An Improved Method for Anomalous Traffic Detection in SDN Based on Gated Feature Fusion

Abstract

Existing anomalous traffic detection methods based on feature fusion in Software-Defined Networking (SDN) lack adaptability in weight allocation mechanisms. Consequently, their detection accuracy and model generalization capabilities fail to meet practical security requirements. To solve these limitations, this paper proposes a refined detection method based on hybrid feature selection and gated fusion. First, the framework employs XGBoost combined with the Recursive Feature Elimination (RFE) algorithm. This process identifies shallow statistical features with high discriminative power. Simultaneously, the method utilizes a 1D Convolutional Neural Network (1D-CNN) integrated with a Squeeze-and-Excitation (SE) block to extract deep temporal semantic features. Subsequently, a tailored gated fusion mechanism incorporating linear projection layers for feature alignment adaptively integrates these two categories of features. The fused features are then input into a Multilayer Perceptron (MLP) to execute anomalous traffic detection. Experimental results demonstrate that the proposed method achieves superior performance. Specifically, on the InSDN Dataset, the binary and multi-classification accuracy rates reach 99.91% and 99.88%. Similarly, the accuracy rates on the NSL-KDD dataset are 99.78% and 99.76%. Finally, we established a local simulation environment. Experimental results demonstrate that our method attains an average precision exceeding 93% for anomalous traffic detection in simulated real scenarios.

1. Introduction

SDN [1] improves network flexibility through centralized control and programmable management. However, this architecture faces issues such as Distributed Denial of Service (DDoS) [2] attacks and Advanced Persistent Threats (APT) [3]. If these attacks compromise the SDN controller, the entire network risks paralysis. Therefore, anomalous traffic detection in SDN environments is critical for security assurance.

To solve these threats, SDN-based Intrusion Detection Systems (IDS) [4] have become core components of defense frameworks. Traditional IDS primarily rely on signature matching of anomalous traffic. Yu et al. [5] proposed a method combining unsupervised pre-training via stacked Dilated Convolutional Autoencoders (DCAEs) with supervised fine-tuning. This method demonstrated high accuracy and low false alarm rates in multiple classification tasks. However, the model training process is time-consuming. Furthermore, it lacks robustness against novel or obfuscated attacks and fails to identify them accurately. Consequently, research has shifted toward anomalous traffic detection methods based on Machine Learning (ML) and Deep Learning (DL). DL models, such as Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs), use powerful automatic feature learning capabilities. They capture complex, high-dimensional patterns from raw traffic. This leads to significant breakthroughs in detection accuracy. Yin et al. [6] proposed an intrusion detection method based on RNNs (RNN-IDS). Experimental results show that this method outperforms traditional machine learning methods in accuracy.

Despite the success of deep learning methods, these approaches face two core challenges in practical applications. First, most models focus on deep semantic features from packet content or temporal relationships. These models often neglect shallow statistical features, including traffic rate, packet length distribution, and connection duration. These features contain critical information. Such features intuitively reflect the macro-level behavioral state of the network. Furthermore, as demonstrated by [7], these features are vital for distinguishing normal traffic from specific attacks. Second, existing research mainly uses static strategies like simple concatenation or weighted averaging to fuse features from different sources. These methods cannot dynamically adjust feature importance based on traffic context. This leads to information redundancy or the obscuring of critical insights by noise. Ultimately, this limits model generalization and robustness.

To solve the problem of effectively fusing shallow statistical features with deep temporal semantic features, this paper proposes an anomalous traffic detection method in SDN based on hybrid feature selection and gated fusion. This method extracts two types of features in parallel. It uses XGBoost and RFE to identify discriminative shallow statistical features. Simultaneously, it uses a 1D-CNN and a SE block to extract deep temporal semantic features. Finally, a tailored gated fusion mechanism incorporating specialized projection layers assigns weights to both feature types adaptively based on input traffic characteristics. This achieves dynamic information complementarity by aligning the heterogeneous representation spaces of the extracted features.

The main contributions of this paper are summarized as follows:

(1)

We propose a hybrid feature extraction framework. It combines shallow statistical feature selection based on XGBoost-RFE with deep temporal feature extraction based on 1D-CNN-Attention. This effectively solves the problem of insufficient expressive power of single features.

(2)

We design a refined anomalous traffic detection method utilizing an adapted gated fusion unit. By integrating learnable linear transformations, this method dynamically adjusts fusion weights between shallow statistical features (XGBoost-RFE) and deep temporal semantic features (1D-CNN-Attention) based on input samples. This specialized design optimizes the integration of disparate SDN feature modalities, effectively solving the problems of information redundancy and noise interference.

The remainder of this paper is organized as follows: Section 2 reviews the related work in SDN security and anomaly detection techniques. Section 3 details the proposed improved anomalous traffic detection method based on gated feature fusion, including the model architecture and data preprocessing procedures. Section 4 presents the experimental analysis and results, providing a comprehensive evaluation of the model’s performance on the InSDN dataset. Finally, Section 5 concludes the paper and discusses potential directions for future research.

2. Related Work

The SDN architecture consists of three layers: the Data Plane, the Control Plane, and the Application Plane. SDN adopts a centralized Control Plane and a distributed Data Plane. This design achieves the separation of these two planes. The Control Plane utilizes southbound interfaces to manage interface forwarding. This facilitates the centralized management of network devices on the Data Plane. Furthermore, the Control Plane provides flexible programmable control to the Application Plane through northbound interfaces. This architecture improves network programmability and simplifies configuration operations for users. However, it simultaneously introduces new attack surfaces. Consequently, traditional intrusion detection solutions face numerous challenges in this environment. Therefore, various methods exist for anomalous traffic detection and defense in SDN. These methods are primarily categorized into statistical learning, traditional machine learning and deep learning, and feature fusion methods.

Intrusion detection systems based on statistical learning typically utilize traffic statistical features, information entropy, or distribution changes to identify anomalies. Braga et al. [7] proposed a lightweight detection method based on Self-Organizing Maps (SOM). However, its reliance on statistical traffic features for classification inherently limits its adaptability and robustness against novel or low-rate attacks. Aladaileh et al. [8] proposed a detection method based on generalized Rényi joint entropy. However, this method was primarily validated on UDP traffic. Consequently, its adaptability to complex attack types, such as TCP SYN or hybrid attacks, is insufficient. Aladaileh et al. [9] proposed a DDoS attack detection method based on entropy. However, it exhibits high false positive rates and low detection accuracy when facing low-rate, multi-target attacks.

Statistical-based methods demonstrate certain effectiveness in handling specific attack types. However, they typically rely on predefined thresholds and simple traffic characteristics. To solve these limitations, researchers apply machine learning methods to IDS. This aims to enhance detection accuracy and compensate for the deficiencies of statistical approaches. Song et al. [10] proposed Eunoia, a real-time threat awareness framework based on random forests and decision trees. However, as its cost function considers solely link utilization and latency metrics, the model demonstrates insufficient capabilities for fine-grained identification and differentiated responses to complex multi-stage attacks. Kokila et al. [11] proposed a DDoS attack detection framework based on Support Vector Machines (SVM). This approach emphasizes the deployability of single classifiers in low-overhead scenarios. However, it exhibits inadequate characterization of low-rate, multi-stage, or encrypted DDoS traffic, and lacks a closed-loop mechanism for online incremental learning and real-time flow rule updates. Mohd Mat Isa et al. [12] introduced an intrusion detection framework AERF. Nevertheless, when attack characteristics shift, the reconstruction distribution of its autoencoder is prone to variation, requiring model retraining to maintain accuracy and consequently leading to temporary detection blind spots.

Traditional machine learning methods provide satisfactory accuracy and efficiency when manual feature selection is sufficient. However, their adaptability to high-dimensional and dynamic data is limited, and the computational overhead remains significant in most scenarios. Consequently, deep learning has emerged as a core research direction for IDS. Brandão Lent et al. [13] proposed an unsupervised GAN model for DDoS detection in SDN. However, it requires alternating optimization of generator and discriminator, and is highly sensitive to hyperparameters, leading to unstable training. Chaganti et al. [14] proposed a deep learning method based on Long Short-Term Memory (LSTM) networks. However, model training relies heavily on large amounts of labeled data results in identification challenges when encountering unknown attack types. Ataa et al. [15] proposed an intrusion detection method for SDN environments. They constructed two deep learning models based on a CNN-LSTM hybrid architecture and a Transformer encoder architecture, respectively. However, model training and inference require considerable time. This is particularly true for the Transformer architecture, which demands high computational resources. Consequently, deployment becomes difficult.

While deep learning exhibits significant potential in automated feature extraction, existing models tend to overemphasize deep temporal semantic information, often at the expense of shallow statistical features that possess high discriminative value. To address this imbalance, researchers have introduced feature fusion techniques as a robust solution. Saheed et al. [16] proposed a hybrid feature selection method for intrusion detection systems. However, its performance heavily depends on the parameter settings of the Bat Algorithm (BA) and the modulus selection in the Residue Number System (RNS); thus, the stability of its generalization ability across diverse network environments warrants further validation. Damtew et al. [17] introduced a Heterogeneous Ensemble Feature Selection (HEFS) method. Nevertheless, this approach remains sensitive to feature selection thresholds and exhibits insufficient accuracy in identifying minority class samples. Ramkumar et al. [18] developed an intrusion detection method based on Deep Residual Networks (DRNs) by integrating RV coefficient feature fusion with the Exponential Sea Lion Optimization (ExpSLO) algorithm. However, its reliance on the Spark platform and protracted training times lead to suboptimal performance in high-throughput network environments.

