PictureGuard: Enhancing Software-Defined Networking–Internet of Things Security with Novel Image-Based Authentication and Artificial Intelligence-Powered Two-Stage Intrusion Detection

Abstract

Software-defined networking (SDN) represents a transformative approach to network management, enabling the centralized and programmable control of network infrastructure. This paradigm facilitates enhanced scalability, flexibility, and security in managing complex systems. When integrated with the Internet of Things (IoT), SDN addresses critical challenges such as security and efficient network management, positioning the SDN-IoT paradigm as an emerging and impactful technology in modern networking. The rapid proliferation of IoT applications has led to a significant increase in security threats, posing challenges to the safe operation of IoT systems. Consequently, SDN-IoT-based applications and services have been widely adopted to address these issues and challenges. However, this platform faces critical limitations in ensuring scalability, optimizing energy consumption, and addressing persistent security vulnerabilities. To overcome these issues, we proposed a secure SDN-IoT environment for intrusion detection and prevention using virtual blockchain (V-Block). Initially, IoT users are registered and authenticated to the shadow blockchain nodes using a picture-based authentication mechanism. After that, authenticated user flows validation was provided by considering effective metrics utilizing the Trading-based Evolutionary Game Theory (TEGT) approach. Then, we performed a local risk assessment based on evaluated malicious flows severity and then the attack graph was constructed using an Isomorphism-based Graph Neural Network (IGNN) model. Further, multi-controllers were placed optimally using fox optimization algorithm. The generated global paths were securely stored in the virtual blockchain Finally, the two agents in the multi-controllers were responsible for validating and classifying the incoming suspicious flow packets into normal and malicious packets by considering the operative metrics using the Dueling Deep Q Network (DDQN) algorithm. The presented work was conducted by Network Simulator-3.26 and the different performance matrices were used to itemize the suggested V-Block model based on its malicious traffic, attack detection rate, link failure rate, anomaly detection rate, and scalability.

1. Introduction

The massive proliferation of the Internet of Things (IoT) provides great benefits to human society in various aspects. Generally, the IoT was defined as the connection of underlying embedded devices via the internet to perform some specific activities in real-time [1,2]. With its rapid growth, the number of IoT devices is projected to reach 100 billion by 2030.The continuous emergence of IoT has also paved the way for other technologies such as cloud computing, edge computing, and artificial intelligence (AI). These technologies were introduced to support IoT users due to their resiliency, reliability, and security [3,4]. In recent times, managing IoT devices and ensuring their security have become significant concerns. One of the primary challenges in IoT security has been safeguarding these devices, as IoT users are particularly vulnerable to malicious network intrusions and malware. Extensive research has focused on detecting intrusions and malware in various IoT devices, including smart home hubs (e.g., Alexa, Google Home), wearables like smartwatches and fitness trackers, and healthcare devices such as wearable health monitors (e.g., heart rate or glucose monitors), all aimed at ensuring that only authorized individuals can control or access these devices. Additionally, for enterprise devices such as smart locks, networked security cameras, and industrial IoT sensors, research has sought to improve security. However, much of this research has overlooked the capabilities of IoT nodes and failed to address the detection of unknown attacks [5,6].

Software-defined networking (SDN) emerged to facilitate network management for IoT devices by offering the advantage of centralized network management, wherein the separation of the data plane and control plane simplifies the management of underlying devices [7,8]. Furthermore, monitoring and detecting the security issues in the SDN also enables ease of use, as the controller has a whole network topology [9,10]. Even though SDN provides resilient network management and security to the underlying IoT devices, SDN’s ability to detect vulnerable unknown attacks was a major concern [11]. Furthermore, the centralized SDN controller encounters significant challenges related to security and scalability. To address these issues, researchers have proposed a multi-controller-based intrusion detection system (IDS) leveraging artificial intelligence technologies [12]. However, deploying controllers in a multi-controller environment introduces additional complexities, including challenges such as link failures and heightened security vulnerabilities [13].

Blockchain technology was adopted in the SDN-based IoT environment to ensure integrity and privacy through its immutable and credible nature [14,15]; however, existing approaches relying on conventional blockchain technologies have faced challenges such as limited scalability, high energy consumption, and vulnerability to sophisticated attacks [16], underscoring the need for further research to develop an IDS framework that seamlessly integrates blockchain, SDN, and IoT technologies while leveraging AI to enhance the security of these environments. All notations in the following section are based on

Table 1. Notations.

Notation	Description
${\phi }_{\mathrm{c}\mathrm{o}\mathrm{n}\mathrm{t}\mathrm{r}\mathrm{o}\mathrm{l}\mathrm{l}\mathrm{e}\mathrm{r}}$	Authority controllers
$D\left(B\right)$	Packet flow
${TLL}_i$	Energy assessment
$y_{m,i}^v$	Translating features
$R_{G,k}^F$	Dimensional features
${\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{it}$	Speed of packet validation
$Y_{\left(it+1\right)}$	Tracked location
$F{R}_t$	Position of the best
$H_i\left({\psi }_i\right)$	Succeeding state

.

1.1. Motivation and Objectives

This paper primarily aims to improve security and privacy in the SDN-enabled IoT environment by utilizing blockchain for decentralized trust and AI technologies for intelligent threat detection and prevention. This research explicitly targets overcoming significant shortcomings in existing methodologies, including the poor authentication of IoT nodes and the insufficient mitigation of malicious traffic, in contrast to other studies that tackled comparable concerns.

Furthermore, this work tackles security concerns that have been neglected in previous research:

• High malicious traffic in SDN-based IoT environments remains a critical challenge due to the insufficient consideration of IoT node legitimacy in many studies. Although blockchain-based authentication has been explored, the lack of focus on optimizing authentication metrics has left these systems vulnerable to significant security threats [17].

Existing mitigation and prevention efforts in SDN-IoT environments have focused on detecting and classifying user network traffic. However, these measures inadequately address threats targeting SDN switches and controllers, leaving critical vulnerabilities unmitigated. A holistic approach is essential for effective threat prevention and mitigation. Addressing the challenges above requires a comprehensive approach that combines innovative authentication, classification, and mitigation strategies. The foremost objective of this research is to reduce malicious traffic, accurately classify network intrusion, resolve link failures, and ensure privacy in the SDN-IoT environment using blockchain and AI technologies.

This research focuses on achieving the following objectives:

• To reduce the unwanted malicious traffic and scalability issues by utilizing authentication methods which tend to prevent the primary vulnerability threats.
• To detect malicious flows using a flow-based virtual intrusion detection model. In addition, prevention measures are also taken using deep learning techniques.
• To resolve the link failure issues by performing prediction-based optimal controller placement which also overcomes the issue of controller unavailability during peak conditions.
• To accurately detect network anomalies, we employ an IDS utilizing deep reinforcement learning. Furthermore, we conduct a comprehensive global risk assessment to mitigate and prevent malicious activities.

1.2. Research Contribution

The contributions of this research are as follows:

• Picture-based authentication mechanism: We implement a novel picture-based authentication mechanism that integrates attributes like user ID and biometric data. This approach mitigates scalability challenges and prevents guessing attacks, enhancing network security.
• Game theory-based flow classification and local risk assessment: We leverage the Traffic Evaluation and Game Theory (TEGT) and Isomorphism-based Graph Neural Network (IGNN) algorithms to develop a game theory-driven method for flow classification and local risk assessment.
• Prediction-based multi-controller placement: We employ the fox optimization algorithm to propose a predictive, multi-parameter approach for optimal controller placement, minimizing controller unavailability caused by connection failures.
• DDQN-based packet validation and global risk assessment: We introduce a Dueling Deep Q Network (DDQN)-based packet validation mechanism that assesses packet attributes to perform a global risk assessment.
• The Packet Validation Agent (PVA) leverages specific attributes to ensure precise classifications follow:

  i.

  Time to live (TTL): Tracks the remaining lifespan of the packet in the network.

  ii.

  Arrival time: Records the packet’s arrival timestamp at the node.

  iii.

  Success rate: Measures the proportion of packets successfully transmitted.

  iv.

  Loss rate: Calculates the ratio of lost packets during transmission.

  v.

  Source IP address: Analyzes the origin of the packet for anomaly detection and validation. These metrics enable the system to differentiate between normal and malicious packets effectively, ensuring efficient and accurate validation and classification. By addressing critical challenges such as scalability, switch compromise, controller unavailability, and attack mitigation, the proposed solutions advance the state of the art in security frameworks for software-defined networking in the Internet of Things (SDN-IoT).

The remainder of this paper is organized as follows: Section 2 provides a review of the related literature. Section 3 defines the problem statement, while Section 4 describes the proposed approach. Section 5 presents the experimental results, and finally, Section 6 concludes the paper.

2. Literature Survey

Deep learning algorithms have been utilized for detecting intrusions in (SDN) environments. For instance, a network-based intrusion detection system (NIDS) employing convolutional neural networks (CNNs) was proposed to detect and mitigate malicious attacks, particularly those affecting route traffic [16]. The extracted data were preprocessed using various techniques before being fed into the CNN for feature extraction and classification. To address feature selection complexity, the L2 regularization method was employed. However, this approach paid limited attention to the CNN’s design for classifying traffic as normal or malicious, and the model was prone to overfitting issues.

Another study adopted an autonomous learning-based framework for intrusion detection in SDN environments, incorporating data, control, and application layers [18]. Network traffic was routed through forwarding switches to the intrusion detection framework, which used a tree-based machine learning classifier to detect anomalies, categorized as collective or point anomalies based on packet IP information. However, this work relied solely on IP information, leading to less effective anomaly classification.

A hybrid intrusion detection framework was also proposed for SDN-based Internet of Things (IoT) environments, utilizing gated recurrent units (GRUs) and long short-term memory (LSTM) [19]. This hybrid deep learning model processed user traffic and performed feature extraction, selection, and multi-class classification based on four categories: cross-site scripting, distributed denial-of-service, bot attacks, and normal traffic. Nonetheless, the framework overlooked user legitimacy, which resulted in an increase in malicious traffic.

In the context of SDN-assisted IoT healthcare environments, a hybrid deep learning approach combining LSTM and GRU was employed [20]. Wearable IoT devices transmitted continuous traffic to an SDN controller via switches. The hybrid intrusion detection module in the controller classified traffic as benign or malicious based on packet-level information. However, the study inadequately addressed authentication and classification metrics, which limited its effectiveness.

