DDoS Attack Detection and Classification Using Hybrid Model for Multicontroller SDN

A software-de ﬁ ned network (SDN) brings a lot of advantages to the world of networking through ﬂ exibility and centralized management; however, this centralized control makes it susceptible to di ﬀ erent types of attacks. Distributed denial of service (DDoS) is one of the most dangerous attacks that are frequently launched against the controller to put it out of service. This work takes the special ability of SDN to propose a solution that is an implementation run at the multicontroller to detect a DDoS attack at the early stage. This method not only detects the attacks but also identi ﬁ es the attacking paths and starts a mitigation process to provide protection for the network devices. This method is based on the entropy variation of the destination host targeted with its IP address and can detect the attack within the ﬁ rst 250 packets of malicious tra ﬃ c attacking a particular host. Then, ﬁ ne-grained packet-based detection is performed using a deep-learning model to classify the attack into di ﬀ erent types of attack categories. Lastly, the controller sends the updated tra ﬃ c information to neighbor controllers. The chi-squared ( x 2 ) test feature selection algorithm was also employed to reveal the most relevant features that scored the highest in the provided data set. The experiment result demonstrated that the proposed Long Short-Term Memory (LSTM) model achieved an accuracy of up to 99.42% using the data set CICDDoS2019, which has the potential to detect and classify the DDoS attack tra ﬃ c e ﬀ ectively in the multicontroller SDN environment. In this regard, it has an enhanced accuracy level to 0.42% compared with the RNN-AE model with data set CICDDoS2019, while it has improved up to 0.44% in comparison with the CNN model with the di ﬀ erent data set ICICDDoS2017.


Introduction
SDN is a new design that consists of three layers: data, control, and application plane, with the data and control planes being independent of one another [1]. The data plane is made up of switches and routers that forward network traffic; the control plane is comprised of NOX, POX, Beacon, Floodlight, and Open Daylight controllers; and the application plane contains applications that configure SDN. When the network is under a DDoS attack, the SDN controller is unable to respond to the normal traffic that is coming from the rest of the network, and the SDN loses centralized control. As a result, the key ben-efit of SDN, which is a centralized network control, is threatened by DDoS attacks [2,3].
In this regard, most of the recent works are focused on detecting and classifying DDoS attacks with a single controller using different mechanisms and are also focused on either the accuracy or efficiency, not both. There are multiple controllers in data centers that need to be protected from DDoS attacks. Each of these controllers has a different network traffic tolerance level. Spoofing the source (also called as fake source address) is one approach to hiding the perpetrator's identity when this kind of attack occurs [4,5]. Furthermore, the attackers attempt to overwhelm the target with bogus packets for the malicious packets to be served. The causes of such attacks are as follows [6]: DDoS is a powerful weapon when there is a conflict between two groups or two individuals by obstructing an opponent's applications and infrastructure; an person may intentionally become an attacker and carry out unwanted activities in response to a perceived injustice through this attack; and through cyber warfare (which is motivated by politics or geopolitics), a terrorist cell attempts to attack some of the sensitive zones to destroy the economic system. There are different forms of DDoS attacks that are indicated in Figure 1.
In the literature, there are several techniques available for detecting, classifying, and mitigating the DDoS attack. As such, the strategies are categorized into entropy-based, machinelearning-based, and deep-learning-based techniques [7]. The proposed entropy mechanism compares the entropy flow values of source and destination IP addresses that are detected by the SDN controller to predefined entropy threshold values that change adaptively based on network dynamics [8]. In this regard, some of the entropy-based DDoS attack detection solutions are located in various studies and explained in the following section [9][10][11][12][13][14][15][16].
The open challenges in DDoS attack detection and classification using entropy and a deep-learning model for multicontroller SDN could include the following: Developing more robust and accurate models: while the current study proposes a model for detecting and classifying DDoS attacks using entropy and deep learning, there is still room for improvement in terms of accuracy and robustness. Future studies could explore different machine-learning algorithms, feature selection techniques, and architectures to improve the performance of the model. Evaluating the model's performance in a real-world environment: the current study evaluates the proposed model using simulated DDoS attacks. However, it is important to evaluate the model's performance in a real-world environment where there are multiple types of traffic and network conditions are constantly changing. Future studies could explore how the model performs in actual network environments. Addressing the issue of false positives: false positives can be a significant issue in DDoS attack detection, as they can lead to unnecessary network downtime or resource allocation. Future studies could explore ways to reduce the number of false positives generated by the model. Considering the impact of DDoS attacks on different types of networks: the current study focuses on DDoS attacks in a multicontroller SDN environment, but DDoS attacks can target different types of networks such as cloud networks and IoT networks. Future studies could explore the impact of DDoS attacks on these different types of networks and develop models that are tailored to their specific characteristics.
By addressing these open challenges, future researchers can help advance the field of DDoS attack detection and classification and develop more effective and efficient techniques for protecting networks against these types of attacks.

