Unseen Attack Detection in Software-Defined Networking Using a BERT-Based Large Language Model

Bibliographic Details
Main Authors: Mohammed N. Swileh, Shengli Zhang
Format: Article
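Language: English
Published: MDPI AG 2025-07-01
Series: AI
Subjects: BERT-base-uncased model; Natural Language Processing (NLP); SDN attacks; software-defined networking (SDN)
Online Access: https://www.mdpi.com/2673-2688/6/7/154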
Description: Software-defined networking (SDN) represents a transformative shift in network architecture by decoupling the control plane from the data plane, enabling centralized and flexible management of network resources. However, this architectural shift introduces significant security challenges, as SDN’s centralized control becomes an attractive target for various types of attacks. While the body of current research on attack detection in SDN has yielded important results, several critical gaps remain that require further exploration. Addressing challenges in feature selection, broadening the scope beyond Distributed Denial of Service (DDoS) attacks, strengthening attack decisions based on multi-flow analysis, and building models capable of detecting unseen attacks that they have not been explicitly trained on are essential steps toward advancing security measures in SDN environments. In this paper, we introduce a novel approach that leverages Natural Language Processing (NLP) and the pre-trained Bidirectional Encoder Representations from Transformers (BERT)-base-uncased model to enhance the detection of attacks in SDN environments. Our approach transforms network flow data into a format interpretable by language models, allowing BERT-base-uncased to capture intricate patterns and relationships within network traffic. By utilizing Random Forest for feature selection, we optimize model performance and reduce computational overhead, ensuring efficient and accurate detection. Attack decisions are made based on several flows, providing stronger and more reliable detection of malicious traffic. Furthermore, our proposed method is specifically designed to detect previously unseen attacks, offering a solution for identifying threats that the model was not explicitly trained on. To rigorously evaluate our approach, we conducted experiments in two scenarios: one focused on detecting known attacks, achieving an accuracy, precision, recall, and F1-score of 99.96%, and another on detecting previously unseen attacks, where our model achieved 99.96% in all metrics, demonstrating the robustness and precision of our framework in detecting evolving threats, and reinforcing its potential to improve the security and resilience of SDN networks.
id doaj-art-a6fb3b5e9b28499eabe59ca23fd3090a
institution DOAJ
issn 2673-2688
Mohammed N. Swileh and Shengli Zhang (both: College of Electronics and Information Engineering, Shenzhen University, Shenzhen 518060, China). Unseen Attack Detection in Software-Defined Networking Using a BERT-Based Large Language Model. AI (MDPI AG), vol. 6, no. 7, article 154, 2025-07-01. ISSN 2673-2688. DOI: 10.3390/ai6070154. https://www.mdpi.com/2673-2688/6/7/154