Blockchain technology has also been explored for collaborative intrusion detection in SDN environments [21]. This approach involved SDN nodes with collaborative modules, SDN controllers for network management, and blockchain for ensuring credibility, integrity, and privacy. Intrusion detection relied on a challenge–response mechanism and the reputation of neighbor nodes. However, solely using reputation as a metric was insufficient for effective intrusion detection.

Finally, a machine learning framework was developed for intrusion detection and mitigation in SDN-based IoT environments [22]. This framework integrated IoT devices, OpenFlow switches, and SDN controllers with an ensemble machine learning model comprising random forest, logistic regression, k-nearest neighbors, Naïve Bayes, and support vector machine classifiers. Classification was achieved using an ensemble voting method. However, the study did not effectively incorporate collaborative detection mechanisms.

However, Li et al. introduced Block CSDN, a blockchain-based framework for collaborative intrusion detection in (SDN). The system combines blockchain for secure communication and trust with a challenge–response mechanism for collaborative intrusion detection among SDN nodes. Trust scores are computed based on historical interactions, enabling the model to filter out malicious nodes. However, the framework’s reliance on trust-based reputation mechanisms makes it less effective against advanced persistent threats (APTs) and zero-day attacks, where malicious nodes might manipulate reputation scores. Moreover, scalability issues are noted when applied to large SDN-IoT environments due to the computational overhead introduced by the blockchain-based verification process [23]. Aslam et al. proposed an Adaptive Machine Learning-Based System to detect and mitigate distributed denial-of-service (DDoS) attacks in SDN-enabled IoT environments. The model leverages a combination of feature extraction and machine learning classification to detect malicious flows. Techniques like Random Forest, k-Nearest Neighbors, and Logistic Regression are used in ensemble learning to enhance classification accuracy. Despite its effectiveness, the system primarily focuses on attack detection without addressing robust mitigation strategies. Additionally, the heavy computational cost associated with ensemble methods makes it less suitable for resource-constrained IoT networks [13]. Tian et al. presented a two-stage intrusion detection approach for software-defined IoT networks. The first stage employs a tree-based classifier to detect anomalies based on traffic features such as source IPs and packet sizes. The second stage refines detection by performing in-depth analysis of suspicious traffic. This approach improves overall detection accuracy and reduces false positives. However, its dependence on static IP features and pre-configured rules limits adaptability to dynamic and sophisticated cyber threats. The framework also struggles to maintain efficiency and scalability when dealing with high-volume IoT networks [24]. For attack detection and classification, models have been developed to construct and manage network intrusion detection datasets to identify optimal features and classify network intrusions effectively. These systems connect distributed denial-of-service (DDoS) networks to intrusion detection frameworks, leveraging machine learning techniques to address cyber-attacks. However, some approaches, such as those employing fuzzy neural networks, have been limited by their poor and delayed performance due to ineffective training capabilities. To address this, an (IDS) based on deep learning (DL) has been proposed to tackle emerging cyber threats in IoT environments [25].

The proposed system demonstrates robust classification capabilities, addressing a wide range of validation classes and ensuring accurate performance analysis through well-structured classification units. Despite its strengths, this work lacked a comprehensive focus on blockchain-based multi-controller systems, which are critical for enhancing security in SDN-IoT environments. Specifically, it did not explore optimal placement strategies for controllers or address scalability challenges effectively. The lack of optimal placement of multiple controllers was noted as a critical limitation, leading to potential link failure issues.

Another study proposed a network (IDS) specifically tailored for SDN-IoT networks [26]. This work highlighted the essential role of intrusion detection in such networks, focusing on optimizing feature selection and classification using gated recurrent units (GRUs) within deep learning architectures. The system employed kernel principal component analysis to improve the performance of classical fully connected layers. Additionally, alert traffic was utilized to proactively categorize possible attacks, classifying them into well-known categories to mitigate potential threats effectively.

3. Problem Statement

Ensuring security in SDN-based IoT environments is challenging due to vulnerabilities like malicious traffic, scalability issues, and controller unavailability. While previous works utilized techniques such as blockchain and AI for intrusion detection, they often overlooked key issues, including IoT node authentication, optimal controller placement, and efficient attack mitigation. To address these limitations, this research proposes a novel SDN-IoT framework integrating picture-based authentication, game theory, and advanced AI algorithms to enhance security, scalability, and system reliability. One approach utilized deep learning technology for intrusion detection in SDN-based IoT environments [27]. This work implemented a network (IDS) that employed a gated recurrent unit (GRU) for feature extraction and principal component analysis (PCA) for dimensionality reduction. The system’s components included IoT hosts, OpenFlow switches, and an SDN controller. Initially, network data were processed by the GRU algorithm to extract features, which were subsequently reduced in dimensionality using PCA. The reduced features were then fused and classified by a fully connected classifier into four categories: port scanning attacks, denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, and normal traffic.

Despite its contributions, the following limitations were noted:

• IoT data from devices were directly provided to the GRU for feature extraction and inspection. However, the lack of consideration for IoT device legitimacy during direct validation led to increased vulnerability to primary threats and unauthorized access.
• A single SDN controller was tasked with classifying the fused features using the fully connected classifier. This reliance on a single controller resulted in single-point-of-failure issues, particularly when handling large numbers of IoT devices.
• While the GRU algorithm was employed for feature extraction from IoT device data, it faced limitations such as increased training times and underfitting issues.

These challenges underscore the need for a more robust, scalable, and efficient solution to comprehensively address the security concerns in SDN-based IoT environments.

A hybrid deep learning algorithm, combining a deep neural network (DNN) and long short-term memory (LSTM), was utilized to detect and mitigate cyber threats in the SDN-IoT environment [28]. The system comprises four layers: infrastructure, data, control, and application layers. Data features from the infrastructure layer undergo preprocessing via data normalization and are analyzed using the hybrid DNN-LSTM module, which classifies them into six categories: infiltration attacks, UDP-based DDoS, High-Orbit Ion Cannon (HOIC)-DDoS, bot attacks, brute force attacks, and normal packets. The data layer handles data forwarding, while the control layer detects and classifies user traffic. However, the static nature of both the forwarding and detection layers exposes the system to various malicious cybersecurity threats.

The Open-Flow switches in the data layer are left unsecured (i.e., no security measure is provided to the flow tables) which leads to switch comptonization attacks thereby manipulating forwarding flow to the malicious destination.

Deep learning and blockchain technology are employed to monitor and detect critical events in the SDN environment [29]. This approach involves four layers: edge, fog, cloud, and application layers. The entities involved in this work are IoT devices, gateway, SDN switches, multiple SDN controllers, and cloud data servers. At first, the underlying IoT nodes are authenticated using distributed blockchain. The authenticated nodes transmit packets over to the SDN controllers via switch layers, in which the transmitted packets are clustered using a fuzzy-based neural network algorithm. The clustered packets are forwarded to the SDN controllers that consist of an (IDS) for analyzing the malicious packets based on traffic type, header, and segments of TCP using a five-layer neural network algorithm [30].

Problems Defined:

• The authentication of IoT nodes is performed using conventional distributed blockchain technology. However, this approach suffers from significant limitations, including increased processing time and susceptibility to 51% attacks, which compromise the network’s integrity [31].
• A fuzzy neural network is employed for clustering authenticated user data packets. Nevertheless, the effectiveness of fuzzy neural networks is hindered by their limited training capabilities, resulting in suboptimal and delayed outcomes.
• Packet analysis is conducted based on metrics such as traffic type, headers, and TCP segments. However, these parameters alone are insufficient for accurately determining packet originality, leading to reduced classification accuracy.

Works [31,32,33] explore the use of blockchain technology for traffic filtering in software-defined network (SDN) environments. The entities involved in this research include Internet of Things (IoT) devices, blockchain-assisted multiple controllers, and the application layer. Traffic from the IoT devices is forwarded to the blockchain-assisted controllers, which feature a blockchain-based SDN filter designed to manage incoming traffic. This blockchain-based SDN filter is composed of three modules: a whitelist, a blacklist, and an (IDS). The whitelist module uses a lookup table for packet filtration based on both special and general conditions. The blacklist module utilizes trustworthiness and payload information for traffic filtration. If no malicious activity is detected, the packet is forwarded to the IDS, which further validates the packet based on its source [34]. If the source is verified as valid, the packet is classified as normal; otherwise, it is identified as malicious and discarded.

While this work performs packet validation at three levels using blockchain-based SDN filters, it fails to account for user authenticity, leading to high volumes of malicious traffic and scalability issues. Furthermore, although blockchain-based multi-controllers are adopted to enhance security in the SDN-IoT environment, the lack of optimal controller placement results in potential link failure problems. Additionally, this work primarily focuses on detection, paying limited attention to prevention and mitigation strategies, which contributes to the increased attack rate.

To address the challenges faced by existing approaches, the proposed method begins by authenticating IoT users in the IoT user plane and the devices using novel picture placement authentication. If both placement locations match, the corresponding IoT user is authenticated and securely stored in the virtual blockchain. The proposed approach incorporates a honeypot, as the original switches are used in every edge-assisted intelligent switch. For enhanced security, the flow from IoT users is captured by the virtual honeypot for flow validation and classification using TEGT. Malicious attackers can easily exploit weak links, imposing cyber-attacks and targeting the controllers’ placement, which is addressed by adopting the fox optimization algorithm. The PVA is responsible for validating and classifying incoming suspicious flow packets into two classes based on effective metrics, utilizing DDQN.

4. Proposed Approach

This work focuses on a secure SDN-IoT environment through picture-based authentication and intrusion detection using a virtual blockchain. The overall architecture of the proposed work is mentioned in Figure 1.

4.1. System Model

This research aims to secure the SDN IoT environment by detecting, classifying, and mitigating cyber-attacks using AI and enhanced blockchain technologies, respectively. the AI technology is utilized to ensure automation and to enhance the classification accuracy for the incoming real-time data. The proposed work also adopts an improved blockchain structure named shadow blockchain (i.e., virtual blockchain (V Block). The proposed research is structured into three planes: the IoT device plane, the forwarding plane, and the multi-controller plane. The IoT device plane consists of various IoT users responsible for data transmission and access. The forwarding plane includes edge-based switches that handle flow forwarding, first-level IDS, and local risk assessment. The multi-controller plane is made up of multiple controllers tasked with second-generation IDS for flow rules and global risk assessment.

