TY  - BOOK
AU  - Mahmoud Sami Ataa, 
AU  - Reda A. El-khoribi
AU  - Eman E. Sanad
TI  - Intrusion detection system for software defined networking based on deep learning approaches
U1  - 006.31 
PY  - 2025///
KW  - Deep learning
KW  - Ø§ÙØªØ¹ÙÙ Ø§ÙØ¹ÙÙÙ
KW  - Software-defined networks
KW  - Cybersecurity
KW  -  Intrusion detection system
KW  - Convolutional neural networks model
KW  - Long short term memory model
KW  - transformer model
KW  - Ø§ÙØ´Ø¨ÙØ§Øª Ø§ÙÙØ¹Ø±ÙØ© Ø¨Ø§ÙØ¨Ø±ÙØ¬ÙØ§Øª
KW  - Ø§ÙØ§ÙÙ Ø§ÙØ³ÙØ¨Ø±Ø§ÙÙ
N1  - Thesis (M.Sc)-Cairo University, 2025; Bibliography: pages 99-103; Issues also as CD
N2  -  Ensuring robust network security is crucial in the context of Software-
Defined Networking (SDN), which has become a multi -billion-dollar 
industry and is widely deployed in modern data centers. SDN provides 
network programmability, centralized control, and a global network view, 
offering significant advantages over traditional networks. However, these 
benefits come with new vulnerabilities and attack vectors, making SDN 
security a critical research area. The emergence of Machine Learning (ML) 
and, more specifically, Deep Learning (DL) has led to innovative approaches 
to securing SDN environments. 
This research focuses on developing an advanced Deep Learning -based 
Intrusion Detection System (IDS) to address SDN -specific attack vectors. 
We designed and evaluated two IDS models, a hybrid CNN-LSTM 
architecture and a Transformer encoder-only architecture. The IDS targets 
the SDN controller, a crucial component of the network that, if compromised, 
could lead to severe security breaches. The InSDN dataset was used for 
training and testing, as it accurately captures real -world SDN traffic. For 
evaluation, we employed accuracy, precision, recall, and F1-score as key 
