{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T07:10:21Z","timestamp":1773213021345,"version":"3.50.1"},"reference-count":25,"publisher":"MDPI AG","issue":"6","license":[{"start":{"date-parts":[[2022,5,27]],"date-time":"2022-05-27T00:00:00Z","timestamp":1653609600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>The design of existing machine-learning-based DoS detection systems in software-defined networking (SDN) suffers from two major problems. First, the proper time window for conducting network traffic analysis is unknown and has proven challenging to determine. Second, it is unable to detect unknown types of DoS saturation attacks. An unknown saturation attack is an attack that is not represented in the training data. In this paper, we evaluate three supervised classifiers for detecting a family of DDoS flooding attacks (UDP, TCP-SYN, IP-Spoofing, TCP-SARFU, and ICMP) and their combinations using different time windows. This work represents an extension of the runner-up best-paper award entitled \u2018Detecting Saturation Attacks in SDN via Machine Learning\u2019 published in the 2019 4th International Conference on Computing, Communications and Security (ICCCS). The results in this paper show that the trained supervised models fail in detecting unknown saturation attacks, and their overall detection performance decreases when the time window of the network traffic increases. Moreover, we investigate the performance of four semi-supervised classifiers in detecting unknown flooding attacks. The results indicate that semi-supervised classifiers outperform the supervised classifiers in the detection of unknown flooding attacks. Furthermore, to further increase the possibility of detecting the known and unknown flooding attacks, we propose an enhanced hybrid approach that combines two supervised and semi-supervised classifiers. The results demonstrate that the hybrid approach has outperformed individually supervised or semi-supervised classifiers in detecting the known and unknown flooding DoS attacks in SDN.<\/jats:p>","DOI":"10.3390\/fi14060164","type":"journal-article","created":{"date-parts":[[2022,5,27]],"date-time":"2022-05-27T07:05:07Z","timestamp":1653635107000},"page":"164","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["The Robustness of Detecting Known and Unknown DDoS Saturation Attacks in SDN via the Integration of Supervised and Semi-Supervised Classifiers"],"prefix":"10.3390","volume":"14","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9339-1685","authenticated-orcid":false,"given":"Samer","family":"Khamaiseh","sequence":"first","affiliation":[{"name":"Department of Computer Science and Software Engineering, Miami University, Oxford, OH 45056, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2640-7007","authenticated-orcid":false,"given":"Abdullah","family":"Al-Alaj","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Virginia Wesleyan University, Virginia Beach, VA 23455, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mohammad","family":"Adnan","sequence":"additional","affiliation":[{"name":"Department of Computer Information Systems, Yarmouk University, Irbid 21163, Jordan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8554-3236","authenticated-orcid":false,"given":"Hakam W.","family":"Alomari","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Software Engineering, Miami University, Oxford, OH 45056, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2022,5,27]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Kreutz, D., Ramos, F., and Verissimo, P. (2013, January 16). Towards secure and dependable software-defined networks. Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, Hong Kong, China.","DOI":"10.1145\/2491185.2491199"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"607","DOI":"10.1109\/TNSM.2019.2959268","article-title":"Detecting Saturation Attacks Based on Self-Similarity of OpenFlow Traffic","volume":"17","author":"Li","year":"2020","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"487","DOI":"10.1109\/TNSM.2017.2701549","article-title":"Slicots: An sdn-based lightweight countermeasure for tcp syn flooding attacks","volume":"14","author":"Mohammadi","year":"2017","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Shin, S., Yegneswaran, V., Porras, P., and Gu, G. (2013, January 4\u20138). Avant-guard: Scalable and vigilant switch flow management in software-defined networks. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany.","DOI":"10.1145\/2508859.2516684"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"1206","DOI":"10.1109\/TNET.2016.2626287","article-title":"Lineswitch: Tackling control plane saturation attacks in software-defined networking","volume":"25","author":"Ambrosin","year":"2016","journal-title":"IEEE\/ACM Trans. Netw."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Wang, H., Xu, L., and Gu, G. (2015, January 22\u201325). Floodguard: A dos attack prevention extension in software-defined networks. Proceedings of the 2015 45th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks, Rio de Janeiro, Brazil.","DOI":"10.1109\/DSN.2015.27"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Shang, G., Zhe, P., Bin, X., Aiqun, H., and Kui, R. (2017, January 1\u20134). FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks. Proceedings of the IEEE INFOCOM 2017-IEEE Conference on Computer Communications, Atlanta, GA, USA.","DOI":"10.1109\/INFOCOM.2017.8057009"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Hu, D., Hong, P., and Chen, Y. (2017, January 4\u20138). Fadm: Ddos flooding attack detection and mitigation system in software-defined networking. Proceedings of the GLOBECOM 2017\u20132017 IEEE Global Communications