4.2. Authentication and Usage Scenarios

This section elaborates on the novel authentication method developed for securing the IoT user plane within the SDN-IoT environment. By integrating biometric verification with a picture-based grid system, this approach significantly enhances security and adaptability. Below, the methodology is divided into distinct phases, followed by its application to various IoT devices and scenarios.

• Registration Phase
  The registration phase establishes the credentials for IoT users and devices. Each user completes the following steps:
  • Biometric Data Capture:

    1.1.

    Users provide fingerprints and/or eye vein patterns using compatible biometric sensors.

  • Picture-Based Grid Configuration:

    1.2.

    A 5 × 5 grid dialog box is displayed, featuring a set of images and an empty grid. The 5 × 5 configuration was chosen to strike a balance between usability and security. A smaller grid could weaken security by limiting the number of possible combinations, while a larger grid might overwhelm users and reduce usability. The 5 × 5 grid offers an optimal compromise, ensuring effective authentication while maintaining user convenience.

    1.3.

    Users select five images and arrange them in a unique spatial sequence within the grid.

    1.4.

    This spatial arrangement acts as a secondary security layer and must be memorized by the user.

  • Data Storage:

    3.1.

    Biometric data and grid-based credentials are securely stored in shadow blockchain nodes. This ensures tamper-resistant and decentralized authentication data management.

• Authentication Phase
  When accessing an IoT device, the user undergoes a two-step verification process:
  • Biometric Verification:

    1.1.

    The system prompts the user to provide their registered biometric credentials (fingerprint or eye vein scan).

  • Grid-Based Verification:

    1.2.

    A shuffled version of the initial grid is displayed alongside an empty grid.

    1.3.

    The user replicates the previously registered arrangement of images within the grid.

  The system verifies both biometric input and the spatial arrangement of images to authenticate the user. Failure to meet these criteria results in access being denied.
• Secure Data Handling
  • All credentials, including biometric and grid-based data, are encrypted and stored within shadow blockchain nodes. This mechanism protects sensitive information from unauthorized access and tampering.
• The authentication method showcases its versatility across various IoT devices, including Personal IoT Devices, healthcare devices, and enterprise devices. It aims to safeguard sensitive data transmitted over IoT networks, ensuring that only authenticated users can initiate or approve data transfers.
• Advantages of the Approach
  • Enhanced security: Combining biometric verification and spatial authentication minimizes the risk of unauthorized access.
  • Adaptability: This method is easily deployable across diverse IoT domains, from personal to industrial applications.
  • Blockchain integration via storing authentication data on shadow blockchain nodes ensures data integrity and tamper resistance.

By addressing specific device types and real-world scenarios, this robust authentication method offers significant improvements in security and usability within the SDN-IoT ecosystem.

To enhance security and mitigate scalability issues, we implemented a novel picture-based authentication mechanism. This method integrates user ID and biometric data into a 5 × 5 grid of images, where users select and arrange five images in a unique sequence during registration. This arrangement serves as a secondary security layer. The method ensures secure authentication in diverse scenarios, including personal, healthcare, and enterprise IoT devices. Biometric and grid data are securely stored in shadow blockchain nodes to ensure tamper resistance.

In this study, we propose a novel authentication mechanism, referred to as the Random Grid technique. It involves a grid-based image selection process that enhances security and operating speed by leveraging randomized grid layouts for user authentication [35,36]. Figure 2 represents the picture-based authentication.

In the context of previous problems, the objective is to enhance the value of the design by modifying the variables used in the data and input operations for authentication and entry in conventional schemes. The process can be outlined as follows:

Step 1 involves using a “set of images” as credentials. From a collection of candidate photos, the user selects all images that serve as passcodes. Step 2 uses a “sequence of images” as the verification document. Within a predefined selection, the user picks a series of pass images from the set of candidate photos. In Step 3, the system validates the user by comparing the arrangement of selected images during authentication with their placement during registration. This process ensures that only legitimate users gain access by verifying the exact image placement. Concerns related to image authentication and security, while maintaining the integrity of input operations and the evaluation of the proposed system, should be addressed by analyzing the input and output data forms as well as the functional orbit elements. Functional orbit elements refer to the logical and structural components that govern the interaction and operation of authentication elements within a defined framework. These include the sequence and positioning of selected images within a grid and the nature-defined components integral to the authorization process. Specifically, they denote the inherent features and arrangement of the images, which users memorize and reproduce to securely authenticate their identity. This modification requires the feature wherein the user must replicate the arrangement of the pass images. The focus on image consideration, security assessment, and the alteration of the data input process should be directed toward memorizing the location of the images. This ensures the quality of data transformation and the necessary changes for selecting the positions in memory.

The user interface for credential input consists of two screens: one for selecting pass images from a set of user photos and another for automatically arranging the selected pass images within the corresponding switches. As the user interacts with these interfaces, their brain processes the potential data, comparing the observed pass images at specific locations. The system automatically memorizes the nature of the captured information and the pass images associated with specific points of knowledge. The locations of these images can be stored in different formats, with visual details and the arrangement rationale being individually confirmed. Consequently, the visual knowledge, its location, and the associated data are independently verified, and the quality of the result is assessed in comparison to the expected outcome.

4.3. Game Theory-Based Flow Validation and Local Risk Assessment

This subsection introduces a comprehensive approach that integrates game theory with advanced neural network techniques to ensure efficient traffic validation and risk assessment in IoT networks. By combining decentralized decision-making with graph-based risk evaluation, the framework aims to mitigate threats while maintaining optimal system performance. The following subsections detail the mechanisms for game-based flow validation and local risk assessment.

4.3.1. Game-Based Theory Flow Validation

In this study, only authenticated user flows are directed to the forwarding plane for flow validation. The approach leverages edge-assisted intelligent switches for performing flow validation. The primary focus of this work is traffic classification, specifically on implementing mechanisms that are relevant to IoT networks as follows:

• Virtual honeypots: The proposed model utilizes virtual honeypots that function as decoys, mimicking the behavior of original switches to lure potential attackers. These virtual honeypots capture traffic flows from IoT users, which are subject to validation and classification into three categories: normal, malicious, and suspicious. This classification is based on flow-based metrics, such as source and destination IP addresses, source and destination ports, and the flow-to-entity ratio.
• Traffic evaluation using game theory (TEGT): Authenticated user flows are directed to edge-assisted intelligent switches for classification. These flows are categorized as normal, malicious, or suspicious based on metrics such as IP addresses, ports, and flow-to-entity ratios. Malicious flows are dropped, suspicious flows are escalated to controllers, and only normal flows proceed.
• Classification process: By incorporating this game theory-based approach, the classification process not only effectively identifies normal traffic but manages ambiguous traffic in a distributed and efficient manner. Only normal traffic is permitted through the network, while suspicious flows are escalated to the controllers for further investigation, and malicious flows are dropped and stored in a virtual blockchain for future analysis.

How Accurate is Game Theory for Classification?

• Game Theory as a Strategic Framework

  1.1.

  In a game-theoretic approach, each agent (e.g., an SDN switch) classifies incoming traffic flows by either accepting or rejecting the flow based on a strategy that maximizes their “payoff” (i.e., reduces misclassification) [37].

  1.2.

  Agents interact with each other, and through this interaction, they improve the classification accuracy of flows by utilizing available information from other nodes [38].

  1.3.

  The classification accuracy depends on how well agents can identify normal vs. malicious traffic based on local observations (e.g., IP address, port, etc.) and the strategic bidding process used in game theory [39].

• Advantages:

  1.4.

  Distributed decision-making: Game theory encourages cooperation among nodes (e.g., SDN switches) and improves overall decision-making efficiency, making it beneficial for large-scale networks [40].

  1.5.

  Handling ambiguity: By treating unknown or ambiguous flows as “bids” between agents, game theory can help better handle undefined or uncertain flows that would be difficult for a single agent to classify alone [41].

  1.6.

  Adaptation: As the network conditions change (e.g., new types of attacks emerge), game theory allows the agents to adjust their strategies, potentially improving their accuracy over time [42].

  1.7.

  Resource efficiency: By reducing the computational load on a central controller (through decentralized classification), the approach can scale more effectively, leading to faster and more accurate classifications in real-time scenarios [43].

• Challenges:

  3.1.

  Payoff function design: The accuracy of game-theoretic classification heavily depends on the design of the payoff functions. A poor design of the payoff function can lead to suboptimal decisions (e.g., misclassification of normal traffic as malicious) [44].

  3.2.

  Complexity: The game-theoretic approach can be computationally intensive, especially in environments with a large number of agents and traffic flows. The accuracy may degrade if the agents cannot effectively evaluate all possible strategies due to resource constraints [45].

  3.3.

  Convergence to equilibrium: In some cases, finding a Nash equilibrium (where no agent benefits from changing their strategy unilaterally) can be difficult, which may result in suboptimal classifications [46].

  3.4.

  Limited training data: Unlike traditional machine learning algorithms, game theory does not directly benefit from large datasets for training. It largely operates based on strategic interactions and decision-making rules, which can be a limitation if the environment changes rapidly [47].

• Real-World Applications and Use Cases:
  In the context of SDN-IoT networks, where there is significant traffic flow, game theory is most accurate when the following conditions are met:
  • The classification task involves a large-scale distributed system, where multiple nodes (switches or controllers) must collaborate to classify traffic [48].
  • Ambiguous or unknown traffic (e.g., new attack types) is being classified, and no single node can classify it accurately on its own [49].
  • The agents can adapt to changes in the network, especially in the case of evolving network conditions or attack vectors [50].

However, in a simpler or smaller-scale network, game theory may not be the most efficient approach. Traditional machine learning or rule-based classification might yield more accurate results with lower complexity.

By incorporating this game theory-based approach, the classification process not only effectively identifies normal traffic but manages ambiguous traffic in a distributed and efficient manner. Only normal traffic is permitted through the network, while suspicious flows are escalated to the controllers for further investigation, and malicious flows are dropped and stored in a virtual blockchain for future analysis. This method enhances the relevance and coherence of traffic classification within IoT networks, ensuring alignment with the flow validation and classification theme.

$${ \phi }_{controller }=\left(R+H\right){\psi }_{controller }-K_{controller }+f_{users }$$

(1)

Equation (1)’s components are outlined as follows.