In summary, existing research indicates that single detection models often struggle with accuracy and efficiency when facing high-dimensional and dynamic network traffic, primarily due to limitations in feature extraction dimensions. While feature fusion has emerged as a mainstream approach to enhancing detection performance, most current studies rely on static fusion strategies. Such methods lack the capability to adaptively adjust the weight distribution between shallow and deep features based on input sample characteristics, thereby restricting the model’s detection ceiling for novel or complex attacks.

Table 1. Summary of Related Work.

Ref.	Year	Model	Dataset	No. of Features	Highest Accuracy
					Binary	Multi-Class
[7]	2010	SOM-based detection	Self-collected dataset	6	98.61%	-
[8]	2021	GEADDDC (Rényi joint entropy-based detection)	Self-collected dataset	2	99.72%	-
[9]	2023	Entropy-based detection	Self-collected dataset	-	97%	-
[10]	2017	Decision Tree	KDD99	10	82.48%	-
				15	91.17%
[11]	2014	SVM	DARPA2000	-	-	95.11%
[12]	2017	Autoencoder and random forest	NSL-KDD	-	-	98.40%
[13]	2024	GAN	CICIDS2019	6	99.45%	-
[14]	2023	LSTM	DS1	25	97.70%	97.10%
[15]	2024	CNN-LSTM	InSDN	48	-	99.08%
				6		99.19%
				25		98.86%
[15]	2024	Transformer	InSDN	48	-	99.16%
				6		99.16%
				25		98.93%
[16]	2023	Bat-RNS+PCA+NB	NSL-KDD	16	-	97.82%
[17]	2023	Heterogeneous Ensemble Feature Selection (HEFS)	NSL-KDD	10	99.6%	-
[18]	2022	RV coefficient + ExpSLO-based DRN	MQTT Apache web server 2021	-	87.25%	-

provides a categorized summary of the aforementioned literature.

To solve the aforementioned limitations, this paper proposes an improved detection method based on hybrid feature selection and gated fusion. First, the framework utilizes the XGBoost model combined with the RFE algorithm. This process selects shallow statistical features with high discriminative power. Simultaneously, the method employs a 1D-CNN integrated with a SE block. This architecture extracts deep temporal semantic features. Subsequently, the paper designs a dynamic fusion module based on a gating mechanism. This mechanism fuses these two feature types dynamically. The fusion weights adjust adaptively according to input samples. Consequently, the method enhances detection accuracy and generalization capabilities. Meanwhile, the approach maintains model interpretability and computational controllability. Finally, the system feeds the fused features into a Multilayer Perceptron (MLP) to complete anomalous traffic detection. To validate the effectiveness of the method, we conducted extensive comparative and ablation experiments on datasets such as InSDN [19] and NSL-KDD [20]. A detailed description of these datasets, including traffic characteristics and sample distribution, is provided in Section 3.1.1. Furthermore, we designed and deployed a local simulation environment. This environment verifies the applicability and accuracy of the proposed method.

3. Improved Anomalous Traffic Detection Method Based on Gated Feature Fusion

To address the issues of limited accuracy, insufficient generalization capability, and inflexible feature fusion weights in existing single-stage detection models, this paper proposes a workflow, as illustrated in the technical architecture of Figure 1.

This workflow integrates data preprocessing, feature extraction, feature fusion, and anomaly detection. After the raw data are standardized through the preprocessing pipeline, the framework executes two parallel extraction processes: an XGBoost based RFE algorithm for capturing shallow statistical features, and a 1D-CNN integrated with an SE block for extracting deep temporal semantic features. These heterogeneous feature streams are dynamically integrated via an improved gated fusion module. Finally, an MLP performs anomalous traffic detection.

3.1. Data Preprocessing

Effective data preprocessing is essential to ensure the quality of the input traffic features and the subsequent performance of the detection models. In this section, we first provide a detailed description of the datasets used for evaluation in Section 3.1.1. Subsequently, the specific data processing procedures, including data cleaning, normalization, Label Encoding, and data splitting, are elaborated in Section 3.1.2.

3.1.1. Dataset Description

The InSDN Dataset [19], released in 2020, aims to bridge the gap in appropriate datasets for training models in SDN settings. Unlike traditional datasets collected from non-SDN environments, InSDN incorporates attack patterns with features unique to SDN architectures. These specific attributes are crucial for evaluating threat detection technologies in SDN contexts. Simulated attacks must account for the novel network architecture; for instance, attackers may employ techniques like “IPsweep” and “Portscan” to flood SDN controllers with unmatched flow packets, triggering frequent Packet-In events that consume significant bandwidth and controller resources. Consequently, such actions cause network instability and generate a novel form of DDoS attacks that do not conform to the traditional definition but remain applicable within SDN networks. While traditional datasets do not represent these scenarios, the InSDN Dataset effectively covers them, which is a primary reason for selecting it in this paper.

The InSDN Dataset encompasses SDN-specific attacks targeting conventional network components along with attacks targeting various standard traffic types. Specific attack categories cover multiple forms, including Denial of Service (DoS), DDoS, Probe, Botnet, Exploitation, Brute Force, and Web attacks. By employing multiple internal and external attack vectors, the dataset effectively simulates realistic and complex environments.

Furthermore, this paper employs the NSL-KDD benchmark dataset to validate the generalization capability and robustness of the proposed model. By applying identical preprocessing and training protocols to both datasets, we ensure an objective assessment of model adaptability across diverse network traffic environments.

The NSL-KDD dataset [20] serves as an enhanced version of the classic KDD Cup 1999 dataset. This improved benchmark resolves inherent flaws found in KDD99, such as redundant records and data imbalance, providing more reliable data for IDS and machine learning research. The NSL-KDD dataset comprises 41 features, ranging from protocol types and durations to login attempt count and connections to the same target host. The processed labels are categorized into normal data and four attack classes: R2L, DoS, U2R, and Probe. In the experiments of this paper, the framework employs the training set and test set of the NSL-KDD dataset for model training and evaluation, respectively.

3.1.2. Dataset Processing

Data preprocessing in this paper encompasses multiple steps, including data cleaning, normalization, and label encoding, to transform raw data into a standardized format suitable for model training. The specific implementation logic is summarized in Algorithm 1.

Algorithm 1 Data Preprocessing and Normalization Strategy

Require: Raw dataset ${\mathcal{D}}_{\mathrm{r}\mathrm{a}\mathrm{w}}$ in CSV format Ensure: Normalized training set ${\mathrm{D}}_{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}^{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m}}$ and testing set ${\mathrm{D}}_{\mathrm{t}\mathrm{e}\mathrm{s}\mathrm{t}}^{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m}}$ Initialize $\mathcal{D}\leftarrow {\mathcal{D}}_{\mathrm{r}\mathrm{a}\mathrm{w}}$ //Part1: Data Cleaning for each row $\mathrm{r}$ in $\mathcal{D}$ do if $\mathrm{r}$ contains any null or missing values then Remove $\mathrm{r}$ from $\mathcal{D}$ end if end for if ‘id’ column exists in $\mathcal{D}$ then Drop ‘id’ column from $\mathcal{D}$ end if //Part2: Label EncodingLet $\mathrm{L}$ be the ‘Label’ column in $\mathcal{D}$ Create a mapping $\mathrm{M}$ from each unique category in $\mathrm{L}$ to an integer Apply mapping $\mathrm{M}$ to transform column $\mathrm{L}$ into numerical labels //Part3: Data Splitting(Prevent Data Leakage) Split $\mathcal{D}$ into training set ${\mathcal{D}}_{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}$(70%) and testing set ${\mathcal{D}}_{\mathrm{t}\mathrm{e}\mathrm{s}\mathrm{t}}$(30%) //Part4: Feature Normalization(Min-Max Scaling) Let ${\mathrm{C}}_{\mathrm{n}\mathrm{u}\mathrm{m}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{c}}$ be the set of all numeric feature columns For each column $\mathrm{c}$ in ${\mathrm{C}}_{\mathrm{n}\mathrm{u}\mathrm{m}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{c}}$ do ${\mathrm{c}}_{\mathrm{m}\mathrm{i}\mathrm{n}}\leftarrow \mathrm{m}\mathrm{i}\mathrm{n}\left({\mathcal{D}}_{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}\right[\mathrm{c}\left]\right)$                         $⊳\mathrm{C}\mathrm{a}\mathrm{l}\mathrm{c}\mathrm{u}\mathrm{l}\mathrm{a}\mathrm{t}\mathrm{e} \mathrm{s}\mathrm{t}\mathrm{a}\mathrm{t}\mathrm{s} \mathrm{o}\mathrm{n} \mathrm{T}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n} \mathrm{s}\mathrm{e}\mathrm{t} \mathrm{O}\mathrm{N}\mathrm{L}\mathrm{Y}$ ${\mathrm{c}}_{\mathrm{m}\mathrm{a}\mathrm{x}}\leftarrow \mathrm{m}\mathrm{a}\mathrm{x}\left({\mathcal{D}}_{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}\right[\mathrm{c}\left]\right)$ for each value ${\mathrm{x}}_{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}$ in ${\mathcal{D}}_{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}\left[\mathrm{c}\right]$ do ${\mathrm{x}}_{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}\leftarrow ({\mathrm{x}}_{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}-{\mathrm{c}}_{\mathrm{m}\mathrm{i}\mathrm{n}})/({\mathrm{c}}_{\mathrm{m}\mathrm{a}\mathrm{x}}-{\mathrm{c}}_{\mathrm{m}\mathrm{i}\mathrm{n}})$ end for for each value ${\mathrm{x}}_{\mathrm{t}\mathrm{e}\mathrm{s}\mathrm{t}}$ in ${\mathcal{D}}_{\mathrm{t}\mathrm{e}\mathrm{s}\mathrm{t}}\left[\mathrm{c}\right]$ do ${\mathrm{x}}_{\mathrm{t}\mathrm{e}\mathrm{s}\mathrm{t}}\leftarrow ({\mathrm{x}}_{\mathrm{t}\mathrm{e}\mathrm{s}\mathrm{t}}-{\mathrm{c}}_{\mathrm{m}\mathrm{i}\mathrm{n}})/({\mathrm{c}}_{\mathrm{m}\mathrm{a}\mathrm{x}}-{\mathrm{c}}_{\mathrm{m}\mathrm{i}\mathrm{n}})$ end for End for Return ${\mathrm{D}}_{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}^{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m}}$,${\mathrm{D}}_{\mathrm{t}\mathrm{e}\mathrm{s}\mathrm{t}}^{\mathrm{n}\mathrm{o}\mathrm{r}\mathrm{m}}$