Conference, Singapore.","DOI":"10.1109\/GLOCOM.2017.8254023"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Khamaiseh, S., Serra, E., Li, Z., and Xu, D. (2019, January 10\u201312). Detecting Saturation Attacks in SDN via Machine Learning. Proceedings of the 2019 4th International Conference on Computing, Communications and Security (ICCCS), Rome, Italy.","DOI":"10.1109\/CCCS.2019.8888049"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Khamaiseh, S., Serra, E., and Xu, D. (2020, January 13\u201317). vSwitchGuard: Defending OpenFlow Switches Against Saturation Attacks. Proceedings of the 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), Madrid, Spain.","DOI":"10.1109\/COMPSAC48688.2020.0-157"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Khamaiseh, S.Y., Al-Alaj, A., and Warner, A. (2020, January 27\u201329). FloodDetector: Detecting Unknown DoS Flooding Attacks in SDN. Proceedings of the 2020 International Conference on Internet of Things and Intelligent Applications (ITIA), Zhenjiang, China.","DOI":"10.1109\/ITIA50152.2020.9312310"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Ashraf, J., and Latif, S. (2014, January 11\u201312). Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques. Proceedings of the 2014 National Software Engineering Conference, Rawalpindi, Pakistan.","DOI":"10.1109\/NSEC.2014.6998241"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Niyaz, Q., Sun, W., and Javaid, A.Y. (2016). A deep learning based DDoS detection system in software-defined networking (SDN). arXiv.","DOI":"10.4108\/eai.28-12-2017.153515"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Aizuddin, A.A., Atan, M., Norulazmi, M., Noor, M.M., Akimi, S., and Abidin, Z. (2017, January 5\u20137). DNS amplification attack detection and mitigation via sFlow with security-centric SDN. Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication, Beppu, Japan.","DOI":"10.1145\/3022227.3022230"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Abubakar, A., and Pranggono, B. (2017, January 6\u20138). Machine learning based intrusion detection system for software defined networks. Proceedings of the 2017 Seventh International Conference on Emerging Security Technologies (EST), Canterbury, UK.","DOI":"10.1109\/EST.2017.8090413"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"102604","DOI":"10.1016\/j.cose.2022.102604","article-title":"A Hybrid Method of Entropy and SSAE-SVM Based DDoS Detection and Mitigation Mechanism in SDN","volume":"115","author":"Long","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Aslam, M., Ye, D., Tariq, A., Asad, M., Hanif, M., Ndzi, D., Chelloug, S.A., Elaziz, M.A., Al-Qaness, M.A., and Jilani, S.F. (2022). Adaptive Machine Learning Based Distributed Denial-of-Services Attacks Detection and Mitigation System for SDN-Enabled IoT. Sensors, 22.","DOI":"10.3390\/s22072697"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Tang, T.A., Mhamdi, L., McLernon, D., Zaidi, S.A.R., and Ghogho, M. (2016, January 26\u201329). Deep learning approach for network intrusion detection in software defined networking. Proceedings of the 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM), Fez, Morocco.","DOI":"10.1109\/WINCOM.2016.7777224"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Braga, R., de Souza Mota, E., and Passito, A. (2010, January 10\u201314). Lightweight DDoS flooding attack detection using NOX\/OpenFlow. Proceedings of the IEEE Local Computer Network Conference, Denver, CO, USA.","DOI":"10.1109\/LCN.2010.5735752"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"9804061","DOI":"10.1155\/2018\/9804061","article-title":"A DDoS attack detection method based on SVM in software defined network","volume":"2018","author":"Ye","year":"2018","journal-title":"Secur. Commun. Netw."},{"key":"ref_21","first-page":"166","article-title":"Leveraging SDN for detection and mitigation SMTP flood attack through deep learning analysis techniques","volume":"17","author":"Aziz","year":"2017","journal-title":"Int. J. Comput. Sci. Netw. Secur."},{"key":"ref_22","unstructured":"Da Silva, A.S., Wickboldt, J.A., Granville, L.Z., and Schaeffer-Filho, A. (2016, January 25\u201329). ATLANTIC: A framework for anomaly traffic detection, classification, and mitigation in SDN. Proceedings of the NOMS 2016\u20132016 IEEE\/IFIP Network Operations and Management Symposium, Istanbul, Turkey."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Liu, J., Lai, Y., and Zhang, S. (2017, January 17\u201319). FL-GUARD: A detection and defense system for DDoS attack in SDN. Proceedings of the 2017 International Conference on Cryptography, Security and Privacy, Wuhan, China.","DOI":"10.1145\/3058060.3058074"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"106503","DOI":"10.1016\/j.compeleceng.2019.106503","article-title":"A DDoS attacks traceback scheme for SDN-based smart city","volume":"81","author":"Chen","year":"2020","journal-title":"Comput. Electr. Eng."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Wang, R., Jia, Z., and Ju, L. (2015, January 20\u201322). An entropy-based distributed DDoS detection mechanism in software-defined networking. Proceedings of the 2015 IEEE Trustcom\/BigDataSE\/ISPA, Helsinki, Finland.","DOI":"10.1109\/Trustcom.2015.389"}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/14\/6\/164\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T23:19:49Z","timestamp":1760138389000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/14\/6\/164"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5,27]]},"references-count":25,"journal-issue":{"issue":"6","published-online":{"date-parts":[[2022,6]]}},"alternative-id":["fi14060164"],"URL":"https:\/\/doi.org\/10.3390\/fi14060164","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,5,27]]}}}