• ${ \phi }_{controller }$: This represents the controller’s decision function—how it selects and manages flows or tasks.
• $R+H$: This term denotes resource allocation combined with heuristic adjustments to reflect uncertainties or dynamic changes in the network environment.
• ${\psi }_{controller }$: This refers to the controller’s current state, such as its capacity, workload, or availability to process additional flows.
• $K_{controller }$: This represents the cost function associated with computational or operational expenses in managing flows.
• $f_{users }$: This field reflects the demand or input from users, such as requests or data packets, that the controller must process.

This formula models the controller’s optimal decision-making in a network, balancing resource availability, operational costs, and user demand.

The packet ought to be directed to the strong nature of the movement of packets that may be enrolled in the suggested review of the packets, as well as the categorization and risk-appraised nature of packets certified transmitted by nodes between their controllers.

$$\begin{gathered} {\displaystyle \frac{\mathrm{d}\mathrm{y}}{\mathrm{d}\mathrm{t}}}=\mathrm{y}\left(\mathrm{D}\left({\mathrm{B}}_1\right)-\mathrm{D}\left(\mathrm{B}\right)\right)=\mathrm{y}\left(1-\mathrm{y}\right)\left(\left({\mathrm{b}}_{12}-{\mathrm{b}}_{22}\right)\left(1-\mathrm{x}\right)+\left({\mathrm{b}}_{11}-{\mathrm{b}}_{21}\right)\mathrm{x}\right){\displaystyle \frac{\mathrm{d}\mathrm{x}}{\mathrm{d}\mathrm{t}}} \\ =x\left(D\left(B_1\right)-D\left(B\right)\right)=x\left(1-x\right)\left(\left(b_{21}-b_{22}\right)\left(1-x\right)+\left(b_{11}-b_{12}\right)x\right) \end{gathered}$$

(2)

where

$\mathrm{D}\left({\mathrm{B}}_1\right) \mathrm{a}\mathrm{n}\mathrm{d} \mathrm{D}\left(\mathrm{B}\right)$ are profits or payoff functions associated with two strategies while ${\mathrm{B}}_1$ and $\mathrm{B}$ represent decisions made in the environment.

${\mathrm{b}}_{\mathrm{i}\mathrm{j}}$ are coefficients that capture the interaction or payoff between strategies $i$ and $j$.

$x$and $y$ are proportions of the strategies being used in the population or network, respectively.

The variables D(B₁) and D(B) represent the profits within the network environment. These profits influence the active strategies used to construct a likelihood scenario for task execution and environmental adaptation. This scenario incorporates a function’s arrangement strategy, feeding predictions into the build strategy for the function’s configuration. Every participant in the suggested work’s consumers should be identified and have varied trade demands for forecast and creation with the controllers. The user needs should include the load demands and the oversight process, which should decide the new generation of errors and the various statements. The building’s load needs and unit type should be identified in the work suggested with important generation resource arrangements. Depending on the technical assessments and the development of the planned task, users with a controller may be entitled to produce energy based on training.

$${TLL}_i=\left\{\begin{array}{c}{\displaystyle \frac{{TLU}_{N{Y}_m}+dist\times {TL}_{l_i}}{{TYP}_{l_i}}} if{ TYP}_{l_i}\ge 1 \\ {TLU}_{N{Y}_m }if{ TYP}_{l_i}<1\end{array}\right.$$

(3)

where

${TLL}_i$: the total load limit of the $i-th$ user.

${TLU}_{N{Y}_m}$: the total load utilized by the node $N{Y}_m$.

$dist$: distance or factor related to resource distribution.

${TL}_{l_i}$: the traffic load of the user $l_i$.

${TYP}_{l_i}$: a parameter representing the type of user in the system.

This formula helps define the policy for resource distribution and the classification of energy or network traffic management for each user.

User ${\mathrm{l}}_{\mathrm{i}}$ is concerned with determining the policy category for the energy administration of trading-based distribution of resources as well as the identification of the obtained product, as well as recommending specific results for estimating trading methodology trends for further consideration and various categories of the power source generation of energy.

The identification of secure criminals and the top-level computational unit is essential within the foundational and competitive theory based on travel, which is recognized as the driving force behind the unexplored flow of various data components. The same type of flow is employed for categorization, while contest theory is applied to assess flow assurance, utilizing the principles of game theory.

$${TLL}_i={\displaystyle \frac{{HFU}_{{YJ}_m}}{{HFk}_{{YJ}_m}}}$$

(4)

where ${HFU}_{{YJ}_m} \mathrm{and}$ ${HFk}_{{YJ}_m}$ are parameters related to energy or resource usage in the network, and m denotes the number of individuals who are expected to use the anticipated power. These factors may be measured and effectively identified via the effective utilization of the unit for the mass, which is an important satisfied power trade system that should be addressed in the conceptualized packet transmission of a dataset. This describes the differentiable organization and the architecture of known packets, which are used to achieve the transmission speed suggested within this work. This leads to the identification and mitigation of the effects of malicious traffic through local risk assessment, which is evaluated using an attack graph based on the flow’s severity. Isomorphic subgraphs are generated using IGNN to identify attacker paths, which are then disseminated to other switches for isolation.

4.3.2. Local Risk Assessment

Following the flow validation phase, local risk assessments are performed to evaluate the severity of malicious flows and implement strategies for proactive threat mitigation and prevention. These assessments leverage advanced graph-based methods to isolate and neutralize threats efficiently.

• Attack graph construction: An Isomorphism-based Graph Neural Network (IGNN) is employed to construct an attack graph from the analyzed malicious flows. This graph serves as a crucial tool for identifying attacker paths and pinpointing potential vulnerabilities within the network.
• Risk evaluation: The attack graph enables the following key actions:
  • Isolation of attacker paths: Identified paths used by attackers are promptly isolated to prevent further exploitation.
  • Information dissemination: Details about the identified attacker paths are shared with other network nodes, enabling proactive threat management.
• Isomorphic subgraph matching: IGNN generates isomorphic subgraphs, which simplifies the identification and isolation of malicious routes. This process significantly enhances network resilience by improving the precision of threat detection and mitigation.
• Mitigation measures: The constructed attack graph is distributed to relevant nodes across the network. This facilitates real-time isolation of compromised routes and prevents potential exploit attempts. By utilizing isomorphic subgraph matching, IGNN ensures accurate identification and robust mitigation of threats.

Together, these strategies optimize the effectiveness and accuracy of traffic management within (SDN) environments. They address local threats comprehensively while preserving the overall network performance and stability.

The two graphs, $M \mathrm{and} G$, are isomorphic (denoted as $\mathrm{G}\simeq \mathrm{M}$), meaning there is a one-to-one correspondence between their vertices and edges. When an injective mapping occurs, it results in a specific graph $G$ that preserves adjacency relationships. Subgraph isomorphism, however, can be computationally challenging, particularly when determining matches for subgraph ${\phi }_{\mathrm{M}}\to {\phi }_{\mathrm{G}}$. For example, if the pair ($\mathrm{t},\mathrm{s}$) belongs to the edge set ${\mathsf{\delta }}_{\mathrm{M}}$ in graph $\mathrm{M}$, then the mapped pair $\left(\mathrm{r}\left(\mathrm{t}\right),\mathrm{r}\left(\mathrm{s}\right)\right)$ must belong to the edge set ${\mathsf{\delta }}_{\mathrm{j}}$ in graph $\mathrm{G}$. The automorphism group of a graph refers to the group of all symmetries of the graph that preserve its structure. The automorphism group, denoted as $Aut\left(G\right)$, partitions the graph into subsets of symmetrically equivalent elements (vertices and edges). This group captures all possible symmetric configurations within the graph. In the context of traffic flow classification, the “orbit” of vertices in graph G refers to the set of vertices that are equivalent under the graph’s automorphism group. The collection of unique elements in these orbits is represented by $\left\{{\mathrm{R}}_{\mathrm{G},1}^{\mathrm{F}},{\mathrm{R}}_{\mathrm{G},2}^{\mathrm{F}},\dots ,{\mathrm{R}}_{\mathrm{G}{\mathrm{O}}_{\mathrm{G}}}^{\mathrm{F}}\right\}$, where ${\mathrm{O}}_{\mathrm{G}}$ is the size (cardinality) of the orbit quotient. These orbits and the associated elements help define the symmetry and structural properties of the graph, which are crucial for understanding traffic flow patterns in network analysis.

Similarly to this, edge automorphism, or the transfer of a bijective form of a set onto the boundary itself, is how we describe the function’s source ability. The occurrence of specific components is counted by performing multiple encoding of the structural nodes. Collecting every conceivable occurrence of various orbits in the set of tiny linked graphs plays a cyclic role in translating the vertex’s orbiting unit that can derive the fundamental features of the vertices. ${\mathrm{R}}_{\mathrm{G},1}^{\mathrm{F}}$ of$\mathrm{I}$ is defined as follows. For all $\mathrm{i}\mathsf{ϵ}\left\{1,\dots ,{\mathrm{r}}_{\mathrm{h}}\right\}$:

$$y_{m,i}^v\left(u\right)=\left|\left\{H_f\simeq F|\propto \in R_{G{O}_G}^F, f(u)\in R_{G,i}^F\right\}\right|$$

(5)

$\left|\mathrm{A}\mathrm{U}\mathrm{T}\mathrm{H}\left(\mathrm{F}\right)\right|$ represents various functions of H, which can serve as a subgraph of GH. However, its primary purpose is to control the meaning of the orbit and plot each node u by combining data from different infrastructures in R and distinct orbits. This approach generates a topographical vector $\left[{\mathrm{R}}_{\mathrm{G},1}^{\mathrm{F}}\left(\mathrm{u}\right),\dots ,{\mathrm{R}}_{\mathrm{G},\mathrm{k}}^{\mathrm{F}}\left(\mathrm{u}\right)\right]\mathsf{ϵ}{\mathsf{{\rm E}}}^{\mathrm{B}\times 1}$ with dimension $\mathrm{D}=\sum _{{\mathrm{W}}_{\mathrm{i}}\in \mathrm{W}}{\mathrm{H}}_{{\mathrm{d}}_{\mathrm{j}}}$. The similarity of edge mechanical topographies can be clearly defined, and the incidence counts of orbit automorphism edge nodes are computed as follows:

$$R_{G,k}^F\left(u,h\right)=\left|\left\{H_f\simeq F|\left(v, h\right)\in H_{d_j},\left(h\left(u\right),h\left(v\right)\right)\in W_{m,i}^y\right\}\right|$$

(6)

Further, the important combined structural and functional mutual edge features are calculated using the equation ${\mathrm{R}}_{\mathrm{G},\mathrm{k}}^{\mathrm{F}}=\left[{\mathrm{R}}_{\mathrm{G},\mathrm{k}}^{\mathrm{F}}\left(\mathrm{u},\mathrm{h}\right),\dots ,{\mathrm{H}}_{{\mathrm{d}}_{\mathrm{j}}}\right]$. An example of vertex and advantage assemblies’ features is labeled in multiple directions.