Literature Review
Wang et al. [1] proposed a self-feedback dynamic thresholding system based on the previous results of trigger and detection. In this system, the threshold was used as a trigger and adjusted dynamically. Their proposed results showed that the number of calls was reduced significantly to the resource-consuming detection algorithm. Omar et al. [2] analyzed the effects of distributed denial-of-service (DDS) attacks on a software-defined networking environment and proposed an entropy-based approach to detect these attacks. They used the flexibility of the OpenFlow protocol and an OpenFlow controller (POX) to mitigate the attacks upon detection. Through simulation, the results of the detection algorithm were observed and then implemented into a small-scaled network test bed, and finally, the results of the proposed algorithm were presented and analyzed. Wang et al. [3] extended a copy of the packet number counter of the flow entry in the OpenFlow table. Based on the flow-based nature of SDN, they designed a flow statistics process in the switch. Later, they proposed an entropy-based lightweight DDoS flooding attack detection model running in the OF edge switch. This achieved distributed anomaly detection in SDN and reduced the flow collection overload to the controller. Also, the detailed algorithm was provided for a small calculation overload and implemented in SDN software or programmable switch, such as Open vSwitch and NetFPGA. The experimental results showed that this detection mechanism detected the attack quickly and achieved a high detection accuracy with a low false-positive rate.
Fawcett et al. [4] introduced TENNISON, a novel distributed SDN security framework that combines the efficiency of SDN control and monitoring with the resilience and scalability of a distributed system. They demonstrated the effectiveness and capabilities of the TENNISON framework through the use of four attack scenarios. Zubaydi et al. [5] reviewed the different detection techniques that were available to prevent DDoS attacks and the characteristics of these techniques. Wang et al. [10] proposed an SDN scalability architecture for multidomain, multivendor networking. They designed and implemented the coordinator controller to enable different SDN administrative domains. This method was validated by building a multidomain experiment environment consisting of three vendors. The results showed great ability in maintaining the consistency of the network state view and end-to-end provisioning services. Kavitha et al. [11] proposed a collaborative approach for DDoS attack detection in a distributed SDN multicontroller platform. It also analyzed DDoS attacks in distributed controllers, which differ from centralized controllers in SDNs. The study detected attacks and provided an attack mitigation process through the implementation of a monitoring solution that used the POX controller with the Open vSwitch.
Bawany et al. [17] proposed a framework capable of meeting application-specific DDoS attack detection and mitigation requirements. They explained how this framework can be utilized to secure applications built for smart cities. Furthermore, this work highlighted open research challenges, future research directions, and recommendations related to SDN-based DDoS detection and mitigation. Scott-Hayward et al. [18] presented a broad survey of the research relating to security in softwaredefined networking. Ahmad and Mir [19] presented the various control plane architectures and discussed various SDN controllers. They analyzed more than forty SDN controllers in terms scalability, reliability, consistency, and security performance parameters. They also examined the mechanisms used by various SDN controllers.

