Software-defined Networking (SDN) is a modern network management paradigm that decouples the data and control planes. The centralized control plane offers comprehensive control and orchestration over the network infrastructure. Although SDN provides better control over traffic flow, ensuring network security and service availability remains challenging. This paper presents an anomaly-based intrusion detection system (IDS) for monitoring and securing SDN networks. The system utilizes deep learning models to identify anomalous traffic behavior. When an anomaly is detected, a mitigation module blocks suspicious communications and restores the network to its normal state. Three versions of the proposed solution were implemented and compared: the traditional Generative Adversarial Network (GAN), Deep Convolutional GAN (DCGAN), and Wasserstein GAN with Gradient Penalty (WGAN-GP). These models were incorporated into the system’s detection structure and tested on two benchmark datasets. The first is emulated, and the second is the well-known CICDDoS2019 dataset. The results indicate that the IDS adequately identified potential threats, regardless of the deep learning algorithm. Although the traditional GAN is a simpler model, it could still efficiently detect when the network was under attack and was considerably faster than the other models. Additionally, the employed mitigation strategy successfully dropped over 89% of anomalous flows in the emulated dataset and over 99% in the public dataset, preventing the effects of the threats from being accentuated and jeopardizing the proper functioning of the SDN network.

Data availability
All datasets are public and freely available.
This work was supported by CAPES, Brazil, due to the concession of scholarships and by the National Council for Scientific and Technological Development (CNPq) of Brazil under Grant of Project 306397/2022-6.
Author information
All authors contributed equally to this work.
Ethics declarations
Conflict of interest
The authors declare no competing interests.
About this article
Cite this article
Zacaron, A.M., Lent, D.M.B., da Silva Ruffo, V.G. et al. Generative Adversarial Network Models for Anomaly Detection in Software-Defined Networks. J Netw Syst Manage 32, 93 (2024). https://doi.org/10.1007/s10922-024-09867-z
DOI: https://doi.org/10.1007/s10922-024-09867-z