(1)

Data Cleaning

To further ensure data integrity, we perform a comprehensive inspection of all records. Upon detecting missing values or empty rows, the process removes the corresponding records. Furthermore, identifier columns that lack discriminative information are discarded, ensuring that the model focuses on critical features.

(2)

Normalization

The continuous features in the InSDN Dataset exhibit significant variations in numerical ranges. For example, the range for Tot Fwd Pkts (Total Forwarded Packets) is [0, 16,928]. Meanwhile, the range for Fwd Pkt Len Mind (Forward Packet Length Mean) is [0, 3900]. Consequently, the scales of different features vary substantially. To simplify arithmetic operations and unify value ranges, this paper uses Min-Max normalization. This method maps each feature linearly to the [0, 1] interval, thereby preventing features with larger magnitudes from dominating the learning process.

(3)

Label Encoding

To accommodate the numerical requirements of the classifiers, categorical attributes in the InSDN Dataset such as protocol type (proto), connection state (state), and service type (service)—must be transformed. While One-Hot Encoding is a common alternative, this paper employs the Label Encoding technique, which assigns a unique numerical label to each distinct category. This approach effectively preserves categorical information while facilitating feature extraction. Finally, the framework applies this encoding technique to the Label column to obtain numerical targets.

(4)

Data Splitting

To evaluate the model’s practical defense capability in dynamic SDN environments, this study adopts an Open-set Recognition (OSR) evaluation protocol rather than a standard closed-set split. In real-world SDN deployments, network administrators frequently encounter “zero-day” attacks or novel variants of existing threats that are not present in historical training logs. Traditional supervised learning, which assumes that the training and testing sets share the same label space, often fails to generalize to these unobserved categories.

Consequently, our data partitioning strategy is designed to simulate this “unseen threat” scenario. We define a subset of minority classes as “Unknown Attacks” to be excluded entirely from the training phase. For the InSDN dataset, these include BFA, BOTNET, U2R, and Web-Attack; for the NSL-KDD dataset, R2L and U2R are reserved. Specific information is shown in

Table 2. InSDN Dataset Details.

No.	Type	Description	Count
1	DDoS	Distributed Denial of Service	121,942
2	Probe	Probe Attack	98,129
3	Normal	Normal Traffic	68,424
4	DoS	Denial of Service	53,616
5	BFA	Brute Force Attack	1405
6	Web-Attack	Web Attack	192
7	BOTNET	Botnet	164
8	U2R	User-to-Root Attack	17

. The training set consists only of the remaining “Known” categories, split into a 7:3 ratio for training and baseline testing. The excluded minority samples are then reintroduced only during the testing phase to assess the model’s binary classification capability. Specifically, its ability to correctly identify these completely novel patterns as “Anomalous.”

We avoid using traditional oversampling techniques, such as SMOTE, which studies [21,22] have shown that SMOTE generates synthetic samples by interpolating between a small number of existing samples, effectively “leaking” the distribution of these specific attacks into the training process. While this can improve closed-set metrics, it often leads to overly optimistic performance, which fails when the model faces structurally different, truly unknown attacks. In contrast, our approach forces the model to learn robust latent representations of “normal” and “general attack” features, thereby enhancing its generalization ability to typical open-set challenges in SDN environments.

3.2. Feature Extraction

High-dimensional network traffic data often contains redundant or irrelevant attributes that may increase computational overhead and degrade model performance. Particularly when handling imbalanced or complex traffic patterns, certain features can drive model overfitting. Therefore, feature selection is essential for enhancing efficiency and generalization by identifying and retaining the most informative attributes. While dimensionality reduction improves generalization, it may occasionally discard features containing complementary information. In complex tasks like network intrusion detection, relying solely on single source features often proves insufficient to capture both underlying patterns and high-level semantic behaviors. To overcome this limitation, this paper employs a feature fusion strategy, the specific workflow of which is shown in Algorithm 2.

Algorithm 2 Feature Extraction and Gated Fusion

Require: Training set D_train, Test set D_test, Number of features to select $\mathrm{k}=45$ Ensure: Fused feature vectors ${\mathrm{F}}_{\mathrm{f}\mathrm{u}\mathrm{s}\mathrm{e}\mathrm{d}}$ for classification //Part1: Shallow Features Selection (XGBoost + RFE) Initialize XGBoost model ${\mathrm{M}}_{\mathrm{x}\mathrm{g}\mathrm{b}}$ and RFE selector with ${\mathrm{M}}_{\mathrm{x}\mathrm{g}\mathrm{b}}$ Train ${\mathrm{M}}_{\mathrm{x}\mathrm{g}\mathrm{b}}$ on D_train using 5-fold cross-validation to get feature importances Rank features based on average importance scores Use RFE to select the top $\mathrm{k}$ features from $\mathrm{X}$ Apply the selected feature indices to D_test to ensure consistent feature dimensionality without leakage. Let ${\mathrm{F}}_{\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{l}\mathrm{l}\mathrm{o}\mathrm{w}}$ be the resulting set of $\mathrm{k}$-dimensional shallow feature vectors. //Part2: Deep Feature Extraction(1D-CNN+SE Block) Initialize 1D-CNN model ${\mathrm{M}}_{\mathrm{c}\mathrm{n}\mathrm{n}}$ with a Squeeze-and-Excitation(SE) block Reshape each input sample ${\mathrm{X}}_{\mathrm{i}}$ to a 3D tensor ${\mathrm{F}}_{\mathrm{c}\mathrm{o}\mathrm{n}\mathrm{v}}\leftarrow {\mathrm{M}}_{\mathrm{c}\mathrm{n}\mathrm{n}}$.Conv1D(X) ${\mathrm{F}}_{\mathrm{s}\mathrm{e}}\leftarrow {\mathrm{M}}_{\mathrm{c}\mathrm{n}\mathrm{n}}$.SEBlock(${\mathrm{F}}_{\mathrm{c}\mathrm{o}\mathrm{n}\mathrm{v}}$) ${\mathrm{F}}_{\mathrm{d}\mathrm{e}\mathrm{e}\mathrm{p}}\leftarrow {\mathrm{M}}_{\mathrm{c}\mathrm{n}\mathrm{n}}$.AdaptiveAvgPool(${\mathrm{F}}_{\mathrm{s}\mathrm{e}}$)         $⊳$Extract deep feature vectors //Part3: Gated Fusion Mechanism Initialize linear projection layers ${\mathrm{P}}_{\mathrm{s}}$,${\mathrm{P}}_{\mathrm{d}}$ and gating layer ${\mathrm{L}}_{\mathrm{g}}$ For each sample $\mathrm{i}$ from 1 to N do   ${\mathrm{F}}_{\mathrm{s},\mathrm{i}}^{\prime }\leftarrow {\mathrm{P}}_{\mathrm{s}}({\mathrm{F}}_{\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{l}\mathrm{l}\mathrm{o}\mathrm{w}},\mathrm{i})$          $⊳$Project shallow features.   ${\mathrm{F}}_{\mathrm{d},\mathrm{i}}^{\prime }\leftarrow {\mathrm{P}}_{\mathrm{d}}({\mathrm{F}}_{\mathrm{d}\mathrm{e}\mathrm{e}\mathrm{p}},\mathrm{i})$           $⊳$Project deep features.   ${\mathrm{F}}_{\mathrm{c}\mathrm{o}\mathrm{n}\mathrm{c}\mathrm{a}\mathrm{t},\mathrm{i}}\leftarrow \mathrm{c}\mathrm{o}\mathrm{n}\mathrm{c}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{n}\mathrm{a}\mathrm{t}\mathrm{e}({\mathrm{F}}_{\mathrm{s},\mathrm{i}}^{\prime },{\mathrm{F}}_{\mathrm{d},\mathrm{i}}^{\prime })$   ${\mathrm{g}}_{\mathrm{i}}\leftarrow \mathrm{\sigma }\left({\mathrm{L}}_{\mathrm{g}}\right({\mathrm{F}}_{\mathrm{c}\mathrm{o}\mathrm{n}\mathrm{c}\mathrm{a}\mathrm{t},\mathrm{i}}\left)\right)$            $⊳$Calculate gate vector using Sigmoid $\mathrm{\sigma }$   ${\mathrm{F}}_{\mathrm{f}\mathrm{u}\mathrm{s}\mathrm{e}\mathrm{d},\mathrm{i}}\leftarrow {\mathrm{g}}_{\mathrm{i}}\odot {\mathrm{F}}_{\mathrm{s},\mathrm{i}}^{\prime }+(1-{\mathrm{g}}_{\mathrm{i}})\odot {\mathrm{F}}_{\mathrm{d},\mathrm{i}}^{\prime }$     $⊳\odot$ is element-wise product end for Return ${\mathrm{F}}_{\mathrm{f}\mathrm{u}\mathrm{s}\mathrm{e}\mathrm{d}}$