Wireless Communications and Mobile Computing
Bannour et al. [20] reviewed an SDN with a special focus on the distributed SDN control. A thorough discussion was made on the major challenges of distributed SDN control along with some insights into emerging and future trends in that area. Krishnan and Najeem [21] presented the taxonomy of threats, risks, and attack vectors that can disrupt the SDN stack and extended various approaches to solve these problems, to deploy SDN securely in production environments. Pandikumar et al. [22] proposed a solution with an implementation running at the multicontroller to detect the DDoS attack at the early stage. The proposed method was based on the entropy variation of the destination host targeted with its IP address and detected the attack within the first 250 packets of malicious traffic attacking a particular host in the SDN. Lawal and Nuray [23] presented a real-time detection of the distributed denial-ofservice (DDoS) attacks on the SDN and a control method based on the sFlow mitigation technology. For this, sFlow analysis samples of packets were collected from the network traffic, and handling rules were generated to be sent to the controller in case of an attack detection. The implementation was done by emulating the network in Mininet which runs on a Virtual Machine (VM), and it was shown that the proposed method effectively detects and mitigates DDoS attacks. Sebbar et al. [24] presented different attacks in SDN layers and interfaces, proposing two scenarios in order to describe the methodology of the Man-in-the-Middle (MITM) attack in different controllers like OpenDayLight (ODL), Open Network Operating System (ONOS), and RYU. They focused on the ODL controller which was the subject of this study. The simulation results indicated that the attackers easily controlled the SDN controller, and communication between the control layer and infrastructure layer was not secure. This result shows that ODL was vulnerable with respect to MITM attack. In this research, many recommendations and solutions to prevent and detect the MITM attack were offered.
Xu et al. [25] presented a twofold complication of management: one is an isolation mechanism enabling regional customization and overcoming flatness of OpenFlow networks, and the second one is achieved by dividing information into several sorts. Mohsin and Hamid [26] investigated the impact of a DDoS attack on an SDN environment and proposed a light and effective method for detecting this attack at an early stage based on calculating the entropy of destination network traffic IP addresses. The proposed method proved their ability to detect the DDoS attack with minimum detection time in three different SDN network topologies that were single, linear, and multicontroller. The RYU controller was used with the Mininet emulator and OpenFlow protocol. Sahoo et al. [27] reviewed security concerns of SDN, possible DDoS attacks in individual layers of SDN, and ongoing research efforts on SDN-enabled DDoS detection solutions. Based on the findings, an information distance-based flow discriminator framework was discussed.
Mousavi and St-Hilaire [9] proposed using the central control of an SDN for attack detection and introduced a solution that was effective and lightweight in terms of the resources. Dalou et al. [28] proposed an entropy-based mechanism for the distributed denial-of-service (DDoS) attack detection and mitigation in SDN networks that was evaluated through extensive simulation experiments. Wang and Liu [29] proposed a DDoS attack detection method based on information entropy and deep learning; the experiments indicated that the accuracy of this method reaches 98.98%, which has the potential to detect a DDoS attack traffic effectively in the SDN environment. Wei et al. [30] proposed a hybrid deep-learning technique that utilizes two deep neural network models for effective feature extraction and accurate DDoS attack detection and classification without human intervention.
Elsayed et al. [31] proposed the DDoSNet, against DDoS attacks in SDN environments. This method was based on a deep-learning (DL) technique, combining the Recurrent Neural Network (RNN) with an autoencoder. This model was evaluated using the newly released data set CICDDoS2019, which contains a comprehensive variety of DDoS attacks and addresses the gaps of the existing current data sets. The authors have noted a significant improvement in attack detection, as compared to other benchmarking methods. Hence, our model provides great confidence in securing these networks.
Gadze et al. [32] suggested the DDoS attack prediction using a hybrid deep-learning (DL) model, namely, a CNN with BiLSTM (bidirectional long/short-term memory), in order to effectively anticipate DDoS attacks using benchmark data from  3 Wireless Communications and Mobile Computing other models [33][34][35][36][37][38]. By ranking and choosing features that scored the highest in the provided data set, only the most pertinent features were picked. Experiment findings demonstrate that the proposed CNN-BI-LSTM attained an accuracy of up to 94.52 percent using the data set CICDDoS2019 during training, testing, and validation. The detailed research outputs and research gaps are indicating in Table 1.
From Table 1, most ML and deep-learning algorithms got the highest accuracy compared to traditional methods that can recognize both known and unknown DDoS attacks. However, to date, high accuracy is achieved during training but the accuracy in tests is lower, and there is a need to investigate new methods that can improve accuracy for unknown DDoS attacks and find an accurate solution for them.

