This paper presents a systematic review of the literature on deep learning (DL) models in Software-Defined Networking (SDN) and Security Information and Event Management (SIEM) systems for preventing and detecting cybersecurity threats. The de facto standard for threat detection, signature- and rule-based matching, is no longer adequate given the complexity of networked environments and the sophistication of zero-day attacks and advanced persistent threats. The purpose of this paper is therefore to give an overview of the current state of integrating DL architectures such as CNNs, RNNs and hybrids, as reported in the literature, to enable faster and more accurate detection of threats and responsive actions that do not depend on an alert or rule-triggered indicator being noticed by an analyst overwhelmed by false positives. We discuss four important research works, the models they propose, the metrics of interest and the practical implications. Finally, we compare the models, focusing on the CNN-BiLSTM model. The survey concludes with recommendations on which DL models to use for different types of cyber-attacks and when to trade performance against computational cost.
Introduction
Software-Defined Networking (SDN) introduces a powerful architectural shift by separating the control plane from the data plane and centralizing network management through an SDN controller. While this offers greater flexibility and programmability, it also creates a major vulnerability—a single point of failure. Similarly, Security Information and Event Management (SIEM) systems collect and analyze logs for threat detection but often struggle with predefined rules, capacity limitations, false positives, and alert fatigue.
To address these challenges, recent research incorporates deep learning (DL) models, which can autonomously learn complex patterns in large volumes of network and log data. Four key research papers demonstrate how DL improves security in SDN and SIEM environments:
Paper 1 introduces a hybrid CNN-BiLSTM model for SDN intrusion detection. After feature selection using Random Forest and RFE, the model combines CNN’s spatial analysis with BiLSTM’s temporal understanding. Evaluations on datasets like NSL-KDD and UNSW-NB15 show accuracy above 99%, outperforming standalone CNNs and LSTMs.
Paper 2 presents a proactive SIEM framework using Wazuh logs, PCA/ICA preprocessing, and an LSTM classifier to reduce false positives and improve attack classification. The model successfully handles sequential log data and significantly outperforms traditional rule-based SIEM detection.
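As an added illustration of the preprocessing step described for Paper 2 (this is example code, not taken from the paper or from the Wazuh project), the following Python turns Wazuh-style alert lines into fixed-length feature windows that a sequence model such as an LSTM would consume. The alert field layout is assumed to follow Wazuh's alerts.json (rule.id, rule.level, rule.description, agent.name, timestamp); the alert values, the gap cap of 300 s and the window-labelling rule (a window is suspicious if any alert in it has rule level 10 or above) are constructed for this example. The PCA/ICA reduction the paper applies is omitted.

```python
import json
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample of alert lines. The field layout mimics Wazuh's
# alerts.json (rule.id, rule.level, rule.description, agent.name, timestamp);
# hosts, addresses and timestamps are invented for this example.
SAMPLE_ALERTS = "\n".join([
    '{"timestamp":"2024-05-01T10:00:00.000+0000","rule":{"id":"5710","level":5,"description":"sshd: attempt to login using a non-existent user"},"agent":{"name":"web01"},"data":{"srcip":"203.0.113.7"}}',
    '{"timestamp":"2024-05-01T10:00:03.000+0000","rule":{"id":"5710","level":5,"description":"sshd: attempt to login using a non-existent user"},"agent":{"name":"web01"},"data":{"srcip":"203.0.113.7"}}',
    '{"timestamp":"2024-05-01T10:00:05.000+0000","rule":{"id":"5710","level":5,"description":"sshd: attempt to login using a non-existent user"},"agent":{"name":"web01"},"data":{"srcip":"203.0.113.7"}}',
    '{"timestamp":"2024-05-01T10:00:06.000+0000","rule":{"id":"5712","level":10,"description":"sshd: brute force trying to get access to the system"},"agent":{"name":"web01"},"data":{"srcip":"203.0.113.7"}}',
    '{"timestamp":"2024-05-01T10:06:00.000+0000","rule":{"id":"5501","level":3,"description":"PAM: login session opened"},"agent":{"name":"db01"}}',
    '{"timestamp":"2024-05-01T10:06:30.000+0000","rule":{"id":"5502","level":3,"description":"PAM: login session closed"},"agent":{"name":"db01"}}',
    '{"timestamp":"2024-05-01T10:07:00.000+0000","rule":{"id":"533","level":7,"description":"listened ports status changed"},"agent":{"name":"db01"}}',
    '{"timestamp":"2024-05-01T10:07:01.000+0000","rule":{"id":"5710","level":5,"description":"sshd: attempt to login using a non-existent user"},"agent":{"name":"web01"},"data":{"srcip":"198.51.100.9"}}',
])

MAX_LEVEL = 15.0          # Wazuh rule levels range from 0 to 15
MAX_GAP_SECONDS = 300.0   # inter-arrival gaps are capped before scaling (assumption)
SUSPICIOUS_LEVEL = 10     # constructed labelling rule for training windows


def _ts(alert: dict) -> datetime:
    # Wazuh writes timestamps like 2024-05-01T10:00:00.000+0000
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_alerts(text: str) -> List[dict]:
    """Parse one JSON alert per line, skipping blank lines, ordered by timestamp."""
    alerts = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(alerts, key=_ts)


def build_vocab(alerts: List[dict]) -> Dict[str, int]:
    """Map each distinct rule id to a one-hot index (fit on training data only)."""
    ids = sorted({a["rule"]["id"] for a in alerts})
    return {rule_id: i for i, rule_id in enumerate(ids)}


def encode_alerts(alerts: List[dict], vocab: Dict[str, int]) -> List[List[float]]:
    """Turn each alert into a numeric vector:
    [scaled rule level, scaled gap to previous alert, one-hot rule id...]."""
    vectors = []
    prev = None
    for a in alerts:
        now = _ts(a)
        gap = 0.0 if prev is None else (now - prev).total_seconds()
        prev = now
        one_hot = [0.0] * len(vocab)
        idx = vocab.get(a["rule"]["id"])
        if idx is not None:            # unseen rule ids map to the all-zero vector
            one_hot[idx] = 1.0
        vectors.append([a["rule"]["level"] / MAX_LEVEL,
                        min(gap, MAX_GAP_SECONDS) / MAX_GAP_SECONDS] + one_hot)
    return vectors


def make_windows(vectors: List[List[float]], alerts: List[dict],
                 window: int = 4, stride: int = 2) -> List[Tuple[List[List[float]], int]]:
    """Slide a fixed-length window over the alert sequence; each window is one
    LSTM sample. Label 1 if any alert inside reaches SUSPICIOUS_LEVEL."""
    samples = []
    for start in range(0, len(vectors) - window + 1, stride):
        chunk = vectors[start:start + window]
        label = int(any(a["rule"]["level"] >= SUSPICIOUS_LEVEL
                        for a in alerts[start:start + window]))
        samples.append((chunk, label))
    return samples


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    vocab = build_vocab(alerts)
    for chunk, label in make_windows(encode_alerts(alerts, vocab), alerts):
        print(label, [round(x, 2) for x in chunk[0]])
```

Fit the rule-id vocabulary on training data only, so that a rule id first seen at inference time maps to the all-zero one-hot vector rather than raising an error; overlapping windows (stride smaller than window) give the sequence model more samples from the same log at the cost of correlated training examples.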
Paper 3 compares CNN, LSTM, and DNN models for IoT/SDN threat detection using the CICIoT2023 dataset. CNN achieves the best results—99.10% accuracy for multi-class and 99.40% for binary classification—due to its strength in identifying spatial patterns in traffic data.
Paper 4 proposes a hybrid DBN-RNN framework for detecting complex, multi-phase attacks like Advanced Persistent Threats (APTs). The DBN extracts deep hierarchical features, while the RNN processes temporal patterns. Although highly effective, the model is computationally heavy and less suitable for real-time deployment.
A comparison of methods highlights the strengths of the CNN-BiLSTM architecture: CNNs extract spatial correlations in network traffic, while BiLSTMs capture forward- and backward-temporal dependencies, yielding high accuracy and reduced false positives. However, limitations include high computational cost, large data requirements, and limited interpretability.
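The surveyed papers report results mainly as accuracy, yet the comparison above turns on false positives, which accuracy hides when benign traffic dominates the dataset. The following Python, added here and not taken from any of the surveyed papers, computes per-class precision, recall, F1 and one-vs-rest false-positive rate, plus the analyst-facing false-alarm rate, from a constructed multi-class evaluation; the class names and counts are invented and chosen so that an accuracy above 96% coexists with a minority class detected only half the time.

```python
from typing import Dict, List, Tuple

CLASSES = ["benign", "dos", "probe", "r2l"]

# Constructed evaluation outcome of a multi-class IDS on a held-out set:
# (true class, predicted class, number of flows). Values are invented to
# show how a high accuracy can coexist with weak minority-class detection.
SAMPLE_OUTCOMES = [
    ("benign", "benign", 900), ("benign", "dos", 10),
    ("benign", "probe", 5),    ("benign", "r2l", 5),
    ("dos", "dos", 190),       ("dos", "benign", 10),
    ("probe", "probe", 45),    ("probe", "benign", 5),
    ("r2l", "r2l", 10),        ("r2l", "benign", 10),
]


def expand_outcomes(outcomes) -> Tuple[List[str], List[str]]:
    """Unroll (true, pred, count) triples into per-sample label lists."""
    y_true, y_pred = [], []
    for t, p, n in outcomes:
        y_true.extend([t] * n)
        y_pred.extend([p] * n)
    return y_true, y_pred


def confusion_matrix(y_true, y_pred, classes) -> Dict[str, Dict[str, int]]:
    """cm[true][pred] = number of samples."""
    cm = {t: {p: 0 for p in classes} for t in classes}
    for t, p in zip(y_true, y_pred):
        cm[t][p] += 1
    return cm


def _safe_div(a: float, b: float) -> float:
    return a / b if b else 0.0


def accuracy(cm) -> float:
    total = sum(sum(row.values()) for row in cm.values())
    correct = sum(cm[c][c] for c in cm)
    return _safe_div(correct, total)


def per_class_metrics(cm) -> Dict[str, Dict[str, float]]:
    """One-vs-rest precision, recall, F1 and false-positive rate per class."""
    classes = list(cm)
    total = sum(sum(row.values()) for row in cm.values())
    out = {}
    for c in classes:
        tp = cm[c][c]
        fn = sum(cm[c][p] for p in classes if p != c)   # missed samples of c
        fp = sum(cm[t][c] for t in classes if t != c)   # other classes called c
        tn = total - tp - fn - fp
        out[c] = {
            "precision": _safe_div(tp, tp + fp),
            "recall": _safe_div(tp, tp + fn),
            "f1": _safe_div(2 * tp, 2 * tp + fp + fn),
            "fpr": _safe_div(fp, fp + tn),
        }
    return out


def macro_f1(metrics) -> float:
    """Unweighted mean F1, so a rare class counts as much as a common one."""
    return sum(m["f1"] for m in metrics.values()) / len(metrics)


def false_alarm_rate(cm, benign: str = "benign") -> float:
    """Fraction of benign samples that raised an alert of any attack class;
    this is the number that drives analyst alert fatigue."""
    row = cm[benign]
    return _safe_div(sum(v for p, v in row.items() if p != benign), sum(row.values()))


if __name__ == "__main__":
    y_true, y_pred = expand_outcomes(SAMPLE_OUTCOMES)
    cm = confusion_matrix(y_true, y_pred, CLASSES)
    metrics = per_class_metrics(cm)
    print(f"accuracy={accuracy(cm):.4f} macro_f1={macro_f1(metrics):.4f} "
          f"false_alarm_rate={false_alarm_rate(cm):.4f}")
    for c, m in metrics.items():
        print(c, {k: round(v, 4) for k, v in m.items()})
```

On the constructed counts the overall accuracy is about 0.962 while the r2l class has a recall of 0.5 and a macro F1 near 0.85; when comparing IDS models from different papers, the per-class table and the false-alarm rate on benign traffic say more about operational cost than the headline accuracy.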
Conclusion
Based on this overview of the existing literature, deep learning models offer a substantial upgrade over rule-based detection in SDN and SIEM security systems. Given the nature and complexity of current-generation threats, the examined works show a clear tendency: a move from individual models to hybrid models and systems. The following recommendations can therefore be formulated:
References
[1] Arora, R., & Kharbas, V. K. (2024). Machine Learning-Driven Anomaly Detection: Strengthening SIEM Tools for Robust Cyber Defense. Journal of Propulsion Technology, 40(2).
[2] Becerra-Suarez, F. L., Tuesta-Monteza, V. A., Mejia-Cabrera, H. I., & Arcila-Diaz, J. (2024). Performance Evaluation of Deep Learning Models for Classifying Cybersecurity Attacks in IoT Networks. Informatics, 11(1), 22.
[3] Ben Said, R., Sabir, Z., & Askerzade, I. (2023). CNN-BILSTM: A hybrid deep learning approach for network intrusion detection system in software defined networking with hybrid feature selection. IEEE Access.
[4] Bensaoud, A., & Kalita, J. (2025). Optimized Detection of Cyber-Attacks on IoT Networks via Hybrid Deep Learning Models. arXiv preprint arXiv:2501.03152.
[5] Chaganti, R., Suliman, W., Ravi, V., & Dua, A. (2023). Deep Learning Approach for SDN-Enabled Intrusion Detection System in IoT Networks. Information, 14(7), 384.
[6] Elshewey, A. M., Abbas, S., Osman, A. M., Aldakheel, E. A., & Fouad, Y. (2025). DDOS classification of network traffic in software defined networking SDN using a hybrid convolutional and gated recurrent neural network. Scientific Reports, 15(1), 1–15.
[7] Gao, J. (2022). Network Intrusion Detection Method Combining CNN and BiLSTM in Cloud Computing Environment. Computational Intelligence and Neuroscience, 2022.
[8] Hu, T., Guo, Z., Baker, T., & Lan, J. (2017). Multi-controller Based Software-Defined Networking: A Survey. IEEE Access, 5, 19074–19089.
[9] Lourd, R. J., Dineshkumar, T., & Kaviarasan, S. (2024). A multi-controller SDN framework for advanced attack detection and mitigation in IoT environment. International Journal of Scientific Research in Science and Technology (IJSRST), 11(1), 108–114.
[10] Mahmud, M. Z., Alve, S. R., Islam, S., & Khan, M. M. (2024). SDN Intrusion Detection Using Machine Learning Method. Computer Science & Information Technology (CS & IT), 14(3), 1–12.
[11] Mehmood, S., Amin, R., Mustafa, J., Ahmad, N., Ahmad, R., & Abunadi, I. (2025). Distributed Denial of Services (DDoS) attack detection in SDN using Optimizer-equipped CNN-MLP. PLOS ONE, 20(2), e0315488.
[12] Nurusheva, A., Abdiraman, A., Satybaldina, D., & Goranin, N. (2024). Machine Learning Algorithms in SIEM Systems for Enhanced Detection and Management of Security Events. Bulletin of L.N. Gumilyov Eurasian National University. Technical Sciences and Technologies Series, 149(4), 118–129.
[13] Sapkota, B., Ray, A., Yadav, M. K., Dawadi, B. R., & Joshi, S. R. (2025). Machine Learning-Based Attack Detection and Mitigation with Multi-Controller Placement Optimization over SDN Environment. Journal of Cybersecurity and Privacy, 5(1), 103–120.
[14] Sarker, I. H. (2021). AI-Driven Cybersecurity: An Overview, Security Intelligence Modeling and Research Directions. Preprints.org, 2021110300.
[15] Sebopelo, R., & Isong, B. (2024). An Integrated Framework for Controllers Placement and Security in Software-Defined Networks Ecosystem. Journal of Information Systems and Informatics, 6(1), 180–198.
[16] Sheeraz, M., Durad, M. H., Al-Jarrah, M. A., Hamasalh, F., Saeed, M., & Rashid, B. (2024). Revolutionizing SIEM Security: An Innovative Correlation Engine Design for Multi-Layered Attack Detection. Sensors, 24(1), 164.
[17] Suresh Kumar, L. K. (2021). An Efficient Network Intrusion Detection Model Combining CNN and BILSTM. Journal of Contemporary Issues in Business and Government, 27(2).
[18] Tendikov, N., Rzayeva, L., Mammadli, Z., Zeynalli, H., Hajiyeva, G., Mammadov, N., & Suleymanli, R. (2024). Security Information Event Management data acquisition and analysis methods with machine learning principles. Results in Engineering, 21, 101740.
[19] Younus, Z. S., & Alanezi, M. (2025). Proactive SIEM-based framework for cyberattack monitoring and classification. Baghdad Science Journal, 25(1), 0064–0064.
[20] Zhang, C., Li, J., Wang, N., & Zhang, D. (2025). Research on Intrusion Detection Method Based on Transformer and CNN-BiLSTM in Internet of Things. Sensors, 25(1), 239.