{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T18:31:53Z","timestamp":1770748313051,"version":"3.49.0"},"reference-count":47,"publisher":"PeerJ","license":[{"start":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T00:00:00Z","timestamp":1770681600000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"abstract":"<jats:p>This study presents the development of a realistic and comprehensive SDN-ATK dataset designed to evaluate the effectiveness of machine learning (ML) and deep learning (DL) approaches for attack detection in Software-Defined Networking (SDN) environments. Unlike existing datasets, SDN-ATK explicitly includes attacks targeting key SDN components such as SDN controllers and OpenFlow switches, addressing a critical gap in current research. We evaluated three ML (XGBoost, Random Forest, and Decision Tree) and three DL (Convolutional Neural Network (CNN), Feed-forward Neural Network (FNN), and Long Short-Term Memory (LSTM)) algorithms across binary and multiclass classification tasks to assess detection performance. Our results demonstrate that DL models, particularly FNN and CNN outperform ML counterparts, achieving 98\u201399% accuracy, precision, and recall in binary classification. Explainability analyses were conducted using SHAP (SHapley Additive explanations) on the XGBoost model, offering valuable insights into the importance of feature and improving transparency in ML-based attack detection. The study\u2019s findings provide critical guidance for both academia and industry, highlighting that within our Ryu-based SDN testbed, DL models demonstrated more reliable and balanced performance for large-scale attack detection. This work lays a solid foundation for future research, including developing real-time, intelligent, and explainable intrusion detection systems for SDN environments.<\/jats:p>","DOI":"10.7717\/peerj-cs.3556","type":"journal-article","created":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T08:19:16Z","timestamp":1770711556000},"page":"e3556","source":"Crossref","is-referenced-by-count":0,"title":["SDN-ATK: a novel SDN-specific attack dataset"],"prefix":"10.7717","volume":"12","author":[{"given":"S. Melih","family":"Do\u011fan","sequence":"first","affiliation":[{"name":"Information Security Engineering Department, Graduate School of Natural and Applied Sciences, Gazi University Ankara, Ankara, Turkey"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9449-8465","authenticated-orcid":true,"given":"Kaya Emre","family":"Arikan","sequence":"additional","affiliation":[{"name":"Information Security Engineering Department, Graduate School of Natural and Applied Sciences, Gazi University Ankara, Ankara, Turkey"}]},{"given":"Mustafa","family":"Alkan","sequence":"additional","affiliation":[{"name":"Electrical and Electronics Engineering Department, Faculty of Technology, Gazi University Ankara, Ankara, Turkey"}]}],"member":"4443","published-online":{"date-parts":[[2026,2,10]]},"reference":[{"key":"10.7717\/peerj-cs.3556\/ref-1","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3465481.3469190","article-title":"A Hybrid CNN-LSTM based approach for anomaly detection systems in SDNs","author":"Abdallah","year":"2021"},{"issue":"1","key":"10.7717\/peerj-cs.3556\/ref-2","doi-asserted-by":"publisher","first-page":"9","DOI":"10.1007\/s10922-020-09575-4","article-title":"Scalability, consistency, reliability and security in SDN controllers: a survey of diverse SDN controllers","volume":"29","author":"Ahmad","year":"2020","journal-title":"Journal of Network and Systems Management"},{"key":"10.7717\/peerj-cs.3556\/ref-3","doi-asserted-by":"publisher","DOI":"10.17632\/jxpfjc64kr.1","article-title":"DDOS attack SDN dataset. 