Research Methodology
This section describes the material and methodology of the present work. The systematic diagram of the process steps for the implementation of feature selection methods and machinelearning classifiers is presented in Figure 2. To explain the investigation, this research discusses the methods that were used in the proposed solution in the SDN multicontroller.
3.1. Data Set Description. Adequate training and testing data sets were prepared for the desired solution. CICDDoS2019: DDoS attacks are a type of network security threat that is aimed at overloading target networks with malicious traffic. The data is prepared for the training model directly. The CICDDoS2019 data set was available in a .CSV format where more than 80 features were extracted using CICFlowMeter. The following steps were adopted to preprocess the data before the module training.

Feature Selection.
Instead of choosing all features in the source data, we concentrated on identifying the appropriate attributes to forecast DDoS attacks. To choose the most optimum features from the raw data, numerous approaches, such as principal component analysis (PCA), decision tree, random forest regressor, and chi-squared (x 2 ) test, can be used. An x 2 test analyzes whether the frequencies of particular classes and features are independent or reliant on the correlation among predictor and target variables.

Parameter Setting.
To increase the likelihood of getting an appropriate classification while backtesting the proposed model, the hyperparameters must be set up correctly and changed during creation of the deep-learning model. Higher accuracy and a reduced chance of overfitting the data are two benefits of using the suggested ideal hyperparameters. The evaluation of the deep-learning model by backtesting it with the test data reveals the optimal value for a hyperparameter.

Model Training.
After feature selection, the suggested framework Keras input format is supported by the deeplearning model, which is created utilizing the input layer's regularization, recurrent, activation, and dense layer shapes. Consequently, the model needs to be compiled after the model and network are created. The evaluation metrics are a requirement for the following stage of model training.

Proposed DDoS Attack Detection and Classification
The main contribution of the study is DDoS attack detection and classification in a multicontroller SDN that is also implemented with three POX controllers. Its performance is also evaluated through accuracy, recall, F1-measure, and precision.

Proposed
Model Architecture. Figure 3 shows the architecture for the DDoS attack detection system and classification method. Based on this context, the gaps of the proposed model architecture solution are addressed.

Entropy-Based Method (Controller Detection Design).
Entropy-based methods depend on network feature distributions to detect anomalous network activities [19]. Entropy is calculated using probability distributions for several network features including source IP address, destination IP address, and port numbers. Anomalies are detected using predetermined criteria on changes in the entropy values. The initial section of the overall method includes PACKET_IN message rate detection, port entropy detection, and the control module. The controller is responsible for filtering suspicious traffic previously to improve recall. The control module is implemented by the controller itself.

Rate Detection
Module. An attacker can launch a DDoS in an SDN system by sending spoof packets that do not match any switch flow entries. The switch will send PACKET_IN messages to the controller to request the processing method. Thus, the received packet rate by the controller increases in a short time. When it exceeds the normal threshold, the possibility of the current network being attacked increases. The following step is to determine if the abnormal performance is caused by a network attack or flash crowd behavior.  Once the condition is matched, the packets are forwarded to the allocated destination port. When large numbers of packets arrive with a repeated IP address, the switch identifies the rule mismatches and redirects them to the controller. The controller calculates the entropy given by the switches. The entropy is based on the threshold value, found against the rule set, in every suspicious host. The controller decides that a DDoS attack has taken place. Meanwhile, the controller sends the packets based on the high entropy value to the deep detection server module for additional attack detection and classification. Then, the attack detection and classification information are sent to the neighborhood controllers which are connected in a distributed setup. Attacks must be detected at the earliest to protect the controllers and other forwarding components. In the existing study, attack detection was done for the first 50 packets, while the subsequent study considered the first 50 incoming packets for detection.

