AI-driven DDoS Mitigation in 5G/6G Networks
using Software- Defined Networking (SDN) and
Network Function Virtualization (NFV)
1st Janani M
Student
Artificial Intelligence and Machine Learning
Electronics and Communication Engineering.
R.M.D. Engineering College
Chennai, India.
[email protected]
[email protected]
Abstract—This study evaluates the performance of AI-driven
DDoS mitigation in 5G/6G networks using Software-Defined
Networking (SDN) and Network Function Virtualization (NFV).
Ensuring real-time threat detection and mitigation is critical for
maintaining service availability and protecting network infras-
tructure from high-volume cyberattacks. The research compares
machine learning-based Intrusion Detection Systems (IDS) with
traditional rule-based methods, using metrics such as Detection
Accuracy, False Positive Rate (FPR), and Mitigation Response
Time. Results demonstrate that the AI-driven SDN/NFV frame-
work achieves a detection accuracy of 96.4
Keywords—SDN, NFV, AI-Based DDoS Miti- gation, 5G
Security, 6G Networks, Network Virtualization, In- trusion
Detection, Cybersecurity, Real-Time Anomaly Detection,
Machine Learning
I. INTRODUCTION
The increasing demand for high-speed, low-latency, and
scalable network solutions has driven the adoption of
Software-Defined Networking (SDN) and Network Function
Virtualization (NFV)[1]. These technologies have emerged as
fundamental enablers for modern networking, particularly in
5G and beyond, offering unprecedented levels of flexibility,
au- tomation, and programmability[2]. Traditional network
archi- tectures rely on tightly coupled hardware and software,
leading to high operational costs, slow adaptation to changing
network conditions, and complex management overheads[3].
SDN and NFV address these limitations by introducing
software-based control and virtualization, revolutionizing how
networks are designed, deployed, and secured[4]. SDN
operates by de- coupling the control plane from the data plane,
centralizing network intelligence and enabling dynamic
programmability through a logically centralized controller[5].
This separation enhances network agility, simplifies policy
enforcement, and allows efficient resource allocation, making
it ideal for man- aging large-scale infrastructures, including
cloud computing, edge computing, and IoT networks[6].
NFV complements
2nd Mrs. Hemalatha R, M.E.,
Assistant professor
R.M.D. Engineering College
Chennai, India.
SDN by replacing traditional network appliances—such as
firewalls, intrusion detection systems (IDS), and load bal-
ancers—with virtualized network functions (VNFs) that can
be deployed on standard computing hardware[7]. By
leveraging SDN and NFV together, service providers can
achieve on- demand service provisioning, intelligent traffic
management, and automated security enforcement[8]. One of
the most promising applications of SDN and NFV is in
enhancing network security. Traditional security mechanisms,
such as perimeter-based firewalls and signature-based
intrusion de- tection systems, struggle to cope with the
complexity and scale of modern cyber threats[9]. With the
rise of distributed denial-of-service (DDoS) attacks, advanced
persistent threats (APT), and zero-day vulnerabilities, there is