1","author":"Ahuja","year":"2020"},{"key":"10.7717\/peerj-cs.3556\/ref-4","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/NOMS47738.2020.9110426","article-title":"ATMoS: autonomous threat mitigation in SDN using reinforcement learning","author":"Akbari","year":"2020"},{"key":"10.7717\/peerj-cs.3556\/ref-5","doi-asserted-by":"publisher","first-page":"188","DOI":"10.1109\/TPS-ISA56441.2022.00032","article-title":"Enhanced scanning in SDN networks and its detection using machine learning","author":"Alqahtani","year":"2022"},{"key":"10.7717\/peerj-cs.3556\/ref-6","article-title":"Cyber attacks detection and mitigation in SDN environments","author":"Alshamrani","year":"2018"},{"issue":"2","key":"10.7717\/peerj-cs.3556\/ref-7","doi-asserted-by":"publisher","first-page":"e0297548","DOI":"10.1371\/journal.pone.0297548","article-title":"HLD-DDoSDN: high and low-rates dataset-based DDoS attacks against SDN","volume":"19","author":"Bahashwan","year":"2024","journal-title":"PLOS ONE"},{"issue":"5","key":"10.7717\/peerj-cs.3556\/ref-8","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1007\/s10207-025-01114-z","article-title":"Detection and mitigation of cyber-attacks in software defined networks using machine learning\/deep learning: a systematic literature review, research challenges and future directions","volume":"24","author":"Do\u011fan","year":"2025","journal-title":"International Journal of Information Security"},{"issue":"1","key":"10.7717\/peerj-cs.3556\/ref-9","doi-asserted-by":"publisher","first-page":"102367","DOI":"10.1016\/j.cose.2021.102367","article-title":"DIGFuPAS: deceive IDS with GAN and function-preserving on adversarial samples in SDN-enabled networks","volume":"109","author":"Duy","year":"2021","journal-title":"Computers & Security"},{"key":"10.7717\/peerj-cs.3556\/ref-10","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/GLOBECOM46510.2021.9685643","article-title":"A novel machine learning framework for advanced attack detection using SDN","author":"El Houda","year":"2021"},{"key":"10.7717\/peerj-cs.3556\/ref-11","doi-asserted-by":"publisher","first-page":"165263\u2013165284","DOI":"10.1109\/ACCESS.2020.3022633","article-title":"InSDN: a novel SDN intrusion dataset","volume":"8","author":"Elsayed","year":"2020","journal-title":"IEEE Access"},{"key":"10.7717\/peerj-cs.3556\/ref-12","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1145\/2491185.2491189","article-title":"The beacon openflow controller","author":"Erickson","year":"2013"},{"key":"10.7717\/peerj-cs.3556\/ref-13","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/CSITSS54238.2021.9683282","article-title":"DadGAN: DDOS anomaly detection using generative adversarial network","author":"Girish","year":"2021"},{"key":"10.7717\/peerj-cs.3556\/ref-14","doi-asserted-by":"publisher","first-page":"37052","DOI":"10.1109\/ACCESS.2023.3266826","article-title":"MCAD: a machine learning based cyberattacks detector in software-defined networking (SDN) for healthcare systems","volume":"11","author":"Halman","year":"2023","journal-title":"IEEE Access"},{"key":"10.7717\/peerj-cs.3556\/ref-15","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/SDS54264.2021.9732104","article-title":"Network security challenges and countermeasures in SDN environments","author":"Hegazy","year":"2021"},{"key":"10.7717\/peerj-cs.3556\/ref-16","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2015.23283","article-title":"Poisoning network visibility in software-defined networks: new attacks and countermeasures","author":"Hong","year":"2015"},{"key":"10.7717\/peerj-cs.3556\/ref-17","article-title":"Alexa top 1000 most visited websites","author":"HTMLStrip","year":"2025"},{"issue":"17","key":"10.7717\/peerj-cs.3556\/ref-18","doi-asserted-by":"publisher","first-page":"9488","DOI":"10.3390\/app13179488","article-title":"Comparative study of AI-Enabled DDoS detection technologies in SDN","volume":"13","author":"Ko","year":"2023","journal-title":"Applied Sciences"},{"key":"10.7717\/peerj-cs.3556\/ref-19","first-page":"30","article-title":"Towards developing network forensic mechanism for botnet activities in the IoT based on machine learning techniques","volume-title":"Mobile Networks and Management. