
A novel unsupervised learning method for intrusion detection in software defined networks

Zakaria Abou El Houda (1,3), Abdelhakim Senhaji Hafid (1), and Lyes Khoukhi (2)

(1) NRL, Department of Computer Science and Operational Research, University of Montreal, Canada
(2) GREYC CNRS, ENSICAEN, Normandie University, France
(3) ICD, University of Technology of Troyes, France

Abstract. In recent years, there has been a huge increase in the number of attacks that cause huge damage and financial losses for both educational and business organizations. Intrusion detection systems (IDSs) play a key role in ensuring network security. With the emergence of new types of security threats, traditional IDSs based on pattern matching and signature filtering are limited by their need for new/up-to-date attack patterns. To tackle this issue, Machine learning and Deep learning (ML/DL) techniques have been proposed in the literature to enhance the detection ability of traditional IDSs. In this paper, we investigate a novel problem of using unsupervised learning in the task of network intrusion detection in software defined networks (SDN). In particular, we develop a novel outlier detection method with Isolation Forest (IDS-IF) to effectively detect network anomalies in SDN. Most of the existing unsupervised ML/DL techniques suffer from high false positive rates since they consider any deviation from the normal behavior as intrusion. To alleviate this issue, IDS-IF isolates intrusions instead of profiling normal data samples. The proposed solution not only enhances the detection performance but also reduces the false positive rates as well as computational complexity. The experimental results using the well-known public network security dataset KDD show that IDS-IF outperforms a recent state-of-the-art outlier detection method (i.e., Local Outlier Factor (LOF)) in terms of accuracy, F1 score, and false positive rates, making it a promising method to cope with the new emerging security threats in SDN.

Keywords: IDS · Unsupervised learning · Isolation Forest · SDN.

1 Introduction

The Internet has become an essential element for individuals and organizations to build online businesses, conduct online education, and improve the human ability to work and perform activities at any time and from anywhere. The increased dependency on the Internet is accompanied by numerous security and privacy risks (e.g., security issues with Internet of things (IoT) devices and theft of sensitive data). The new emerging security threats have been increasing in sophistication and strength and are predicted to cost huge financial losses of about $20 Billion (USD) by 2021 [1] for both educational and business organizations. Also, the recent emergence of IoT botnets (e.g., Mirai botnet), as well as the rapid growth in the number of insecure IoT devices, with an estimation of 75 billion connected devices by the end of 2025 [2], can provide attackers with more sophisticated tools (e.g., Botnet as-a-service) to conduct large scale and devastating attacks. To ensure the security of networks, Internet service providers (ISPs) make use of firewalls to control/filter connections between the local network and the Internet. Also, multiple security enforcement mechanisms such as anti-virus, access control, and data encryption are used to protect the network from any suspicious activity. However, it has been shown that these security measures are not sufficient to fully protect the network against zero-day attacks.
To this end, in addition to these preventive security mechanisms, intrusion detection systems (IDSs) are used to effectively and timely secure the network against any type of suspicious/unauthorized activity that can cause collateral damage to either data integrity, data confidentiality, or data availability. Intrusion detection systems (IDSs) play a key role in ensuring the security of the network. IDSs can be categorized into two categories: (1) Signature filtering-based Intrusion Detection Systems (Misuse-Based detection, SFIDS); and (2) Anomaly-based Intrusion Detection Systems (A-IDS). SFIDSs detect network anomalies by using a pre-defined attack pattern/signature of well-known intrusions, while A-IDSs learn normal behaviors of activities and consider any deviation as intrusion. SFIDSs are vulnerable to zero-day attacks and are limited by their need for new/up-to-date attack patterns, while A-IDSs suffer from a high false positive rate.
Software defined networks (SDN) is a novel paradigm that leverages network
programmability to solve the limitations of conventional networks. SDN provides
new capabilities through a logically centralized component, to cope with the new
emerging security threats ranging from DDoS attacks to phishing to data leakage
[3–13].
The recent emergence of Machine learning and Deep learning (ML/DL) techniques has achieved promising results in many fields [14–18]. In order to efficiently/timely handle the task of intrusion detection, IDSs adopted these ML/DL techniques. ML/DL based IDSs can effectively detect existing and new network security threats [19–21]. In this chapter, we investigate a novel problem of using unsupervised learning in the task of network anomaly/intrusion detection in software defined networks (SDN). Most existing unsupervised ML/DL based IDSs such as clustering-based techniques (e.g., K-means [22]), try to find a profile of similar/normal data samples, then classify others/dissimilar as anomalies/intrusions. These techniques have two main drawbacks: (1) high false positive rates since they consider any deviation from the normal behavior as intrusion; and (2) high computational complexity since they focus on memorizing a large number of normal data sample patterns (i.e., hidden feature learning). To alleviate these issues, we develop a novel outlier detection method with Isolation Forest (IDS-IF) that can effectively detect network anomalies in SDN while having a low false positive rate as well as low computational complexity. To achieve this, IDS-IF isolates intrusions instead of profiling normal data samples. Anomalies/Intrusions are mostly few and rare/different data samples (i.e., minority in the dataset), which makes them susceptible to isolation with low computation rather than profiling a large number of normal data samples. IDS-IF not only enhances the detection performance but also reduces the false positive rates as well as computational complexity. The experimental results using the well-known public network security dataset KDD [23] show that IDS-IF outperforms a recent state-of-the-art outlier detection method (i.e., Local Outlier Factor (LOF)) in terms of accuracy, F1 score, and false positive rates, making it a promising method to cope with the new emerging security threats in SDN.
The main contributions of this paper can be summarized as follows:

– We propose a novel lightweight unsupervised learning method for anomaly/intrusion detection in a software defined networks (SDN) environment.
– We propose a novel outlier detection method with Isolation Forest (IDS-IF) to effectively detect network anomalies in SDN.
– We evaluate the performance of IDS-IF in terms of accuracy, F1 score, and computational complexity. We compare the performance of IDS-IF with a recent state-of-the-art outlier detection method. The experimental results show that IDS-IF achieves security and high accuracy/F1 score in detecting new security threats, making it a promising method to cope with the new emerging security threats in SDN.

The remainder of this chapter is organized as follows. In Section II, we present a review of related works in supervised and unsupervised ML/DL techniques for anomaly/intrusion detection and we discuss the main limitations. Then, we present a general overview of IDS-IF in Section III. In Section IV, we describe the design and specification of IDS-IF. In Section V, we present the performance evaluation of IDS-IF. Finally, Section VI concludes the paper.

2 Related Works
The new emerging security threats are becoming more devastating; several state-
of-the-art works have integrated supervised and unsupervised ML/DL techniques
to improve the efficiency of traditional IDSs to cope with these attacks. In the
following, we overview the most representative ML/DL based IDSs as well as
their security issues.
Ruoning et al. [24] proposed a novel real-time intrusion detection scheme that uses a dynamic cumulative-distance anomaly detection algorithm (i.e., k-nearest neighbors (k-NN)). Their proposed architecture consisted of a distributed data processing platform that uses Flume for reliable log data aggregation and collection, and Storm for distributed and reliable stream processing. The effectiveness of the proposed scheme was evaluated using a real-world dataset. The experimental results showed that this algorithm is suitable for real-time network anomaly detection in high-speed networks.
Yang et al. [25] developed a new framework that uses support vector machines
(SVM) method to detect and mitigate network anomalies in a SDN environment.
This framework consisted of three modules: (1) a traffic collection module, to
extract network traffic features/characteristics and prepare them for network
traffic identification module; (2) a network anomaly identification module, to
perform the classification and to identify anomalies using SVM method; and
(3) a flow table delivery module, to dynamically adjust Openflow (OF) rules
according to the attack identification module. The effectiveness of the proposed
framework was tested and evaluated using KDD’99 dataset.
Majjed et al. [26] designed an effective DL framework, self-taught learning
(STL-IDS), that uses a sparse autoencoder (SAE) along with a support vector
machines (SVM) method to detect and mitigate network anomalies. STL-IDS
uses a feature selection method and a dimensionality reduction scheme to reduce
training time complexity while improving the prediction accuracy using the SVM
algorithm.
Taher et al. [27] proposed a novel supervised ML method that uses Artificial Neural Network (ANN) along with a feature selection method to detect and mitigate network anomalies. The authors have shown that ANN with a feature selection method outperforms SVM with respect to intrusion detection rate. The effectiveness of the proposed framework was tested and evaluated using NSL-KDD dataset.
Yin et al. [28] proposed a novel deep learning scheme (RNN-IDS) that uses recurrent neural networks for network intrusion detection. The authors have studied the performance of RNN-IDS in binary and multi-class classification using NSL-KDD dataset. The experimental results showed that RNN-IDS outperforms shallow ML models with respect to detection accuracy.
Wang et al. [29] proposed a hierarchical spatial-temporal feature-based IDS called HAST-IDS. HAST-IDS has two main stages: (1) it uses deep convolutional neural networks (CNNs) to learn the low-level spatial features of network traffic; and (2) it uses LSTM (Long short-term memory) to learn a high-level temporal feature. The effectiveness of the proposed framework was tested and evaluated using the standard DARPA and ISCX2012 datasets.
Tuan et al. [30] proposed a light-weight unsupervised learning scheme based on the Local Outlier Factor (LoF) algorithm to detect and mitigate network anomalies (e.g., DDoS attacks) in a SDN environment. LoF measures the local deviation of a given data sample with respect to its neighbors (i.e., local density). The proposed solution requires minimal network resources and achieved promising results using CAIDA dataset.
Gao et al. [31] proposed an adaptive ensemble learning method that combines multiple shallow ML models (i.e., Decision Trees (DT), support vector machine (SVM), logical regression (LR), k-nearest neighbors (KNN), Adaboost, random forests (RF), and deep neural networks) to increase the detection rate of shallow ML models. Also, they have proposed an ensemble adaptive voting algorithm. The effectiveness of the proposed framework was tested and evaluated using NSL-KDD dataset.
Based on our analysis of existing works [24–30], we found that a number of these schemes [27–30] are computationally expensive. Also, most of them suffer from high false positive rates since they consider any deviation from the normal behavior as intrusion. To address the shortcomings of the existing solutions [24–30], we propose a novel outlier detection method with Isolation Forest (IDS-IF) to effectively detect network anomalies in SDN. IDS-IF isolates intrusions instead of profiling normal data samples; it does not use any computationally expensive method (i.e., density measure, distance measure) to detect intrusions. Also, IDS-IF can handle large size and extremely high-dimensional problems. IDS-IF not only enhances the detection performance but also reduces false positive rates as well as computational complexity. The experimental results using the well-known public network security dataset KDD [23] show that IDS-IF outperforms a recent state-of-the-art outlier detection method [30] in terms of accuracy, F1 score, and false positive rates, making it a promising method to cope with the new emerging security threats in SDN.

3 IDS-IF: An Overview
This section presents an overview of IDS-IF. When designing IDS-IF, we considered the following goals/objectives. First, IDS-IF should ensure/guarantee a full protection from the new emerging security threats. Unlike existing ML/DL based IDSs [24–30], which try to find a profile of similar/normal data samples and then classify others/dissimilar as anomalies/intrusions, IDS-IF aims to isolate intrusions instead of profiling normal data samples. Anomalies/Intrusions are mostly few and rare/different data samples, which makes them susceptible to isolation with low computation rather than profiling normal data samples that consist of a large number of data samples. Then, these anomalies/intrusions should be effectively and timely detected/mitigated, using an OpenFlow (OF) security policy, and the overall system has to be as secure as possible.
Fig. 1 shows the architecture of IDS-IF. IDS-IF has two phases: (1) a novel outlier detection method with Isolation Forest (IDS-IF) to effectively detect network anomalies in SDN; this method is implemented on the application plane (i.e., on top of the SDN controller); and (2) a security policy mitigation scheme to effectively mitigate network anomalies, allowing these network security threats to be detected and mitigated in a timely and effective manner. The Northbound API (i.e., REST API) is used in the detection/mitigation process to offer the inter-operability to use/manage any type of SDN controller (e.g., Ryu OpenFlow controller [32], Floodlight OpenFlow controller [33]).

4 IDS-IF
In this section, we describe in more detail IDS-IF; in particular, we describe how
it effectively isolates anomalies without normal data sample profiling.

[Figure: IDS-IF; Security Action and Policy; Northbound APIs (e.g., REST API); AS A, AS B, AS C; Southbound APIs (e.g., OpenFlow)]

Fig. 1. System architecture.

IDS-IF isolates intrusions/anomalies instead of profiling normal data samples; it utilizes the fact that anomalies/intrusions are mostly few and rare/different data samples, which makes them susceptible to isolation with low computation rather than profiling a large number of normal data samples. IDS-IF is mainly based on decision trees; we define the path length p(z) of a data point z as the number of edges that the data point z traverses from the root of the tree to the external node of the tree. Abnormal data points are mostly few and have a different representation (e.g., feature space), which results in a shorter path p(z) in the tree. The closer a data point is to the root of the tree (i.e., the shorter its path length p(z)), the more likely it is an intrusion.
In IDS-IF, a forest is constructed from multiple decision trees; each tree is trained on a subset of the data. To construct an optimal tree, a random subset of features is selected. Then, we construct multiple splits using different features. Several methods (i.e., Information Gain (IG) using entropy and Gini Index) can be used to select the best feature that maximizes the information for a particular split in the tree. In IG, we use entropy to measure the degree of randomness; the higher the value of the IG, the greater the disorder. Thus, the intention is to decrease the entropy from the top of the tree (i.e., root node) to the bottom of the tree (i.e., leaf node). IG is defined as follows:

$$IG = -\sum_{j=1}^{N} p_j \log(p_j) \tag{1}$$

where $p_j$ is the class probability.


Gini Index or Gini impurity computes the amount of probability of a particular feature that is misclassified when selected randomly. Gini Index measure is defined as follows:

$$GI = 1 - \sum_{j=1}^{N} p_j^{2} \tag{2}$$

where $p_j$ is the probability of a misclassified feature.


Once an optimal tree is constructed using the aforementioned metrics, an anomaly score is calculated, for each data point z, as follows:

$$sc(z, m) = 2^{-\frac{E(p(z))}{c(m)}} \tag{3}$$

where p(z) is the path length of a data point z, m is the number of external nodes, E(p(z)) is the average of p(z), and c(m) is the average path length of an unsuccessful search in a binary search tree (BST); it is defined as follows:

$$c(m) = 2H(m-1) - \frac{2(m-1)}{m} \tag{4}$$

where H(j) is the harmonic number, which can be estimated using Euler's constant (i.e., ln(j) + 0.5772156649).
Using the anomaly score in Eq. 3, we can classify each data point z as either
normal or abnormal. A score s close to 1 for a particular data point z, indicates
that z is very likely an abnormal data point, while a score s close to 0 for a
particular data point z, indicates that z is very likely a normal data point.
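
The scoring of Eqs. (3) and (4), as an added example that is not the authors' implementation (they used scikit-learn): a standard-library isolation forest that rescales features as in Eq. (5) and scores every record with sc(z, m). It uses the random feature and random threshold splits of the standard Isolation Forest algorithm rather than the IG/Gini selection mentioned above; the feature columns, flow values, tree count, sample size and depth limit are constructed assumptions.

```python
import math
import random

EULER_GAMMA = 0.5772156649  # constant the text uses to estimate H(j)


def c_factor(m):
    """Eq. (4): average path length of an unsuccessful search in a BST of m points."""
    if m <= 1:
        return 0.0
    if m == 2:
        return 1.0  # exact value, because H(1) = 1
    return 2.0 * (math.log(m - 1) + EULER_GAMMA) - 2.0 * (m - 1) / m


def standardize(rows):
    """Eq. (5): rescale each feature to zero mean and unit standard deviation."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stdevs = [math.sqrt(sum((v - mu) ** 2 for v in c) / len(c)) or 1.0
              for c, mu in zip(cols, means)]
    return [[(v - mu) / sd for v, mu, sd in zip(r, means, stdevs)] for r in rows]


def build_tree(rows, depth, max_depth, rng):
    """Grow one isolation tree; an external node only records how many points it holds."""
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    feat = rng.randrange(len(rows[0]))
    lo = min(r[feat] for r in rows)
    hi = max(r[feat] for r in rows)
    if lo == hi:  # feature is constant in this node, nothing to split on
        return {"size": len(rows)}
    thr = rng.uniform(lo, hi)
    return {
        "feat": feat,
        "thr": thr,
        "left": build_tree([r for r in rows if r[feat] < thr], depth + 1, max_depth, rng),
        "right": build_tree([r for r in rows if r[feat] >= thr], depth + 1, max_depth, rng),
    }


def path_length(node, z):
    """p(z): edges from the root to z's external node, plus c(size) for unsplit points."""
    edges = 0
    while "feat" in node:
        node = node["left"] if z[node["feat"]] < node["thr"] else node["right"]
        edges += 1
    return edges + c_factor(node["size"])


def fit_forest(rows, n_trees=100, sample_size=256, seed=7):
    """Train each tree on its own random subset of the data (assumed sizes)."""
    rng = random.Random(seed)
    m = min(sample_size, len(rows))
    max_depth = math.ceil(math.log2(m))
    trees = [build_tree(rng.sample(rows, m), 0, max_depth, rng) for _ in range(n_trees)]
    return trees, m


def anomaly_score(trees, m, z):
    """Eq. (3): sc(z, m) = 2 ** (-E(p(z)) / c(m)); values near 1 indicate an intrusion."""
    mean_path = sum(path_length(t, z) for t in trees) / len(trees)
    return 2.0 ** (-mean_path / c_factor(m))


def make_flows(seed=1):
    """Constructed sample: 500 normal flows plus 5 abnormal ones (about 1%)."""
    rng = random.Random(seed)
    # Columns (constructed values): duration in seconds, src_bytes, dst_bytes.
    rows = [[abs(rng.gauss(2, 1)), rng.gauss(300, 50), rng.gauss(1500, 300)]
            for _ in range(500)]
    labels = [0] * 500
    for _ in range(5):
        rows.append([rng.uniform(40, 80), rng.uniform(8000, 12000), rng.uniform(0, 50)])
        labels.append(1)
    return rows, labels


def run_demo():
    """Score every constructed flow; returns (scores, labels) in input order."""
    rows, labels = make_flows()
    scaled = standardize(rows)
    trees, m = fit_forest(scaled)
    return [anomaly_score(trees, m, z) for z in scaled], labels


if __name__ == "__main__":
    scores, labels = run_demo()
    for score, label in sorted(zip(scores, labels), reverse=True)[:8]:
        print(f"score={score:.3f}  label={'abnormal' if label else 'normal'}")
```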

4.1 Evaluation of IDS-IF

In this section, we present the evaluation of IDS-IF. First, we introduce the experimental environment. Then, we evaluate the performance of IDS-IF.

4.2 Experimental Environment

The implementation of IDS-IF is done using scikit-learn [34], an open source library that integrates a wide range of supervised and unsupervised machine learning techniques. Various functions of scikit-learn were used to implement IDS-IF. We ran our experiments on Google Colaboratory [35] using the Tesla T4 GPU. We used the well-known public network security dataset KDD'99 [23] that was created and maintained by MIT Lincoln Laboratory for the 1998 DARPA Intrusion Detection Evaluation Program. KDD'99 data records were collected over nine weeks during the third International Knowledge Discovery and Data Mining Competition in a local area network (LAN) that simulates a typical United States Air Force LAN; it contains about five million connection records. The dataset was created with the aim of providing the research community with a large training dataset for supervised learning techniques. Table 1 shows samples of the KDD dataset. Each data sample can be categorized as one of the five classes: Distributed Denial of Service (DDoS), Probe (Probing), User to Root Attack (U2R), and Remote to Local Attack (R2L).

Table 1. Samples of KDD dataset

KDD contains a large proportion of about 80% of abnormal data; this is unrealistic in the real world. Thus, we transform KDD into two datasets: SA and SF. SA contains all normal observations with a small proportion of about 1% of abnormal data of KDD dataset. SF contains all normal observations with a small proportion of about 0.3% of abnormal data of KDD dataset. This makes them suitable for such unsupervised tasks. Table 2 shows the details of KDD, SA, and SF datasets. KDD dataset contains about five million data records; it contains 41 features per record that can be either continuous or discrete. SA dataset contains about one million data records; it contains 41 features per record that can be either continuous or discrete. SF dataset contains about one million data records; it contains 4 features per record that can be either continuous or discrete. The output label that contains the name of the attack is changed to numerical values according to Table 3. For the data pre-processing phase, we have encoded categorical/non-numeric features (i.e., flag feature and service feature) into numeric values. Then, we have re-scaled the values of the features according to Eq. (5) using a standardization technique.

$$X_i' = \frac{X_i - Mean(X_i)}{stdev(X_i)} \tag{5}$$

where $X_i$ denotes a data input feature (e.g., flag), and $Mean(X_i)$ and $stdev(X_i)$ denote, respectively, the mean and standard deviation values of each data input feature.

Table 2. Details of KDD, SA, and SF datasets

Dataset  Records  Dimensionality  Type of features     Label
KDD      4898431  41              Continuous/Discrete  Normal/Abnormal
SA       976158   41              Continuous/Discrete  Normal/Abnormal
SF       699691   4               Continuous/Discrete  Normal/Abnormal

Table 3. KDD labels

Label   Binary
Normal  0
DoS     1
Probe   1
R2L     1
U2R     1

4.3 Performance Evaluation


We evaluate the performance of IDS-IF in terms of Accuracy, Precision, detection rate (DR), area under the ROC Curve (AUC), and F1-score. The ROC curve shows TPR (True Positive Rate) against FPR (False Positive Rate). Finally, a confusion matrix is used to show the overall performance of IDS-IF (see Table 4).
Accuracy is the percentage of the number of correct classifications over the total number of classifications. Accuracy is defined as follows:

$$Accuracy = \frac{TP + TN}{TP + TN + FP + FN} \tag{6}$$

Precision is the percentage of the number of correct classifications of anomalies/intrusions over the total number of classified anomalies/intrusions. Precision is a good performance metric for a highly imbalanced class distribution; it is defined as follows:

$$Precision = \frac{TP}{TP + FP} \tag{7}$$

Detection rate (DR) is the percentage of the number of correct classifications of anomalies/intrusions over the total number of presented anomalies/intrusions. DR is defined as follows:

$$Recall = DR = TPR = \frac{TP}{TP + FN} \tag{8}$$

Table 4. Confusion matrix.

               Classified as abnormal  Classified as normal
Abnormal data  TP (True Positives)     FN (False Negatives)
Normal data    FP (False Positives)    TN (True Negatives)

Table 5. Used scenarios

Scenarios  Type                   Dataset
1          Binary Classification  SA
2          Binary Classification  SF

It is often convenient to combine multiple performance metrics (i.e., precision and recall) into a single metric called F1 score. F1 is the harmonic mean of the precision and recall; it is defined as follows:

$$F1 = \frac{2}{\frac{1}{Precision} + \frac{1}{Recall}} \tag{9}$$

False positive rate (FPR) is the percentage of the number of anomalies/intrusions incorrectly classified as normal data over the total number of negative samples. FPR is defined as follows:

$$FPR = \frac{FP}{TN + FP} \tag{10}$$

where TP (True Positives) represent anomalies/intrusions that are correctly identified/classified as intrusions, FN (False Negatives) represent anomalies/intrusions that are classified as normal data samples, FP (False Positives) represent normal data samples that are identified/classified as anomalies/intrusions, and TN (True Negatives) represent normal data samples that are identified/classified as normal data samples.
To test the effectiveness of IDS-IF, we defined two scenarios that are summarized in Table 5. For scenario 1, we consider a binary classification using SA dataset that contains 1% of abnormal data of KDD dataset. For scenario 2, we consider a binary classification using SF dataset that contains 0.3% of abnormal data of KDD dataset.
We compare the performance of IDS-IF with a recent state-of-the-art outlier detection method [30] in terms of Accuracy, Precision, Recall, and F1 score in both scenarios. Higher values of these performance metrics indicate a better classification model.
Figs. 2 and 3 show the confusion matrices on the KDD dataset for scenario 1 and scenario 2, respectively. In scenario 1, IDS-IF achieves 89%, 97%, 88%, 94%, 92% in accuracy, precision, recall, AUC, and F1 score, respectively; while LoF achieves 81%, 93%, 82%, 46%, 87% in accuracy, precision, recall, AUC, and F1 score, respectively. In scenario 2, IDS-IF achieves 89%, 96%, 88%, 85%, 91% in accuracy, precision, recall, AUC, and F1 score, respectively; while LoF achieves 81%, 91%, 81%, 47%, 87% in accuracy, precision, recall, AUC, and F1 score, respectively. Table 6 shows the performance metrics of IDS-IF and LoF on KDD dataset. We observe that in both scenarios, IDS-IF achieves the highest accuracy, precision, recall, AUC, and F1 score, making it a promising method to mitigate the new emerging threats in SDN environment.

Table 6. Performance metrics of IDS-IF and LoF on KDD dataset

Methods  Scenarios   Accuracy  Precision  Recall  AUC  F1
IDS-IF   Scenario 1  89%       97%        88%     94%  92%
LoF      Scenario 1  81%       93%        82%     46%  87%
IDS-IF   Scenario 2  89%       96%        88%     85%  91%
LoF      Scenario 2  81%       91%        81%     47%  87%

Fig. 2. Confusion matrices for scenario 1 on KDD dataset for: a) IDS-IF; and b) LoF.

Fig. 3. Confusion matrices for scenario 2 on KDD dataset for: a) IDS-IF; and b) LoF.

5 Conclusion
In this paper, we proposed a novel outlier detection method with Isolation Forest (IDS-IF) to effectively detect network anomalies in SDN. The experimental results using the well-known public network security dataset KDD showed that IDS-IF outperforms a recent state-of-the-art outlier detection method (i.e., Local Outlier Factor (LOF)) in terms of accuracy, precision, recall, AUC, F1 score, and false positive rates, making it a promising method to cope with the new emerging security threats in SDN.
References

1. S. Morgan, “Global ransomware damage costs predicted to reach $20 billion (usd) by 2021.” [Online]. Available: https://cybersecurityventures.com/
2. L. Horwitz, “The future of iot miniguide: The burgeoning iot market continues.” [Online]. Available: https://www.cisco.com/c/en/us/solutions/internet-of-things/future-of-iot.html
3. S. Scott-Hayward, S. Natarajan, and S. Sezer, “A survey of security in software defined networks,” IEEE Communications Surveys Tutorials, vol. 18, no. 1, pp. 623–654, Firstquarter 2016.
4. Z. A. El Houda, L. Khoukhi, and A. Hafid, “Chainsecure - a scalable and proactive solution for protecting blockchain applications using sdn,” in 2018 IEEE Global Communications Conference (GLOBECOM), 2018, pp. 1–6.
5. D. B. Rawat and S. R. Reddy, “Software defined networking architecture, security and energy efficiency: A survey,” IEEE Communications Surveys Tutorials, vol. 19, no. 1, pp. 325–346, Firstquarter 2017.
6. Z. A. El Houda, A. Hafid, and L. Khoukhi, “Co-iot: A collaborative ddos mitigation scheme in iot environment based on blockchain using sdn,” in 2019 IEEE Global Communications Conference (GLOBECOM), 2019, pp. 1–6.
7. D. Zhou, Z. Yan, G. Liu, and M. Atiquzzaman, “An adaptive network data collection system in sdn,” IEEE Transactions on Cognitive Communications and Networking, vol. 6, no. 2, pp. 562–574, 2020.
8. Z. Abou El Houda, A. S. Hafid, and L. Khoukhi, “Cochain-sc: An intra- and inter-domain ddos mitigation scheme based on blockchain using sdn and smart contract,” IEEE Access, vol. 7, pp. 98 893–98 907, 2019.
9. Z. A. E. Houda, A. Hafid, and L. Khoukhi, “Blockchain meets ami: Towards secure advanced metering infrastructures,” in ICC 2020 - 2020 IEEE International Conference on Communications (ICC), 2020, pp. 1–6.
10. T. Alharbi, “Deployment of blockchain technology in software defined networks: A survey,” IEEE Access, vol. 8, pp. 9146–9156, 2020.
11. Z. A. E. Houda, A. Hafid, and L. Khoukhi, “Blockchain-based reverse auction for v2v charging in smart grid environment,” in ICC 2021 - 2021 IEEE International Conference on Communications (ICC), 2021, pp. 1–6.
12. H. Moudoud, S. Cherkaoui, and L. Khoukhi, “Towards a secure and reliable federated learning using blockchain,” in 2021 IEEE Global Communications Conference (GLOBECOM), 2021, pp. 01–06.
13. Z. A. El Houda, A. S. Hafid, and L. Khoukhi, “A novel machine learning framework for advanced attack detection using sdn,” in 2021 IEEE Global Communications Conference (GLOBECOM), 2021, pp. 1–6.
14. Y. Bengio, A. Courville, and P. Vincent, “Representation learning: A review and new perspectives,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 35, no. 8, pp. 1798–1828, 2013.
15. Y. Pei, Y. Huang, Q. Zou, X. Zhang, and S. Wang, “Effects of image degradation and degradation removal to cnn-based image classification,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 43, no. 4, pp. 1239–1253, 2021.
16. S. Mittal, M. Tatarchenko, and T. Brox, “Semi-supervised semantic segmentation with high- and low-level consistency,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 43, no. 4, pp. 1369–1379, 2021.
17. Z. A. E. Houda, A. Hafid, and L. Khoukhi, “Brainchain - a machine learning approach for protecting blockchain applications using sdn,” in ICC 2020 - 2020 IEEE International Conference on Communications (ICC), 2020, pp. 1–6.
18. Z. Abou El Houda, L. Khoukhi, and A. Senhaji Hafid, “Bringing intelligence to software defined networks: Mitigating ddos attacks,” IEEE Transactions on Network and Service Management, vol. 17, no. 4, pp. 2523–2535, 2020.
19. H. Moudoud, S. Cherkaoui, and L. Khoukhi, “An iot blockchain architecture using oracles and smart contracts: the use-case of a food supply chain,” in 2019 IEEE 30th Annual International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), 2019, pp. 1–6.
20. H. Moudoud, L. Khoukhi, and S. Cherkaoui, “Prediction and detection of fdia and ddos attacks in 5g enabled iot,” IEEE Network, pp. 1–8, 2020.
21. H. Moudoud, S. Cherkaoui, and L. Khoukhi, “Towards a scalable and trustworthy blockchain: Iot use case,” in ICC 2021 - 2021 IEEE International Conference on Communications (ICC), 2021, pp. 1–6.
22. K. P. Sinaga and M. Yang, “Unsupervised k-means clustering algorithm,” IEEE Access, vol. 8, pp. 80 716–80 727, 2020.
23. “Kdd cup 1999 dataset.” [Online]. Available: http://kdd.ics.uci.edu/databases/kddcup99/
24. Ruoning Song and Fang Liu, “Real-time anomaly traffic monitoring based on dynamic k-nn cumulative-distance abnormal detection algorithm,” in 2014 IEEE 3rd International Conference on Cloud Computing and Intelligence Systems, 2014, pp. 187–192.
25. L. Yang and H. Zhao, “Ddos attack identification and defense using sdn based on machine learning method,” in 2018 15th International Symposium on Pervasive Systems, Algorithms and Networks (I-SPAN), 2018, pp. 174–178.
26. M. Al-Qatf, Y. Lasheng, M. Al-Habib, and K. Al-Sabahi, “Deep learning approach combining sparse autoencoder with svm for network intrusion detection,” IEEE Access, vol. 6, pp. 52 843–52 856, 2018.
27. K. A. Taher, B. Mohammed Yasin Jisan, and M. M. Rahman, “Network intrusion detection using supervised machine learning technique with feature selection,” in 2019 International Conference on Robotics, Electrical and Signal Processing Techniques (ICREST), 2019, pp. 643–646.
28. C. Yin, Y. Zhu, J. Fei, and X. He, “A deep learning approach for intrusion detection using recurrent neural networks,” IEEE Access, vol. 5, pp. 21 954–21 961, 2017.
29. W. Wang, Y. Sheng, J. Wang, X. Zeng, X. Ye, Y. Huang, and M. Zhu, “Hast-ids: Learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection,” IEEE Access, vol. 6, pp. 1792–1806, 2018.
30. N. N. Tuan, N. Danh Nghia, P. H. Hung, D. Khac Tuyen, N. M. Hieu, N. Tai Hung, and N. H. Thanh, “An abnormal network traffic detection scheme using local outlier factor in sdn,” in 2020 IEEE Eighth International Conference on Communications and Electronics (ICCE), 2021, pp. 141–146.
31. X. Gao, C. Shan, C. Hu, Z. Niu, and Z. Liu, “An adaptive ensemble machine learning model for intrusion detection,” IEEE Access, vol. 7, pp. 82 512–82 521, 2019.
32. “Ryu controller.” [Online]. Available: https://ryu.readthedocs.io/en/latest/library.html
33. “Floodlight openflow controller.” [Online]. Available: https://floodlight.atlassian.net/wiki/spaces/HOME/overview
34. “Scikit-learn: Machine learning in python,” Journal of Machine Learning Research, vol. 12, no. 85, pp. 2825–2830, 2011. [Online]. Available: https://www.jmlr.org/papers/volume12/pedregosa11a/pedregosa11a.pdf
35. “Google colaboratory.” [Online]. Available: https://colab.research.google.com/
