# DDoS attack detection method based on improved convolutional long short-term memory and three-way decision in SDN

**Authors:** Haizhen Wang, Xiaojing Yang, Na Jia

PMC · DOI: 10.1371/journal.pone.0322839 · PLOS One · 2025-05-14

## TL;DR

This paper introduces a new method for detecting DDoS attacks in SDN using improved ConvLSTM and three-way decision, achieving high accuracy on benchmark datasets.

## Contribution

The novel ConvLSTM-MHA-TWD method enhances feature extraction and classification accuracy for DDoS detection in SDN.

## Key findings

- The method achieved 0.994 accuracy on the CICIDS2017 dataset.
- It reached 0.977 accuracy on the DDoS SDN dataset.
- The model handles large data volumes effectively with improved training stability.

## Abstract

Software Defined Networking (SDN) is an emerging network architecture and management method whose core idea is to separate the network control plane from the data transmission plane. Because of this separation, SDN controllers are susceptible to external malicious attacks, the most common of which are Distributed Denial of Service (DDoS) attacks. This paper proposes a DDoS detection method called ConvLSTM-MHA-TWD, based on the Convolutional Long Short-Term Memory network (ConvLSTM) and three-way decision (TWD). It solves the problem of insufficient feature extraction in the SDN environment and improves classification accuracy. The method uses ConvLSTM to extract data features and a multi-head attention (MHA) mechanism to learn long-distance dependencies in the input data, and then constructs a multi-granularity feature space. The ConvLSTM and MHA outputs are added to form a residual connection, which further enhances feature extraction and temporal modeling and solves the vanishing-gradient problem during model training. Three-way decision theory is then used to decide on network behaviors immediately. Network behaviors that cannot be decided immediately receive a delayed decision: feature extraction and decision are performed again on this part of the network behaviors. Finally, the classification results are output. Experiments on the CICIDS2017 and DDoS SDN datasets gave accuracy rates of 0.994 and 0.977, respectively; the method has better overall performance and is suitable for training on large amounts of data.
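The immediate/delayed split described in the abstract, as an added example that is not the paper's code. It goes beyond the abstract by assuming the thresholds come from a decision-theoretic loss table, that the delayed pass ends in a two-way decision, and that a lookup table stands in for the second feature-extraction pass; every name, loss value and score is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Losses:
    """Cost of each action per true class. All values are constructed."""
    flag_attack: float = 0.0    # flag a real attack (correct)
    defer_attack: float = 2.0   # delay the decision on a real attack
    pass_attack: float = 10.0   # miss a real attack
    flag_benign: float = 6.0    # false alarm on benign traffic
    defer_benign: float = 1.0   # delay the decision on benign traffic
    pass_benign: float = 0.0    # pass benign traffic (correct)

def thresholds(c):
    """Return (alpha, beta, gamma) that minimise expected loss for P(attack)."""
    a = c.flag_benign - c.defer_benign
    alpha = a / (a + c.defer_attack - c.flag_attack)   # flag at or above this
    b = c.defer_benign - c.pass_benign
    beta = b / (b + c.pass_attack - c.defer_attack)    # pass at or below this
    g = c.flag_benign - c.pass_benign
    gamma = g / (g + c.pass_attack - c.flag_attack)    # two-way cut-off
    return alpha, beta, gamma

def three_way(p, alpha, beta):
    """Map P(attack) to an immediate decision or to the boundary region."""
    if p >= alpha:
        return "attack"
    if p <= beta:
        return "benign"
    return "defer"

def classify(flows, second_pass, losses=Losses()):
    """Decide confident flows at once; re-score deferred ones and decide again."""
    alpha, beta, gamma = thresholds(losses)
    labels, deferred = {}, []
    for flow_id, p in flows:
        region = three_way(p, alpha, beta)
        if region == "defer":
            deferred.append(flow_id)
        else:
            labels[flow_id] = region
    for flow_id in deferred:  # assumption: the delayed pass is final and two-way
        labels[flow_id] = "attack" if second_pass(flow_id) >= gamma else "benign"
    return labels, deferred

# Constructed P(attack) scores: first pass, then re-scored boundary flows.
CONSTRUCTED_FLOWS = [("f1", 0.97), ("f2", 0.03), ("f3", 0.55), ("f4", 0.20), ("f5", 0.72)]
CONSTRUCTED_SECOND_PASS = {"f3": 0.81, "f4": 0.30}

if __name__ == "__main__":
    print(classify(CONSTRUCTED_FLOWS, CONSTRUCTED_SECOND_PASS.get))
```

Raising the cost of a missed attack lowers beta and gamma, so fewer flows are passed as benign without a second look.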

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12077717/full.md

## Figures

10 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12077717/full.md

## References

35 references — full list in the complete paper: https://tomesphere.com/paper/PMC12077717/full.md

---
Source: https://tomesphere.com/paper/PMC12077717