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering","author":"Koroniotis","year":"2018"},{"key":"10.7717\/peerj-cs.3556\/ref-20","doi-asserted-by":"publisher","first-page":"12035","DOI":"10.1088\/1757-899X\/927\/1\/012035","article-title":"Using GRU based deep neural network for intrusion detection in software-defined networks","author":"Kurochkin","year":"2020"},{"key":"10.7717\/peerj-cs.3556\/ref-21","doi-asserted-by":"publisher","first-page":"464","DOI":"10.1109\/NICS54270.2021.9701522","article-title":"On the improvement of machine learning based intrusion detection system for SDN networks","author":"Le","year":"2021"},{"key":"10.7717\/peerj-cs.3556\/ref-22","article-title":"Penetration testing software, pen testing security","author":"Metasploit","year":"2025"},{"key":"10.7717\/peerj-cs.3556\/ref-23","article-title":"An instant virtual network on your laptop (or Other PC)","author":"Mininet","year":"2022"},{"key":"10.7717\/peerj-cs.3556\/ref-24","article-title":"Mythic documentation","author":"Mythic","year":"2024"},{"key":"10.7717\/peerj-cs.3556\/ref-25","article-title":"CSI: managing risk from software defined networking controllers","author":"National Security Agency\/Central Security Service","year":"2023"},{"issue":"5","key":"10.7717\/peerj-cs.3556\/ref-26","doi-asserted-by":"publisher","first-page":"100289","DOI":"10.1016\/j.iot.2020.100289","article-title":"A survey on the architecture, application, and security of software defined networking: challenges and open issues","volume":"12","author":"Nisar","year":"2020","journal-title":"Internet of Things"},{"key":"10.7717\/peerj-cs.3556\/ref-27","article-title":"Open network operating system (ONOS) SDN controller for SDN\/NFV solutions","author":"ONF","year":"2025"},{"key":"10.7717\/peerj-cs.3556\/ref-28","article-title":"Production quality, multilayer open virtual switch","author":"Open vSwitch","year":"2025"},{"key":"10.7717\/peerj-cs.3556\/ref-29","article-title":"Automating networks of any size & scale","author":"OpenDaylight","year":"2025"},{"issue":"11","key":"10.7717\/peerj-cs.3556\/ref-30","doi-asserted-by":"publisher","first-page":"45820","DOI":"10.1109\/ACCESS.2022.3168972","article-title":"SDN security review: threat taxonomy, implications, and open challenges","volume":"10","author":"Rahouti","year":"2022","journal-title":"IEEE Access"},{"key":"10.7717\/peerj-cs.3556\/ref-31","doi-asserted-by":"publisher","first-page":"692","DOI":"10.1109\/ESCI50559.2021.9396962","article-title":"Analyzing the application of SMOTE on machine learning classifiers","author":"Rattan","year":"2021"},{"key":"10.7717\/peerj-cs.3556\/ref-32","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3453648","article-title":"Application threats to exploit northbound interface vulnerabilities in software defined networks","volume":"54","author":"Rauf","year":"2021","journal-title":"ACM Computing Surveys"},{"key":"10.7717\/peerj-cs.3556\/ref-33","article-title":"Setup TLS connection\u2014Ryu 4.34 documentation","author":"Ryu","year":"2025"},{"key":"10.7717\/peerj-cs.3556\/ref-34","article-title":"Build SDN agilely","author":"Ryu SDN Framework","year":"2025"},{"key":"10.7717\/peerj-cs.3556\/ref-35","doi-asserted-by":"publisher","first-page":"602","DOI":"10.1109\/IWCMC58020.2023.10183024","article-title":"Machine learning algorithms for enhancing intrusion detection within SDN\/NFV","author":"Sahbi","year":"2023"},{"issue":"2","key":"10.7717\/peerj-cs.3556\/ref-36","doi-asserted-by":"publisher","first-page":"509","DOI":"10.1016\/j.comcom.2020.02.085","article-title":"New-flow based DDoS attacks in SDN: taxonomy, rationales, and research challenges","volume":"154","author":"Singh","year":"2020","journal-title":"Computer Communications"},{"issue":"2","key":"10.7717\/peerj-cs.3556\/ref-37","doi-asserted-by":"publisher","first-page":"493","DOI":"10.1007\/s12083-017-0630-0","article-title":"Survey on SDN based network intrusion detection system using machine learning approaches","volume":"12","author":"Sultana","year":"2019","journal-title":"Peer-to-Peer Networking and Applications"},{"issue":"5","key":"10.7717\/peerj-cs.3556\/ref-38","doi-asserted-by":"publisher","first-page":"1758","DOI":"10.1109\/TC.2025.3541143","article-title":"A