Open AccessArticle

Hybrid AI-Powered Real-Time Distributed Denial of Service Detection and Traffic Monitoring for Software-Defined-Based Vehicular Ad Hoc Networks: A New Paradigm for Securing Intelligent Transportation Networks

Onur Polat

^1,*

Saadin Oyucu

Muammer Türkoğlu

³,

Hüseyin Polat

⁴

Ahmet Aksoz

⁵

and

Fahri Yardımcı

⁶

Department of Computer Engineering, Bingöl University, Bingöl 12000, Turkey

Department of Computer Engineering, Adiyaman University, Adiyaman 02040, Turkey

Department of Software Engineering, Samsun University, Samsun 55000, Turkey

⁴

Department of Computer Engineering, Faculty of Technology, Gazi University, Ankara 06500, Turkey

⁵

MOBILERS, Sivas Cumhuriyet University, Sivas 58580, Turkey

⁶

Independent Researcher, Ankara 06500, Turkey

Author to whom correspondence should be addressed.

Appl. Sci. 2024, 14(22), 10501; https://doi.org/10.3390/app142210501

Submission received: 8 October 2024 / Revised: 10 November 2024 / Accepted: 12 November 2024 / Published: 14 November 2024

(This article belongs to the Special Issue Emerging Technologies in Network Security and Cryptography)

Download

Browse Figures

Figure 1
General architecture of vehicular networks. "> Figure 2
Software Defined Network Architecture. "> Figure 3
Software Defined Vehicular Ad Hoc Network Architecture. "> Figure 4
SD-VANET_Guard intrusion detection system integration. "> Figure 5
The overall architecture of the 1DCNN-DT hybrid artificial intelligence model. "> Figure 6
The convolution process. "> Figure 7
The number of packets received and transmitted through the controller’s interface in the experimental SD-VANET topology. "> Figure 8
CPU utilization of the controller in the experimental SD-VANET topology. "> Figure 9
Percentage of DDoS traffic in the existing network flow within the experimental SD-VANET topology. ">

Versions Notes

Abstract

Vehicular Ad Hoc Networks (VANETs) are wireless networks that improve traffic efficiency, safety, and comfort for smart vehicle users. However, with the rise of smart and electric vehicles, traditional VANETs struggle with issues like scalability, management, energy efficiency, and dynamic pricing. Software Defined Networking (SDN) can help address these challenges by centralizing network control. The integration of SDN with VANETs, forming Software Defined-based VANETs (SD-VANETs), shows promise for intelligent transportation, particularly with autonomous vehicles. Nevertheless, SD-VANETs are susceptible to cyberattacks, especially Distributed Denial of Service (DDoS) attacks, making cybersecurity a crucial consideration for their future development. This study proposes a security system that incorporates a hybrid artificial intelligence model to detect DDoS attacks targeting the SDN controller in SD-VANET architecture. The proposed system is designed to operate as a module within the SDN controller, enabling the detection of DDoS attacks. The proposed attack detection methodology involves the collection of network traffic data, data processing, and the classification of these data. This methodology is based on a hybrid artificial intelligence model that combines a one-dimensional Convolutional Neural Network (1D-CNN) and Decision Tree models. According to experimental results, the proposed attack detection system identified that approximately 90% of the traffic in the SD-VANET network under DDoS attack consisted of malicious DDoS traffic flows. These results demonstrate that the proposed security system provides a promising solution for detecting DDoS attacks targeting the SD-VANET architecture.

Keywords:

SDN; DDoS attack; VANET; deep learning; real-time intrusion detection; intelligent transportation systems

1. Introduction

The rapid growth in the global human population has resulted in a substantial increase in the number of vehicles on the roads. In today’s world, private vehicles are the predominant mode of transportation, leading to an intensified strain on transportation infrastructure and safety. This surge in vehicle usage has consequently caused a rise in traffic accidents, highlighting the urgent need for safer and more efficient transportation solutions [1]. To alleviate range anxiety in electric vehicles, ensure safe and comfortable travel, and implement coordinated, mobility-aware charging strategies, there is a continuously growing demand for Intelligent Transportation Systems (ITS). These systems facilitate the exchange of critical information, such as traffic conditions, accidents, emergencies, and roadworks, among drivers. As a result, ITS enhances traffic flow management, enables early detection of potential hazards, and helps to mitigate the risk of accidents [2].

Initially, Mobile Ad Hoc Network (MANET) technology was used for wireless communication between vehicles, but due to its inability to meet the security and specific application requirements, it was replaced by Vehicular Ad Hoc Networks (VANETs). VANETs are critical in supporting autonomous driving, enhancing road safety, optimizing traffic flow, and improving passenger experience. VANETs facilitate vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), and vehicle-to-pedestrian (V2P) communications, sharing information about road conditions, traffic density, and incident notifications to provide a safer and more efficient driving experience [3].

However, the traditional VANET architecture is insufficient to meet the basic requirements of intelligent transportation systems regarding network management, scalability, and routing. The existing VANET architecture, especially with the advent of 5G technology, is inadequate for content-based information sharing. Therefore, new network architectures are required to meet the needs of smart cities and intelligent vehicle technologies [4].

The Software Defined Networking (SDN) paradigm offers effective solutions to the scalability and management challenges of traditional VANET architectures. By decoupling the control and data planes, SDN enables centralized management of the network by a controller, allowing VANET networks to be managed more efficiently and effectively [5]. This centralized control and flexibility help overcome the scalability and coordination issues of traditional VANETs. The benefits of SDN play a significant role in the future of intelligent transportation systems through a new architecture known as SD-VANET (Software Defined-based Vehicular Ad Hoc Networks) [6].

In addition, SDN technology optimizes energy management for electric vehicles, increases the efficiency of charging infrastructure, supports vehicle-to-grid (V2G) integration, and enables dynamic pricing mechanisms. SDN also improves security by protecting the charging infrastructure from cyber threats [7]. In this context, SDN is emerging as a critical component in making the energy demands and grid support of electric vehicles more efficient.

Although SD-VANET has the potential to revolutionize intelligent transportation systems, it is vulnerable to cyberattacks like any other system. In particular, Distributed Denial of Service (DDoS) attacks pose a serious threat to SD-VANETs. Such attacks target the centralized controller of the SD-VANET, and a successful attack on the controller can adversely affect the entire network, resulting in degraded network performance or complete communication failure [8]. This situation threatens traffic safety, making the security of SD-VANETs critical to the success of intelligent transportation systems. Therefore, cybersecurity should be prioritized in designing these systems, and anomaly traffic detection systems must be developed to counter threats such as DDoS attacks [9].

In this study, a hybrid artificial intelligence model, called 1DCNN-DT, is proposed to detect DDoS attacks targeting the SDN controller in the SD-VANET architecture. To effectively extract features from low-volume DDoS traffic data, a Convolutional Neural Network (CNN) architecture is employed in the hybrid model. The proposed security system, named SD-VANET_Guard, is designed to operate as a module within the SDN network controller. SD-VANET_Guard, working within the SDN network controller, provides an attack detection methodology that includes collecting network traffic data, processing these data, and classifying network traffic.

The contributions of this study to the literature are as follows:

Contribution to Scalability and Flexibility in Intelligent Transportation Systems: This study highlights the challenges faced by the traditional VANET architecture in terms of scalability, flexibility, and management and proposes a new architecture called SD-VANET that utilizes the Software Defined Networking (SDN) approach as a solution to these issues. This architecture can potentially adapt to the future needs of intelligent transportation systems. In addition, SDN technology optimizes the charging requirements of electric vehicles, reducing latency and providing a faster and more efficient charging process.

Innovative Solution Proposal for Security Issues in SD-VANET Architecture: This study addresses potential security vulnerabilities in the SD-VANET architecture, which combines Software Defined Networking (SDN) and Vehicular Ad Hoc Networks (VANET). It proposes a hybrid artificial intelligence model (1DCNN-DT) specifically designed to effectively detect DDoS attacks targeting the SD-VANET controller.

Real-Time DDoS Detection and Traffic Monitoring: The research develops the SD-VANET_Guard security system, which can be seamlessly integrated into SD-VANET systems to accurately detect DDoS attacks and monitor network traffic in real-time. This security system enhances the reliability of SD-VANET by achieving high detection rates even under low-volume attack traffic.

Hybrid Attack Detection Approach Utilizing Artificial Intelligence: The proposed hybrid AI model combines a 1-Dimensional Convolutional Neural Network (1DCNN) and Decision Tree algorithms to effectively extract attack data from network traffic. This hybrid approach provides higher accuracy and faster detection compared to traditional methods.

Evidence of Effectiveness Through Experimental Results: The study tests the performance of the proposed model using real experimental data and demonstrates an impressive detection accuracy of approximately 90% for DDoS attacks. These results indicate that the proposed system is a promising solution for detecting attacks on the SD-VANET architecture.

Contribution to Security in Intelligent Transportation Systems: This research emphasizes the critical importance of security measures in the future of intelligent transportation systems by presenting a new defense mechanism that enhances the resilience of the SD-VANET architecture against cyber threats. This contribution is particularly relevant for applications involving autonomous vehicles and smart cities.

While SD-VANET is indeed an established technology and various models, including CNN and Decision Tree models, have been used in the detection of DDoS attacks, this study introduces a hybrid approach tailored specifically for real-time DDoS detection within SD-VANETs. Our model, 1D-CNN combined with Decision Tree (1DCNN-DT), is designed to address the unique network topology and dynamic communication environment inherent in SD-VANETs. Additionally, the SD-VANET_Guard system integrates this hybrid AI approach with real-time traffic monitoring, enhancing both detection speed and accuracy compared to traditional methods. The proposed model not only identifies DDoS attacks with high precision but also demonstrates resilience against the high variability in traffic flow within SD-VANET, an area that has received limited attention in existing literature. Experimental results indicate that this approach significantly improves detection rates and reduces latency, offering a practical and scalable solution for intelligent transportation systems.

