Abstract:
Software-Defined Networking (SDN) has emerged as a key solution for meeting the expanding demands of IT and online computing services. Its ability to offer flexible network management and cost-efficient operations has made it a preferred choice for businesses across various industries. However, SDN environments are highly susceptible to security threats, particularly Distributed Denial of Service (DDoS) attacks, which can severely impact network performance and economic stability. Addressing these security concerns is crucial to ensuring the reliability and resilience of SDN-based infrastructures. This research proposes an effective solution for detecting DDoS attacks using ensemble-based machine learning. Ensemble models excel at analyzing network traffic, identifying hidden patterns, and distinguishing between benign and malicious packets. This capability helps prevent the unnecessary costs that DDoS attacks impose on users. However, the use of black-box machine learning models in DDoS detection raises concerns about false positives (rejection of legitimate packets) and false negatives (acceptance of malicious packets). To address this issue, the explainable AI techniques SHAP and LIME have been employed to enhance model interpretability, providing insight into the decision-making process. The CIC-DDoS-2019 dataset was utilized for model development and evaluation. Results demonstrate that the ensemble-based models outperform non-ensemble models on this dataset. With an outstanding accuracy of 0.9999 for binary classification and 0.9627 for multi-class classification, the XGB model outperformed the others in both tests. The model's decisions were interpreted using SHAP analysis, which highlighted the most influential features. The top contributing features in the multi-class scenario were 'Min Packet Length,' 'Fwd Packet Length Min,' 'Flow Bytes/s,' and 'Inbound.' For binary classification, 'Packet Length Std,' 'Destination Port,' 'Bwd Packet Length Max,' 'Bwd Packet Length Mean,' and 'Fwd PSH Flags' turned out to be the most important features influencing the model's predictions. Additionally, SHAP and LIME were used to explain individual model predictions, ensuring transparency in the decision-making process. This research highlights the effectiveness of ensemble-based models in DDoS detection and the importance of explainable AI in improving trust and reliability in cybersecurity applications.
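The abstract makes two claims that are easier to see in code: an ensemble of weak learners beats a single model on flow features, and a model-agnostic explanation can attribute a decision to individual features. The following is an added example, not code from the paper and not trained on CIC-DDoS-2019. It constructs toy flow records using the paper's feature names, labels a flow as DDoS when at least three of five features fall in an attack-like range (an assumption chosen so that no single feature separates the classes), trains a single decision stump and a bagged ensemble of stumps, and then computes a global permutation importance and a crude per-flow attribution against a benign reference. The attribution is a simplification of the baseline idea behind SHAP, not SHAP or LIME, and XGBoost is replaced by a from-scratch ensemble so the block runs with the standard library only.

```python
"""Toy ensemble DDoS-flow classifier with model-agnostic explanations.

Added example; not the paper's code. Flow records are constructed here
(not CIC-DDoS-2019). Labelling rule is an assumption for the toy: a flow
is DDoS when at least 3 of 5 features lie in their attack-like range.
"""
import random
from statistics import median

FEATURES = ["Min Packet Length", "Fwd Packet Length Min", "Flow Bytes/s",
            "Inbound", "Packet Length Std"]

# (attack-like range, benign-like range) per feature; ranges are disjoint.
RANGES = {
    "Min Packet Length":     ((0.0, 30.0), (60.0, 120.0)),
    "Fwd Packet Length Min": ((0.0, 30.0), (60.0, 120.0)),
    "Flow Bytes/s":          ((2e5, 9e5), (1e2, 8e4)),
    "Inbound":               ((1.0, 1.0), (0.0, 0.0)),
    "Packet Length Std":     ((0.0, 40.0), (80.0, 600.0)),
}


def make_flows(n, rng):
    """Constructed flow records: list of (feature_vector, label)."""
    rows = []
    for _ in range(n):
        flags = [rng.random() < 0.5 for _ in FEATURES]  # attack-like indicator per feature
        x = [rng.uniform(*RANGES[f][0 if flag else 1]) for f, flag in zip(FEATURES, flags)]
        rows.append((x, 1 if sum(flags) >= 3 else 0))
    return rows


def train_stump(rows, feature_ids):
    """Decision stump: the (feature, threshold) with the lowest training error
    among the allowed features; each side predicts its majority label."""
    n, total_pos = len(rows), sum(y for _, y in rows)
    best = None
    for j in feature_ids:
        pairs = sorted((x[j], y) for x, y in rows)
        left_pos = left_n = 0
        for i in range(n - 1):  # sweep candidate thresholds between sorted values
            left_pos += pairs[i][1]
            left_n += 1
            if pairs[i][0] == pairs[i + 1][0]:
                continue  # equal values cannot be split apart
            t = (pairs[i][0] + pairs[i + 1][0]) / 2
            right_pos, right_n = total_pos - left_pos, n - left_n
            l_pred = int(2 * left_pos >= left_n)
            r_pred = int(2 * right_pos >= right_n)
            err = (left_n - left_pos if l_pred else left_pos) + \
                  (right_n - right_pos if r_pred else right_pos)
            if best is None or err < best[0]:
                best = (err, j, t, l_pred, r_pred)
    if best is None:  # no usable split: predict the majority class
        maj = int(2 * total_pos >= n)
        return lambda x: maj
    _, j, t, l_pred, r_pred = best
    return lambda x: l_pred if x[j] <= t else r_pred


def train_ensemble(rows, n_stumps, rng):
    """Bagging with random subspace: each stump sees a bootstrap resample and a
    single feature, cycled so every feature gets an equal share of the votes."""
    return [train_stump([rng.choice(rows) for _ in rows], [i % len(FEATURES)])
            for i in range(n_stumps)]


def attack_score(stumps, x):
    return sum(s(x) for s in stumps) / len(stumps)  # fraction of stumps voting DDoS


def accuracy(model, rows):
    return sum(model(x) == y for x, y in rows) / len(rows)


def permutation_importance(model, rows, rng):
    """Global explanation: accuracy drop when one feature's column is shuffled."""
    base, out = accuracy(model, rows), {}
    for j, name in enumerate(FEATURES):
        col = [x[j] for x, _ in rows]
        rng.shuffle(col)
        out[name] = base - accuracy(model, [(x[:j] + [v] + x[j + 1:], y)
                                            for (x, y), v in zip(rows, col)])
    return out


def local_explanation(stumps, x, reference):
    """Local explanation for one flow: drop in attack score when a single feature
    is replaced by a benign reference value (baseline idea only; not SHAP/LIME)."""
    base = attack_score(stumps, x)
    return {name: base - attack_score(stumps, x[:j] + [reference[j]] + x[j + 1:])
            for j, name in enumerate(FEATURES)}


def run(seed=7, n_train=400, n_test=200, n_stumps=25):
    rng = random.Random(seed)
    train, test = make_flows(n_train, rng), make_flows(n_test, rng)
    single = train_stump(train, range(len(FEATURES)))
    stumps = train_ensemble(train, n_stumps, rng)
    ensemble = lambda x: int(attack_score(stumps, x) >= 0.5)
    benign_ref = [median(x[j] for x, y in train if y == 0) for j in range(len(FEATURES))]
    suspect = [10.0, 10.0, 5e5, 1.0, 20.0]  # constructed flow, attack-like on every feature
    return {
        "single_stump_acc": accuracy(single, test),
        "ensemble_acc": accuracy(ensemble, test),
        "global_importance": permutation_importance(ensemble, test, rng),
        "local_score": attack_score(stumps, suspect),
        "local": local_explanation(stumps, suspect, benign_ref),
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

On the constructed data a single stump can only track one feature, so it lands near the agreement rate of that feature with the majority rule, while the ensemble recovers the rule by voting across features. The permutation importance is what a defender would report alongside the global SHAP ranking in the paper, and the per-flow attribution is the kind of evidence needed before acting on a flagged flow, since it shows which fields pushed the score rather than just the score itself.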