Last updated page: 2/26/2026
RESEARCH PAPER ARCHIVE
A categorized, searchable list of cybersecurity research papers with summaries, providing in-depth technical analysis of many different cybersecurity topics. The papers are taken from Google Scholar and chosen from the most-cited papers from 2022-2026. The list covers multiple types of attacks and defenses in cybersecurity. Each entry's sections include a Summary, Research Contributions, and Keywords. To explore a paper further, click its research paper button to view it. (Some papers require you to click the PDF button on the page to view them.)
DDoS
By: Z. Shah, I. Ullah, H. Li, A. Levula, and K. Khurshid (2022)
This paper provides a comprehensive survey of how blockchain technology can be applied to mitigate Distributed Denial of Service (DDoS) attacks in Internet of Things (IoT) environments, where constrained devices are often exploited to form botnets that generate malicious traffic. The authors explain the security weaknesses of IoT infrastructures and how blockchain’s decentralized, immutable, and transparent architecture can reduce single points of failure while improving trust, authentication, and automated response mechanisms. Existing blockchain-based mitigation techniques are systematically classified into four categories: distributed architecture-based solutions, access management-based solutions, traffic control-based solutions, and Ethereum platform-based solutions. The paper evaluates each category’s defense capabilities, performance trade-offs, and implementation challenges, emphasizing scalability, computational overhead, and portability concerns. The study concludes that while blockchain shows strong potential for IoT DDoS defense, further research is needed to design lightweight, scalable, and real-time capable systems suitable for resource-constrained IoT devices.
Research Contributions:
• Provides a structured taxonomy of blockchain-based DDoS mitigation solutions for IoT.
• Compares prevention, detection, and response mechanisms across existing approaches.
• Identifies scalability, latency, and resource overhead challenges in IoT–blockchain integration.
• Outlines open research directions for developing lightweight and practical deployment models.
Keywords:
Blockchain, Distributed Denial of Service (DDoS), Internet of Things (IoT), Network Security, Smart Contracts, Access Control, Traffic Management, Decentralized Systems
By: Anshuman Singh and Brij B. Gupta (2022)
This paper provides an extensive overview of Distributed Denial-of-Service (DDoS) attacks and the defense strategies developed to counter them across multiple modern computing environments, including cloud platforms, the Internet of Things (IoT), software-defined networks (SDN), and web-enabled systems. The authors first explain the nature of DDoS attacks, how attackers leverage distributed devices to form powerful botnets, and why growing interconnectivity has expanded the threat surface. They then survey a wide range of defense techniques from the literature, discussing traditional and emerging countermeasures such as traffic filtering, resource management strategies, anomaly-based detection, and the application of machine learning and blockchain technologies as defense enablers. The paper also reviews performance metrics used to evaluate defensive schemes and identifies key challenges and open research issues, particularly the need for more efficient, scalable, and adaptive DDoS mitigation frameworks in heterogeneous computing environments.
Research Contributions:
• Provides a broad taxonomy of DDoS attacks and defense mechanisms across diverse computing platforms, such as IoT, cloud, and SDN.
• Highlights the roles of emerging technologies (e.g., blockchain, machine learning) in enhancing DDoS defense effectiveness.
• Surveys performance metrics for evaluating defensive approaches, helping benchmark future innovations.
• Identifies key challenges and open directions for future research in scalable, adaptive DDoS mitigation.
Keywords:
Distributed Denial-of-Service, DDoS mitigation, IoT security, cloud computing, SDN, blockchain defense, machine learning, cyber defenses
By: A. A. Najar and S. M. Naik (2024)
This paper proposes a novel deep learning-enhanced method for detecting and mitigating Distributed Denial-of-Service (DDoS) attacks in Software-Defined Networking (SDN) environments by combining Balanced Random Sampling (BRS) with Convolutional Neural Networks (CNNs) to improve accuracy and efficiency. The authors identify limitations in existing SDN-based DDoS detection systems, such as reliance on predefined signatures, low detection rates, and computational inefficiencies. To address these issues, they apply BRS to balance training data and train a CNN model that distinguishes between normal and attack traffic, achieving very high classification performance (over 99.99 % for binary classification and 98.64 % for multi-class scenarios). The framework incorporates mitigation measures such as traffic filtering, rate limiting, and IP blocking rules, along with a monitoring mechanism that ensures legitimate traffic is prioritized. Through experiments, the proposed model demonstrates highly accurate attack detection and practical mitigation capabilities tailored to SDN architectures, highlighting the potential of deep learning to strengthen next-generation network security.
