UKMDDoSFlow: A Flow-Based OpenFlow SDN Dataset for DDoS Detection

Labeled flow statistics are collected from an emulated software-defined networking (SDN) environment to construct the UKMDDoSFlow dataset. The dataset is designed to support research on machine learning–based Distributed Denial of Service (DDoS) detection in OpenFlow-based SDN networks. The experimental environment emulates a small enterprise SDN topology consisting of six hosts connected to a single Open vSwitch (OVS) switch configured with OpenFlow v1.3. The switch is managed by a centralized Ryu controller running an L3 routing application. Flow records are extracted from OpenFlow flow table statistics exported by the controller through its RESTful API interface. The network is organized into three logical traffic groups: an attacker host (h1), four client hosts (h2-h5) generating legitimate traffic, and a victim server (h6) acting as the attack target. All hosts are connected to the OVS switch (s1), which communicates with the Ryu controller via the OpenFlow control channel. The controller exposes RESTful endpoints, particularly the /flows endpoint, which provides real-time OpenFlow flow table statistics used for dataset collection. Legitimate traffic is generated from the client hosts toward the victim server to emulate normal network activity. Attack traffic is generated from the attacker host using Scapy-based generators implementing three Distributed Denial of Service (DDoS) scenarios: TCP SYN flood, UDP flood, and ICMP flood. The resulting dataset contains four traffic categories: benign traffic, TCP SYN flood, UDP flood, and ICMP flood attacks. Each traffic scenario is executed for approximately one hour to capture temporal variations in network behavior. In total, the dataset contains 35,865 flow records collected over approximately four hours of network activity, including 11,541 benign flows (32.18%) and 24,324 attack flows (67.82%). It should be noted that the dataset size is intentionally limited, as it is primarily intended to learn interpretable feature thresholds using a decision tree model to support ML-guided rule-based DDoS detection in SDN environments. The learned thresholds are then translated into lightweight detection rules that can be efficiently deployed within the controller monitoring framework.