R. Gias, S. T. Islam, T. T. Huong, N. H. Thanh,

and T. Bauschert, “Q-MIND: Defeating stealthy DoS attacks in SDN
with a machine-learning based defense framework,” in Proc. IEEE
GLOBECOM, 2019, accepted for publication.

[11] J. D. Gadze, A. A. Bamfo-Asante, J. O. Agyemang, H. Nunoo-Mensah,

and K. A.-B. Opare, “An investigation into the application of deep
learning in the detection and mitigation of DDoS attack on SDN
controllers,” Technologies, vol. 9, no. 1, pp. 1–22, Feb. 2021, doi:
10.3390/technologies9010014.

[12] M. S. Elsayed, N.-A. Le-Khac, S. Dev, and A. D. Jurcut, “DDoSNet:

A deep-learning model for detecting network attacks,” in Proc. IEEE
Int. Conf. Comput. Sci. Netw. Technol. (ICCSNT), 2020, pp. 1–8, doi:
10.1109/ICCSNT50779.2020.00010.

[13] A. Victor and A. Temitope, “AI for detecting and mitigating Distributed
Denial of Service (DDoS) attacks in cloud networks,” ResearchGate,
Mar. 2025. [Online].

[14] A. Arora et al., “AI-Based DDoS Detection in SDN using RNN and
GRU,” *Proc. IEEE ICC*, 2024.

[15] E. Panggabean et al., “NTM-GRU based DDoS Detection for SDN,”

*Future Gen. Comput. Syst.*, vol. 150, pp. 245–255, 2025.

[16] S. Kanthimathi et al., “Hybrid Deep Learning Classifiers for DDoS

Attack Detection in SDN,” *IEEE Trans. Netw. Serv. Manag.*, 2024.

[17] Z. Zhang et al., “GAN-Based Adversarial Learning for DDoS Detection

in SDN,” *Future Gen. Comput. Syst.*, vol. 117, pp. 70–83, 2021.

[18] M. Bannour et al., “Comparative Study of ML Models for Intrusion

Detection in SDN,” *Procedia Comput. Sci.*, vol. 217, pp. 132–139,
2023.

[19] A. Alamri et al., “AI-Driven Bandwidth Management for DDoS Mit-

igation in SDN,” *Int. J. Eng. Trends Technol.*, vol. 71, no. 2, pp.
140–145, 2020.