Research Contributions:
• Introduces a combined Balanced Random Sampling and CNN model specifically for DDoS detection in SDN networks.
• Addresses data imbalance issues to enhance detection accuracy.
• Integrates practical mitigation techniques (rate limiting, filtering, IP blocking) within an SDN context.
• Demonstrates near-perfect classification performance across binary and multi-class detection tasks.
Keywords:
DDoS detection, Software-Defined Networking (SDN), deep learning, convolutional neural network (CNN), balanced random sampling, traffic filtering, rate limiting.
By: Selman Hizal, Unal Cavusoglu, and Devrim Akgun (2024)
This paper presents an advanced deep learning-powered intrusion detection system (IDS) specifically designed to detect and classify Distributed Denial of Service (DDoS) attacks in Internet of Things (IoT) networks using the recently published CICIoT2023 dataset as its benchmark. The authors highlight the growing threat posed by DDoS attacks against increasingly interconnected IoT environments and describe how traditional detection systems struggle with evolving attack patterns and imbalanced traffic data. Their proposed solution involves extensive preprocessing (including feature selection, duplication removal, and normalization) to improve training quality, followed by the development of a two-stage classification approach where the first stage differentiates between normal and attack traffic and the second stage identifies specific attack subtypes. Multiple deep learning models—including deep neural networks (DNN), convolutional neural networks (CNN), and long short-term memory (LSTM) networks—are trained and evaluated, with results showing that the two-stage architecture significantly outperforms baseline models in both accuracy and real-time detection performance. The study suggests this framework provides a robust and scalable IDS for future IoT deployments where rapid and precise DDoS detection is essential.
Research Contributions:
• Proposes a deep learning-based IDS tailored to IoT environments using the CICIoT2023 dataset.
• Designs and implements a two-stage classification approach separating attack detection and subtype identification.
• Evaluates multiple neural network architectures (DNN, CNN, LSTM) showing improved detection over baseline models.
• Applies thorough data preprocessing to enhance model performance and generalization.
Keywords:
IoT security, Distributed Denial of Service (DDoS), intrusion detection system (IDS), deep learning, neural network, CNN, LSTM, data preprocessing
By: Amandeep Kaur, C. R. Krishna, and N. V. Patil (2025)
This article presents an in-depth review of Software-Defined Networking (SDN) in the context of Distributed Denial of Service (DDoS) threats, providing a detailed examination of SDN’s ecosystem, architectural components, attack vulnerabilities, and defense research. The authors outline how SDN’s decoupling of control and data planes introduces both flexibility and security risks, particularly as the centralized controller becomes a focal point for DDoS exploitation. A structured taxonomy of DDoS attack types in SDN environments is developed, followed by a critical evaluation of statistical, machine learning, and deep learning-based detection methods documented in the literature. The paper also compares open-source distributed processing frameworks used for traffic engineering in SDN and discusses key security challenges associated with scalable network design, controller placement, flow management, and real-time mitigation. Publicly available DDoS datasets are surveyed to support performance evaluation practices, and the review closes by highlighting persistent research gaps and future directions for robust, adaptive mitigation strategies in SDN-enabled networks.
Research Contributions:
• Provides a comprehensive SDN ecosystem overview including components, operational workflows, and inherent vulnerabilities.
• Develops a taxonomy of DDoS attack categories specific to SDN architectures.
• Reviews and critiques existing statistical and machine/deep learning-based DDoS detection techniques in SDN.
• Characterizes traffic engineering frameworks and highlights security challenges in current SDN deployments.
• Summarizes datasets and evaluation practices used for benchmarking DDoS defense solutions.
