Optimizing LSTM-CNN for Lightweight and Accurate DDoS Detection in SDN Environments
DOI: https://doi.org/10.15294/sji.v12i2.24531
Keywords: DDoS Detection, Software-Defined Networking, LSTM-CNN, Deep Learning, Network Security
Abstract
Purpose: This study optimizes the LSTM-CNN model to detect Distributed Denial of Service (DDoS) attacks in Software-Defined Networking (SDN)-based networks and improves accuracy, computational efficiency, and class imbalance handling.
Methods: We developed an Improved LSTM-CNN by removing the Conv1D layer, reducing LSTM units to 64, and using 21 features with a 5-timestep approach. The InSDN dataset (50,000 samples) was preprocessed with one-hot encoding, MinMaxScaler normalization, and sequence formation. Class imbalance was managed using class weights (0:2.0, 1:0.5) instead of SMOTE, with performance compared against Baseline LSTM-CNN and Dense-only models optimized with the Sine Cosine Algorithm (SCA).
Result: The Improved LSTM-CNN achieved 0.99 accuracy, 0.93 F1-score for Benign traffic, and 1.00 for Malicious traffic, with ~25,000 parameters and 125 ms inference time on Google Colab. It outperformed Baseline LSTM-CNN (0.08 accuracy) and was more efficient than Dense-only (46,000 parameters), with a false positive rate of ~1%.
Novelty: This research presents a lightweight, efficient DDoS detection solution for SDN, leveraging temporal modeling and class weights, suitable for resource-constrained controllers like OpenDaylight or ONOS. However, its generalization is limited by dataset diversity, necessitating broader validation.
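The preprocessing and imbalance handling named under Methods, as an added sketch that is not the authors' code: min-max scaling, 5-timestep sequence formation over 21 features, and a loss weighted with the stated class weights. The stride-1 windowing, labelling a window by its last flow, the 0=Benign/1=Malicious mapping, and the standard LSTM cell used for the parameter count are assumptions; under that last one, a 64-unit LSTM over 21 features has 22,016 parameters, which fits within the reported ~25,000 total.

```python
# Added illustration, not the paper's code. Pure Python, no dependencies.
import math

TIMESTEPS, N_FEATURES, LSTM_UNITS = 5, 21, 64   # values from the abstract
CLASS_WEIGHT = {0: 2.0, 1: 0.5}  # from the abstract; 0=Benign, 1=Malicious is assumed

def minmax_fit(rows):
    """Per-column (min, max); fit on training rows only to avoid leakage."""
    return [(min(c), max(c)) for c in zip(*rows)]

def minmax_apply(rows, ranges):
    """Scale to [0, 1]; constant columns map to 0.0, unseen values are clipped."""
    return [[0.0 if hi == lo else min(1.0, max(0.0, (v - lo) / (hi - lo)))
             for v, (lo, hi) in zip(row, ranges)] for row in rows]

def make_sequences(rows, labels, timesteps=TIMESTEPS):
    """Stride-1 sliding windows; a window takes its last row's label (assumption)."""
    X, y = [], []
    for end in range(timesteps, len(rows) + 1):
        X.append(rows[end - timesteps:end])
        y.append(labels[end - 1])
    return X, y

def weighted_bce(y_true, p_pred, class_weight=CLASS_WEIGHT, eps=1e-7):
    """Mean binary cross-entropy, each sample scaled by its class weight."""
    total = 0.0
    for t, p in zip(y_true, p_pred):
        p = min(1 - eps, max(eps, p))
        total += class_weight[t] * -(t * math.log(p) + (1 - t) * math.log(1 - p))
    return total / len(y_true)

def lstm_param_count(units, n_features):
    """Trainable parameters of one standard LSTM layer (4 gates, with biases)."""
    return 4 * (units * (n_features + units) + units)

if __name__ == "__main__":
    # Constructed sample: 8 flow records x 21 numeric features, not InSDN data.
    flows = [[float((i * (j + 1)) % 7) for j in range(N_FEATURES)] for i in range(8)]
    labels = [1, 1, 1, 0, 1, 1, 1, 1]
    X, y = make_sequences(minmax_apply(flows, minmax_fit(flows)), labels)
    print(len(X), len(X[0]), len(X[0][0]), y)       # windows, timesteps, features
    # Same wrong confidence (0.1 for the true class) costs 4x more on class 0.
    print(weighted_bce([0], [0.9]), weighted_bce([1], [0.1]))
    print(lstm_param_count(LSTM_UNITS, N_FEATURES))
```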