Overall, this study emphasizes the importance of SDN-based VANET security for both academic and industrial applications and highlights the critical role of AI-based real-time DDoS detection in ensuring the reliability and security of intelligent transportation systems.

The introductory section of this study begins with a presentation of the general framework and objectives of the study. This is followed by a detailed literature review. The related studies section examines previous studies and existing methodologies in the field and identifies research gaps. The data collection, analysis, and modeling techniques used in the study are detailed in the materials and methods section. The performance evaluation section presents the results of the study, supported by statistical analyses. Finally, the conclusion section summarizes the main findings of the study. It also discusses the limitations and provides suggestions for future studies.

2. Related Work

Machine learning techniques have been widely used in the literature to address classification problems, such as Distributed Denial of Service (DDoS) attacks. Prominent classification algorithms that have been widely used in numerous studies include Support Vector Machine (SVM), Naive Bayes, K-Nearest Neighbor (KNN), Linear Discriminant Analysis (LDA), and Decision Tree (DT). These methods have shown promising results in various contexts.

In addition, some studies have adopted deep learning-based approaches and implemented feature selection and dimensionality reduction strategies to accurately classify attacks. Despite the advances in machine learning and deep learning techniques, there is a notable lack of studies focused on real-time detection of DDoS attacks specifically targeting Software Defined Vehicular Ad Hoc Networks (SD-VANETs). Most existing work focuses on classifying and detecting attacks using pre-existing datasets, limiting their applicability to dynamic and real-time environments.

A review of the literature reveals that while traditional machine learning methods have been effectively applied to DDoS detection, there is a significant gap in the exploration of real-time detection frameworks in the context of the SD-VANET architecture. Recent studies have primarily utilized static datasets, which may not adequately represent the dynamic nature of network traffic and the evolving tactics of attackers. This highlights the need for further research that utilizes real-time data collection and advanced machine learning techniques to improve the resilience of SD-VANETs against DDoS threats.

Alshamrani et al. pointed out that existing DDoS prevention mechanisms are not effective enough. In their study, they investigated the impact of misbehavior and newflow attacks on SDN architecture by periodically collecting traffic data from forwarding devices in the data plane and applying machine learning classification algorithms. The goal was to develop a system capable of responding quickly to sudden traffic changes in the SDN architecture. The designed system consists of three modules: a machine learning module, feature selection, and the model training, testing, and prediction phases. The study focused on Packet_In messages between the controller and forwarding devices during an attack, and classification algorithms such as SVM, J48, and Naive Bayes were used [10].

Yu et al. developed a software-based platform for vehicular networks. In this platform, attack detection is performed based on OFPT_PACKET_IN messages and flow table entries between the controller and the data plane. Using the SVM classifier, flow table entries were trained, and these entries were combined in the data acquisition module for real-time attack detection. The features of the flow entries were extracted and sent to the SVM training module to determine whether the entries were benign or malicious. In addition, a triggering module was created to reduce the number of OFPT_PACKET_IN messages, and the controller response time was shortened when a certain threshold was exceeded [11].

Tang et al. developed a deep learning model for flow-based anomaly detection. The Deep Neural Network (DNN) model was applied to attack detection, and the results showed that the deep learning approach has a strong potential for flow-based anomaly detection in SDNs [12].

Haider et al. emphasized that cyberattacks are a major threat to evolving computer networks. In particular, they noted that the integration of SDN architecture with artificial intelligence methods provides significant advantages in detecting and preventing DDoS attacks. In their study, they proposed a CNN-based system to detect and verify attacks using a flow-based dataset [13].

Dey et al. compared traditional machine learning algorithms and deep learning models for detecting attacks targeting the software-defined network controller. First, the Random Forest (RF) algorithm was applied to the NSL-KDD dataset, and feature selection was performed to improve accuracy. Then, attack detection was performed using a deep learning model based on Gated Recurrent Unit (GRU) and Long Short-Term Memory (LSTM). The results showed that deep learning outperformed in attack detection [14].

Gadze et al. emphasized that the controller in SDN architecture is the main target of attacks. LSTM and CNN-based deep learning models were used to detect DDoS attacks, and the performance of these models was compared with traditional machine learning algorithms. The study concluded that deep learning models achieved higher success rates than traditional algorithms [15].

In their study, Liu, B., and colleagues proposed a real-time anomaly defense framework called ERT (Extremely Randomized Trees)-EDR (Edit Distance on Real sequence) to detect and prevent TCP-targeted low-rate DoS (LDoS) attacks in SDN-based networks. ERT-EDR consists of three modules: collecting traffic statistics, detecting LDoS attacks using the ERT algorithm, identifying compromised ports, and mitigating the attack using the EDR algorithm. Experiments showed that ERT-EDR effectively detected LDoS attacks with an accuracy of 96.47% and successfully mitigated the attacks [16].

Setitra, M. A., and colleagues proposed a deep learning model called TabNet to detect DDoS attacks in SDN-based VANETs. TabNet is a model that works on tabular data and outperforms traditional machine learning models. The performance of the model was enhanced with Adam optimization, and comparative evaluations with other algorithms achieved 99.42% accuracy. The proposed method provides a better solution in terms of accuracy and efficiency for detecting DDoS attacks in SDN-based VANETs compared to traditional techniques [17].

In their study, Michelena, Á. et al. focus on detecting DoS attacks in IoT networks that use the MQTT protocol. They evaluate six supervised classification methods combined with PCA for feature reduction, achieving high detection accuracy. Models like Multi-Layer Perceptron and Decision Trees achieved AUC values exceeding 99%. This study offers a robust approach for securing MQTT-based IoT systems and suggests potential extensions to other protocols and types of attacks [18].

3. Ad Hoc Networks

Ad Hoc Networks are networks in which devices communicate directly without the need for a centralized access point. Originally developed for military operations, these networks provide a communication solution that does not require infrastructure between mobile units. As these networks evolved, Mobile Ad Hoc Networks (MANETs) emerged to provide a more dynamic and scalable structure. While MANETs offer advantages in scenarios such as emergencies and military operations, they face challenges related to security, performance, and management [19].

The limitations of MANETs, along with advances in wireless networking technologies, led to the concept of Vehicular Ad-Hoc Networks (VANETs). VANET enables wireless communication between vehicles and is used in traffic management, safety, and autonomous vehicle systems. VANET consists of components such as Road Side Units (RSUs), On Board Units (OBUs), and Application Units (AUs) (Figure 1). RSUs are fixed roadside nodes that communicate with vehicles, while OBUs collect and process data from in-vehicle sensors. AUs provide an interface to transmit this data to users [4]. The innovations offered by VANET play a critical role in areas such as smart cities and autonomous vehicles.

In VANETs, communication faces several unique challenges due to the inherent characteristics of vehicular environments. High mobility, caused by the continuous movement of vehicles, results in frequent topology changes that can disrupt communication paths and make maintaining consistent network connections more difficult [20]. Additionally, varying network densities, ranging from sparse connectivity in rural areas to highly dense networks in urban regions, further complicate network management [21]. These dynamic conditions impact communication efficiency and introduce significant challenges for real-time data processing and cybersecurity within VANETs.

This study builds upon the SD-VANET framework to address these specific challenges, an innovative approach that integrates SDN principles with VANETs [22]. By centralizing network control, SD-VANET enhances overall scalability, security, and flexibility, allowing for more adaptive and responsive network management [23]. SDN’s centralized control framework is particularly beneficial for VANET environments, as it allows for streamlined decision-making processes and quicker adjustments to rapid topology changes. This centralized approach also facilitates better handling of security measures, which are critical in VANETs due to the heightened risk of cyber threats, such as DDoS attacks, that can exploit the network’s dynamic nature [24].

Our approach utilizes a hybrid model that combines a one-dimensional 1D-CNN with a Decision Tree to effectively detect and mitigate DDoS attacks within the SD-VANET environment. The 1D-CNN, integrated within the SD-VANET architecture, serves as a powerful tool for feature extraction, enabling it to capture critical patterns from traffic flow data even in conditions of high mobility and network density. This deep learning component is capable of identifying complex relationships within the data, helping to distinguish between normal traffic and potentially malicious flows. Meanwhile, the Decision Tree model complements this by providing rapid classification capabilities, which are essential for real-time anomaly detection. The Decision Tree’s straightforward and computationally efficient structure allows the system to process data quickly, ensuring that the detection mechanism remains effective in dynamic and time-sensitive VANET environments.

By incorporating SDN into an ad hoc vehicular network, our proposed method achieves centralized, efficient traffic management along with robust cybersecurity measures. This combination addresses both the scalability and security needs of modern vehicular networks. Centralized control via SDN not only enhances the network’s ability to handle high traffic volumes but also allows for the rapid deployment of security protocols, such as DDoS detection and response strategies. As a result, our approach is particularly suitable for intelligent transportation systems, where reliable, real-time communication and high security are paramount. The integration of SDN within VANETs provides a pathway toward more resilient and adaptable vehicular networks, paving the way for secure and efficient intelligent transportation infrastructures.

4. Software Defined Networks

Software-Defined Networking (SDN) is a promising technology for network management and the future of next-generation networks, including 5G cellular, Wi-Fi 6, edge computing, and the Internet of Things (IoT). SDN offers an intelligent, flexible, and cost-effective architecture that supports innovative networks and meets the high bandwidth demands and dynamic nature of modern applications [25]. By separating the data plane from the control plane, traditionally integrated into legacy network architectures, SDN enables efficient and simplified network management (Figure 2) [26]. The control functions are abstracted and transferred to an external device, centralizing decision-making and optimizing network operations [27]. In SDN architecture, physical network devices become simple forwarding elements, responsible only for data transmission without any embedded control functions or software. This paradigm shift allows SDN to deliver the agility, scalability, and performance essential for today’s complex networking environments [28].

