An Investigation into the Application of Deep Learning in the Detection and Mitigation of DDOS Attack on SDN Controllers

Round 1

Reviewer 1 Report

Need more details about the dataset. generatation, samples was needed to understand the result statistical significance.

Every image and table require more description and point out what they signifies and why it will help to conclude that RNN LSTM will be better.

Suggestions:

Change figure 4 and 5 to more better format as example check figure 7 from https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8893994file:///C:/Users/Cliff/AppData/Local/Temp/Artificial_Neural_Network_Based_Gait_Recognition_U.pdf

Figure 6 7 8 9 , half of the figure is covered by the legend. Also it hard to understand as colors are very close to each other for some method. How about present for important ones and for others provide in the table

see figure 18 and 20, if u started from 3 in x-axis for figure 18, you can do 2 for x-axis in figure 20. That would make the image concise.

Please in caption, provide a little more details about the image.

Author Response

Please see the attachment.

Author Response File: Author Response.docx

Reviewer 2 Report

• This paper proposes deep learning models, long-short term memory (LSTM) and convolutional neural network (CNN) to detect DDoS attack, particularly TCP, UDP and ICMP flood attacks that target the SDN controller. A three tier architecture that consist of 7 switches, 8 hosts (2 per switch) and an external controller (single host connected to a switch) is considered using the SDN Mining simulator, where the floodlight controller and OpenFlow switches are deployed by means of a virtual machine running on Ubuntu, under a specific scenario. In this work, K-neighbour nearest (KNN), Logistic Regression, Linear SVC, SVC, Decision Tree, Random Forest, Gradient Boosting and Naïve Bayes classifiers are considered as machine-learning models. The process workflow of the detection and defence mechanisms are captured in Figure 5. Using the metrics accuracy, recall and true negative rate, the proposed scheme is evaluated by simulations, showing promising results; the most important being that the proposed scheme is able to detect and mitigate the DDoS attack with a good performance. The details on the time taken to achieve this are also given along with the split ratio of the training and testing sets. Results show that RNN LSTM the best of the studied models to be used for DDoS detection and mitigation in SDN controllers.
• Comments:
• (1) A sentence or two should be included at the end of the Abstract highlighting the main findings from simulations, preferably in a quantitative fashion (for instance, our proposed RNN LSTM is Y1% better than model Z in terms of accuracy, Y2% better than model Z in terms of recall metric, Y3% better than model Z in terms of negative rate, etc…
• (2) In Related Work Section, papers should be narrated as follows:
• In [5], the authors used KNN, SVM, etc… 
• Also, at the end of the discussion in Section 2: Related Work, the authors should include a Table that qualitatively compare and contrast the related works cited, preferably in terms of few common features (for instance, type of DDoS attack treated in the paper, performance metric used in the assessment of the paper, machine learning model(s) used in the paper, mitigation time (if any), etc …)

Author Response

Please see the attachment.

Author Response File: Author Response.docx

Round 2

Reviewer 1 Report

The authors sufficiently addressed my concerns