Keywords:
Software-Defined Networking (SDN), Distributed Denial of Service (DDoS), network security, traffic engineering, taxonomy, machine learning, deep learning, datasets, mitigation challenges
By: P. Chaudhary, A. K. Singh, and B. B. Gupta (2025)
This paper proposes a dynamic, multiphase framework for detecting and mitigating Distributed Denial-of-Service (DDoS) attacks in Software-Defined Networking (SDN)-based fog-enabled Consumer Internet of Things (CIoT) environments, addressing the unique security challenges posed by large-scale, heterogeneous IoT deployments. The framework begins with entropy-based anomaly detection to flag suspicious traffic patterns and dynamically adjusts thresholds using Chebyshev’s inequality to adapt to changing network conditions. A symmetrical uncertainty and k-means clustering-based attribute selection algorithm enhances classification accuracy before machine learning models differentiate between normal and attack traffic. In simulated SDN-fog IoT environments and with the BoT-IoT dataset, the system achieved high detection accuracy (e.g., Random Forest with 98.71 % for binary classification) and improved multi-class attack identification for varied DDoS types like Ping Flood and TCP-SYN Flood. The fog-enabled architecture reduced response times by about 35 % when compared to centralized defenses, demonstrating the approach’s scalability and responsiveness for real-world CIoT networks.
Research Contributions:
• Proposes a multiphase detection-and-mitigation framework tailored to SDN-based fog-empowered IoT environments.
• Introduces dynamic thresholding (Chebyshev’s inequality) for adaptable anomaly detection.
• Uses attribute selection via symmetrical uncertainty and k-means clustering to enhance classification performance.
• Demonstrates high accuracy and reduced response times in simulated SD-FCIoT settings using the BoT-IoT dataset.
Keywords:
Distributed Denial of Service (DDoS), SDN security, fog computing, IoT, anomaly detection, machine learning, entropy-based detection, attribute selection, Random Forest classifier
By: Sharmin Aktar and Abdullah Yasin Nur (2023)
This paper proposes an anomaly-based DDoS detection method built around a contractive autoencoder that learns a compact representation of normal network traffic and flags attacks when reconstruction error becomes unusually high. Instead of training on all labeled attack categories, the model uses a semi-supervised setup (training primarily on non-attack instances) and then applies a stochastic thresholding strategy over reconstruction loss to decide whether a traffic instance is anomalous. The approach is evaluated on three widely used intrusion-detection datasets—CIC-IDS2017, NSL-KDD, and CIC-DDoS2019—and is compared against baseline autoencoder variants (e.g., basic AE, VAE, LSTM-AE). Reported results show strong detection performance across datasets, with accuracies ranging roughly from the low 90s to high 90s depending on the dataset and setting.
Research Contributions:
• Proposes a contractive autoencoder–based deep learning method for DDoS anomaly detection.
• Uses a semi-supervised training approach focused on learning normal traffic behavior.
• Introduces a stochastic threshold selection process (multiple runs with varying thresholds) rather than a single fixed threshold.
• Evaluates performance on CIC-IDS2017, NSL-KDD, and CIC-DDoS2019, comparing against other AE-based deep learning baselines.
Keywords:
DDoS detection, anomaly detection, deep learning, contractive autoencoder, intrusion detection system (IDS), reconstruction loss, CIC-IDS2017, NSL-KDD, CIC-DDoS2019
By: Abdussalam A. Alashhab, M. Soperi Mohd Zahid, Babangida Isyaku, Asma Abbas Elnour, Wamda Nagmeldin, Abdelzahir Abdelmaboud, Talal A. A. Abdullah, and Umar Maiwada (2024)
This paper proposes a machine-learning-based framework to improve real-time detection and mitigation of Distributed Denial of Service (DDoS) attacks in Software-Defined Networking (SDN) environments by leveraging an ensemble online learning model. The authors highlight that traditional ML models often struggle with evolving attack patterns—especially low-rate or zero-day DDoS variants—because of fixed feature sets and limited adaptability. To address this, their solution processes SDN traffic with online learning that dynamically updates the model with new traffic patterns and uses adaptive feature selection to continuously refine its detection capability. The architecture is validated within an SDN simulation (Mininet with Ryu controller), and results show a 99.2 % detection rate across diverse DDoS types on both custom and benchmark datasets such as CICDDoS2019, InSDN, and slow-read-DDoS. The study also compares its performance with other models on similar datasets, demonstrating superior accuracy and adaptability, and outlines how the framework supports proactive mitigation in SDN networks.