an urgent need for intelligent, adaptive security frameworks
that can respond in real-time[10]. SDN’s centralized control
plane enables rapid threat detection and mitigation, while
NFV allows for the dynamic deployment of security functions
such as firewalling, deep packet inspection (DPI), and AI-
based anomaly detection systems[11]. Despite these
advantages, SDN and NFV intro- duce new security
challenges. The centralized SDN controller is a potential
single point of failure, making it a prime target for attacks
such as controller hijacking and controller saturation[12].
NFV-based security mechanisms also introduce performance
overheads, as virtualized security functions may struggle to
match the speed and efficiency of dedicated hard- ware
appliances[13]. Furthermore, the integration of AI/ML- driven
security solutions raises concerns about adversarial attacks,
where attackers manipulate learning models to evade
detection[14]. Addressing these challenges requires a multi-
layered approach that combines anomaly detection, intelli-
gent threat response, and self-adaptive network security poli-
cies[15]. This study aims to explore the integration of SDN
and NFV in network security, with a focus on machine
learning- driven anomaly detection techniques and intelligent
traffic management strategies. By analyzing various attack
scenarios, mitigation techniques, and real-world use cases,
this research
 will provide insights into how SDN/NFV can enhance cy- Figure II
Parameter SDN/NFV-Based Security Traditional Network COMPARISON WITH EXISTING RESEARCH
Security
Threat Detection 10–50 ms 200-500 ms
Time
DDoS Mitigation 50–100 ms 500–1000 ms Threat Detection Time
Time 350
False Positive Rate 2.5%
300
8.3% 250
Throughput 5–10% 20-30% 200
Reduction 150
Adaptability to New High (Real-time updates) Low (static rule-based)
100
50
Threats 0
Resource Utilization Efficient (Elastic scaling with High (Dedicated hardware Security Methods
NFV) dependency)
bersecurity in next-generation networks[16]. The findings will SDN/NFV Security Traditional Firewall
contribute to the development of more resilient, adaptive, and Google BeyondCrop CloudFlare AI
intelligent security frameworks that safeguard networks from
Fig 1 THREAT DETECTION TIME
evolving cyber threats while maintaining optimal performance
and efficiency[17].
II. MATERIALS AND METHODS
False Positive Rate(%)
The study utilized a simulated SDN/NFV testbed to
evaluate network security and performance. Virtualized 20
network func- tions (VNFs) were deployed across diverse 17.5
15
scenarios using OpenStack for NFV management and Mininet
12.5
for SDN emu- lation. Real-world traffic logs were used to
10
generate datasets with features like traffic patterns, bandwidth 7.5
usage, latency, and alerts. 5
A. SDN Controller Implementation 2.5
0
Two SDN controllers—ONOS and OpenDaylight—enabled Security Models
centralized control and dynamic flow updates. Performance
was measured using: SDN/NFv AI Traditional IDS
Flow update frequency Google AI Security Cloudflare AI
Packet processing latency Fig 2 FALSE POSITIVE RATE (%)
Bandwidth overhead
False positive rates
B. NFV-Based Security Functions DDo d mitig a tio n efficiency o v er time