Data Plane: Network devices such as switches, routers, and wireless devices collect network traffic and transmit these data to the controller. They also process packets according to the rules established by the controller.

Control Plane: The controller acts as the central management unit of the network, optimizing network performance, defining flow rules, and virtualizing network functions. It adds new rules to the data plane using protocols such as OpenFlow.

Application Plane: Network services and applications communicate with the controller through the Northbound interface to obtain information about the state of the network and to apply high-level policies. The Southbound interface facilitates the controller’s interaction with data plane devices.

SDN’s open interfaces simplify the configuration and management of complex and heterogeneous networks to meet the dynamic needs of today’s networks [29].

4.1. Software Defined Vehicular Ad Hoc Networks

Software Defined Vehicular Ad Hoc Networks (SD-VANET) is a new paradigm resulting from the integration of Software Defined Networking (SDN) technology into VANET. This architecture enhances the flexibility and programmability of networks by separating the data and control planes while enabling more efficient resource management. SD-VANET comprises controllers, OpenFlow-compatible transmission devices (such as Road Side Units and Access Points), and vehicles under the control of the controller [30].

The SD-VANET architecture is divided into three fundamental planes: the data plane, the control plane, and the application plane (Figure 3). The data plane includes data transmission devices such as Road Side Units, Access Points, and switches. These devices connect to the controller via the OpenFlow protocol and have a fallback mechanism that allows them to revert to traditional VANET functions if necessary. The control plane acts as the brain of the network, directing traffic, minimizing security threats, and optimizing network performance [6]. The use of multiple controllers enhances security and increases data transmission speed. The application plane includes network services and applications, such as routing, security, load balancing, and virtualization. The Northbound interface allows applications to interact with the controller, facilitating dynamic network management.

This architecture combines the advantages of centralized control and programmability provided by SDN with the flexibility of VANET, offering innovative solutions, particularly in autonomous vehicles and intelligent transportation systems [9].

The utilization of multi-controller architectures in mobile network structures such as SD-VANETs enhances real-time response rates, providing an effective counter to attacks. This architecture enables the network to operate efficiently at larger scales by distributing tasks and resources among controllers, thereby balancing the load of network management. Furthermore, the multi-controller setup allows for seamless failover; if one controller fails, others take over its responsibilities, ensuring uninterrupted network availability [31]. By enabling different sections of the network to be managed by specific controllers, this design facilitates the application of tailored solutions across various network segments, thereby enhancing flexibility. In Software-Defined wireless networks, hierarchical multi-controller configurations and strategic controller placement optimize resource usage and reduce latency by strengthening control over data plane elements [28].

4.2. SD-VANET Architecture: Advantages and Disadvantages

Traditional VANET networks are struggling to meet the increasing demands for flexibility, security, and scalability, leading to the development of SD-VANET structures integrated with SDN technology to meet these needs. However, this new technology brings some disadvantages along with its advantages [5].

Advantages:

Flexibility and Vendor Independence: The flexible and programmable nature of SDN eliminates vendor dependency by isolating network applications from hardware. This makes it easier to integrate new technologies.

Performance Optimization: With its central controller, SDN can effectively address optimization issues such as traffic scheduling, congestion control, and packet routing by enabling efficient information exchange between network layers.

Ease of Configuration and Innovation: The central controller simplifies network configuration and facilitates the addition of innovations, which is a significant advantage in complex and heterogeneous network environments [32].

Security and Defense Mechanisms: SDN enables centralized monitoring and analysis of network traffic, enabling the development of effective defenses against attacks. In addition, its self-healing capabilities help detect malicious traffic and prevent attacks.

Dynamic Channel Management: SD-VANET can dynamically select channels and frequencies based on the communication needs of vehicles, optimizing communication according to traffic density and road conditions.

Efficient Routing: The central controller of SDN optimizes data flow, reducing message delay and network bandwidth consumption.

Disadvantages:

Security Threats: As a critical part of the network, SDN’s central controller becomes a target for attack. Failure of the controller could render the entire network inoperable [33].

Scalability and Latency: Efficient management of centralized control in large-scale networks is challenging, leading to potential latency and scalability issues. As network traffic increases, the controller may become a bottleneck, adversely affecting network performance [7].

Dynamic and Rapidly Changing Structure: The high mobility of VANET can cause communication disruptions between the controller and data plane devices, reducing overall network performance.

Security Challenges: The dynamic nature of SD-VANET requires new security solutions to protect network devices. Moreover, controlling malicious nodes can lead to an overload on the controller.

Need for AI-Based Solutions: Increasing vehicle density in traffic can complicate the controller’s ability to manage traffic. This problem should be addressed by integrating AI-based traffic prediction algorithms.

While the SD-VANET architecture offers innovative solutions to the challenges faced by traditional VANET structures, it also presents new challenges that require careful management, particularly in areas such as security and scalability [34].

4.3. SD-VANET Network Security: DDoS Attacks and Risks

The widespread adoption of autonomous vehicles and the development of intelligent transportation systems pose new challenges to the security of SD-VANET networks [23]. Integrating such systems without ensuring network security can cause significant damage to infrastructure and endanger human lives. SD-VANET networks are particularly vulnerable to cyber threats, such as DDoS attacks [35].

4.3.1. DDoS Attacks and Impacts

DDoS attacks target the central controller of the SDN architecture, crippling the functionality of the network. An attacker generates false packets to exhaust network resources, overwhelming the controller’s processing capacity. Since these false packets do not match the flow tables, the controller must continuously request new rules [36]. Over time, the controller’s resources become depleted, rendering it incapable of processing legitimate traffic and bringing network services to a standstill [37].

4.3.2. Threats to the SD-VANET Architecture

DDoS attacks primarily target the control plane, the data plane, and the communication channels between these two planes. Failure of the controller can render the entire SD-VANET architecture non-functional. The communication between the controller and the devices in the data plane, managed through the OpenFlow protocol, regulates the functions of these devices and ensures the integrity of network traffic [36]. However, if this channel is attacked, an adversary can intercept and manipulate the data flow [38].

The security of SD-VANET networks necessitates robust measures against threats such as DDoS attacks. Exhausting the controller’s resources can lead to network collapse and service disruptions. Therefore, the resilience of security protocols and infrastructure is critical for the success of such networks [39].

5. Material and Methods

A security system called SD-VANET_Guard has been proposed for the detection of DDoS attacks targeting the controller within the SD-VANET architecture. This system is designed to operate within the Software Defined Networking (SDN) controller of VANET networks to assist in protecting against DDoS attacks. The SD-VANET_Guard security system incorporates a hybrid artificial intelligence model known as 1DCNN-DT for detecting DDoS attacks. Our detection methodology involves collecting network traffic data using the Ryu controller, processing this data, and classifying the network traffic data. The experimental topology created to collect DDoS attack data and legitimate network traffic data are illustrated in Figure 4.

The experimental SD-VANET topology comprises 20 vehicles (vehicle IP range: 10.0.0.1–10.0.0.20) and 6 Access Points (APs) that support WPA2 encryption. The APs are placed along the roadside to provide wireless connectivity to the vehicles located in the data plane. The vehicles connect to the APs using Intelligent Transportation Systems (ITS) connections that simulate the IEEE 802.11p wireless standard, also known as WAVE (Wireless Access in Vehicular Environments) [40]. The Ryu controller establishes a connection with communication devices in the data plane through the APs using the OpenFlow protocol. The simulation is integrated with the SUMO emulator, which generates the movement of vehicles on a predefined road network.

sFlow has been integrated into the network for real-time monitoring of network traffic. sFlow collects data traffic from the experimental SD-VANET network. When sFlow is initiated, it automatically connects to the sFlow agent defined on the devices in the SD-VANET network and begins collecting data traffic, including IP addresses, sampling rates, and polling intervals.

The Ryu controller and Mininet-WIFI operate on the same virtual machine, while sFlow runs on a different virtual machine. Mininet-WIFI and Ryu-SDN are installed on Ubuntu 20.04-1 with 4 GB of RAM and a dual-core CPU, whereas sFlow is installed on Ubuntu 20.04-1 with 4 GB of RAM and a single-core CPU.

The performance of the SD-VANET model was evaluated under conditions similar to those of intelligent transportation systems using the Mininet-WiFi simulator. This simulation demonstrated the system’s robustness in handling real-time traffic flows and DDoS attack scenarios. Consistent with recent studies, SD-VANETs have shown efficacy in detecting sophisticated attacks within dynamic environments [41]. Future research will extend the simulation scenarios to further validate the model’s scalability and resilience under a broader range of conditions.

5.1. Simulation Environment in the Context of Vehicular Networks

In this study, the simulation environment was configured to reflect vehicular network conditions within an SD-VANET framework. The simulation focuses on core characteristics of VANET environments, such as dynamic network topology changes and high mobility. While specific vehicular mobility models were not individually applied, the setup incorporates elements that approximate typical traffic behaviors in vehicular networks.

To emulate the high density and dynamic communication demands of VANETs, network parameters were selected to replicate frequent topology shifts and variable traffic flows. This approach provides an effective baseline for evaluating the SD-VANET_Guard system’s performance in identifying and mitigating DDoS attacks within the SD-VANET context, where real-time response and adaptation to network dynamics are critical.

5.2. Scenario for Legal Network Traffic

The Iperf tool was utilized to load the network and evaluate its capacity. Iperf is a tool that employs a client-server model, generating traffic in the form of data streams between server and client nodes. It produces random traffic, meaning that a host sends packets to any other host in the network with equal probability. Iperf can create TCP or UDP streams to load the network. In TCP mode, an Iperf client transmits an infinite amount of data to the server via a TCP stream. After a specified duration, the Iperf tool cancels the TCP connection and displays various statistics and the total amount of data successfully transmitted on the screen.