Deep Detection Server Design (Deep Learning).
In this research, a method for detecting DDoS attacks in multicontroller SDNs based on information entropy and deep learning is offered. To begin, the controller can review suspicious (untrusted packets) traffic by detecting information entropy. The deep-learning model then uses detailed packet-based detection to classify the attack into different attack types ( Figure 4). This technique brings together the advantages of information entropy and deep learning. Finally, the controller distributes the change to all neighborhood controllers.
Two-level detection is used for network traffic to ensure high accuracy and minimal computing complexity at the same time. To ensure great efficiency, the controller runs a preliminary section based on information entropy. The packet-based deep section uses deep detection to ensure fine granularity and high accuracy. The detection includes the data-processing section and the deep-learning detection section. The traffic will be transformed into the acceptable input shape in the first section. The second section outputs the detection and classification results based on the deep-learning method.
(1) Data-processing module: before feeding the input data to the training model, we need to prepare the data via normalization, encoding, feature extraction, and feature selection  In this research study, a logically centralized and physically distributed controller architecture is used. Logically centralized means that the architecture takes advantage of the concept of a multicontroller design; at the same time, a single controller is also considered. In a logically centralized architecture, all the controllers have the same responsibilities, and they split the charge equally. They are always aware of every change in the network, and they share the same information instantly, thanks to network synchronization. The network information is stored in the NIB (Network Information Base) and writes and reads the contents of NIB to synchronize the state of each controller. Controllers detect malicious activity quickly, based on the threshold level of packets, and decide on whether the packets are to be forwarded or sent to the deep detection server for attack classification. This analysis will be updated in the controller database and sent to other controllers in the distributed controller connection domain, so their databases are updated as well, as shown in Figure 5. Lower values of entropy will be regarded as attacks based on the tests conducted, which helps to determine a threshold for entropy. Any time the network configuration changes, the threshold can be adjusted. Figure 6 shows the virtual box window running Mininet.

Wireless Communications and Mobile Computing
The experiment covers four cases of normal and attack traffic runs.
(i) Normal traffic is run on all switches with randomly generated packets going to all hosts to find the threshold for usual traffic (normal) (ii) Attack traffic is run from two hosts. Attacks were run manually 4.7.2. Deep-Learning Simulation. The DDoS2019 data set is used in this experiment. This includes 12 categories of the most recent common DDoS assaults as well as normal traffic (benign) DDoS attacks. This DDoS is based on real-world facts (PCAPs) and with labeled flows based on attack vectors (.CSV files). These DDoS attack type data sets have a size of 20.7 GB, and it is quite difficult to get the type of device to process this type of large-sized b/s; it needs a high GPU. In this experiment, 81 features, 300,000 total rows for each attack type, and more than 1 million rows in the data set were selected. And the attack type that used in this experiment is LDAP, UDP, UDP_lag, SYN, WebDDoS, and BENIGN.

Feature Selection.
Principal component analysis (PCA), decision tree, random forest regressor, and chi-squared (x 2 ) test [29] can all be used to select the most optimal features from raw data. This study used an x 2 test to rank and choose features as indicated in the following equation.

Performance Evaluations and Discussion
In this section, performance evaluations of the proposed models for DDoS attack detection and classification using entropy and deep learning are discussed. In this case, we first considered testing the entropy-based experiment and also the four deeplearning models to evaluate their performance achievements. Finally, the comparison was made with selected existing works. Figure 7 shows when normal traffic is flowing to the controller; as a result, the controller is also expected to do nothing except calculate the entropy value. This value helps the controller to determine whether the packet is an attack or not. In this regard, the entropy value is stable, and there is no sudden change that would make the controller suspect the existence of an attack; therefore, the controller takes no action. In Figure 8, in a condition where there is an attack detected in the network, the entropy value does not stay as stable as in      Wireless Communications and Mobile Computing the normal environment. The entropy value goes down below the threshold value which, in this case, is equal to 1. In this scenario, the attack traffic has been generated from two hosts, making one of the other hosts as the target. Figure 6 shows the sudden change in the packet flow as expected. Figure 9, which is shown below, compares the outcomes of normal traffic and attack traffic entropy value variations. As a result, as the normal traffic is being generated and growing from the threshold set, its entropy value changes and is displayed. However, when a controller detects attack traffic, the entropy value decreases and falls below the threshold level. Here, it can be concluded that entropy-based attack detection has good efficiency with less accuracy. To increase the accuracy of the controller, the traffic which is lower than the threshold value is forwarded into the deep detection server which is running a deep-learning algorithm; then, the deep detection server detects the attack and classifies it into different attack types.

