Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Abbas Jasem Altamemi,Aladdin Abdulhassan,Nawfal Turki Obeis

DOI: https://doi.org/10.11591/eei.v11i5.4155

2022-10-01

Bulletin of Electrical Engineering and Informatics

Abstract:The term software defined networking (SDN) is a network model that contributes to redefining the network characteristics by making the components of this network programmable, monitoring the network faster and larger, operating with the networks from a central location, as well as the possibility of detecting fraudulent traffic and detecting special malfunctions in a simple and effective way. In addition, it is the land of many security threats that lead to the complete suspension of this network. To mitigate this attack this paper based on the use of machine learning techniques contribute to the rapid detection of these attacks and methods were evaluated detecting DDoS attacks and choosing the optimum accuracy for classifying these types within the SDN, the results showed that the proposed system provides the better results of accuracy to detect the DDos attack in SDN network as 99.90% accuracy of Decision Tree (DT) algorithm.

Ahmad Hamarshe,Huthaifa I. Ashqar,Mohammad Hamarsheh

DOI: https://doi.org/10.48550/arXiv.2303.06513

IF: 5.414

2023-03-11

Machine Learning

Abstract:The concept of Software Defined Networking (SDN) represents a modern approach to networking that separates the control plane from the data plane through network abstraction, resulting in a flexible, programmable and dynamic architecture compared to traditional networks. The separation of control and data planes has led to a high degree of network resilience, but has also given rise to new security risks, including the threat of distributed denial-of-service (DDoS) attacks, which pose a new challenge in the SDN environment. In this paper, the effectiveness of using machine learning algorithms to detect distributed denial-of-service (DDoS) attacks in software-defined networking (SDN) environments is investigated. Four algorithms, including Random Forest, Decision Tree, Support Vector Machine, and XGBoost, were tested on the CICDDoS2019 dataset, with the timestamp feature dropped among others. Performance was assessed by measures of accuracy, recall, accuracy, and F1 score, with the Random Forest algorithm having the highest accuracy, at 68.9%. The results indicate that ML-based detection is a more accurate and effective method for identifying DDoS attacks in SDN, despite the computational requirements of non-parametric algorithms.

Hasan Kamel,Mahmood Zaki Abdullah

DOI: https://doi.org/10.11591/ijeecs.v28.i3.pp1613-1620

2022-12-01

Indonesian Journal of Electrical Engineering and Computer Science

Abstract:Software defined networking (SDN) is the networking model which has completely changed the network through attempting to make devices of network programmable. SDN enables network engineers to manage networks more quickly, control networks from a centralized location, detect abnormal traffic, and distinguish link failures in efficient way. Aside from the flexibility introduced by SDN, also it is prone to attacks like distributed denial of service attacks (DDoS), that could bring the entire network to a halt. To reduce this threat, the paper introduces machine learning model to distinguish legitimate traffic from DDoS traffic. After preprocessing phase to dataset, the traffic is classified into one of the classes. We achieved an accuracy score of 99.95% by employing an optimized extremely randomized trees (ERT) classifier, as described in the paper. As a result, the goal of traffic flow classification using machine learning techniques was achieved.

Yonghong Wang,Xiaofeng Wang,Mazeyanti Mohd Ariffin,Masoumeh Abolfathi,Abdulmajeed Alqhatani,Laila Almutairi