Random flows among users were generated using Iperf in conjunction with the Mininet Flow Generator. For each flow, one user is randomly selected as the server and another user is chosen as the client. The randomly selected users establish TCP and UDP connections using Iperf.

ApacheBench measures the performance of a web server by saturating it with HTTP requests and recording latency and success metrics, thereby conducting an HTTP benchmark. A large number of HTTP requests are sent using ApacheBench. In the simulation, all users run a Python HTTP server and an Iperf server to generate TCP and UDP traffic flows.

When normal traffic data are transmitted across the network, the Ryu controller records flow statistics in a local file in CSV format upon receiving an “OFPC_FLOW_STATS_REPLY” message from the OpenFlow switches. The recorded attributes are augmented by adding a traffic class, increasing the number of features. In this class, normal traffic is labeled as “0”.

5.3. Attack Scenario

A TCP flood attack was carried out by the attacking vehicle (vehicle 5) targeting the victim vehicle (vehicle 4) using the command ‘hping3—a 1.1.1.1 -p 80 -w 200—rand-source 10.0.0.8’ with the Hping3 packet generator. The TCP window size was set to 200 bytes. During the experimental study, normal traffic continued uninterrupted during the attack.

When attack traffic data are transmitted across the network, the Ryu controller records flow statistics in a local file in CSV format upon receiving an “OFPC_FLOW_STATS_REPLY” message from the OpenFlow switches. In the traffic class, attack traffic is labeled as “1”.

5.4. Dataset

An experimental simulation was conducted for 10 min to collect data on DDoS attacks and normal network traffic. During the simulation, TCP and UDP packets were initially sent as normal packets and later as DDoS attack packets. Each of these packets has a payload of 512 bytes. The resulting dataset contains 698,767 samples and 21 features and is categorized into two classes: “Normal” and “DDoS Attacks.” Of the samples, 309,602 represent normal network traffic flow data, while 389,165 correspond to DDoS attack traffic flow data. All features in the dataset are derived from traffic flow statistics specific to the SD-VANET architecture. The attributes in the dataset are presented in Table 1.

After labeling and recording normal network traffic data and attack traffic data in the controller, the model was created by running the 1DCNN-DT training code. All the collected data were used during the training phase. After training, the model was saved to the detection module in the controller.

5.5. Network Traffic Data Collection

In this study, an experimental topology for SD-VANET was established, where data samples were collected using the Ryu modular application. A module within the Ryu controller reads switch statistics every

T_{f} = 10

s and stores these statistics in a local file. This section mathematically formalizes the system’s core operations, traffic feature extraction, and DDoS detection process.

5.5.1. Traffic Feature Collection via OpenFlow

In the OpenFlow-based approach, the control plane (SDN controller) queries the data plane devices (OpenFlow switches) for traffic statistics at regular intervals

T_{f}

. Let there be

N

switches, denoted by

S_{i}

where

i = 1,2, \dots, N

At each time step t, the SDN controller sends a flow statistics request,

R_{f} (t)

, to each switch

S_{i}

to retrieve up-to-date traffic information. This request is structured as (Equation (1)):

R_{f} (t) = \{O F P C_F L O W_S T A T S_R E Q U E S T\} \forall i = 1,2, \dots, N

(1)

In Equation (1):

R_{f} (t)

: represents the flow statistics request made by the controller to each switch

S_{i}

at time t.

OFPC_FLOW_STATS_REQUEST: a specific OpenFlow command that queries switches for flow statistics, ensuring the controller obtains information about each flow passing through the switches.

The notation

\forall i = 1,2, \dots, N

: indicates that this request is made to all switches in the network, where N is the total number of switches in the system.

Each switch

S_{i}

responds with a flow statistic reply

R_{f_r e p l y} (t)

, which contains traffic features

F_{i} (t)

for each flow at time t. These features include packet counts, byte counts, and flow durations, among others. Mathematically, this can be expressed as:

R_{f_r e p l y} (t) = \{O F P C_F L O W_S T A T S_R E P L Y| F_{i} (t)\}

(2)

where the feature set

F_{i} (t) = {timestamp, datapath_id, flow_id, ip_src, ip_dst, tp_src, tp_dst, ip_proto, packet_count, byte_count, \dots}

(3)

Equation (3) represents the traffic features collected from a switch. Traffic features from each switch are recorded at specific time intervals and are used to analyze network traffic. This set of traffic features is defined as

F_{i} (t)

, and includes the following components:

timestamp: The timestamp when the traffic feature was collected.
datapath_id: The unique identifier of the switch.
flow_id: The unique identifier for each flow.
ip_src, ip_dst: Source and destination IP addresses.
tp_src, tp_dst: Source and destination transport protocol port numbers.
ip_proto: IP protocol number (e.g., TCP, UDP).
packet_count: The total packet count for a specific flow.
byte_count: The total byte count for a specific flow.

These traffic features are recorded for all flows collected from a switch at a specific time and are expressed as shown in Equation (3).

Each switch sends its flow statistics to the controller, which aggregates these responses over all switches

i = 1,2, \dots N

. The combined feature set for all switches at time t is denoted as:

F_{a l l} (t) = ⋃_{i = 1}^{N} F_{i} (t)

(4)

Equation (4) represents the aggregated traffic features collected from all switches. Since there are multiple switches

S_{i}

in the system, the traffic features from each switch are collected as

F_{i} (t)

. To compile traffic features from all switches at time step t, a cumulative feature set

F_{a l l} (t)

is used in Equation (4).

Where

$F_{i} (t)$ : Traffic features collected from the i-th switch at time t (e.g., packet count, byte count, etc.)
$N$ : Total number of switches
$F_{a l l} (t)$ : Represents the aggregated traffic features collected from all switches at time t.

The aggregated flow statistics are then stored locally in CSV format for further processing:

D_{l o c a l} (t) = {{F}_{a l l} (t)}

(5)

5.5.2. Multi-Threaded Processing in Ryu Controller

The Ryu controller is designed to handle multiple tasks simultaneously using threads. Let

T_{j}

denote thread j, where each thread performs a specific function. For instance:

T_{1}

: Monitors “OFPT_PACKET_IN” messages and applies flow rules.

T_{2}

: Sends “OFPC_FLOW_STATS_REQUEST” messages at each

T_{f}

interval and requests flow statistics from switches.

T_{3}

: Collects flow statistics from the data plane, processes the replies, and stores the data in CSV files.

T_{4}

: Reads the CSV files and initiates the DDoS detection model if a new flow request exists. This process is repeated every 10 s, forming a periodic loop.

The overall system operates asynchronously, with each thread contributing to the continuous flow of data processing and feature extraction.

5.5.3. DDoS Detection Using Traffic Features

The DDoS detection process begins by analyzing the traffic feature vectors

X (t)

derived from the flow statistics at time t. The feature vector

X (t)

contains critical network statistics aggregated from all switches:

X (t) = [\sum_{i = 1}^{N} {p a c k e t_c o u n t}_{i} (t), \sum_{i = 1}^{N} {b y t e_c o u n t}_{i} (t), \sum_{i = 1}^{N} {f l o w_d u r a t i o n}_{i} (t), \dots]

(6)

where

\sum_{i = 1}^{N} {p a c k e t_c o u n t}_{i} (t)

: Total packet count across all switches at time t.

\sum_{i = 1}^{N} {b y t e_c o u n t}_{i} (t)

: Total byte count across all switches at time t.

Let

X (t) \in R^{d}

where d represents the number of traffic features. The DDoS detection model evaluates

X (t)

to classify the traffic as either normal or an attack. The binary output

\hat{y} (t)

of the detection model is defined as:

\hat{y} (t) = \{\begin{matrix} 1, i f d d o s a t t a c k i s d e t e c t e d \\ 0, i f n o r m a l t r a f f i c i s d e t e c t e d \end{matrix}

(7)

The detection process can be formulated as a classification problem where a detection function

f_{d e t e c t} (X (t))

maps the feature vector to a binary outcome:

\hat{y} (t) = f_{d e t e c t} (X (t))

(8)

where

f_{d e t e c t}

: DDoS detection model (e.g., a classification algorithm)

\hat{y} (t)

: Detection result at time t (1: DDoS attack detected, 0: Normal traffic)

5.5.4. sFlow-RT Data Collection and Monitoring

In the experimental setup, sFlow-RT is configured on a separate server to act as a collector for gathering flow data. The sFlow-RT system accesses flow data from all switches using the OpenFlow protocol. At every time step t, the sFlow-RT collects flow data

X_{s f l o w} (t)

from each switch, which is made available via an HTTP endpoint:

X_{s f l o w} (t) = [{m e t r i c}_{1} (t), {m e t r i c}_{2} (t), \dots]

(9)

where

{m e t r i c}_{1} (t), {m e t r i c}_{2} (t), \dots

: Metrics collected by sFlow-RT at each time step t.

Prometheus fetches this data from the sFlow-RT HTTP endpoint every 10 s and stores it in a time-series format:

X_{p r o m} (t) = \{X_{s f l o w} (t), t\}

(10)

These metrics are stored as a timestamped dataset in Prometheus for further analysis and visualization.

5.5.5. Visualization of Network Metrics

The visualization of network traffic metrics is handled by Grafana, which retrieves the time-series data from Prometheus and presents it as understandable graphs and alerts. Let

V_{g r a f a n a} (t)

denote the visual representation of metrics at time t:

V_{g r a f a n a} (t) = V i s u a l i z e (X_{p r o m} (t))

(11)

where

Visualize: A function that visualizes the data obtained from Prometheus in Grafana

X_{p r o m} (t)

: Prometheus data at time t.

Grafana processes the data to generate real-time visualizations, helping administrators to monitor network health and detect anomalies efficiently.