Result of the Entropy-Based Experiment.
Based on Figure 9, by generating normal traffic, the entropy value is calculated as 1.15 to avoid false positives, and for false negatives, the entropy value is taken as 1. This entropy value will be a threshold for detecting the attack. In Figure 9, when traffic is generated from hosts 1 and 2, the entropy value decreases to 0.04; this decrement of the entropy value increases the probability of an attack.

Results of the Deep-Learning Models.
Here we made four experiments under the same data set (i.e., DDoS2019) with regard to different deep-learning algorithms, including GRU, RNN, LSTM, and MLP. In all experiments, initialization of the sequential function of the SoftMax layer takes the input and classifies the data into six different types of attacks independently using categorical classification. In the loss function, categorical cross-entropy is used with the Adam optimizer that has a learning rate of 0.001 for RNN, GRU, and LSTM models, while categorical cross-entropy with the Adadelta optimizer having a learning rate of 0.001 has been used for the MLP model. In order to minimize overfitting of the model, a dropout of 0.01 is used for the RNN, GRU, and LSTM models, while for the MLP model, it is 0.03. The models are also trained with several epochs and batch sizes of 1000 for RNN, GRU, and LSTM, while the batches sizes of MLP are 800. The experiment has been made on each algorithm separately in order to finally consider the optimal one with respect to the accuracy of the evaluation metric. Figures 10 and 11 show that the RNN model trains up to 30 epochs. The result shows that the training loss was reduced from 0.9674 to 0.0692, while the testing loss was reduced from 0.6023 to 0.0521. Also, the training accuracy has improved from 0.6847 to     Figures 14 and 15 show that the LSTM model trains up to 23 epochs. The training loss has been reduced from 1.2709 to 0.0178; similarly, the testing loss was also reduced from 0.7896 to 0.0184. Also, the training accuracy has been improved from 0.6372 to 0.9952, and the testing accuracy was enhanced from 0.7458 to 0.9943. Figures 16 and 17 shows that the MLP model trains up to 40 epochs. The training loss has been reduced from 1.3105 to 0.0822, and the testing loss was reduced from 0.8991 to 0.0786. Also, the training accuracy has been improved from 0.7151 to 0.9819, and the testing accuracy was enhanced from 0.7899 to 0.9833. Therefore, from the obtained results, one can conclude that the LSTM model beats the other three models since it reduces training_loss by 0.0280 and testing_loss by 0.0193, which is lower than the other models. As a result, this model also improved the training accuracy by 0.99311 and the testing accuracy by 0.9957.  Table 1, based on the evaluation matrices like accuracy, recall, F1-score, precision, training_loss, val_loss, training accuracy, and val_accuracy of the proposed models. The LSTM model is better for the classification of the given data set into 6 different attack types. In this experiment of the LSTM model, an accuracy of 99.56 is achieved that is better than those of the other three deep-learning algorithms. And also, LSTM has reduced the training loss = 0:028 and the testing loss = 0:0193 that are lower loss rates than in the other algorithms. Lastly, in the comparison, the accuracy is also better than those of the others with a training accuracy of 0.9931 and testing_ accuracy of 0.9957. Based on the experiment, LSTM also has better precision, recall, and F1-score as described in Table 2. So, based on the four experiments, it is concluded that LSTM has better classification accuracy than the others. Furthermore, Figure 18 represents their experiment results.