Research Contributions:
• Introduces an ensemble online ML model that dynamically adapts to evolving DDoS attack traffic in SDN environments.
• Implements dynamic feature selection to improve generalization across attack types.
• Demonstrates high detection performance (≈ 99.2 %) on custom and benchmark datasets including CICDDoS2019 and InSDN.
• Validates model effectiveness within a simulated SDN setup (Mininet + Ryu), underscoring its real-time applicability.
Keywords:
Distributed Denial of Service (DDoS), Software-Defined Networking (SDN), online machine learning, ensemble learning, adaptive feature selection, real-time detection, Mininet simulation.
By: Vanlalruata Hnamte, Ashfaq Ahmad Najar, Hong Nhung-Nguyen, Jamal Hussain, and Manohar Naik Sugali (2024)
This paper presents a deep-learning-based framework for detecting and mitigating Distributed Denial-of-Service (DDoS) attacks in Software-Defined Networking (SDN) environments using a Deep Neural Network (DNN) model trained to recognize traffic patterns associated with DDoS behavior. The authors motivate the work by noting that SDN’s centralized control logic can become a high-impact target during volumetric attacks, and propose a scalable detection pipeline that analyzes network traffic features to classify malicious activity and support mitigation actions within the SDN setting. The model is evaluated on multiple datasets (including InSDN, CICIDS2018, and a Kaggle DDoS dataset), and the reported results show very high detection accuracy across them (approximately 99.98%, 100%, and 99.99%, respectively), alongside low loss values—supporting the claim that the approach can perform robustly across different traffic sources and attack distributions.
Research Contributions:
• Proposes a DNN-based detection model tailored for DDoS identification in SDN environments.
• Evaluates the approach on multiple datasets (InSDN, CICIDS2018, Kaggle DDoS) to demonstrate generality.
• Reports near-perfect detection accuracy and low loss, indicating strong classification reliability in testing.
• Discusses practical considerations for deploying deep learning defenses in real-world SDN infrastructures.
Keywords:
DDoS, Software-Defined Networking (SDN), deep neural network (DNN), deep learning, intrusion detection, network security
By: Surendra Kumar, Mridula Dwivedi, Mohit Kumar, and Sukhpal Singh Gill (2024)
This article presents an extensive survey focused on securing cloud computing platforms against Distributed Denial of Service (DDoS) attacks by analyzing both vulnerabilities inherent in cloud infrastructures and the range of Artificial Intelligence (AI)-based defensive techniques designed to detect, prevent, and mitigate these threats. The authors begin by highlighting cloud computing’s core advantages—such as scalability, elasticity, and shared resource models—and explain how these same characteristics expose cloud services to high-impact application-layer and volumetric attacks that can overwhelm resources and disrupt availability. The review systematically categorizes different DDoS attack types seen in cloud settings and examines a broad spectrum of machine learning (ML) and deep learning (DL) detection frameworks, including single, hybrid, and ensemble models used in the literature. Importantly, it also analyzes evaluation metrics, benchmark datasets, and simulation tools that researchers rely on when validating defense systems, and identifies key limitations such as imbalanced datasets, detection latency, and the lack of automated real-time responses. The survey concludes by identifying open research challenges and recommending future directions for developing more intelligent, efficient, and practical DDoS defense strategies tailored to cloud environments.
Research Contributions:
• Provides a comprehensive taxonomy of DDoS attacks targeting cloud services and their impact on cloud availability.
• Surveys and categorizes AI-enabled detection and mitigation techniques (ML/DL), including hybrid and ensemble models.
