1. Introduction
The installation and configuration of network elements are complex tasks that require skilled personnel. When dealing with network nodes that interact with each other in complicated ways, a system-based approach involving simulation is necessary. However, the current programming interfaces of most networking equipment make it difficult to achieve this [1]. Furthermore, as managing large, multi-vendor networks with various technologies becomes increasingly costly, service providers face resource shortages and rising real-estate expenses. A novel network paradigm is required to integrate network management and provisioning across many domains [2].
In network devices like switches and routers, SDN is a technique that separates the control plane from the data plane [3,4]. The control plane and data plane are tightly entwined in conventional networks, making it challenging to manage and scale the network [5]. In an SDN design, a central controller controls the network and communicates with switches and routers using a standard protocol, such as the OpenFlow protocol [6].
Increased network scalability and flexibility are advantages of SDN. Network administrators can easily manage, configure, and enhance the network with a centralized controller. SDN additionally enables the development of virtual networks that can be altered to accommodate particular applications or traffic types. The SDN architecture is depicted in Figure 1 and is made up of the data plane, control plane, and application plane [7,8].
The data plane consists of network devices such as routers, switches, and access points that are accessed and managed through control–data-plane interfaces (C-DPIs) by SDN controllers. The most commonly used C-DPI is the OpenFlow protocol [6,9]. The implementation of the SDN architecture heavily relies on the control plane. Essentially, the control plane functions as a separate process that operates within the control layer. This layer consists of one or more controllers that offer a comprehensive perspective of the entire SDN system through C-DPI. The controllers consist of essential components, such as a coordinator and virtualizer, which are responsible for managing the behavior of the controller. Additionally, there is a control logic that translates the networking needs of applications into instructions for allocating network element resources. Finally, the application plane is made up of one or more network applications that communicate with the controller(s) in order to use an abstract view of the network for internal decision-making. These applications exchange data with the controller(s) using an open application–controller-plane interface (A-CPI), such as REST API [9].
Table 1 presents the common existing SDN controllers: NOX [10], Floodlight [11], POX [12], OpenDayLight [13], RYU [14], and Beacon [15]. These controllers can be categorized as either centralized, in which a single control entity manages the entire network, or distributed, in which the network is divided into various sections for management [16,17].
Centralized controllers can be classified as either physically centralized or logically centralized. Physically centralized controllers are installed on a single server and are responsible for managing the entire network. The benefit of a physically centralized controller is its ease of use and management due to having only one controller [11]. A logically centralized controller utilizes numerous physical servers, with each controller responsible for a specific network duty. They all, however, use a centralized data store to replicate a common network state [18].
Distributed controllers serve as a distributed control plane for network management. In this case, the network is partitioned into multiple domains, with each domain being managed by its own controller [19,20]. Distributed controllers come in two forms: flat and hierarchical designs. In a flat design, the network is divided into separate domains, with each domain having its own controller. Controllers utilizing the flat design communicate with each other using east–west interfaces to gain a global network view. In contrast, the hierarchical design employs a two-layer controller model. The first layer is a domain controller that handles switches and runs applications in its local domain, while the second layer is a root controller that maintains the global network and manages the domain controllers [21].
One of the most important aspects of SDN is that it allows for network programmability, which enables the seamless integration of artificial intelligence (AI) into communication networks. By leveraging the application programming interface (API), SDN empowers network managers to send powerful programming instructions to network devices. With the help of AI, it can not only schedule automated and intelligent business orchestrators but also develop AI-optimized network strategies and automatically convert them into task scripts, which can be assigned to network allocation tasks via the API. Additionally, network statistics information can be automatically collected and processed to provide a solid foundation for ongoing network optimization. New functionalities can also be intelligently added as needed to the network environment via SDN applications [22].
Machine learning (ML) is a crucial tool for enabling AI [23] as it can effectively predict and schedule network resources based on the available data inputs [24,25]. It has applications in various areas providing data acquisition and analysis by emulating human learning behavior of knowledge [26]. ML aims to enable computers to determine and enhance their performance over time without being explicitly programmed to do so [27]. ML algorithms can be supervised, unsupervised, semi-supervised, or reinforcement, varying based on the type of data utilized for model training [28,29]. Supervised learning (SL) is the process of training a model using labeled data when the right output for each input is known. Unsupervised learning (USL) includes finding patterns and relationships in unlabeled data. Semi-supervised learning (SSL) is a combination of both SL and USL. In reinforcement learning (RL), an agent learns to act in a given environment in order to maximize a reward [30].
Network managers may therefore create networks that are more flexible, efficient, and safe by integrating SDN and ML. According to Figure 2, a variety of tasks in SDN can benefit from the utilization of ML algorithms, such as network resource management, where they can forecast traffic demand and dynamically assign network resources to satisfy it. This may result in greater network resource use, which would lower overall operation costs [26].
By examining user behavior, network anomalies, and traffic patterns, ML can be used to find potential security vulnerabilities [31]. This can lessen the threat of cyberattacks, particularly from malware, which is known for its ability to remain undetected in systems and execute automated coordinated attacks, making it particularly destructive for distributed systems such as IoT and Smart cities [32]. By providing real-time detection and mitigation assistance, this approach enhances cybersecurity measures. Additionally, ML can support the detection and isolation of network defects as well as the prediction of network performance decline, resulting in a more effective and dependable network [22,33].
Last but not least, ML can be used to categorize network traffic according to the kind of application or user behavior, enabling the prioritizing of high-priority traffic and assisting in making sure that vital applications obtain the necessary QoS levels. This can improve customer satisfaction and experience, especially in applications that need real-time replies, high throughput, or low latency [34].
In conclusion, ML has the potential to be a potent tool for improving a number of SDN-related features, such as security, resource management, routing optimization, QoS prediction, and TC. Organizations may optimize their networks for greater performance, dependability, and security by utilizing ML techniques, which will ultimately improve their business outcomes.
Additionally, the SDN architecture’s centralization and programmability, as well as the controller’s capacity to gather real-time data, allow for the application of “intelligence” via ML approaches for effective routing and QoS provisioning [35].
SDN and ML have the ability to work together to build extremely intelligent and effective networks that can accommodate changing situations while delivering greater performance and security. We may anticipate seeing many more potential uses of this technology in the networking industry as ML develops.
1.1. Motivation
In [1], the focus is on the initial efforts to examine how AI is applied in the context of SDN. However, it is noteworthy that this paper does not specifically delve into TC in SDN using ML methods, but rather explores broader applications and implications of AI within the SDN framework. The overview presented in [33] provides a highly detailed introduction to basic ML algorithms and their applications in SDN networks, offering valuable references and guidance for further study. However, it is important to note that this paper covers studies only until 2018; thus, newer developments and advancements in the field may not be fully captured. The survey conducted by [26] serves as an introduction to relevant studies exploring the intersection of ML algorithms and SDN network applications, providing insights into their combined impact and potential in the field. While it may provide insights into the combined impact and potential of ML algorithms in SDN, it likely does not delve deeply into TC using ML methods. In [36], the focus is on IP TC using ML, although it does not delve into TC within the context of SDN. Our primary research objective is to offer a comprehensive overview of TC using ML techniques specifically applied in the context of SDN.
1.2. Contribution
The contributions of the paper can be listed as follows:
Exploration of ML techniques for TC in SDN environments in a comprehensive manner.
Incorporating the most recent research efforts in the SDN TC field.
Including the most recent publicly available datasets suitable for training and evaluating ML models in SDN TC tasks.
Highlighting the role of the ML model for mitigating the SDN security aspects.
Discussing the limitations and open research issues in SDN TC.
Providing insights into areas requiring further investigation and development.
Our paper is organized as follows. First, QoS in SDN using ML is discussed in Section 2. In Section 3, a comparison between traditional and ML TC methods is provided. Section 4 presents SDN TC using ML. Security in SDN using ML is presented in Section 5. Section 6 contains some useful datasets. Limitations and open research issues are introduced in Section 7. Finally, the paper is concluded in Section 8.
2. QoS in SDN Using Machine Learning
QoS is the ability of a network to give priority to selected network traffic and provide better service to users by ensuring dedicated bandwidth, controlling jitter and latency, and enhancing loss characteristics. QoS aims to provide end-to-end guarantees, and there are multiple technologies available to achieve this, which can be used individually or in combination. Resource reservation and allocation, prioritized scheduling, queue management, routing, and other services can be utilized by a network operating system to implement QoS.
Initially, the traditional network was not designed with QoS in mind, and various techniques were later introduced to improve performance tuning. These techniques allowed Internet Service Providers (ISPs) to optimize the internet as required. However, with emerging technologies like big data, cloud computing, and an increasing number of devices, the traditional internet faces new challenges that it struggles to cope with. SDN addresses these issues by making the internet more flexible and programmable [37]. So, as mentioned above, QoS refers to the ability to prioritize network traffic based on its importance and ensure that critical traffic receives preferential treatment over non-critical traffic. TC is one method that can be used to achieve this prioritizing [38,39].
In SDN, TC is often carried out by the controller, which can make use of ML algorithms to automatically recognize and categorize distinct forms of network traffic based on characteristics like packet size, protocol type, and application behavior. The controller can then apply QoS policies, such as giving priority to important traffic or limiting the bandwidth of specific categories of traffic, using this information.
4. SDN Traffic Classification Using ML
In [113], TC within an SDN/cloud environment was investigated through the application of SL. Four distinct algorithms (SVM, NB, RF, and J48 tree (C4.5)) were employed, utilizing two sets of features: features collected from observed data and default features generated from Netmate. The results for collected features indicate accuracy rates of 79.49% (SVM), 82.05% (NB), 97.44% (RF), and 82.05% (J48 tree (C4.5)), while for the generated dataset, the accuracy became 85.29% (SVM), 84.87% (NB), 95.8% (RF), and 92.86% (J48 tree (C4.5)).
Detecting and classifying conflicting flows in SDNs was discussed in [64], based on some features (action, protocol, MAC address, and IP address) and using various ML algorithms (DT, SVM, EFDT, and Hybrid (DT-SVM)). The EFDT and hybrid DT-SVM algorithms were designed based on the DT and SVM algorithms to achieve higher performance. The studies were carried out on two network topologies (simple tree and fat tree) with flow volumes ranging from 1000 to 100,000. The results demonstrate that EFDT has the highest accuracy.
In [114], the authors proposed a model that integrates SDN and ML algorithms for TC. SL algorithms (SVM, NB, and Nearest Centroid) were used, and the results show that the supervised models used have an accuracy of more than 90%.
In [63], the focus was on examining and creating a TC solution using ML that could be integrated into an SDN platform. The research presented an ML-driven TC solution for SDN, leveraging existing network statistics and an offline procedure to understand network traffic patterns with the aid of a clustering algorithm. Instead of predefining a fixed number of network traffic classes, an unsupervised learning (USL) algorithm was employed to determine the most suitable number of network traffic classes, thereby offering a more customized TC approach for network operators. To accomplish this, the dataset was initially clustered and annotated using an unsupervised ML algorithm, followed by training multiple classification models based on the resulting dataset.
In Table 3, we thoroughly examine the aforementioned related works and offer a detailed comparison with respect to objective, classification models, features, dataset (topology), controller, and accuracy achieved.
In [115], the authors applied various ML algorithms to classify real network traffic data automatically. To assess the performance of these algorithms on actual physical and virtual networks, two different scenarios were implemented. The first scenario involves regular data delivery over the network, while the second scenario simulates a malicious network, where the receiver node is periodically flooded with excessive requests. Results show that the second scenario has an overall lower accuracy than the first scenario.
The work performed in [116] examined two ML algorithms (SVM and K-means) for TC. The dataset used is from [117]. The results show that the overall accuracy achieved is greater than 95%.
In [118], a QoS-aware TC system was proposed that combines DPI and semi-supervised ML algorithms. DPI labels certain traffic flows that belong to known applications. The labeled data are subsequently employed by an SSL algorithm comprising Laplacian SVM and K-Means to categorize traffic flows from unknown applications. By doing so, the system can classify both known and unknown traffic flows into distinct QoS classes. Simulation results show that Laplacian SVM accuracy ranges from approximately 80% to 90%.
In [42], an application-aware TC system was introduced. SDN topology is implemented to gather traffic data. Following that, multiple SL algorithms are applied to categorize traffic flows into different applications.
The work performed in [119] proposed a MultiClassifier system that identifies applications through the integration of an ML-based classifier and a DPI-based classifier. When a new flow arrives, the ML-based classifier is first used for classification. If the reliability of its classification result exceeds a predetermined threshold value, it is considered the final result of the MultiClassifier system. However, if the reliability of the ML-based classifier’s result is below the threshold, the system will resort to DPI-based classification. If the DPI-based classification returns “UNKNOWN”, the classification results from the ML-based classifier will still be selected. Otherwise, the classification results from the DPI-based classifier will be selected.
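The arbitration rule described above can be sketched as follows. This is an added example, not code from [119] or from this survey: the ML stage is a small Gaussian naive Bayes model whose posterior probability stands in for the "reliability" score, the DPI stage is a payload-prefix matcher, and the features, signatures, threshold of 0.9 and sample flows are all constructed assumptions.

```python
import math

UNKNOWN = "UNKNOWN"

# Constructed training flows: (mean packet size in bytes, mean inter-arrival in ms).
TRAIN = {
    "voip":   [(160, 20), (180, 20), (170, 18), (170, 22)],
    "gaming": [(260, 20), (280, 20), (270, 18), (270, 22)],
    "web":    [(600, 120), (700, 120), (650, 100), (650, 140)],
}

# Simplified, constructed DPI signatures: payload prefix -> application.
DPI_SIGNATURES = [(b"GET ", "web"), (b"INVITE sip:", "voip")]


def fit_gaussian_nb(train):
    """Per class: log prior and a (mean, variance) pair for every feature."""
    total = sum(len(rows) for rows in train.values())
    model = {}
    for label, rows in train.items():
        stats = []
        for col in zip(*rows):
            mean = sum(col) / len(col)
            var = sum((x - mean) ** 2 for x in col) / len(col) + 1e-6
            stats.append((mean, var))
        model[label] = (math.log(len(rows) / total), stats)
    return model


def ml_classify(model, features):
    """Return (label, reliability); reliability is the class posterior."""
    log_post = {}
    for label, (log_prior, stats) in model.items():
        lp = log_prior
        for x, (mean, var) in zip(features, stats):
            lp += -0.5 * math.log(2 * math.pi * var) - (x - mean) ** 2 / (2 * var)
        log_post[label] = lp
    top = max(log_post.values())
    norm = sum(math.exp(v - top) for v in log_post.values())
    best = max(log_post, key=log_post.get)
    return best, math.exp(log_post[best] - top) / norm


def dpi_classify(payload):
    """Match the first payload bytes against the signature list."""
    for prefix, app in DPI_SIGNATURES:
        if payload.startswith(prefix):
            return app
    return UNKNOWN


def multiclassify(model, features, payload, threshold=0.9):
    """ML first; DPI only when ML reliability does not exceed the threshold."""
    ml_label, reliability = ml_classify(model, features)
    if reliability > threshold:
        return ml_label, "ml"
    dpi_label = dpi_classify(payload)
    if dpi_label == UNKNOWN:
        # DPI could not decide (e.g. encrypted payload): keep the ML answer.
        return ml_label, "ml-fallback"
    return dpi_label, "dpi"


if __name__ == "__main__":
    model = fit_gaussian_nb(TRAIN)
    flows = [
        ((172, 19), b"GET / HTTP/1.1"),                       # confident ML result
        ((220, 20), b"INVITE sip:bob@example.test SIP/2.0"),  # ambiguous, DPI decides
        ((220, 20), b"\x17\x03\x03\x00\x20"),                 # ambiguous, DPI unknown
    ]
    for features, payload in flows:
        print(features, multiclassify(model, features, payload))
```

Note that a confident ML result is final even when the payload would match a DPI signature for a different application, so the threshold controls how often payload inspection is consulted at all.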
From Table 3, it can be seen that the collective findings from the reviewed papers underscore the significant impact and versatility of ML techniques in the domain of TC within SDNs. The integration of SVM and DT in [64] is motivated by several reasons. One primary advantage is that DTs excel at capturing complex decision boundaries, while SVMs are adept at handling high-dimensional spaces. By combining these strengths, the hybrid model can better accommodate diverse datasets, capturing both linear and non-linear relationships effectively. Additionally, the hybrid model offers robustness to noise, drawing on SVM’s noise tolerance while still leveraging DTs to discern intricate patterns. The interpretability of the model is enhanced, as DTs inherently provide clear rules for decision making, contributing to a more understandable and interpretable model. Moreover, the hybrid model can exploit the non-linear capabilities of both SVM and decision trees, proving advantageous in scenarios where intricate relationships need to be captured. The combination also enables insights into feature importance, a benefit derived from the inherent property of DTs. The ensemble effect, derived from combining SVM and DTs, is another notable advantage, often leading to improved model performance. Additionally, the hybrid model can handle imbalanced data effectively, benefiting from decision trees’ ability to address such scenarios. Lastly, the computational efficiency of the hybrid model is enhanced, with DTs being less computationally intensive compared to certain SVM configurations. Overall, the adoption of the hybrid SVM and DT model is driven by a strategic amalgamation of these advantages to address the specific requirements of the research problem at hand. The work in [114] emphasized the applicability of diverse ML algorithms, revealing varying performance across scenarios, while [63] uses SVM with both linear and Radial Basis Function (RBF) kernels. The observed outcomes reveal a notable performance discrepancy between the two kernels. The decision to employ the linear SVM kernel may stem from the dataset’s characteristics, where the underlying relationships between features and the target variable are more effectively captured by a linear decision boundary.
Linear SVMs are particularly potent when dealing with linearly separable data, and the high accuracy achieved with this kernel in this paper underscores its appropriateness for the given context. On the other hand, the observed low accuracy with the RBF kernel suggests that the inherent flexibility and capacity to capture non-linear relationships might not be beneficial for this specific dataset. The RBF kernel introduces additional complexity, and in situations where a simpler model suffices, it may lead to overfitting or suboptimal performance. The choice between linear and RBF kernels often hinges on the characteristics of the data, and the results highlight the significance of this consideration in determining the most suitable kernel for the given research context. The achievement in [116] demonstrated impressive accuracy using SVM and K-means. In [118], the proposal of a QoS-aware TC system combining DPI and semi-supervised ML algorithms demonstrated the successful categorization of known and unknown traffic flows. The application-aware TC system in [42], leveraging SDN topology, and the MultiClassifier system in [119], combining ML-based and DPI-based classifiers, further contribute to the diversity of ML approaches. In summary, putting all these studies together shows that using ML is really effective for sorting out different types of traffic in SDNs. However, it also suggests that we need to keep looking into it and make it better to deal with specific problems and work well in real-world networks.
5. Security in SDN Using ML
ML algorithms play an important role in security and TC by analyzing network traffic patterns to discern normal behavior from potential security threats. By leveraging ML for TC, SDN can precisely identify and categorize various types of network traffic, enabling targeted security measures. The integration of ML-driven TC with security protocols ensures a dynamic defense mechanism against evolving threats, as the network can adapt in real time to anomalies. This seamless collaboration between security and TC in SDN not only enhances threat-detection and -response capabilities but also contributes to the overall robustness and reliability of modern network architectures.
The implementation of a threat-aware system, known as Eunoia, as proposed by [62], utilizes ML to counter network intrusion in SDN. Initially, the data preprocessing subsystem employs a forward feature selection strategy to choose relevant feature sets. Subsequently, the predictive data modeling subsystem utilizes DT and RF algorithms to identify malicious activities. A dataset of 30,000 entries was randomly selected from 10% of the KDD99 intrusion-detection dataset based on the 1998 DARPA initiative. Results demonstrate that RF achieves an accuracy of 98.75% when using the entire dataset, 99.4% when excluding ambiguous data, and 45% when only ambiguous data are selected. Meanwhile, accuracy for DT was measured using ambiguous data only for different numbers of features, yielding 82.48% and 91.17% for the selection of 10 and 15 features, respectively.
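A forward feature selection step of the kind described above can be sketched as a greedy wrapper that adds one feature at a time while validation accuracy improves. This is an added example, not Eunoia's code: a nearest-centroid classifier stands in for the DT and RF models, the feature names are taken from KDD99, and all record values are constructed and already scaled to [0, 1].

```python
# KDD99 feature names; the records below are constructed for illustration.
FEATURES = ["duration", "src_bytes", "serror_rate", "count"]

# (duration, src_bytes, serror_rate, count), label
# duration and src_bytes are deliberately uninformative: both classes
# carry the same values, so they cannot separate normal from attack.
TRAIN = [
    ((0.2, 0.7, 0.0, 0.1), "normal"),
    ((0.9, 0.1, 0.1, 0.2), "normal"),
    ((0.5, 0.4, 0.0, 0.2), "normal"),
    ((0.4, 0.8, 0.1, 0.1), "normal"),
    ((0.2, 0.7, 1.0, 0.1), "attack"),  # high SYN-error rate, low count
    ((0.9, 0.1, 0.9, 0.2), "attack"),
    ((0.5, 0.4, 0.0, 0.9), "attack"),  # low SYN-error rate, high count
    ((0.4, 0.8, 0.1, 1.0), "attack"),
]
VALID = [
    ((0.3, 0.6, 0.0, 0.2), "normal"),
    ((0.7, 0.2, 0.1, 0.1), "normal"),
    ((0.6, 0.5, 0.05, 0.15), "normal"),
    ((0.1, 0.9, 0.0, 0.1), "normal"),
    ((0.3, 0.6, 0.95, 0.15), "attack"),
    ((0.7, 0.2, 1.0, 0.2), "attack"),
    ((0.6, 0.5, 0.05, 0.95), "attack"),
    ((0.1, 0.9, 0.0, 1.0), "attack"),
]


def centroids(rows, idx):
    """Mean vector per label, restricted to the feature indices in idx."""
    by_label = {}
    for x, y in rows:
        by_label.setdefault(y, []).append([x[i] for i in idx])
    return {y: [sum(c) / len(c) for c in zip(*vs)] for y, vs in by_label.items()}


def predict(cents, x, idx):
    """Label of the closest centroid (squared Euclidean distance)."""
    def dist(label):
        return sum((x[i] - c) ** 2 for i, c in zip(idx, cents[label]))
    return min(cents, key=dist)


def accuracy(train, valid, idx):
    """Fit on train, score on valid, using only the features in idx."""
    cents = centroids(train, idx)
    hits = sum(predict(cents, x, idx) == y for x, y in valid)
    return hits / len(valid)


def forward_select(train, valid, names, max_features=None):
    """Greedy forward selection: stop when no remaining feature helps."""
    selected, score, history = [], 0.0, []
    limit = max_features or len(names)
    while len(selected) < limit:
        best = None
        for i in range(len(names)):
            if i in selected:
                continue
            s = accuracy(train, valid, selected + [i])
            if s > score:  # strict improvement over the best seen so far
                best, score = i, s
        if best is None:
            break
        selected.append(best)
        history.append((names[best], score))
    return [names[i] for i in selected], history


if __name__ == "__main__":
    chosen, steps = forward_select(TRAIN, VALID, FEATURES)
    print("selected:", chosen)
    for name, acc in steps:
        print(f"  + {name}: validation accuracy {acc:.2f}")
```

Neither informative feature separates both attack types alone; the wrapper keeps the pair and drops the two uninformative columns.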
The data presented in Table 4 highlight the substantial influence and flexibility of ML methods in the field of TC for security in SDNs, as indicated by the collective results of the reviewed papers. In [120], ML techniques to counteract Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks in SDN are proposed and assessed. The evaluation of these techniques takes place in a realistic scenario where the SDN controller is exposed to DDoS attacks, with the aim of deriving crucial insights to enhance the security of future communication networks through ML-based approaches. The ML techniques utilized include SVM, NB, DT, and Logistic Regression, with corresponding accuracy rates of 97.5%, 96.03%, 96.78%, and 89.98%, respectively.
The examination of DDoS attacks, as explored in [121], involves the analysis of traffic flow patterns. The focus is on distinguishing between normal and abnormal traffic by utilizing various ML algorithms, including NB, KNN, K-means, and K-medoids. The accuracy rates for the ML methods are 94%, 90%, 86%, and 88%, respectively.
In [122], an improved behavior-based SVM is introduced for the classification of network attacks. To enhance the accuracy of intrusion detection and accelerate the learning of normal and intrusive patterns, DT is employed as a feature-reduction technique. This involves prioritizing relevant features and selecting the most qualified ones, which are then utilized as input data for training the SVM classifier. The results demonstrate an average accuracy of 97.55%.
From Table 4, it is evident that the papers reviewed present various approaches and techniques for utilizing ML in countering network intrusion in SDN environments. The study proposing the threat-aware system Eunoia [62] utilizes ML, specifically DT and RF, to identify malicious activities in SDN. The results demonstrate high accuracy rates for RF, particularly when excluding ambiguous data. However, the accuracy significantly decreases when only ambiguous data are considered, highlighting the importance of data preprocessing and feature selection in enhancing model performance. The findings from the study outlined in [120] underscore the effectiveness of employing ML techniques to combat DoS and DDoS attacks in SDN environments. Through the utilization of SVM, NB, DT, and Logistic Regression, the study achieved notable accuracy rates, ranging from 89.98% to 97.5%. These results highlight the potential of ML-based approaches to significantly enhance the security posture of future communication networks, offering robust defenses against malicious cyber threats such as DDoS attacks. The achievement in [122] introduces an enhanced behavior-based SVM for classifying network attacks. By leveraging DT as a feature-reduction technique, the model prioritizes relevant features to enhance intrusion-detection accuracy and expedite the learning process for normal and intrusive patterns. The findings reveal an impressive average accuracy of 97.55%, showcasing the efficacy of the proposed SVM approach in accurately identifying and classifying network attacks.
In conclusion, the reviewed papers collectively demonstrate the effectiveness of ML techniques, particularly ensemble methods like RF and SVM, in detecting and mitigating network intrusion in SDN environments. Additionally, the importance of data preprocessing, feature selection, and model optimization is emphasized in improving the accuracy and robustness of ML-based intrusion detection systems.
8. Conclusions
SDN and ML are innovative technologies that have the potential to greatly enhance network performance and QoS. SDN facilitates centralized and programmable network management, enabling efficient resource utilization and dynamic adaptation to changing traffic demands. ML, on the other hand, can analyze network data to identify patterns and forecast future traffic behavior, offering proactive QoS management capabilities. When combined with TC, SDN and ML can accurately identify and prioritize different traffic types, optimizing network performance, mitigating congestion, and improving the overall user experience.
However, the effectiveness of this approach heavily relies on the quality and quantity of data used for analysis. By leveraging larger and more diverse datasets, the accuracy and robustness of these technologies can be significantly enhanced, unlocking their full potential in improving network performance and QoS management. Therefore, future research should focus on collecting and utilizing comprehensive datasets to further advance the application of ML algorithms in the context of SDN.
This paper provided a comprehensive survey of the application of ML algorithms in the domain of SDN, with a specific emphasis on TC. We discussed the differences between traditional and ML-based TC methods, highlighting the advantages offered by ML techniques. Additionally, we provided an overview of various ML algorithms that have been applied in SDN environments. By examining the existing literature, we explored the current state of the field and identified key research limitations and open issues that require further investigation.
Despite the progress made, there are still several challenges that need to be addressed in the field of ML and SDNs. Collaboration among researchers is crucial in overcoming these challenges and advancing the field. By working together, we can make new discoveries and develop innovative approaches that will shape the future of traffic categorization in SDNs. This survey serves as a valuable reference, providing insights into the current state of the field and inspiring further exploration in this rapidly evolving area.