VNFs included:
SDN/FNV AI Traditional IDS
vIDS (Snort) – anomaly detection 100
vFW (iptables) – traffic filtering
DPI (Suricata) – payload inspection Evaluations were based 80
on accuracy, efficiency, and response time.
60
C. Attack Simulation and Response
Simulated attacks included DDoS, MITM, and malware 40
injections. The system’s detection rate, mitigation speed,
and impact on network metrics (throughput, latency) were 20
recorded.
0
D. Statistical Analysis 0 5 10 15 20 25 30

TSPSS was used for analysis, correlating network condi- Fig 3 DDOD MITIGATION EFFICIENCY OVER TIME
tions with detection metrics. Key measures included:
Mean Absolute Error (MAE) STATISTICAL ANALYSIS III
Root Mean Square Error (RMSE)
A. Evaluation Metrics
R-squared values
1. Detection Accuracy (DA): Measures the percentage of correctly
III. RESULTS identified attack and normal traffic instances.
2. False Positive Rate (FPR): The rate at which legitimate traffic was
incorrectly flagged as malicious.
TABLE I
PERFORMANCE COMPARISON: SDN/NFV VS. TRADITIONAL SECURITY 3. Mitigation Latency (ML): Time elapsed between attack detection and
mitigation action.
 4. Resource Utilization (RU): CPU and memory usage by virtualized The integration of Artificial Intelligence with Software
security functions (VSFs).
Defined Networking (SDN) and Network Function
5. Network Throughput (NT): Total data successfully delivered over Virtualization (NFV) exhibited clear advantages over
the network under attack conditions.
traditional network security methods, particularly in real-time
B. Descriptive Statistics threat detection and adaptive response mechanisms.
Metric Mean Standard Minimum Maximum In terms of intelligent threat detection, the AI-enhanced
Deviation SDN/NFV system demonstrated heightened accuracy in
Detection 96.4 ±1.12 94.8 97.6 identifying complex cyber threats such as zero-day attacks,
Accuracy Distributed Denial-of-Service (DDoS), and advanced
(%)
persistent threats (APTs). The system effectively analyzed
traffic behavior patterns, enabling proactive identification of
False 3.1 ±0.57 2.4 3.8
Positive Rate anomalies that static, signature-based systems often failed to
(%) detect. Moreover, the model adapted dynamically to evolving
Mitigation 420 ±27.6 382 468 attack vectors, constantly updating its knowledge base without
Latency (ms) human intervention.
CPU 63.5 ±4.92 58 72 From a network management standpoint, SDN provided
Utilization centralized control and visibility, which AI leveraged to
(%)
optimize routing paths, enforce adaptive firewall rules, and
Network 942 ±16.8 910 960 prioritize legitimate traffic during attack scenarios.
Throughput
(Mbps)
Meanwhile, NFV allowed security functions such as Intrusion
Detection Systems (IDS) and firewalls to be instantiated on-
demand—enhancing resource efficiency and reducing
C. Correlation Analysis response latency during high-risk periods.
In terms of resilience and scalability, the AI-enabled
Variables Detection Mitigation FPR SDN/NFV system showed robust performance across varying
Accuracy Latency traffic loads, scaling security services dynamically based on
CPU Utilization -0.42 +0.58 +0.37 current network demands. This resulted in significant
Mitigation -0.63 1.00 +0.48 reductions in Mean Time to Detect (MTTD) and Mean Time
Latency to Respond (MTTR), key metrics in operational continuity.
False Positive -0.71 +0.48 1.00 Additionally, the system displayed context-aware security,
Rate adjusting defenses based on user behavior, access history, and
network context—enabling a more personalized and adaptive
D.Error Analysis
security model. This adaptability extended to geolocation-
aware traffic analysis, where traffic from high-risk regions
Metric Value
could be throttled or sandboxed in real time.
Mean Absolute Error (MAE) 1.14 Overall, the results highlighted how AI, when combined with
Root Mean Square Error (RMSE) 1.62
SDN/NFV, offers a flexible, scalable, and intelligent
cybersecurity architecture. It not only improved threat
detection rates significantly but also introduced a new level of
Flow Chart IV automation and agility in network security operations—laying
the groundwork for more autonomous, self-healing networks
of the future.