• Reviews performance evaluation criteria, tools, and benchmark datasets used to assess cloud DDoS defenses.
• Identifies research gaps and future challenges, especially for real-time, scalable, and automated defense mechanisms.
Keywords:
Cloud computing security, Distributed Denial of Service (DDoS), AI-based detection, machine learning, deep learning, attack taxonomy, performance evaluation.
By: Meenakshi Mittal, Krishan Kumar, and Sunny Behal (2022)
This paper systematically reviews existing research on using deep learning techniques to detect Distributed Denial of Service (DDoS) attacks, addressing the limitations of traditional signature-based and shallow machine learning approaches amid evolving cyberthreats. The authors survey literature from major digital libraries—including IEEE, ACM, ScienceDirect, Springer, and Google Scholar—categorizing studies according to the types of deep learning models applied, their methodologies, and their strengths and weaknesses. Key components examined include the preprocessing strategies, feature extraction techniques, network architectures, hyperparameter settings, benchmark datasets, and performance metrics used across studies. The review also identifies gaps such as inconsistent evaluation settings, lack of standardized datasets, and challenges in generalizing models for real-world traffic, concluding with a discussion of research directions to improve the reliability, scalability, and real-time applicability of deep learning-based DDoS detection systems.
Research Contributions:
• Provides a comprehensive survey of deep learning methods used for DDoS attack detection across a broad academic corpus.
• Categorizes defense approaches by model type and architectural design, including CNNs, RNNs, autoencoders, hybrid models, and ensemble techniques.
• Analyzes datasets, preprocessing techniques, performance metrics, and evaluation practices used in past work, highlighting inconsistencies and limitations.
• Identifies open research challenges such as the need for standardized benchmarks, interpretable models, and methods resilient to evolving attack patterns.
Keywords:
Distributed Denial of Service (DDoS), deep learning, systematic review, intrusion detection, benchmark datasets, feature extraction, performance evaluation, network security.
By: Sajid Mehmood, Rashid Amin, Jamal Mustafa, Mudassar Hussain, Faisal S. Alsubaei, and Muhammad D. Zakaria (2025)
This paper proposes a hybrid deep learning model combining Convolutional Neural Networks (CNNs) and Multilayer Perceptrons (MLPs), enhanced with optimizer-based tuning and SHAP-based feature selection, to detect Distributed Denial of Service (DDoS) attacks in Software-Defined Networking (SDN) environments. SDN’s centralized control plane offers flexibility but introduces vulnerabilities that attackers can exploit by flooding controller flow tables with malicious traffic, overloading switches, and degrading service. The proposed Optimizer-equipped CNN-MLP model processes network traffic flows and uses Bayesian and adaptive optimization to fine-tune hyperparameters, while SHAP feature selection identifies the most impactful features for classification. Evaluated on benchmark datasets such as CICDDoS-2019 and InSDN, the model demonstrates extremely high detection performance — up to 99.98 % accuracy, precision, and F1-score — showing robustness across different attack patterns and supporting near real-time analysis.
Research Contributions:
• Develops a hybrid CNN-MLP deep learning model specifically for SDN DDoS detection.
• Uses SHAP feature selection to improve input relevancy and model interpretability.
• Applies optimizer-based tuning (Bayesian/Adam) to enhance model performance.
• Validates the approach on multiple datasets (CICDDoS-2019, InSDN) with very high accuracy and F1-scores.
Keywords:
Distributed Denial of Service (DDoS), Software-Defined Networking (SDN), deep learning, CNN-MLP, optimizer, feature selection, SHAP, CICDDoS-2019, InSDN
By: Razvan Bocu and Maksim Iavich (2026)
This paper focuses on building DDoS detectors that generalize across changing attack styles and shifting network conditions, aiming to avoid the common problem where a model performs well only on the dataset it was trained on. The authors frame DDoS detection as a pattern-learning problem in which the key challenge is robustness to distribution shift (e.g., different traffic baselines, different organizations, different mixes of attack intensities). They propose a machine-learning-based detection workflow that emphasizes learning stable, reusable patterns from traffic features rather than overfitting to dataset-specific quirks, and they discuss evaluation considerations that reflect real operational conditions (where traffic evolves over time). Overall, the work positions “generalized” detection as the main objective, highlighting how model design and evaluation choices affect whether a DDoS detector remains reliable when moved to new environments.