metrics. Experimental results demonstrated that the Transformer model with 
48 features achieved the highest accuracy of 99.02%, while the CNN -LSTM 
model closely followed with 99.01%. 
To optimize the IDS for real-world deployment, we reduced the feature 
set to 6 and 4 features, assessing the impact on performance. Additionally, 
we addressed the poor representation of certain attack types by merging four 
underrepresented attacks into a single class, significantly improving 
classification accuracy. Furthermore, we explored binary classification, 
where all attack types were combined into a single attack class, resulting in 
higher accuracy for both models. Notably, the CNN-LSTM model achieved 
the best results with 6 features, reaching an accuracy of 99. 19% and a 99.49% 
F1-score, surpassing state-of-the-art results. 
Beyond model evaluation, we assessed the IDSâs impact on SDN 
network performance by analyzing key metrics such as latency, throughput, 
CPU, and memory usage. The findings indicate that while the CNN -LSTM-
based IDS introduced a slight increase in latency of 0.016 ms, a marginal 
decrease in throughput of approximately 100 kBps, and minimal resource 
consumption, 5% CPU and 1% memory increase, we also developed a 
Transformer-based IDS that exhibited a higher computational impact. This 
second IDS resulted in a 0.004 ms increase in latency, a 31 kBps decrease in 
throughput, a 25% increase in CPU usage, and a 3% increase in memory 
usage. These results highlight the tr ade-off between model complexity and 
network performance. While both IDS solutions effectively detect intrusions, 
the CNN-LSTM model offers a more lightweight implementation compared 
to the Transformer-based IDS, which provides more sensitive detection 
