A Hybrid CNN–BiLSTM Framework with LightGBM Stacking, SDN-Gate, and PSO-Based Threshold Optimization for Enhanced Intrusion Detection in SDN Environments
Received: 2 March 2026 | Revised: 31 March 2026 and 22 April 2026 | Accepted: 23 April 2026 | Online: 6 June 2026
Corresponding author: Maryam Yasmin Ahman
Abstract
Intrusion detection in Software-Defined Networking (SDN) remains challenging due to dynamic control plane traffic and the scarcity of realistic datasets. Conventional Intrusion Detection Systems (IDSs) often struggle to capture diverse SDN-specific threats, including flow rule flooding, topology poisoning, control plane reflection, and other controller-targeted anomalies. This study presents a hybrid framework, Convolutional Neural Network (CNN)–Bidirectional Long Short-Term Memory (BiLSTM) → Light Gradient Boosting Machine (LightGBM) + SDN-Gate with Particle Swarm Optimization (PSO), designed to enhance detection accuracy and control plane reliability. A realistic SDN traffic dataset was generated in a GNS3 testbed combining OpenDaylight, Open vSwitch, and multiple Linux hosts, encompassing both general and SDN-specific attacks. The proposed framework employs convolutional and bidirectional recurrent layers for spatial–temporal feature learning, Synthetic Minority Over-sampling Technique–Edited Nearest Neighbor (SMOTE-ENN) for class imbalance mitigation, and LightGBM stacking with PSO-based threshold optimization for calibrated decision fusion. The SDN-Gate, a lightweight LightGBM-based verifier, reevaluates SDN-specific predictions using confidence margins and selectively demotes uncertain ones, thereby reducing false alarms, improving controller-level reliability, and providing a practical foundation for IDS implementations in SDN environments. Experimental results demonstrate 99.80% accuracy and 97.16% Macro-F1 on the full dataset, and 97.22% accuracy and 97.22% Macro-F1 on the Address Resolution Protocol (ARP) and Man-in-the-Middle (MITM) attacks subset, outperforming baseline deep and shallow learning models. Overall, the proposed framework provides a reliable and explainable approach to strengthening the security of SDN networks in real-world settings.
Keywords:
Software-Defined Networking (SDN), Intrusion Detection Systems (IDSs), Deep Learning (DL), CNN–BiLSTM, Particle Swarm Optimization (PSO)
License
Copyright (c) 2026 Maryam Yasmin Ahman, Saleh El-Yakub Abdullahi, Steve Adeshina Adetunji

This work is licensed under a Creative Commons Attribution 4.0 International License.
