Skip to main content

Survey on SDN based network intrusion detection system using machine learning approaches


Software Defined Networking Technology (SDN) provides a prospect to effectively detect and monitor network security problems ascribing to the emergence of the programmable features. Recently, Machine Learning (ML) approaches have been implemented in the SDN-based Network Intrusion Detection Systems (NIDS) to protect computer networks and to overcome network security issues. A stream of advanced machine learning approaches – the deep learning technology (DL) commences to emerge in the SDN context. In this survey, we reviewed various recent works on machine learning (ML) methods that leverage SDN to implement NIDS. More specifically, we evaluated the techniques of deep learning in developing SDN-based NIDS. In the meantime, in this survey, we covered tools that can be used to develop NIDS models in SDN environment. This survey is concluded with a discussion of ongoing challenges in implementing NIDS using ML/DL and future works.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4


  1. 1.

    Hewlett Packard Enterprise (2015) 2015 cost of cyber crime study: global, independently conducted by Ponemon institute LLC publication, Ponemon Institute research report. Avaiable Accessed 26 June 2017

  2. 2.

    Kreutz D, Ramos FMV, Verissimo PE, Rothenberg CE, Azodolmolky S (2015) Software-defines network- a comprehensive survey. Published in Proceedings of the IEEE, 103, 1

  3. 3.

    Aburomman AA, Reza MBI (2016) Survey of learning methods in intrusion detection systems. International conference on advances in electrical, electronic and system Engineering(ICAEES), Putrajaya, pp 362–365.

  4. 4.

    Mehdi SA, Khalid J, Khaiyam SA (2011) Revisiting traffic anomaly detection using software defined networking. In: Sommer R, Balzarotti D, Maier G (eds) Recent Advances in Intrusion Detection. RAID 2011. Lecture Notes in Computer Science, vol 6961. Springer, Berlin, Heidelberg

  5. 5.

    Garcı´a-Teodoroa P, Dı´az-Verdejo J, Macia´-Ferna’ndez G, Va´zquez E (2009) Anomaly-based network intrusion detection: Techniques, systems and challenges. J Comput Secur 28(1-2):18–28

    Article  Google Scholar 

  6. 6.

    Tuan TA, Mhamdi L, Mclernon D, Zaidi SAR, Ghogho M (2016) Deep learning approach for network intrusion detection in software defined networking. Int Conf Wirel Netw Mob Commun.

  7. 7.

    Open Networking Foundation (2013) SDN architecture overview, Version 1.0. Available Accessed 27 June 2017

  8. 8.

    Niyaz Q, Sun W, Javaid AY (2016) A deep learning based DDoS detection system in software defined networking (SDN). CoRR abs/1611.07400.

  9. 9.

    Sezer S, Scott-Hayward S, Chouhan PK (2013) Are we ready for SDN? Implementation challenges for software-defined networks. In: IEEE Communication Magazine, vol. 51, no. 7, pp 36–43.

  10. 10.

    Atkinson RC, Bellekens XJ, Hodo E, Hamilton A, Tachtatzis C (2017) Shallow and deep networks intrusion detection system: a taxonomy and survey. CoRR, arXiv preprint arXiv:1701.02145. 2017 Jan 9

  11. 11.

    Survey of Current Network Intrusion Detection Techniques Accessed 26 June 2017

  12. 12.

    Supervised and unsupervised machine learning algorithms learning-algorithms/. Accessed 20 June 2017

  13. 13.

    Zamani M, Movahedi M (2015) Machine learning techniques for intrusion detection. CoRR, arXiv preprint arXiv:1312.2177. 2017 Jan 9

  14. 14.

    Thaseen S, Kumar Ch (2013) An analysis of supervised tree based classifiers for intrusion detection system. In: Proceedings of the international conference on pattern recognition, informatics and mobile engineering (P RIME). Pp. 21–22

  15. 15.

    Niyaz Q, Sun W, Javaid AY, Alam M (2016) A deep learning approach for network intrusion detection system. International conference wireless networks and mobile communications (WINCOM)

  16. 16.

    Zanero S, Savaresi SM (2004) Unsupervised learning techniques for an intrusion detection system. In: Proceedings of the ACM symposium on applied computing. Pages 412–419

  17. 17.