This approach integrates heterogeneous or multidimensional features to leverage the strengths of different feature subsets. The method combines shallow statistical characteristics with deep temporal semantic features. In this process, to ensure the rigor of the evaluation and prevent data leakage, the feature selection process using XGBoost-RFE is conducted strictly within the training folds. Specifically, the importance ranking and recursive elimination are determined solely based on training data, and the resulting feature subset is then applied to the test set for evaluation. By maintaining such strict data isolation, feature fusion effectively enriches the descriptive dimensions and depth of the input space without introducing evaluation bias. This mechanism constructs a more comprehensive representation of network behavior, and ultimately the fusion improves detection accuracy and model robustness.

3.2.1. Shallow Statistical Feature Selection Method Based on XGBoost and Recursive Feature Elimination

To identify the most discriminative features and reduce dimensionality, this study employs a hybrid strategy combining XGBoost with RFE. As an ensemble learning method, XGBoost excels in feature ranking and classification due to its capability to capture complex nonlinear interactions. The implementation process is described below.

Let Equation (1) denote the original sample set:

$$\mathrm{D} = {\left\{({\mathrm{x}}_{\mathrm{i}},{\mathrm{y}}_{\mathrm{i}})\right\}}_{\mathrm{i}=1}^{\mathrm{N}}$$

(1)

where ${\mathrm{x}}_{\mathrm{i}}\in {\mathbb{R}}^{\mathrm{d}}$ denotes the input vector with $\mathrm{d}$ features, and ${\mathrm{y}}_{\mathrm{i}}$ represents the corresponding class label.

As a gradient boosting tree model, XGBoost constructs the final prediction function by progressively fitting residual terms through additive models. Equation (2) presents the mathematical form of the prediction model.

$${\widehat{\mathrm{y}}}_{\mathrm{i}}={\displaystyle {\sum }_{\mathrm{t}=1}^{\mathrm{T}}}{\mathrm{f}}_{\mathrm{t}}({\mathrm{x}}_{\mathrm{i}}), {\mathrm{f}}_{\mathrm{t}}\in \mathrm{F}$$

(2)

where $\mathrm{T}$ denotes the total number of trees (set to 100), ${\mathrm{f}}_{\mathrm{t}}$ represents each individual regression tree, and $\mathrm{F}$ represents the function space of tree Equation (3) presents the objective function.

$$\mathrm{L}\left(\mathrm{\theta }\right)={\displaystyle {\sum }_{\mathrm{i}=1}^{\mathrm{N}}}\mathrm{l}({\mathrm{y}}_{\mathrm{i}},{\widehat{\mathrm{y}}}_{\mathrm{i}})+{\displaystyle {\sum }_{\mathrm{t}=1}^{\mathrm{T}}}\mathrm{\Omega }({\mathrm{f}}_{\mathrm{t}})$$

(3)

Here, the first term represents the loss function, while the second term denotes the structural regularization term used to control model complexity. Equation (4) defines this regularization term:

$$\mathrm{\Omega }\left(\mathrm{f}\right)=\mathrm{\gamma }\mathrm{T}+{\displaystyle \frac{1}{2}}\mathrm{\lambda }{\displaystyle {\sum }_{\mathrm{j}=1}^{\mathrm{T}}}{\mathrm{w}}_{\mathrm{j}}^2$$

(4)

where $\mathrm{\gamma }$ controls the quantity of trees, and $\mathrm{\lambda }$ controls the L2 regularization of the leaf node weights.

Following the training phase, this method evaluates feature importance based on the usage frequency or average gain. To enhance the stability of the assessment, this study uses 5-fold cross-validation. For each fold $\mathrm{k}\in \{1,2,\dots ,5\}$, the system trains XGBoost model separately. The process accumulates the score ${\mathrm{I}}_{\mathrm{j}}^{\left(\mathrm{k}\right)}$ for each feature. Finally, Equation (5) presents the calculation for the average importance score:

$${\stackrel{-}{\mathrm{I}}}_{\mathrm{j}} = {\displaystyle \frac{1}{\mathrm{K}}}{\displaystyle {\sum }_{\mathrm{k}=1}^{\mathrm{K}}}{\mathrm{I}}_{\mathrm{j}}^{\left(\mathrm{k}\right)}, \mathrm{K} = 5$$

(5)

The framework sorts the features in descending order based on these average scores, selecting the top $\mathrm{k}$ features as the candidate feature set. To further refine this subset, the RFE method is employed as a wrapper-based selection tool. The core principle involves evaluating the contribution of each feature during each iteration and removing the “least important” attribute until a target number of features is reached.

Let ${\mathrm{S}}^{\left(\mathrm{t}\right)}$ denote the feature subset at the current iteration. Equation (6) defines the update rule for each iteration:

$${\mathrm{S}}^{\left(\mathrm{t}\right)}={\mathrm{S}}^{(\mathrm{t}-1)}\setminus \left\{\arg \underset{{\mathrm{x}}_{\mathrm{j}}\in {\mathrm{S}}^{(\mathrm{t}-1)}}{\min }\mathrm{S}\mathrm{c}\mathrm{o}\mathrm{r}\mathrm{e}({\mathrm{x}}_{\mathrm{j}})\right\}$$

(6)

Here, $\mathrm{S}\mathrm{c}\mathrm{o}\mathrm{r}\mathrm{e}\left({\mathrm{x}}_{\mathrm{j}}\right)$ denotes the impact of feature ${\mathrm{x}}_{\mathrm{j}}$ on model performance. The process continues until the number of remaining features reaches the predefined limit $\mathrm{k}$. Although the study initially evaluates a total of 55 features,

Table 3. Selected Top-45 Features.

Top	Feature Name	Description
1	Protocol	Type of protocol, e.g., tcp, udp, etc.
2	Pkt Len Max	Max of the length of a packet
3	Fwd Header Len	Total bytes used for headers in the forward direction
4	Tot Fwd Pkts	Total packets in the forward direction
5	Dst Port	Destination port number
6	TotLen Fwd Pkts	Total size of packet in forward direction
7	Bwd Header Len	Total bytes used for headers in the backward direction
8	Init Bwd Win Byts	The total number of bytes sent in initial window in the backward direction
9	SYN Flag Cnt	Number of packets with SYN
10	Fwd Pkts/s	Number of forward packets per second
11	Fwd Pkt Len Min	Min of the size of packet in forward direction
12	Bwd Pkt Len Mean	Mean of the size of packet in backward direction
13	Fwd Pkt Len Mean	Mean of the size of packet in forward direction
14	Bwd IAT Max	Max of the Time between two packets sent in the backward direction
15	Idle Mean	Mean time flow was idle before becoming active
16	TotLen Bwd Pkts	Total size of packet in backward direction
17	Pkt Size Avg	Average size of packet
18	Bwd PSH Flags	Number of times the PSH flag was set in packets travelling in the backward direction (0 for UDP)
19	Active Min	Min of the time flow was active before becoming idle
20	Pkt Len Std	Standard deviation of the length of a packet
21	RST Flag Cnt	Number of packets with RST
22	Bwd Pkt Len Std	Standard deviation of the size of packet in backward direction
23	Flow IAT Min	Min of the time between two packets sent in the flow
24	Tot Bwd Pkts	Total packets in the backward direction
25	Bwd Pkts/s	Number of backward packets per second
26	Pkt Len Mean	Mean of the length of a packet
27	Bwd IAT Std	Standard deviation of the Time between two packets sent in the backward direction
28	Src Port	Source port number
29	Idle Max	Max time flow was idle before becoming active
30	Pkt Len Min	Min of the length of a packet
31	Flow Pkts/s	Number of flow packets per second
32	Bwd Pkt Len Max	Max of the size of packet in backward direction
33	Fwd IAT Min	Min of the time between two packets sent in the forward direction
34	Flow IAT Std	Standard deviation of the time between two packets sent in the flow
35	Fwd IAT Mean	Mean of the time between two packets sent in the forward direction
36	Flow Byts/s	Number of flow bytes per second
37	Idle Min	Min time flow was idle before becoming active
38	FIN Flag Cnt	Number of packets with FIN
39	Flow Duration	Duration of the flow in Microsecond
40	Fwd Pkt Len Std	Standard deviation of the size of packet in forward direction
41	Fwd IAT Max	Max of the time between two packets sent in the forward direction
42	Fwd Act Data Pkts	Count of packets with at least i byte of TCP data payload in the forward direction
43	Bwd Pkt Len Min	Min of the size of packet in backward direction
44	Bwd IAT Tot	Total of the time between two packets sent in the backward direction
45	Fwd Pkt Len Max	Max of the size of packet in forward direction

explicitly presents the specific details of the Top-45 features identified as the optimal subset based on final experiments. This selection suggests that the 45-feature threshold represents an optimal trade-off point where the discriminative information is maximized; further increasing the feature count introduces redundant information or noise that detracts from the model’s generalization. The remaining 10 features that were not adopted are cataloged and analyzed in Section 4.2.1 to provide a comparative baseline. To ensure the statistical stability of this cutoff, we verified the consistency of the XGBoost importance scores across all 5 folds of the cross-validation process. The ranking of the Top-45 features remained highly consistent, with the core feature set showing minimal membership changes across folds. This stability indicates that the selected threshold captures the intrinsic characteristics of the traffic patterns and serves as a robust basis for the subsequent gated fusion mechanism. Consequently, the framework utilizes this optimized 45-feature combination for subsequent model training. Section 4, “Experimental Analysis and Results”, presents the comprehensive experimental details and the omitted feature comparison.

