Open Access

ARTICLE

Explainable Hybrid AI Model for DDoS Detection in SDN-Enabled Internet of Vehicle

Oumaima Saidani¹, Nazia Azim², Ateeq Ur Rehman^3,*, Akbayan Bekarystankyzy⁴, Hala AbdelHameed Mostafa⁵, Mohamed R. Abonazel⁶, Ehab Ebrahim Mohamed Ebrahim⁷, Sarah Abu Ghazalah⁸

1 Department of Information Systems, College of Computer and Information Sciences, Princess Nourah bint Abdulrahman University, P.O. Box 84428, Riyadh, 11671, Saudi Arabia
2 Department of Computer Science, Abdul Wali Khan University Mardan, Mardan, 23200, KPK, Pakistan
3 School of Computing, Gachon University, Seongnam-si, 13120, Republic of Korea
4 School of Digital Engineering, Narxoz University, Almati, 050000, Kazakhstan
5 Faculty of Computer and Artificial Intelligence, Fayoum University, Fayoum, 63514, Egypt
6 Department of Applied Statistics and Econometrics, Faculty of Graduate Studies for Statistical Research, Cairo University, Giza, 12613, Egypt
7 Department of Economics, College of Business, Imam Mohammad Ibn Saud Islamic University (IMSIU), P.O. Box 90950, Riyadh, 11623, Saudi Arabia
8 Department of Informatics and Computer System, College of Computer Science, King Khalid University, Abha, 61421, Saudi Arabia

* Corresponding Author: Ateeq Ur Rehman. Email:

Computers, Materials & Continua 2026, 87(2), 20 https://doi.org/10.32604/cmc.2025.072772

Received 03 September 2025; Accepted 14 November 2025; Issue published 12 March 2026

Abstract

The convergence of Software Defined Networking (SDN) in Internet of Vehicles (IoV) enables a flexible, programmable, and globally visible network control architecture across Road Side Units (RSUs), cloud servers, and automobiles. While this integration enhances scalability and safety, it also raises sophisticated cyberthreats, particularly Distributed Denial of Service (DDoS) attacks. Traditional rule-based anomaly detection methods often struggle to detect modern low-and-slow DDoS patterns, thereby leading to higher false positives. To this end, this study proposes an explainable hybrid framework to detect DDoS attacks in SDN-enabled IoV (SDN-IoV). The hybrid framework utilizes a Residual Network (ResNet) to capture spatial correlations and a Bi-Long Short-Term Memory (BiLSTM) to capture both forward and backward temporal dependencies in high-dimensional input patterns. To ensure transparency and trustworthiness, the model integrates the Explainable AI (XAI) technique, i.e., SHapley Additive exPlanations (SHAP). SHAP highlights the contribution of each feature during the decision-making process, facilitating security analysts to understand the rationale behind the attack classification decision. The SDN-IoV environment is created in Mininet-WiFi and SUMO, and the hybrid model is trained on the CICDDoS2019 security dataset. The simulation results reveal the efficacy of the proposed model in terms of standard performance metrics compared to similar baseline methods.

---

Keywords

---