low-rate DoS attack mitigation scheme based on port and traffic state in SDN","volume":"74","author":"Tang","year":"2025","journal-title":"IEEE Transactions on Computers"},{"key":"10.7717\/peerj-cs.3556\/ref-39","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/ISCIT55906.2022.9931222","article-title":"Federated learning-based cyber threat hunting for APT attack detection in SDN-enabled networks","author":"Thi","year":"2022"},{"issue":"2","key":"10.7717\/peerj-cs.3556\/ref-40","doi-asserted-by":"publisher","first-page":"e21","DOI":"10.1002\/spy2.21","article-title":"A comprehensive 3-dimensional security analysis of a controller in software-defined networking","volume":"1","author":"Tseng","year":"2018","journal-title":"Security and Privacy"},{"key":"10.7717\/peerj-cs.3556\/ref-41","doi-asserted-by":"publisher","first-page":"424","DOI":"10.1109\/JRFID.2023.3279329","article-title":"SDN-based federated learning approach for satellite-IoT framework to enhance data security and privacy in space communication","volume":"7","author":"Uddin","year":"2023","journal-title":"IEEE Journal of Radio Frequency Identification"},{"key":"10.7717\/peerj-cs.3556\/ref-42","article-title":"Applications | Research | Canadian institute for cybersecurity","author":"UNB","year":"2025"},{"issue":"2","key":"10.7717\/peerj-cs.3556\/ref-43","doi-asserted-by":"publisher","first-page":"145","DOI":"10.1109\/JCN.2020.000006","article-title":"Routing optimization for cloud services in SDN-based Internet of Things with TCAM capacity constraint","volume":"22","author":"Xu","year":"2020","journal-title":"Journal of Communications and Networks"},{"issue":"6","key":"10.7717\/peerj-cs.3556\/ref-44","doi-asserted-by":"publisher","first-page":"3514","DOI":"10.1109\/TNET.2017.2748159","article-title":"Flow wars: systemizing the attack surface and defenses in software-defined networks","volume":"25","author":"Yoon","year":"2017","journal-title":"IEEE\/ACM Transactions on Networking"},{"key":"10.7717\/peerj-cs.3556\/ref-45","doi-asserted-by":"publisher","first-page":"108495\u2013108512","DOI":"10.1109\/ACCESS.2021.3101650","article-title":"SDN-based architecture for transport and application layer DDoS attack detection by using machine and deep learning","volume":"9","author":"Yungaicela-Naula","year":"2021","journal-title":"IEEE Access"},{"issue":"8","key":"10.7717\/peerj-cs.3556\/ref-46","doi-asserted-by":"publisher","first-page":"104155","DOI":"10.1016\/j.cose.2024.104155","article-title":"HIDIM: a novel framework of network intrusion detection for hierarchical dependency and class imbalance","volume":"148","author":"Zhou","year":"2025","journal-title":"Computers & Security"},{"issue":"3","key":"10.7717\/peerj-cs.3556\/ref-47","doi-asserted-by":"publisher","first-page":"e2112","DOI":"10.1002\/nem.2112","article-title":"SDN-based teleprotection and control power systems: a study of available controllers and their suitability","volume":"31","author":"Zopellaro Soares","year":"2021","journal-title":"International Journal of Network Management"}],"container-title":["PeerJ Computer Science"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/peerj.com\/articles\/cs-3556.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/peerj.com\/articles\/cs-3556.xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/peerj.com\/articles\/cs-3556.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/peerj.com\/articles\/cs-3556.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T08:19:21Z","timestamp":1770711561000},"score":1,"resource":{"primary":{"URL":"https:\/\/peerj.com\/articles\/cs-3556"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,10]]},"references-count":47,"alternative-id":["10.7717\/peerj-cs.3556"],"URL":"https:\/\/doi.org\/10.7717\/peerj-cs.3556","archive":["CLOCKSS","LOCKSS","Portico"],"relation":{},"ISSN":["2376-5992"],"issn-type":[{"value":"2376-5992","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,10]]},"article-number":"e3556"}}