4.4. Prediction-Based Multi-Controller Placement

One of the major problems in multi-controllers-based SDN-IoT is that it has a problem with a high number of link failures. Thus, malicious attackers can easily spot the weak links, impose several cyber-attacks, and take down the controller. To overcome this issue, we perform prediction-based multi-controller placement. The proposed work predicts the vulnerable links by computing the possibility of link failure rates and the history of link failure rates. With these predicted results, the distance between switches and controllers and the optimal placement of controllers is realized by adopting a fox optimization algorithm. Performing prediction-based optimal controller placement reduces the chance of link failures in controller manipulation probability in the SDN-IoT environment.

The fox optimization algorithm models the behavior of a fox as it dynamically adjusts its position in search of optimal solutions. A key component of this process is the random variable $\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}$_${\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$, which lies within the range [0, 1] and represents the timing or instance of interaction or exploration within the system. When $\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}$_${\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$ exceeds a threshold of 0.19, the algorithm recalculates the fox’s position. This recalculation is based on the distance traveled, which is derived by dividing the fox’s speed by $\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}$_${\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$. The algorithm categorizes the fox’s speed into various schemes, preserving the natural attributes of acceleration and sound during movement.

By iteratively factoring in parameters such as speed, interaction timing, and environmental distance constraints, the algorithm optimizes the leap distance of the fox. This adaptive mechanism enables continuous refinement of placement decisions, enhancing the algorithm’s ability to identify optimal solutions within the problem space. The calculated leap distance ensures that the fox’s movement mimics natural exploratory and decision-making behaviors, contributing to the robustness and efficiency of the optimization process.

The equation for the leap distance of the fox is as follows:

$${\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}=\mathrm{F}{\mathrm{R}}_{\mathrm{t}}\times \mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_{\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$$

(7)

where

${\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$ represents the distance the fox covers based on a packet validation process. It signifies the distance traveled by the fox at iteration $it$.

$\mathrm{F}{\mathrm{R}}_{\mathrm{t}}$ indicates the general speed of the fox in the optimization algorithm.

$\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}$_${\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$ is a random variable in the range [0, 1] that represents the timing or instance of interaction or exploration within the system, which means the time associated with the fox’s movement in the optimization process.

However, the general speed of the fox can be calculated as follows:

$$\mathrm{F}{\mathrm{R}}_{\mathrm{t}}={\displaystyle \frac{{\mathrm{p}\mathrm{o}\mathrm{s}\mathrm{i}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n} \mathrm{o}\mathrm{f} \mathrm{b}\mathrm{e}\mathrm{s}\mathrm{t}}_{\mathrm{k}\mathrm{t}}}{\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\_{\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}}}$$

(8)

$${\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}={\mathrm{D}\mathrm{t}\_\mathrm{Q}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}\times 0.5$$

(9)

${\mathrm{W}\mathrm{D}\mathrm{t}\_\mathrm{Q}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$ is a modified version of ${\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$ representing the distance traveled with a reduced factor (0.5 multiplier). It accounts for a more constrained movement or decision-making process.

The ${\mathrm{p}\mathrm{o}\mathrm{s}\mathrm{i}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n} \mathrm{o}\mathrm{f} \mathrm{b}\mathrm{e}\mathrm{s}\mathrm{t}}_{\mathrm{k}\mathrm{t}}$ is the position of the best solution found so far during the optimization process.

To determine the distance a signal travels, multiply the travel time by half of the signal wave equation. This can be extended to calculate the distance between a sound wave and an object, considering the time and separation between the sensor and the object. A random number between [0, 1] is used to compute the fox’s new position.

The leap value ${\mathrm{j}\mathrm{m}\mathrm{p}}_{\mathrm{i}\mathrm{t}}$ is calculated as follows:

$${\mathrm{j}\mathrm{m}\mathrm{p}}_{\mathrm{i}\mathrm{t}}=0.5\times 9.81\times {\mathrm{h}}^2$$

(10)

where

$h$ is the height factor is used to compute the leap distance and 9.81 is the gravitational acceleration in m/s²

In addition to the above calculation, the new position of the fox ${\mathrm{Y}}_{\left(\mathrm{i}\mathrm{t}+1\right)}$ is determined as follows:

$${\mathrm{Y}}_{\left(\mathrm{i}\mathrm{t}+1\right)}={\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}\times {\mathrm{j}\mathrm{m}\mathrm{p}}_{\mathrm{i}\mathrm{t}}\times {\mathrm{A}}_1$$

(11)

where

${\mathrm{A}}_1$ = 0.18, representing a constant based on the fox’s leap direction (northeast or opposite).

${\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$ is the distance traveled by the fox at iteration $it.$

${\mathrm{j}\mathrm{m}\mathrm{p}}_{\mathrm{i}\mathrm{t}}$ represents the leap distance.

The next possible position of the fox ${\mathrm{Y}}_{\left(\mathrm{i}\mathrm{t}+1\right)}$ is also expressed as follows:

$${\mathrm{Y}}_{\left(\mathrm{i}\mathrm{t}+1\right)}={\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}\times {\mathrm{j}\mathrm{u}\mathrm{m}\mathrm{p}}_{\mathrm{i}\mathrm{t}}\times {\mathrm{A}}_2$$

(12)

where

${\mathrm{A}}_2=0.82$ is another constant determining the fox’s movement.

The values ${\mathrm{A}}_1$ and ${\mathrm{A}}_2$ represent directional constants. If the value exceeds 0.18, the fox leaps northeast, and if it is less than 0.18, it moves in the opposite direction. ${\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{i\mathrm{t}}$ and ${jump}_{it}$ are further multiplied by ${ H}_2$ to refine the distance based on the environmental conditions. The following Algorithm 1 for showing the Pseudocode for multi-controller placement can describe the above placement. The parameter t represents a random time variable or time instance used within the fox optimization algorithm to calculate distances or determine iteration timings. It helps adjust search behaviors, contributing to finding optimal controller placements, with its threshold typically based on iteration durations or the allowable time for completing a search phase. The parameter Q, on the other hand, serves as a measure of the quality or utility of a search result. It is used to evaluate whether a controller placement meets the required standards; if not, further exploration is triggered. The threshold for Q is often determined by expected performance metrics, such as minimizing link failures or maximizing efficiency. It can be fine-tuned through empirical testing or predefined network performance standards. Both parameters are integral to ensuring effective and efficient optimization in the SDN-IoT environment.

Algorithm 1. Pseudocode for multi-controller placement

Input: validated flow Output: Multi-controllers are placed Begin        Modify the fox optimization Y $\mathrm{Y}\mathrm{i}\left(\mathrm{1,2},\dots ,\mathrm{m}\right)$        While it $<$ Maxi        Adjust ${\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$, $\mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}$_${\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$ Equations (7) and (8)        Determine the capability of each examine agent $\mathrm{Select} \mathrm{the} F{R}_t \mathrm{and}$${jmp}_{it}$ (10) $\mathbf{if} {\mathrm{F}\mathrm{N}}_i>{\mathrm{F}\mathrm{N}}_{i+1}$ $BestFN={FN }_{i+1}$ $BestX=X\left(i,:\right)$                        End if                        if $t\ge 0.6$                              if $\mathrm{Q} \ge 0.18$                                    Initialize unsystematic time;                                Calculate detachment time (9)                                Calculate ${\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$ (11)                                    Calculate the reserve of btw                                     controllers (10) $\mathbf{Else} \mathbf{if} \mathrm{Q} \le 0.18$                             Initialize haphazard time;                             Calculate distance time (9)                             Calculate ${\mathrm{D}\mathrm{t}\_\mathrm{f}\mathrm{x}\_\mathrm{P}\mathrm{r}}_{\mathrm{i}\mathrm{t}}$ (11)                           Calculate the distance of btw                           controllers (10)                              End if                     Else                         Invention Min N expending (11)                       Reconnoitre ${\mathrm{Y}}_{\left(\mathrm{i}\mathrm{t}+1\right)}$ using (12)                   End if                         Adjust and modify the location                         beyond limits                      Appraise the search by their FN                      Update Best Y  $\mathrm{i}\mathrm{t}=\mathrm{i}\mathrm{t}+1$           End while End

To address link failures, we employed the fox optimization algorithm for optimal multi-controller placement. Vulnerable links were predicted based on link failure rates and historical data, ensuring minimized controller unavailability. This approach enhances the SDN-IoT environment’s resilience by ensuring reliable connectivity.

4.5. DRL-Based Packet Validation and Global Risk Assessment

Suspicious network flows are processed by two key agents in the multi-controller system: the Packet Validation Agent (PVA) and the Global Risk Assessment Agent (GRA) (Algorithm 2). The PVA evaluates each suspicious packet using a Double Deep Q-Network (DDQN), a machine learning algorithm designed to classify packets as normal or malicious. It analyzes key metrics such as the packet’s time to live (TTL), arrival time, success rate, loss rate, and source IP address. Packets classified as normal are permitted to continue through the network, while those identified as malicious are forwarded to the GRA for further evaluation.