DOI: https://doi.org/10.1016/j.compeleceng.2023.108655

2023-05-01

Abstract:The Software-Defined Network (SDN) provides a more flexible and effectively managed network design for next-generation networking. Network managers can easily manage and regulate the entire network using its programmable central controller architecture. This central controller serves as the focal point for numerous attack vectors due to its centralized structure. However, Distributed Denial of Service (DDoS) attacks against the SDN is the most prominent. The goal of this project is to use a machine learning method to categorize SDN traffic as either attack or normal traffic. Next, the Feature Selection method, such as the Filter-based Fisher score method, Wrapper-based method, and analysis of variables (ANOVA) f-test, is used for finely-granulated detection. Then, a rule-based detection method using the Renyi joint entropy algorithm is employed to detect DDoS attacks on SDN controllers. We manage a public "DDoS attack SDN Dataset" with 23 attributes overall. The dataset includes normal and attack traffic for the Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), and Transmission Control Protocol (TCP). Except for attributes that specify the target and source machines, the dataset, which contains more than 100,000 recordings, has statistical features such as byte count, duration sec, packet rate, and packet per flow. In the classification process, many classifiers such as Artificial Neural Network (ANN), XGBoost (XGB), Support Vector Machine (SVM), and k-Nearest Neighbor (k-NN) were used. The test results demonstrated the efficacy and efficiency of the suggested strategy using the analysis of variables (ANOVA), which performed better than competing methods across a range of evaluation parameters.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Hasen AlMomin,Abdullahi Abdu Ibrahim

DOI: https://doi.org/10.1109/hora49412.2020.9152873

2020-06-01

Abstract:Software Defined-Network (SDN) is still lately attracting much new research of interest. SDN networks introduce a new design that works on split the control plane from the data plane in order to allow a broader filed to program the network smoothly and efficiently to gain much simplicity, compared to the traditional networks. Any change in traditional networks required a re-configuration on a set of resources for the network. Whereas in new SDN network needs one person with knowledge on the control layer (controller) to manage all network resources and update rules with less time. One of the most critical attacks that increased lately is the Distributed Denial of Service (DDoS), which works to make the service unavailable for an unknown period. In this paper, we will suggest a method to detect a DDoS attack that targeting one or multiple victims concurrently by combining two algorithms of Machine Learning (ML), which is entropy and Principal Component Analysis (PCA). Also, we examined the efficiency of our schema through a Mininet emulator and a pox controller and using open vSwitch as a switch. We have obtained high detection accuracy to detect DDoS attacks.

Nisharani Meti,D G Narayan,V. P. Baligar

DOI: https://doi.org/10.1109/icacci.2017.8126031

2017-09-01

Abstract:Software Defined Networking (SDN) is a new promising networking concept which has a centralized control over the network and separates the data and control planes. This new approach provides abstraction of lower-level functionality and allows the network administrators to initialize, control, change, and manage network behavior programmatically. The centralized control, being the major advantage of SDN can sometimes also be a major security threat. If the intruder succeeds in attacking the central controller, he would get access to the entire system. The controller is highly vulnerable to Distributed Denial of Service (DDoS) attacks which lead to exhaustion of the system resources which causes non-availability of the services given by the controller. It is critical to detect the attacks in the controller at earlier stage. Many algorithms and techniques have been discovered for this purpose. But less work has been done in the field of SDN networks. Using machine learning algorithms for classifying the connections into legitimate and illegitimate is one such solution. We use two machine learning algorithms namely, the Support Vector Machine (SVM) classifier and the Neural Network (NN) classifier to detect the suspicious and harmful connections.

Ancy Sherin Jose,Latha R Nair,Varghese Paul

DOI: https://doi.org/10.47059/revistageintec.v11i4.2411

2021-07-29

Revista Gestão Inovação e Tecnologias

Abstract:Distributed Denial of Service Attack (DDoS) has emerged as a major threat to cyber space. A DDoS attack aims at exhausting the resources of the victim causing financial and reputational damages to it. The availability of free software make launching of DDoS attacks easy. The difficulty in differentiating a DDoS traffic from a legitimate traffic burst such as a flash crowd makes DDoS difficult to be identified. A wide range of techniques have been used in conventional networks to detect and mitigate DDoS attacks. Though the advent of Software Defined Networking (SDN) makes a network easy to be managed even SDN is vulnerable to DDoS attacks. In this case, the controller of the SDN gets overloaded with the incoming packets from the switches. In fact, a solution based on security analytics can be put in place to ward off this threat as a proactive security measure using the flow level statistics available from the SDN. Compared to the packet analysis used in traditional networks which is resource expensive the flow level statistics is relatively inexpensive. This paper focuses on the design and implementation of an attack detection system for detecting the flooding DDoS attacks TCP SYN flooding attacks, HTTP request flooding attacks, UDP flooding attacks and ICMP flooding attacks over SDN network traffic. The system uses various classification algorithms to classify a traffic into normal or attack. The feature sets for classification were arrived at using a feature selection module with ANOVA (Analysis of Variance) F-Test statistical method. Performance evaluation of each of the classifiers was carried out for the three feature sets obtained from the feature selection module using various performance measures and the results have been tabulated. The feature set which gives the best performance in detecting malicious traffic has been identified.

