Machine Learning Based Cyber Attacks Detector in Software Defined Networks (SDN) For Healthcare Systems

Authors

  • B. Ankama, Mr. V. Chandra Sekhar

DOI:

https://doi.org/10.64751/

Abstract

In 2026, the healthcare sector remains a primary target for sophisticated cyber threats, with ransomware and insider attacks surging by over 35% compared to previous years. Traditional static network architectures struggle to protect the burgeoning ecosystem of Internet of Medical Things (IoMT) devices and sensitive Electronic Health Records (EHR). This paper proposes a robust Machine Learning-based Cyber Attack Detector (MCAD) integrated within a Software-Defined Networking (SDN) framework tailored for modern healthcare infrastructures. By decoupling the control plane from the data plane, the SDN architecture provides a centralized, programmable vantage point that enables real-time traffic monitoring and rapid threat mitigation. Our method utilizes a Layer 3 (L3) learning switch application on an SDN controller (such as Ryu) to capture high-fidelity network features, which are then processed through a hybrid machine learning pipeline. The system employs advanced ensemble algorithms, including XGBoost, Random Forest, and CatBoost, to identify diverse attack vectors such as DDoS, probe scans, and unauthorized lateral movements. A specialized feature selection mechanism ensures high detection accuracy while maintaining the low latency required for critical medical environments. Experimental results on modern healthcare-specific datasets demonstrate an F1-score of 0.99 for normal traffic and a significant reduction in false alarm rates. Furthermore, the integration of Explainable AI (XAI) components allows network administrators to interpret the "why" behind flagged anomalies, fostering trust in automated security responses. This holistic approach addresses the "crown jewel" protection mandate of 2026, providing a scalable, proactive defense mechanism that ensures patient safety and regulatory compliance in increasingly complex digital health landscapes.

Published

18-05-26

How to Cite

B. Ankama, Mr. V. Chandra Sekhar. (2026). Machine Learning Based Cyber Attacks Detector in Software Defined Networks (SDN) For Healthcare Systems. American Journal of AI Cyber Computing Management, 6(2), 748-757. https://doi.org/10.64751/