5.5.6. Overall System Workflow

The overall workflow of the SD-VANET_Guard DDoS detection system can be summarized mathematically as follows:

\hat{y} (t) = f_{d e t e c t} ([\sum_{i = 1}^{N} {p a c k e t_c o u n t}_{i} (t), \sum_{i = 1}^{N} {b y t e_c o u n t}_{i} (t), \dots])

(12)

This entire process operates in real time, enabling the system to detect DDoS attacks swiftly and provide continuous monitoring and feedback through visual dashboards.

5.6. Attack Detection Module

The SD-VANET_Guard security system we have developed incorporates a hybrid artificial intelligence model named 1DCNN-DT, designed to detect DDoS attacks.

The 1DCNN-DT model is a hybrid artificial intelligence model consisting of the combination of a one-dimensional convolutional neural network and decision tree algorithms. The model extracts deep features through 1DCNN layers to detect attack patterns in network traffic. It then passes these features to the Decision Tree algorithm to classify them as attacks or normal traffic. While 1DCNN captures the fine details that stand out in low-volume DDoS attack traffic, the Decision Tree provides real-time threat detection by quickly classifying these features. This structure balances accuracy and processing speed, providing an effective security solution in dynamic network environments such as SD-VANET.

In this study, the collection of network traffic data is performed through the Ryu controller. SD-VANET_Guard collects all flow table entries from each switch in the experimental topology via the OpenFlow protocol. These entries are transmitted from the data plane to the control plane of the network. The developed data collection module processes each flow table entry and extracts specific attributes. These attributes are derived from network traffic characteristics, such as packet count, data size, source and destination IP addresses, and protocol type. Feature extraction is performed based on predefined criteria to analyze the behavior of the flow over time.

The extracted features are transmitted, in JSON format or other standard data transmission formats, to the hybrid AI model (1DCNN-DT) that has been pre-trained to classify the flow as either legal or illegal. This process involves feeding the data into the input layer of the hybrid AI model in the controller, with the data being transmitted over the TCP/IP protocol or directly via the network’s transmission channels with minimal latency. The hybrid AI model processes these inputs and determines whether the flow is legal or illegal.

Upon detecting illegal network traffic, the system generates an immediate alert. This alert is relayed by the controller to the router or other network components. The alert generation typically takes place through an alert module within the controller, and these alerts are communicated to network administrators and relevant security units via protocols such as SNMP (Simple Network Management Protocol) or syslog. Additionally, the alert can be programmed to trigger actions, such as limiting or blocking traffic from the source of the attack.

Following the data collection process, the 1DCNN-DT hybrid artificial intelligence model was employed for processing the data and classifying the network traffic. To detect DDoS attacks, a dataset was first created for use in the training and testing phases of the hybrid AI model. In the prepared dataset, samples of illegal network traffic and legal network traffic were labeled as ‘0’ and ‘1’, respectively, representing the two classes. Subsequently, the training and testing of the hybrid AI model were conducted. After completing the training and performance testing, the model was made ready for deployment.

The SD-VANET_Guard security system was then integrated as part of the controller. This systematic structure is capable of distinguishing between legal network traffic flows originating from normal traffic activity and illegal network traffic flows generated by DDoS attacks.

The hybrid artificial intelligence model 1DCNN-DT proposed in this study consists of three phases. The overall architecture, including these phases, is presented in Figure 5.

As shown in Figure 5, the first phase of the proposed 1DCNN-DT model involves training the CNN architecture. This CNN architecture consists of 3 convolutional layers and 2 fully connected layers, as depicted in Figure 5. In the second phase of the proposed model, deep features are extracted by utilizing the parameters of the trained CNN architecture. These deep features are then used to train a Decision Tree (DT) classifier. In the final phase of the model, the accuracy of the proposed system is evaluated using the test dataset. The following sections provide a detailed explanation of each phase of the proposed model.

In the 1DCNN-DT hybrid AI model, three convolutional layers are utilized. The convolutional layers filter the data to extract deep features, and the weights of these filters are optimized during the model’s training process [42,43]. An example of the convolution process is presented in Figure 6.

Here,

w

represents the filter weights (the parameters to be trained),

x

denotes the input,

w_{0}

is the bias, and

N_{o u t p u t}

represents the convolution output.

In Figure 6, the matrix x on the left represents the input data, where each cell corresponds to a pixel or data point derived from the input. The matrix w at the top shows the filter (kernel) used in the convolutional layer. This filter functions like a sliding window over the data, applied at multiple positions across the input to help extract specific features [44]. The convolution operation is performed by multiplying the weights in the filter with the corresponding sections of the input data, followed by adding the bias value

w_{0}

. This process is repeated at each position to generate a new output matrix,

N_{o u t p u t}

The data presented as input to the 1DCNN-DT hybrid artificial intelligence model

(X_{1}, X_{2}, \dots X_{N})

, are first fed into a 1-dimensional convolution (1D Conv) layer with a kernel size of 5 and 16 filters. This initial convolutional layer facilitates the extraction of basic patterns from the input data. Following this layer, non-linear features are defined through the ReLU (Rectified Linear Unit) activation function, and the data are passed to the second 1D convolutional layer. In the second convolutional layer, 32 filters with a kernel size of 5 are used to extract deeper and more complex features. The third convolutional layer employs 64 filters with a kernel size of 5 [45].

Each convolutional layer extracts features at different levels from the input data. The resulting feature maps are then transformed into a one-dimensional vector via a flattened layer. In the final stage, these deep features are passed to a decision tree classifier model. The decision tree classifier assigns the data samples to a specific class based on the extracted deep features [46].

The development of the 1DCNN-DT hybrid artificial intelligence model consists of three main phases. In the first phase, a CNN architecture, primarily composed of three convolutional layers and two fully connected layers, is constructed. The CNN is trained using the training dataset, and as a result, deep features are extracted. In the second phase, these deep features are fed into a Decision Tree classifier, where the samples are classified. In the final phase, the performance and accuracy of the proposed model are evaluated using the test dataset.

5.6.1. Phase One: Construction of the Convolutional Neural Network Architecture

In this study, the extraction of deep features plays a crucial role in the 1DCNN-DT hybrid artificial intelligence model developed for detecting DDoS attacks. As detailed in Table 2, a CNN architecture was implemented during the deep feature extraction process. This architecture is designed to process data in depth and automatically extract critical features, and it has been optimized to enhance the attack detection performance of the 1DCNN-DT hybrid model.

In the initial phase of developing the 1DCNN-DT hybrid artificial intelligence model, a 1D CNN architecture was constructed, which primarily consists of three convolutional layers and two fully connected layers. The input layer of the model is represented by a data sequence with dimensions of 89 × 1. In the first convolutional layer, the input data are transformed to a size of 85 × 16 using 16 filters and a kernel of size 5. At this stage, the ReLU activation function is applied, resulting in an output of size 86 × 16. The second convolutional layer operates with 32 filters and a kernel of size 5, reducing the data size to 81 × 32. After applying the ReLU activation again, the output size becomes 82 × 32. The third convolutional layer employs 64 filters and a kernel of size 5, further reducing the data to 77 × 64. Subsequently, the ReLU activation is applied, yielding an output size of 78 × 64. The resulting output is then flattened to form a vector of 4928 dimensions. This vector is fed into two fully connected (dense) layers with 256 neurons each, and the ReLU activation function is utilized at the output of each layer.

In the developed 1D CNN architecture, a final fully connected layer with 4 neurons performs classification using the Softmax activation function, resulting in a 4-dimensional output. This architecture effectively enables the processing and classification of deep features. In the first phase of developing the proposed 1DCNN-DT hybrid artificial intelligence model, the 1D CNN architecture was trained using the DDoS training dataset. The Binary Cross-Entropy loss function, defined in Equation (13), was employed for training.

L = - \sum_{i, j}^{M} y_{i \times j} l o g (P_{i \times j}) + (1 - y_{i \times j}) l o g (1 - P_{i \times j})

(13)

Here,

y_{i \times j}

and

P_{i \times j}

represent the actual value and the predicted value of the pixel at position

i \times j

, respectively. The value

L

denotes the mean error value.

5.6.2. Phase Two: Training the Decision Tree Classifier with Deep Features

Decision Tree is a widely preferred method among supervised learning algorithms because it is easy to use, the results are straightforward to interpret, and it can handle both categorical and numerical data. Additionally, despite complex relationships within the dataset, decision tree algorithms can produce reliable results. This algorithm iteratively splits the dataset into smaller, more homogeneous subsets. At each node, decisions are made based on a specific feature, which helps the model gradually understand the structure of the dataset and improves classification accuracy [47].

In the tree structure, internal nodes represent the key features of the dataset, branches represent decision-making rules, and leaf nodes represent the final classification outcomes. The Decision Tree compares feature values starting from the root node, following branches until more homogeneous subsets are formed at each stage. This process continues until a classification result is reached at the leaf node at the end of each branch.

In this study, the Gini Index was used to select the best feature, as it evaluates the purity of the dataset. It is an appropriate method for minimizing the diversity of data at a node and optimizing the decision-making process. To control the complexity of the tree structure, the maximum depth of the tree was limited to 12. This limitation was imposed to prevent overfitting and enhance the overall performance of the model. While deep tree structures often perform well on training datasets, it should be noted that such structures can reduce the model’s generalization capacity.

5.6.3. Phase Three: Testing Phase

The performance of the 1DCNN-DT hybrid model was tested by fixing the parameters learned during the training process. At this stage, the model was directed to classify new data that it had not encountered previously during training. Accuracy, precision, recall, and F1-score metrics were used to evaluate the model’s performance. This approach enabled the assessment of the model’s overall effectiveness and its ability to apply the knowledge gained during training to new data successfully.

6. Performance Evaluation of the SD-VANET_GUARD DDoS Attack Detection System

In this section, the performance results of the proposed detection module for the security system are examined. The results of the tests conducted on the SD-VANET_Guard attack detection system have been analyzed and presented in detail.

