{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T21:17:24Z","timestamp":1776979044633,"version":"3.51.4"},"reference-count":28,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2024,2,5]],"date-time":"2024-02-05T00:00:00Z","timestamp":1707091200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"the European Union\u2019s Horizon Europe research and innovation program","award":["101084323"],"award-info":[{"award-number":["101084323"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Supervisory Control and Data Acquisition (SCADA) systems, which play a critical role in monitoring, managing, and controlling industrial processes, face flexibility, scalability, and management difficulties arising from traditional network structures. Software-defined networking (SDN) offers a new opportunity to overcome the challenges traditional SCADA networks face, based on the concept of separating the control and data plane. Although integrating the SDN architecture into SCADA systems offers many advantages, it cannot address security concerns against cyber-attacks such as a distributed denial of service (DDoS). The fact that SDN has centralized management and programmability features causes attackers to carry out attacks that specifically target the SDN controller and data plane. If DDoS attacks against the SDN-based SCADA network are not detected and precautions are not taken, they can cause chaos and have terrible consequences. By detecting a possible DDoS attack at an early stage, security measures that can reduce the impact of the attack can be taken immediately, and the likelihood of being a direct victim of the attack decreases. This study proposes a multi-stage learning model using a 1-dimensional convolutional neural network (1D-CNN) and decision tree-based classification to detect DDoS attacks in SDN-based SCADA systems effectively. A new dataset containing various attack scenarios on a specific experimental network topology was created to be used in the training and testing phases of this model. According to the experimental results of this study, the proposed model achieved a 97.8% accuracy rate in DDoS-attack detection. The proposed multi-stage learning model shows that high-performance results can be achieved in detecting DDoS attacks against SDN-based SCADA systems.<\/jats:p>","DOI":"10.3390\/s24031040","type":"journal-article","created":{"date-parts":[[2024,2,5]],"date-time":"2024-02-05T09:31:58Z","timestamp":1707125518000},"page":"1040","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":29,"title":["Multi-Stage Learning Framework Using Convolutional Neural Network and Decision Tree-Based Classification for Detection of DDoS Pandemic Attacks in SDN-Based SCADA Systems"],"prefix":"10.3390","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9313-4910","authenticated-orcid":false,"given":"Onur","family":"Polat","sequence":"first","affiliation":[{"name":"Department of Computer Engineering, Bing\u00f6l University, Bing\u00f6l 12000, Turkey"}]},{"given":"Muammer","family":"T\u00fcrko\u011flu","sequence":"additional","affiliation":[{"name":"Department of Software Engineering, Samsun University, Samsun 55000, Turkey"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4128-2625","authenticated-orcid":false,"given":"H\u00fcseyin","family":"Polat","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering, Faculty of Technology, Gazi University, Ankara 06500, Turkey"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3880-3039","authenticated-orcid":false,"given":"Saadin","family":"Oyucu","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering, Adiyaman University, Adiyaman 02040, Turkey"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0998-2130","authenticated-orcid":false,"given":"H\u00fcseyin","family":"\u00dczen","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering, Bing\u00f6l University, Bing\u00f6l 12000, Turkey"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4548-8858","authenticated-orcid":false,"given":"Fahri","family":"Yard\u0131mc\u0131","sequence":"additional","affiliation":[{"name":"Independent Researcher, Ankara 06500, Turkey"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2563-1218","authenticated-orcid":false,"given":"Ahmet","family":"Aks\u00f6z","sequence":"additional","affiliation":[{"name":"MOBILERS, Sivas Cumhuriyet University, Sivas 58580, Turkey"}]}],"member":"1968","published-online":{"date-parts":[[2024,2,5]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"45","DOI":"10.1109\/67.222741","article-title":"SCADA communication techniques and standards","volume":"6","author":"Gaushell","year":"1993","journal-title":"IEEE Comput. Appl. Power"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"S\u00f6\u011f\u00fct, E., and Erdem, O.A. (2023). A Multi-Model Proposal for Classification and Detection of DDoS Attacks on SCADA Systems. Appl. Sci., 13.","DOI":"10.3390\/app13105993"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1109\/JPROC.2014.2371999","article-title":"Software-Defined Networking: A Comprehensive Survey","volume":"103","author":"Kreutz","year":"2015","journal-title":"Proc. IEEE"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Germano Da Silva, E., Dias Knob, L.A., Wickboldt, J.A., Gaspary, L.P., Granville, L.Z., and Schaeffer-Filho, A. (2015, January 11\u201315). Capitalizing on SDN-Based SCADA Systems: An Anti-Eavesdropping Case-Study. Proceedings of the 2015 IFIP\/IEEE International Symposium on Integrated Network Management (IM), Ottawa, ON, Canada.","DOI":"10.1109\/INM.2015.7140289"},{"key":"ref_5","unstructured":"EUROPOL (2020). Catching the Virus Cybercrime, Disinformation and the COVID-19 Pandemic, EUROPOL."},{"key":"ref_6","unstructured":"Imperva Research Lab (2020). DDoS Attacks in the Time of COVID-19 Report, Imperva Research Labs."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"1896","DOI":"10.1007\/s11036-019-01389-2","article-title":"SDNFV Based Threat Monitoring and Security Framework for Multi-Access Edge Computing Infrastructure","volume":"24","author":"Krishnan","year":"2019","journal-title":"Mob. Netw. Appl."