The GRA conducts a comprehensive risk analysis on malicious packets using the Isomorphism-based Graph Neural Network (IGNN). This algorithm maps and identifies attacker paths within the network, allowing the system to isolate malicious routes and update security rules accordingly. The results of this analysis, including identified attacker paths, are securely stored in a virtual blockchain for integrity and traceability. This two-step process enhances the system’s ability to detect, mitigate, and prevent cyber-attacks effectively, as illustrated in Figure 3.

Nature DQN represents one of several RL strategies in which the agent only interacts with its surroundings. It does not require extra knowledge regarding the surroundings from the state that performs the value operations in addition to detecting the state of their surroundings. $\mathrm{h}+\mathsf{\delta }\mathsf{\vartheta }\ast \left({\mathrm{t}}^{\prime },{\mathrm{u}}^{\prime }\right)$ in DDQN, where ${\mathrm{t}}^{\prime }$ is the succeeding state, ${\mathrm{a}}^{\prime }$ is the next best solution action, and the government reward occupation can be calculated as follows:

$${\mathrm{H}}_{\mathrm{i}}\left({\mathsf{\psi }}_{\mathrm{i}}\right)={\mathrm{Y}}_{\mathrm{r},\mathrm{b},\mathrm{q},{\mathrm{s}}^{\prime }}\left[{\left({\mathrm{X}}_{\mathrm{i}}^{\mathrm{D}\mathrm{Q}\mathrm{N}}-\mathrm{G}\left(\mathrm{r},\mathrm{b};\mathsf{\psi }\right)\right)}^2\right]$$

(13)

$${\mathrm{X}}_{\mathrm{i}}^{\mathrm{D}\mathrm{Q}\mathrm{N}}=\mathrm{q}+{\mathsf{\zeta }}_{{\mathrm{b}}^{\prime }}^{\max \mathrm{g}}\left({\mathrm{r}}^{\prime },{\mathrm{b}}^{\prime };{\mathsf{\psi }}^{-}\right)$$

(14)

In this context, i represents the number of iterations, and ${\mathsf{\psi }}^{-}$ denotes the network’s parameters. The replay memory within the Deep Q-Network (DQN) enhances data utilization and optimizes the objective network, thereby improving the efficiency and convergence speed of the learning process. The replay mechanism allows the agent to store rewards, actions, states, and future conditions from previous experiences, facilitating the consideration of real-world scenarios and insights gained from random replay. The allocation of actions by the agent impacts memory decisions and the dissemination of information within the system.

The dueling DQN structure separates the suggested Q-function and creates the function state for the nature that takes into account the future approaches and the corresponding alignment between the evaluating agents, as well as the Q-state dimensional state policy. The benefit of the action may be stated in the variables that constitute agents with the action indicated present and the organization-prepared space for state components.

$${\mathrm{B}}_{\mathsf{\beta }}\ast \left({\mathrm{r}}^{{(}_{\mathrm{f}})},{\mathrm{b}}^{{(}_{\mathrm{f}})}\right)={\mathrm{G}}_{\mathsf{\beta }}\left({\mathrm{r}}^{{(}_{\mathrm{f}})},{\mathrm{b}}^{{(}_{\mathrm{f}})}\right)-{\mathrm{T}}_{\mathsf{\beta }}\left({\mathrm{r}}^{{(}_{\mathrm{f}})}\right)$$

(15)

The benefit of the purpose is used to show the comparative position of the response of the identification deed that denotes the Q-function states. For an optimal rule argmax

$${\mathrm{G}}_{\mathsf{\beta }}\left({\mathrm{r}}^{{(}_{\mathrm{f}})},{\mathrm{b}}^{{(}_{\mathrm{f}})}\right)={\mathrm{B}}_{\mathsf{\beta }}\ast \left({\mathrm{r}}^{{(}_{\mathrm{f}})},{\mathrm{b}}^{{(}_{\mathrm{f}})}\right)+{\mathrm{T}}_{\mathsf{\beta }}\left({\mathrm{r}}^{{(}_{\mathrm{f}})}\right)$$

(16)

For optimal policy ${\mathrm{a}\mathrm{r}\mathrm{g}\mathrm{m}\mathrm{a}\mathrm{x}}_{{\mathrm{b}}^{\left(\mathrm{f}+1\right)}\in \mathrm{B}}{\mathrm{w}}^{\mathrm{f}}\left({\mathrm{r}}^{{(}_{\mathrm{f}+1})},{\mathrm{b}}^{{(}_{\mathrm{f}}+1)}\right)$, ${\mathrm{T}}_{\mathsf{\beta }}\left({\mathrm{r}}^{{(}_{\mathrm{f}})}\right)=0$ as

$$\mathrm{W}\left({\mathrm{t}}^{\mathrm{h}},{\partial }^{\mathrm{h}},\mathrm{\varnothing },\mathsf{\phi }\right)=\mathrm{B}\left({\mathrm{t}}^{\mathrm{h}},\partial ,\mathrm{\varnothing }\right)+\mathrm{G}\left({\mathrm{t}}^{\mathrm{h}},{\partial }^{\mathrm{h}},\mathrm{\varnothing }\right)$$

(17)

where $\mathsf{\beta }$ is the heft of the neural network of the restriction state rate livelihood and the sustained calculation of the q-function of the totaling limit of the true value function. During the wisdom process, it is used to define the true value of $\mathrm{B}\left({\mathrm{t}}^{\mathrm{h}},\partial ,\mathrm{\varnothing }\right)$ and $\mathrm{G}\left({\mathrm{t}}^{\mathrm{h}},{\partial }^{\mathrm{h}}\right)$ as $\mathrm{W}\left({\mathrm{t}}^{\mathrm{h}},{\partial }^{\mathrm{h}},\mathrm{\varnothing },\mathsf{\phi }\right)$ is a parameterized estimate of the Q-function. This problem is solved by combining the purposes in (18)

$$\mathrm{W}\left({\mathrm{t}}^{\mathrm{h}},{\partial }^{\mathrm{h}},\mathrm{\varnothing },\mathsf{\phi }\right)=\mathrm{B}\left({\mathrm{t}}^{\mathrm{h}},\partial ,\mathrm{\varnothing }\right)+\mathrm{G}\left({\mathrm{t}}^{\mathrm{h}},{\partial }^{\mathrm{h}},\mathrm{\varnothing }\right)-{\displaystyle \frac{1}{\left|\mathsf{\Gamma }\right|}}\sum _{{\mathrm{b}}^{\prime }}\mathrm{G}\left({\mathrm{t}}^{\mathrm{h}},{\partial }^{\prime },\mathrm{\varnothing }\right)$$

(18)

Algorithm 2. Pseudocode for global risk assessment

Input: Multi-controllers nodes Output: analyzed global risk Begin $\mathrm{Initialize} \mathrm{replay} \mathrm{memory} t$ to the capacity M;         Modify action-value role G with casual weights;         Physique initial links among users and DQN; $\mathbf{For} \mathrm{every} \mathrm{slot} \mathrm{time} t$ do $\mathrm{Get} \mathrm{the} \mathrm{initial} \mathrm{state} t^h;$ $\mathrm{Citation} \mathrm{rinds} {\partial }^h$ using NN; $\mathrm{Feed} \mathrm{controllers} \mathrm{with} \mathrm{causes} b^{{(}_f)}$                  Elect a casual probability F; $\mathbf{i}\mathbf{f} F\le \in \mathbf{t}\mathbf{h}\mathbf{e}\mathbf{n}$                           $\mathrm{Aimlessly} \mathrm{select} \mathrm{an} \mathrm{action} t^h$                     else $t^h=argmaxQ\ast$$\left(r^{{(}_f)},b^{{(}_f)}; {\psi }_i\right);$                     end if  $\mathrm{Get} \mathrm{the} \mathrm{lively} \mathrm{set} \mathrm{of} \mathrm{NN} r^{{(}_f)};$              Find the top packet result based on user (16)              Compute the user gratification for rate $\mathrm{Calculate} \mathrm{prize} r^{{(}_f)}$, and the next formal ${\partial }^{h+1};$ $\mathrm{Pile} \mathrm{shift} \left(t^h,{\partial }^h,{\varnothing }^h,r^{(f+1)}\right)$ in Q (15) $\mathrm{Trial} \mathrm{mini}-\mathrm{batch} \mathrm{of} \mathrm{moves} \left(t^j,{\partial }^j,{\varnothing }^j,r^{\left(j+1\right)}\right)$           end for end

A Dueling Deep Q Network (DDQN) model was utilized for packet validation, analyzing attributes like time to live (TTL), arrival time, and source IP. Packets identified as malicious were forwarded for global risk assessment, while normal packets were permitted through the network. This system significantly reduces attack impacts and ensures accurate classification.

4.6. Latency Considerations in the Proposed Approach

The proposed system introduces several layers of processing, each of which contributes to the overall latency. Key components like DDQN-based packet validation, IGNN graph-based attack detection, and shadow blockchain storage each add their respective delays.

• DDQN-based packet validation: The deep reinforcement learning model used for packet classification requires time for inference and decision-making, depending on the complexity of the neural network. However, by optimizing the model architecture and leveraging hardware accelerators (e.g., GPUs), the inference time can be minimized. Additionally, batching packet validation and classification can further reduce processing delays.
• IGNN attack detection: The construction of attack graphs and the identification of isomorphic subgraphs for attack path detection are computationally intensive. To mitigate these latencies, efficient graph traversal algorithms and parallel computing techniques can be employed. By distributing the workload across multiple computing nodes, the overall graph processing time can be significantly reduced.
• Cumulative network and blockchain latency: The interaction between multiple SDN controllers, switches, and the shadow blockchain introduces an additional delay, especially when suspicious packets trigger a blockchain transaction for validation. While blockchain-based solutions ensure integrity, virtual blockchain nodes are employed to minimize the scalability and energy consumption challenges typically associated with traditional blockchain systems.

4.7. Role of V-Block in Intrusion Detection

The V-Block, while primarily serving as a repository for user registration and authentication data, also plays a significant role in the intrusion detection process. It ensures the secure storage of flow metadata, including suspicious and malicious flow patterns detected during traffic validation. These historical data aid in identifying repeat attack patterns and strengthen real-time decision-making within the detection framework. Additionally, V-Block facilitates the distribution of attacker path information derived from the IGNN-based attack graph to other network nodes, ensuring proactive threat isolation and mitigation. By maintaining the integrity and accessibility of detection-related data, V-Block enhances the system’s overall accuracy and resilience against malicious activities.