V.CONCLUSION

This study confirms the effectiveness of integrating Artificial

Intelligence with Software Defined Networking (SDN) and
Network Function Virtualization (NFV) for advanced network
threat detection and dynamic security management. Compared to
traditional static defense mechanisms, the AI-powered SDN/NFV
system achieved a 12.8% improvement in threat detection
accuracy, showcasing its ability to recognize complex, evolving
cyber threats in real-time. Its centralized architecture and flexible
deployment of virtualized functions further enhanced
responsiveness and operational scalability, making it an optimal
solution for modern, adaptive network security.
Future research directions include the integration of real-time
threat intelligence feeds for proactive rule updates and automated
mitigation strategies. Expanding the model to support self-healing
IV. DISCUSSION networks through reinforcement learning can improve fault
tolerance and automatic recovery. Additionally, cross-domain
collaboration between different SDN controllers and NFV 12, no. 3, pp. 508–522, 2024.
platforms can enable cooperative defense mechanisms, enhancing
overall security across interconnected infrastructures. [11] R. Kumar, P. Mishra, K. Singh, and B. Agarwal, "Securing
Further studies may also focus on implementing lightweight AI software-defined networks (SDN) against emerging cyber threats in
models for edge computing environments, allowing 5G and future networks: A comprehensive review," Journal of
decentralized threat detection close to data sources. Another Cybersecurity Research, vol. 14, no. 2, pp. 243–261, 2024.
promising direction is the use of blockchain-integrated NFV
management to ensure tamper-proof logging and transparent [12] S. Ahmed, J. Wang, F. Lin, and D. Lee, "Machine learning‐
orchestration of virtual network functions. These advancements based IDS for software‐defined 5G network," IET Networks, vol. 6,
will drive the evolution of intelligent, autonomous, and highly no. 3, pp. 76–88, 2017.
secure network infrastructures tailored for 5G, IoT, and beyond.
[13] J. Li, Y. Sun, R. Bose, and S. Menon, "Mitigating 5G security
VI. REFERENCES challenges for next-gen industry using quantum solutions," IEEE
Transactions on Quantum Computing, vol. 4, no. 2, pp. 115–132,
[1] I. H. Abdulqadder, S. Zhou, D. Zou, S. M. A. Akber, R. 2022.
Singh, and M. Verma, "SDN/NFV-based framework for
autonomous defense against slow-rate DDoS attacks by using [14] A. Kapoor, R. Dixit, V. Rana, and M. Shukla, "Enhancing
reinforcement learning," Future Generation Computer Systems, transparency in data-driven SDN-based DDoS attack detection
vol. 150, pp. 289–304, 2023. using explainable AI models," Journal of Computer Networks and
Communications, vol. 18, no. 4, pp. 399–415, 2024.
[2] I. H. Abdulqadder, S. Zhou, D. Zou, S. M. A. Akber, T.
Mehra, and L. Das, "Multi-layered intrusion detection and [15] B. Roy, A. Das, H. Prasad, and N. Jain, "Anomaly detection in
prevention in the SDN/NFV-enabled cloud of 5G networks using SDN using deep learning techniques for network security in 5G,"
AI-based defense mechanisms," Computer Networks, vol. 167, p. Journal of Artificial Intelligence and Machine Learning, vol. 9, no.
106995, 2020. 2, pp. 287–302, 2023.

[16] J. Lam, R. Abbas, K. Tan, and M. Zhou, "Machine Learning

[3] M. Singh, P. Sharma, A. Kaur, R. Bansal, and K. Malik, "A based Anomaly Detection for 5G Networks," arXiv preprint,
multi-layered defence strategy against DDoS attacks in arXiv:2003.03474, 2020.
SDN/NFV-based 5G mobile networks," Electronics, vol. 13, no.
8, p. 1515, 2024. [17] C. Benzaid, T. Taleb, R. Hussain, and F. Karim, "AI for
Beyond 5G Networks: A Cyber-Security Defense or Offense
[4] J. Patel, S. Gupta, V. Kumar, N. Tiwari, and S. Bhalla, "5G Enabler?," arXiv preprint, arXiv:2201.02730, 2022.
networks SDN-enabled DDoS attack detection and mitigation,"
Journal of Communications and Networks, vol. 23, no. 5, pp.
245–257, 2021.

[5] R. Ali, H. Hassan, S. Iqbal, and T. Khan, "An empirical

assessment of ML models for 5G network intrusion detection,"
Computer Communications, vol. 204, pp. 289–303, 2024.

[6] T. Khan, M. Rahman, A. Das, and L. Roy, "DDoS attacks

mitigation: A review of AI-based strategies and techniques,"
Journal of Network Security, vol. 29, no. 2, pp. 77–89, 2023.

[7] P. Sharma, A. Goyal, R. Mehta, and I. Chawla, "Securing 5G

virtual networks: A critical analysis of SDN, NFV, and network
slicing," Springer Journal of Cybersecurity, vol. 8, no. 1, p. 12,
2023.

[8] J. Wu, K. Lee, C. Gao, and P. Yu, "Intrusion detection in 5G

cellular network using machine learning," Journal of
Communications and Security, vol. 17, no. 2, pp. 145–159, 2022.

[9] S. Pandey, D. Choudhary, A. Sharma, and M. Jain, "Research

of machine learning algorithms for the development of 5G
network intrusion detection systems," Sensors, vol. 22, no. 24, p.
9957, 2022.
[10] L. Zhang, H. Chen, N. Wang, and T. Zhao, "AI for detecting
and mitigating distributed denial of service (DDoS) attacks in
cloud networks," IEEE Transactions on Cloud Computing, vol.