What to build

A real-time flow-based DDoS detector running at the SDN controller (northbound app) that flags suspicious flows/hosts and triggers prevention actions. Detection should use features available in controller flow/stats (per-flow packet rate, byte rate, unique src IPs per dst, SYN rate, avg packet size, entropy of src IPs, flow duration).

Methods & models (practical choices)

- Start with TabNet or tree-based models (LightGBM / RandomForest) for tabular flow features. TabNet shows strong results in SDN-VANET DDoS detection in recent work (source: ScienceDirect). Train offline first, then deploy model inference in the controller.
- As a baseline, implement simpler signature/statistical detectors (thresholds, moving-average + z-score, entropy rules) to compare.
- For streaming detection, consider a light LSTM/CNN on short time windows (1–5s) if sequence features are useful.

Implementation pieces

- Emulation: Mininet-WiFi + SUMO to produce mobility and wireless behavior; use Mininet-WiFi's OpenFlow support so the controller sees realistic flows (source: Mininet-WiFi).
- Controller: Ryu / ONOS / OpenDaylight. Implement a northbound app that:
  - Pulls flow stats periodically (1s–5s).
  - Extracts sliding-window features.
  - Calls the ML model (local inference).
  - Installs mitigation flows (rate limit / drop / redirect to honeypot).
  (OpenDaylight/ONOS docs/examples are helpful for REST API usage; source: OpenDaylight Documentation.)
- Datasets for training: Use CIC-IDS/CICFlowMeter features for general traffic patterns and augment with VANET-specific/synthetic datasets (see Objective 3). CIC-IDS2017 is commonly used for IDS training (source: University of New Brunswick).

Evaluation metrics

- Detection: precision, recall, F1, AUC.
- Operational: detection latency (time from attack start to flag), mitigation effectiveness (packets dropped, throughput restored), false positive rate (FP impacts on benign vehicles).
- Controller overhead: CPU, memory, flow-table usage.
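
The baseline statistical detector named under Methods & models (moving-average + z-score over sliding-window features such as packet rate, SYN rate and source-IP entropy), as an added Python example that is not code from the original page. It assumes the controller app has already turned flow-stats deltas into per-window `(src, dst, packets, bytes, syn_packets)` records; the function and class names, thresholds and sample addresses are hypothetical and constructed for illustration.

```python
import math
from collections import Counter, defaultdict, deque
from statistics import mean, pstdev

def window_features(records, window_s):
    """Features per dst; assumed record format: (src, dst, packets, bytes, syn_packets)."""
    agg = defaultdict(lambda: {"pkts": 0, "bytes": 0, "syns": 0, "srcs": Counter()})
    for src, dst, pkts, nbytes, syns in records:
        a = agg[dst]
        a["pkts"] += pkts; a["bytes"] += nbytes; a["syns"] += syns
        a["srcs"][src] += pkts
    feats = {}
    for dst, a in agg.items():
        n = a["pkts"]
        p = [c / n for c in a["srcs"].values() if c]  # packet share per source IP
        ent = -sum(x * math.log2(x) for x in p)       # Shannon entropy in bits
        feats[dst] = {"pkt_rate": n / window_s, "syn_rate": a["syns"] / window_s,
                      "unique_srcs": len(a["srcs"]), "src_entropy": ent,
                      "avg_pkt_size": a["bytes"] / n if n else 0.0}
    return feats

class ZScoreDetector:
    """Moving average + z-score per (dst, feature); one-sided, flags increases only."""
    def __init__(self, watched=("pkt_rate", "syn_rate", "src_entropy"),
                 history=30, min_samples=5, threshold=3.0, min_std=0.5):
        self.watched, self.min_samples = watched, min_samples
        self.threshold, self.min_std = threshold, min_std
        self.hist = defaultdict(lambda: deque(maxlen=history))
    def _high(self, key, value):
        h = self.hist[key]
        if len(h) < self.min_samples:
            return False  # still learning the baseline
        sigma = max(pstdev(h), self.min_std)  # floor: a flat baseline has std 0
        return (value - mean(h)) / sigma > self.threshold
    def observe(self, feats):
        alerts = {}  # {dst: [features whose z-score exceeded the threshold]}
        for dst, f in feats.items():
            hits = [n for n in self.watched if self._high((dst, n), f[n])]
            if hits:
                alerts[dst] = hits
                continue  # flagged windows never enter the baseline
            for n in self.watched:
                self.hist[(dst, n)].append(f[n])
        return alerts

def constructed_windows():
    """Constructed sample: 8 benign 1 s windows, then a 200-source SYN flood."""
    benign = [[(f"10.0.1.{i}", "10.0.0.1", 30 + w % 3, 30000, 1) for i in range(3)] for w in range(8)]
    return benign + [[(f"172.16.0.{i}", "10.0.0.1", 10, 600, 10) for i in range(200)]]
```

Feeding each polling window through `window_features` and then `ZScoreDetector.observe` yields the destinations to hand to the mitigation step; the same feature dictionaries can be logged as rows for training the offline models.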