In summary, while the proposed system’s complexity can introduce latency, the use of optimization techniques and distributed computing ensures that the overall impact on real-time classification and network performance remains minimal.

5. Experimental Results

In this section, we use AI approaches to describe the suggested V-Block model. This experimental study is divided into three sub-phases: simulation setup, comparative analysis, and research summary. The outcome section states that the suggested work outperforms previous works in terms of performance.

5.1. Simulation Setup

This study simulates the SDN-IoT environment with IoT devices, which requires significant computational resources, as follows and listed in

Table 2. Simulation parameter.

Network Constraints	Value
No. of IoT user	100
No. of edge-assisted switches	4
No. of controllers	2
Virtual blockchain	1
Replication area	$1200 \mathrm{m}\times 1800 \mathrm{m}$
Simulation time	320 s
Preliminary energy	130 J
Node agility	9 m/s
Components	Wi-Fi, Ipv4, Internet
Broadcast range	160 m
Simulation tool	NS-3.26
Size of packets	40,107, 215,486, 1200 bytes
No of packets	50

.:

• Simulation Tool:
  • Network Simulator (NS-3) is an open-source, discrete-event network simulator designed to simulate various network protocols, including IoT, SDN, and wireless communication protocols.
  • It allows for detailed modeling of network traffic, device communication, and security protocols in IoT environments. It also supports custom applications, making it highly flexible for research in network security.
  • In our simulation, 100 IoT devices are modeled as nodes within the SDN topology, interacting with SDN controllers, edge switches, and the virtual blockchain.
• Simulation Configuration:
  • IoT Devices: The simulated IoT devices are configured to communicate with each other through Wi-Fi, using IPv4 addressing. Each device generates and transmits network traffic (normal and suspicious flows) to test the performance of the proposed IDS.
  • SDN Architecture: The SDN controllers handle flow management and security enforcement, while the edge-assisted intelligent switches are responsible for packet forwarding, initial packet validation, and local risk assessments.
  • Traffic Generation: We use different traffic profiles (normal, malicious, and suspicious flows) to assess the classification and detection capabilities of the DDQN and IGNN-based approaches.
• PC Configuration and Behavior During Simulation:
  • Hardware configuration: The simulation was executed on a PC with the following specifications:
    • CPU: Intel Core i5-4590S at 3.0 GHz (Quad-Core Processor).
    • RAM: 4 GB.
    • Storage: 1 TB Hard Drive.
    • Operating System: Ubuntu 14.04.
    • Simulation Tool: NS-3.26, with Java integration for managing large datasets.
    • Computational demands:

Memory usage: Performing a simulation that involves 100 IoT devices, along with SDN switches and controllers, can demand substantial memory. During peak simulation times, memory utilization is increased, especially when packets undergo validation by the DDQN model and when graph-based analysis (via IGNN) is performed. The system manages this by utilizing batch processing for packet validation and distributed computation where possible.

• Processor load: Although the processor is relatively modest (Intel Core i5), it can still handle the simulation under normal conditions. However, as the number of devices and traffic flows increases, the processor experiences a higher load, especially during real-time analysis of packets for classification and attack detection. In these cases, optimizations like parallel processing and simulation time control are implemented to ensure performance does not degrade.
• Network traffic handling: The simulated network latency and throughput are evaluated to assess the performance of the security system under varying loads. Traffic generated by the IoT devices is processed by the SDN controllers, and suspicious flows are classified by the DDQN model. This processing time contributes to the overall latency, especially as the number of flows increases.

4.

Behavior and performance during simulation:

• During the simulation, the 100 IoT devices generate traffic according to a predefined schedule, simulating a real-world environment where IoT devices might send continuous or periodic data. As the simulation progresses, the network experiences different conditions, such as congestion or malicious attacks, to test the IDS’s responsiveness.
• As expected, the simulation time increases with the complexity of the IoT network and the number of devices. However, the use of optimized simulation parameters (e.g., adjusting packet sizes, and flow rates) and parallel processing helps mitigate significant delays.
• During the peak of the simulation (i.e., when the IoT devices generate high traffic loads), the system behavior is closely monitored to ensure that the simulation environment remains stable, and that the network accurately reflects the performance metrics (such as detection accuracy, throughput, and link failure rate).

5.2. Comparative Analysis

In this sub-phase, the proposed V-Block model’s performance is evaluated by comparing it to previously published works like DL-IDS [28] and DNN-LSTM [29], respectively. When calculating the proposed V-Block model’s performance in terms of malicious traffic, attack detection rate, connection failure rate, anomaly detection rate, and scalability, a number of parameters are taken into consideration.

5.3. Analysis of Malicious Traffic

Any suspicious link, file, or communication that is being transmitted or received over the internet is considered malicious traffic or harmful network traffic. A danger posed by malicious traffic is an occurrence that can affect security, computers, and traffic volume.

Figure 4 compares several IoT users and malicious traffic. The comparison result describes that the proposed work accomplishes reduced malicious traffic by the game theory method for flow validation, improving the flow classification accuracy and also reducing the unwanted computations of the controllers. Only normal flows are allowed to proceed, while suspicious flows are forwarded to the controllers, resulting in a significant reduction in the number of malicious flows compared to the two previous approaches that utilized DL-IDS and DNN-LSTM. The existing approach classifies malicious flows in a differential manner, aiming to minimize the number of detected malicious attacks. However, the detection rate should not be maintained differentially; instead, it should be processed in a way that effectively reduces the attack detection rate and subsequently optimizes the processing unit function. This enables the dissemination to be managed using individual switches, with variations based on user classification.

The proposed V-Block solution reduces the harmful flow of IoT users by 30% compared to existing approaches, such as DL-IDS, which had 45 users, and DNN-LSTM, which had 50 users. For a scenario involving 100 IoT users, the harmful flow in the proposed approach was reduced by 65%, demonstrating superior performance over previous algorithms like DL-IDS, with 85 users, and DNN-LSTM, with 90 users. These quantitative results, presented in a graph, clearly indicate that our proposed method outperforms prior approaches.

5.4. Analysis of the Attack Detection Rate

The attack detection rate is the vital metric that is exploited to estimate the number of attacks that take place in the SDN network. Normally, this is categorized as a ratio of the number of detected attacks to the increasing number of malicious users that can be labeled, as shown in (19)

$${\mathrm{D}\mathrm{T}}_{\mathrm{r}\mathrm{a}\mathrm{t}\mathrm{e}}={\displaystyle \frac{{\mathsf{\varsigma }}_{\mathsf{\psi }}}{\mathbb{Z}}}$$

(19)

where ${\mathsf{\varsigma }}_{\mathsf{\psi }}$ represents the detected number of attacks and $\mathbb{Z}$ denotes the increasing number of malicious users.

The graphical plot in Figure 5 shows a comparison of the proposed and existing model in terms of the attack detection rate with respect to the number of malicious users. It is clearly shown that the proposed work achieves a higher detection rate compared to existing methods such as DL-IDS and DNN-LSTM. We mainly achieved a high detection rate by adopting the normal packets to allow for further access, whereas the malicious packets were provided to the GRA for global risk assessment. Similar to the local risk assessment, the global risk assessment also employed the IGNN algorithm for analysis, allowing for the identification and mitigation of the attacker’s paths. Previous work focused on a limited level of packet mitigation, with detection relying on differential variants to derive the key determinants of the proposed approach, which could be identified through global path detection. However, normal packets failed to ensure secure storage and instead provided features that could be assessed by the function unit, ultimately contributing to the final identification in the attack detection unit.

The proposed V-Block technique resulted in a 40% increase in the detection of malicious users compared to existing methods. In contrast, DL-IDS achieved a 30% increase, while DNN-LSTM identified 25% more malicious users. The enhanced attack detection rate of the proposed method identified 93 malicious users, compared to only 50 identified by the original method. This demonstrates a clear performance improvement over previous approaches, such as DL-IDS, which detected 80 malicious users, and DNN-LSTM, which detected 70. These quantitative results, presented in a graph, highlight the superiority of our proposed strategy over previous methods.

5.5. Analysis of Link Failure Rate

The number of expected failed user flows recorded within a predetermined time period is known as the link failure rate. It is a computed statistic that gives an indication of a user flow’s failure rate.

$$\mathrm{Å}={\displaystyle \raisebox{1ex}{$\mathrm{\varkappa }$}\!\left/ \!\raisebox{-1ex}{$\mathfrak{I}$}\right.}$$

(20)

where $\mathrm{\varkappa }$ is the number of link failures and $\mathfrak{I}$ is the total represented in the total time for the user flow. The link failure rate versus the user flow is seen in Figure 6.

The results of the comparison show that the proposed work accomplished a reduced link failure rate compared to the two existing methods, DL-IDS and DNN-LSTM. The main reason that the reduced link failure rate was achieved was due to the accomplishment of the constructed attack graph, in which the attacker path was extracted, disseminated to other switches, and isolated. IGNN generates submultiple isomorphic subgraphs for ease of identification of attacker paths. The existing work performed attack graph detection based on the established detection of the determinants. The current state of the proposed work identified the entities with less accurate detection accuracy and performed classification of the proposed flow consideration described previously. It also achieved attack detection and mitigation of malicious users and defined the flow between the user links to distinguish between different attack states.

In previous studies, DL-IDS achieved a score of 16, and DNN-LSTM attained a score of 18. However, the proposed V-Block strategy reduced the users’ flow, resulting in a link failure rate of 12. In contrast, the reduced link failure rate for a 40-user flow in the proposed study is 20, demonstrating superior performance over earlier methods, such as DL-IDS (failure rate of 35) and DNN-LSTM (failure rate of 40). These results, illustrated in a graph, clearly indicate that our proposed approach outperforms previous methods.5.6. Analysis of Anomaly Detection Rate

When examining certain data points, an anomaly detection rate looks for unusual occurrences that appear suspicious because they deviate from the known pattern of behaviors explained in (21).

$${\mathrm{A}\mathrm{T}}_{\mathrm{r}\mathrm{a}\mathrm{t}\mathrm{e}}={\displaystyle \frac{{\mathfrak{I}}_{\mathrm{ð}}}{\mathsf{\Phi }}}$$

(21)

where ${\mathfrak{I}}_{\mathrm{ð}}$ represents the number of detected anomalies and $\mathsf{\Phi }$ denotes the number of packet flows. The graphical plot in Figure 7 shows a comparison of the proposed and existing model in terms of the anomaly detection rate with respect to the number of packets. The results clearly demonstrate that the proposed method outperforms existing techniques, such as DL-IDS and DNN-LSTM, in terms of detection rate. A key factor contributing to the enhanced anomaly detection, based on game theory, is the improvement in flow security. IoT users are captured using virtual honeypots, followed by flow validation. Subsequently, the flows are categorized as normal, malicious, or suspicious, based on effective metrics used for flow validation and classification, which are currently undefined. This approach facilitates the ongoing maintenance of anomaly detection.