MLP Model Assessment. Lastly, the result under
The ROC curve is used to measure and verify that those models operate accurately. The ROC curve indicates the relation between two parameters: true and false classes. The area underneath the ROC curve (AUC) measures reparability between false-positive and true-positive rates.
In other experiment results, the ROC of the proposed four deep-learning models such as GRU (Figure 19 Lastly, the experiment result of the proposed LSTM model has been compared with other well-known models in the related work. Baseline papers and other related papers with the same data set are selected. Their performance results are shown in Table 3 as well as Figure 23. From the result, it is concluded that the current proposed model that is LSTM with feature selection has a higher accuracy than the others.
In comparison with the LSTM model with the baseline model, it is enhanced by 0.421%, which is higher than that of the RNN-AE model on the CICDDoS2019 data set. Also, it is improved by 0.44%, which is higher than that of the CNN model on the ICICDDoS2017 data set.
To increase reliability, this model used a logically centralized and physically distributed controller architecture. To increase efficiency and accuracy, entropy-based and deeplearning models are used. This entropy-based model improved the efficiency, whereas deep learning increased accuracy. The attack comes from the data plane forwarded to the entropy module controller; then, this module calculates the probability of being an attack. If it has a high probability, the controller forwards it to the deep-learning module for better accuracy. This entropy-based model prevents the controller from overloading which will increase efficiency and accuracy. These two methods together can improve the efficiency and accuracy of the model.
The feature selection method (chi-squared (x 2 )) provides better accuracy by selecting only essential or high-weighted features from the data set. Therefore, the LSTM model with the feature selection technique has high accuracy and low error classification. Then, this LSTM model was deployed In entropy-based detection, the probability of the attack is identified, and then it is sent to the deep-learning module. This increases the efficiency of the controller and decreases overloading the deep detection server. In this deep-learning model experiment, a feature selection method has been used that is the chi-squared (x 2 ) technique that helps us to focus on the  13 Wireless Communications and Mobile Computing essential and high-weighted features. So, in the experiment, RNN, MLP, LSTM, and GRU approaches were used. Before training the model, the data set is preprocessed, and after that, the x 2 feature selection method is used to get high weighted features and then fed into RNN, MLP, LSTM, and GRU deep-learning models. The standard RNN is easier to use and requires less training time. GRU uses fewer training parameters and, therefore, uses less memory and executes faster than LSTM, while LSTM is capable of learning long-term sequences on a larger sample and is more accurate.

Wireless Communications and Mobile Computing
However, the outcomes of the detection and classification of the DDoS attack using the feature selection method are promising when the qualitative results are evaluated. When comparing the overall features of information in the data set, the model's detection and classification accuracy are increased and the error rate is decreased. Accordingly, the LSTM model has achieved an accuracy of 3.02%, 1.82%, and 1.12% in comparison with GRU, RNN, and MLP, respectively. On the other hand, the authors compared their proposed model with the baseline and related work models in which LSTM has brought significant improvements. When compared with the RNN-AE model with data set CICDDoS2019 and the CNN model with data set ICICD-DoS2017, it has achieved, respectively, 0.421% and 0.44%.

Case Studies Based on This Method.
A potential case study for the DDoS attack detection and classification using an entropy-based and deep-learning model for multicontroller SDN to solve the proposed architecture could be as follows: (1) Scenario. A large e-commerce website is experiencing a DDoS attack that is causing a significant slowdown in its network traffic. Assume that the network has been configured with the SDN architecture. The network administrator is unable to detect and mitigate this attack using their traditional existing security measures and needs a more robust solution.
(2) Proposed Approach. The proposed architecture involves using an entropy-based and deep-learning model to detect and classify DDoS attacks in a multicontroller SDN environment. Our current architecture includes multiple controllers that work together to monitor and analyze network traffic and identify potential DDoS attacks in order to assist the network administrator.