3.2.2. Deep Temporal Semantic Feature Extraction Method Based on Convolution and SE Mechanism

To effectively extract high-order temporal features and local dependencies from network traffic data, this study utilizes a specialized architecture integrating a 1D-CNN with an SE block. The specific implementation is described below.

After preprocessing, normalization, and tensor conversion, the process generates a three-dimensional tensor $\mathrm{X}\in {\mathrm{R}}^{\mathrm{B}\times \mathrm{C}\times \mathrm{L}}$. Here, $\mathrm{B}$ denotes the batch size. $\mathrm{C} = 1$ represents the channel count, indicating that the raw features serve as single-channel inputs. $\mathrm{L}$ denotes the original feature dimension. Subsequently, the model uses a one-dimensional convolutional layer to extract local features, as described in Equation (7). This layer utilizes 16 convolutional kernels with a size of 3 and applies same-padding to better model adjacent relationships between features.

$${\mathrm{F}}_{\mathrm{conv}}=\mathrm{ReLU}\left(\mathrm{Conv}1\mathrm{D}\right(\mathrm{X}\left)\right)\in {\mathrm{R}}^{\mathrm{B}\times 16\times \mathrm{L}}$$

(7)

To further enhance the modeling capability for key channel-dimension features, an SE block is integrated following the convolutional layer. The module first performs channel dimension compression (squeeze), followed by recalibration (excitation) via a two-layer fully connected network to generate channel attention weights. Equation (8) illustrates the core principle:

$$\mathrm{s} = \mathrm{\sigma }\left({\mathrm{W}}_2\cdot \mathrm{ReLU}\left({\mathrm{W}}_1\cdot \mathrm{AvgPool}\left({\mathrm{F}}_{\mathrm{conv}}\right)\right)\right)$$

(8)

Here, ${\mathrm{W}}_1 \in {\mathrm{R}}^{{\displaystyle \frac{\mathrm{C}}{\mathrm{r}}}\times \mathrm{C}}$ and ${\mathrm{W}}_{2 }\in {\mathrm{R}}^{\mathrm{C}\times {\displaystyle \frac{\mathrm{C}}{\mathrm{r}}}}$ represent the weight matrices, with the reduction ratio $\mathrm{r}$ is set to 8. $\mathrm{\sigma }$ denotes the Sigmoid function. Finally, the system performs channel-wise weighted fusion, as shown in Equation (9):

$${\mathrm{F}}_{\mathrm{att}} = {\mathrm{F}}_{\mathrm{conv}}\odot \mathrm{s}$$

(9)

This mechanism assigns weights across different channels to effectively suppress redundant feature responses and highlight key channels. Finally, the model employs adaptive average pooling (AdaptiveAvgPool1d(1)) to further compress the weighted features ${\mathrm{F}}_{\mathrm{att}}$, resulting in a 16-dimensional fixed-length vector representation. This vector serves as the deep feature output, defined by Equation (10).

$${\mathrm{f}}_{\mathrm{out}}=\mathrm{Dropout}\left(\mathrm{Pool}\left({\mathrm{F}}_{\mathrm{att}}\right)\right)\in {\mathrm{R}}^{\mathrm{B}\times 16}$$

(10)

In this method, the dropout rate is set to 0.5 to prevent overfitting. To ensure the scientific validity and robustness of the hyperparameters, this study employs a 5-fold Stratified K-Fold cross-validation strategy, aligning with the XGBoost-RFE feature selection method. The results confirm that the selected hyperparameters exhibit strong generalization capabilities.

3.3. Dynamic Feature Fusion Method Based on Gating Mechanism

The preceding subsections detailed the feature extraction tasks at two distinct levels: first, the selection of discriminative shallow statistical features via XGBoost, and second, the extraction of deep temporal semantic features using a 1D-CNN integrated with an SE block. Since these two feature types describe network traffic behavior from complementary perspectives, their integration provides a more holistic representation. However, direct concatenation or averaging risks neglecting the varying importance of features across different samples, potentially compromising the model’s discriminative capability. To address this issue, this paper employs a dynamic fusion strategy based on a gating mechanism to achieve adaptive information integration at the feature level.

Specifically, let ${\mathrm{f}}_{\mathrm{x}\mathrm{g}\mathrm{b}}\in {\mathbb{R}}^{{\mathrm{d}}_1}$ denote the 45-dimensional feature vector. This vector is selected by the feature selection method based on XGBoost and RFE. Additionally, let ${\mathrm{f}}_{\mathrm{c}\mathrm{n}\mathrm{n}}\in {\mathbb{R}}^{{\mathrm{d}}_2}$ represent the 16-dimensional deep feature representation output by the CNN module. To integrate these heterogeneous inputs, the architecture first employs two sets of learnable linear projection layers. These layers project the features into a unified fusion space ${\mathbb{R}}^{\mathrm{d}}$ to bridge the representation gap between discrete statistical metrics and continuous neural embeddings. Equations (11) and (12) illustrate the specific formulas.

$${\mathrm{h}}_{\mathrm{xgb}}={ \mathrm{W}}_{\mathrm{xgb}}{\mathrm{f}}_{\mathrm{xgb}}+{\mathrm{b}}_{\mathrm{xgb}}$$

(11)

$${\mathrm{h}}_{\mathrm{cnn}}={ \mathrm{W}}_{\mathrm{cnn}}{\mathrm{f}}_{\mathrm{cnn}}+{\mathrm{b}}_{\mathrm{cnn}}$$

(12)

Subsequently, the framework concatenates these two feature sets and feeds them into a gated network equipped with a Sigmoid activation function to generate a sample-specific fusion weight vector $\mathrm{g}$. Equation (13) presents the specific formula.

$$\mathrm{g}=\mathrm{\sigma }\left({\mathrm{W}}_{\mathrm{g}}\cdot \left[{\mathrm{h}}_{\mathrm{xgb}}\Vert {\mathrm{h}}_{\mathrm{cnn}}\right]+{\mathrm{b}}_{\mathrm{g}}\right), \mathrm{g} \in [0, 1{]}^{\mathrm{d}}$$

(13)

Equation (14) presents the expression for the final output fused features ${\mathrm{f}}_{\mathrm{fused}}$.

$${\mathrm{f}}_{\mathrm{fused}}=\mathrm{g}\odot {\mathrm{h}}_{\mathrm{x}\mathrm{g}\mathrm{b}}+(1 - \mathrm{g})\odot {\mathrm{h}}_{\mathrm{c}\mathrm{n}\mathrm{n}}$$

(14)

Here, $\odot$ denotes the element-wise multiplication operation. This refined gating mechanism offers a significant advantage over simple concatenation or conventional GMU formulations. While traditional methods treat all features equally or rely on fixed weightings, our approach dynamically recalibrates the importance of expert-selected statistical features versus automated deep features based on the real-time traffic context. For instance, during a high-volume DDoS attack, the gate can learn to prioritize statistical rate features, whereas for stealthy APT probing, it may focus more on deep temporal patterns.

To achieve precise identification of abnormal traffic, this study inputs the dynamically fused feature vector ${\mathrm{f}}_{\mathrm{fused}}$ into a MLP classification module. This classifier employs a hidden layer with 32 neurons. The layer utilizes the ReLU activation function to enhance nonlinear expressive capability. To accommodate different detection tasks, two separate model instances with task-specific output layers are implemented: for binary classification, the output layer consists of 2 neurons, while for multi-class classification, it is configured with 4 neurons. Subsequently, the Softmax function calculates category probabilities. Regarding the training configuration, this study employs the Adam optimizer with an initial learning rate of 0.001. The batch size is set to 64, with a maximum of 50 epochs. To further enhance generalization and prevent overfitting, the model applies a Dropout rate of 0.5 after the MLP hidden layer. Additionally, the training process implements an early stopping strategy based on the validation set’s macro-F1 score. Finally, the entire training process employs 5-fold stratified cross-validation to ensure the stability and robustness of the classification performance.