Research Contributions:
• Targets generalization of DDoS detection models across heterogeneous traffic conditions rather than single-dataset performance.
• Presents a machine-learning framework oriented around learning stable DDoS patterns that transfer between environments.
• Emphasizes evaluation considerations tied to realistic deployment conditions (traffic drift and changing attack behavior).
Keywords:
DDoS detection, machine learning, generalized detection, traffic classification, network security, robustness
By: Anam Rajper, Norlina Binti Paraman, Muhammad Nadzir Marsono, Noor Jahan Rajper, Hira Hameed, and Muhammad Usman (2026)
This paper proposes a three-tier defense framework to detect and mitigate Distributed Denial of Service (DDoS) attacks in Software-Defined Networking (SDN) by combining adaptive statistical analysis, event-driven machine learning, and port connection analysis for more precise and efficient defense. The first tier uses an enhanced cumulative sum (CUSUM) algorithm with adaptive thresholds to detect abnormal traffic patterns based on real-time flow table data from OpenFlow switches, enabling rapid anomaly flagging. In the second tier, an event-based decision tree classifier is triggered only when needed so that the SDN controller is not continually burdened by machine learning inference. The third tier introduces a port connection analysis technique using Link Layer Discovery Protocol (LLDP) to distinguish direct versus indirect attack sources without tracing the entire attack path, improving mitigation precision. Evaluations show this integrated mechanism achieves extremely high accuracy (≈ 99.99%), drastically reduces computational load and false positives (~87%), and minimizes unnecessary mitigation actions (~94%) with negligible packet loss.
Research Contributions:
• Develops a three-tier SDN control plane defense mechanism combining statistical detection, event-activated ML classification, and LLDP-based port analysis.
• Applies an adaptive CUSUM algorithm to rapidly detect traffic anomalies without heavy controller overhead.
• Uses event-driven ML classification to limit machine learning processing only to relevant cases, improving efficiency.
• Introduces port connection analysis to pinpoint attack sources without full path tracing, enhancing mitigation precision.
• Demonstrates performance gains over existing SDN DDoS defenses in accuracy, controller load, and false positive reduction.
Keywords:
Distributed Denial of Service (DDoS), Software-Defined Networking (SDN), CUSUM, machine learning classifier, adaptive detection, port connection analysis, Link Layer Discovery Protocol (LLDP), anomaly detection, network security.
By: Doaa Mohsin Abd Ali Afraji, Jaime Lloret, and Lourdes Peñalver (2025)
This article reviews the state of the art in applying deep learning (DL)–based defense strategies to mitigate Distributed Denial of Service (DDoS) attacks within cloud computing environments, where large-scale resource sharing and diverse traffic patterns present significant vulnerabilities. The authors first categorize DDoS attacks into three primary types—volumetric, protocol-based, and application-layer attacks—and discuss how each affects cloud infrastructure differently. The review highlights how deep learning models enhance cybersecurity by learning complex traffic anomalies that traditional rule-based systems struggle to detect. However, it also emphasizes significant challenges, including scarcity of high-quality labeled datasets, limitations in method diversity, and the need for explainable and transparent AI to build trust in automated defenses. The paper concludes by advocating for future work to focus on better datasets, more accurate algorithms, and transparent AI practices to advance DDoS defense in cloud systems.
Research Contributions:
• Categorizes DDoS attack types relevant to cloud computing, improving clarity on threat classification.
• Surveys deep learning-based detection and mitigation techniques and discusses their strengths and limitations.
• Highlights critical challenges such as dataset quality, explainability, and model transparency in current approaches.
• Suggests future research directions emphasizing higher-quality data, more accurate algorithms, and explainable AI for practical deployment.
Keywords:
Distributed Denial of Service (DDoS), cloud computing security, deep learning, explainable AI, machine learning, cybersecurity strategies.