High-Recall Intrusion Prevention in SDN-IoT: A Hash-Based Lightweight Défense using NSL-KDD and CIC-IDS-2017 Datasets

Abstract

 The rapid proliferation of Internet of Things (IoT) and Software-Defined Networking (SDN) has introduced significant cybersecurity challenges due to inherent vulnerabilities in real-time, dynamic network environments. This paper presents a novel, lightweight intrusion prevention system (IPS) that leverages SHA-256-based hash matching to achieve high recall and low latency in SDN-IoT architectures. The proposed model achieves ultra-fast packet inspection with a processing latency of just 0.08 seconds, making it suitable for high-throughput environments. Evaluation using benchmark datasets NSL-KDD and CIC-IDS-2017 demonstrates the system’s near-perfect detection rates of 99.82% and 100%, respectively. While the overall accuracy remains moderate (55.48% for NSL-KDD and 58.29% for CIC-IDS-2017), the model excels in recall and F1-score, achieving 67.86% and 73.11%. Additionally, hash-matching speeds exceed 1.8 to 2.7 million packets per second, enabling scalability for large-scale, real-time networks. The system also effectively blocked 222,192 malicious packets (CIC-IDS-2017) and 135,786 (NSL-KDD), underscoring its practical impact. By bridging proactive threat mitigation and fast packet processing, this solution enhances security without compromising performance. The proposed IPS is especially suited for edge computing, smart cities, and industrial IoT deployments, offering an efficient and robust framework for modern cybersecurity defence.