4. Experimental Analysis and Results

This section provides a comprehensive evaluation of the proposed anomaly detection framework through various experimental scenarios. We begin by defining the evaluation metrics used to quantify model performance in Section 4.1. Then, an ablation study is presented in Section 4.2 to verify the effectiveness of the gated fusion module. Section 4.3 and Section 4.4 analyze the experimental results for binary and multi-class classification, respectively. Finally, Section 4.5 discusses the model’s performance on the validation set to demonstrate its generalization capability.

4.1. Evaluation Metrics

To comprehensively evaluate the performance of the constructed intrusion detection model, this study employs four standard classification evaluation metrics: Accuracy, Precision, Recall, and F1-score. These metrics effectively measure the discriminative capability of the model across different categories. To ensure the reliability and stability of the experimental results, all metrics are reported as the arithmetic mean derived from 5-fold cross-validation. This approach avoids the bias associated with single point estimates and provides a more objective assessment of the model’s generalization ability, particularly in security scenarios characterized by class imbalance or high costs associated with false positives and false negatives.

Specifically, the overall performance is defined as the average of the results across $k$ folds. The following formulas define the calculations for these four metrics:

$$Accuracy={\displaystyle \frac{1}{K}}{\displaystyle {\sum }_{i=1}^K}{\displaystyle \frac{T{P}_i+T{N}_i}{T{P}_i+T{N}_i+F{P}_i+F{N}_i}}$$

(15)

$$Precision={\displaystyle \frac{1}{K}}{\displaystyle {\sum }_{i=1}^K}{\displaystyle \frac{T{P}_i}{T{P}_i+F{P}_i}}$$

(16)

$$Recall={\displaystyle \frac{1}{K}}{\displaystyle {\sum }_{i=1}^K}{\displaystyle \frac{T{P}_i}{T{P}_i+F{N}_i}}$$

(17)

$$F1-score={\displaystyle \frac{1}{K}}{\displaystyle {\sum }_{i=1}^K}\left(2\cdot {\displaystyle \frac{Precisio{n}_i\cdot Recal{l}_i}{Precisio{n}_i+Recal{l}_i}}\right)$$

(18)

• True Positive (TP): The number of positive samples correctly predicted as positive by the model. For example, the model correctly identifies attack traffic as an attack.
• True Negative (TN): The number of negative samples correctly predicted as negative by the model. For example, the model correctly identifies normal traffic as normal.
• False Positive (FP): The number of negative samples incorrectly predicted as positive by the model. This error represents normal traffic being misclassified as attack traffic.
• False Negative (FN): The number of positive samples incorrectly predicted as negative by the model. This error represents attack traffic being missed and classified as normal traffic.

Additionally, different classification tasks allow for the aggregation of these metrics using various averaging methods. To mitigate the interference of sample size discrepancies on overall metrics in multi-class tasks, this study employs the macro-average method for each fold. This approach involves calculating the metrics for each class individually and then computing their arithmetic mean, as shown in Equation (19).

$$Metri{c}_{macro}={\displaystyle \frac{1}{N}}{\displaystyle {\sum }_{j=1}^N}Metri{c}_j$$

(19)

Here, $N$ denotes the total number of categories. In binary classification tasks, the study employs the binary averaging method, positioning the positive class as the core of the evaluation. The final results reported in subsequent sections represent the mean and standard deviation across all folds, ensuring a rigorous statistical foundation for the performance evaluation.

4.2. Ablation Experiments

Ablation experiments play a crucial role in model performance evaluation. These experiments assist researchers in gaining deeper insights into the influence of individual components on the final performance. By progressively removing or modifying specific components, ablation experiments reveal the contribution of various design choices to the overall model. Consequently, this process provides theoretical support for model improvement and optimization.

This study conducts ablation experiments on the InSDN Dataset to validate the contribution of each module. The analysis specifically focuses on the effects of fusion strategies and gating mechanisms. This paper compares several distinct model configurations. These configurations cover baseline models like XGBoost-MLP and CNN-MLP, along with several feature fusion approaches. Section 4.2.3 lists the specific results.

4.2.1. Comparison of Optimal Number of Features

The feature selection method based on XGBoost and RFE initially identified the top 55 features. Among these, the 10 features that were ultimately not adopted in the final optimal subset are detailed in

Table 4. Features excluded from the optimal subset.

Top	Feature Name	Description
46	Active Mean	Mean of the time flow was active before becoming idle
47	ACK Flag Cnt	Number of packets with ACK
48	Fwd IAT Tot	Total of the time between two packets sent in the forward direction
49	Down/Up Ratio	Download and upload ratio
50	Flow IAT Mean	Mean of the time between two packets sent in the flow
51	Flow IAT Max	Max of the time between two packets sent in the flow
52	Bwd IAT Min	Min of the Time between two packets sent in the backward direction
53	Active Max	Max of the time flow was active before becoming idle
54	Active Std	Standard deviation of the time flow was active before becoming idle
55	Bwd IAT Mean	Mean of the Time between two packets sent in the backward direction

, which serves as a subsequent extension to Table 3.

To further enhance accuracy and reduce computational complexity, this study conducted a secondary selection phase. This process focused on optimizing the number of features. The experiment integrated the selected feature counts with the subsequent processing steps. Figure 2 presents the final observed results.

Experimental validation confirms that model performance gradually improves as the number of features increases. The performance reaches its peak when the system utilizes the top 45 features. Consequently, this study selects the top 45 features as the optimal feature set.

4.2.2. Comparison of Baseline Models

In the initial phase of the ablation experiments, this paper first examined two baseline models: XGBoost-MLP and CNN-MLP. The XGBoost-MLP model achieved an accuracy of 97.27%, precision of 97.58%, recall of 96.74%, and F1-score of 97.13%. In contrast, the CNN-MLP model demonstrated significantly lower results. This model recorded an accuracy of 95.64%, precision of 95.51%, recall of 93.24%, and F1-score of 94.15%. The comparison reveals that the CNN-MLP model falls far short of the performance level of XGBoost-MLP. These results indicate that standalone CNN or XGBoost models exhibit limitations in handling this task. Consequently, these single-model approaches fail to fully leverage the potential of the data.

4.2.3. Comparison of Different Fusion Strategies

Next, this paper compares several distinct feature fusion strategies.

Table 5. Comparison of Ablation Experiments.

Index	Model	Accuracy (%)	Precision (%)	Recall (%)	F1-Score (%)
1	XGBoost-MLP	97.27 ± 0.12	97.58 ± 0.15	96.74 ± 0.18	97.13 ± 0.14
2	CNN-MLP	95.64 ± 0.25	95.51 ± 0.28	93.24 ± 0.35	94.15 ± 0.31
3	Concatenation fusion	99.61 ± 0.06	99.45 ± 0.08	99.53 ± 0.07	99.49 ± 0.07
4	Fixed weight fusion	99.54 ± 0.08	99.38 ± 0.09	99.43 ± 0.10	99.41 ± 0.09
5	Random weight fusion	99.78 ± 0.05	99.73 ± 0.06	99.72 ± 0.06	99.73 ± 0.05
6	This model	99.88 ± 0.02	99.86 ± 0.03	99.85 ± 0.02	99.86 ± 0.02

presents the specific data. First, the experiment evaluates concatenation fusion without the gating mechanism. This model achieves an accuracy of 99.61%, precision of 99.45%, recall of 99.53%, and F1-score of 99.49%. This result indicates that model performance improves significantly through simple concatenation fusion. However, this approach does not yet reach the optimal level.

In the fixed-weight fusion experiment, the system sets the weights for both XGBoost and CNN to 0.5. In this configuration, the model achieves an accuracy of 99.54%, precision of 99.38%, recall of 99.43%, and F1-score of 99.41%. Compared to concatenation fusion, the performance of the fixed-weight model declines slightly. However, this strategy still delivers satisfactory results.

Subsequently, the study employs a random weight fusion strategy. This method uses a random function to assign fusion weights during each iteration. Consequently, the model accuracy further improves to 99.78%, with precision at 99.73%, recall at 99.72%, and F1-score at 99.73%. Random weight fusion significantly enhances performance. This finding demonstrates the effectiveness of dynamically adjusting weights during feature fusion.

4.2.4. Anomalous Traffic Detection Method Based on Improved Gated Fusion Features

Experimental data demonstrates that the anomaly traffic detection method based on improved gated fusion features outperforms the random weight fusion model. This superiority is evident across all performance metrics. Specifically, the proposed model achieves an accuracy of 99.88%. Precision and F1-score both stabilize at 99.86%. Additionally, the recall reaches 99.85%. These results indicate that the dynamic weights computed through the gating mechanism capture complementary information between heterogeneous features more accurately. While the performance of the random weight fusion strategy is numerically competitive, our proposed gated fusion model consistently achieves superior results with significantly higher stability, as evidenced by the reduced standard deviation. This suggests that the learned gating mechanism effectively converges to an optimal feature-weighting configuration, whereas random weighting introduces greater performance volatility. The consistent improvement across all metrics, combined with the reduction in variance, demonstrates that the gating mechanism provides a more reliable and robust solution for SDN anomaly detection.