DOI: https://doi.org/10.35940/ijrte.b3670.078219

2019-07-30

International Journal of Recent Technology and Engineering

Abstract:Software Defined Networking (SDN) is a modern emerging technology in networking. The great advantage of this network is, decoupling of the carrier plane and the control plane as well as which provides centralized control. A Controller is the intelligent part of SDN. It offers several benefits such as network programmability, dynamic computing, and cost-effective, high bandwidth. However, SDN has many security issues. The DDoS attack on SDN is a significant issue, and various proposals have been proposed for the detection and prevention of attacks. The main objective of this proposal is to detect DDoS attacks with the help of SDN techniques. In this proposal, a deep learning based Artificial Neural Network (ANN) model is used to detect the DDoS attacks. This can reduce learning time as well as detection time. To evaluate our model we use different machine learning algorithms and deep learning algorithm with different optimizers to train the network traffic which is generated in Mininet emulator and evaluates the results by various metrics such as detection rate, accuracy score, and confusion matrix with classification report. The result shows less detection time (4Secs) with a high accuracy score of 92% in our proposed Artificial Neural Network (ANN) model

M. Revathi,V. V. Ramalingam,B. Amutha

DOI: https://doi.org/10.1007/s11277-021-09071-1

IF: 2.017

2021-09-15

Wireless Personal Communications

Abstract:Recently, SDN has arisen as a new network platform that offers unparalleled programming that enables network operators to dynamically customize and control their networks. The attackers aim to paralyse the logical plane, the brain of the network that offers several advantages, by using the SDN controller. However, the control plane is the desirable target of security attacks on the opponents because of its characteristics. One of the most common threats is the DDOS attacks to drain network capacity by sending them heavy traffic, causing network congestion. SDN is a common area of investigation for SDN defenceand DDoS threat identification and prevention in the SDN context has been introduced to many researchers since the proposed SDN attacks. Nevertheless, security risks must be adequately secured. In this paper we suggest a discrete scalable memory based support vector machine algorithm for DDoS threat and SDN mitigation architecture for attack detection. By starting the process of attack detection the input data can gets pre-processed by using Spark standardization technique in which the missing values are replaced and the unwanted data are removed. Then the feature extractions are done using semantic multilinear component analysis algorithm. The classifier is responsible for predicting target and for this a novel discrete scalable memory based support vector machine (DSM-SVM) algorithm is used which provides high accuracy of attack prediction. Followed by attack detection the mitigation process was done, here the mitigation server can identify the threat by intelligently dropping malicious bot traffic and absorbing the rest of the traffic. Here the suggested mechanism achieves attack traffic mitigation and benign traffic dropping. We have evaluated the whole process on KDD dataset. The proposed network model was trained and then used in an SDN threat detection and mitigation environment as part of the assessment process. The entire experiment is run on a VMware-based Ubuntu virtual machine. Weka will utilize our suggested classifier model for training and evaluation, while Mininet uses a RYU controller to establish an SD Network. The findings demonstrate that the mechanism presented exceeds the other algorithms examined, by expressing 99.7% accuracy especially concerning training and testing time over KDD dataset.