    Syarif I, Prugel-Bennett A, Wills G (2012) Unsupervised clustering approach for network anomaly detection. In: Benlamri R (eds) Networked Digital Technologies. NDT 2012. Communications in Computer and Information Science, vol 293. Springer, Berlin, Heidelberg

  18. 18.

    Tsai C, Hsu Y, Lin C, Lin W (2009) Intrusion detection by machine learning: a review. Expert Syst Appl 36:11994–12000

    Article  Google Scholar 

  19. 19.

    Bennett KP, Demiriz A (2017) Semi-supervised support vector machines. Neural Comput & Applic 28(5):969–978

    Article  Google Scholar 

  20. 20.

    Haweliya J, Nigam B (2014) Network intrusion detection using semi supervised support vector machine. Int J Comput Appl 85, 9

  21. 21.

    Chen C, Gong Y, Tian Y (2008) Semi-supervised learning methods for network intrusion detection. Int Conf Sys, Man Cybern, IEEE.

  22. 22.

    Deep learning stand to benefit to data analytics and HPC expertise stands-to- benefit-from-data-analytics-and-high-performance-computing-hpc-expertise.html. Accessed 3 July 2017

  23. 23.

    LeCun Y, Bengio Y, Hinton G (2015) Deep learning review. Weekly journal of science in nature international. Nature 521, doi:

  24. 24.

    Convolutional Neural Networks (2017) Accessed 10 July 2017

  25. 25.

    Deng L, Yu D (2014) Deep learning methods and applications. Microsoft Research. Available Accessed 10 July 2017

  26. 26.

    Alom MZ, Bontupalli VR, Taha TM (2015) Intrusion detection using deep belief networks. Aerospace and electronics conference, NAECON. IEEE

  27. 27.

    Tutorial Accessed June 15 2017

  28. 28.

    Vyas A (2017) Deep learning in natural language processing” in mphasis, deep learning- NL_whitepaper

  29. 29.

    Hughes T, Mierle K (2013) Recurrent neural networks for voice activity detection IEEE International Conference on Acoustics, Speech and Signal Processing, Vancouver, BC, pp 7378–7382.

  30. 30.

    Salama MA, Eid HF, Ramadan RA, Darwish A, Hassanien AE (2011) Hybrid intelligent intrusion detection scheme. Soft computing in industrial applications in advances in intelligent and soft computing book series (AINSC, volume 96), pp 293–303

  31. 31.

    Fiore U, Palmieri F, Castiglione A, Santis AD (2013) Network anomaly detection with the restricted Boltzmann machine. Neurocomputing 122(25):13–23

    Article  Google Scholar 

  32. 32.

    Eid HFA, Darwish A, Hassanien AE, Abraham A (2010) Principal components analysis and support vector machine based intrusion detection system. International conference intelligent systems design and applications (ISDA)

  33. 33.

    Wang L, Jones R (2017) Big data analytics for network intrusion detection: a survey. Int J Netw Commun.

  34. 34.

    Open Networking Foundation (2014) SDN architecture, Issue 1 June 2014 ONF TR-502

  35. 35.

    Nunes BAA, Mendonca M, Nguyen XN, Obraczka K and Turletti T (2014) A Survey of Software-Defined Networking: Past, Present, and Future of Programmable Networks. In IEEE Communications Surveys & Tutorials, vol 16, no. 3, pp 1617–1634, Third Quarter 2014.

  36. 36.

    Bakshi T (2017) State of the art and recent research advances in software defined networking. In Wireless Communications and Mobile Computing, 2017, 1530-8669, Hindawi Publishing Corporation

  37. 37.

    Yan Q, Yu FR, Gong Q and Li J (2016) Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: A survey, some research issues, and challenges. IEEE Communications Surveys & Tutorials, vol. 18, no. 1, pp 602–622 Firstquarter 2016.

  38. 38.

    Braga R, Mota E, Passito A (2010) Lightweight DDoS flooding attack detection using NOX/OpenFlow. 35th Annual IEEE conference on local computer networks, Denver, Colorado

  39. 39.

    Open Networking Foundation, Jun (2014) [Online]. Available: Accessed 10 July 2017

  40. 40.