},{"key":"ref_8","unstructured":"(2021). ENISA THREAT LANDSCAPE 2021, ENISA."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"135812","DOI":"10.1109\/ACCESS.2019.2926441","article-title":"A Survey of Security in SCADA Networks: Current Issues and Future Challenges","volume":"7","author":"Ghosh","year":"2019","journal-title":"IEEE Access"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Saghezchi, F.B., Mantas, G., Violas, M.A., de Oliveira Duarte, A.M., and Rodriguez, J. (2022). Machine Learning for DDoS Attack Detection in Industry 4.0 CPPSs. Electronics, 11.","DOI":"10.3390\/electronics11040602"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Ozkan-Okay, M., Samet, R., Aslan, \u00d6., Kosunalp, S., Iliev, T., and Stoyanov, I. (2023). A Novel Feature Selection Approach to Classify Intrusion Attacks in Network Communications. Appl. Sci., 13.","DOI":"10.3390\/app131911067"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"117671","DOI":"10.1016\/j.eswa.2022.117671","article-title":"A Lightweight Approach for Network Intrusion Detection in Industrial Cyber-Physical Systems Based on Knowledge Distillation and Deep Metric Learning","volume":"206","author":"Wang","year":"2022","journal-title":"Expert Syst. Appl."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"175","DOI":"10.1016\/j.neunet.2022.12.011","article-title":"Proposed Algorithm for Smart Grid DDoS Detection Based on Deep Learning","volume":"159","author":"Diaba","year":"2023","journal-title":"Neural Netw."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"100542","DOI":"10.1016\/j.ijcip.2022.100542","article-title":"Cyber-Attacks Detection in Industrial Systems Using Artificial Intelligence-Driven Methods","volume":"38","author":"Wang","year":"2022","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Ferrag, M.A., Shu, L., Djallel, H., and Choo, K.K.R. (2021). Deep Learning-Based Intrusion Detection for Distributed Denial of Service Attack in Agriculture 4.0. Electronics, 10.","DOI":"10.3390\/electronics10111257"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"561","DOI":"10.1007\/s10586-021-03426-w","article-title":"A Stacked Deep Learning Approach to Cyber-Attacks Detection in Industrial Systems: Application to Power System and Gas Pipeline Systems","volume":"25","author":"Wang","year":"2022","journal-title":"Clust. Comput."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"103007","DOI":"10.1016\/j.cose.2022.103007","article-title":"Detection and Mitigation of Field Flooding Attacks on Oil and Gas Critical Infrastructure Communication","volume":"124","author":"Mohammed","year":"2023","journal-title":"Comput. Secur."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Ortega-Fernandez, I., Sestelo, M., Burguillo, J.C., and Pi\u00f1\u00f3n-Blanco, C. (2023). Network Intrusion Detection System for DDoS Attacks in ICS Using Deep Autoencoders. Wirel. Netw., 3.","DOI":"10.1007\/s11276-022-03214-3"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Altaha, M., and Hong, S. (2022). Anomaly Detection for SCADA System Security Based on Unsupervised Learning and Function Codes Analysis in the DNP3 Protocol. Electronics, 11.","DOI":"10.3390\/electronics11142184"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1030","DOI":"10.1109\/TII.2022.3190352","article-title":"Trustworthy and Reliable Deep-Learning-Based Cyberattack Detection in Industrial IoT","volume":"19","author":"Khan","year":"2023","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"2637","DOI":"10.1109\/COMST.2019.2908266","article-title":"Software Defined Networks-Based Smart Grid Communication: A Comprehensive Survey","volume":"21","author":"Rehmani","year":"2019","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"100433","DOI":"10.1016\/j.ijcip.2021.100433","article-title":"Architecture and Security of SCADA Systems: A Review","volume":"34","author":"Yadav","year":"2021","journal-title":"Int. J. Crit. Infrastruct. Prot."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"1942","DOI":"10.1109\/COMST.2020.2987688","article-title":"A Survey on SCADA Systems: Secure Protocols, Incidents, Threats and Tactics","volume":"22","author":"Pliatsios","year":"2020","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Lins, T., and Oliveira, R.A.R. (2017, January 24\u201326). Energy Efficiency in Industry 4.0 Using SDN. Proceedings of the 2017 IEEE 15th International Conference on Industrial Informatics (INDIN), Emden, Germany.","DOI":"10.1109\/INDIN.2017.8104841"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"116748","DOI":"10.1016\/j.eswa.2022.116748","article-title":"A Novel Approach for Accurate Detection of the DDoS Attacks in SDN-Based SCADA Systems Based on Deep Recurrent Neural Networks","volume":"197","author":"Polat","year":"2022","journal-title":"Expert Syst. Appl."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"84","DOI":"10.1016\/j.inffus.2021.11.011","article-title":"Tabular Data: Deep Learning Is Not All You Need","volume":"81","author":"Armon","year":"2022","journal-title":"Inf. Fusion"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Alzubaidi, L., Zhang, J., Humaidi, A.J., Al-Dujaili, A., Duan, Y., Al-Shamma, O., Santamar\u00eda, J., Fadhel, M.A., Al-Amidie, M., and Farhan, L. (2021). Review of Deep Learning: Concepts, CNN Architectures, Challenges, Applications, Future Directions, Springer International Publishing.","DOI":"10.1186\/s40537-021-00444-8"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"82","DOI":"10.1109\/MIC.2006.5","article-title":"Denial-of-Service Attack-Detection Techniques","volume":"10","author":"Carl","year":"2006","journal-title":"IEEE Internet Comput."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/24\/3\/1040\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T13:55:21Z","timestamp":1760104521000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/24\/3\/1040"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,2,5]]},"references-count":28,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2024,2]]}},"alternative-id":["s24031040"],"URL":"https:\/\/doi.org\/10.3390\/s24031040","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,2,5]]}}}