In this study, the performance of a Decision Tree model utilizing CNN features has been examined. The model demonstrates consistent success with accuracy, precision, recall, and an F1 score of 99.6%, indicating its capability to accurately detect DDoS attacks and traffic conditions. These high-performance metrics highlight the model’s ability to accurately classify positive and negative classes, suggesting its potential as a robust tool for securing intelligent transportation networks.

A series of experiments were conducted to evaluate the effectiveness of the SD-VANET_Guard attack detection system in detecting DDoS attacks. In these experiments, the system’s performance was tested by initiating mixed types of DDoS flood attacks, such as TCP/SYN flood and UDP flood, while the system was operational.

Table 3 presents detailed information regarding the start times of each module. In the first scenario, the 1DCNN-DT hybrid model, which had been trained using a pre-constructed training dataset, was executed at 17:54:00. At the same time, an initiation command was issued for the attack detection module, activating it successfully. The detection module identified the DDoS attack at 17:58:00. Simultaneously, the Ryu controller started generating flow rules in response to flow requests from the data plane devices at 17:54:00. The DDoS attack itself was initiated at 17:57:30. Due to the dynamic nature of the VANET architecture, intermittent communication breakdowns occurred between the controller and the data plane devices. As a result of this mobility-induced network instability, delays were experienced in the transmission of flow requests from the data plane to the controller, leading to the detection of the attack only at 17:58:00.

In a DDoS attack, the attacker uses compromised computers, turned into zombies, to continuously send requests to Access Points (APs). When these requests do not match the rules present in the flow tables of the APs or Roadside Units (RSUs) (resulting in a flow miss), “OFPT PACKET_IN” messages are transmitted to the controller via the RSUs or APs using the OpenFlow protocol, prompting the creation of new flow rules. Due to the DDoS attack, a large number of packets are sent from the data plane devices to the controller within a short period (Figure 7). As illustrated, a surge in packet transmission from the data plane to the controller occurred at 17:57:30, coinciding with the initiation of the DDoS attack. The controller responds to these incoming flow rule requests using “OFPT PACKET_MOD” messages. This leads to resource exhaustion of the controller (memory, CPU, bandwidth, etc.), causing network malfunction. As shown in Figure 8, the increasing flow of rule requests from 17:57:30 onwards overwhelmed the controller’s processing capacity, resulting in CPU usage reaching 100%.

In the experimental study, a DDoS attack was generated using the Hping3 packet generation tool, where the attacker directed high-volume attack traffic at a rate of 4.55 Mb/s per second through the data plane devices. The incoming packets were matched against the flow entries in the OpenFlow switch’s flow table; however, if no match was found (miss flow), the packets were forwarded to the controller via “OFPT_PACKET_IN” messages, requesting the creation of a new rule. Consequently, the controller received a large number of “OFPT_PACKET_IN” messages within a short period. In response to these rule requests, the controller created new rules and transmitted them to the switch’s flow table. Based on this mechanism, the attack detection system successfully identified the DDoS attack in the SD-VANET network at 17:57:30, as shown in Figure 9. Approximately 90% of the existing flows in the network consisted of DDoS traffic. The detection mechanism demonstrated its capability to distinguish between attack traffic and normal network traffic within the SD-VANET environment. The test results revealed that the 1DCNN-DT hybrid model achieved high classification accuracy and that the proposed SD-VANET_Guard defense system operated effectively as a DDoS detection tool.

SD-VANET networks present a unique environment for traffic flow due to several inherent characteristics, including high vehicle mobility, frequent and unpredictable topology changes, and dynamic network density. These factors create distinct patterns in traffic flows that differ from those observed in more stable, traditional networks. In a typical DDoS attack on a conventional network, attack traffic often overwhelms the target by saturating available bandwidth and exploiting vulnerabilities in a relatively stable network structure. However, in SD-VANET, the variability of traffic flow, rapid vehicle movement, and frequent changes in connection points introduce additional complexities that shape the nature of DDoS traffic.

During DDoS attacks in an SD-VANET environment, traffic flows experience unique disruptions due to the highly mobile nature of the network. For example, as vehicles frequently enter and exit the communication range of Roadside Units (RSUs) and other network nodes, the attack traffic exhibits irregular bursts, creating a sporadic, less predictable pattern compared to attacks on static networks. This leads to high packet loss and temporary link failures, which in turn generate rapid changes in traffic density and the distribution of packet flows. Consequently, DDoS attacks in SD-VANET are marked by short, intense spikes in packet transmission followed by rapid declines, as opposed to the more sustained traffic saturation seen in traditional networks.

Our hybrid detection model leverages the 1D-CNN to capture these unique variations in SD-VANET traffic data, focusing on features such as fluctuating packet arrival rates, intermittent surges, and distinctive flow patterns that occur as vehicles move in and out of range. The 1D-CNN component is particularly suited for SD-VANET’s dynamic context, as it can extract and analyze subtle temporal features from traffic data that correspond to the irregular flow changes caused by high mobility. For instance, when a vehicle under attack transitions out of the RSU’s coverage, the CNN detects the resulting drop in packet reception, while the Decision Tree classifier interprets this as part of the DDoS signature unique to SD-VANET.

Furthermore, SD-VANET networks often experience variable traffic densities, with high concentrations of vehicles in urban areas and lower densities in rural zones. This variability affects the detection of DDoS attacks, as the density changes influence the volume and flow of both legitimate and malicious traffic. Our model is trained to recognize these density-related fluctuations, allowing it to distinguish between natural traffic flow changes and malicious surges that indicate a DDoS event. Unlike conventional DDoS attacks where traffic overload remains consistent, DDoS in SD-VANET generates traffic spikes that coincide with high-density vehicular clusters, making it essential for the detection model to differentiate between these natural and attack-induced anomalies. The Decision Tree classifier contributes by processing these complex flow patterns quickly, helping to classify high-density traffic surges more effectively in real-time.

By addressing these unique characteristics: high mobility, rapid topology changes, and variable traffic density, the SD-VANET_Guard system provides a tailored solution for SD-VANET environments. The proposed hybrid model thus moves beyond merely detecting high volumes of traffic; it dynamically adapts to the shifting conditions of SD-VANET, enabling robust and responsive DDoS detection that aligns with the specific demands of intelligent transportation networks. This capability highlights our system’s novelty and effectiveness in securing SD-VANET against DDoS threats.

7. Conclusions

This study presents a novel security solution for SD-VANET (Software Defined Vehicular Ad Hoc Networks) to counter DDoS (Distributed Denial of Service) attacks in intelligent transportation systems. By combining the flexibility of Software Defined Networks (SDN) with the dynamic communication capabilities of VANET, SD-VANET provides an innovative framework that meets the growing demands of smart transportation infrastructures. However, as emphasized in this study, the centralized SDN controller in SD-VANET introduces significant security vulnerabilities, particularly against DDoS attacks. To mitigate this risk, the proposed SD-VANET_Guard system utilizes a hybrid artificial intelligence model that integrates 1D-CNN with Decision Trees (DT) for DDoS attack detection. Experimental results indicate that the system can identify approximately 90% of malicious DDoS traffic, demonstrating the effectiveness of the SD-VANET_Guard system in enhancing resilience against such attacks.

To further contextualize the performance of the SD-VANET_Guard system, a comparison with relevant studies in the field is provided in Table 4. This table highlights key metrics, methodologies, and results from similar approaches, allowing readers to understand the relative strengths and unique contributions of this study’s hybrid 1D-CNN and Decision Tree model. By positioning our findings alongside existing research, we emphasize how SD-VANET_Guard addresses the real-time detection needs of SD-VANET environments while mitigating vulnerabilities specific to DDoS attacks in intelligent transportation systems.

While several studies have explored the detection of DDoS attacks within SD-VANET and similar network environments, this manuscript presents a unique approach by focusing on a hybrid 1D-CNN and Decision Tree (DT) model specifically optimized for the real-time detection of DDoS attacks in the dynamic SD-VANET environment. Unlike other studies that primarily focus on static datasets or general IoT networks, our model addresses the high variability of traffic flows within SD-VANET and provides a low-latency solution tailored for intelligent transportation systems. Additionally, the integration of the SD-VANET_Guard system directly into the SDN controller allows for efficient processing and rapid response to DDoS attacks, which distinguishes this study from prior work. This work, therefore, fills a critical gap in SD-VANET security by enhancing detection accuracy and response time under realistic network conditions.

In conclusion, this study addresses the scalability and management challenges inherent in traditional VANET architectures through the use of SDN while simultaneously providing a robust security framework to safeguard future intelligent transportation systems from cyber threats. The integration of AI-based attack detection in SD-VANET networks represents a promising approach for both academic research and practical applications in intelligent transportation and network security.

Author Contributions

Conceptualization, O.P., S.O. and M.T.; methodology, MT., O.P. and F.Y.; software, A.A. and S.O.; validation, H.P., M.T. and S.O.; formal analysis, A.A., O.P., F.Y. and M.T.; investigation, H.P., M.T., F.Y., O.P. and S.O.; resources, O.P. and F.Y.; data curation, O.P. and M.T.; writing original draft preparation, M.T., S.O. and A.A.; writing review and editing, H.P., F.Y. and S.O.; visualization, S.O. and M.T.; supervision, O.P. All authors have read and agreed to the published version of the manuscript.

Funding

This paper is supported by the European Union’s Horizon Europe Research and Innovation Programme under grant agreement No. 101095863, project FLEXSHIP.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in the study are included in the article, further inquiries can be directed to the corresponding author.

Acknowledgments

The authors also acknowledge Horizon Europe for the support of our research group.

Conflicts of Interest

The authors declare no conflict of interest.