    Prete LR, Shinoda AA, Schweitzer CM, De Oliveira RLS (2014) Simulation in an SDN network scenario using the POX controller. 2014 I.E. Colombian Conference on Communications and Computing (COLCOM), Bogota, pp 1–6.

  41. 41.

    Open Flow [Online]. Available: Accessed 12 July 2017

  42. 42.

    NOX. [Online]. Available: Accessed 12 July 2017

  43. 43.

    POX. [Online]. Available: Accessed 12 July 2017

  44. 44.

    Kaur S, Singh J, Ghumman NS (2014) Network programmability using POX controller. International conference on communication, computing & systems, at SBS Staten technical campus, Ferozepur, Punjab, India, volume: 1

  45. 45.

    Nguyen HT, Petrovic S, Franke K (2010) A comparison of feature-selection methods for intrusion detection. In: Kotenko I, Skormin V (eds) Computer Network Security. MMM-ACNS 2010. Lecture Notes in Computer Science, vol 6258. Springer, Berlin, Heidelberg, pp 242–255

  46. 46.

    Gogoil P, Bhuyan MH (2012) Packet and flow-based network intrusion dataset. International conference on contemporary computing IC3, pp 322–334

  47. 47.

    Hu F, Hao Q, Bao K (2014) A survey on software-defined network and openFlow: from concept to implementation. IEEE communication surveys & tutorial 16:4

    Article  Google Scholar 

  48. 48.

    Alom MZ, Bontupall VR, Taha TM (2015) Intrusion detection using deep belief networks. In: Aerospace and electronics conference, NAECON

  49. 49.

    Coates A, Lee H, Ng Andrew Y (2011) An analysis of single-layer networks in unsupervised feature learning. In: Proceedings of the fourteenth international conference on artificial intelligence and statistics, PMLR 15:215–223

  50. 50.

    Lu Y, Cohen I, Zhou XS, Tian Q (2014) Feature selection using principal feature analysis. Pattern Recogn Lett 49:33–39

    Article  Google Scholar 

  51. 51.

    Eid HF, Salama MA, Hassanien AE, Kim TH (2011) Bi-layer behavioral based feature selection approach for network intrusion classification. Commun Comput Inf Sci Book Ser 259:195–203

    Google Scholar 

  52. 52.

    Hasan MAM, Nasser M, Ahmad S, Molla KH (2016) Feature selection for intrusion detection using random forest. In: Journal of information security, pp 129–140

  53. 53.

    Kloft M, Brefeld U, Dussel P, Gehl C, Laskov P (2008) Automatic feature selection for anomaly detection. In: Proceedings of the 1st ACM workshop on AISec, Pages 71–76, Alexandria, Virginia, ACM New York, USA

  54. 54.

    Shiravi A, Shiravi H, Tavallaee M, Ghorbani AA (2012) Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput Secur 31(3):357–374

    Article  Google Scholar 

  55. 55.

    University of New Brunswick (2017) [Online] available Accesses 22 June 2017

  56. 56.

    Creech G, Hu J (2013) Generation of a new IDS test dataset: time to retire the KDD collection. Wirel Commun Netw Conf (WCNC).

  57. 57.

    Nour M, Slay J (2016) The evaluation of network anomaly detection systems: statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set. Inf Secur J: A Glob Perspec, pp 1–14

  58. 58.

    Almomani I, Al-Kasasbeh B, Al-Akhras M (2016) WSN-DS: a dataset for intrusion detection systems in wireless sensor networks. J Sens 16p

  59. 59.

    Jankowski D, Amanowwicz M (2016) On efficiency of selected machine learning algorithms for intrusion detection in software defined networks. Int J Electron Telecommun, 62(3):247–252

Download references

Author information



Corresponding author

Correspondence to Naveen Chilamkurti.

Additional information

This article is part of the Topical Collection: Special Issue on Software Defined Networking: Trends, Challenges and Prospective Smart Solutions

Guest Editors: Ahmed E. Kamal, Liangxiu Han, Sohail Jabbar, and Liu Lu

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Sultana, N., Chilamkurti, N., Peng, W. et al. Survey on SDN based network intrusion detection system using machine learning approaches. Peer-to-Peer Netw. Appl. 12, 493–501 (2019).

Download citation


  • NIDS
  • Machine learning
  • Deep learning
  • SDN