Deep residual CNN-attention model with GMM statistical injection : a forensic approach to mitigating dataset bias for zero-day detection in SDN

Abstract

Software-Defined Networks (SDN) and their centralized control plane have become highly valuable assets of present-day infrastructure and, therefore, one of the primary targets of DDoS attacks. Although Intrusion Detection Systems (IDS) based on Machine Learning have potential, most of these systems suffer from shortcut learning: instead of learning actual attack behavior, they learn fixed identifiers such as IP addresses. These models are very accurate in the laboratory, but they do not reach that accuracy in real-world applications. This paper addresses the issue with the Forensic-Induced Progressive Refinement Strategy, which focuses on dataset validation rather than performance measurements. First, a forensic audit locates and eliminates bias-inducing attributes. Second, under physics-based constraints, a Topology-Aware Multiclass Augmentation engine creates realistic traffic profiles for twelve classes to address data scarcity and class imbalance. The main contribution is a Hybrid Wide and Deep Learning Framework that combines two streams: a deep stream, which uses a 1D-CNN, residual connections, and Multi-Head Attention to extract spatial patterns, and a wide stream, which uses Gaussian Mixture Models (GMM) to provide statistical grounding. The integrated Zero-Day Forensics mechanism employs GMM-based Negative Log-Likelihood thresholds to identify previously unknown attack types, which breaks the closed-world assumption of traditional classifiers. The experimental findings indicate that the framework is 88.96% accurate on bias-free data and generalizes well against Zero-Day threats, on which the baseline models SVM and KNN are highly inaccurate when trained on biased data. The work establishes forensic rigor and architectural duality as the key concepts for robust SDN intrusion detection.

Description

Cataloged from PDF version of thesis.
Includes bibliographical references (pages 52-54).
This thesis is submitted in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Science and Engineering, 2026.

Type

Thesis