References

Lee, M.; Atkison, T. VANET Applications: Past, Present, and Future. Veh. Commun. 2021, 28, 100310. [Google Scholar] [CrossRef]
Engoulou, R.G.; Bellaïche, M.; Pierre, S.; Quintero, A. VANET Security Surveys. Comput Commun 2014, 44, 1–13. [Google Scholar] [CrossRef]
Hasrouny, H.; Samhat, A.E.; Bassil, C.; Laouiti, A. VANet Security Challenges and Solutions: A Survey. Veh. Commun. 2017, 7, 7–20. [Google Scholar] [CrossRef]
Shahid Anwer, M.; Guy, C. A Survey of VANET Technologies. J. Emerg. Trends Comput. Inf. Sci. 2014, 5, 661–671. [Google Scholar]
Al-Heety, O.S.; Zakaria, Z.; Ismail, M.; Shakir, M.M.; Alani, S.; Alsariera, H. A Comprehensive Survey: Benefits, Services, Recent Works, Challenges, Security, and Use Cases for SDN-VANET. IEEE Access 2020, 8, 91028–91047. [Google Scholar] [CrossRef]
Mekki, T.; Jabri, I.; Rachedi, A.; Chaari, L. Software-Defined Networking in Vehicular Networks: A Survey. Trans. Emerg. Telecommun. Technol. 2022, 33, e4265. [Google Scholar] [CrossRef]
Arif, M.; Wang, G.; Geman, O.; Balas, V.E.; Tao, P.; Brezulianu, A.; Chen, J. SDN-Based VANETs, Security Attacks, Applications, and Challenges. Appl. Sci. 2020, 10, 3217. [Google Scholar] [CrossRef]
Oluchi Anyanwu, G.; Nwakanma, C.I.; Lee, J.M.; Kim, D.S. Optimization of RBF-SVM Kernel Using Grid Search Algorithm for DDoS Attack Detection in SDN-Based VANET. IEEE Internet Things J. 2023, 10, 8477–8490. [Google Scholar] [CrossRef]
Polat, H.; Turkoglu, M.; Polat, O. Deep Network Approach with Stacked Sparse Autoencoders in Detection of DDoS Attacks on SDN-Based VANET. IET Commun. 2020, 14, 4089–4100. [Google Scholar] [CrossRef]
Alshamrani, A.; Chowdhary, A.; Pisharody, S.; Lu, D.; Huang, D. A Defense System for Defeating DDoS Attacks in SDN Based Networks. In Proceedings of the MobiWac 2017—Proceedings of the 15th ACM International Symposium on Mobility Management and Wireless Access, Co-Located with MSWiM 2017, Miami, FL, USA, 21–25 November 2017; Association for Computing Machinery, Inc.: New York, NY, USA, 2017; pp. 83–92. [Google Scholar]
Yu, Y.; Guo, L.; Liu, Y.; Zheng, J.; Zong, Y. An Efficient SDN-Based DDoS Attack Detection and Rapid Response Platform in Vehicular Networks. IEEE Access 2018, 6, 44570–44579. [Google Scholar] [CrossRef]
Tang, T.A.; Mhamdi, L.; McLernon, D.; Zaidi, S.A.R.; Ghogho, M.; Moussa, F. El DeepIDS: Deep Learning Approach for Intrusion Detection in Software Defined Networking. Electronics 2020, 9, 1533. [Google Scholar] [CrossRef]
Haider, S.; Akhunzada, A.; Mustafa, I.; Patel, T.B.; Fernandez, A.; Choo, K.K.R.; Iqbal, J. A Deep CNN Ensemble Framework for Efficient DDoS Attack Detection in Software Defined Networks. IEEE Access 2020, 8, 53972–53983. [Google Scholar] [CrossRef]
Dey, S.K.; Rahman, M.M. Effects of Machine Learning Approach in Flow-Based Anomaly Detection on Software-Defined Networking. Symmetry 2020, 12, 7. [Google Scholar] [CrossRef]
Gadze, J.D.; Acheampomaa Bamfo-Asante, A.; Agyemang, O.; Nunoo-Mensah, H.; Adu-Boahen, K. An Investigation into the Application of Deep Learning in the Detection and Mitigation of DDOS Attack on SDN Controllers. Technologies 2021, 9, 14. [Google Scholar] [CrossRef]
Liu, B.; Tang, D.; Chen, J.; Liang, W.; Liu, Y.; Yang, Q. ERT-EDR: Online Defense Framework for TCP-Targeted LDoS Attacks in SDN. Expert Syst Appl 2024, 254, 124356. [Google Scholar] [CrossRef]
Setitra, M.A.; Fan, M. Detection of DDoS Attacks in SDN-Based VANET Using Optimized TabNet. Comput. Stand. Interfaces 2024, 90, 103845. [Google Scholar] [CrossRef]
Michelena, Á.; Aveleira-Mata, J.; Jove, E.; Alaiz-Moretón, H.; Quintián, H.; Calvo-Rolle, J.L. Development of an Intelligent Classifier Model for Denial of Service Attack Detection. Int. J. Interact. Multimed. Artif. Intell. 2023, 8, 33–42. [Google Scholar] [CrossRef]
Ku, I.; Lu, Y.; Gerla, M.; Gomes, R.L.; Ongaro, F.; Cerqueira, E. Towards Software-Defined VANET: Architecture and Services. In Proceedings of the 2014 13th Annual Mediterranean Ad Hoc Networking Workshop, MED-HOC-NET 2014, Piran, Slovenia, 2–4 June 2014; IEEE Computer Society: Washington, DC, USA, 2014; pp. 103–110. [Google Scholar]
Correia, S.; Boukerche, A.; Meneguette, R.I. An Architecture for Hierarchical Software-Defined Vehicular Networks. IEEE Commun. Mag. 2017, 55, 80–86. [Google Scholar] [CrossRef]
Bhatia, J.; Dave, R.; Bhayani, H.; Tanwar, S.; Nayyar, A. SDN-Based Real-Time Urban Traffic Analysis in VANET Environment. Comput Commun 2020, 149, 162–175. [Google Scholar] [CrossRef]
Di Maio, A.; Palattella, M.R.; Soua, R.; Lamorte, L.; Vilajosana, X.; Alonso-Zarate, J.; Engel, T. Enabling SDN in VANETs: What Is the Impact on Security? Sensors 2016, 16, 2077. [Google Scholar] [CrossRef]
Shafiq, H.; Rehman, R.A.; Kim, B.S. Services and Security Threats in SDN Based VANETs: A Survey. Wirel. Commun. Mob. Comput. 2018, 2018, 8631851. [Google Scholar] [CrossRef]
2018 IEEE 8th Annual Computing and Communication Workshop and Conference: 8–10 January 2018, Las Vegas, NV, USA; Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2018; ISBN 9781538646496.
Hu, F.; Hao, Q.; Bao, K. A Survey on Software-Defined Network and OpenFlow: From Concept to Implementation. IEEE Commun. Surv. Tutor. 2014, 16, 2181–2206. [Google Scholar] [CrossRef]
Farooq, M.S.; Riaz, S.; Alvi, A. Security and Privacy Issues in Software-Defined Networking (SDN): A Systematic Literature Review. Electronics 2023, 12, 3077. [Google Scholar] [CrossRef]
Karakus, M.; Durresi, A. A Survey: Control Plane Scalability Issues and Approaches in Software-Defined Networking (SDN). Comput. Netw. 2017, 112, 279–293. [Google Scholar] [CrossRef]
Kalupahana Liyanage, K.S.; Ma, M.; Joo Chong, P.H. Controller Placement Optimization in Hierarchical Distributed Software Defined Vehicular Networks. Comput. Netw. 2018, 135, 226–239. [Google Scholar] [CrossRef]
Söğüt, E.; Tekerek, A.; Erdem, O.A. Machine Learning-Based DDoS Attack Detection on SDN-Based SCADA Systems. Gazi J. Eng. Sci. 2024, 9, 596–611. [Google Scholar] [CrossRef]
Islam, M.M.; Khan, M.T.R.; Saad, M.M.; Kim, D. Software-Defined Vehicular Network (SDVN): A Survey on Architecture and Routing. J. Syst. Archit. 2021, 114, 101961. [Google Scholar] [CrossRef]
Hu, T.; Guo, Z.; Yi, P.; Baker, T.; Lan, J. Multi-Controller Based Software-Defined Networking: A Survey. IEEE Access 2018, 6, 15980–15996. [Google Scholar] [CrossRef]
Hussain, R.; Lee, J.; Zeadally, S. Trust in Vanet: A Survey of Current Solutions and Future Research Opportunities. IEEE Trans. Intell. Transp. Syst. 2021, 22, 2553–2571. [Google Scholar] [CrossRef]
Shu, J.; Zhou, L.; Zhang, W.; Du, X.; Guizani, M. Collaborative Intrusion Detection for VANETs: A Deep Learning-Based Distributed SDN Approach. IEEE Transactions on Intelligent Transportation Systems 2021, 22, 4519–4530. [Google Scholar] [CrossRef]
Chahal, M.; Harit, S.; Mishra, K.K.; Sangaiah, A.K.; Zheng, Z. A Survey on Software-Defined Networking in Vehicular Ad Hoc Networks: Challenges, Applications and Use Cases. Sustain. Cities Soc. 2017, 35, 830–840. [Google Scholar] [CrossRef]
Anyanwu, G.O.; Nwakanma, C.I.; Lee, J.M.; Kim, D.S. RBF-SVM Kernel-Based Model for Detecting DDoS Attacks in SDN Integrated Vehicular Network. Ad Hoc Netw. 2023, 140, 103026. [Google Scholar] [CrossRef]
Ma, R.; Wang, Q.; Bu, X.; Chen, X. Real-Time Detection of DDoS Attacks Based on Random Forest in SDN. Appl. Sci. 2023, 13, 7872. [Google Scholar] [CrossRef]
Aslam, N.; Srivastava, S.; Gore, M.M. A Comprehensive Analysis of Machine Learning- and Deep Learning-Based Solutions for DDoS Attack Detection in SDN. Arab. J. Sci. Eng. 2024, 49, 3533–3573. [Google Scholar] [CrossRef]
Revathi, M.; Ramalingam, V.V.; Amutha, B. A Machine Learning Based Detection and Mitigation of the DDOS Attack by Using SDN Controller Framework. Wirel. Pers. Commun. 2022, 127, 2417–2441. [Google Scholar] [CrossRef]
Sultana, R.; Grover, J.; Tripathi, M. A Novel Framework for Misbehavior Detection in SDN-Based VANET. In Proceedings of the International Symposium on Advanced Networks and Telecommunication Systems, ANTS, New Delhi, India, 14–17 December 2020; IEEE Computer Society: Washington, DC, USA, 2020; Volume 2020-December. [Google Scholar]
Jiang, D.; Delgrossi, L. IEEE 802.11p: Towards an International Standard for Wireless Access in Vehicular Environments. In Proceedings of the IEEE Vehicular Technology Conference, Singapore, 11-14 May 2008; pp. 2036–2040.
Hameed Hussein, N.; Paw Koh, S.; Tak Yaw, C.; Kiong Tiong, S.; Member, S.; Benedict, F.; Yusaf, T.; Kadirgama, K.; Chung Hong, T. SDN-Based VANET Routing: A Comprehensive Survey on Architectures, Protocols, Analysis, and Future Challenges. IEEE Access 2024. [CrossRef]
Li, Z.; Liu, F.; Yang, W.; Peng, S.; Zhou, J. A Survey of Convolutional Neural Networks: Analysis, Applications, and Prospects. IEEE Trans. Neural Netw. Learn. Syst. 2022, 33, 6999–7019. [Google Scholar] [CrossRef]
Türk, F.; Kökver, Y. Detection of Lung Opacity and Treatment Planning with Three-Channel Fusion CNN Model. Arab. J. Sci. Eng. 2024, 49, 2973–2985. [Google Scholar] [CrossRef]
Taye, M.M. Theoretical Understanding of Convolutional Neural Network: Concepts, Architectures, Applications, Future Directions. Computation 2023, 11, 52. [Google Scholar] [CrossRef]
Chen, L.; Li, S.; Bai, Q.; Yang, J.; Jiang, S.; Miao, Y. Review of Image Classification Algorithms Based on Convolutional Neural Networks. Remote Sens. 2021, 13, 4712. [Google Scholar] [CrossRef]
Saxena, A. An Introduction to Convolutional Neural Networks. Int. J. Res. Appl. Sci. Eng. Technol. 2022, 10, 943–947. [Google Scholar] [CrossRef]
Bansal, M.; Goyal, A.; Choudhary, A. A Comparative Analysis of K-Nearest Neighbor, Genetic, Support Vector Machine, Decision Tree, and Long Short Term Memory Algorithms in Machine Learning. Decis. Anal. J. 2022, 3, 100071. [Google Scholar] [CrossRef]
Türkoğlu, M.; Polat, H.; Koçak, C.; Polat, O. Recognition of DDoS Attacks on SD-VANET Based on Combination of Hyperparameter Optimization and Feature Selection. Expert Syst. Appl. 2022, 203, 117500. [Google Scholar] [CrossRef]

