SDNGuardStack: An Explainable Ensemble Learning Framework for High-Accuracy Intrusion Detection in Software-Defined Networks
Pith reviewed 2026-05-10 00:09 UTC · model grok-4.3
The pith
An ensemble model called SDNGuardStack detects intrusions in software-defined networks at 99.98 percent accuracy while providing SHAP-based explanations.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The authors claim that SDNGuardStack, formed by ensembling base learners after mutual information feature selection and trained on the InSDN dataset of realistic SDN attack scenarios and traffic patterns, reaches 99.98 percent accuracy and a Cohen Kappa of 0.9998. This exceeds the performance of other models tested while remaining interpretable through SHAP analysis that identifies Flow ID, Bwd Header Len, and Src Port as the most influential features. The framework is presented as both high-performing and practically executable for SDN security deployments.
What carries the argument
SDNGuardStack ensemble of base learners, using mutual information for feature selection and SHAP for explainability on the InSDN dataset.
If this is right
- The ensemble outperforms other models in both accuracy and Cohen Kappa score.
- SHAP explanations enable security analysts to understand and respond to model predictions.
- Features such as Flow ID, Bwd Header Len, and Src Port emerge as the strongest drivers of detection decisions.
- The approach supports practical, executable intrusion detection suitable for real SDN environments.
- The results advance the creation of secure and resilient network infrastructures.
Where Pith is reading between the lines
- Similar ensembles could be tested on traffic from other centralized network architectures to check whether the accuracy pattern holds.
- The emphasis on interpretability may help the method gain acceptance in environments that require auditable decisions.
- Measuring inference time under high-volume SDN traffic loads would reveal whether the framework meets real-time constraints.
- Extending the preprocessing steps to newer SDN controller variants could broaden the framework's applicability.
Load-bearing premise
The InSDN dataset accurately captures realistic attack scenarios and traffic patterns in SDN without bias, leakage, or distribution shift that would inflate performance on held-out data.
What would settle it
Evaluating the trained SDNGuardStack model on an independent SDN traffic trace set that includes previously unseen attack types and measuring whether accuracy stays near 99.98 percent would test the central claim.
Original abstract
Software-Defined Networking (SDN) is another technology that has been developing in the last few years as a relevant technique to improve network programmability and administration. Nonetheless, its centralized design presents a major security issue, which requires effective intrusion detection systems. The SDN-specific machine learning-based intrusion detection system described in this paper is innovative because it is trained and tested on the InSDN dataset which models attack scenarios and realistic traffic patterns in SDN. Our approach incorporates a comprehensive preprocessing pipeline, feature selection via Mutual Information, and a novel ensemble learning model, SDNGuardStack, which combines multiple base learners to enhance detection accuracy and efficiency. In addition, we include explainable AI methods, including SHAP to add transparency to model predictions, which helps security analysts respond to incidents. The experiments prove that SDNGuardStack has an accuracy rate of 99.98% and a Cohen Kappa of 0.9998, surpassing other models, and at the same time being interpretable and practically executable. It is interesting to see such features like Flow ID, Bwd Header Len, and Src Port as the most important factors in the model predictions. The work is a step towards closing the gap between performance intrusion detection and realistic deployment in SDN, which will lead to the creation of secure and resilient network infrastructures.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript proposes SDNGuardStack, an ensemble learning framework for intrusion detection in Software-Defined Networks. It trains and evaluates on the InSDN dataset using a preprocessing pipeline, Mutual Information-based feature selection, a stacked ensemble of base learners, and SHAP for explainability. The central claim is that the approach achieves 99.98% accuracy and 0.9998 Cohen's Kappa, outperforming other models while remaining interpretable and practically deployable.
Significance. If the performance claims hold under leakage-free evaluation, the work would offer a concrete, high-accuracy, explainable IDS solution for SDN environments, where centralized control planes create unique attack surfaces. The explicit use of SHAP to surface features such as Flow ID and Bwd Header Len is a positive step toward analyst-usable transparency. However, the absence of rigorous experimental controls currently prevents the result from being treated as a reliable advance.
major comments (2)
- [Abstract] Abstract and experimental methodology: the headline result of 99.98% accuracy and 0.9998 Cohen's Kappa is presented without any description of the train-test split strategy, cross-validation scheme, hyperparameter tuning protocol, or how baselines were re-implemented. These omissions make it impossible to determine whether the reported superiority is reproducible or an artifact of an unspecified experimental design.
- [Feature Selection] Feature selection pipeline: Mutual Information feature selection is stated to be part of the preprocessing pipeline, yet the text gives no indication that it was computed exclusively on training folds. When MI is calculated on the full InSDN dataset before any split, label information from test samples leaks into the selected feature set, rendering the held-out accuracy non-indicative of generalization. Network flows are not i.i.d. (shared IPs, ports, temporal correlations), so a simple random split without deduplication or temporal blocking would compound the leakage; no such safeguard is described.
minor comments (1)
- [Abstract] The abstract lists Flow ID, Bwd Header Len, and Src Port as the most important features according to SHAP but does not reference a table or figure that reports the actual SHAP values or rankings, making the interpretability claim harder to verify.
Simulated Author's Rebuttal
We thank the referee for the careful and constructive review. The comments highlight important gaps in experimental description and potential methodological issues that we will address through targeted revisions to improve reproducibility and validity.
Point-by-point responses
- Referee: [Abstract] Abstract and experimental methodology: the headline result of 99.98% accuracy and 0.9998 Cohen's Kappa is presented without any description of the train-test split strategy, cross-validation scheme, hyperparameter tuning protocol, or how baselines were re-implemented. These omissions make it impossible to determine whether the reported superiority is reproducible or an artifact of an unspecified experimental design.
  Authors: We agree that the current manuscript lacks explicit details on these aspects of the experimental design. In the revised version, we will add a dedicated Experimental Setup section that fully specifies the train-test split strategy (including ratio, stratification, and any deduplication steps), the cross-validation procedure used for hyperparameter optimization, the tuning protocol (search method and ranges), and the precise re-implementation details for all baseline models using the identical preprocessing pipeline. These additions will enable independent reproduction of the results.
  revision: yes
- Referee: [Feature Selection] Feature selection pipeline: Mutual Information feature selection is stated to be part of the preprocessing pipeline, yet the text gives no indication that it was computed exclusively on training folds. When MI is calculated on the full InSDN dataset before any split, label information from test samples leaks into the selected feature set, rendering the held-out accuracy non-indicative of generalization. Network flows are not i.i.d. (shared IPs, ports, temporal correlations), so a simple random split without deduplication or temporal blocking would compound the leakage; no such safeguard is described.
  Authors: The referee correctly points out that the manuscript does not indicate whether Mutual Information feature selection was restricted to training folds only. We will revise the preprocessing description to explicitly state that feature selection is performed independently within each training fold of the cross-validation process to eliminate leakage. We will also add discussion of the non-i.i.d. properties of network flow data and detail the splitting safeguards employed (such as IP/port deduplication or temporal blocking where feasible). If re-execution under the corrected pipeline alters the metrics, we will report the updated results.
  revision: yes
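The leakage mechanism raised in the Feature Selection comment, as an added example that is not code from the paper or from this review: Mutual Information ranking done once on all rows is compared with ranking done inside each training fold, using folds blocked by source IP. The eight flows, the two feature names, and the choice of source IP as the blocking key are constructed assumptions, and a majority-vote lookup stands in for the stacked ensemble.

```python
import math
from collections import Counter, defaultdict

FEATURES = ("pkt_rate", "win")  # hypothetical bucketed feature names
# Constructed flows, not InSDN records: (src_ip, (pkt_rate, win), label), 1 = attack
FLOWS = [
    ("10.0.0.1", (0, 1), 1), ("10.0.0.1", (0, 1), 1),
    ("10.0.0.2", (0, 0), 0), ("10.0.0.2", (0, 0), 0),
    ("10.0.0.3", (0, 0), 0), ("10.0.0.3", (1, 0), 0),
    ("10.0.0.4", (1, 1), 1), ("10.0.0.4", (1, 0), 1),
]

def mutual_information(xs, ys):
    """I(X;Y) in bits for two equal-length discrete sequences."""
    n, px, py = len(xs), Counter(xs), Counter(ys)
    return sum(c / n * math.log2(c * n / (px[x] * py[y]))
               for (x, y), c in Counter(zip(xs, ys)).items())

def select_features(rows, k):
    """Indices of the k features with the highest MI against the label in `rows`."""
    ys = [y for _, _, y in rows]
    mi = [mutual_information([x[i] for _, x, _ in rows], ys)
          for i in range(len(FEATURES))]
    return sorted(range(len(FEATURES)), key=lambda i: -mi[i])[:k]

def grouped_folds(rows, k):
    """Yield (train, test) pairs in which no source IP appears on both sides."""
    ips = sorted({ip for ip, _, _ in rows})
    for f in range(k):
        held = set(ips[f::k])
        yield ([r for r in rows if r[0] not in held],
               [r for r in rows if r[0] in held])

def accuracy(train, test, feats):
    """Majority-vote lookup on the selected features, fitted on train only."""
    votes = defaultdict(Counter)
    for _, x, y in train:
        votes[tuple(x[i] for i in feats)][y] += 1
    default = Counter(y for _, _, y in train).most_common(1)[0][0]
    hits = 0
    for _, x, y in test:
        seen = votes.get(tuple(x[i] for i in feats))
        hits += (seen.most_common(1)[0][0] if seen else default) == y
    return hits / len(test)

def cross_validate(rows, k_folds=2, k_feats=1, leaky=False):
    """Mean accuracy; leaky=True ranks features once on all rows, test labels included."""
    global_feats = select_features(rows, k_feats)
    scores = []
    for train, test in grouped_folds(rows, k_folds):
        feats = global_feats if leaky else select_features(train, k_feats)
        scores.append(accuracy(train, test, feats))
    return sum(scores) / len(scores)

if __name__ == "__main__":
    print("MI on full data (leaky):", cross_validate(FLOWS, leaky=True))
    print("MI inside each fold:    ", cross_validate(FLOWS, leaky=False))
```

The folds, classifier and data are identical in both runs; only where the MI ranking is computed changes, and that alone moves the reported mean accuracy on this constructed data.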
Circularity Check
No significant circularity in derivation chain
The paper reports measured empirical performance (99.98% accuracy, 0.9998 Cohen's kappa) of an ensemble classifier on the external public InSDN dataset after a standard preprocessing and mutual-information feature-selection pipeline. No equations, first-principles derivations, or load-bearing claims reduce by construction to the authors' own fitted parameters, self-definitions, or self-citations. The central result is a direct test-set statistic, not a renamed fit or a uniqueness theorem imported from prior author work. The derivation chain is therefore self-contained as an experimental report against an independent benchmark.
Axiom & Free-Parameter Ledger
free parameters (2)
- Ensemble hyperparameters and base-learner choices
- Mutual information feature selection threshold
axioms (1)
- domain assumption: InSDN dataset models realistic SDN attack scenarios and traffic patterns.
invented entities (1)
- SDNGuardStack: no independent evidence