4.3. Results of Binary Classification Models

Deep learning models, particularly CNN, LSTM, and GAN, have achieved remarkable results in intrusion detection. However, despite their outstanding accuracy, challenges remain. Specifically, enhancing generalization capabilities while reducing false positive and false negative rates is difficult. To evaluate the performance of the proposed model, this study compares it against several baselines. These baselines include the DNN-based LSTM model (DNN-LSTM), Generative Adversarial Network (GAN), combined CNN and LSTM model (cuCNN-LSTM), Gated Recurrent Unit model (GRU), and Bidirectional LSTM model (Bi-LSTM). To ensure a fair and rigorous comparison, all baseline models were independently evaluated under the exact same experimental framework as our proposed method. This includes the use of identical data preprocessing procedures, the same Top-45 feature selection results, and the specific Open-set Recognition (OSR) data partitioning protocol described. We did not adopt the performance metrics directly from the original cited literature, as those results were obtained under different data split conditions and preprocessing pipelines, which would render the comparison invalid. To ensure the statistical rigor of the comparison, a paired t-test was conducted between the proposed model and the strongest baseline in each category. The results consistently yielded $p$-values less than 0.05, confirming that the performance improvements are statistically significant despite the high saturation of the metrics.

Table 6. Binary Classification Results on InSDN Dataset.

Reference	Model	Accuracy (%)	Precision (%)	Recall (%)	F1-Score (%)
[13]	GAN	89.25 ± 0.45	65.37 ± 0.85	98.37 ± 0.32	78.54 ± 0.65
[23]	cuDNN-LSTM	99.75 ± 0.06	99.94 ± 0.02	99.80 ± 0.05	99.37 ± 0.08
[24]	CNN-LSTM	99.63 ± 0.08	99.39 ± 0.10	98.78 ± 0.12	99.08 ± 0.11
[25]	GRU	99.72 ± 0.07	99.91 ± 0.03	98.68 ± 0.09	99.29 ± 0.07
[26]	Bi-LSTM	99.78 ± 0.05	99.90 ± 0.04	98.99 ± 0.06	99.45 ± 0.05
	This model	99.91 ± 0.02	99.63 ± 0.03	99.94 ± 0.02	99.78 ± 0.03

presents the performance comparison of different models on the experimental dataset. The results demonstrate that the proposed model achieves optimal performance in Accuracy (99.91%), Recall (99.94%), and F1-Score (99.78%). This outcome indicates outstanding performance in detection rate and overall balance. However, regarding Precision, cuDNN-LSTM (99.94%), GRU (99.91%), and Bi-LSTM (99.90%) slightly outperform the proposed model (99.63%).

This result suggests that in rare instances, the proposed method exhibits a higher false positive rate compared to certain recurrent neural networks. This discrepancy likely stems from the design emphasis on enhancing recognition capabilities for minority class samples. Specifically, the model strengthens feature extraction and fusion to boost Recall. Consequently, the system tends to classify certain borderline samples as positive. While this strategy incurs a slight loss in Precision, it significantly boosts Recall. This trade-off leads to a further reduction in false negatives. False negatives are often more severe than false positives in intrusion detection tasks. The risk of undetected attacks far outweighs the cost of generating additional alerts. Therefore, this strategy offers greater advantages in practical applications.

Regarding the performance comparison of the models, cuDNN-LSTM achieves the highest Precision (99.94%). However, its Recall (99.80%) and F1-Score (99.37%) are slightly lower than those of the proposed model. This result indicates insufficient coverage of abnormal samples. GRU and Bi-LSTM maintain relatively high levels of Accuracy and Precision. However, their Recall values are 98.68% and 98.99%, respectively. These figures fall short of the detection capability achieved by the proposed method. CNN-LSTM performs well in terms of F1-Score (99.08%). Nevertheless, its overall performance still lags behind Bi-LSTM and the proposed method. GAN achieves a high Recall (98.37%) but suffers from extremely low Precision (65.37%). Consequently, this imbalance results in excessive false positive rates.

Overall, the proposed model achieves optimal results in Recall and F1-Score. While its Precision is slightly lower than that of some recurrent neural networks, the model demonstrates superior comprehensive performance and practical value. In intrusion detection scenarios, high Recall effectively reduces attack false negatives. The proposed method further enhances Recall while maintaining high Precision. Therefore, this approach proves more practical in environments with stringent security requirements.

4.4. Multi-Class Classification Model Results

The proposed model demonstrates outstanding performance in multi-class classification tasks. It surpasses existing mainstream models across multiple evaluation metrics.

Table 7. Multi-Class Classification Results on the InSDN Dataset.

Reference	Model	Accuracy (%)	Precision (%)	Recall (%)	F1-Score (%)
[13]	GAN	99.47 ± 0.08	99.25 ± 0.10	99.40 ± 0.09	99.32 ± 0.09
[23]	cuDNN-LSTM	99.68 ± 0.04	99.55 ± 0.05	99.61 ± 0.04	99.58 ± 0.05
[24]	CNN-LSTM	99.38 ± 0.09	99.11 ± 0.12	99.31 ± 0.10	99.20 ± 0.11
[25]	GRU	99.73 ± 0.05	99.62 ± 0.06	99.67 ± 0.05	99.64 ± 0.06
[26]	Bi-LSTM	99.75 ± 0.04	99.66 ± 0.05	99.69 ± 0.04	99.67 ± 0.05
	This model	99.88 ± 0.02	99.86 ± 0.03	99.85 ± 0.02	99.86 ± 0.02

presents the experimental results for different models in multi-class classification tasks. The proposed method achieves optimal performance across all four metrics. Specifically, the Accuracy is 99.88%. Precision and Recall reach 99.86% and 0.9985, respectively. Consequently, the F1-Score maintains the highest level at 0.9986. This result demonstrates that the proposed approach maintains exceptionally high detection accuracy and stability. This capability persists even when confronting complex multi-class traffic patterns.

Regarding the overall trend, RNNs and their variants continue to demonstrate strong advantages. GRU, cuDNN-LSTM, and Bi-LSTM all achieve Accuracy scores above 99.6% in the multi-classification task. Among these, Bi-LSTM achieves an Accuracy of 99.75% and an F1-Score of 99.67%. This model performs closest to the proposed method among the comparison approaches. This result validates the effectiveness of the bidirectional structure in capturing temporal dependencies. GRU also demonstrates stable performance, with an Accuracy of 99.73% and an F1-Score of 99.64%. This performance indicates its ability to balance efficiency and accuracy in multi-class scenarios.

In contrast, CNN-LSTM achieves an Accuracy and F1-Score of 99.38% and 99.20%, respectively. These figures are slightly lower than those of RNNs. This discrepancy indicates that merely combining local convolutional features with temporal information has certain limitations. Specifically, this combination lacks sufficient category discrimination capability. The GAN model performs the least satisfactorily. Although its Accuracy and Recall approach 99.5%, its F1-Score is only 99.32%. This score is significantly lower than that of other models. This gap likely stems from the limitations of GAN in sample generation and class boundary delineation. Consequently, the model struggles to achieve stable classification performance under complex multi-class distributions.

Notably, some comparison models, such as Bi-LSTM and GRU, approach the Precision or Recall of the proposed model. However, they still lag in composite metrics. The proposed approach achieves the highest Precision of 99.86%. Simultaneously, it maintains the optimal Recall of 99.85%. This dual advantage demonstrates the ability to effectively distinguish between different categories. Furthermore, the method minimizes both false negatives and false positives in multi-class scenarios. Ultimately, the improvement in F1-Score fully validates the overall superiority of the model in multi-class classification tasks.

4.5. Validation Set Results

During model training, the validation set serves as a crucial tool for evaluating model generalization capabilities. It assesses model performance on unseen data. Additionally, the process guides model tuning. This study employs the NSL-KDD dataset as the validation set. The experiment utilizes the same training workflow and hyperparameter tuning strategy as applied to the InSDN Dataset. This approach further validates the effectiveness of the proposed model.

(1)

Binary Classification Task

For the binary classification task, the proposed method demonstrates outstanding performance on the validation set.

Table 8. Binary Classification Results on the NSL-KDD Dataset.

Reference	Model	Accuracy (%)	Precision (%)	Recall (%)	F1-Score (%)
[13]	GAN	93.46 ± 0.35	97.56 ± 0.42	90.13 ± 0.55	93.70 ± 0.48
[23]	cuDNN-LSTM	99.63 ± 0.08	99.73 ± 0.06	99.58 ± 0.10	99.66 ± 0.08
[24]	CNN-LSTM	99.72 ± 0.06	99.93 ± 0.04	99.55 ± 0.08	99.74 ± 0.06
[25]	GRU	99.68 ± 0.07	99.75 ± 0.05	99.65 ± 0.09	99.70 ± 0.07
[26]	Bi-LSTM	99.53 ± 0.09	99.75 ± 0.07	99.37 ± 0.12	99.56 ± 0.10
	This model	99.78 ± 0.03	99.90 ± 0.04	99.69 ± 0.04	99.80 ± 0.05

presents the specific results. The proposed model achieves an accuracy of 99.78%, precision of 99.90%, recall of 99.69%, and F1-score of 99.80%. Compared to the cuDNN-LSTM and CNN-LSTM models, the proposed method improves accuracy by 0.15% and 0.06%, respectively. In terms of precision, the model outperforms cuDNN-LSTM by 0.17%. However, it is marginally lower than CNN-LSTM by 0.03%. Furthermore, the F1-score outperforms both cuDNN-LSTM and CNN-LSTM. This result indicates that the proposed approach achieves superior accuracy. Moreover, it demonstrates greater robustness in balancing precision and recall.

(2)

Multi-Class Classification Task

For the multi-class classification task, the proposed method also demonstrates outstanding performance.