capabilities with higher resource consumption.; ØªÙØ¹ÙØ¯Ù Ø£ÙØ§Ù Ø§ÙØ´Ø¨ÙØ§Øª Ø£ÙØ±ÙØ§ Ø¨Ø§ÙØº Ø§ÙØ£ÙÙÙØ© ÙÙ Ø§ÙØ´Ø¨ÙØ§Øª Ø§ÙÙØ¹Ø±ÙØ© Ø¨Ø§ÙØ¨Ø±ÙØ¬ÙØ§Øª (SDN)Ø ÙÙÙ ØµÙØ§Ø¹Ø© Ø³Ø±ÙØ¹Ø© Ø§ÙÙÙÙ ØªÙÙØ¯ÙÙØ± Ø¨ÙÙÙØ§Ø±Ø§Øª Ø§ÙØ¯ÙÙØ§Ø±Ø§Øª ÙØªÙØ³ØªØ®Ø¯Ù Ø¹ÙÙ ÙØ·Ø§Ù ÙØ§Ø³Ø¹ ÙÙ Ø§ÙØ´Ø¨ÙØ§Øª Ø§ÙØ­Ø¯ÙØ«Ø© ÙÙØ±Ø§ÙØ² Ø§ÙØ¨ÙØ§ÙØ§Øª. ÙÙÙØ± Ø§ÙØªØ­ÙÙ Ø§ÙÙØ±ÙØ²Ù ÙØ§ÙØ±Ø¤ÙØ© Ø§ÙØ´Ø§ÙÙØ© ÙÙØ´Ø¨ÙØ© ÙÙ SDN ÙØ²Ø§ÙØ§ ÙØ§Ø¶Ø­Ø© ÙÙØ§Ø±ÙØ© Ø¨Ø§ÙØ´Ø¨ÙØ§Øª Ø§ÙØªÙÙÙØ¯ÙØ©Ø ÙÙÙÙØ§ ØªÙØ¯Ø®Ù Ø£ÙØ¶ÙØ§ ÙÙØ§Ø· Ø¶Ø¹Ù Ø¬Ø¯ÙØ¯Ø©. ÙÙÙØ§Ø¬ÙØ© ÙØ°Ù Ø§ÙØªØ­Ø¯ÙØ§ØªØ ÙØ¬Ø£ Ø§ÙØ¨Ø§Ø­Ø«ÙÙ Ø¥ÙÙ ØªÙÙÙØ§Øª Ø§ÙØªØ¹ÙÙ Ø§ÙØ¢ÙÙØ ÙØ¨Ø´ÙÙ Ø®Ø§Øµ Ø§ÙØªØ¹ÙÙ Ø§ÙØ¹ÙÙÙ (DL)Ø ÙØªØ£ÙÙÙ Ø¨ÙÙØ© SDN Ø§ÙØªØ­ØªÙØ©.ÙÙ ÙØ°Ù Ø§ÙØ¯Ø±Ø§Ø³Ø©Ø ØªÙ ØªØ·ÙÙØ± ÙØ¸Ø§ÙÙ ÙØ´Ù ØªØ³ÙÙ (IDS) ÙØªÙØ¯ÙÙÙ ÙØ¹ØªÙØ¯Ø§Ù Ø¹ÙÙ Ø§ÙØªØ¹ÙÙ Ø§ÙØ¹ÙÙÙ: Ø£Ø­Ø¯ÙÙØ§ ÙØ²ÙØ¬ Ø¨ÙÙ Ø§ÙØ´Ø¨ÙØ§Øª Ø§ÙØ§ÙØªÙØ§ÙÙØ© (CNN) ÙØ°Ø§ÙØ±Ø© Ø§ÙÙØ¯Ù Ø§ÙØ·ÙÙÙ Ø§ÙÙØµÙØ± (LSTM)Ø ÙØ§ÙØ¢Ø®Ø± ÙØ¹ØªÙØ¯ Ø¹ÙÙ ÙÙÙØ°Ø¬ Ø§ÙÙØ­ÙÙ (Transformer) Ø¨Ø§Ø³ØªØ®Ø¯Ø§Ù Ø·Ø¨ÙØ§Øª Ø§ÙØªØ´ÙÙØ± ÙÙØ·. ØªØ³ØªÙØ¯Ù ÙØ°Ù Ø§ÙØ£ÙØ¸ÙØ© ÙØ­Ø¯Ø© Ø§ÙØªØ­ÙÙ ÙÙ SDNØ ÙÙÙ ÙÙÙÙ Ø­Ø±Ø¬ ÙÙØ¹Ø±Ø¶ ÙÙÙØ¬ÙØ§ØªØ Ø¨Ø§Ø³ØªØ®Ø¯Ø§Ù ÙØ¬ÙÙØ¹Ø© Ø¨ÙØ§ÙØ§Øª InSDN ÙÙØ­Ø§ÙØ§Ø© Ø­Ø±ÙØ© Ø§ÙÙØ±ÙØ± Ø§ÙÙØ§ÙØ¹ÙØ©.ÙÙØªÙÙÙÙ ÙØ°Ù Ø§ÙØ£ÙØ¸ÙØ© ÙÙØ§Ø³ØªØ®Ø¯Ø§Ù Ø§ÙÙØ¹ÙÙØ ØªÙ ØªÙÙÙØµ Ø¹Ø¯Ø¯ Ø§ÙØ³ÙØ§Øª Ø§ÙÙØ³ØªØ®Ø¯ÙØ© ÙÙ 48 (Ø§ÙÙØ¬ÙÙØ¹Ø© Ø§ÙÙØ§ÙÙØ©) Ø¥ÙÙ 6 Ù4 Ø³ÙØ§Øª ÙÙØ·. ÙÙØ§ ØªÙ Ø¯ÙØ¬ Ø£ÙÙØ§Ø¹ Ø§ÙÙØ¬ÙØ§Øª ÙÙÙÙØ© Ø§ÙØªÙØ«ÙÙ ÙØªØ­Ø³ÙÙ Ø¯ÙØ© Ø§ÙØªØµÙÙÙØ ÙØ³Ø§ÙÙ Ø§ÙØªØµÙÙÙ Ø§ÙØ«ÙØ§Ø¦Ù ÙÙ ØªØ¹Ø²ÙØ² Ø§ÙØ£Ø¯Ø§Ø¡ ÙÙ Ø®ÙØ§Ù ØªØ¨Ø³ÙØ· Ø¹ÙÙÙØ© Ø§ÙÙØ´Ù Ø¹Ù Ø§ÙÙØ¬ÙØ§Øª.Ø­ÙÙ ÙÙÙØ°Ø¬ CNN-LSTM Ø£Ø¯Ø§Ø¡Ù ÙØªÙÙØ²ÙØ§ Ø¨Ø§Ø³ØªØ®Ø¯Ø§Ù 6 Ø³ÙØ§Øª ÙÙØ·Ø Ø¥Ø° ÙØµÙØª Ø¯ÙØªÙ Ø¥ÙÙ 99.19% Ù 99.49% Ø¹ÙÙ ÙÙÙØ§Ø³ F1Ø ÙÙÙ ÙØ§ ÙÙØ¹Ø¯ ÙÙ Ø£ÙØ¶Ù Ø§ÙÙØªØ§Ø¦Ø¬ ÙÙ ÙØ°Ø§ Ø§ÙÙØ¬Ø§Ù. ÙÙÙ Ø§ÙØªÙÙÙÙ Ø§ÙÙÙØ§Ø¦Ù ÙÙØ£Ø¯Ø§Ø¡Ø ØªØ¨ÙÙ Ø£Ù ÙÙÙØ°Ø¬ Transformer ÙØªÙØªØ¹ Ø¨Ø­Ø³Ø§Ø³ÙØ© ÙØ´Ù Ø£Ø¹ÙÙØ ÙÙÙ ÙÙÙØ°Ø¬ CNN-LSTM ÙØ¯ÙÙ ØªÙØ§Ø²ÙÙØ§ Ø£ÙØ¶Ù ÙÙ Ø­ÙØ« ØªÙÙÙÙ Ø§ÙØªØ£Ø«ÙØ± Ø¹ÙÙ Ø²ÙÙ Ø§ÙØ§Ø³ØªØ¬Ø§Ø¨Ø©Ø ÙØ³Ø±Ø¹Ø© Ø§ÙÙØ¹Ø§ÙØ¬Ø©Ø ÙØ§Ø³ØªÙÙØ§Ù Ø§ÙÙÙØ§Ø±Ø¯
ER  -