A Hybrid Stacking-Voting Ensemble Framework for RealTime Cyberattack Detection in SDN-Enabled Healthcare Networks

Abstract

Software-Defined Networking (SDN) has emerged as a promising networking paradigm for modern healthcare infrastructures due to its centralized management, programmability, and scalability. However, the centralized architecture of SDN introduces critical cybersecurity vulnerabilities that expose healthcare systems to distributed denial-of-service (DDoS) attacks, unauthorized access, malware propagation, and other advanced cyber threats. Conventional intrusion detection systems (IDSs) and standalone machine learning classifiers often suffer from poor generalization, high false-positive rates, and limited adaptability to dynamic SDN traffic environments. To address these limitations, this paper proposes MCAD, a hybrid ensemble-based Machine Learning Cyberattack Detection framework for SDN-enabled healthcare systems. The proposed framework integrates heterogeneous machine learning classifiers through stacking and soft voting ensemble strategies to improve detection robustness and classification performance. The framework incorporates Recursive Feature Elimination with Cross-Validation (RFECV), Synthetic Minority Oversampling Technique (SMOTE), and standardized preprocessing techniques to optimize training effectiveness and reduce class imbalance issues. Multiple machine learning algorithms including KNearest Neighbor (KNN), Decision Tree (DT), Random Forest (RF), Naïve Bayes (NB), Logistic Regression (LR), AdaBoost, and Extreme Gradient Boosting (XGBoost) are evaluated using the MCAD-SDN dataset. Experimental evaluation is performed using stratified 5-fold crossvalidation and standard performance metrics including accuracy, precision, recall, F1-score, and confusion matrix analysis. Results demonstrate that the proposed hybrid ensemble framework significantly outperforms individual classifiers and achieves highly reliable intrusion detection performance while minimizing false-positive and falsenegative rates. Furthermore, the proposed framework is deployed using a Flask-based real-time detection interface, demonstrating its practical applicability in healthcare SDN environments. The findings indicate that hybrid ensemble learning provides an effective and scalable solution for enhancing cybersecurity resilience in SDN-enabled healthcare systems.