The increasing adoption of Software-Defined Networking (SDN) introduces flexible and programmable architectures but also creates new security challenges, including vulnerability to Distributed Denial-of-Service (DDoS), botnet, and probing attacks. Traditional intrusion detection systems often fall short in adapting to dynamic SDN environments due to high false alarm rates and limited generalization. This paper proposes a hybrid deep learning model—CNN-BiLSTM—designed to detect network intrusions in SDN infrastructures. The proposed approach leverages the spatial feature extraction capabilities of Convolutional Neural Networks (CNN) and the sequential learning power of Bidirectional Long Short-Term Memory (BiLSTM) networks. A hybrid feature selection technique combining Random Forest and Recursive Feature Elimination (RFE) is employed to enhance learning efficiency. Experiments conducted on benchmark datasets including NSL-KDD, UNSW-NB15, and InSDN demonstrate that the CNN-BiLSTM model achieves superior performance in both binary and multiclass classification tasks, outperforming baseline models in accuracy, F1-score, and detection rate. These results confirm the model’s effectiveness in enhancing SDN security against evolving cyber threats.
Introduction
The evolution of Software-Defined Networking (SDN) introduces both significant advantages (such as scalability and dynamic adaptability) and challenges, particularly in terms of security. Due to its centralized control, SDN is vulnerable to attacks if the controller is compromised. Intrusion Detection Systems (IDS) play a crucial role in identifying and mitigating unauthorized access or malicious behavior in SDN environments. Traditional IDS approaches, based on rule sets or signature matching, often fail to detect evolving threats like zero-day attacks, polymorphic malware, and advanced persistent threats.
Deep learning-based IDS solutions, particularly models like Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks, have shown potential in addressing these challenges by learning complex patterns from network traffic data. However, single-architecture models often struggle with generalization across diverse attacks or suffer from high false positives. To overcome these limitations, this paper proposes a hybrid CNN-BiLSTM model, combining the strengths of CNNs for spatial feature extraction and BiLSTM networks for capturing temporal dependencies.
Key contributions of this work include:
CNN-BiLSTM Model: A robust architecture designed for real-time intrusion detection in SDN environments.
Hybrid Feature Selection: Combines Random Forest and Recursive Feature Elimination (RFE) to enhance classification performance by reducing redundancy and improving efficiency.
Evaluation: Comprehensive tests using multiple datasets (NSL-KDD, UNSW-NB15, InSDN) demonstrate superior performance, reducing false alarms and improving accuracy.
Additionally, the paper highlights the growing importance of hybrid deep learning models for intrusion detection and the need for SDN-specific solutions. It also discusses the challenges of feature selection, class imbalance, and computational efficiency in current research.
In terms of methodology, the paper outlines data preprocessing techniques, feature selection strategies, model architecture, and hyperparameter optimization. The CNN-BiLSTM model is trained on popular datasets like InSDN, NSL-KDD, and UNSW-NB15, using advanced techniques like Z-score normalization, hybrid feature selection, and 5-fold cross-validation. Evaluation metrics include accuracy, precision, recall, and false alarm rate.
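The preprocessing and selection steps named above can be sketched with scikit-learn. This is an added example, not the paper's code: the data is constructed, the way Random Forest and RFE are staged (importance pre-filter, then RFE) is an assumption, and a Random Forest stands in for the CNN-BiLSTM classifier so the block runs without TensorFlow.

```python
# Added example: constructed data; the RF -> RFE staging below is an assumption.
import numpy as np
from sklearn.datasets import make_classification
from sklearn.ensemble import RandomForestClassifier
from sklearn.feature_selection import RFE, SelectFromModel
from sklearn.model_selection import StratifiedKFold, cross_val_score
from sklearn.pipeline import Pipeline
from sklearn.preprocessing import StandardScaler


def make_flows(seed=0):
    # Constructed stand-in for flow features (not NSL-KDD/UNSW-NB15/InSDN):
    # 24 columns, 6 informative, 6 redundant, 20% "attack" class.
    return make_classification(n_samples=600, n_features=24, n_informative=6,
                               n_redundant=6, weights=[0.8, 0.2],
                               shuffle=False, random_state=seed)


def forest(seed):
    return RandomForestClassifier(n_estimators=30, random_state=seed)


def build_selector(prefilter=12, keep=6, seed=0):
    return Pipeline([
        ("zscore", StandardScaler()),  # Z-score normalization
        # Stage 1: keep the top `prefilter` columns by RF importance.
        ("rf_rank", SelectFromModel(forest(seed), max_features=prefilter,
                                    threshold=-np.inf)),
        # Stage 2: RFE drops one column per round until `keep` remain.
        ("rfe", RFE(forest(seed), n_features_to_select=keep, step=1)),
    ])


def selected_columns(fitted):
    # Map the RFE mask back to column indices of the original matrix.
    stage1 = np.flatnonzero(fitted.named_steps["rf_rank"].get_support())
    return stage1[fitted.named_steps["rfe"].get_support()]


def cross_validate(X, y, seed=0):
    # Scaler and selectors are refit inside every fold, so held-out rows
    # never influence the statistics or the chosen columns.
    pipe = Pipeline(build_selector(seed=seed).steps + [("clf", forest(seed))])
    cv = StratifiedKFold(n_splits=5, shuffle=True, random_state=seed)
    return cross_val_score(pipe, X, y, cv=cv, scoring="f1_macro")
```

Running normalization or feature selection on the full dataset before splitting leaks test-fold information into training and inflates reported scores; keeping every step inside the cross-validated pipeline avoids that.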
The proposed system is implemented using Python, TensorFlow/Keras, and scikit-learn, with hardware requirements for training on mid-range systems or GPUs. The paper concludes that the hybrid deep learning approach can significantly enhance SDN security, providing a scalable and effective solution for real-time intrusion detection.
Conclusion
This study presents a hybrid deep learning-based intrusion detection system that integrates Convolutional Neural Networks (CNN) with Bidirectional Long Short-Term Memory (BiLSTM) to enhance the detection of cyber threats in Software-Defined Networking (SDN) environments. The proposed CNN-BiLSTM architecture leverages CNN’s capability for spatial feature extraction and BiLSTM’s strength in modeling bidirectional temporal dependencies, enabling comprehensive detection of both known and evolving intrusion patterns.
To address feature redundancy and class imbalance—common challenges in intrusion detection—a hybrid feature selection mechanism combining Random Forest and Recursive Feature Elimination (RFE) was employed. Additionally, normalization and data augmentation techniques were incorporated to ensure robust model generalization.
Experimental evaluations on NSL-KDD, UNSW-NB15, and InSDN datasets demonstrate that the CNN-BiLSTM model significantly outperforms existing architectures such as LSTM, CNN-LSTM, and other baseline models. The model achieved a binary classification accuracy of 99.97% with a macro-averaged F1-score of 97.36% for multiclass scenarios, while maintaining a low false alarm rate. The system also exhibited stable convergence and resilience to overfitting under cross-validation.
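The metrics reported above (accuracy, macro-averaged F1, false alarm rate) measure different things, which matters on imbalanced intrusion data. The following added example, not taken from the paper, computes them from constructed labels; the class names and counts are illustrative assumptions.

```python
# Added example: labels below are constructed, not results from the paper.
from collections import Counter


def per_class_metrics(y_true, y_pred):
    pairs = Counter(zip(y_true, y_pred))
    out = {}
    for c in sorted(set(y_true) | set(y_pred)):
        tp = pairs[(c, c)]
        fp = sum(n for (t, p), n in pairs.items() if p == c and t != c)
        fn = sum(n for (t, p), n in pairs.items() if t == c and p != c)
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
        out[c] = {"precision": prec, "recall": rec, "f1": f1}
    return out


def summary(y_true, y_pred, benign="normal"):
    per_class = per_class_metrics(y_true, y_pred)
    accuracy = sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)
    # Macro average: every class counts equally, however rare it is.
    macro_f1 = sum(m["f1"] for m in per_class.values()) / len(per_class)
    # False alarm rate: share of benign flows flagged as any attack class.
    benign_total = sum(t == benign for t in y_true)
    alarms = sum(t == benign and p != benign for t, p in zip(y_true, y_pred))
    far = alarms / benign_total if benign_total else 0.0
    return {"accuracy": accuracy, "macro_f1": macro_f1,
            "false_alarm_rate": far, "per_class": per_class}


def constructed_sample():
    # 1000 benign flows, 50 DDoS flows, 10 probe flows (heavily imbalanced).
    y_true = ["normal"] * 1000 + ["ddos"] * 50 + ["probe"] * 10
    y_pred = (["normal"] * 995 + ["ddos"] * 5      # 5 false alarms
              + ["ddos"] * 48 + ["normal"] * 2     # 2 missed DDoS flows
              + ["probe"] * 2 + ["normal"] * 8)    # 8 missed probes
    return y_true, y_pred


if __name__ == "__main__":
    s = summary(*constructed_sample())
    print({k: round(v, 4) for k, v in s.items() if k != "per_class"})
```

On this constructed sample accuracy stays above 98% and the false alarm rate is 0.5%, while macro-F1 drops to about 0.75 because only 2 of 10 probe flows are detected.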
The findings confirm that hybrid deep learning approaches, when combined with proper feature selection and preprocessing strategies, can serve as effective tools in modern SDN security frameworks. The proposed architecture provides a scalable, accurate, and real-time solution for protecting programmable networks from a wide range of threats.