Figure 1. General architecture of vehicular networks.

Figure 2. Software Defined Network Architecture.

Figure 3. Software Defined Vehicular Ad Hoc Network Architecture.

Figure 4. SD-VANET_Guard intrusion detection system integration.

Figure 5. The overall architecture of the 1DCNN-DT hybrid artificial intelligence model.

Figure 6. The convolution process.

Figure 7. The number of packets received and transmitted through the controller’s interface in the experimental SD-VANET topology.

Figure 8. CPU utilization of the controller in the experimental SD-VANET topology.

Figure 9. Percentage of DDoS traffic in the existing network flow within the experimental SD-VANET topology.

Table 1. The features in the dataset.

timestamp	datapath_id	flow_id
ip_src	tp_src	ip_dst
tp_dst	ip_proto	icmp_code
icmp_type	flow_duration_sec	flow_duration_nsec
idle_timeout	hard_timeout	flags
packet_count	byte_count	packet_count_per_second
packet_count_per_nsecond	byte_count_per_second	byte_count_per_nsecond

Class: Traffic class. The data in the dataset used in this study are labeled data. These two classes are “0” and “1”. “0” represents data received during normal traffic flow, and ‘1’ represents data received during a DDoS attack.

Table 2. Proposed One-Dimensional Architecture.

Layer	Parameters	Size
Input	Model Input	$89 \times 1$
Conv1D	filters: 16, kernel size: 5	$85 \times 16$
ReLU		$86 \times 16$
Conv1D	filters: 32, kernel size: 5	$81 \times 32$
ReLU		$82 \times 32$
Conv1D	filters: 64, kernel size: 5	$77 \times 64$
ReLU		$78 \times 64$
Flatten		$4928$
Dense	nerons: 256	$256$
ReLU		$256$
Dense	nerons: 256	$256$
ReLU		$256$
Dense	nerons: 4	$4$
Softmax	Model Output	$4$

Table 3. The actions of each module over time in the simulation.

Situation	Event	Time
Initial State	Start of Implementation	17:54:00
	The Ryu controller (flow statistics collection module) sends flow statistics requests to the switches, and the responses are written to a local file.	17:54:00
Detection State	Activation/Initialization of the detection module. (Every 10 s, read the local file and run the prediction, then publish the result to InfluxDB)	17:54:00
Detection State	Attack Detection	17:58:00
Flow Generation State	Ryu controller flow rule creation/modification (the controller responds to flow requests from devices in the data plane).	17:54:00

Table 4. Comparison of DDoS Detection Techniques and Performance Metrics Across Related Studies.

Study Reference	Network Type	Classification Techniques	Feature Selection	Accuracy (%)	Remarks
Türkoğlu et al. [48].	SD-VANET	Hyperparameter-optimized model with feature selection	Yes	98.7	Focused on SD-VANET with optimized parameters
Michelena et al. [18].	IoT Networks	Decision Trees, MLP, Random Forest, SVM, FLD, Naive Bayes + PCA	Yes	Above 99	IoT-specific but relevant methodologies for DoS detection
This Study	SD-VANET	Hybrid 1D-CNN and Decision Tree (1DCNN-DT)	No	99.6	Real-time detection tailored for dynamic SD-VANETs

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Polat, O.; Oyucu, S.; Türkoğlu, M.; Polat, H.; Aksoz, A.; Yardımcı, F. Hybrid AI-Powered Real-Time Distributed Denial of Service Detection and Traffic Monitoring for Software-Defined-Based Vehicular Ad Hoc Networks: A New Paradigm for Securing Intelligent Transportation Networks. Appl. Sci. 2024, 14, 10501. https://doi.org/10.3390/app142210501

AMA Style

Polat O, Oyucu S, Türkoğlu M, Polat H, Aksoz A, Yardımcı F. Hybrid AI-Powered Real-Time Distributed Denial of Service Detection and Traffic Monitoring for Software-Defined-Based Vehicular Ad Hoc Networks: A New Paradigm for Securing Intelligent Transportation Networks. Applied Sciences. 2024; 14(22):10501. https://doi.org/10.3390/app142210501

Chicago/Turabian Style

Polat, Onur, Saadin Oyucu, Muammer Türkoğlu, Hüseyin Polat, Ahmet Aksoz, and Fahri Yardımcı. 2024. "Hybrid AI-Powered Real-Time Distributed Denial of Service Detection and Traffic Monitoring for Software-Defined-Based Vehicular Ad Hoc Networks: A New Paradigm for Securing Intelligent Transportation Networks" Applied Sciences 14, no. 22: 10501. https://doi.org/10.3390/app142210501

APA Style

Polat, O., Oyucu, S., Türkoğlu, M., Polat, H., Aksoz, A., & Yardımcı, F. (2024). Hybrid AI-Powered Real-Time Distributed Denial of Service Detection and Traffic Monitoring for Software-Defined-Based Vehicular Ad Hoc Networks: A New Paradigm for Securing Intelligent Transportation Networks. Applied Sciences, 14(22), 10501. https://doi.org/10.3390/app142210501

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Menu

Hybrid AI-Powered Real-Time Distributed Denial of Service Detection and Traffic Monitoring for Software-Defined-Based Vehicular Ad Hoc Networks: A New Paradigm for Securing Intelligent Transportation Networks

Abstract

1. Introduction

2. Related Work

3. Ad Hoc Networks

4. Software Defined Networks

4.1. Software Defined Vehicular Ad Hoc Networks

4.2. SD-VANET Architecture: Advantages and Disadvantages

4.3. SD-VANET Network Security: DDoS Attacks and Risks

4.3.1. DDoS Attacks and Impacts

4.3.2. Threats to the SD-VANET Architecture

5. Material and Methods

5.1. Simulation Environment in the Context of Vehicular Networks

5.2. Scenario for Legal Network Traffic

5.3. Attack Scenario

5.4. Dataset

5.5. Network Traffic Data Collection

5.5.1. Traffic Feature Collection via OpenFlow

5.5.2. Multi-Threaded Processing in Ryu Controller

5.5.3. DDoS Detection Using Traffic Features

5.5.4. sFlow-RT Data Collection and Monitoring

5.5.5. Visualization of Network Metrics

5.5.6. Overall System Workflow

5.6. Attack Detection Module

5.6.1. Phase One: Construction of the Convolutional Neural Network Architecture

5.6.2. Phase Two: Training the Decision Tree Classifier with Deep Features

5.6.3. Phase Three: Testing Phase

6. Performance Evaluation of the SD-VANET_GUARD DDoS Attack Detection System

7. Conclusions

Author Contributions

Funding

Institutional Review Board Statement

Informed Consent Statement

Data Availability Statement

Acknowledgments

Conflicts of Interest

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI