Detecting DDoS attacks in SDN: A Survey
DOI: https://doi.org/10.59222/ustjet.4.1.3
Keywords: network cybersecurity, SDN, DDoS, information entropy, attack detection
Abstract
Software-Defined Networking (SDN), despite enabling centralized control and dynamic programmability, exposes critical security vulnerabilities, particularly to Distributed Denial-of-Service (DDoS) threats targeting centralized controllers. This review synthesizes recent detection methods, including entropy-driven statistical models, machine learning-based classifiers, and hybrid techniques integrating both approaches. Entropy-based methods are computationally lightweight but often yield a high number of incorrect detections during peak traffic bursts. Pure ML approaches, while highly accurate, struggle with hardware demands incompatible with legacy SDN infrastructure. Hybrid models significantly improve detection robustness; however, they face practical implementation hurdles related to complexity and scalability. While pure ML approaches excel in deep feature extraction, their substantial hardware demands often surpass what most real-world SDN environments can accommodate.
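The trade-off the abstract describes for entropy-based detection can be seen in a small added example (not code from the survey or from any cited work). It assumes normalized Shannon entropy over destination IPs, a fixed 100-packet window and a static threshold of 0.5; the traffic is constructed, and all names are hypothetical.

```python
import math
from collections import Counter

HOSTS = [f"10.0.0.{i}" for i in range(1, 11)]  # constructed sample topology

def normalized_entropy(dst_ips):
    """Shannon entropy of the destination-IP distribution, scaled to [0, 1]."""
    counts = Counter(dst_ips)
    if len(counts) < 2:
        return 0.0
    total = len(dst_ips)
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))

def window_entropies(packets, window):
    """Split (label, dst_ip) packets into fixed windows: (entropy, labels) per window."""
    out = []
    for i in range(0, len(packets) - window + 1, window):
        chunk = packets[i:i + window]
        labels = {lbl for lbl, _ in chunk}
        out.append((normalized_entropy([ip for _, ip in chunk]), labels))
    return out

def build_sample():
    """Constructed traffic: normal, normal, flood on one host, normal, benign burst."""
    normal = [("benign", h) for h in HOSTS for _ in range(10)]
    attack = [("attack", HOSTS[0])] * 90 + [("benign", h) for h in HOSTS]
    flash = [("benign", HOSTS[4])] * 80 + [("benign", h) for h in HOSTS for _ in range(2)]
    return normal + normal + attack + normal + flash

def evaluate(packets, window=100, threshold=0.5):
    """Flag low-entropy windows; a flagged window with no attack packets is a false positive."""
    ents = window_entropies(packets, window)
    flagged = [i for i, (h, _) in enumerate(ents) if h < threshold]
    false_pos = [i for i in flagged if "attack" not in ents[i][1]]
    return ents, flagged, false_pos

if __name__ == "__main__":
    ents, flagged, false_pos = evaluate(build_sample())
    for i, (h, labels) in enumerate(ents):
        print(f"window {i}: entropy={h:.3f} labels={sorted(labels)}")
    print("flagged:", flagged, "false positives:", false_pos)
```

The benign burst toward one popular host collapses the destination distribution much as the flood does, so a static threshold flags both windows.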
Copyright (c) 2026 The copyright is transferred to the University of Science and Technology, Sana’a, Yemen.

This work is licensed under a Creative Commons Attribution 4.0 International License.