telecommunications

Abdulsalam O. Alzahrani,Mohammed J. F. Alenazi

DOI: https://doi.org/10.3390/fi13050111

2021-04-28

Future Internet

Abstract:Software-defined Networking (SDN) has recently developed and been put forward as a promising and encouraging solution for future internet architecture. Managed, the centralized and controlled network has become more flexible and visible using SDN. On the other hand, these advantages bring us a more vulnerable environment and dangerous threats, causing network breakdowns, systems paralysis, online banking frauds and robberies. These issues have a significantly destructive impact on organizations, companies or even economies. Accuracy, high performance and real-time systems are essential to achieve this goal successfully. Extending intelligent machine learning algorithms in a network intrusion detection system (NIDS) through a software-defined network (SDN) has attracted considerable attention in the last decade. Big data availability, the diversity of data analysis techniques, and the massive improvement in the machine learning algorithms enable the building of an effective, reliable and dependable system for detecting different types of attacks that frequently target networks. This study demonstrates the use of machine learning algorithms for traffic monitoring to detect malicious behavior in the network as part of NIDS in the SDN controller. Different classical and advanced tree-based machine learning techniques, Decision Tree, Random Forest and XGBoost are chosen to demonstrate attack detection. The NSL-KDD dataset is used for training and testing the proposed methods; it is considered a benchmarking dataset for several state-of-the-art approaches in NIDS. Several advanced preprocessing techniques are performed on the dataset in order to extract the best form of the data, which produces outstanding results compared to other systems. Using just five out of 41 features of NSL-KDD, a multi-class classification task is conducted by detecting whether there is an attack and classifying the type of attack (DDoS, PROBE, R2L, and U2R), accomplishing an accuracy of 95.95%.

DOI: https://doi.org/10.51316/jst.166.ssad.2023.33.2.1

2023-05-15

Abstract:Software Defined Network (SDN) is a new architecture designed to make the network infrastructure more flexible and easier to manage. It allows network administrators to configure network parameters as well as integrating new functions using programming languages easily. Thanks to the centralized control paradigm, it is easier to collect information of the entire network, which facilitates the implementation of machine learning algorithms to detect anomaly traffic as well as network attacks. Recently, with the development of machine learning and artificial intelligence, several methods have been applied to detect and mitigate Distributed Denial of Service (DDoS) attacks. However, all of activities from monitoring data, detecting and mitigating the attack consume time and resources. To reduce unnecessary redundancy, in this paper, we divide attack detection into two phases, which are anomaly detection phase with lightweight machine learning algorithm and attack detection phase when anomaly behaviors have been detected. This reduces the in-depth analysis of normal traffic and helps to improve the use of computing resources and data transmission efficiency of the network. By setting up a testbed, we have successfully run this model as well as evaluated the accuracy of the model. The results show that our model can detect attacks quickly and accurately.

Waheed G. Gadallah,Nagwa M. Omar,Hosny M. Ibrahim,

DOI: https://doi.org/10.5815/ijcnis.2021.03.02

2021-06-08

International Journal of Computer Network and Information Security

Abstract:Software-Defined Networking is a new network architecture that separates control and data planes. It has central network control and programmability facilities, so it improves manageability, scaling, and performance. However, it may suffer from creating a single point of failure against the controller, which represents the network control plane. So, defending the controller against attacks such as a distributed denial of service attack is a valuable and urgent issue. The advances of this paper are to implement an accurate and significant method to detect this attack with high accuracy using machine learning-based algorithms exploiting new advanced features obtained from traffic flow information and statistics. The developed model is trained with kernel radial basis function. The technique uses advanced features such as unknown destination addresses, packets inter-arrival time, transport layer protocol header, and type of service header. To the best knowledge of the authors, the proposed approach of the paper had not been used before. The proposed work begins with generating both normal and attack traffic flow packets through the network. When packets reach the controller, it extracts their headers and performs necessary flow calculations to get the needed features. The features are used to create a dataset that is used as an input to linear support vector machine classifier. The classifier is used to train the model with kernel radial basis function. Methods such as Naive Bayes, K-Nearest Neighbor, Decision Tree, and Random Forest are also utilized and compared with the SVM model to improve the detection operation. Hence, suspicious senders are blocked and their information is stored. The experimental results prove that the proposed technique detects the attack with high accuracy and low false alarm, compared to other related techniques.

