Review

A Survey of Multi-Layer IoT Security Using SDN, Blockchain, and Machine Learning

Department of Computer Science, North-West University, Mmabatho 2745, South Africa
*
Author to whom correspondence should be addressed.
Electronics 2026, 15(3), 494; https://doi.org/10.3390/electronics15030494
Submission received: 19 December 2025 / Revised: 16 January 2026 / Accepted: 20 January 2026 / Published: 23 January 2026
(This article belongs to the Section Artificial Intelligence)

Abstract

The integration of Software-Defined Networking (SDN), blockchain (BC), and machine learning (ML) has emerged as a promising approach to securing Internet of Things (IoT) and Industrial IoT (IIoT) networks. This paper conducted a comprehensive review of recent studies focusing on multi-layered security across device, control, network, and application layers. The analysis reveals that BC technology ensures decentralised trust, immutability, and secure access validation, while SDN enables programmability, load balancing, and real-time monitoring. In addition, ML/deep learning (DL) techniques, including federated and hybrid learning, strengthen anomaly detection, predictive security, and adaptive mitigation. Reported evaluations show similar gains in detection accuracy, latency, throughput, and energy efficiency, with effective defence against threats, though differing experimental contexts limit direct comparison. It also shows that the solutions’ effectiveness depends on ecosystem factors such as SDN controllers, BC platforms, cryptographic protocols, and ML frameworks. However, most studies rely on simulations or small-scale testbeds, leaving large-scale and heterogeneous deployments unverified. Significant challenges include scalability, computational and energy overhead, dataset dependency, limited adversarial resilience, and the explainability of ML-driven decisions. Based on the findings, future research should focus on lightweight consensus mechanisms for constrained devices, privacy-preserving ML/DL, and cross-layer adversarial-resilient frameworks. Advancing these directions will be important in achieving scalable, interoperable, and trustworthy SDN-IoT/IIoT security solutions.

1. Introduction

The exponential growth of Internet of Things (IoT) devices, accelerated by the deployment of 5G networks and the rise in Industrial IoT (IIoT) applications, has transformed network infrastructures while expanding their attack surfaces. While IoT connects consumer devices for automation, IIoT brings these capabilities to industrial environments using sensors, actuators, and edge computing in sectors including manufacturing and energy. The systems demand low latency, reliability, and security for real-time monitoring and predictive maintenance [1,2]. However, their heterogeneity, diverse communication protocols, and resource-constrained endpoints introduce security challenges. For instance, when cloud storage is used for data offloading and processing, concerns are raised over confidentiality, integrity, and protection of sensitive information. Traditional centralised security approaches struggle to meet these requirements at scale, creating demand for more flexible and adaptive security models [3,4,5,6,7]. Distributed Denial of Service (DDoS) attacks have become a persistent threat capable of overwhelming network resources, disrupting legitimate traffic, and causing large-scale service outages across IoT, IIoT, and Software-Defined Networking (SDN) environments [8,9,10]. Although SDN introduces programmability, global visibility, and separation of the control and data planes, its centralised architecture exposes weaknesses such as controller saturation, flow table overflow, and single points of failure (SPF), while inter-controller communications remain prone to spoofing, replay, and man-in-the-middle (MITM) attacks [7,8,9,10,11,12,13]. Integrating SDN and IoT (SDN-IoT) offers scalable resource allocation and traffic management for large deployments but also introduces new risks, including controller compromise, flow-rule manipulation, topology poisoning, and insecure inter-device communications [7,8,9,10,11].
Addressing these challenges requires multi-layered security architectures, as traditional perimeter-based models are insufficient for dynamic and distributed IoT ecosystems [10]. In this regard, blockchain (BC) has gained prominence for providing decentralisation, immutability, and trust through consensus mechanisms, tamper-proof logging, and secure access control [3,7,8,14,15,16,17]. Integrating BC with SDN supports multi-controller architecture, load balancing, secure flow-rule management, and energy-efficient routing, thereby mitigating the limitations of centralised control. At the same time, Artificial Intelligence (AI), particularly machine learning (ML) and DL techniques, have shown strong capabilities in detecting and mitigating DDoS attacks. Methods such as Artificial Neural Networks (ANN), Recurrent Neural Networks (RNN), Long Short-Term Memory (LSTM), Convolutional Neural Networks (CNN), and ensemble learning models have shown high accuracy and adaptability [18,19,20,21]. In addition, feature engineering strategies, including Recursive Feature Elimination (RFE), Sequential Forward Selection (SFS), and Minimum Redundancy Maximum Relevance (mRMR), further improve model efficiency, while hierarchical and online learning frameworks enable adaptive responses to evolving threats [3,22,23]. In the same vein, federated learning (FL) has also emerged as a promising approach by enabling privacy-preserving collaborative training at the network edge, thereby reducing the risks associated with transmitting raw IoT data to central servers [18,19,24]. Combined with BC and SDN programmability, FL provides a basis for integrated frameworks that support decentralised trust, secure controller coordination, and intelligent traffic analysis in IoT and 5G environments [16,25,26]. Empirical studies consistently report strong performance for these integrated SDN-BC-AI frameworks. 
For example, ensemble Random Forest (RF) models achieved 100% precision and recall, while DDoSBlocker systems recorded average detection and mitigation times of 3 s and 0.5 s, respectively [22,27]. However, some of the ensemble learning models report near-perfect precision and recall on specific benchmarks. These results reflect dataset bias and controlled conditions and cannot be assumed to generalise to real-world IIoT deployments.
Despite these promising results, significant limitations remain. DL models often require high computational resources that exceed the capabilities of constrained IoT devices [25,28], while BC consensus protocols can introduce latency and energy overheads [29]. Moreover, most existing research relies on simulated environments, with limited real-world deployment of integrated SDN-BC-ML solutions. Studies also tend to address isolated aspects such as secure controller coordination [8], east–west-bound authentication [9], or fine-grained access control [10], without providing holistic solutions that jointly consider scalability, energy efficiency, adaptability, and multi-domain interoperability. Moreover, challenges include handling heterogeneous IoT constraints [24], managing northbound scalability in multi-controller environments [11], and addressing emerging threats such as low-rate and zero-day DDoS attacks [25,28].
In response, this study systematically reviews fifty-nine selected relevant studies addressing the convergence of SDN, BC, and ML techniques for securing IoT networks. The review examines contributions across multiple layers, including device and identity (e.g., distributed PKI, self-certified keys, local training), control plane (e.g., inter-controller authentication, coordinated controllers), network/data (e.g., secure updates, DDoS detection), application (e.g., smart contracts, hybrid DL models), and cross-layer trust/consensus (e.g., BC-based mechanisms, FL). The effectiveness, evaluation methods, and limitations are highlighted for each approach. The aim is to understand the state of the art of security and privacy in these ecosystems and to advance a comprehensive security framework that uses cutting-edge technologies to reinforce the SDN-IoT ecosystem.
The contributions of this study are as follows:
(1) It introduces a structured multi-layered taxonomy that groups security mechanisms across SDN, BC, and ML components, organised by device, control, network, and application layers.
(2) It relates performance metrics such as accuracy, latency, throughput, and similar indicators to threat models reported in previous studies, allowing consistent interpretation of empirical results.
(3) It classifies experimental studies by trust models, adversarial assumptions, and deployment realism, providing a basis for transparent comparison.
(4) It identifies common limitations in scalability, deployment, energy use, and adaptive behaviour and outlines open directions.
The remainder of this paper is structured as follows: Section 2 presents the study background and related works, Section 3 discusses the methodology employed, Section 4 presents the comprehensive analysis of the state of the art, and Section 5 discusses the findings of this study. Section 6 highlights some of the important research directions, while Section 7 is this paper’s conclusion.

2. Background and Literature Review

2.1. Software-Defined Networks

SDN architecture separates the control plane, responsible for network logic and decision-making, from the data plane, which handles traffic forwarding. This decoupling allows programmatic management and dynamic adaptation to traffic patterns and policies but introduces challenges such as SPF, limited scalability, and potential security breaches [8,9]. Distributed SDN architectures integrate BC technology to provide secure coordination and decentralised trust. Fan et al. [8] proposed BC-Coordinating Controllers (BCC) using a permissioned BC with smart contracts for certificate issuance and controller parameter synchronisation. Rahouti et al. [9] introduced BRAVE-SDN, securing east–west controller communication with BC and identity-based cryptography (IBC). PBAC-SDN by Chattaraj et al. [10] uses a private BC for fine-grained access control between controllers and switches, mitigating MITM, replay, and spoofing attacks. Multi-controller solutions, such as SBAC-SDN [11], combine Hyperledger Fabric BC with caching and load balancing to improve scalability on the Northbound interface. RL-based MuZero has been applied to proactively optimise controller placement, with BC smart contracts recording secure placements [15].

2.2. Internet of Things

IoT networks consist of distributed, resource-constrained devices exchanging real-time data. Typically, IoT architecture includes edge devices such as sensors and actuators, edge gateways/servers for local processing, and cloud services for storage, analytics, and decision-making. However, security, privacy, scalability, and authentication challenges arise due to heterogeneity, mobility, and resource limitations [9]. To address these issues, among other strategies, distributed key management and lightweight cryptographic mechanisms, as developed in SDN solutions, can be applied directly to IoT networks. For instance, BRAVE-SDN [9] provides decentralised key management suitable for constrained devices, while PBAC-SDN [10] enables BC-based auditing and fine-grained access control to ensure that only authorised nodes communicate. Moreover, FL approaches allow distributed training without sharing raw data, preserving privacy while enabling intelligent decision-making [24]. Thus, integrating BC and ML across IoT layers strengthens trust, decentralised control, and adaptive analytics.

2.3. Machine Learning, Deep Learning, and Federated Learning Overview

Artificial Intelligence (AI) is a technology that enables computers and machines to exhibit human-like cognitive and behavioural capabilities through training data. Its sub-fields have broad multidisciplinary applications, including SDN and IoT [30]. This study adopts the following AI subfields to structure the thematic analysis presented in this paper:
Machine learning: Focuses on automating tasks using algorithms that learn from training data to predict outcomes. By combining algorithmic techniques, statistical methods, and data analysis, these algorithms can detect anomalies in SDN-IoT through predictive models [30,31]. ML is categorised into supervised learning, which employs labelled data for training, and unsupervised learning, which identifies patterns in unlabelled data.
Deep learning: A subfield of ML that uses neural networks to model complex relationships between input and output. These networks, inspired by the human brain, excel at handling large training datasets and performing complex tasks. This makes them well-suited for solving real-world SDN-IoT applications and data-driven decision-making [32,33].
Federated learning: A type of ML that decentralises learning and model training. In heterogeneous environments, each device often generates unique data, requiring models tailored to local data rather than a single centralised dataset [34]. FL enables lightweight training on edge devices while a global aggregator combines local updates without sharing raw data. This, in turn, preserves privacy, an especially critical concern in SDN-IoT networks [34,35].
As highlighted above, ML, DL, and FL play an important role in enhancing SDN-IoT security, enabling anomaly detection, intrusion prevention, and adaptive threat response. In particular, FL has been effective in preserving privacy while training models across heterogeneous edge devices, supporting secure and scalable network functions. Thus, this study focuses on analysing how different studies employed them to achieve security and other objectives in SDN-IoT ecosystems.
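The federated learning loop described above, as an added example that is not code from the paper or from any of the surveyed frameworks: each edge device trains a small DDoS classifier on its own flow records and sends only weights and a sample count to the aggregator, which combines them with sample-weighted averaging (FedAvg). The two flow features, their value ranges, the device class mixes, and all function names are assumptions constructed for illustration.

```python
import math
import random


def sigmoid(z):
    # Numerically stable logistic function.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def make_device_data(rng, n_benign, n_attack):
    """Constructed flow records: ([normalised packet rate, SYN ratio], label).

    Label 1 marks DDoS traffic. The ranges are invented sample data.
    """
    rows = [([rng.uniform(0.0, 0.3), rng.uniform(0.0, 0.3)], 0)
            for _ in range(n_benign)]
    rows += [([rng.uniform(0.7, 1.0), rng.uniform(0.7, 1.0)], 1)
             for _ in range(n_attack)]
    return rows


def local_train(global_w, data, epochs=10, lr=1.0):
    """Runs on the edge device: logistic regression by batch gradient descent.

    Only the updated weights [w1, w2, bias] and the sample count are
    returned; the raw flow records never leave this function.
    """
    w = list(global_w)
    for _ in range(epochs):
        grad = [0.0, 0.0, 0.0]
        for x, y in data:
            err = sigmoid(w[0] * x[0] + w[1] * x[1] + w[2]) - y
            grad[0] += err * x[0]
            grad[1] += err * x[1]
            grad[2] += err
        w = [wi - lr * g / len(data) for wi, g in zip(w, grad)]
    return w, len(data)


def fed_avg(updates):
    """Runs on the aggregator: average of local weights, weighted by sample count."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(w[i] * n for w, n in updates) / total for i in range(dim)]


def accuracy(w, data):
    hits = 0
    for x, y in data:
        predicted = 1 if w[0] * x[0] + w[1] * x[1] + w[2] > 0 else 0
        hits += int(predicted == y)
    return hits / len(data)


def run_federation(rounds=30, seed=7):
    rng = random.Random(seed)
    # Non-identical class mixes per device, as in heterogeneous deployments.
    devices = [make_device_data(rng, 30, 10),
               make_device_data(rng, 20, 20),
               make_device_data(rng, 10, 30)]
    holdout = make_device_data(rng, 50, 50)
    global_w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        updates = [local_train(global_w, d) for d in devices]
        global_w = fed_avg(updates)
    return global_w, accuracy(global_w, holdout)


if __name__ == "__main__":
    weights, acc = run_federation()
    print("global weights:", [round(v, 3) for v in weights])
    print("hold-out accuracy:", acc)
```

The aggregator here trusts every update it receives; the survey's adversarial-resilience concerns apply exactly at the `fed_avg` step, where a poisoned update carries weight in proportion to its claimed sample count.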

2.4. Blockchain Technology in SDN-IoT

BC provides a decentralised, immutable ledger for securing communications and enforcing policies. In SDN and IoT, BC types include public, private, permissioned, and consortium BCs. Public BCs are fully open, private BCs restrict access to selected entities [10], and permissioned BCs require approval via consensus protocols such as Practical Byzantine fault tolerance (PBFT) or Proof of Authority (PoA) [8,9]. Consortium BCs balance governance and decentralisation. In practice, BC supports secure certificate issuance, decentralised PKI, fine-grained access control, and immutable event logging. Fan et al. [8] employed a permissioned BC with PBFT for controller coordination, Rahouti et al. [9] used a private Ethereum BC with IBC for authentication, Chattaraj et al. [10] implemented a private BC for SDN plane access control, and Kovacs et al. [14] and Zainal et al. [11] integrated permissioned BCs for multi-controller coordination, network function virtualization (NFV) validation, and Northbound access. These applications illustrate how BC enhances security, trust, and coordination in SDN-IoT networks.
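A minimal illustration of the immutable event logging and flow-rule validation roles described above, added here and not taken from the paper or from any surveyed framework. A single-writer SHA-256 hash chain stands in for the ledger (no consensus, signatures, or smart contracts), and the controller names, rule fields, and function names are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64
BODY_FIELDS = ("index", "controller", "rule", "prev")


def digest(obj):
    # Canonical JSON so every verifier hashes identical bytes.
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def append_rule(ledger, controller_id, rule):
    """Record a flow rule issued by a controller, linked to the previous block."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    body = {"index": len(ledger), "controller": controller_id,
            "rule": rule, "prev": prev}
    block = dict(body, hash=digest(body))
    ledger.append(block)
    return block


def verify_chain(ledger):
    """Return -1 if the chain is intact, else the index of the first bad block."""
    prev = GENESIS
    for i, block in enumerate(ledger):
        body = {k: block[k] for k in BODY_FIELDS}
        if (block["index"] != i or block["prev"] != prev
                or block["hash"] != digest(body)):
            return i
        prev = block["hash"]
    return -1


def audit_flow_table(ledger, installed_rules):
    """Return installed rules that no ledger entry authorises."""
    if verify_chain(ledger) != -1:
        raise ValueError("ledger failed integrity check; audit aborted")
    authorised = {digest(block["rule"]) for block in ledger}
    return [r for r in installed_rules if digest(r) not in authorised]


def build_sample_ledger():
    # Constructed sample flow rules, not taken from any real deployment.
    ledger = []
    append_rule(ledger, "ctrl-A", {"match": {"ipv4_dst": "10.0.0.5"},
                                   "action": "output:2", "priority": 100})
    append_rule(ledger, "ctrl-B", {"match": {"ipv4_dst": "10.0.0.6"},
                                   "action": "output:3", "priority": 100})
    append_rule(ledger, "ctrl-A", {"match": {"ipv4_src": "10.0.9.9"},
                                   "action": "drop", "priority": 300})
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", verify_chain(ledger) == -1)
    # A rule present on the switch that no controller recorded.
    unrecorded = {"match": {"ipv4_dst": "10.0.0.5"},
                  "action": "output:9", "priority": 200}
    table = [ledger[0]["rule"], ledger[2]["rule"], unrecorded]
    print("unauthorised rules:", audit_flow_table(ledger, table))
    # Editing a recorded rule after the fact breaks the chain at that block.
    ledger[1]["rule"]["action"] = "output:9"
    print("first bad block after edit:", verify_chain(ledger))
```

Re-hashing an edited block only moves the failure to the next block's `prev` link, which is why the surveyed designs replicate the chain across controllers under a consensus protocol rather than trusting one writer.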

2.5. Machine Learning in SDN-IoT

ML enables automated analysis and decision-making, improving security, traffic management, and resource allocation. Traditional algorithms such as decision trees (DTs), logistic regression (LR), RFs, Naïve Bayes (NB), and support vector machines (SVMs) are commonly used for classification and anomaly detection [25]. Ensemble methods improve robustness, while DL extracts hierarchical features for complex patterns [26]. Moreover, FL allows distributed model training across nodes, preserving privacy [24], while RL models like MuZero have been used to optimise SDN controller placement, with decisions recorded on Ethereum smart contracts for auditability [15]. ML models can be deployed across layers: edge devices perform lightweight analytics, gateways coordinate FL, and central or distributed controllers apply DL and RL for proactive management. Combined with BC, these techniques improve network reliability, scalability, and security without compromising privacy.
As shown in Figure 1, the integration of SDN, IoT, BC, and ML improves network security, scalability, and efficiency. BlockSD-5GNet [36] leverages Ethereum, Hyperledger, and BC ledger, combining SDN, NFV, and ML to mitigate DDoS, MITM, topology poisoning, and side-channel attacks. SBAC-SDN [11] uses Hyperledger Fabric BC with caching and load balancing to scale multi-controller SDN interfaces. Benoudifa et al. [15] applied MuZero RL with Ethereum smart contracts for secure controller placement. Kovacs et al. [14] utilised BC to validate network function virtualisation (NFV) services in Internet Service Provider (ISP) federations. These works demonstrate decentralised trust via smart contracts, enhanced security through distributed PKI and BC-based access control [8,9,10], and improved performance with caching, load balancing, and controller-level BC integration [11,14]. Platforms such as Ethereum, Hyperledger Fabric, Mininet, POX, Ryu, and OpenDaylight (ODL) validate the feasibility and effectiveness of these integrated approaches [8,14,15].

2.6. Related Works

This subsection presents existing reviews and survey studies in the literature, summarised in Table 1. They reflect significant progress in SDN-enabled IoT security, but the literature remains disjointed. Mustafa et al. [37] and Jahangeer et al. [38] provide broad overviews of frameworks and layered security, but both reveal a reliance on simulations and a lack of real-time mitigation strategies. Mliki et al. [39] and Nasereddin and Gelenbe added valuable focus on ML-based intrusion detection systems (IDS) and protocol-level vulnerabilities, though they highlighted persistent challenges in maintaining accuracy under heterogeneous and resource-constrained conditions.
Surveys such as [18,40,41] extended the discussion to ML-SDN integration and BC applications, outlining benefits in traffic management, trust, and integrity, but consistently acknowledge limitations in scalability, latency, and computational efficiency. Similarly, Sharmila et al. [42] and Ghourab et al. [43] broaden the scope through taxonomies and cross-layer perspectives, though the computational complexity of proposed solutions remains unresolved. More focused contributions, including Wijesekara and Arachchige [44], Al Sukhni et al. [19], and Ali et al. [21], investigated BC-based IDS and DL methods, pointing to latency, energy constraints, and reliance on offline datasets. In the same vein, reviews such as Alfahaid et al. [45], Mishra et al. [46], and Ref. [47] further underscore the lack of realistic datasets, explainability challenges, and resource scalability issues. Rahdari et al. [20] added a structural classification of challenges across planes but left privacy protection insufficiently addressed.
Table 1 shows that the reviewed studies offer useful but partial contributions. Most work focused on one or two individual aspects, such as ML, BC, protocol vulnerabilities, or layered taxonomies, rather than presenting a combined perspective. None of the listed studies provides a comparison that jointly considers multi-layer SDN-IoT security, BC, ML, SDN controllers, and evaluation criteria. This gap motivates a survey that consolidates these separate contributions and offers a structured cross-layer analysis. As shown, the “Layer covered” and the “SDN controller” fields indicate the architectural scope assumed by each study. Evaluation metrics/insights reflect the security objectives emphasised in the work, like intrusion detection, routing attacks, trust issues, or integrity. In the same vein, the “Evaluation methods” field distinguishes conceptual reviews from works that include empirical or model-based analysis, signalling methodological depth. Furthermore, the dimensions in Table 1 are merely descriptive and independent. They are not hierarchical and do not imply exclusivity. Each field represents a distinctive feature of the reviewed study (e.g., architectural layers, trust mechanisms, BC type, SDN controller used, ML usage). A study may satisfy one or several dimensions without influencing the others. Thus, they should be considered as separate descriptors rather than mutually exclusive categories.

3. Methodology

In this paper, we conducted a comprehensive review following the PRISMA-guided structured scoping review approach [49] to systematically examine the integration of BC, SDN, and ML/DL for securing IoT and IIoT ecosystems. To achieve this, a structured literature search was performed across major publishing platforms, including IEEE Xplore, ACM Digital Library, SpringerLink, ScienceDirect, and MDPI, and indexing tools such as Google Scholar. The platforms were selected because they are comprehensively indexed under Web of Science (WOS) and Scopus. This ensures that the searching process captures all relevant peer-reviewed publications and reduces selection bias.
The literature search was conducted using structured Boolean keyword combinations across the above-mentioned databases. Since the review was developed over an extended period and databases continuously update their indexes, detailed per-database retrieval logs were not preserved. To support reproducibility, the keyword groups and Boolean structure of the search are reported in the relevant subsections, enabling researchers to replicate the search strategy.

3.1. Search Strategy and Timespan

The search was conducted between the years 2020 and 2025 using Boolean combinations of the following keywords:
  • “SDN”, “IoT”, “SDN-IoT”, “SDN-IIoT”
  • “Multi-layer security”, “IoT/IIoT security”, “SDN-IoT/IIoT security”
  • “Blockchain”, “Machine learning”, “Federated learning”, and “Deep learning”
Structuring complex queries with Boolean logic is essential for search engines to return accurate and relevant results. The following query was adopted and used to gather the literature sources used in the study:
(“Software defined networks” OR “Internet of things” OR “SDN-IoT” OR “SDN-IIoT”) AND (“Multi-layer security” OR “IoT/IIoT security” OR “SDN-IoT/IIoT security”) AND (“Machine learning” OR “Federated learning” OR “Blockchain” OR “Deep learning”)

3.2. Inclusion and Exclusion Criteria

To ensure reproducibility and transparency, the following PRISMA-compliant criteria were applied:
Inclusion Criteria:
  • Peer-reviewed journal or conference papers.
  • Full-text available in English.
  • Studies focusing on SDN-IoT/IIoT security.
  • Integration of BC, ML/DL, or FL.
  • Studies reporting on quantitative performance metrics, including latency, throughput, energy consumption, packet loss, accuracy, recall, precision, or F1-score.
Exclusion Criteria:
  • Duplicate records.
  • Non-English publications.
  • Extended abstracts, posters, theses, and non-peer-reviewed documents.
  • Studies lacking evaluation or missing performance benchmarks.
  • Papers unrelated to SDN-IoT multilayer security or not involving BC/ML/DL/FL.

3.3. Study Selection Process

This study initially identified 120 records through database searching, with 29 records removed on the basis of duplication before screening, leaving 91 records screened. The screening for relevance was based on their titles and abstracts, strictly following the defined inclusion and exclusion criteria, leaving 23 records excluded. A total of 68 records or full-text articles were assessed for eligibility, and 9 were excluded for various reasons. Finally, 59 studies met the required quality threshold and were included in the review. The PRISMA workflow is shown in Figure 2. In addition, two independent reviewers observed a high level of agreement during the study selection and article evaluation; any disagreements or discrepancies were resolved through discussion and consensus, in accordance with PRISMA recommendations.
The quality threshold was applied using a four-criterion screening grid: (i) relevance to SDN-IoT or SDN-IoT security, (ii) inclusion of BC and/or ML mechanisms, (iii) clarity of experimental methodology, and (iv) availability of quantitative performance results. Studies meeting at least three of these four criteria were retained for final inclusion.

3.4. Data Extraction and Synthesis

The data was extracted across four analytical categories for each paper that met the required quality threshold:
  • Security: Device, control, network, and application layers; cryptographic methods; ML/DL solutions.
  • Performance results: Latency, throughput, CPU usage, energy consumption, detection accuracy, precision, recall, and F1-score.
  • Technology ecosystem: SDN, BC platforms, ML/DL/FL frameworks, simulation tools, and testbed setup environments.
  • Limitations: Scalability constraints, dataset dependence, attack coverage, and energy overhead.
We then applied narrative synthesis to identify patterns and research gaps, with comparative tables, radar charts, and heatmaps used to demonstrate trends across heterogeneous metrics. We strictly followed this methodology to ensure reproducibility, systematic comparison, and transparency while acknowledging potential limitations from publication bias, simulation reliance, and dataset heterogeneity. Insights derived from this synthesis informed the identification of research gaps and directions for future work in advancing security in SDN-IoT/IIoT ecosystems.

4. SDN-IoT/IIoT Security Frameworks

This section presents an analysis of some of the existing security frameworks to strengthen the SDN-IoT architecture based on BC technology and ML methods. The analysis is structured into themes as follows:

4.1. BC-Based Security Integration

This subsection presents selected studies on BC integration in SDN, summarised in Table 2. Fan et al. [8] proposed BCC, a permissioned BC framework securing SDN/SD-WAN control planes against insider threats and PKI vulnerabilities. Using Auth-SC and Coord-SC smart contracts, the system achieved sub-second consensus for certificate and key distribution with minimal networking overhead. Rahouti et al. [9] developed BRAVE-SDN to protect east–west controller communication with BC and identity-based cryptography, enabling decentralised key generation and mitigating impersonation and MITM attacks; formal AVISPA analysis confirmed robustness, though specific performance metrics were not reported. Chattaraj et al. [10] introduced PBAC-SDN, combining attribute-based encryption, certificate-based key agreements, and private BC for multi-layer access control, showing low computational overhead (switch: 7.064 + 0.021n ms; controller: 1.735 + 0.006n ms) and reduced communication cost (2336 bits per access). Zainal et al. [11] addressed scalability and Northbound interface security with SBAC-SDN, reporting CPU peaks of 60.3% across eight controllers, memory under 8 GB, response times below 1 s, throughput of 4.34–4.67 req/s, and zero errors. Kovacs et al. [14] examined BC deployment on SDN controllers for large-scale ISP networks via virtual ISP federations, demonstrating robust connectivity over encrypted TCP/UDP links, while highlighting the need for evaluation of smart contracts, traffic isolation, and scalability.
For BC-SDN-IoT architectures targeting security, energy efficiency, and routing, Yazdinejad et al. [29] designed a cluster-based SDN controller framework combining public and private BCs, SDN-managed authentication, and energy-aware routing, achieving ~97% accuracy with improved throughput, lower end-to-end delay, and reduced energy consumption in Mininet-WiFi simulations of six clusters with 90 devices. Ghamdi [50] proposed a hybrid SDN-BC classifier to mitigate flooding attacks, showing ~23% lower packet-loss recovery, ~50% energy reduction, higher throughput, and lower response time in Mininet/OpenStack tests with 50 devices. For smart building and condominium deployments, Rahman et al. [51] presented DistB-Condo, a BC-based IoT-SDN-NFV framework using energy-efficient CHS and smart contracts, achieving higher throughput, faster response, improved bandwidth resilience under DDoS, and efficient CPU utilisation. Similarly, DistBlockBuilding [52] combined multi-controller SDN, IoT sensing, and BC for secure, private data transfer, showing increased throughput, lower round-trip times, and stable performance with growing node counts, outperforming OpenFlow-based and MINA solutions. Both studies highlight BC-SDN applications for energy-efficient, secure, and resilient smart building environments, with further evaluation needed for BC performance and optimisation.
As shown in Table 2, BC-SDN integration improves security, scalability, and efficiency across multi-controller, IoT, and smart networks. For instance, frameworks like BCC, BRAVE-SDN, PBAC-SDN, and SBAC-SDN enhance trust, access control, and consensus while maintaining low latency and computational overhead [8,9,10,11]. Large-scale ISP deployments show strong cross-layer communication [14], and IoT or smart building architectures achieve higher throughput, lower delay, and reduced energy consumption, primarily in simulation or emulation studies [29,50,51,52]. These solutions are generally effective, though further work is needed to address real-world scalability, energy optimisation, and deployment challenges.
Particularly, all studies employed BC mechanisms across all SDN layers, utilising varied consensus and trust approaches such as PBFT, permissioned ledgers, smart contracts-based, and dual-ledger architectures. Ethereum, being either private, permissioned, or hybrid, is the most common BC substrate, with Hyperledger Fabric and other permissioned solutions less frequent. Moreover, SDN controllers are typically specified, such as Ryu, ODL, POX, or multi-controller setups, though a few studies did not report details of the controller used. Likewise, evaluation focuses on communication, computation, and energy metrics, with several studies reporting throughput, latency, packet loss, or efficiency indicators. However, reporting detail is uneven: while some works provided quantitative measures of CPU, memory, energy, and related performance metrics, others rely on protocol analysis without numerical data. Test methods include simulations, emulation, and prototype deployment, indicating a mix of conceptual and empirical validation methods.

4.2. BC-SDN-IoT Security Integrations

This subsection presents studies integrating BC into SDN-IoT/IIoT, summarised in Table 3. Rahman et al. [3] proposed Block-SDoTCloud, a hybrid SDN-BC architecture securing IoT cloud storage. SDN provides centralised control, load balancing, and dynamic management, while BC ensures immutability and distributed trust. Simulations with Mininet-WiFi and OpenFlow showed improved throughput, faster file transfers, reduced response times, and stable CPU usage during DDoS attacks, though the evaluation was limited to DDoS. Islam et al. [16] combined SDN, BC, and NFV for smart city IoT, employing a CHS algorithm to prioritise high-energy nodes. Experiments using Mininet-WiFi and Ethereum demonstrated higher throughput under increasing transactions, stable CPU, and linear gas growth for over 1200 requests, with limitations including energy overhead from multiple controllers and unmeasured end-to-end delays.
For IIoT security, Dildar et al. [5] introduced a hybrid BC architecture with lightweight cryptography, smart contracts, and off-chain storage, supporting 10,000 devices with 100 TPS, BC latency of 5 s (2.8 s with DPoS), and ~30% energy reduction, constrained by simulation-based validation. Rahman et al. [53] proposed DistB-SDCloud, a four-layer SDN-BC-IIoT architecture covering data extraction, SDN control, distributed BC, and cloud management. Experiments showed improved throughput, latency, bandwidth stability, and DDoS resilience compared to standard SDN and BC solutions, with future work suggesting AI integration. However, these performance metrics are not directly comparable across studies due to heterogeneous network sizes, traffic models, and hardware.
For large-scale IoT and cloud networks, Faizullah et al. [17] developed a permissioned BC-integrated SDN framework where servers act as BC nodes for access validation, policy enforcement, and flow-table management. Evaluations with ten controllers and 990 IoT nodes showed stable bandwidth (~2.1 Gb/s) and efficient flow updates under high traffic, limited by controlled experimental settings and potential overhead in larger deployments. Rahman et al. [54] proposed SmartBlock-SDN, a layered SDN-BC framework incorporating CHS, rogue switch isolation, flow-rule verification, and IDS monitoring. Simulations indicated up to 50% energy reduction at SDN controllers, lower end-to-end delays, and higher throughput, constrained by fixed-node assumptions and limited-scale testing.
Table 3 presents SDN-BC studies that enhance security, efficiency, and scalability in IoT, IIoT, and cloud networks. Architectures such as Block-SDoTCloud, SmartBlock-SDN, and DistB-SDCloud enhance throughput, reduce response times and delays, stabilise CPU usage, and cut energy consumption by up to 50% under DDoS and high-traffic conditions [3,53,54]. Large-scale IoT cloud frameworks maintain stable bandwidth (~2.1 Gb/s) and efficient flow updates [17], while smart city deployments show linear BC gas growth and stable CPU under 1200+ transactions [16].
Similar to Table 2, all studies used BC mechanisms across SDN layers, often with explicit cross-layer coordination. However, consensus and trust methods vary, including distributed ledgers, hybrid public–private chains with DPoS, permissioned consensus, and access-control validation. Among these, Ethereum still maintains its position as the most common BC substrate, while permissioned and hybrid deployments are less frequent. Most works involved SDN controllers or OpenFlow switches, though a few omit controller details. In terms of evaluation, metrics such as throughput, delay or response time, bandwidth stability, and energy consumption were utilised. Reported results generally indicate throughput improvements, reduced delays, and low energy usage; however, the level of quantification varies across studies. Test methods include simulations, emulations, and large-scale experimental setups. While some studies incorporated DDoS or adversarial scenarios, others focused on protocol execution and resource efficiency. This indicates that, across the studies, the environments vary in both deployment realism and depth of method used. Limitations also remain across studies, including reliance on simulations, fixed-node assumptions, unmeasured end-to-end delays, and limited attack coverage, indicating a need for real-world validation and broader threat testing.

4.3. ML-Based Security Integration in SDN-IoT

Studies on ML-based anomaly detection in SDN-IoT/IIoT environments show extensive use of ensemble and DL methods, summarised in Table 4 and Table 5. Maheshwari et al. [12] proposed an Optimised Weighted Voting Ensemble (OWVE) combining six classifiers (SVM, RF, GBM) with hybrid optimisation (BHO) to secure control and data planes via a POX controller. Evaluated on CIC-DDoS2019 and CAIDA-2007 datasets, it achieved 99.416–99.359% accuracy and a 0.4978% false alarm rate. Limitations included dependence on dataset features and the absence of large-scale deployment metrics. Hnamte et al. [55] developed a DNN integrated with the Ryu controller for real-time traffic classification, achieving 99.98–100% accuracy and minimal false positives. Mininet-based simulations showed efficient CPU use and rapid mitigation, though IoT-specific datasets and scalability remain open issues.
Several studies focused on ensemble-based methods. Bithi et al. [22] combined RF with Recursive Feature Elimination (RFE), achieving near-100% accuracy and zero false positives, with XAI providing transparency. Hirsi et al. [56] enhanced this with RF ensembles and PCA, reaching 100% accuracy, precision, recall, and F1-score, with low testing times (0.25364 s). Kaur et al. [57] introduced a Hierarchical DDoS Defence System (HDDS) with multi-layered adaptive ML, achieving 95% overall accuracy (100% for high-rate attacks) and effective mitigation of diverse traffic types. Other studies compared algorithms and explored domain-specific applications. Lai [58] benchmarked multiple ML algorithms in simulated SDN environments, with RF achieving an ROC AUC of 1.00 and XGBoost/LightGBM excelling in minority-class attacks. Oyucu et al. [58] targeted SDN-based SCADA systems, proposing an optimised DT ensemble with boosting, bagging, and RUSBoost, achieving 95.17% accuracy, 97.3% sensitivity, and 94.8% specificity. Limitations include reliance on simulations and potential scalability challenges.
Furthermore, studies on SDN-enabled IoT DDoS detection show diverse approaches integrating ML, FL, and RL techniques. Yousuf and Mir [59] proposed DALCNN, an RNN with Tanh2 activation, deployed on the ODL platform. The three-tier architecture (Device, Controller, Application) achieved 99.98% detection accuracy and improved throughput, latency, and controller performance. Mitigation was implemented via firewall rules, though the framework remains limited in attack diversity and activation function exploration. Similarly, Sinha et al. [27] introduced DDoSBlocker, a lightweight RF-based system integrated with the Floodlight controller. It achieved 99.71% accuracy, a 0.51% FPR, and sub-second mitigation while maintaining low CPU use. Future directions include adaptation for malicious switches and dynamic traffic. Bhayo et al. [61] developed a supervised ML framework with the SDN-WISE controller, employing DT, NB, and SVM classifiers for 96.1–98.1% detection accuracy. Resource use remained efficient (~30% CPU/memory), but evaluation was limited to simulations and lacked mitigation. Kavitha and Ramalakshmi [62] extended detection to a distributed multi-controller architecture, achieving 99.99% accuracy, reduced execution times, and improved CPU utilisation, enhancing resilience against controller failures, though scalability remains uncertain.
Federated and online learning approaches also feature prominently. Ali et al. [63] proposed Weighted Federated Learning (WFL), where local ANNs share model weights aggregated via preference weighting. The system achieved 98.85% accuracy, with reduced communication overhead and enhanced privacy. However, validation was simulation-based, and real-time deployment challenges persist. Alashhab et al. [23,64,65] introduced multiple frameworks: an LSTM-based RNN for sequence-dependent IoT detection (98.88% accuracy on Edge-IIoTset), a Passive-Aggressive model for continuous LDDoS detection, and an earlier modular ensemble system integrating IDS/IPS for adaptive defence. These studies consistently reported 98–99.7% detection accuracy with adaptability, but faced limitations in scope, computational efficiency, and reliance on simulations.
More recent work integrates federated learning with deep models. Babbar and Rani [66] developed FRHIDS, combining FL with a CNN-LSTM hybrid and a recommender system. Evaluated on UNSW-NB15, it achieved 99.8% accuracy, outperforming prior models by ~12%. Uddin and Kumar [67] extended FL to Satellite-IoT, combining SDN, LEO satellites, LPWANs, and supervised ML, achieving up to 99.66% accuracy with RF. Enhancements such as load balancing, honeypots, and differential privacy were suggested for scalability and security in space-IoT contexts. For reinforcement learning, Guo et al. [26] presented DQSP, a deep RL-based secure routing protocol using DDPG actor-critic models. Simulations demonstrated a 10% improvement in packet delivery ratio over OSPF, reduced delay, and resilience against malicious routing. However, results were limited by small-scale simulations and sensitivity to reward design.
Table 4 and Table 5 summarise SDN and SDN-IoT studies on ML, DL, and FL for DDoS detection, mitigation, and adaptive routing. All studies focused on SDN layers, integrating diverse ML approaches such as ensemble (e.g., SVM, RF, GBM, DT) [22,56] and hybrid ML models like OWVE [12], hierarchical systems [57], sequential or adaptive retraining strategies, DNNs such as RNNs and LSTMs [59,64], RL such as DDPG [26], and federated frameworks such as RF-, CNN-, or LSTM-based for privacy-preserving, decentralised detection [63,66,67]. These methods achieved high detection accuracy, low false positive/negative rates, and low-latency response, while addressing flow table overflows, controller saturation, and resilience against low-rate or evolving attacks.
SDN controller deployment is generally specified, including POX, Ryu, ODL, SDN-WISE, or multi-controller setups, though some studies omit controller details or use controller-agnostic simulations. Moreover, evaluation metrics consistently cover detection performance (standard metrics like accuracy, F1, precision, and recall), resource usage in terms of CPU/memory, as well as throughput, response time, and latency. Reported findings show high accuracy (often ≥95–99%) with low false positives and manageable computational overheads. Some studies also measure network-level performance enhancements, like improved packet delivery ratio and reduced delay under attack [26]. Similarly to the studies reported in Table 2 and Table 3, evaluation methods cover simulations (e.g., Mininet, custom IoT topologies, Matlab, etc.), emulation, train–test splits, cross-validations, and comparative studies against baseline classifiers. While some simulated adversarial or DDoS scenarios, others focused on federated aggregation or adaptive routing evaluation. Furthermore, benchmark datasets such as CIC-DDoS2019, NSL-KDD, SCADA, CAIDA, UNSW-NB15, and Edge-IIoTset were used across studies. In general, despite the differences in ML methods, controller configurations, and evaluation practices, the studies consistently report high detection performance across SDN layers. However, limitations remained across studies, including heavy reliance on benchmark datasets, limited real-world deployment, fixed node assumptions, and scalability issues, prompting the need for further or broader validation and deployment studies in operational SDN-IoT settings.

4.4. ML-Based Security Integration in IoT

This subsection summarises FL-based approaches for IoT anomaly detection, where most authors focused on DDoS attacks using broad multi-attack datasets, as shown in Table 6 and Table 7. Alshdadi et al. [68] proposed an FL framework integrating a hybrid DL model, ResVGG-SwinNet, combining ResNet, VGGNet, and Swin-Transformer for multi-label attack detection. IoT devices train locally and share only model updates, preserving privacy and reducing network load. Real-time detection, attack isolation, and dynamic resource allocation are supported by adaptive priority scheduling and threat intelligence. Evaluations on CIC-DDoS2019, UNSW-NB15, and IoT23 achieved 99.0% accuracy, 2.5% false alert rate, 99.3% AUC, and 93.0% optimisation efficiency. Limitations include sensitivity to network congestion, packet loss, and heterogeneity in real-world scenarios. Alhasawi and Alghamdi [7] introduced FL-DAD, a decentralised FL framework using CNNs on edge devices. Tested on CICIDS2017, FL-DAD achieved ≥98% detection across accuracy, precision, recall, and F1-score, with extremely low false positive (0.009) and false negative (0.007) rates. The system reduces communication overhead during training and scales effectively with 10–100 nodes, addressing privacy, single point of failure, and centralised IDS limitations. Remaining challenges include non-IID data, edge device constraints, legacy system integration, and dataset specificity.
Zhu and Niu [69] extended FL with Homomorphic Encryption, edge computing, and a trust chain. Computations occur on encrypted model parameters (Paillier scheme), with edge nodes handling initial aggregation. A key generation centre distributes encryption keys securely, while the trust chain ensures transparency and immutability. Evaluated on MNIST, the system maintained accuracy comparable to standard FL with minimal convergence impact, though reliance on a trusted key centre and heterogeneous participant data remains a limitation. Mahmud et al. [24] developed a privacy-preserving FL-based IDS for CPSs and heterogeneous IoT networks. Using DL models (LeNet, FCN, DNN, LSTM, GRU) and lightweight SSL cryptography, the system detects DoS, DDoS, ransomware, data injection, XSS, PCA, and MITM attacks. Experiments on real-world datasets demonstrated high detection (>91% for LeNet and FCN), scalable training, low computational overhead, and resilience to concept drift. Limitations include small client numbers, reliance on supervised learning, and evaluation against known attacks, highlighting the need for larger deployments, semi-supervised learning, and detection of emerging threats.
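The encrypted aggregation described above for Zhu and Niu [69] can be illustrated with the following added example, which is not code from the reviewed paper: clients encrypt fixed-point model updates under a Paillier public key, edge nodes and the server add ciphertexts without the private key, and only the key holder decrypts the sum. The key size, the fixed-point scale, the client values, and all function names are assumptions made for this sketch.

```python
"""Toy Paillier aggregation of federated-learning updates (illustrative only)."""
import math
import secrets

SCALE = 10**6  # assumed fixed-point scale used to encode float weights as integers


def keygen():
    # Constructed toy key: two Mersenne primes give a ~150-bit modulus.
    # This is far too small for real use; it keeps the example reproducible.
    p, q = 2**61 - 1, 2**89 - 1
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # valid because the generator is g = n + 1
    return n, (lam, mu)


def encrypt(n, m):
    """Encrypt a signed integer m; negatives are encoded modulo n."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    # With g = n + 1, g^m mod n^2 equals 1 + m*n.
    return ((1 + (m % n) * n) * pow(r, n, n2)) % n2


def decrypt(n, priv, c):
    lam, mu = priv
    x = pow(c, lam, n * n)
    m = ((x - 1) // n * mu) % n
    return m - n if m > n // 2 else m  # undo the signed encoding


def add(n, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds plaintexts."""
    return (c1 * c2) % (n * n)


def encrypt_update(n, weights):
    return [encrypt(n, round(w * SCALE)) for w in weights]


def aggregate(n, updates):
    """Component-wise ciphertext sum; needs only the public modulus n."""
    total = updates[0]
    for upd in updates[1:]:
        total = [add(n, a, b) for a, b in zip(total, upd)]
    return total


def decrypt_average(n, priv, enc_sum, count):
    return [decrypt(n, priv, c) / SCALE / count for c in enc_sum]


def run_round():
    n, priv = keygen()  # role of the key generation centre
    # Constructed local model updates from four clients.
    clients = [
        [0.120, -0.450, 0.300],
        [0.100, -0.500, 0.280],
        [0.140, -0.400, 0.330],
        [0.080, -0.470, 0.310],
    ]
    enc = [encrypt_update(n, w) for w in clients]
    edge_a = aggregate(n, enc[:2])  # initial aggregation at edge node A
    edge_b = aggregate(n, enc[2:])  # initial aggregation at edge node B
    global_sum = aggregate(n, [edge_a, edge_b])  # server-side combination
    avg = decrypt_average(n, priv, global_sum, len(clients))
    expected = [sum(col) / len(clients) for col in zip(*clients)]
    return avg, expected


if __name__ == "__main__":
    averaged, plain = run_round()
    print("decrypted average:", averaged)
    print("plaintext average:", plain)
```

The aggregation path never touches the private key, which is why the scheme's privacy rests on the trusted key centre that the survey lists as a limitation.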
Moreover, Janivasya and Rachmawati [71] evaluated eight ML algorithms on UNSW-NB15, with RF achieving the highest accuracy (97.68%) and DT, LSTM, MLP, and GRU consistently above 96%. Chi-square analysis identified key features enhancing model performance, highlighting the proactive potential of ML-based defences. Otoum et al. [72] proposed DL-IDS, a DL framework for IoT networks addressing high-dimensional and uncertain data. Using Spider Monkey Optimisation for feature selection and a Stacked-Deep Polynomial Network for classification, DL-IDS achieved 99.02% accuracy, 99.38% precision, 98.91% recall, and 99.14% F1-score on NSL-KDD, outperforming prior approaches.
Alduailij et al. [73] focused on cloud-based detection, combining Mutual Information and RF Feature Importance to select 19 features, with RF achieving 99.9% accuracy and minimal misclassification on CICIDS2017 and CICDDoS2019 datasets. Siddhartan et al. [74] proposed SENMQTT-SET for MQTT-based IoT networks, reducing 120 raw features to 11 via an ensemble multi-view cascade feature generation algorithm. DT emerged as the Elite ML model, achieving over 99% accuracy while demonstrating efficient detection under increased packet loss, latency, and delays caused by DoS attacks.
Studies also highlight adversarial vulnerabilities in ML/DL-based NIDS. Qiu et al. [70] examined black-box attacks on DL-based NIDS, achieving a 94.31% success rate in evading detection or triggering false alarms, notably against Kitsune autoencoder-based systems. Papadopoulos et al. [75] analysed label poisoning and FGSM attacks on ML/DL models using Bot-IoT, showing that non-targeted FGSM attacks significantly reduced accuracy and recall for DDoS and DoS traffic, while label poisoning, though detectable, could manipulate SVM models during training. These studies underscore the importance of robust, attack-resilient detection mechanisms.
Table 6 and Table 7 summarise SDN-IoT studies on DDoS detection, anomaly detection, and traffic classification, focusing on FL, hybrid ML/DL models, and classical ML/DL approaches. FL and hybrid methods, such as CNN-based FL-DAD [7] and ResVGG-SwinNet [68], achieve high accuracy (>98–99%) while reducing network load and preserving privacy. Improvements, including homomorphic encryption [69] and DL-based FL for heterogeneous IoT [24], further enhance security, scalability, and resilience. Classical ML/DL methods such as RF [71,73], DL-IDS [72], and SENMQTT-SET [74] remain effective but may be vulnerable to adversarial attacks [70,75].
All the studies addressed multiple SDN-IoT layers, from device to application layers, with some incorporating cloud or virtualized environments. The coordination and trust mechanisms include federated averaging, trust chains, key management for encrypted updates, hierarchical IDS control, ensemble feature selection, and adversarial training. ML techniques employed are diverse, including CNNs, RNNs, LSTM, GRU, DNN, FCN, SMO, KNN, RF, Gradient Boosting, and ensemble models, often applied for DDoS mitigation, traffic classification, and adaptive detection in IoT networks. On the other hand, SDN controller or aggregation deployments vary, such as cloud servers, FL aggregation servers, IDS-based control planes, MQTT brokers, and NIDS monitoring systems. Also, evaluation metrics were consistently applied, including accuracy, recall, F1, precision, false positive/negative rates, convergence time, training/prediction time, loss, and miscalculation rates. Reported performance is generally high, often ≥97%, though adversarial or concept-drift scenarios can reduce effectiveness.
Furthermore, evaluation methods including simulations, emulations, server-client experiments, train–test splits, benchmark datasets (e.g., CICIDS2017, IoT23, MNIST, Mirai botnet, etc.), and encrypted aggregation tests were used across studies. These studies, although they applied different ML, FL, and deployment approaches, all aim for accurate, scalable, and privacy-aware detection in SDN-IoT. Nonetheless, challenges remain with limited edge resources, non-IID data, real-world testing, adversarial threats, and heterogeneous IoT, indicating areas for further research.

4.5. BC-ML-Based Security Integration in IoT

This subsection summarises studies combining BC and ML with SDN-IoT/IIoT for security, as presented in Table 8. Ababio et al. [28] proposed a BC-assisted FL framework for secure, self-optimising digital twins in IIoT. Integrating FL, BC, XAI, and homomorphic encryption, the framework enables decentralised, privacy-preserving edge training while maintaining data integrity and interpretability. Weighted aggregation balances heterogeneous datasets, BC records updates via smart contracts, and XAI supports adaptive training. Evaluated on CIFAR-10, it achieved 95% accuracy, ~300 ms latency, and scalability to 1000 edge devices. Limitations include potential challenges in anomaly detection and adversarial resilience.
Saveetha et al. [76] introduced a federated ML and BC framework for DDoS detection, with distributed local training preserving privacy and BC ensuring model integrity. Reputation-based miner selection incentivises legitimate participation. Experiments on IDS2018 and CIC-DDoS2019 achieved up to 99.1% accuracy with RF, with future work targeting broader attack types and SDN integration. Abdullah et al. [77] developed FLDoSADC-DTL, combining FL, BC, and deep transfer learning with stacked autoencoders for DoS detection in IIoT. Feature selection via the Sand Cat Swarm Algorithm and hyperparameter tuning with Black Widow Optimisation improved performance. On the Edge-IIoT Cybersecurity dataset, it achieved 95.11% accuracy, 87.73% precision, 87.77% recall, 87.72% F1-score, and 92.36% AUC, while limitations included edge device constraints and BC overhead.
Arazzi et al. [78] proposed a privacy-preserving anomaly detection framework using FL, HE, and BC. GRU-based networks model device behaviour, with resource-constrained nodes offloading tasks and BC managing trust and logging. The system achieved 0.85 average detection accuracy and resilience against poisoning, slandering, whitewashing, and sleep deprivation attacks, but required sufficient heterogeneous nodes, frequent communication, and incurred a 16.6% performance reduction due to task delegation. Manh et al. [79] developed a BC-based IoT cyberattack detection framework (PPDiL) combining AI with HE. Cloud providers train DL models on encrypted data using 1D/2D packing and FedAvg-based distributed learning, reducing computational overhead. Experiments on the BNAT dataset achieved ~91% accuracy, comparable to non-encrypted models, with adaptability to different BC consensus mechanisms and hardware, supporting real-world deployment.
Table 8 shows that combining FL, BC, DL, and homomorphic encryption enables secure, privacy-preserving, and scalable attack detection in heterogeneous IoT and IIoT networks. BC-assisted FL with XAI and HE achieved 95% accuracy for IIoT digital twins [28], FL-BC frameworks with reputation-based miners and deep transfer learning exceeded 95% accuracy for DDoS/DoS detection [76,77], GRU-based FL with HE and BC reached 0.85 accuracy for IoT anomaly detection [78], and encrypted DL models with FedAvg maintained ~91% accuracy while reducing computational overhead [79]. Collectively, these studies confirm the effectiveness of FL, BC, and HE for high-accuracy, privacy-preserving, and scalable detection.

4.6. BC-ML-Based Security Frameworks in SDN-IoT/IIoT

This subsection summarises studies combining BC, ML/DL, and SDN-IoT/IIoT for secure DDoS detection and controller placement, as shown in Table 9 and Table 10. Benoudifa et al. [15] proposed a proactive SDN controller placement framework using MuZero RL and Ethereum smart contracts, optimising placements based on latency, traffic, and device connectivity while immutably recording decisions. Simulations on Mininet/ODL/Ganache validated adaptive, tamper-proof placement under DoS attacks. Similarly, Jmal et al. [4] developed distributed SDN-IoT architectures integrating BC and ANN for real-time DDoS detection. Multi-controller setups reduce centralisation risks, BC ensures immutable inter-controller communication, and encrypted firewalls protect the data plane. Evaluated on IoT intrusion datasets, both frameworks achieved perfect classification metrics, though limitations include hardware/software demands, BC latency, integration challenges, and scalability with growing nodes or transactions.
Pawar et al. [80] combined multi-controller SDN, BC, and an attention-based CNN-LSTM (At-C-L) for DDoS detection. On the InSDN dataset (343,939 flows), At-C-L achieved 98.3% accuracy, 97.3% F1-score, 97.1% PPV, and AUC 0.979, outperforming CNN, LSTM, and Bi-LSTM baselines. Alotaibi [25] applied Bi-LSTM-HBA with Honey Badger metaheuristic and SMOTE for large IoT networks, achieving ≈ 99.55% accuracy, precision ≈ 99.36%, recall ≈ 99.44%, F1 ≈ 99.42%, throughput 663 Mbps, latency 0.45 s, and CPU usage 22.46%, surpassing GRU-LSTM baselines. Limitations include BC latency, control-plane bottlenecks, and centralisation; lightweight BC and federated learning are suggested. Hybrid DL-BC approaches include HDL-SDN [13], integrating CNN-LSTM with BC and RBFT consensus. Evaluated on NSL-KDD, it achieved 92.89–98.02% specificity and 95.42% precision, outperforming CNN, LSTM, and DL-IDPS-SDN models, though deployment and latency metrics are unreported. Hsu and Liu [6] combined FL, BC, and SDN for IoT/smart city DDoS detection, using DNN, CNN, RNN, and LSTM models optimised via Particle Swarm Optimisation. FL enables local training without raw data sharing, BC provides tamper-proof logging, and SDN supports dynamic traffic control. Evaluations show high accuracy, efficient anomaly detection, and scalability, with future work targeting model compression and lightweight deployment.
Furthermore, Rahman et al. [36] proposed BlockSD-5GNet, a 5G architecture combining SDN, NFV, BC, and ML to mitigate DDoS, MITM, topology poisoning, and side-channel attacks. SDN provides centralised control, NFV virtualises functions, BC ensures integrity, and ML supports proactive decisions. Simulations demonstrated improved throughput, bandwidth utilisation, latency reduction, and node failure resilience compared to SDN-only or conventional 5G networks. Limitations include BC speed, scalability, and reliance on traditional ML, with future work suggested in FL, DL, energy-efficient management, and optimised consensus. Abdulqadder et al. [81] presented a directed acyclic graph (DAG)-based BC framework for 5G-enabled SDN, integrating multi-plane SDN controllers, edge computing, NFV-enabled virtual switches, and honeypots. Multi-level authentication uses QUARK hashing, PUFs, biometrics, and one-time pads, while CapsNet honeypots and SAC algorithms validate packets. DAG BC with PoET consensus ensures immutable storage, and Honey Badger Optimisation with time-based handover improves load balancing. Simulations show >99% detection accuracy and improvements in bandwidth, delay, response time, packet loss, and authentication, addressing integrity, availability, confidentiality, authenticity, and backward secrecy. Future research includes real-world deployment and adaptive DAG consensus.
Hu et al. [82] proposed BC-SDN, deploying edge BC-as-a-Service (BaaS) with smart contracts for SDN-controlled IoT security. BC agents co-located with SDN switches verify flows and maintain immutable ledgers, with contract-theoretic incentives encouraging truthful verification. Game-theoretic analysis maximises social welfare. Simulations show scalability, efficient reward allocation, and low computational complexity, though large-scale deployment and diverse flow policy evaluation remain challenges. Similarly, Prasad et al. [83] introduced MOBCF-ADDLM, a decentralised DDoS detection framework combining BC, Deep Belief Networks, and evolutionary optimisation (Aquila and Red Panda optimisers for feature selection and hyperparameters). BC ensures tamper-proof records, DBNs model high-dimensional traffic, and metaheuristic optimisation improves accuracy and convergence. Experiments on BoT-IoT datasets achieved 99.22% accuracy, low processing times, and reduced overfitting. Limitations include single-dataset evaluation, adaptability to evolving attacks, and resource overhead; future work suggests cross-dataset validation, real-time SDN integration, and adaptive learning.
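The idea of verifying switch flows against an immutable ledger, described above for BC-SDN [82] and earlier for flow-rule verification in SmartBlock-SDN [54], is sketched in the following added example, which is not code from either framework. It uses a single-writer SHA-256 hash chain in place of a consensus protocol; the rule fields, switch name, and function names are assumptions.

```python
"""Hash-chained flow-rule ledger with a switch-side audit (illustrative only)."""
import copy
import hashlib
import json

GENESIS = "0" * 64


def digest(obj):
    """Canonical SHA-256 digest of a JSON-serialisable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def append_rule(ledger, rule):
    """Controller side: record an approved flow rule as a new block."""
    prev = ledger[-1]["block_hash"] if ledger else GENESIS
    body = {"index": len(ledger), "prev": prev, "rule": copy.deepcopy(rule)}
    block = dict(body, block_hash=digest(body))
    ledger.append(block)
    return block


def verify_chain(ledger):
    """Return the index of the first invalid block, or -1 if the chain is intact."""
    prev = GENESIS
    for i, block in enumerate(ledger):
        body = {"index": block["index"], "prev": block["prev"], "rule": block["rule"]}
        if (block["index"] != i or block["prev"] != prev
                or digest(body) != block["block_hash"]):
            return i
        prev = block["block_hash"]
    return -1


def audit_flow_table(ledger, flow_table):
    """Verifier side: compare a switch's installed rules with the ledger.

    Returns (unapproved, missing): rules installed but never recorded,
    and recorded rules that are absent from the switch.
    """
    approved = {digest(b["rule"]) for b in ledger}
    installed = {digest(r) for r in flow_table}
    unapproved = [r for r in flow_table if digest(r) not in approved]
    missing = [b["rule"] for b in ledger if digest(b["rule"]) not in installed]
    return unapproved, missing


def demo():
    # Constructed OpenFlow-style rules for one switch.
    r1 = {"switch": "s1", "priority": 100,
          "match": {"ipv4_dst": "10.0.0.5", "tcp_dst": 1883}, "action": "output:2"}
    r2 = {"switch": "s1", "priority": 50,
          "match": {"eth_type": "0x0806"}, "action": "flood"}
    r3 = {"switch": "s1", "priority": 10, "match": {}, "action": "drop"}
    ledger = []
    for rule in (r1, r2, r3):
        append_rule(ledger, rule)

    # Constructed switch state: r2 is absent and one unrecorded rule is present.
    unrecorded = {"switch": "s1", "priority": 200,
                  "match": {"ipv4_dst": "10.0.0.5"}, "action": "output:7"}
    flow_table = [r1, r3, unrecorded]

    intact = verify_chain(ledger)
    unapproved, missing = audit_flow_table(ledger, flow_table)

    # Editing a recorded rule after the fact breaks the chain at that block.
    forged = copy.deepcopy(ledger)
    forged[1]["rule"]["action"] = "output:7"
    tampered_at = verify_chain(forged)
    return intact, unapproved, missing, tampered_at


if __name__ == "__main__":
    print(demo())
```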
Table 10. Summary of BC-ML-SDN-IoT security frameworks.
| Study | Layers Covered | BC/Consensus | ML Methods | SDN Controller/FL Server | Evaluation Metrics | Performance Insight | Evaluation Method |
|---|---|---|---|---|---|---|---|
| [4] | Device, Network | Private BC; Inter-controller communication | ANN for detection and payload optimisation | Distributed SDN controllers | Accuracy, precision, recall, F1-score | Perfect metrics (1.0) | Novel SDN Dataset validation |
| [25] | Device, Network, Application | Ethereum; smart contracts; decentralised trust | Bi-LSTM with SE blocks; Honey Badger Algorithm; SMOTE | Centralised SDN controller | Accuracy, precision, recall, F1, throughput, latency, CPU | Accuracy 99.55%; throughput 663 Mbps; Latency 0.45 s; CPU 22.46% | CICIDS 2018 dataset; comparison with GRU-LSTM; runtime measurements |
| [80] | Device, Network | Private Ethereum BC; Oracle; immutable policies | At-C-L: Attention + CNN + LSTM for DDoS detection | Multi-controller SDN | Accuracy, F-score, PPV, AUC | Accuracy 98.3%; F-score 97.3%; outperformed CNN, LSTM, Bi-LSTM; faster attack identification under load | InSDN dataset (343,939 flows); ROC/AUC analysis; controller comparisons |
| [82] | Device, Network, Application | Edge BC Agents; smart contracts; Byzantine consensus | Game-theoretic optimisation for reward allocation | SDN controllers for path calculation and flow rule generation | Social welfare, latency, Blocksize | Immutable flow ledger ensures auditing; IAS latency linear; ISS more efficient; edge deployment reduces overhead. | Analytical simulations with varying verifier cost, number of verifiers, latency/honesty combinations |
| [83] | Device, Network, Application | BC; smart contracts | DBN for DDoS classification; AO feature selection; RPO hyperparameter tuning | SDN controllers | Accuracy, precision, recall, F1-score, MCC, processing time | Accuracy 99.22% (multiclass), 97.41% (binary); processing time 9.31 s | BoT-IoT datasets; 30% TESPHA; training/validation analysis |
Table 9 and Table 10 present SDN-enabled IoT and 5G studies highlighting BC integration, distributed architectures, and advanced learning for security and performance. Multi-controller SDN with BC and ANN/CNN-LSTM/Bi-LSTM/attention-based models [4,6,13,15,25,44,66,80,82] achieve ≈98–99.5% DDoS detection accuracy, privacy preservation, and real-time anomaly detection. 5G-focused work [36,81] combines SDN, NFV, DAG/PoET BC, ML, and optimisation to enhance throughput, latency, and authentication. Edge solutions [82,83] ensure tamper-proof records and resilience. Limitations include BC overhead, scalability, and resource demands; future directions include lightweight deployment, federated learning, and adaptive consensus.

5. Discussion

This paper reviewed and synthesised studies on integrating BC and ML with SDN to achieve multi-layer security in IoT and IIoT environments. The analysis focused on security coverage, performance outcomes, technological platforms, and limitations across the studies considered, supported by Table 11, Table 12 and Table 13.
In terms of security coverage across layers, analysis of the reviewed studies shows that security mechanisms span multiple SDN–IoT layers (Figure 3). At the device and identity layer, distributed PKI, identity-based cryptography, attribute-based encryption, and cluster-based validation were widely applied [8,9,16], while lightweight cryptography, digital signatures, and BC authentication strengthened IIoT deployments [5]. Control-plane defences included multi-controller architectures [14,15,62], flow-rule verification [13,54], rogue switch isolation [54], and RL-based controller placement [15]. At the data/network layer, encrypted forwarding [4,5], flow verification [13], and BC-backed validation [3,17] were employed. The application and policy layer was secured through certificate caching [15], fine-grained access control [17], and cloud service integrity checks [53]. Cross-layer trust was reinforced through BC consensus mechanisms, including PBFT [8], PoS [29], DPoS [5], smart contracts [28], and reputation-based models [76]. Adversarial vulnerabilities were reported in DL-based intrusion detection [70], whereas federated and distributed approaches improved resilience by decentralising model training and preserving privacy [7,68].
As summarised in Table 11, security measures addressed DDoS, low-rate DDoS, control-plane saturation, IoT/IIoT botnets, data integrity violations, cloud vulnerabilities, CPS/IIoT risks, and 5G-SDN-IoT network attacks. Analysis shows that DDoS/flooding attacks are the most dominant attack type in the SDN-IoT environment, followed by IoT/IIoT attacks and botnets. Additionally, the mitigation strategies frequently combined hybrid ML/DL models, FL, and RL for adaptive control, BC-enabled validation, and metaheuristic optimisations. SDN controllers (including Ryu, POX, ODL, Floodlight), edge and cloud computing platforms, IoT/IIoT devices, and BC frameworks like Ethereum, Hyperledger, and DAG supported these deployments. Reported performance shows high detection accuracy, about 79–100%, low false positives, low latency, improved throughput, and resource efficiency [7,24,68].
Table 12 details how SDN controllers and FL servers were employed across layers, including the BC integration and ML methods used. Ryu and multi-controller SDN configurations were dominant, often paired with Ethereum-based BCs [8,15,54], while FL servers facilitated privacy-preserving model training with both public and private BCs [7,28,68]. This cross-layer coverage underscores the adaptability of SDN controllers in securing IoT environments.
Furthermore, in terms of BC and ML ecosystems, Table 13 further organises the studies by BC type and consensus mechanism, linking them with ML methods, datasets, and evaluation approaches. Ethereum-based, permissioned, dual, and DAG BCs consistently provided immutability and distributed trust [5,7,8,10,68,81]. Classical, deep, and federated ML models supported anomaly detection, intrusion prevention, and adaptive mitigation [7,9,24,28,68,69]. Accordingly, evaluations mainly relied on simulations, emulations, testbeds, and dataset-based assessments [7,8,11,15,68], validating both security and performance outcomes.
Furthermore, across the reviewed studies, measurable improvements in throughput, latency, and detection accuracy were consistently reported (Table 11, Table 12 and Table 13). Lightweight consensus mechanisms achieved low overheads, such as intra-domain authentication in 0.05 s [8] and DPoS, reducing BC latency from 5 s to 2.8 s [5]. Energy efficiency was observed in cluster-head designs, reducing controller energy use by up to 50% [54], although multi-controller setups could offset these gains [16]. Throughput improvements included stable bandwidth at 2.1 Gb/s under load [17], 663 Mbps compared to a 158 Mbps baseline [25], and ~350 Mbps gain with NFV [36]. Detection accuracy frequently exceeded 95% and often surpassed 98% [7,12,25,57,59,64,68,81], supported by strong precision, recall, and F1-scores [4,25,83]. Response times remained low, ranging from 0.5–5 s for ML-based mitigation [23,27] to 0.45 s in BC-DL integrated models [25]. Resource efficiency varied, with some frameworks maintaining ~30% CPU usage [25,61], while others faced higher overhead due to DL or federated aggregation [65,67].
Figure 4 and Figure 5 complement Table 11, Table 12 and Table 13. Figure 4 presents normalised performance metrics across attack categories, highlighting consistent high accuracy alongside resource trade-offs. For instance, LR-DDoS defences achieved near-perfect accuracy with low latency [13,28], whereas IoT/IIoT and data-poisoning defences exhibited greater variability and overhead [56,59]. Likewise, Figure 4 provides a comparison across metrics, showing the strengths and weaknesses in attack mitigation.
In terms of the technologies used across studies, the solutions relied on established SDN controllers (like Ryu, POX, ODL, Floodlight), often combined with BC platforms (such as Ethereum, Hyperledger, DAG, private). Testbeds were dominated by Mininet/Mininet-WiFi, NS-3, and OpenStack, with validation supported by Wireshark, AVISPA, and Scapy. Moreover, ML implementations used TensorFlow, Keras, PyTorch, and Scikit-Learn, with optimisations from Bayesian search, hybrid heuristics, or federated aggregation [12,60,64]. In the same vein, cryptographic schemes such as AES, RSA, and HE strengthened privacy [78,79], while NFV [16,36] and edge computing [7,24,68] extended scalability. Secure aggregation protocols (e.g., Paillier [69]) and BC-enabled auditing ensured tamper resistance and decentralised trust. Despite this robust ecosystem, many studies remained confined to small-scale or simulated environments.
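The additive-homomorphic aggregation referred to above (Paillier-based secure aggregation in federated learning) can be illustrated as follows. This is an added example, not code from the article or from any reviewed study; the toy primes, the fixed-point scale, the sample client updates, and the assumption that the decryption key is held by a party other than the aggregator are all choices of this example.

```python
import math
import secrets

# Constructed toy parameters: the Mersenne primes 2^61-1 and 2^89-1.
# A ~150-bit modulus is for demonstration only; it offers no real security.
P, Q = 2**61 - 1, 2**89 - 1
SCALE = 10**6  # fixed-point scale for float weights (assumption of this example)


def keygen(p=P, q=Q):
    """Return (public modulus n, private key (lam, mu)), generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    if math.gcd(n, lam) != 1:
        raise ValueError("unsuitable primes")
    return n, (lam, pow(lam, -1, n))


def encrypt(n, value):
    """Encrypt a signed integer; negatives wrap into the top half of Z_n."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1  # fresh randomness per ciphertext
        if math.gcd(r, n) == 1:
            break
    return (1 + (value % n) * n) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """Recover the signed integer; requires the private key (lam, mu)."""
    lam, mu = priv
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m


def client_update(n, weights):
    """Client side: encrypt each fixed-point-encoded weight under the public key."""
    return [encrypt(n, round(w * SCALE)) for w in weights]


def aggregate(n, updates):
    """Aggregator side: uses only n. Multiplying ciphertexts adds plaintexts."""
    if not updates:
        raise ValueError("no updates to aggregate")
    dim = len(updates[0])
    if any(len(u) != dim for u in updates):
        raise ValueError("update vectors differ in length")
    n2 = n * n
    total = [1] * dim  # 1 is a valid encryption of 0
    for u in updates:
        total = [a * b % n2 for a, b in zip(total, u)]
    return total


def decrypt_mean(n, priv, agg, num_clients):
    """Key holder: decrypt the summed update and average it."""
    return [decrypt(n, priv, c) / SCALE / num_clients for c in agg]


def expansion_factor(modulus_bits, plain_bytes=4):
    """Ciphertext bytes (an element of Z_{n^2}) per plaintext float32, no packing."""
    return (2 * modulus_bits // 8) / plain_bytes


def run_round(client_weights):
    """One federated round: encrypt per client, aggregate blind, decrypt the mean."""
    n, priv = keygen()
    updates = [client_update(n, w) for w in client_weights]
    return decrypt_mean(n, priv, aggregate(n, updates), len(client_weights))


# Constructed sample updates from three clients.
CLIENTS = [[0.12, -0.45, 0.003], [0.10, -0.50, -0.001], [0.14, -0.40, 0.004]]

if __name__ == "__main__":
    print(run_round(CLIENTS))
    print(expansion_factor(2048))
```

At a 2048-bit modulus each unpacked float32 weight becomes a 512-byte ciphertext, a 128-fold expansion, which makes the cryptographic overhead noted in this section concrete.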
As discussed above, despite promising results, limitations remain. Most evaluations relied on simulations, limiting generalizability [11,12,55]. Scalability challenges continue, particularly with PBFT’s O(n²) complexity [10]; evaluations beyond tens of thousands of devices [5] and of DAG BC consensus mechanisms [81] are limited. Dataset dependency was common, with IDS performance relying heavily on benchmark or custom datasets [12,22,65]. Furthermore, resource overhead is recurrent, whether from multi-controller setups [4,16], BC latency [4,80], or cryptographic protocols [69,79]. Centralised SDN controllers remain a potential single point of failure [25], and adversarial resilience in DL-based frameworks is yet to be fully addressed [70,75]. Finally, mobility, heterogeneity, and interoperability in large-scale IoT networks are underexplored [50,51,82]. These findings confirm that BC and ML integration improve multi-layer security in SDN-IoT systems. Gains in throughput, latency, and detection accuracy validate feasibility, while unresolved issues in scalability, resource efficiency, dataset dependence, and deployment realism constrain practical adoption. The evidence suggests that while the foundations of a secure, decentralised, and intelligent SDN-IoT ecosystem are established, bridging the gap from controlled simulations to real-world implementation remains a central challenge.

6. Possible Research Directions

Based on the studies reviewed, which show significant progress in securing SDN-IoT ecosystems through BC and ML, we identified several directions that remain open for further investigation.
Most frameworks have been validated in controlled testbeds or simulation environments such as Mininet, Ethereum, and Hyperledger [3,5,17], but deployment in industrial or smart city networks is needed to assess scalability, latency, and interoperability under heterogeneous IoT conditions [8,29,50,51,52]. Similarly, ML and DL are effective for anomaly detection; however, adaptive, multi-layer mechanisms that integrate identity management, policy enforcement, and predictive security are necessary [13,28,51,52]. Federated and distributed learning architectures offer improved scalability and privacy, particularly in multi-controller SDN, while adversarial resilience and semi-/unsupervised approaches remain critical for heterogeneous IoT data [7,22,24,55,68,70,75,78]. Also, the evaluation of IDS performance should move beyond static benchmarks (e.g., CICIDS, BoT-IoT, KDD99, NSL-KDD). Validation on diverse datasets and in heterogeneous IoT environments, together with adaptive mechanisms that evolve with new traffic patterns, is needed for robust, generalizable models [7,12,24,56,59,68,80,82,83]. In the same vein, while high detection rates are reported, interpretability is limited. Incorporating explainable methods can improve trust in automated decisions and support human-in-the-loop interventions [28].
Moreover, security evaluations have focused mainly on DDoS attacks [3,53,54]; thus, future research should cover insider threats, routing manipulation, data poisoning, and zero-day exploits, using adaptive FL and cross-layer defences [4,6,9,10,50,77]. Likewise, energy and QoS considerations remain underexplored: CHS reduces controller energy [54], while multi-controller designs sometimes increase energy consumption [16,27,29,50]. Therefore, dynamic load balancing, green networking strategies, and optimisation of ML models on constrained devices are essential. Furthermore, BC consensus introduces latency and overhead, highlighting trade-offs. Lightweight, hybrid, or controller-assisted protocols, as well as alternatives like PoET, RBFT, and DAG-based approaches, could balance security against performance metrics such as throughput [5,8,10,13,29,50,81].
Interoperability across SDN, BC, NFV, IoT, and cloud services was also identified as a barrier. Standardised protocols with P4-programmable data planes can be used to support heterogeneous deployments [16,29,52]. Similarly, cryptographic mechanisms require optimisation for constrained devices, with lightweight HE, secure multi-party computation, and efficient aggregation needed to maintain privacy without degrading performance [24,69,79].
As SDN, BC, and ML unite to secure IoT systems, we thus advise that future designs should address scalability, energy efficiency, consensus optimisation, adversarial resilience, interoperability, and explainability to move beyond controlled prototypes.

7. Conclusions

This paper systematically reviewed and presented an analysis of 59 recent studies on the integration of BC, SDN, and ML for securing IoT and IIoT networks. The findings revealed that multi-layered security frameworks, covering device, control, network, and application layers, can effectively mitigate threats. When combined with cryptographic protocols, consensus mechanisms, and ML/DL techniques, these frameworks address attacks such as DDoS, rogue nodes, and unauthorised access. Moreover, reported empirical evaluations consistently indicate improvements in throughput, latency, energy efficiency, detection accuracy, and F1-score, particularly when FL, caching strategies, or hybrid BC architectures are employed. Similarly, BC provides immutable, distributed trust, while ML enables adaptive anomaly detection and mitigation, with federated and hybrid approaches enhancing scalability and privacy. The effectiveness of solutions is also moulded by ecosystem-level factors, including SDN controllers, cryptographic design choices, consensus protocols, and edge computing environments. Despite these developments, limitations persist. Most studies relied on simulations or small-scale testbeds, leaving the scalability and interoperability of proposed solutions in heterogeneous, real-world deployments largely unverified. This study found that challenges such as resource overhead, dataset dependency, limited adversarial resilience, and the explainability of ML-driven decisions remain unresolved.
Future research should focus on real-world SDN-IoT/IIoT deployments. Important directions include testing federated-BC for ≥ 90% accuracy under non-IID traffic, developing lightweight, energy-efficient consensus mechanisms, and measuring latency, energy, and trust devices without degrading or compromising trust. In addition, models combining adaptive, privacy-preserving ML/DL with accuracy and adversarial resilience metrics should be designed, as well as implementing cross-layer, adversarial-resilient frameworks to evaluate throughput and latency, and adopting interoperability standards with explainable security mechanisms to assess transparency and compliance. These verifiable hypotheses provide concrete pathways for translating current simulation-based findings into practical and trustworthy SDN-IoT security deployments.

Author Contributions

Conceptualisation, B.I. and R.M.; methodology, B.I. and R.M.; validation, B.I. and R.M.; investigation, B.I.; resources, R.M.; writing—original draft preparation, R.M.; writing—review and editing, B.I.; supervision, B.I.; project administration, B.I. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Acknowledgments

This work was supported by the Department of Computer Science and the Unit for Data Science and Computing at the North-West University, Mafikeng campus, South Africa.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Dwivedi, S.; Goyal, N.K. Addressing reliability and security for industrial Internet of Things systems: Layered approach using software defined network. Int. J. Syst. Assur. Eng. Manag. 2025, 16, 3597–3613.
  2. Gomez, D.L.; Montoya, G.A.; Lozano-Garzon, C.; Donoso, Y. Strategies for assuring low latency, scalability, and interoperability in edge computing and TSN networks for critical IIoT services. IEEE Access 2023, 11, 42546–42577.
  3. Rahman, A.; Islam, M.J.; Khan, M.S.I.; Kabir, S.; Pritom, A.I.; Karim, M.R. Block-sdotcloud: Enhancing security of cloud storage through blockchain-based SDN in IoT network. In Proceedings of the 2020 2nd International Conference on Sustainable Technologies for Industry 4.0 (STI), Dhaka, Bangladesh, 19–20 December 2020; IEEE: New York, NY, USA, 2020; pp. 1–6.
  4. Jmal, R.; Ghabri, W.; Guesmi, R.; Alshammari, B.M.; Alshammari, A.S.; Alsaif, H. Distributed blockchain-SDN secure IoT system based on ANN to mitigate DDoS attacks. Appl. Sci. 2023, 13, 4953.
  5. Dildar, M.S.; Khan, A.S.; Abbasi, I.A.; Shaheen, R.; Al Ruqaishi, K.; Ahmed, S. End-to-end security mechanism using Blockchain for Industrial Internet of Things. IEEE Access 2025, 13, 20584–20598.
  6. Hsu, M.-H.; Liu, C.-C. A Decentralized Framework for the Detection and Prevention of Distributed Denial of Service Attacks Using Federated Learning and Blockchain Technology. Eng. Proc. 2025, 92, 48.
  7. Alhasawi, Y.; Alghamdi, S. Federated learning for decentralized DDoS attack detection in IoT networks. IEEE Access 2024, 12, 42357–42368.
  8. Fan, W.; Chang, S.-Y.; Kumar, S.; Zhou, X.; Park, Y. Blockchain-based secure coordination for distributed SDN control plane. In Proceedings of the 2021 IEEE 7th International Conference on Network Softwarization (NetSoft), Tokyo, Japan, 28 June–2 July 2021; IEEE: New York, NY, USA, 2021; pp. 253–257.
  9. Rahouti, M.; Drid, H.; Hamouid, K.; Massmi, K.; Mehenna, S.E. Brave-sdn: Blockchain-reliant authentication for versatile east–west bound in distributed SDNS. Int. J. Inf. Secur. 2025, 24, 51.
  10. Chattaraj, D.; Bera, B.; Das, A.K.; Rodrigues, J.J.; Park, Y. Designing fine-grained access control for software-defined networks using private blockchain. IEEE Internet Things J. 2021, 9, 1542–1559.
  11. Zainal, Z.; Abdullah, A.; Hakim, F.; Abdullah, M.D.H. SBAC-SDN: A Scalable Blockchain-based Access Control in Northbound Interface for Multi-Controller SDN with Load Balancing Mechanism. Environments 2026, 55, 24–43.
  12. Maheshwari, A.; Mehraj, B.; Khan, M.S.; Idrisi, M.S. An optimized weighted voting based ensemble model for DDoS attack detection and mitigation in SDN environment. Microprocess. Microsyst. 2022, 89, 104412.
  13. Alkhamisi, A.; Katib, I.; Buhari, S.M. Blockchain-assisted hybrid deep learning-based secure mechanism for software defined networks. In Proceedings of the 2023 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA, 6–8 January 2023; IEEE: New York, NY, USA, 2023; pp. 1–8.
  14. Kovacs, R.; Buzura, S.; Iancu, B.; Dadarlat, V.; Peculea, A.; Cebuc, E. Practical implementation of a blockchain-enabled SDN for large-scale infrastructure networks. Appl. Sci. 2024, 14, 1914.
  15. Benoudifa, O.; Ait Wakrime, A.; Benaini, R. Securing SDN controller placement with MuZero and blockchain-based smart contracts. J. King Saud Univ. Comput. Inf. Sci. 2025, 37, 105.
  16. Islam, M.J.; Rahman, A.; Kabir, S.; Karim, M.R.; Acharjee, U.K.; Nasir, M.K.; Band, S.S.; Sookhak, M.; Wu, S. Blockchain-SDN-based energy-aware and distributed secure architecture for IoT in smart cities. IEEE Internet Things J. 2021, 9, 3850–3864.
  17. Faizullah, S.; Khan, M.A.; Alzahrani, A.; Khan, I. Permissioned blockchain-based security for SDN in IoT cloud networks. In Proceedings of the 2019 International Conference on Advances in the Emerging Computing Technologies (AECT), Al Madinah Al Munawwarah, Saudi Arabia, 10 February 2020; IEEE: New York, NY, USA, 2020; pp. 1–6.
  18. Zhao, Y.; Li, Y.; Zhang, X.; Geng, G.; Zhang, W.; Sun, Y. A survey of networking applications applying the software defined networking concept based on machine learning. IEEE Access 2019, 7, 95397–95417.
  19. Al Sukhni, B.; Dave, J.M.; Manna, S.K.; Zhang, L. Investigating the security issues of multi-layer IoT attacks using machine learning techniques. In Proceedings of the 2022 Human-Centered Cognitive Systems (HCCS), Shanghai, China, 17–18 December 2022; IEEE: New York, NY, USA, 2022; pp. 1–9.
  20. Rahdari, A.; Jalili, A.; Esnaashari, M.; Gheisari, M.; Vorobeva, A.A.; Fang, Z.; Sun, P.; Korzhuk, V.M.; Popov, I.; Wu, Z. Security and Privacy Challenges in SDN-Enabled IoT Systems: Causes, Proposed Solutions, and Future Directions. Comput. Mater. Contin. 2024, 80, 2511–2533.
  21. Ali, T.E.; Chong, Y.-W.; Manickam, S. Machine learning techniques to detect a DDoS attack in SDN: A systematic review. Appl. Sci. 2023, 13, 3183.
  22. Bithi, M.; Hossain, M.A.; Ahmed, M.K.; Sultana, R.; Ahammad, I.; Islam, M.S. Enhanced DDoS detection in software defined networking using ensemble-based machine learning. In Proceedings of the 2024 6th International Conference on Electrical Engineering and Information & Communication Technology (ICEEICT), Dhaka, Bangladesh, 2–4 May 2024; IEEE: New York, NY, USA, 2024; pp. 1032–1037.
  23. Alashhab, A.A.; Zahid, M.S.; Isyaku, B.; Elnour, A.A.; Nagmeldin, W.; Abdelmaboud, A.; Abdullah, T.A.A.; Maiwada, U.D. Enhancing DDoS attack detection and mitigation in SDN using an ensemble online machine learning model. IEEE Access 2024, 12, 51630–51649.
  24. Mahmud, S.A.; Islam, N.; Islam, Z.; Rahman, Z.; Mehedi, S.T. Privacy-Preserving Federated Learning-Based Intrusion Detection Technique for Cyber-Physical Systems. Mathematics 2024, 12, 3194.
  25. Alotaibi, J. A hybrid software-defined networking approach for enhancing IoT cybersecurity with deep learning and blockchain in smart cities. Peer-Peer Netw. Appl. 2025, 18, 123.
  26. Guo, X.; Lin, H.; Li, Z.; Peng, M. Deep-Reinforcement-Learning-Based QoS-Aware Secure Routing for SDN-IoT. IEEE Internet Things J. 2020, 7, 6242–6251.
  27. Sinha, M.; Bera, P.; Satpathy, M.; Sahoo, K.S.; Rodrigues, J.J. DDoSBlocker: Enhancing SDN security with time-based address mapping and AI-driven approach. Comput. Netw. 2025, 259, 111078.
  28. Ababio, I.B.; Bieniek, J.; Rahouti, M.; Hayajneh, T.; Aledhari, M.; Verma, D.C.; Chehri, A. A Blockchain-Assisted federated learning framework for secure and Self-Optimizing digital twins in industrial IoT. Future Internet 2025, 17, 13.
  29. Yazdinejad, A.; Parizi, R.M.; Dehghantanha, A.; Zhang, Q.; Choo, K.K.R. An Energy-Efficient SDN Controller Architecture for IoT Networks With Blockchain-Based Security. IEEE Trans. Serv. Comput. 2020, 13, 625–638.
  30. Kühl, N.; Schemmer, M.; Goutier, M.; Satzger, G. Artificial intelligence and machine learning. Electron. Mark. 2022, 32, 2235–2244.
  31. Sarker, I.H. Machine learning: Algorithms, real-world applications and research directions. SN Comput. Sci. 2021, 2, 160.
  32. Sharifani, K.; Amini, M. Machine learning and deep learning: A review of methods and applications. World Inf. Technol. Eng. J. 2023, 10, 3897–3904.
  33. Taye, M.M. Understanding of machine learning with deep learning: Architectures, workflow, applications and future directions. Computers 2023, 12, 91.
  34. Zhang, C.; Xie, Y.; Bai, H.; Yu, B.; Li, W.; Gao, Y. A survey on federated learning. Knowl. Based Syst. 2021, 216, 106775.
  35. Nguyen, D.C.; Ding, M.; Pathirana, P.N.; Seneviratne, A.; Li, J.; Poor, H.V. Federated learning for internet of things: A comprehensive survey. IEEE Commun. Surv. Tutor. 2021, 23, 1622–1658.
  36. Rahman, A.; Khan, M.S.I.; Montieri, A.; Islam, M.J.; Karim, M.R.; Hasan, M.; Kundu, D.; Nasir, M.K.; Pescapè, A. BlockSD-5GNet: Enhancing security of 5G network through blockchain-SDN with ML-based bandwidth prediction. Trans. Emerg. Telecommun. Technol. 2024, 35, e4965.
  37. Mustafa, R.; Sarkar, N.I.; Mohaghegh, M.; Pervez, S. A cross-layer secure and energy-efficient framework for the internet of things: A comprehensive survey. Sensors 2024, 24, 7209.
  38. Jahangeer, A.; Bazai, S.U.; Aslam, S.; Marjan, S.; Anas, M.; Hashemi, S.H. A Review on the Security of IoT Networks: From Network Layer’s Perspective. IEEE Access 2023, 11, 71073–71087.
  39. Mliki, H.; Kaceam, A.H.; Chaari, L. A Comprehensive Survey on Intrusion Detection based Machine Learning for IoT Networks. EAI Endorsed Trans. Secur. Saf. 2021, 8, e3.
  40. Attkan, A.; Ranga, V. Cyber-physical security for IoT networks: A comprehensive review on traditional, blockchain and artificial intelligence based key-security. Complex Intell. Syst. 2022, 8, 3559–3591.
  41. Almarri, S.; Aljughaiman, A. Blockchain technology for IoT security and trust: A comprehensive SLR. Sustainability 2024, 16, 10177.
  42. Kumari, N.S.; Vimala, H.; Pruthvi, C.; Shreyas, J. Holistic survey on security in IoT application layer: Attacks, protocols, and applications. IEEE Access 2024, 12, 186957–187014.
  43. Ghourab, E.M.; Jaafar, W.; Bariah, L.; Muhaidat, S.; Yanikomeroglu, H. Interplay between physical layer security and blockchain technology for 5G and beyond: A comprehensive survey. Authorea Prepr. 2023.
  44. Wijesekara, D.S.N.; Arachchige, P. Intrusion Detection Using Blockchain in Software-Defined Networking: A Literature Review. J. Eng. Sci. Technol. Rev. 2025, 18, 57–79.
  45. Alfahaid, A.; Alalwany, E.; Almars, A.M.; Alharbi, F.; Atlam, E.; Mahgoub, I. Machine Learning-Based Security Solutions for IoT Networks: A Comprehensive Survey. Sensors 2025, 25, 3341.
  46. Mishra, S.R.; Shanmugam, B.; Yeo, K.C.; Thennadil, S. SDN-Enabled IoT Security Frameworks—A Review of Existing Challenges. Technologies 2025, 13, 121.
  47. Navaneethakrishnan, P.; Peter, S.E. Securing IoT-SDN Models: A Comprehensive Review of Deep Learning Approaches and Challenges. In Proceedings of the 2024 5th International Conference on Electronics and Sustainable Communication Systems (ICESC), Coimbatore, India, 7–9 August 2024; IEEE: New York, NY, USA, 2024; pp. 307–315.
  48. Nasereddin, M.; Gelenbe, E. A Survey of the Security of IoT Network Layers. Authorea Prepr 2025.
  49. Sarkis-Onofre, R.; Catalá-López, F.; Aromataris, E.; Lockwood, C. How to properly use the PRISMA Statement. Syst. Rev. 2021, 10, 117.
  50. Ghamdi, M.A.A. An Optimized and Secure Energy-Efficient Blockchain-Based Framework in IoT. IEEE Access 2022, 10, 133682–133697.
  51. Rahman, A.; Islam, M.J.; Rahman, Z.; Reza, M.M.; Anwar, A.; Mahmud, M.A.P.; Nasir, M.K.; Noor, R.M. DistB-Condo: Distributed Blockchain-Based IoT-SDN Model for Smart Condominium. IEEE Access 2020, 8, 209594–209609.
  52. Rahman, A.; Nasir, M.K.; Rahman, Z.; Mosavi, A.; Shahab, S.; Minaei-Bidgoli, B. DistBlockBuilding: A Distributed Blockchain-Based SDN-IoT Network for Smart Building Management. IEEE Access 2020, 8, 140008–140018.
  53. Rahman, A.; Islam, M.J.; Band, S.S.; Muhammad, G.; Hasan, K.; Tiwari, P. Towards a blockchain-SDN-based secure architecture for cloud computing in smart industrial IoT. Digit. Commun. Netw. 2023, 9, 411–421.
  54. Rahman, A.; Islam, M.J.; Montieri, A.; Nasir, M.K.; Reza, M.M.; Band, S.S.; Pescape, A.; Hasan, M.; Sookhak, M.; Mosavi, A. Smartblock-sdn: An optimized blockchain-sdn framework for resource management in IOT. IEEE Access 2021, 9, 28361–28376.
  55. Hnamte, V.; Najar, A.A.; Nhung-Nguyen, H.; Hussain, J.; Sugali, M.N. DDoS attack detection and mitigation using deep neural network in SDN environment. Comput. Secur. 2024, 138, 103661.
  56. Hirsi, A.; Audah, L.; Salh, A.; Alhartomi, M.A.; Ahmed, S. Enhancing SDN security using ensemble-based machine learning approach for DDoS attack detection. Indones. J. Electr. Eng. Comput. Sci. 2025, 38, 1073–1085.
  57. Kaur, S.; Kumar, K.; Aggarwal, N. Enhancing DDoS defense in SDN using hierarchical machine learning models. J. Netw. Comput. Appl. 2025, 239, 104168.
  58. Lai, J. Machine Learning-Based Network Detection Research for SDNs. In Proceedings of the ITM Web of Conferences, Enugu, Nigeria, 4–5 December 2025; EDP Sciences: Les Ulis, France, 2025; p. 01015.
  59. Yousuf, O.; Mir, R.N. DDoS attack detection in Internet of Things using recurrent neural network. Comput. Electr. Eng. 2022, 101, 108034.
  60. Oyucu, S.; Polat, O.; Türkoğlu, M.; Polat, H.; Aksöz, A.; Ağdaş, M.T. Ensemble learning framework for DDoS detection in SDN-based SCADA systems. Sensors 2023, 24, 155.
  61. Bhayo, J.; Shah, S.A.; Hameed, S.; Ahmed, A.; Nasir, J.; Draheim, D. Towards a machine learning-based framework for DDoS attack detection in software-defined IoT (SD-IoT) networks. Eng. Appl. Artif. Intell. 2023, 123, 106432.
  62. Kavitha, D.; Ramalakshmi, R. Machine learning-based DDoS Attack Detection and Mitigation in SDNs for IoT environments. J. Frankl. Inst. 2024, 361, 107197.
  63. Ali, M.N.; Imran, M.; Din, M.S.U.; Kim, B.-S. Low rate DDoS detection using weighted federated learning in SDN control plane in IoT network. Appl. Sci. 2023, 13, 1431.
  64. Alashhab, A.; Zahid, M.S.; Muneer, A.; Abdullahi, M. Low-rate DDoS attack detection using deep learning for SDN-enabled IoT networks. Authorea Prepr. 2022, 13, 11.
  65. Alashhab, A.A.; Zahid, M.S.M.; Abdullahi, M.; Rahman, M.S. Real-time detection of low-rate DDoS attacks in SDN-based networks using online machine learning model. In Proceedings of the 2023 7th Cyber Security in Networking Conference (CSNet), Montreal, QC, Canada, 16–18 October 2023; IEEE: New York, NY, USA, 2023; pp. 95–101.
  66. Babbar, H.; Rani, S. FRHIDS: Federated Learning Recommender Hybrid Intrusion Detection System Model in Software-Defined Networking for Consumer Devices. IEEE Trans. Consum. Electron. 2024, 70, 2492–2499.
  67. Uddin, R.; Kumar, S.A.P. SDN-Based Federated Learning Approach for Satellite-IoT Framework to Enhance Data Security and Privacy in Space Communication. IEEE J. Radio Freq. Identif. 2023, 7, 424–440.
  68. Alshdadi, A.A.; Almazroi, A.A.; Ayub, N.; Lytras, M.D.; Alsolami, E.; Alsubaei, F.S.; Alharbey, R. Federated Deep Learning for Scalable and Privacy-Preserving Distributed Denial-of-Service Attack Detection in Internet of Things Networks. Future Internet 2025, 17, 88.
  69. Zhu, B.; Niu, L. A privacy-preserving federated learning scheme with homomorphic encryption and edge computing. Alex. Eng. J. 2025, 118, 11–20.
  70. Qiu, H.; Dong, T.; Zhang, T.; Lu, J.; Memmi, G.; Qiu, M. Adversarial attacks against network intrusion detection in IoT systems. IEEE Internet Things J. 2020, 8, 10327–10335.
  71. Janivasya, R.P.; Rachmawati, I.D.A. DDoS Detection using Machine Learning Approach. Procedia Comput. Sci. 2024, 245, 1157–1164.
  72. Otoum, Y.; Liu, D.; Nayak, A. DL-IDS: A deep learning–based intrusion detection framework for securing IoT. Trans. Emerg. Telecommun. Technol. 2022, 33, e3803.
  73. Alduailij, M.; Khan, Q.W.; Tahir, M.; Sardaraz, M.; Alduailij, M.; Malik, F. Machine-learning-based DDoS attack detection using mutual information and random forest feature importance method. Symmetry 2022, 14, 1095.
  74. Siddharthan, H.; Deepa, T.; Chandhar, P. SENMQTT-SET: An intelligent intrusion detection in IoT-MQTT networks using ensemble multi cascade features. IEEE Access 2022, 10, 33095–33110.
  75. Papadopoulos, P.; Thornewill von Essen, O.; Pitropakis, N.; Chrysoulas, C.; Mylonas, A.; Buchanan, W.J. Launching adversarial attacks against network intrusion detection systems for IoT. J. Cybersecur. Priv. 2021, 1, 252–273.
  76. Saveetha, D.; Maragatham, G.; Ponnusamy, V.; Zdravković, N. An integrated federated machine learning and blockchain framework with optimal miner selection for reliable DDoS attack detection. IEEE Access 2024, 12, 127903–127915.
  77. Abdullah, M.; Mengash, H.A.; Maray, M.; Alrslani, F.A.; Alkhudhayr, H.; Alghanmi, N.A.; Subahi, A.; Majdoubi, J. Federated learning with Blockchain on Denial-of-Service attacks detection and classification of edge IIoT networks using Deep Transfer Learning model. Comput. Electr. Eng. 2025, 124, 110319.
  78. Arazzi, M.; Nicolazzo, S.; Nocera, A. A fully privacy-preserving solution for anomaly detection in IoT using federated learning and homomorphic encryption. Inf. Syst. Front. 2025, 27, 367–390.
  79. Manh, B.D.; Nguyen, C.-H.; Hoang, D.T.; Nguyen, D.N.; Zeng, M.; Pham, Q.-V. Privacy-Preserving cyberattack detection in Blockchain-Based IoT systems using AI and homomorphic encryption. IEEE Internet Things J. 2025, 12, 16478–16492.
  80. Pawar, P.P.; Kumar, D.; Ananthan, B.; Pradeepa, A.S.; Selvi, A.S. An efficient DDoS attack detection using attention based hybrid model in blockchain based SDN-IOT. In Proceedings of the 2024 3rd International Conference on Artificial Intelligence for Internet of Things (AIIoT), Vellore, India, 3–4 May 2024; IEEE: New York, NY, USA, 2024; pp. 1–5.
  81. Abdulqadder, I.H.; Zou, D.; Aziz, I.T. The DAG blockchain: A secure edge assisted honeypot for attack detection and multi-controller based load balancing in SDN 5G. Future Gener. Comput. Syst. 2023, 141, 339–354.
  82. Hu, J.; Reed, M.; Thomos, N.; Ai-Naday, M.F.; Yang, K. Securing SDN-Controlled IoT Networks Through Edge Blockchain. IEEE Internet Things J. 2021, 8, 2102–2115.
  83. Prasad, V.; Bavirthi, S.S.; Anupama, C.; Laxmi Lydia, E.; Kumar, K.S.; Ammar, K.; Ishak, M.K. Blockchain enhanced distributed denial of service detection in IoT using deep learning and evolutionary computation. Sci. Rep. 2025, 15, 22537.
Figure 1. Typical SDN-IoT-BC-ML architecture [28].
Figure 2. Study selection workflow.
Figure 3. Layer coverage across studies.
Figure 4. Normalised performance metrics across attacks.
Figure 5. Metric-by-metric performance metrics across attacks.
Table 1. Summary of related studies.

| Study | Layers Covered | Consensus/Trust | BC Type | SDN Controller | ML Methods | Evaluation Metrics/Insights | Evaluation Methods |
|---|---|---|---|---|---|---|---|
| [18] | | | | | | Resource and security | Review |
| [19] | Multi | | | | | Multi-layer detection | Review |
| [20] | Multi | | | | | Plane-specific gaps | Review |
| [21] | | | | | | Accuracy | Review |
| [37] | | | | | ✓ (AI IDS) | Security and energy focus | Review |
| [38] | Network | | | | | Routing attacks | Review |
| [39] | | | | | | IDS performance | Review |
| [40] | Multi | | | | | Key management | Review |
| [41] | Multi | | | | | Trust and integrity | Review |
| [42] | Application | | | | | Threat and protocol analysis | Review |
| [43] | Multi | | | | | Cross-layer security | Review |
| [44] | | | | | | IDS security | Review |
| [45] | Multi | | | | ✓ (DL, EL, TL, FL) | ML trends | Review |
| [46] | Multi | | | | | Dataset critique | Review |
| [47] | Multi | | | | ✓ (DL) | High accuracy | Review |
| [48] | | | | | | Attack classification | Review |
| This Study | Multi | | | | | BC and ML-based security and privacy preservation for SDN/IoT/SDN-IoT | Survey |

✓ = addressed, ✗ = not addressed.
Table 2. Summary of BC-SDN security frameworks.
Table 2. Summary of BC-SDN security frameworks.
| Study | Layers Covered | Consensus/Trust Mechanism | BC Type | SDN Controller | Evaluation Metrics | Performance | Evaluation Method |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [8] | All Layers, Cross-Layer | PBFT; resilient to n compromised controllers | Permissioned Ethereum | Ryu | Certificate/key distribution overhead | Intra-domain latency: 0.05 s; Inter-domain latency: 225 ms; CPU: 4–5%; RAM: ~63 MB | Prototype implementation, experimental measurement |
| [9] | All Layers | Private Ethereum; replay and MITM protection | Private Ethereum |  | Communication and computation overhead | Overhead not quantified; AVISPA confirms protocol resistance | Formal security analysis, protocol simulations |
| [10] | All Layers | PBFT; resilient to MITM, replay, and insider attacks | Private BC |  | Computation and communication cost | Switch delay: 7.064 + 0.021n ms; Controller delay: 1.735 + 0.006n ms | Testbed deployment, formal analysis |
| [11] | All Layers | Smart contract–based trust index caching | Hyperledger Fabric | Ryu | Response time, throughput, error rate | CPU ≤ 60.3%; Memory < 8 GB | Simulation (Mininet + Ryu) |
| [14] | All Layers | Permissioned BC; cross-layer trust | Permissioned BC | POX | Packet exchange, TCP handshake duration | TCP packet: 117 bytes; UDP packet: 573 bytes | Proof-of-concept, Mininet emulation |
| [29] | All Layers, Cross-Layer | Dual BC, cluster-head selection, smart contracts | Hybrid: Private & Public Ethereum | ODL | Throughput, delay, packet loss, energy consumption | Higher throughput; lower delay; ~23–50% energy reduction | Mininet-WiFi simulation, queueing model, comparative experiments |
| [50] | All Layers, Cross-Layer | Dual BC; controller-based authentication | Ethereum (PoS) | ODL | Throughput, response time, packet loss, energy consumption | ~23% packet-loss reduction; ~50% energy savings | Emulation/testbed, comparative experiments |
| [51] | All Layers, Cross-Layer | Distributed ledger with consensus; CHS | Ethereum | ODL | Throughput, bandwidth resilience | ~5% lower response time; CPU-efficient | Simulation with IoT sensors and SDN gateways |
| [52] | All Layers, Cross-Layer | Distributed BC ledger, smart contracts, cluster-head selection | Ethereum | Multiple | Throughput, RTT, energy efficiency | Higher sustained throughput; improved energy efficiency | Simulation (Mininet/Mininet-WiFi) |
All layers = Device/Identity, Control, Data/Network, Application/Policy, ODL = OpenDaylight.
Table 3. Summary of BC-SDN-IoT security frameworks.
| Study | Layers Covered | Consensus/Trust | BC Type | SDN Controller | Evaluation Metrics | Energy/Network Performance | Evaluation Method |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [3] | All Layers, Cross-Layer | Distributed BC; SDN centralised load balancing | Ethereum | OpenFlow | Throughput, response time, CPU utilisation, file transfer | Higher throughput; stable CPU, faster file transfers | Simulation; DDoS flooding scenario; Wireshark |
| [5] | All Layers, Cross-Layer | Hybrid BC, DPoS; trust scores per device | Public + Private |  | Latency, throughput, energy reduction, interoperability | Latency ~5 s (2.8 s with DPoS); 100 TPS; ~30% energy reduction | Simulation with Ethereum/Hyperledger; protocol interoperability tests |
| [16] | All Layers, Cross-Layer | Ethereum BC; CHS algorithm; NFV-based trust | Ethereum | - | Throughput, response time, gas consumption | Higher throughput; linear gas, stable CPU | Mininet-WiFi simulation; smart contracts |
| [17] | All Layers, Cross-Layer | Permissioned BC; consensus for updates and load verification | Permissioned | OpenFlow | Flow update time, bandwidth, DDoS resilience | Stable bandwidth 2.1 Gb/s; improved DDoS resilience | Experimental evaluation: 15-server cluster, 10 controllers, 990 nodes |
| [53] | All Layers, Cross-Layer | BC access control and immutable block validation | Ethereum | OpenFlow | Throughput, response time, bandwidth, latency | Higher throughput; lower response time; stable bandwidth | Simulation and emulation; Mininet/Mininet-WiFi/OpenStack; Wireshark |
| [54] | All Layers, Cross-Layer | BC consensus: rogue switch isolation, attack detection | Ethereum | Ryu | Energy consumption, throughput, end-to-end delay | 50% lower energy at controllers; higher throughput than baseline | Mininet-WiFi simulation; RESTful application; Wireshark packet analysis |
All layers = Device/Identity, Control, Data/Network, Application/Policy.
Table 4. Summary of ML-SDN-IoT security frameworks.
| Study ID | Layers Covered | Consensus/Trust | ML Methods | SDN Controller | Evaluation Metrics | Performance Insight | Evaluation Method |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [12] | All layers | Weighted ensemble, BHO optimiser | Ensemble ML: SVM, RF, GBM; BHO hybrid optimisation | POX | Accuracy, FPR, FAR | Accuracy 99.42% (CIC-DDoS2019), FAR 0.50% | Benchmark datasets, comparison with base classifiers |
| [22] | All layers | XAI interpretability; feature importance | Ensemble RF with RFE; SHAP, Lime | - | Accuracy, precision, recall, F1, AUC, FPR | Accuracy, precision, recall, F1, AUC = 1.0; FPR 0 | 5-fold cross-validation; comparative studies |
| [27] | All layers | Time-based host authentication; dynamic ML-triggering | RF | Floodlight | Accuracy, FPR, detection/mitigation time, CPU usage | Accuracy 99.71%, FPR 0.51%; detection 3 s, mitigation 0.5 s; CPU reduced 12–30% | Mininet; custom and Geant topologies |
| [55] | All layers | Centralised SDN control; threshold-based classification | DNN (four hidden layers, 128–256 neurons), Adam optimiser, dropout | Ryu (2 controllers) | Accuracy, FPR, detection/inference time | Accuracy 99.98–100%, FPR 0.003%, inference 3.37–117.09 s | Mininet; InSDN, CICIDS2018, Kaggle DDoS |
| [56] | All layers | PCA-based feature selection | Ensemble RF with PCA | Ryu | Accuracy, precision, recall, F1 | Accuracy 100%; zero false positives; testing time 0.254 s | SDN-DDoS, CIC-DDoS2019 datasets |
| [57] | All layers | Hierarchical ML with adaptive retraining | AdaBoost, LR, Gaussian NB | Ryu | Accuracy, FPR/FNR, processing time | Overall, 95% accuracy; high-rate attacks 100%; 75% faster per instance | SDN-DAD dataset; simulation |
| [58] | All layers | ML-based anomaly detection; multi-algorithm ensemble | RF, DT, LR, XGBoost, LightGBM | SDN controller | Accuracy, precision, recall, F1, ROC/AUC | RF ROC AUC 1.00; high DoS detection | Simulated SDN; KDD Cup 99 dataset |
| [59] | All layers | Sequential SDN control; RNN detection | RNN (Tanh2) with DALCNN | ODL | ACC, TPR, FPR, precision, recall, F1, ROC | ACC 99.98%, TPR 0.999, FPR 0.01; throughput 140,000 resp/s; latency 11 ms | Mininet; NSL-KDD, Wireshark live capture |
| [60] | All layers | Ensemble detection with hyperparameter optimisation | Decision Tree ensemble: Boosting, Bagging, RUSBoost | POX with OML | Accuracy, Sensitivity, Specificity | Peak accuracy 95.17%; sensitivity 97.3%; specificity 94.8% | 10-fold cross-validation; SCADA dataset |
All layers = Device/Identity, Control, Data/Network, Application/Policy, ODL = OpenDaylight.
Table 5. Summary of ML-SDN-IoT security frameworks.
| Study ID | Layers Covered | Consensus/Trust | ML Methods | SDN Controller | Evaluation Metrics | Performance Insight | Evaluation Method |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [23] | All layers | Ensemble online ML; drift detection | BernoulliNB, Passive-Aggressive, SGD, MLP | Ryu with OML IDS/IPS | Detection rate, F1, FAR, response time, CPU | Detection 99.2%, F1 0.9817, FAR 0.025; 5 s response; CPU 28% | Mininet, 80-host simulation; benchmark datasets |
| [26] | All layers | DRL-based adaptive routing (DDPG) | Deep RL (DDPG) | - | Packet delivery ratio, end-to-end delay | ≥10% higher PDR under grey hole and DDoS; lower delay; stable convergence | Simulated SDN-IoT; TensorFlow DRL training |
| [61] | All layers | Supervised DDoS detection module | DT, Naïve Bayes, SVM | SDN-WISE IoT controller | Accuracy, CPU/memory, throughput | DT 98.1%, NB 97.4%, SVM 96.1%; 30% CPU/mem; 48 pkt/s | Simulation; dataset preprocessing |
| [62] | All layers | Distributed detection and mitigation | ID3, LR, KNN, MLP | Multi-controller SDN | Accuracy, execution time, CPU utilisation | ID3 99.99%, KNN 99.98%, MLP 99.95%, LR 99.94%; improved CPU | Custom dataset; train–test split; single-/multi-controller comparison |
| [63] | All layers | Weighted Federated Learning for LR-DDoS | ANN (LM, BR, SCG) | SDN controller aggregating weighted updates | Accuracy, Sensitivity, Specificity, F1, FPR, FNR | Accuracy 98.85%; FPR 2.2%, FNR 1.8%; F1 94.2% | CAIDA dataset; MATLAB v22 simulation; federated aggregation |
| [64] | All layers | LSTM-based IDS | RNN-LSTM, Adam optimiser | - | Accuracy, Precision, Recall, F1 | Accuracy 98.88%, precision 0.9746, recall 0.9657, F1 0.9691 | Edge-IIoTset; 70/30 train–test split |
| [65] | All layers | Passive-Aggressive online learning | PA classifier | Ryu | Detection rate, precision, recall, F1, Loss | Detection 99.7%, precision 0.9795, recall 0.9923, F1 0.9891; Loss 0.174 | Mininet; train–test split; limited attacks |
| [66] | All layers | Federated CNN-LSTM IDS | Federated learning; CNN-LSTM | - | Accuracy, recall, F1 | Accuracy 99.8%, recall 84%, F1 78.7%; +12% over baseline | UNSW-NB15; simulation; feature extraction and secure aggregation |
| [67] | All layers | FL with supervised ML classifiers | RF, DT, SVM; FL aggregation | - | Accuracy, precision, recall, F1 | RF: 99.66% (SDN), 90.33% (SAT20); FL: 79.47%; preserves privacy | SDN and SAT20 simulation; traffic generation and classification |
All layers = Device/Identity, Control, Data/Network, Application/Policy, ODL = OpenDaylight.
Table 6. Summary of ML-IoT security frameworks.
| Study | Layers Covered | Consensus/Trust | ML Methods/Contribution | SDN Controller/FL Server | Evaluation Metrics | Performance Insight | Evaluation Method |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [7] | All Layers | Federated Averaging for secure aggregation | CNN-based DDoS detection; iterative model aggregation | FL server | Accuracy, precision, recall, F1-score, FPR, FNR | Accuracy, precision, recall, F1 ≥ 98%; FPR 0.009, FNR 0.007; scalable to 100 nodes; communication reduced 10.5→7.9 MB | CICIDS2017 dataset; 10–100 simulated IoT nodes; TensorFlow Federated |
| [68] | All Layers | FL for privacy; gradient aggregation prevents leakage | ResVGG-SwinNet hybrid DL for multi-label DDoS detection; mitigation via ACLs, load balancing, sinkholing | FL server coordinating model updates | Accuracy, FAR, AUC, F1-score, MSI, OES | Accuracy 99.0%; FAR 2.5%; AUC 99.3%; F1 98.5%; MSI 97.5%; OES 93%; 30 communication rounds | CIC-DDoS2019, UNSW-NB15, IoT23 datasets; nine simulated clients |
| [69] | Device/Identity, Control, Data/Network | Key Generation Centre; trust chain for logging | FL on encrypted model updates; Paillier HE | Edge + central aggregation platform | Accuracy, convergence time, encryption overhead | Accuracy comparable to FedAvg; minimal convergence impact; time overhead increases with key size and participants | MNIST dataset; encrypted aggregation evaluation |
| [70] | Device/Identity, Control, Data/Network | Model extraction, saliency maps for feature selection | DL autoencoders (Kitsune ensemble) for anomaly detection | DL-based NIDS | Detection evasion rate, FP, FN | AE attacks: 94.31% evasion; triggers FP; practical for real-time IoT | Mirai botnet, video streaming datasets; RMSE, attack timing |
| [71] | Device/Identity, Control, Data/Network | Feature selection via chi-square | RF, DT, KNN, LR, SVM, LSTM, MLP, GRU | ML-based detection systems | Accuracy, precision, recall, F1 | RF 97.68%; DT ~96%; LSTM/MLP/GRU ~96%; KNN 95%; LR/SVM 92–93% | UNSW-NB15 dataset; train/test split; multiple ML evaluation |
All layers = Device/Identity, Control, Data/Network, Application/Policy, ODL = OpenDaylight.
Table 7. Summary of ML-IoT security frameworks.
| Study | Layers Covered | Consensus/Trust | ML Methods/Contribution | SDN Controller/FL Server | Evaluation Metrics | Performance Insight | Evaluation Method |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [24] | All Layers | Federated Averaging (FedAvg) + SSL encryption | LeNet, FCN, DNN, LSTM, GRU for IDS; privacy-preserving global aggregation | Cloud server + local clients | Accuracy, precision, recall, F1-score, Loss | LeNet 91.68% ACC; F1 87.78%; low computational overhead; concept-drift resilient; FCN also high performance | ToN-IoT dataset; seven heterogeneous sensors; server-client experiments; convergence/loss analysis |
| [72] | Device/Identity, Network, Application | IDS-based control | SMO + SDPN for hierarchical DL traffic classification | IDS-based control plane | Accuracy, precision, recall, F1-score, training time | Accuracy 99.02%; precision 99.38%; recall 98.91%; F1 99.14%; training time reduced 66.59% | NSL-KDD dataset; training/testing split |
| [73] | Cloud servers, virtualised IoT | Feature selection + ensemble learning | MI, RFFI, KNN, LR, RF, Gradient Boosting, Weighted Voting Ensemble | IDS monitoring | Accuracy, precision, recall, F1-score | RF accuracy 0.999977; WVE also effective; LR underperforms | CICIDS2017 and CICDDoS2019 datasets; evaluation metrics as above |
| [74] | Device/Identity | Ensemble multi-view cascade feature selection; Elite ML | Seven ML models evaluated; DT selected as Elite ML | MQTT broker + pub/sub control | Accuracy, F1, prediction time | DT > 99%; DoS attacks increased packet loss and latency; EML improved detection efficiency | 4 RPi + 2 NodeMcu publishers; 2 RPi + 1 NodeMcu subscribers; metrics: Accuracy, F1, prediction time |
| [75] | Device/Identity, Network, Application | Adversarial training and countermeasures | Label poisoning (SVM), FGSM (ANN) | NIDS-based control and monitoring | Accuracy, recall, misclassification rates | FGSM reduces ANN accuracy 99.8→92.7%; label poisoning moderately impacts SVM; DDoS/DoS misclassified | Bot-IoT dataset; binary/multi-class ANN, SVM; epsilon tuning |
All layers = Device/Identity, Control, Data/Network, Application/Policy, ODL: OpenDaylight.
Table 8. Summary of BC-ML-IoT security frameworks.
| Study | Layers Covered | BC/Consensus | ML Methods/Contribution | SDN Controller/FL Server | Evaluation Metrics | Performance Insight | Evaluation Method |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [28] | Device, Network, Application | Private/permissioned; smart contracts; Weighted FL | FL with weighted aggregation; XAI for interpretability | FL aggregator; BC validation | Accuracy, Training Loss, Latency | Accuracy 95%; Training loss 0.015; Latency 300 ms; scalable to 1000 edge devices | Simulation with CIFAR-10; two clients; 50 epochs |
| [76] | Device, Network | Consortium BC; reputation-based miner selection | Distributed FL: Random Forest, MLP, LR | Reputation-based miner selection | Accuracy, recall, F1-score | Random Forest 99.1%; MLP 95.1%; Logistic Regression 88.5% | IDS 2018, CIC-DDoS2019 datasets; confusion matrix analysis |
| [77] | Device, Network, Application | Private BC; SCSA-secure communication | FL, Deep TL; BWOA; Feature selection | FL coordination server | Accuracy, precision, recall, F1-score, AUC | Accuracy 95.11%; precision 87.73%; recall 87.77%; F1-score 87.72%; AUC 92.36% | Edge-Iao Cybersecurity dataset; 80/20 train–test split |
| [78] | Device, Network | Permissioned BC; Trust/Reputation model; HE | FL, GRU neural network; Secure Multi-party Computation | FL aggregator | Accuracy | Average accuracy 85%; secure delegation reduces performance by ~16.6%; aggregation times: PC 118 ms, Raspberry Pi 4 241 ms, ARM1176 755 ms | Multiple test sets; computational feasibility and security analysis |
| [79] | Device, Network, Application | PoA/PoS/PoW; HE; FedAvg aggregation | DNN on encrypted data; HE-compatible training; distributed model aggregation | BC nodes/FL aggregator | Accuracy, Training Time, Convergence | Detection accuracy ~91%; training time reduced 52.75 h → 21.64 h with five workers; HE feasible | BNAT dataset; real hardware testing (Intel Xeon BN) |
Table 9. Summary of BC-ML-SDN-IoT security frameworks.
| Study | Layers Covered | BC/Consensus | ML Methods | SDN Controller/FL Server | Evaluation Metrics | Performance Insight | Evaluation Method |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [4] | Device, Network | Private BC; consensus-based trust | ANN for real-time DDoS detection | Multiple distributed SDN controllers | Accuracy, precision, recall, F1-score | Perfect metrics (1.0); secure routing; optimal payload handling | Dataset-based ANN evaluation; simulated traffic testing |
| [6] | Device, Network, Application | BC for tamper-proof logging; FL aggregation | DNN, CNN, RNN, LSTM; Particle Swarm Optimisation | SDN controllers for dynamic traffic management | Accuracy, precision, recall, F1-score | High detection metrics, reduced bandwidth, and latency | Simulated DDoS traffic; CNN-LSTM compared with other DL models |
| [13] | Network | Hyperledger permissioned; RBFT | CNN-LSTM hybrid; weight dispersive regularisation | SDN controller with Dropout module | Accuracy, precision, recall, Specificity | Accuracy 92.89–98.02%; precision 95.42%; improved recall; mitigated overfitting | NSL-KDD dataset; comparison with DL-IDPS-SDN, baseline CNN/LSTM |
| [15] | Device, Control, Network, Application | Ethereum; smart contracts | MuZero RL for dynamic controller placement | ODL, dynamic placement | Accuracy, correct placement, hyperparameters | Correct secure placement; prevents DoS; hyperparameters: simulations 50, discount 0.997, training steps 10,000, batch 128 | Simulations: Mininet, DoS via hping3; smart contract verification |
| [36] | Device, Network | Ethereum, Hyperledger, BC ledger | Random Forest Regressor for bandwidth prediction | Five Floodlight SDN controllers; NFV integration | Bandwidth, throughput, node failure rate, R² | Throughput improved ~350 Mbps; node failure halved; R² = 0.8161 | Mininet-WiFi emulation; four gateways; six switches |
Table 11. Attacks, mitigation mechanisms, platforms, and performance.
| Attack/Threat | Mitigation/Defence Mechanisms | Technologies/Platforms | Reported Performance | References |
| --- | --- | --- | --- | --- |
| DDoS/Flooding | Multi-layer SDN firewall; hybrid ML/DL ensembles (CNN-LSTM, DNN, RNN-LSTM, ResVGG-SwinNet, SAE-DTL, Bi-LSTM-HBA, At-C-L); Federated/Online Learning; flow-rule verification; BC smart contracts | SDN controllers (Ryu, POX, ODL, Floodlight), Mininet/Mininet-WiFi/Fat-tree, IoT/IIoT devices, BC frameworks, datasets ¹ | Accuracy 95–100%, F1 0.965–1.0, Latency 0.45–0.5 s, CPU 22–33%, Throughput 158–663 Mbps | [3,4,8,9,10,11,12,14,15,16,25,50,55,62,64,66,67,71,73,74,80] |
| Low-Rate/Stealthy DDoS (LR-DDoS) | RNN-LSTM and hybrid DL; online ML/Passive-Aggressive; FL with weight aggregation; edge-based adaptive scheduling; reputation-based BC nodes | SDN controllers, Mininet, Edge-IIoTset, CICDDoS2019, IoT23, UNSW-NB15, Custom SDN datasets, BC-enabled IoT networks | Accuracy 98.88–99.7%, Precision 0.974–0.9795, Recall 0.965–0.9923, F1 0.969–0.989, Real-time detection | [6,7,63,64,65,68] |
| Control Plane Saturation/Flow Table Overflow | OWVE + hybrid metaheuristic; multi-controller SDN; MuZero RL controller placement; BC smart contracts | SDN controllers (POX, Ryu, ODL), Mininet, DDoS datasets, Ethereum BC | Accuracy 99.35–99.42%, False Alarm 0.5%, Adaptive, Tamper-proof controller placement | [12,15,55,62] |
| IoT/IIoT Attacks and Botnets | FL for distributed anomaly detection; hybrid DL (CNN-LSTM, DBN, ResVGG-SwinNet, GRU, SAE-DTL, Bi-LSTM-HBA, At-C-L); safe-device recommendations; multi-layer SDN and BC security | SDN-WISE, SDN-IoT, LEO satellites, LPWAN (LoRa, NB-IoT), IoT/IIoT devices, Mininet, Edge-IIoTset, BC-enabled SDN | Accuracy 79–99.8%, CPU 22–30%, Early isolation of malicious nodes, Improved throughput | [3,4,8,18,19,20,21,24,27,28,37,38,39,40,41,42,43,45,47,48,52,53,54,61,62,66,67,72,75,76,78,81,82,83] |
| Data Integrity/Privacy/Model Poisoning | FL with encrypted weights; BC for immutable records; recommender systems; HE and trust chain verification; secure delegation and aggregator reputation; DAG BC and BaaS agents | SDN controllers, IoT devices, Edge-IIoTset, Mininet, BC (Ethereum, private, DAG), Cloud AI | Accuracy 79–100%, privacy preserved, resilient to poisoning/slandering/whitewashing, reduced communication overhead | [3,4,6,7,16,24,25,28,53,63,66,67,68,69,75,77,78,79,80,82,83] |
| Cloud/Smart City IoT Vulnerabilities | Layered SDN + BC + NFV; CHS for energy efficiency; Smart contracts; load balancing; multi-layer security; FL-enhanced privacy | SDN controllers, Mininet-WiFi, Ethereum, OpenStack, Private BC, Cloud IoT, Flower FL framework | Improved throughput, stable CPU, reduced response time under load, supports decentralised multi-controller IoT. | [3,5,6,16,17,24,25,53,54] |
| CPS/Industrial IoT Security | FL + BC + HE; XAI for interpretability; weighted aggregation and secure delegation; FedAvg and privacy-preserving distributed learning; multi-layer security | IIoT devices, Edge nodes, Cloud AI, BC-enabled IoT networks | Accuracy 85–95%, low latency ~300 ms, scalable up to 1000 edge devices, maintains data integrity and privacy | [28,77,78,79] |
| 5G/SDN-IoT Network Vulnerabilities | SDN + NFV + BC + ML/DL; multi-plane SDN controllers; DAG or permissioned BC (PoET/RBFT/BaaS); RL (MuZero) for controller placement; Honey Badger/SAC/CapsNet load balancing; hybrid CNN-LSTM, Bi-LSTM, attention-CNN-LSTM | SDN controllers, Mininet, ODL, IoT/IIoT devices, 5G infrastructure, Ethereum, Hyperledger, Private/DAG BC, Edge computing, NFV-enabled switches, Honeypots | Accuracy 92–99%, reduced latency, improved throughput and bandwidth, resilient and scalable 5G/SDN-IoT deployments | [13,15,36,81,82] |
¹ Datasets used = CICDDoS2019, InSDN, IoT23, NSL-KDD, BoT-IoT, UNSW-NB15, CIFAR-10, BNAT, Edge-IIoTset, MNIST.
Table 12. SDN controllers/FL servers vs. layer coverage.
| Controller/FL Server | Layers Covered | Blockchain Integration | ML Methods ¹ | Observations |
| --- | --- | --- | --- | --- |
| Ryu | All Layers, Cross-Layer | Ethereum, Private, Hyperledger | DNN, RNN, CNN, Bi-LSTM, Attention-CNN-LSTM | Supports ensemble/DL studies; evaluated for accuracy, FPR, and detection time |
| POX/POX + OML | All Layers | Permissioned BC | Ensemble SVM/RF/GBM, DT | Low computational overhead; hybrid ML; simulation-based evaluation |
| ODL | All Layers, Cross-Layer | Dual BC | RNN, DNN | Throughput, latency, packet loss, and energy efficiency are measured; it integrates RNNs and CHS algorithms. |
| Floodlight | All Layers | Ethereum/Private | RF, DT | Dynamic ML detection; reduced CPU; evaluated for accuracy, FPR, mitigation time |
| Multi-controller SDN | Device, Control, Network, Application | Ethereum, Private | MuZero RL, DNN, CNN, RNN, LSTM, DBN, Attention CNN-LSTM | Dynamic traffic and attack mitigation; multi-layer integration |
| FL server/aggregator | All Layers | Public and Private BC | FL, ResVGG-SwinNet, CNN, ANN, GRU, DNN, LeNet, FCN | Privacy-preserving aggregation; metrics: Accuracy, F1, FAR, latency, MSI, OES |
All Layers = Device/Identity, Control Plane, Data/Network, Application/Policy. ¹ = CNN-LSTM, DNN, RNN-LSTM, ResVGG-SwinNet, SAE-DTL, Bi-LSTM-HBA, At-C-L, DBN, GRU, LeNet, FCN.
Table 13. BC/consensus, ML methods, datasets, and evaluation techniques.
| Blockchain/Consensus | ML Approaches ¹ | Datasets Used ² | Evaluation Methods | High-Level Observations |
| --- | --- | --- | --- | --- |
| Ethereum/Public/Smart Contracts | RL, ANN, Bi-LSTM, Attention-CNN-LSTM, DNN (encrypted) | CICIDS2018, CICDDoS2019, InSDN, NSL-KDD, Edge-IIoT | Simulation (Mininet, NS-3, Mininet-WiFi), Testbed/Emulation, Dataset-based evaluation | Accurate, secure routing; low latency and CPU; scalable; secure controller placement |
| Private/Permissioned Ethereum/Hyperledger | FL (weighted, secure, deep transfer), Hybrid DL (CNN-LSTM), DNN, GRU | NSL-KDD, CICIDS2018, BoT-IoT, TESPHA, Novel SDN Dataset, CIFAR-10, Edge-IIoT Cybersecurity, BNAT | Dataset testing, 5-/10-fold cross-validation, comparative simulation, protocol emulation, security analysis | High detection rates (>95%), mitigate overfitting, privacy-preserving aggregation, energy/CPU-efficient |
| Dual/Hybrid BC (Public + Private, DPoS, DAG/PoET) | Federated learning, CapsNet, SAC, ResVGG-SwinNet, AO feature selection | CIC-DDoS2019, UNSW-NB15, IoT23, MNIST | Simulation with traffic generation, Federated learning testbed, analytical modelling, encrypted aggregation evaluation | High detection (>99%), low packet loss, improved bandwidth, latency reduction, secure federated aggregation |
| Others (PBFT, Reputation/Trust-based, Weighted/Consensus) | Ensemble ML: SVM, RF, GBM; Decision Trees; RNN; DRL (DDPG) | NSL-KDD, CICIDS2017, CICDDoS2019, KDD Cup 99, ToN-IoT, UNSW-NB15, IoT23, Edge-IIoTset, Custom datasets | Benchmark dataset testing, Mininet simulation/emulation, testbed, comparative evaluation, analytical modelling | Effective DoS/DDoS detection; low FPR; CPU-efficient; fast detection/mitigation; accurate performance evaluation |
¹ Full ML model list includes CNN-LSTM, DNN, RNN-LSTM, ResVGG-SwinNet, Bi-LSTM-HBA, Attention-CNN-LSTM, DBN, GRU, LeNet, FCN, Random Forest, SVM, AdaBoost, Decision Tree. ² Datasets: CICDDoS2019, CICIDS2018, NSL-KDD, IoT23, BoT-IoT, UNSW-NB15, CIFAR-10, MNIST, Edge-IIoTset, BNAT, TESPHA, InSDN.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Molose, R.; Isong, B. A Survey of Multi-Layer IoT Security Using SDN, Blockchain, and Machine Learning. Electronics 2026, 15, 494. https://doi.org/10.3390/electronics15030494