Table 9. Multi-Class Classification Results on the NSL-KDD Dataset.

Reference	Model	Accuracy (%)	Precision (%)	Recall (%)	F1-Score (%)
[13]	GAN	97.04 ± 0.25	96.04 ± 0.38	95.28 ± 0.42	95.65 ± 0.40
[23]	cuDNN-LSTM	99.63 ± 0.08	99.21 ± 0.12	99.44 ± 0.10	99.32 ± 0.11
[24]	CNN-LSTM	99.41 ± 0.10	98.84 ± 0.15	99.11 ± 0.13	98.97 ± 0.14
[25]	GRU	99.71 ± 0.06	99.43 ± 0.08	99.66 ± 0.07	99.55 ± 0.07
[26]	Bi-LSTM-HBA	99.57 ± 0.09	99.23 ± 0.10	99.35 ± 0.09	99.29 ± 0.09
	This model	99.76 ± 0.03	99.34 ± 0.05	99.79 ± 0.03	99.56 ± 0.04

presents the specific results. On the validation set, the model achieves an accuracy of 99.76%, precision of 99.34%, recall of 99.79%, and F1-score of 99.56%. Specifically, the accuracy of the proposed method is 0.13% higher than that of cuDNN-LSTM and 0.35% higher than that of CNN-LSTM. Additionally, the F1-score improves by 0.24% and 0.59%, respectively. These results demonstrate that the proposed model excels not only in binary classification tasks but also in multi-class classification tasks. This adaptability highlights the significant advantages of the approach.

In summary, the validation set results further confirm the efficiency and broad applicability of this method. The data demonstrates the ability of the model to deliver outstanding performance consistently across diverse tasks. Consequently, the proposed approach possesses strong practical value.

(3)

Simulation Experiment

To evaluate the practical applicability and operational feasibility of the proposed model, a prototype system was deployed in a virtualized SDN environment. The specific structure is shown in Figure 3. The control plane, managed by the Ryu controller (version 4.3.4), communicates with the data plane via the OpenFlow v1.3 protocol. The topology consists of two core switches (S1, S2), four aggregation layer switches (S3–S6), and six edge switches (S7–S12), Additionally, twelve hosts (H1–H12) connect to this infrastructure, implemented within Mininet (version 2.3.0). The entire simulation was hosted on an Ubuntu 20.04 LTS virtual machine allocated with 4 vCPUs and 16 GB of RAM.

To ensure a rigorous evaluation of real-time operational performance, diverse abnormal traffic patterns were simulated by carefully defining their type, structure, and velocity to match the constraints of a virtualized network stack. Specifically, DoS attacks were simulated using Hping3 on host H1 to generate TCP SYN flood traffic. This attack involved a randomized source IP structure with a velocity maintained at approximately 1000 to 3000 packets per second, a range specifically chosen to test the stress limits of the Ryu controller’s asynchronous message handler without inducing an immediate system crash. For DDoS scenarios, a coordinated distributed UDP flood was launched from both H1 and H2 using LOIC, generating a combined throughput of 120–180 Mbps. This volume is sufficient to saturate the virtual link bandwidth and trigger sustained Packet-in requests, thereby simulating the link congestion typically observed during volumetric attacks. Additionally, probe attacks were executed from H1 using Nmap to perform aggressive port scanning and OS fingerprinting, creating a complex structure of TCP/UDP packets across a wide range of ports to evaluate the model’s sensitivity to low-volume reconnaissance patterns. Concurrently, Iperf3 was employed between the remaining hosts to maintain a steady-state normal background traffic of approximately 40–60 Mbps, providing a realistic baseline for evaluating the model’s discriminative capability under mixed traffic conditions. The detection model is integrated into the Ryu controller as an asynchronous detection module. Considering the resource constraints of the virtual machine environment, the quantitative performance evaluation is summarized in

Table 10. System Performance in a Virtualized Environment.

Metric	Description	Value (Mean ± Std)
Throughput	Maximum bandwidth processed in the VM environment	420.5 ± 25.8 Mbps
Detection Latency	End-to-end processing time	24.8 ± 3.2 ms
Inference Overhead	Peak CPU utilization of the Ryu process during attack	38.6% ± 5.4%
Memory Footprint	Additional RAM used by the detection module	412 ± 35 MB
Packet Drop Rate	Packet loss under high-frequency Packet-in requests	0.85% ± 0.12%

.

To further evaluate the model’s discriminative capability across different threat categories in a dynamic environment, the specific classification performance for each simulated traffic type was recorded. Unlike the offline tests on static datasets, the simulation involves transient feature fluctuations and background noise from normal network operations. The classification results, summarized in

Table 11. Classification Performance across Categories.

Type	Tool	Precision (%)	Recall (%)	F1-Score (%)
Normal	Iperf3	96.4 ± 1.2	95.8 ± 0.8	96.1 ± 1.0
DoS	Hping3	94.2 ± 1.5	93.5 ± 1.8	93.9 ± 1.6
DDoS	LOIC	92.7 ± 2.1	91.4 ± 2.4	92.1 ± 2.2
Probe	Nmap	91.5 ± 2.8	90.2 ± 3.1	90.8 ± 2.9

, demonstrate that the proposed model maintains high precision and recall even under the resource constraints and timing sensitivities of the Ryu controller.

The experimental results presented in Table 9 and Table 10 provide a comprehensive validation of the model’s operational feasibility and robustness in a real-world SDN simulation. The performance data in Table 9 reveals that the system effectively manages a throughput of over 420 Mbps with a manageable CPU overhead, confirming that the gated fusion architecture is efficient enough to operate alongside core controller functions without inducing systemic instability. This computational overhead is primarily driven by the CNN-SE feature extraction branch and the continuous gating computation during high-load scenarios. Although the detection latency of 24.8 ms is slightly higher than that of hardware-based deployments, it remains well within the acceptable threshold for mitigating rapid-fire attacks like SYN floods before they can fully compromise switch flow tables. Furthermore, the analysis of Table 10 indicates that while the precision and recall metrics across different attack categories show a slight decrease compared to the saturated results of the offline evaluation, this reflects a more realistic assessment of the model’s performance. This marginal decline is primarily attributed to the transient nature of flow features and the inevitable noise generated by concurrent normal background traffic, which can occasionally obscure the distinct signatures of low-volume probe attacks or high velocity bursts.

The significant performance in detecting DDoS and DoS attacks, despite the high-load conditions of the virtualized environment, underscores the effectiveness of the gated fusion mechanism in extracting critical features from saturated traffic streams. To further mitigate resource consumption in large-scale deployments, future iterations could incorporate model quantization or a selective activation mechanism to engage the deep branch only for borderline samples. By achieving high accuracy and low packet drop rates under simulated stress, the prototype demonstrates that it can bridge the gap between theoretical deep learning research and practical network defense. Consequently, these findings suggest that the proposed method offers a reliable, low-overhead solution for real-time threat detection, providing evidence that it is capable of maintaining network integrity in the face of diverse and evolving cybersecurity threats.

5. Conclusions

This paper proposes a novel anomalous traffic detection framework based on improved gated feature fusion in an SDN environment. The proposed methodology addresses the detection accuracy bottlenecks caused by single-dimensional feature representations and rigid fusion strategies in existing methods. First, the data preprocessing module executes cleaning, Min-Max normalization, and label encoding on raw traffic data to construct a standardized input space. Building upon this foundation, the feature engineering phase employs a dual-track parallel strategy. The first track utilizes an XGBoost model combined with the RFE algorithm to select the top 45 most discriminative shallow statistical features, thereby preserving key macro-level network behavioral attributes. Simultaneously, the second track deploys a 1D-CNN with an SE block to extract deep temporal semantic features, enhancing the representation capability for complex attack patterns. Subsequently, the framework integrates these heterogeneous features via an improved gated fusion mechanism that employs a gated vector generated by a Sigmoid activation function. Consequently, the system adaptively adjusts the fusion weights based on the contextual characteristics of input samples, effectively mitigating information redundancy and noise interference inherent in static fusion. Finally, the resulting weighted vectors are fed into an MLP classifier to achieve high-precision anomaly identification.

Experimental analysis demonstrates that the proposed method exhibits competitive performance across multiple key metrics. Test results on both InSDN and NSL-KDD datasets indicate that this approach yields improvements over several existing models, such as CNN-LSTM and GAN. Specifically, the method excels in recall and F1-scores, which directly reflects a significant reduction in the false negative rate for anomalous samples. Additionally, ablation experiments confirm the value of the gating mechanism, demonstrating that the dynamic fusion of heterogeneous features effectively enhances model consistency within complex network environments.

The prototype deployment on Mininet and the Ryu controller provides an assessment of the model’s operational potential in simulated SDN environments. The system demonstrates robust detection capabilities across diverse threats, maintaining F1-scores between 91.5% and 96.4%. Under high-intensity attack scenarios, the prototype efficiently processes traffic at 420.5 Mbps with a detection latency of 24.8 ms, while incurring a peak CPU utilization of 38.6% and a 412 MB memory footprint.

In summary, the proposed method reduces false negative rates while maintaining high detection accuracy, offering a viable approach for enhancing security defense in SDN environments. Future work will focus on optimizing computational overhead, specifically through model quantization and selective activation strategies, to further improve real-time efficiency in resource-constrained scenarios. Furthermore, we aim to evaluate the framework’s generalization across broader, real-world network conditions.