Amany I Hassan,Eman Abd El Reheem,Shawkat K Guirguis

DOI: https://doi.org/10.1038/s41598-024-67984-w

2024-08-06

Abstract:Software-defined networks (SDNs) have been growing rapidly due to their ability to provide an efficient network management approach compared to traditional methods. However, one of the major challenges facing SDNs is the threat of Distributed Denial of Service (DDoS) attacks, which can severely impact network availability. Detecting and mitigating such attacks is challenging, given the constantly evolving range of attack techniques. In this paper, a novel hybrid approach is proposed that combines statistical methods with machine-learning capabilities to address the detection and mitigation of DDoS attacks in SDN environments. The statistical phase of the approach utilizes an entropy-based detection mechanism, while the machine-learning phase employs a clustering mechanism to analyze the impact of active users on the entropy of the system. The k-means algorithm is used for clustering. The proposed approach was experimentally evaluated using three modern datasets, namely, CIC-IDS2017, CSE-CIC-2018, and CICIDS2019. The results demonstrate the effectiveness of the system in detecting and blocking sudden and rapid attacks, highlighting the potential of the proposed approach to significantly enhance security against DDoS attacks in SDN environments.

Fizza Rizvi,Ravi Sharma,Nonita Sharma,Manik Rakhra,Arwa N. Aledaily,Wattana Viriyasitavat,Kusum Yadav,Gaurav Dhiman,Amandeep Kaur

DOI: https://doi.org/10.1007/s11042-024-18744-5

IF: 2.577

2024-03-14

Multimedia Tools and Applications

Abstract:Distributed Denial of Service (DDoS) attacks continue to pose a significant threat to network infrastructures, exploiting vulnerabilities within existing security protocols and disrupting the seamless availability of online services. The intricate interconnections of nodes within computer networks contribute to the dynamic structure of this environment, complicating efforts to establish a secure and productive user experience. Effectively mitigating DDoS attacks in this complex networked setting remains a challenge. While current strategies primarily rely on anomaly detection and signature-based techniques, utilizing statistical analysis and predefined patterns to identify and thwart attacks, none have consistently demonstrated efficacy or reliability. Consequently, there is a compelling need for advancements in security mechanisms to address DDoS threats more effectively. This research introduces an innovative and highly efficient approach that incorporates various classification algorithms, including Random Forest, Decision Tree, Gradient Boosting, Linear SVM, Logistics, K-nearest neighbors (KNN), and AdaBoost, for DDoS attack detection. The performance of these machine learning classifiers is evaluated using key metrics such as accuracy, recall, F1-score, and precision. Remarkably, experimental results reveal outstanding accuracy rates, with Random Forest achieving the highest accuracy in detecting attacks. Additionally, a genetic algorithm is employed to select optimal features from the dataset, further enhancing the performance of the classifiers. This results in a notable 25% increase in accuracy, surpassing AdaBoost and Logistics, with K-nearest neighbors emerging as the top performer in terms of accuracy.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Huseyin Polat,Onur Polat,Aydin Cetin

DOI: https://doi.org/10.3390/su12031035

IF: 3.9

2020-02-01

Sustainability

Abstract:Software Defined Networking (SDN) offers several advantages such as manageability, scaling, and improved performance. However, SDN involves specific security problems, especially if its controller is defenseless against Distributed Denial of Service (DDoS) attacks. The process and communication capacity of the controller is overloaded when DDoS attacks occur against the SDN controller. Consequently, as a result of the unnecessary flow produced by the controller for the attack packets, the capacity of the switch flow table becomes full, leading the network performance to decline to a critical threshold. In this study, DDoS attacks in SDN were detected using machine learning-based models. First, specific features were obtained from SDN for the dataset in normal conditions and under DDoS attack traffic. Then, a new dataset was created using feature selection methods on the existing dataset. Feature selection methods were preferred to simplify the models, facilitate their interpretation, and provide a shorter training time. Both datasets, created with and without feature selection methods, were trained and tested with Support Vector Machine (SVM), Naive Bayes (NB), Artificial Neural Network (ANN), and K-Nearest Neighbors (KNN) classification models. The test results showed that the use of the wrapper feature selection with a KNN classifier achieved the highest accuracy rate (98.3%) in DDoS attack detection. The results suggest that machine learning and feature selection algorithms can achieve better results in the detection of DDoS attacks in SDN with promising reductions in processing loads and times.