Case Study Steps
(1) Implementation. The IT team implements the proposed architecture in the e-commerce website's network infrastructure. The architecture is configured to monitor all incoming traffic and detect any anomalies that could indicate a DDoS attack.
(2) DDoS Attack Simulation. The IT team simulates a DDoS attack on the e-commerce website's network by generating a large number of requests from multiple sources. The attack is designed to overwhelm the network and cause a significant slowdown in traffic.  (3) Detection and Classification. The proposed architecture detects and classifies the DDoS attack using the entropybased and deep-learning model. The controllers work together to analyze the network traffic and identify the characteristics of the attack.
(4) Mitigation. Once the DDoS attack is detected and classified, the proposed architecture triggers a mitigation mechanism to block the attack traffic and restore normal network traffic. The mitigation mechanism could be implemented through a variety of methods, such as traffic filtering, traffic shaping, or blacklisting of the attacker's IP addresses.
(5) Evaluation. The IT team evaluates the effectiveness of the proposed architecture in detecting and mitigating the DDoS attack. They analyze the accuracy of the detection and classification, the speed and effectiveness of the mitigation mechanism, and the overall impact on network performance.
(6) Comparison with Existing Solutions. The IT team compares the performance of the proposed architecture with their existing security measures for detecting and mitigating DDoS attacks. They evaluate the strengths and weaknesses of each approach and determine if the proposed architecture provides a more effective and efficient solution.
By implementing this case study, the researcher can demonstrate the effectiveness of their proposed architecture in a real-world scenario and provide evidence of its potential benefits. The case study can also highlight any challenges or limitations of the proposed architecture and provide insights into how these challenges can be addressed.

Conclusions
The networking industry and academia have concluded that distributed controller designs are necessary for the future of SDN because centralized systems cannot meet the demands of efficiency, scalability, and availability. Also, DDoS attack detection and classifications in multicontroller SDN have significant benefits to the new SDN-based data centers being designed. An entropy-based and deep-learning model is proposed for effectively and accurately classifying the attacks. To ensure high accuracy and low computational complexity at the same time, two-level detection is applied for network traffic. The controller performs a preliminary section based on information entropy to assure high efficiency. The deep detection server is used for the packet-based deep detection to guarantee fine granularity and high accuracy.
The chi-square (x 2 ) test is used as the feature selection algorithm to reveal the most relevant features and perform an effective classification. Secondly, the baseline model is limited to binary classification (attack and normal) which lacks a detailed description of the attack type. This problem is addressed by categorical classification. This categorical classification allowed making specific attack descriptions of the type of attack that is coming to the controller.
Thirdly, the baseline model is focused on a single controller topology which leads to the single point of failure.
In this situation, the requirements for efficiency, scalability, security, and availability are not met by this architecture, to avoid a single point of failure or to increase efficiency, scalability, and availability.
In this paper, a comprehensive solution has been provided for SDN multicontroller architectures by explaining their characteristics and presenting different scenarios of the implementation. In this work, the effort to implement a multicontroller-based SDN solution to detect a DDoS attack on the controller is accomplished. The environment is implemented using a logically centralized but physically distributed POX controller. This brings many solutions to the shortcomings of the single controller-based environment. This research succeeded in detecting DDoS attacks early in a multicontroller structure.
Finally, incorporating the entropy-based and deeplearning method into a model that has a better efficiency and accuracy of DDoS attack detection and classification in multicontroller SDN is achieved. Based on the experiment results, accuracy of 98.6% from RNN, 98.3% from MLP, 96.4% from GRU, and 99.42% from LSTM are recorded. Among all, LSTM showed high accuracy compared to the other proposed models. With the baseline work comparison without feature selection, CNN with the ICICDDoS2017 data set has an accuracy of 98.98%, and the RNN autoencoder with the CICDDoS2019 data set has an accuracy of 99%.
The experiment result shows that the effectiveness and accuracy of the proposed model with feature selection have a higher accuracy of 99.42% than those of the baseline papers without feature selection. This work concludes that a logically centralized and physically distributed architecture, as well as use of the feature selection method, allows for increased reliability, efficiency, and availability.

Data Availability
The data sets used and/or analyzed during the current study are available from the corresponding author on reasonable request.

Ethical Approval
All procedures performed in the studies were in accordance with the ethical standards of the institutional and/or national research committee and with the comparable ethical standards.

Consent
For this type of study, formal consent is not required. Authors give consent for the publication of the submitted research article in Silicon.