Hybrid LSTM-attention Model for DDoS Attack Detection in Software-defined Networking

Authors: Rikie Kartadie, Danny Kriestanto, Muhammad Agung Nugroho, Chuan-Ming Liu

Journal: International Journal of Computer Network and Information Security @ijcnis

Article in issue: 6 vol.17, 2025.

Free access

Distributed Denial of Service (DDoS) attacks threaten Software-Defined Networking (SDN) environments, requiring effective real-time detection. This study introduces a hybrid LSTM-Attention model to improve DDoS detection in SDN, combining Long Short-Term Memory (LSTM) networks for temporal pattern recognition with an attention mechanism to prioritize key traffic features like packet and byte counts per second. Trained on 15,000 balanced samples from the SDN DDoS dataset, the model achieved 96.90% accuracy, 100% recall for DDoS instances, and a 0.97 F1-score, outperforming statistical (88.5%), machine learning (94.0%), and other deep learning (95.0%) methods. Attention weight visualization confirmed its focus on critical features. With a two-hour training time on modest hardware (Google Colab, 12 GB RAM) and an AUC of 0.99, the model is efficient and robust for real-time use. It offers a scalable, interpretable framework for network security, providing actionable insights for administrators and supporting future detection of slow-rate attacks and insider breaches. As a proof-of-concept, a subsampled slow-rate DDoS simulation (10% of volumetric spikes) achieved 89.5% accuracy with tuned attention weights, suggesting potential for rate adjustments. Preliminary tests on UNSW-NB15 subsets, focusing on behavioral features, yielded 85.2% recall, indicating that integrating user profiling could enhance real-world detection.

DDoS Detection, Software-defined Networking (SDN), Deep Learning, LSTM-attention, Network Security

Short URL: https://sciup.org/15020118

IDR: 15020118   |   DOI: 10.5815/ijcnis.2025.06.09