environmental sciences,environmental studies,green & sustainable science & technology

Quamar Niyaz,Weiqing Sun,Ahmad Y Javaid

DOI: https://doi.org/10.4108/eai.28-12-2017.153515

2016-11-23

Abstract:Distributed Denial of Service (DDoS) is one of the most prevalent attacks that an organizational network infrastructure comes across nowadays. We propose a deep learning based multi-vector DDoS detection system in a software-defined network (SDN) environment. SDN provides flexibility to program network devices for different objectives and eliminates the need for third-party vendor-specific hardware. We implement our system as a network application on top of an SDN controller. We use deep learning for feature reduction of a large set of features derived from network traffic headers. We evaluate our system based on different performance metrics by applying it on traffic traces collected from different scenarios. We observe high accuracy with a low false-positive for attack detection in our proposed system.

Networking and Internet Architecture

Amran Mansoor,Mohammed Anbar,Abdullah Ahmed Bahashwan,Basim Ahmad Alabsi,Shaza Dawood Ahmed Rihan

DOI: https://doi.org/10.3390/systems11060296

2023-06-09

Systems

Abstract:The rapid growth of cloud computing has led to the development of the Software-Defined Network (SDN), which is a network strategy that offers dynamic management and improved performance. However, security threats are a growing concern, particularly with the SDN controller becoming an attractive target for malicious actors and potential Distributed Denial of Service (DDoS) attacks. Many researchers have proposed different approaches to detecting DDoS attacks. However, those approaches suffer from high false positives, leading to low accuracy, and the main reason behind this is the use of non-qualified features and non-realistic datasets. Therefore, the deep learning (DL) algorithmic technique can be utilized to detect DDoS attacks on SDN controllers. Moreover, the proposed approach involves three stages, (1) data preprocessing, (2) cross-feature selection, which aims to identify important features for DDoS detection, and (3) detection using the Recurrent Neural Networks (RNNs) model. A benchmark dataset is employed to evaluate the proposed approach via standard evaluation metrics, including false positive rate and detection accuracy. The findings indicate that the recommended approach effectively detects DDoS attacks with average detection accuracy, average precision, average FPR, and average F1-measure of 94.186 %, 92.146%, 8.114%, and 94.276%, respectively.

Hsiu-Min Chuang,Fanpyn Liu,Chung-Hsien Tsai

DOI: https://doi.org/10.3390/sym14061178

2022-06-08

Symmetry

Abstract:Recent developments have made software-defined networking (SDN) a popular technology for solving the inherent problems of conventional distributed networks. The key benefit of SDN is the decoupling between the control plane and the data plane, which makes the network more flexible and easier to manage. SDN is a new generation network architecture; however, its configuration settings are centralized, making it vulnerable to hackers. Our study investigated the feasibility of applying artificial intelligence technology to detect abnormal attacks in an SDN environment based on the current unit network architecture; therefore, the concept of symmetry includes the sustainability of SDN applications and robust performance of machine learning (ML) models in the case of various malicious attacks. In this study, we focus on the early detection of abnormal attacks in an SDN environment. On detection of malicious traffic in SDN topology, the AI module in the topology is applied to detect and act against the attack source through machine learning algorithms, making the network architecture more flexible. Under multiple abnormal attacks, we propose a hierarchical multi-class (HMC) architecture to effectively address the imbalanced dataset problem and improve the performance of minority classes. The experimental results show that the decision tree, random forest, bagging, AdaBoost, and deep learning models exhibit the best performance for distributed denial-of-service (DDoS) attacks. In addition, for the imbalanced dataset problem of multiclass classification, our proposed HMC architecture performs better than previous single classifiers. We also simulated the SDN topology and scenario verification. In summary, we concatenated the AI module to enhance the security and effectiveness of SDN networks in a practical manner.