The existing work performed malicious attack detection, but the DL algorithm achieved less accuracy, which was subject to variation. The result was less successful identification of the taken-down controllers and variations in the determination of the possible failure rate. This affected the prediction of the multi-controller placement, and was influenced by the lack of authentication and the detection of the link rate that was needed for the multi-controller placement.

The recommended V-Block methodology executes 40 packets with a higher anomaly detection rate, compared to the detection rates of 25 and 20 achieved for the existing methods, DL-IDS and DNN-LSTM, respectively. For the suggested work, the enhanced anomaly detection rate for 40 packets is 96, demonstrating that we outperformed previous work such as DL-IDS, which achieved a detection rate of 67, and DNN-LSTM, which achieved a detection rate of 60. These numerical findings, which are displayed in a graph, show that the method we propose outperforms past attempts.

However, Figure 5 and Figure 7 show that the attack detection and anomaly detection rates approach 100% accuracy when the number of packets exceeds 50. This suggests that as the volume of network traffic increases, the system becomes more confident in classifying packets as normal or malicious, likely due to more data patterns being available for classification. However, it is important to note that achieving 100% accuracy in real-world systems is a challenging task, especially given the dynamic nature of modern network environments and the evolving sophistication of cyber-attacks.

In a real-world scenario, the minimal number of packets required to achieve near-perfect accuracy would likely be significantly higher than observed in the simulation. Factors such as the type of attack, the heterogeneity of the network, and the adaptability of the attack strategies would all contribute to increased complexity, making it difficult to reach 100% detection accuracy. Thus, while these results are promising, they represent idealized conditions, and further research is required to account for more dynamic and unpredictable real-world behaviors.

5.6. Analysis of Scalability

The quantity of data that a distributed ledger system can handle or archive is referred to as scalability. The performance of the system is directly inversely correlated with the scalability. The performance of the system is increased when scalability rises, and vice versa. The scalability can also be assessed in terms of transactions.

Figure 8 compares the scalability of several transactions in the virtual blockchain of the proposed and existing model in terms of the number of transactions. It is clearly shown that the proposed work achieves high scalability of transaction, effectively indicating that the transaction involving the normal packets allows for greater access, whereas the malicious packets are provided to the GRA for global risk assessment. Similarly to the local risk assessment, the global risk assessment is also analyzed using the IGNN algorithm, and the attackers’ paths are identified and mitigated. Finally, the generated global paths are securely stored in the virtual blockchain. The existing work performs transactions and completes the global risk assessment of the attacker detection rate, which can be involved in the processing unit of the differential and partially maintains the global risk assessment of transaction scalability. This can also be maintained differentially for the functional properties and arrangements.

The number of transactions performed by the proposed V-Block technique with greater scalability is denoted by the abbreviation 0.35, whereas the current works conduct DL-IDS at a rate of 0.3 and DNN-LSTM is performed at a rate of 0.25. The enhanced scalability of the proposed work for 800 transactions is 0.95, demonstrating that we outperformed earlier work like DL-IDS, which achieved scalability of 0.64, and DNN-LSTM, which achieved scalability of 0.58. These numerical findings, which are displayed in a graph, show that our suggested approach outperforms prior efforts.

5.7. Research Summary

In this section, we provide a summary of the experimental findings that demonstrate the proposed V-Block framework’s higher performance through performance comparisons. Malicious traffic, attack detection rate, failure rate, anomaly detection rate, and scalability are all metrics used to quantify the performance of the proposed work and are shown in Figure 4 to Figure 8. The performance criteria used in the numerical analysis of planned and existing works are shown in

Table 3. Performance comparison of intrusion detection models (DNN-LSTM, DL-IDS, and V-Block).

Comparison Metrics	DNN-LSTM	DL-IDS	V-Block	%Improvement over DNN-LSTM	%Improvement over DL-IDS
Malicious traffic	$\simeq 73$%	$\simeq 68\mathrm{\%}$	$\simeq 49\mathrm{\%}$	32.9%	27.9%
Attack detection rate	$\simeq 50$%	$\simeq 57\mathrm{\%}$	$\simeq 67.6\mathrm{\%}$	35.2%	18.6%
Link failure rate	$\simeq 29.6\mathrm{\%}$	$\simeq 24.8\mathrm{\%}$	$\simeq$16%	45.9%	35.5%
Anomaly detection rate	$\simeq 40$%	$\simeq 45.4\mathrm{\%}$	$\simeq 68.2\mathrm{\%}$	70.5%	50.2%
Scalability	$\simeq 0.39$	$\simeq 0.48$	$\simeq 0.64$	64.1%	33.3%

. Some of the research’s key findings are as follows:

• To reduce the scalability issues and increased primary vulnerability threats, we have utilized a picture-based authentication method based on metrics such as ID, and biometrics that constrain the malicious network traffic.
• To reduce the complexity and switch compromising attacks, we have performed game theory-based flow classification and local risk assessment using TEGT and IGNN algorithms, respectively.
• To reduce the risk of controller unavailability due to link failures, we have performed prediction-based optimal multi-controller placement using the fox optimization algorithm based on several metrics that also resolve the security threats.
• To detect and mitigate the suspicious anomalies, we have performed DDQN-based packet validation based on several packet features and global risk assessment to mitigate the attack impact using IGNN.

Table 3 provides a comparative performance analysis of three models: DNN-LSTM, DL-IDS, and the proposed V-Block model. The metrics evaluated include malicious traffic reduction, attack detection rate, link failure rate, anomaly detection rate, and scalability. The V-Block model demonstrates superior performance across all metrics. It achieves a lower percentage of malicious traffic, higher attack and anomaly detection rates, and reduced link failure rates, showcasing its robustness. Moreover, its scalability far exceeds that of the other models, highlighting its efficiency in handling increased data and transactions. This performance underscores the V-Block model’s potential to enhance security for SDN-IoT networks.

The comparative analysis highlights the superior performance of the proposed V-Block model across all key metrics when compared to DNN-LSTM and DL-IDS. The V-Block model demonstrates a significant reduction in malicious traffic by approximately 32.9% and 27.9% over DNN-LSTM and DL-IDS, respectively, showcasing its robust flow validation mechanism. Similarly, the attack detection rate is improved by 35.2% over DNN-LSTM and 18.6% over DL-IDS, attributed to the advanced DDQN-based packet validation and global risk assessment. The link failure rate, a critical metric for network reliability, is reduced by 45.9% and 35.5%, reflecting the efficacy of the fox optimization algorithm in multi-controller placement. Furthermore, the anomaly detection rate is markedly enhanced by 70.5% and 50.2%, emphasizing the effectiveness of game theory and IGNN-based risk assessment techniques. Finally, the scalability of the V-Block model is improved by 64.1% and 33.3%, demonstrating its capability to handle increased transactions efficiently. These results underscore the V-Block model’s potential to address critical challenges in SDN-IoT environments effectively.

6. Conclusions

This study presents a novel SDN-IoT security framework that combines biometric authentication, DDQN-based packet validation, and IGNN for attack detection and anomaly classification in SDN enabled by the IoT. The proposed system aims to address the critical security concerns associated with the rapid expansion of IoT devices, leveraging AI-based technologies and blockchain for enhanced authentication and threat mitigation. We list a summary of the results as follows:

• Biometric authentication: The proposed picture-based authentication mechanism, combined with fingerprint and eye vein detection, achieved an authentication success rate of 98.5% in the simulated environment. This high accuracy ensures that only authorized IoT devices and users can access the network, effectively mitigating unauthorized access risks.
• DDQN-based packet validation: The DDQN model for packet validation demonstrated excellent performance in classifying normal and malicious packets. The attack detection rate approached 100% when the number of packets exceeded 50 (see Figure 5). Specifically, the accuracy for attack detection reached 98.2% for 50 packets and rose to 99.9% for 100 packets. The detection latency for this model was measured at an average of 15–20 ms per packet for smaller networks and 30 ms per packet for larger datasets (100 IoT devices generating traffic).
• IGNN for attack detection: The IGNN algorithm used for attack graph construction and subgraph identification showed strong potential for identifying malicious traffic. The anomaly detection rate for network flows was 96.5% for 50 packets and 99.8% for 100 packets. The graph processing time varied with the network size, with an average processing time of 50 ms per flow in smaller networks (up to 50 IoT devices) and 150 ms per flow when simulating larger networks with 100 devices.
• Simulation performance: The system was simulated using NS-3, modeling an SDN-IoT environment with 100 IoT devices. Traffic generation from these devices was based on IPv4 and Wi-Fi communication, simulating both normal and malicious traffic patterns. The system showed a 0.5 s delay in attack detection for 100 IoT devices, which is acceptable for real-time threat mitigation. The total throughput of the system was measured at 75 Mbps, with 95% reliability in the classification of normal vs. malicious packets.
• Latency considerations: The introduction of AI-driven techniques such as DDQN and IGNN added latency due to the time required for decision-making and graph processing. Optimization methods, such as batch processing and parallel computing, were implemented to mitigate these delays, ensuring the system could operate efficiently even under high traffic volumes.

In conclusion, the proposed SDN-IoT security framework combining biometric authentication, DDQN-based packet validation, and IGNN-based attack detection shows significant promise in enhancing security for IoT networks. While the system performs well under controlled simulations, several challenges remain with regard to translating these results to real-world, large-scale deployments. Future research should focus on improving scalability, real-time adaptability, and novel attack detection to create a more robust solution capable of addressing the complex and evolving security challenges in SDN-IoT environments.