
Future Generation Computer Systems 154 (2024) 206–218

Contents lists available at ScienceDirect

Future Generation Computer Systems


journal homepage: www.elsevier.com/locate/fgcs

Synchronizing DDoS detection and mitigation based graph learning with programmable data plane, SDN
Jie Ma ∗, Wei Su, Yikun Li, Yihua Peng
School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, 100044, China

ARTICLE INFO

Keywords: Software defined network; Programmable data plane; Distributed denial of service; In-band network telemetry; Graph convolutional neural network

ABSTRACT

The availability of SD-IoT is now under complex and serious cyber threats, especially distributed denial-of-service attacks. However, traditional defense schemes suffer from coarse-grained centralized sampling approaches, low accuracy of detection models, and inefficient mitigation methods. In this paper, a novel DDoS defense scheme is proposed, which consists of a high-accuracy detection mechanism based on a Graph Convolutional Neural Network learning model and a mitigation mechanism based on fast traffic migration. In the detection stage, a fine-grained INT sampling approach is utilized to obtain multidimensional network topology and status information. The Graph Convolutional Neural Network learning model detects switches containing DDoS attack traffic with high accuracy because the detection model not only extracts and utilizes multiple temporal and spatial features of the collected information, but also has a better learning and representation capability. In the mitigation stage, the enhanced whitelist with dynamic threshold-based values is automatically adapted to the real-time state of the network environment for enhanced mitigation flexibility. The fast programmable segment rerouting strategy can block attack traffic in time and ensure the continuity of network services. The results of several comparison experiments show that the proposed scheme can detect DDoS attacks more accurately and mitigate them more effectively than traditional schemes.

1. Introduction

Internet-of-Things (IoT) refers to the means of connecting physical things through the Internet to gain the assessment of real-world information [1–3]. As of today, there are an estimated 20 billion things/devices connected to the Internet [4]. With the recent increase in the size of IoT networks, attackers often choose IoT devices as the source or medium for generating attacks to target other networks and systems on the Internet for malicious cyber attacks [5–7]. One such malicious network attack that is easy to initiate and extremely destructive is the Distributed Denial of Service (DDoS). Attackers compromise vulnerable nodes in the IoT and then transform them into botnets and utilize such massively distributed hosts to create a large number of packets with spoofed IP addresses to launch access attacks on the victim servers, which can quickly consume the victim servers' resources and make them unable to respond to normal requests [8–10]. A Nokia Threat Intelligence Center 2023 Report reveals that Distributed Denial of Service traffic from IoT botnets originating from a large number of insecure IoT devices is on the rise and has increased five times in the past year. The number of IoT devices involved in botnet-driven DDoS attacks has increased from about 200,000 a year ago to about 1 million, which produces more than 40% of all DDoS traffic today [11].

How to detect and defend against such a large-scale DDoS attack is an urgent problem to be studied. With the emergence and popularity of Software Defined Networks (SDN) [12–14], administrators can manage the network and defend against cyber attacks with the flexibility and efficiency of decoupling the data plane and control plane. Hence, the Software-Defined Everything paradigm (SD-X) provides a new idea for the security management of the IoT and its devices [15,16]. Software-Defined Internet of Things (SD-IoT) is an advanced network architecture for managing and protecting IoT devices against threats such as botnet attacks, while researchers often characterize the layers for SD-IoT in terms of a variation of the traditional structure of the IoT, which is the Cloud layer, Fog layer, and Edge layer, as shown in Fig. 1. The traditional IoT attack detection and mitigation schemes are currently deployed on SDN controllers in the cloud layer with detection models based on entropy detection algorithms [17,18], probabilistic statistical methods [19,20], and machine learning algorithms [21,22] to evaluate network traffic. The new recent paradigm of In-network Security based on SDN employs programmable network elements to detect and mitigate malicious traffic on the path before reaching the edge layer or cloud servers to minimize performance delays and reduce the runtime overhead of the dedicated servers deployed for security

∗ Corresponding author.
E-mail address: [email protected] (J. Ma).

https://doi.org/10.1016/j.future.2023.12.033
Received 4 July 2023; Received in revised form 12 November 2023; Accepted 28 December 2023
Available online 3 January 2024
0167-739X/© 2023 Elsevier B.V. All rights reserved.

purposes [23]. The P4 switches with programmable data planes that are located in the fog layer can directly deploy threshold-based detection algorithms and packet drop strategies to provide security services to IoT devices in the edge layer.

Fig. 1. The three-layer network architecture of SD-IoT under botnet attacks.

There are more issues with the mentioned detection and mitigation schemes. Attack detection schemes deployed in the control plane suffer from low detection accuracy, a lack of information on fine-grained temporal and spatial features characterizing traffic attributes and network topology status, and mitigation schemes with high CPU occupation and high network recovery latency. Data plane detection schemes have even lower accuracy because they usually rely on thresholds whose accuracy depends on expert knowledge, and the direct packet-drop strategy leads to an increased chance of misleadingly killing normal packets when dropping them. Hence, a high-accuracy and timely Graph Convolutional Neural Network-based detection and mitigation scheme for DDoS flooding attacks is proposed to overcome the above problems. Information collection is a prerequisite for attack detection, so the in-band network telemetry (INT) technique based on the programmable data plane is utilized to monitor the fine-grained network status [24]. With the help of multiple statistical characteristics of network traffic, over-dependence on individual characteristics of the network service can be effectively avoided. An information entropy-based approach is adopted to measure the changes in network characteristics, and a dynamic threshold is derived based on the changes in network characteristics for coarse-grained anomaly warning. Then the network anomaly is automatically detected by the Graph Convolutional Neural Network learning algorithm. To avoid cutting off the communication of legitimate clients when the SD-IoT network is under DDoS attacks, it is not possible to simply drop all or part of the traffic directly; thus a combined whitelist and mitigation agent mechanism is implemented in the network. All the suspicious traffic is routed to the agent by the segment rerouting approach. The network can quickly recover and continue to provide continuity of service for legitimate clients with the adoption of the above detection and mitigation schemes.

The main contributions of this work can be summarized as follows:

• A new algorithm is proposed to select P4 trust detection nodes that support the use of in-band telemetry, which utilizes node metrics to reduce the performance and cost overhead of deploying detection nodes in the global topology. The P4 detection nodes collect fine-grained status information about the current network topology such as the switch ID, egress port timestamps, ingress port timestamps, and the queue length of ports. Distributed traffic collection schemes are utilized to avoid information interactions that form network bottlenecks.
• A high-precision Graph Convolutional Neural Network model transforms information with network traffic and network topology multidimensional attributes into the network status tensor to form feature values and then detects DDoS flooding attacks in SD-IoT network scenarios. Network element devices that contain DDoS attack traffic are identified with the spectral clustering approach.
• The proposed mitigation strategy, which combines a programmable data plane-based whitelist with a segment rerouting scheduling algorithm, can block attack traffic promptly and significantly reduce the impact of attack traffic on background traffic without interrupting network services.
• Experimental results show that the proposed detection and mitigation scheme can effectively detect multiple DDoS flooding attacks at an early stage, which ensures that the network can recover quickly and the impact on network performance is minimized.

The rest of this paper is organized as follows: Section 2 discusses the work related to DDoS detection and mitigation schemes in SDN. Section 3 describes the basic structure and implementation details of the proposed DDoS flooding attack detection and mitigation mechanism. Section 4 presents the performance of the proposed approaches in evaluation experiments. The paper concludes and gives an outlook in Section 5.

2. Related work

As a new network architecture, the decoupling feature of the data plane and control plane gives SDN controllers great flexibility, scalability, and centralized control [13,25,26]. Hence, such a new network architecture is extensively utilized in scenarios such as IoT [27], cloud data center networks [28], and wireless LANs [29]. Due to the development of P4 programmable switches, power-efficient network elements with high processing capacity are provided for SDN data planes [30–32]. Reviewing the different schemes based on the SDN paradigm regarding the detection and mitigation of Distributed Denial of Service attacks, they can be divided into schemes deployed in the control plane and others deployed in the data plane.

The traditional detection approaches based on controllers obtain some data in the network environment, such as the source IP address of the packet and the destination address of the packet, and then calculate their entropy values to evaluate the dispersion of the network traffic with the help of network traffic monitoring tools such as sFlow, tcpdump, and iftop. Thomas et al. [33] collected traffic directly from the environment with the network traffic monitoring tool iftop and then compared the end-to-end transmission throughput to determine that a transmission request was malicious if it exceeded a specified threshold. Sahoo et al. [34] proposed an entropy-based distributed denial-of-service attack detection mechanism based on the natural advantages of SDN for data flows. Wang et al. [18] proposed a lightweight entropy-based DDoS flooding attack detection model running on an OpenFlow edge switch. A drawback of this type of detection method is that its accuracy depends on the threshold value of entropy. Nevertheless, the selection of the threshold value relies mainly on a priori expert knowledge. Zuo et al. [35] used the traffic matrix and principal component analysis to detect abnormal traffic.

Another type of classical approach utilizes the computational scalability of the controller to draw key features of the network traffic encapsulated in the relevant packet header from Packet_in messages and then detect DDoS attacks with the help of probability-based statistical methods [19,20,36] or machine learning algorithms [10,37,


Table 1
Comprehensive comparative analysis of attack detection and mitigation schemes.
Comparison metrics [35] [10] [40] [37] [42] [43] [33] The proposed scheme
Detection Method (𝐸) (𝑀) (𝑀) (𝑀) (𝐸) (𝑀) (𝑆) (𝑀)
Detection Accuracy ↓ ↑ ∼ ∼ ∼ ∼ ↓ ↑
Scalability ↓ ↓ ↓ ↓ ∼ ∼ ∼ ↑
Realistic Dataset – ✓ ✓ ✕ – ✓ – ✓
Latency Overhead ↓ ↓ ∼ ↑ ↓ ∼ ∼ ∼
Computation Overhead on SDN controllers ↑ ↑ ∼ ∼ ↑ ∼ ∼ ∼
Computation Overhead on programmable switches ↓ ∼ ∼ ↑ ↑ ↑ ∼ ∼

(𝑀): Scheme based on Machine Learning detection algorithm. (𝐸): Scheme based on Entropy detection algorithm. (𝑆): Scheme based on Statistical Analysis algorithm.
Symbol ↑ indicates a high degree. Symbol ↓ indicates a low degree. Symbol ∼ indicates a medium degree.
Realistic dataset: (✓) realistic dataset, (✕) unrealistic dataset, (−) unused dataset.

38]. Ahmed et al. [36] collected packet-level and flow-level feature information at the transport layer, and then classified the statistics according to the dynamic characteristics of network traffic patterns and detected distributed denial-of-service attacks from them. Kokila et al. [39] proposed an SVM-based network intrusion detection system that can accurately determine whether a DDoS attack has occurred but suffers from a long detection time and low detection efficiency. Hu et al. [40] collected network traffic information through SDN controllers and sFlow agents, and then measured network characteristics by an entropy-based method and utilized the SVM classification algorithm to identify network anomalies with low detection accuracy. Xu et al. [37] proposed an attack detection method based on the fast KNN model, and the results show that the method improves the efficiency of KNN in detecting DDoS attacks with high accuracy, precision, and stability. However, the proposed method is trained and evaluated on an impractical NSL-KDD dataset. Cvitić et al. [38] proposed a DDoS traffic detection model that uses a logistic model tree boosting method for different IoT device classes. Liu et al. [10] proposed an attack detection scheme with the use of information entropy and a CNN-based deep learning model. Hannache et al. [41] proposed a method to detect and mitigate ICMP flood, SYN flood, and UDP flood DDoS attacks. Based on a traffic classifier, they used BPNN for online DDoS detection and evaluated their model with a synthetic dataset.

With the rapid development of SDN programmable data planes, several algorithmic schemes have emerged that leverage the P4 switches' programmable capabilities to deploy directly on the data plane to detect or mitigate DDoS attacks [30,43–45]. Lapolli et al. [45] proposed an anomaly detection method based on Shannon entropy estimation deployed on the P4 programmable switch. Gonzalez et al. [42] proposed an in-network push mechanism to speed up the defense with entropy-based analysis. He et al. [46] proposed a secure duplicate address detection mechanism called P4DAD, which can only defend against duplicate address spoofing attacks. However, hardware-based entropy detection methods usually rely on thresholds; thus, their detection accuracy is low. Musumeci et al. [43] proposed a detection scheme deployed on switch hardware based on machine learning models focusing on TCP Flood attacks. HJ et al. [47] introduced the SwitchTree scheme to embed the random forest algorithm into a programmable switch capable of detecting network attacks at wire speed and with high accuracy. However, current machine learning classification algorithms deployed on programmable switches are simplistic, due to the natural drawbacks of their constrained chip hardware processing, which results in low detection accuracy. All these above-mentioned detection strategies still require further fine-grained analysis of network status information in the SDN control plane.

Based on the seven popular evaluation metrics in the table, representative detection and mitigation schemes are compared with each other, and the specific comparison results are listed in Table 1. Through horizontal and vertical comparisons, it is clear that researchers have successfully applied different approaches in the field of traffic detection and have achieved a large number of results in DDoS attack detection and mitigation; none of the schemes is the best or the worst, so there are both advantages and obvious disadvantages to these techniques.

As mentioned above, there are still some serious problems in this field that need to be solved. For example, in some network environments that require very high detection accuracy such as SD-IoT, traditional schemes are not feasible. With a centralized traffic collection scheme, it is also prone to form network bottlenecks. Hence, the proposed DDoS attack detection and mitigation scheme is based on INT distributed sampling and a GCN learning model in SD-IoT. The graph convolutional neural network learning model makes full use of the sampled multi-dimensional attribute spatiotemporal feature information to improve the accuracy of fine-grained detection and reduce the false alarm rate.

3. System overview

3.1. Basic assumptions

The notations used in this paper are listed in Table 2, and the proposed DDoS attack detection and mitigation scheme based on INT sampling and a GCN learning model in SDN is based on the following assumptions:

• It is assumed that the probability of the attacking threat to the programmable switch in the data plane is almost zero.
• Controllers on the control plane are at risk of being maliciously attacked and captured by illegal sites.
• The controller cluster consists of a limited number of controllers and a Zookeeper management server. The Zookeeper management server is brought in to manage all controllers inside the cluster, which solves the problem of information sharing and data consistency among multiple controllers, thus alleviating the problem of a single point of failure caused by the attack against the controller.
• The control plane and the data plane are effectively networked by means of an Out-Band connection.
• The attack types considered are SYN flooding attacks, UDP flooding attacks, and HTTP flooding attacks.
• When multiple hosts launch attacks simultaneously, the attacking flows enter the network from different edge switches and the different attacking paths may partially overlap.

3.2. Deployment of detection nodes and network state awareness

This is an issue about how to select a few core traffic forwarding nodes with minimized expenses in an Autonomous System (AS) to deploy and upgrade as trusted P4 programmable nodes so that they filter and mitigate illegal traffic at the first signs of the network attacks, reduce the impact of illegal traffic on the traditional traffic forwarding nodes and the target servers in the network, and meanwhile decrease the high CPU utilization and the large bandwidth cost of the controller required for telemetry of network status information. The undirected network graph $\wp(N, L, \varpi_N, \varpi_L)$ of an AS is given, where $N$ denotes the set of network nodes, $L$ denotes the set of links, $\varpi_N$ denotes the node attribute matrix and $\varpi_L$ denotes the edge attribute


Table 2
Main symbolic meanings of the proposed scheme.

Symbol  Meaning
$N$  Set of topology nodes
$L$  Set of topology links
$\varpi_N$  The node attribute matrix
$\varpi_L$  The edge attribute matrix
$\Delta t$  A time step
$S_{id}$  The switch with id number
$IP_{src}$  The source IP address of a packet
$IP_{dst}$  The destination IP address of a packet
$\wp$  The undirected network graph
$A$  The hidden feature matrix
$\varpi^{\Delta t}_{adjacency}$  The weighted adjacency matrix
$\varpi^{\Delta t}_{degree}$  The weighted degree diagonal matrix
$|N|$  The number of switch nodes
$\xi_n$  The normal switch
$\xi_{Mv}$  The switch with mainly attack traffic
$\xi_{Nv}$  The neighbor switch of $\xi_{Mv}$
$\mathbf{I}_N$  The identity matrix

Fig. 2. The design of the detection node deployment and network state awareness.

matrix. The node deployment strategy must be fulfilled: any link in the set $L$ is monitored by at least one trusted detection node. The deployed detection nodes can cover all the links in the whole network, which supports the collection of fine-grained network state-aware information. The node deployment problem is transformed into an NP-complete Set Cover Problem (SCP), and thus we propose the greedy algorithm to solve this type of unweighted SCP problem. The heuristic algorithm solves the problem as follows: initialize the empty set $M$; initialize the set $E$, which contains all edges in the undirected network graph. The set of edges in the actual network topology can be defined as $E = \{e_{n_1 n_2}, e_{n_1 n_3}, \ldots, e_{n_i n_{i+j}}\}$; the set $E' = \{\{e_{n_1 n_2}, e_{n_1 n_3}, \ldots\}, \{e_{n_2 n_3}, e_{n_2 n_4}, \ldots\}, \ldots, \{e_{n_i n_j}, \ldots\}\}$ is defined as the set of edges connected to each vertex. In case there is an element $e_{n_i n_k}$ in the set $E$ that is not contained in the set $M$, iterate through $E'$ to get the subset $E'_{n_i}$ that contains $e_{n_i n_k}$ and has the maximum number of elements, then add it to the set $M$. Loop the above steps until the set $M$ contains all elements of the set $E$. For example, in Figs. 2 and 3, the strategy first deploys two types of switches as trusted detection nodes, which consist of the switch $\{S_1\}$ at the topology edge, and the last-hop forward switches $\{S_8, S_{15}\}$ connected to the target servers. The detection nodes are all marked as 0 in the initialization status list, noted as $\{\{S_1, 0\}, \{S_8, 0\}, \{S_{15}, 0\}\}$. The rest of the legacy routing nodes are marked as 1. Initiate the neighbor list and the node degree list. The degree values are calculated for all switches in the network except the switches at the topology edge and the previous-hop switches connected to the destination servers. Sort the switches in decreasing order based on the degree values and put them in a sorted array. The top element of the sorted array is selected and placed in the deployment status set, which is continuously updated and finally outputs the switch deployment status list. After algorithmic filtering, the switches $\{S_1, S_4, S_6, S_7, S_8, S_{15}, S_{16}\}$ are upgraded to detection nodes that cover all the links in the network. The key consideration in the problem of deploying detection nodes is that no two legacy routing nodes are allowed to maintain a neighbor relationship, to ensure that each link is connected to 1 or 2 detection nodes. In this way, the traffic forwarded through links in the AS can either reach the detection node in 1 hop or be forwarded directly to the detection node to reach the next detection node in 1 or 2 hops. Thereby the controller can obtain link traffic statistics from the detection node to complete subsequent fine-grained attack detection missions. The time complexity of the proposed algorithm is a polynomial function consisting of the heap sorting algorithm's time complexity and the loop algorithm's complexity, which can be defined as Eq. (1), where $n$ is the number of switches.

$$\mathcal{O}(n + n\log(n)) = \mathcal{O}(n(1 + \log(n))) \tag{1}$$

The P4 trusted detection nodes encapsulate the detection node and the queue state messages, such as Switch ID, Link utilization, Port-level receive overrun error count, Queue ID, Queue length, Ingress timestamp, and Egress timestamp, into the INT_MetaData field of the packets during $\Delta t$ (a time step). After binary packets with valid network state information reach the trusted network edge detection node, the metadata is extracted, encapsulated as an INT Report and sent to the INT Monitor. To achieve the high processing speed needed to accommodate the high-speed traffic in the data plane, the INT Monitor is developed with the P4 switch's kernel bypass AF_XDP, which allows parsing a large number of INT reports per second on a single kernel. The sampled multidimensional spatiotemporal data are classified and aggregated by the switch ID and then stored in a database of sampled information. Based on such information characterizing the network status, to enrich the feature values of the attack detection model, we calculate more fine-grained feature values such as the $IP_{src}$ entropy value, the $IP_{dst}$ entropy value, average packets per second, average bytes per second, and average link utilization per second by the following equations, Eqs. (2), (3), (4), (5).

$$H = -\sum_{i=1}^{m} \frac{f_i}{f_t} \log_2 \frac{f_i}{f_t} \tag{2}$$

where $m$ is the number of connected targets, $f_i$ denotes the byte-based traffic received by the detected target from source $i$, and $f_t$ denotes the total byte-based traffic received by the detected target.

$$\text{Average packets}(S_i) = \frac{\text{total packets sent in } \Delta t}{\Delta t} \tag{3}$$

where average packets per second means the average number of packets forwarded by switch $S_i$ during $\Delta t$, and the values are normalized to a range of 0 to 1.

$$\text{Average bytes}(S_i) = \frac{\text{total bytes sent in } \Delta t}{\Delta t} \tag{4}$$

where average bytes per second means the average number of bytes forwarded by switch $S_i$ during $\Delta t$, and the values are normalized to a range of 0 to 1.

$$\text{Average link utilization}(S_i) = \frac{\sum_{i=1}^{\Delta t} \text{bytes sent}_i \div \text{link bandwidth}}{\Delta t} \tag{5}$$

where average link utilization per second indicates how much bandwidth is consumed by the source. The values are in the range of 0 to 1.

3.3. Detecting DDoS attacks

The multidimensional network status information is utilized as performance metrics to form a node attribute matrix $\varpi_N \in \mathbb{R}^{|N| \times |f_N|}$ and the edge attribute matrix $\varpi_L \in \mathbb{R}^{|L| \times |f_L|}$, where $f_N$ and $f_L$ represent the number of node attributes and edge attributes, respectively.
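The greedy link-cover heuristic of Section 3.2 above, as an added example that is not the paper's code: the topology-edge switch and the last-hop switches are pre-deployed first, then for each still-unmonitored link the endpoint whose incident-link set $E'_{n_i}$ is largest is upgraded, until every link in $E$ touches a trusted detection node. The ten-switch topology, the edge switch S1 and the last-hop switches S8 and S10 are constructed for illustration, not the paper's Fig. 2.

```python
"""Greedy selection of P4 trusted detection nodes (Section 3.2 heuristic).

Added example, not the paper's implementation. Topology and seed switches
are constructed.
"""
from typing import Dict, FrozenSet, Iterable, List, Set

Link = FrozenSet[str]  # an undirected link is the unordered pair of its endpoints

# Constructed topology: adjacency lists of the undirected graph (N, L).
TOPOLOGY: Dict[str, List[str]] = {
    "S1": ["S2", "S3"],
    "S2": ["S1", "S4", "S5"],
    "S3": ["S1", "S4"],
    "S4": ["S2", "S3", "S6", "S7"],
    "S5": ["S2", "S6"],
    "S6": ["S4", "S5", "S8", "S9"],
    "S7": ["S4", "S8"],
    "S8": ["S6", "S7", "S10"],
    "S9": ["S6", "S10"],
    "S10": ["S8", "S9"],
}
EDGE_SWITCHES: Set[str] = {"S1"}            # topology-edge switch, pre-deployed
LAST_HOP_SWITCHES: Set[str] = {"S8", "S10"}  # last hop before the target servers


def links_of(topology: Dict[str, List[str]]) -> Set[Link]:
    """The set E of all links in the topology."""
    return {frozenset((a, b)) for a, nbrs in topology.items() for b in nbrs}


def incident_links(topology: Dict[str, List[str]]) -> Dict[str, Set[Link]]:
    """E': for every vertex, the subset of links connected to it."""
    return {v: {frozenset((v, b)) for b in nbrs} for v, nbrs in topology.items()}


def select_detection_nodes(topology: Dict[str, List[str]],
                           seeds: Iterable[str]) -> Set[str]:
    """Return the switches upgraded to trusted detection nodes."""
    all_links = links_of(topology)
    per_vertex = incident_links(topology)
    deployed = set(seeds)                     # status 0 in the paper's list
    covered: Set[Link] = set().union(*(per_vertex[s] for s in deployed))  # M
    # Degrees are computed only for switches that are not pre-deployed.
    degree = {v: len(e) for v, e in per_vertex.items() if v not in deployed}
    while covered != all_links:
        # Deterministic choice of a link not yet in M.
        link = min(all_links - covered, key=lambda l: tuple(sorted(l)))
        # Both endpoints are legacy nodes (otherwise the link would be covered);
        # take the one with the largest E'_{n_i}, lower id on ties.
        candidates = sorted((v for v in link), key=lambda v: (-degree[v], v))
        best = candidates[0]
        deployed.add(best)
        covered |= per_vertex[best]
    return deployed


def every_link_monitored(topology: Dict[str, List[str]], deployed: Set[str]) -> bool:
    """Deployment constraint: each link has a trusted endpoint, i.e. no two
    legacy routing nodes remain neighbours."""
    return all(link & deployed for link in links_of(topology))


if __name__ == "__main__":
    nodes = select_detection_nodes(TOPOLOGY, EDGE_SWITCHES | LAST_HOP_SWITCHES)
    print(sorted(nodes), every_link_monitored(TOPOLOGY, nodes))
```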

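Computing the per-switch feature values of Eqs. (2), (3), (4), (5) from INT reports already aggregated by switch ID, as an added example that is not the paper's INT Monitor: the report records, the one-second sample granularity inside $\Delta t$, and the max-normalisation of the two rate features across switches are assumptions.

```python
"""INT-derived node features of Eqs. (2)-(5): IP_src / IP_dst byte entropy,
average packets and bytes per second, and average link utilization.

Added example, not the paper's code. Reports, bandwidths and the
normalisation rule are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from math import log2
from typing import Dict, List


@dataclass(frozen=True)
class IntReport:
    """One aggregated INT report for a single one-second sample of a switch."""
    second: int        # index of the one-second sample inside the time step
    switch_id: str
    ip_src: str
    ip_dst: str
    packets: int
    bytes: int


def entropy(byte_counts: Dict[str, int]) -> float:
    """Eq. (2): H = -sum_i (f_i / f_t) log2(f_i / f_t), with f_i byte-based."""
    f_t = sum(byte_counts.values())
    if f_t == 0:
        return 0.0
    return -sum((f / f_t) * log2(f / f_t) for f in byte_counts.values() if f > 0)


def switch_features(reports: List[IntReport], switch_id: str,
                    link_bandwidth: int, dt: int) -> Dict[str, float]:
    """Eqs. (2)-(5) for one switch over a time step of dt seconds."""
    src_bytes: Counter = Counter()
    dst_bytes: Counter = Counter()
    bytes_per_second: Counter = Counter()
    total_packets = total_bytes = 0
    for r in reports:
        if r.switch_id != switch_id:
            continue
        src_bytes[r.ip_src] += r.bytes
        dst_bytes[r.ip_dst] += r.bytes
        bytes_per_second[r.second] += r.bytes
        total_packets += r.packets
        total_bytes += r.bytes
    # Eq. (5): mean over the dt one-second samples of bytes_i / link bandwidth.
    utilization = sum(b / link_bandwidth for b in bytes_per_second.values()) / dt
    return {
        "src_entropy": entropy(src_bytes),
        "dst_entropy": entropy(dst_bytes),
        "avg_packets": total_packets / dt,   # Eq. (3), before normalisation
        "avg_bytes": total_bytes / dt,       # Eq. (4), before normalisation
        "link_utilization": utilization,
    }


def node_feature_table(reports: List[IntReport], bandwidths: Dict[str, int],
                       dt: int) -> Dict[str, Dict[str, float]]:
    """Feature row per switch; the rate features are scaled to [0, 1] by the
    maximum over all switches (assumed normalisation)."""
    table = {s: switch_features(reports, s, bw, dt) for s, bw in bandwidths.items()}
    for key in ("avg_packets", "avg_bytes"):
        peak = max(row[key] for row in table.values()) or 1.0
        for row in table.values():
            row[key] = row[key] / peak
    return table


# Constructed reports for a 2-second time step on two detection nodes.
DT = 2
BANDWIDTH = {"S4": 1000, "S6": 1000}  # bytes per second, constructed
REPORTS: List[IntReport] = [
    IntReport(0, "S4", "10.0.0.1", "10.0.1.1", 4, 400),
    IntReport(0, "S4", "10.0.0.2", "10.0.1.1", 2, 200),
    IntReport(1, "S4", "10.0.0.1", "10.0.1.1", 4, 400),
    IntReport(1, "S4", "10.0.0.3", "10.0.1.2", 2, 200),
    IntReport(0, "S6", "10.0.0.5", "10.0.1.1", 10, 1000),
    IntReport(1, "S6", "10.0.0.5", "10.0.1.1", 10, 1000),
]

if __name__ == "__main__":
    for switch, row in node_feature_table(REPORTS, BANDWIDTH, DT).items():
        print(switch, {k: round(v, 4) for k, v in row.items()})
```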

Fig. 3. The architecture of the malicious attack defensive scheme.

The graph convolutional neural network is modeled in each time step $\Delta t$ as $\wp^{\Delta t}$, where $\Delta t \in \{1, 2, 3, \ldots\}$. $\wp^{\Delta t}$ varies in each time step as $\varpi_L^{\Delta t}$ and $\varpi_N^{\Delta t}$ change over time, depending on the status of communication between network element devices in the current network environment. Then let $\varpi^{\Delta t}_{adjacency} \in \mathbb{R}^{N \times N}$ be the weighted adjacency matrix of $\wp^{\Delta t}$, formed such that $\omega_{ij}$ is defined as the edge weight between switch $S_i$ and switch $S_j$ if they are connected, else let $\omega_{ij} = 0$. Denote $\varpi^{\Delta t}_{degree}$ as a weighted degree diagonal matrix, and let $\varpi^{\Delta t}_{degree} = diag(d_1, d_2, \ldots, d_N)$ where $d_i = \sum_{j=1}^{N} w_{ij}$. Define $\gamma \in \mathbb{R}^{\tau \times 1}$ to denote the true label vector. If the network element devices are under DDoS attacks during time step $\Delta t$, then $\gamma^{\Delta t} = 1$, else $\gamma^{\Delta t} = 0$. The graph neural network-based model is guided to train and detect any intentional or unintentional anomalous behaviors in the target network, as shown in Fig. 3. The proposed DDoS detection model is designed based on concepts such as graph convolutional layers and graph pooling, and consists of multiple graph convolutional layers, a graph pooling layer, multiple fully connected multilayer perceptron neural network layers, and a sigmoid layer. The graph information is processed through the above layer structure to decide whether the network element devices in the target network are under attack. For a given graph $\wp^{\Delta t}$ with a weighted adjacency matrix $\varpi^{\Delta t}_{adjacency}$ and a node attribute matrix $\varpi_N^{\Delta t}$, each graph convolution layer outputs a hidden feature matrix $A$ containing hidden node-level matrices, which can be formalized as

$$A = f\left\{\left[\left(\mathbf{I}_N + \tilde{\varpi}^{\Delta t}_{degree}\right)^{-\frac{1}{2}} \times \tilde{\varpi}^{\Delta t}_{adjacency} \times \left(\tilde{\varpi}^{\Delta t}_{degree}\right)^{-\frac{1}{2}} \times \varpi_N^{\Delta t}\right] \times \Phi\right\} \tag{6}$$

where $f$ is the activation function used, $\mathbf{I}_N \in \mathbb{R}^{N \times N}$ is an identity matrix, $\Phi$ is the matrix of learnable parameters for a given graph convolutional layer, and $\tilde{\varpi}^{\Delta t}_{degree}$ is a modified weighted degree diagonal matrix, which differs from $\varpi^{\Delta t}_{degree}$ in that it utilizes the weights in $\tilde{\varpi}^{\Delta t}_{adjacency}$ instead of $\varpi^{\Delta t}_{adjacency}$. The weighted adjacency matrix $\tilde{\varpi}^{\Delta t}_{adjacency}$ is defined as

$$\tilde{\varpi}^{\Delta t}_{adjacency} = \mathbf{I}_N + \varpi^{\Delta t}_{adjacency} \tag{7}$$

Graph pooling is the pooling and extraction of significant information from the graph by merging clusters of strongly connected nodes with the use of clustering. The defined graph pooling layer is utilized to aggregate the information of multiple $A$-matrices containing multiple representations for each node into one feature representation of the graph $\wp^{\Delta t}$. The method of mean pooling is applied to a graph pooling layer that obtains a graph-level representation of the graph $\wp^{\Delta t}$ by considering the mean value of all its node-level representations in the proposed detection model. The pseudocode of the proposed graph convolutional neural network model-based DDoS detection and identification is shown in Algorithm 1. If $\gamma_*^{\Delta t} = 1$, the final status results of the switches in $\wp^{\Delta t}$ can be identified with the use of spectral clustering. Spectral clustering is a clustering algorithm based on undirected weighted graphs that maps data in high-dimensional space to low-dimensional space and then clusters them in the low-dimensional space by other clustering algorithms (e.g. K-Means). The main method utilized in the spectral clustering algorithm is the Graph Laplacian matrix developed based on spectral graph theory. The Normalized Graph Laplacian of the graph $\wp^{\Delta t}$ in time step $\Delta t$ is calculated by the following equation:

$$\text{Graph Laplacian}^{\Delta t} = \mathbf{I}_N - \left(\varpi^{\Delta t}_{degree}\right)^{-1} \times \varpi^{\Delta t}_{adjacency} \tag{8}$$

The eigenvectors and eigenvalues obtained from the spectral decomposition of the Graph Laplacian of time step $\Delta t$ are utilized in combination with the traditional K-Means algorithm to classify the switches containing attack traffic and switches forwarding normal traffic in the target network. Depending on the final spatiotemporal status of all switches forwarding traffic in the network topology, the switches are classified into three categories: normal switching nodes $\xi_n$, switches containing mainly attack traffic $\xi_{Mv}$, and the neighbor switches $\xi_{Nv}$. The normal switches $\xi_n$ are the set

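A plain-Python forward pass of the detector of Section 3.3, added here and not the paper's implementation: Eq. (7) adds self-loops to the weighted adjacency matrix, Eq. (6) propagates the node attributes with the symmetric normalisation built from the degree matrix of $\tilde{\varpi}_{adjacency}$, mean pooling and a sigmoid produce $\gamma_*$ as in lines 11-16 of Algorithm 1, and Eq. (8) builds the Graph Laplacian that the spectral clustering step decomposes. The three-switch chain, node attributes, layer weights and the ReLU activation are constructed assumptions.

```python
"""GCN detector forward pass (Eqs. (6), (7)), mean graph pooling, sigmoid
decision and the Graph Laplacian of Eq. (8), without numpy.

Added example, not the paper's model. All inputs are constructed; the
symmetric normalisation and the 
ReLU activation are assumptions.
"""
from math import exp, sqrt
from typing import List, Tuple

Matrix = List[List[float]]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def identity(n: int) -> Matrix:
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def degrees(w: Matrix) -> List[float]:
    """d_i = sum_j w_ij: the diagonal of the weighted degree matrix."""
    return [sum(row) for row in w]


def gcn_layer(w_adj: Matrix, x: Matrix, phi: Matrix) -> Matrix:
    """One graph convolution A = f(D~^{-1/2} (I_N + W) D~^{-1/2} X Phi)."""
    n = len(w_adj)
    ident = identity(n)
    # Eq. (7): self-loops added to the weighted adjacency matrix.
    a_tilde = [[ident[i][j] + w_adj[i][j] for j in range(n)] for i in range(n)]
    d_tilde = degrees(a_tilde)            # modified degree matrix of a_tilde
    # Symmetric normalisation: entry ij becomes a~_ij / sqrt(d~_i d~_j).
    propagated = [[a_tilde[i][j] / sqrt(d_tilde[i] * d_tilde[j]) for j in range(n)]
                  for i in range(n)]
    pre_activation = matmul(matmul(propagated, x), phi)
    return [[max(0.0, v) for v in row] for row in pre_activation]  # ReLU (assumed)


def mean_pool(hidden: Matrix) -> List[float]:
    """Graph pooling layer: mean of all node-level representations."""
    return [sum(col) / len(hidden) for col in zip(*hidden)]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + exp(-z))


def detect(w_adj: Matrix, x: Matrix, phi: Matrix,
           fc_weights: List[float], fc_bias: float) -> Tuple[float, int]:
    """Return (sigmoid output, gamma*); gamma* = 1 iff the output exceeds 0.5."""
    pooled = mean_pool(gcn_layer(w_adj, x, phi))
    score = sigmoid(sum(p * wt for p, wt in zip(pooled, fc_weights)) + fc_bias)
    return score, 1 if score > 0.5 else 0


def graph_laplacian(w_adj: Matrix) -> Matrix:
    """Eq. (8): I_N - D^{-1} W, with D the weighted degree diagonal matrix.
    Isolated switches (d_i = 0) keep a zero row off the diagonal."""
    n = len(w_adj)
    d = degrees(w_adj)
    ident = identity(n)
    return [[ident[i][j] - (w_adj[i][j] / d[i] if d[i] else 0.0)
             for j in range(n)] for i in range(n)]


# Constructed three-switch chain S1 - S2 - S3 with unit edge weights.
W_ADJ: Matrix = [[0.0, 1.0, 0.0], [1.0, 0.0, 1.0], [0.0, 1.0, 0.0]]
# Constructed node attributes (two features per switch) and layer weights.
X_NODES: Matrix = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]]
PHI: Matrix = [[1.0], [1.0]]
FC_WEIGHTS = [1.0]
FC_BIAS = -1.0

if __name__ == "__main__":
    print("hidden", gcn_layer(W_ADJ, X_NODES, PHI))
    print("score, gamma*", detect(W_ADJ, X_NODES, PHI, FC_WEIGHTS, FC_BIAS))
    print("laplacian", graph_laplacian(W_ADJ))
```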

of switches that are neither the primary switches forwarding the attack traffic nor the 1-hop neighbors away from them in the target network during the time step Δt. The switches ξ_Mv containing the attacking flows are the ones that forward a large amount of attack traffic or connect to the victims directly during DDoS attacks. The neighbor switching nodes ξ_Nv are the set of switches with a 1-hop distance to ξ_Mv.

Algorithm 1 The suspicious traffic detection algorithm based on graph convolutional neural network model
Require: $\wp$, $\gamma$, $\varpi_{adjacency}$
Ensure: $\gamma^{*}$
1: Training the DDoS detecting model: ⊳ the model training is implemented for graphs belonging to the $Train$ time step
2: for $\wp^{\Delta t}$ where $\Delta t = 1 : Train$ do
3:   Calculate  with Eq. 4 and Eq. 5 for each GCN layer
4:   Obtain $\wp^{\Delta t}$ by combining  from multiple GCN layers to use the graph pooling
5:   Transfer $\wp^{\Delta t}$ to fully connected layers and the sigmoid layer
6:   Gain the error by comparing the sigmoid layer output to $\gamma^{\Delta t}$
7:   Tune the model parameters by back-propagating the error
8: end for
9: Testing the DDoS detecting model: ⊳ the remaining graphs are utilized for testing the proposed attack detection model
10: for $\wp^{\Delta t}$ where $\Delta t = 1 : Test$ do
11:   Obtain the sigmoid layer output $\gamma^{\Delta t}_{sigmoid}$ by the learned model parameters
12:   if $\gamma^{\Delta t}_{sigmoid} > 0.5$ then
13:     $\gamma^{*\Delta t} = 1$
14:   else
15:     $\gamma^{*\Delta t} = 0$
16:   end if
17: end for
Require: $\gamma^{*\Delta t}$, $\kappa$, $\varpi^{\Delta t}_{degree}$, $\varpi^{\Delta t}_{adjacency}$ ⊳ the value of $\kappa$ is set to 3 for identifying the three status types of the switch
Ensure: ξ_n, ξ_Mv, ξ_Nv
18: if $\gamma^{*\Delta t} = 1$ then
19:   Calculate the Graph Laplacian $\mathbf{I}_N - \varpi^{\Delta t}_{adjacency} \times \left(\varpi^{\Delta t}_{degree}\right)^{-1}$
20:   Calculate the first $k$ eigenvectors $q_1, q_2, \ldots, q_k$ of the Laplacian corresponding to $k$ of its smallest eigenvalues
21:   Form $Q \in \mathbb{R}^{N \times k}$ containing the vectors $q_1, q_2, \ldots, q_k$
22:   for $i = 1$ to $N$ do
23:     let $a_i \in \mathbb{R}^{k}$ be the vector corresponding to the $i$-th row of $Q$
24:   end for
25:   Cluster the vector points $(a_i)_{i=1,2,\ldots,N} \in \mathbb{R}^{k}$ with the K-Means algorithm into $\xi^{\Delta t}_{n}$, $\xi^{\Delta t}_{Mv}$, $\xi^{\Delta t}_{Nv}$ where $\mu_{AT}[\xi^{\Delta t}_{n}] > \mu_{AT}[\xi^{\Delta t}_{Nv}] > \mu_{AT}[\xi^{\Delta t}_{Mv}]$ or $\mu_{TD}[\xi^{\Delta t}_{Mv}] > \mu_{TD}[\xi^{\Delta t}_{Nv}] > \mu_{TD}[\xi^{\Delta t}_{n}]$ ⊳ any network average performance values
26: else
27:   Consider all switches $\xi \in \xi^{\Delta t}_{n}$
28: end if

3.4. Mitigating DDoS attacks

With the above proposed Graph Convolutional Neural Network based detection model, it is easy to learn which switches in the network topology environment forwarded the attack traffic. To effectively mitigate DDoS attacks, it is necessary to shield as many attacking flows as possible in a real network environment and minimize the false kill of the normal service flows to avoid disconnecting the communications of legitimate clients. Hence, the traditional strategy of simply dropping packets is not suitable here. To reduce the error rate of false positives and false negatives for packet dropping, and at the same time reduce the processing latency of traffic engineering mitigation schemes based on methods such as machine learning, a more targeted and flexible programmable segment rerouting approach is adopted instead of the above strategy to mitigate DDoS attacks.

When the attack detection model detects an abnormal network status, the mitigation policy is triggered, which puts the mitigation APP deployed on the ONOS controller into the attack mitigation state. The mitigation APP first identifies the attack flows based on the pre-set white-list mechanism and then migrates the attack flows with the segment routing method and forwards the normal benign flows. The black-and-white lists include static black-and-white lists and dynamic black-and-white lists, where the static black-and-white lists are defined by prior knowledge, such as individual IP addresses and IP address segments. The other is the dynamic black-and-white list, which the mitigation APP collects by regular polling of network status information based on some rules. The mitigation APP follows the rules to analyze the stored information for updating the black-and-white list, such as whether the flow has a pair-flow, whether the number of flows with the same source IP address exceeds the set dynamic threshold at the time steps, and whether the number of flows with the same source IP address exceeds the dynamic threshold value. Then the source IP addresses that satisfy the above rules are added to the blacklist and sent to the mitigation agent at the same time. Such a dynamic threshold can be automatically adjusted to the real-time status of the network environment. Based on the law of normal distribution, we can derive the following equation Eq. (9), which consists of the average value of the traffic and the standard deviation of the traffic.

$$T_{traffic} = \frac{\sum_{i=1}^{m} f_i}{m} + 2\left(\frac{\sum_{i=1}^{m} f_i^{2} - \mu^{2}}{m}\right) \qquad (9)$$

If the source IP address is in the whitelist, the flows are identified as benign and processed by the controller normally with the segment routing approach. Once identified as attacking flows, they are rerouted by the mitigation APP to be bypassed and preferentially migrated to the mitigation agent, which then identifies them for more fine-grained processing. With the flexibility, scalability, and applicability of Segment rerouting, network connectivity is maintained with little additional overhead imposed on the SDN controller. The purpose of segmented rerouting is to divide the route of a flow into small segments and then assign Segment Rerouting IDs to these segments and network nodes. In each segment, the path is calculated by Dijkstra or the shortest path algorithm based on IGP link weights. To change the packet headers for the optimum target, the segment rerouting code based on the P4 (Programming Protocol-independent Packet Processors) language is shown in Fig. 4. The head node encodes the computed paths and generates the labeled path information. Then the head node encapsulates the path information in the data message, which is forwarded hop by hop similar to the MPLS forwarding scheme. The SDN controller, with information about the entire network topology and network status (collected by the above INT approach), computes such paths periodically based on such knowledge. Through the above strategies, DDoS attacks are detected and then mitigated without affecting normal services.

The designed APP with mitigation features is compiled and loaded under the custom APP compilation output directory of the ONOS controller version 2.5.5. The ONOS controller locates the module in Java language and activates it (the APP is compiled with the bazel command to generate an oar file, and then activated by running the onos-app localhost install onos-apps-mga.oar install command in the oar file directory. The controller invokes the pathPalnmodule() interface in the program to realize the function of planning the forwarding path of the traffic with the current network topology information.). In the implementation of the mitigation capabilities, the code mainly defines abstract classes such as Device, Link, Path, Flow, and so on through the Core in the NB (Northbound Protocol) API, and the SB (Southbound Protocol) API to fulfill functions such as host control and packet parsing.
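The switch categories of Section 3.3 and the dynamic blacklist rules of Section 3.4, as an added example that is not the paper's or the ONOS APP's code. It takes the set of switches the detector marked as carrying attack traffic as given (the GCN and K-Means steps of Algorithm 1 are not reproduced), derives the 1-hop neighbor and normal sets from the topology, and implements the threshold of Eq. (9) as the surrounding text describes it (mean plus twice the standard deviation of the per-source flow counts). The flow window, the topology, the pair-flow interpretation (a flow counts as paired when its reverse direction was also observed) and the rule that whitelisted sources are never blacklisted are all assumptions of this example; the IP addresses reuse the host roles of Table 3.

```python
"""Mitigation-side bookkeeping: switch categories and the dynamic blacklist.

Added example, not code from the paper. Flow records and topology are
constructed inline; IP addresses reuse the host roles of Table 3.
"""
from collections import Counter
from math import sqrt
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, packet count)


def categorize_switches(adjacency: Dict[str, Set[str]],
                        attack_switches: Set[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Derive the three switch sets of Section 3.3 from the detector's output.

    xi_Mv: switches the detector marked as carrying mainly attack traffic
    xi_Nv: switches one hop away from any xi_Mv switch (and not in xi_Mv)
    xi_n : every remaining switch
    The clustering of Algorithm 1 is taken as given via attack_switches.
    """
    mv = set(attack_switches)
    nv = {nb for s in mv for nb in adjacency.get(s, set())} - mv
    n = set(adjacency) - mv - nv
    return n, mv, nv


def traffic_threshold(samples: List[float]) -> float:
    """Dynamic threshold of Eq. (9) as the text describes it: the mean of the
    samples plus twice their (population) standard deviation. Assumed reading."""
    m = len(samples)
    if m == 0:
        return 0.0
    mu = sum(samples) / m
    var = sum(f * f for f in samples) / m - mu * mu
    return mu + 2.0 * sqrt(max(var, 0.0))  # max() guards rounding below zero


def update_blacklist(flows: List[Flow], whitelist: Set[str],
                     blacklist: Set[str]) -> Tuple[float, Set[str]]:
    """Apply the blacklist rules of Section 3.4 to one polling window.

    A flow that has a pair-flow (its reverse direction was also observed) is
    treated as an ordinary exchange and not counted. Sources whose number of
    unpaired flows exceeds the dynamic threshold are blacklisted unless they
    are on the static whitelist, which is checked first.
    Returns the threshold used and the newly blacklisted sources.
    """
    seen = {(src, dst) for src, dst, _ in flows}
    unpaired = Counter(src for src, dst, _ in flows if (dst, src) not in seen)
    thr = traffic_threshold(list(unpaired.values()))
    new = {src for src, cnt in unpaired.items() if src not in whitelist and cnt > thr}
    blacklist |= new
    return thr, new


def constructed_window() -> List[Flow]:
    """Constructed sample window: eight benign clients with a few flows each,
    one busy server with bidirectional traffic, and flooding host H_4
    sending 40 unidirectional flows towards the victim H_30."""
    flows: List[Flow] = []
    for i, count in enumerate([2, 3, 1, 2, 2, 3, 1, 2]):
        client = f"10.0.2.{10 + i}"
        flows += [(client, "10.0.8.101", 5)] * count
    for j in range(30):  # server 10.0.3.103 exchanges traffic with 30 peers
        peer = f"10.0.6.{j + 1}"
        flows.append(("10.0.3.103", peer, 20))
        flows.append((peer, "10.0.3.103", 10))
    flows += [("10.0.1.104", "10.0.8.101", 1000)] * 40  # unidirectional flood
    return flows


if __name__ == "__main__":
    # Constructed six-switch topology; s3 is the switch flagged by detection.
    topo = {"s1": {"s2"}, "s2": {"s1", "s3", "s6"}, "s3": {"s2", "s4"},
            "s4": {"s3", "s5"}, "s5": {"s4"}, "s6": {"s2"}}
    print("xi_n, xi_Mv, xi_Nv =", categorize_switches(topo, {"s3"}))
    thr, added = update_blacklist(constructed_window(), {"10.0.3.103"}, set())
    print(f"threshold={thr:.2f} newly blacklisted={added}")
```

With the constructed window the threshold comes out at roughly 30 unpaired flows, so the eight clients (at most three flows each) stay off the list, the server is never counted because all of its flows have a pair-flow, and only the flooding host is added. Because the threshold is recomputed from each window, a single burst from a whitelisted host raises the threshold for everyone else in that window; a deployment that wants a stabler threshold would compute it over several time steps, as the text's "at the time steps" suggests.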

Fig. 4. The P4 pipeline design for the rerouting mechanism.

Fig. 5. The topology of the experimental network.

Fig. 6. The diagram of the actual network equipment layout.

Table 3
The setting of device addresses and states.
Device              IP address        State
Controller          192.168.71.128    –
P4 Switch_1         172.16.50.241     –
P4 Switch_2         172.16.50.242     –
P4 Switch_3         172.16.50.243     –
…                   …                 …
P4 Switch_12        172.16.50.248     –
Mitigation Agent    192.168.71.156    –
Legacy switch_1     10.0.11.151       –
Legacy switch_2     10.0.11.152       –
…                   …                 …
Legacy switch_8     10.0.11.158       –
H_4                 10.0.1.104        Malicious
H_16                10.0.4.104        Malicious
H_20                10.0.5.104        Malicious
H_7                 10.0.3.103        Normal
H_8                 10.0.3.104        Normal
…                   …                 Normal
H_28                10.0.4.103        Normal
H_29                10.0.4.104        Normal
H_30                10.0.8.101        Under attack

4. Evaluation and discussion

4.1. Implementation of system

The Software-Defined Network architecture and the fat-tree topology are considered as the network topology in this paper. The simulation experiments are performed in Mininet [48]¹ and ONOS [49]² is selected as the controller of the network. The hardware and operating system configuration is an Intel(R) Xeon(R) CPU E3-1230 [email protected] 4 Core, 8 GB RAM, and Ubuntu 18.04. The experimental topology consists of 12 programmable switches, 8 legacy switches, and 30 hosts, as shown in Fig. 5. Hosts H_4, H_16, and H_20 are selected as malicious hosts to launch DDoS attacks with the HPING [50] command.³ Host H_30 is the victim host, the remaining hosts are normal hosts, and the CAIDA traffic traces [51]⁴ are utilized to generate the background traffic. The relevant settings for the devices are listed in Table 3. The INT sampling module, the sketch-based whitelist module, and the segment rerouting module have been developed in the P4 language on the programmable switch. The mitigation app is developed in Java and the graph convolutional network detection module is developed in Python on the ONOS controller. To test the performance of the proposed scheme in a real network topology, we deploy it in the cabinet of the computer room, and the hardware components of the prototype system are illustrated in Fig. 6, where the servers and some programmable switches with Tofino chips are shown, and the operation interface of the controller is shown on the left of the picture. The bmv2 program is executed on a server running Ubuntu 18.04, equipped with an Intel(R) Xeon(R) CPU E3-1230 [email protected] 4 Cores and 8 GB of memory. ONOS is deployed on a server running Ubuntu 18.04 with an Intel(R) Xeon(R) Silver CPU 4214 @2.20GHz48 12 Cores and 62.6 GB of memory. The P4 programmable switch used is the Barefoot Networks Wedge 100BF-32, running the Open Network Linux OS ONL-master system, with an Intel(R) Xeon(R) CPU [email protected] GHz and 16 GB of memory.

¹ https://mininet.org/.
² https://opennetworking.org/onos/.
³ https://linux.die.net/man/8/hping3.
⁴ https://www.caida.org/data/passive.

4.2. Experimental setup and parameters setting

The experiment utilizes the ISP Maps dataset from the Rocketfuel dataset [52] and the CAIDA traffic traces dataset [51]. Rocketfuel is an Internet Service Provider topology mapping engine provided by the University of Washington that measures routing-level ISP network topologies. To facilitate the cross-validation experiments conducted by [14,53], 80% of the samples are selected as the training dataset and the remaining 20% as the test dataset by setting the same experimental

Table 4
Flow entropy difference of different flow window values in the experimental topology.
Size of the detection window   Entropy value (normal flow)   Entropy value (attack traffic)   Entropy difference
5                              1.04                          1.62                             0.58
10                             1.32                          2.12                             0.80
50                             1.83                          4.25                             2.42
100                            3.03                          5.16                             2.13
200                            4.63                          6.07                             1.44

data background as theirs. Both of the above two datasets are in .pcap format. The size of the detection window is determined by the effect of different traffic window values on the variation of the entropy values. As shown in Table 4, when the flow window value increases to 50, the entropy difference between the entropy value under normal traffic and the entropy value under attack traffic is the most significant, hence the traffic window is set to 50 for the subsequent experiments. The GCN model is trained in the detection phase with 2 graph convolutional layers, each with 64 units and a dropout of 0.3 to reduce overfitting, 2 fully connected layers with 32 and 16 units, and a sigmoid layer, all of which use the ReLU activation function. The model has been trained for 50 epochs with the repeated stratified K-fold technique, where the settings are $n\_splits = 5$ and $n\_repeats = 2$.
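The window-size selection behind Table 4, as an added example that is not the paper's code: it computes the Shannon entropy of each non-overlapping detection window of a flow sequence and compares the mean entropy under normal and attack traffic for several window sizes. The paper does not say which header field its entropy is taken over; this example assumes source IP addresses, and the two traces are constructed here (a skewed population of benign clients versus a flood from a fixed pool of 30 bot addresses mixed with benign traffic), so the numbers differ from Table 4 and the window with the largest gap depends on that mix, which is exactly why the paper measures it rather than fixing it in advance.

```python
"""Detection-window size versus source-IP entropy (added example).

Not code from the paper: it reproduces the procedure behind Table 4 on
constructed traffic, so the resulting figures differ from the paper's.
"""
import math
import random
from collections import Counter
from typing import List, Tuple


def entropy(values: List[str]) -> float:
    """Shannon entropy in bits of the value distribution inside one window."""
    total = len(values)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total)
                for c in Counter(values).values())


def window_entropies(src_ips: List[str], window: int) -> List[float]:
    """Entropy of every full, non-overlapping window of `window` flows."""
    return [entropy(src_ips[i:i + window])
            for i in range(0, len(src_ips) - window + 1, window)]


def constructed_traces(n_flows: int = 2000, seed: int = 7) -> Tuple[List[str], List[str]]:
    """Constructed source-IP sequences (assumption of this example).

    normal: 64 benign clients with Zipf-like popularity.
    attack: 80% of flows from a fixed pool of 30 bot addresses, the rest
            the same benign clients, i.e. a flood from a small botnet.
    """
    rng = random.Random(seed)
    clients = [f"10.0.3.{i}" for i in range(1, 65)]
    weights = [1.0 / i for i in range(1, 65)]
    bots = [f"10.0.9.{i}" for i in range(1, 31)]
    normal = rng.choices(clients, weights=weights, k=n_flows)
    attack = [rng.choice(bots) if rng.random() < 0.8
              else rng.choices(clients, weights=weights)[0]
              for _ in range(n_flows)]
    return normal, attack


def entropy_difference(window: int, n_flows: int = 2000,
                       seed: int = 7) -> Tuple[float, float, float]:
    """Mean per-window entropy under normal and attack traffic, and the gap."""
    normal, attack = constructed_traces(n_flows, seed)
    h_normal = sum(window_entropies(normal, window)) / max(1, len(normal) // window)
    h_attack = sum(window_entropies(attack, window)) / max(1, len(attack) // window)
    return h_normal, h_attack, h_attack - h_normal


def best_window(candidates: List[int]) -> int:
    """The candidate window whose normal/attack entropy gap is largest, which
    is the criterion the paper applies to Table 4 when it settles on 50."""
    return max(candidates, key=lambda w: entropy_difference(w)[2])


if __name__ == "__main__":
    for w in (5, 10, 50, 100, 200):
        h_n, h_a, gap = entropy_difference(w)
        print(f"window={w:4d} normal={h_n:.2f} attack={h_a:.2f} diff={gap:.2f}")
    print("largest gap at window", best_window([5, 10, 50, 100, 200]))
```

Two properties of the table fall out of the code: entropy in a window of w flows is bounded by log2(w), so very small windows cannot separate the two cases well, and once the window is large enough to see most of the attacking sources the attack entropy saturates while the entropy of diverse benign traffic keeps rising, which is what narrows the gap again at 100 and 200 in Table 4.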

4.3. Efficiency of the trusted node deployment algorithm

Ten AS raw topology data are selected from the ISP Maps dataset to verify the effectiveness of the trusted node deployment algorithm, and the number of nodes in each AS topology is counted and then compared with the algorithm proposed by SDN-Balance [54], as shown in Fig. 7. From the selected ten AS topologies, only the autonomous system with AS_ID 4755 has slightly fewer nodes selected by the Balance algorithm than by the deployment method proposed in this paper. In the other ASs, the number of nodes selected for deployment in this paper is significantly less than that of the Balance algorithm, because the proposed algorithm gives preference to nodes with larger degrees and tries to ensure that two trusted detection nodes are not adjacent to each other, while SDN-Balance does not have this principle. When the network topology is large, the trusted node deployment algorithm only needs to select half of the nodes to monitor all link information, which is better than the SDN-Balance selection.

Fig. 7. In comparison with other deployment algorithms, the variation in the number of nodes selected for deployment.

A southbound interface is typically utilized to send packet headers to the control plane, where the headers are then analyzed and network traffic is classified. Nevertheless, excessive load on the southbound interface can affect the normal communication between the control and data planes. Thus, with the help of P4 programmable switches, the INT technique is deployed to achieve information awareness of the network status under different attacks, as shown in Fig. 8. Running the sampling-enabled program on the physical P4-Tofino switches in the server room results in a certain CPU consumption compared to the normal switch CPU occupation, but the consumption stays low while the effectiveness of the distributed sampling function is ensured, as shown in Fig. 9.

4.4. Impact of attacks and mitigation on network performance

As mentioned above, feature values for link statuses and switch statuses are extracted and identified, and then the results are utilized to detect whether each switch in the network contains the attack traffic. To validate the ability of the proposed detection and mitigation scheme for DDoS attacks, it is evaluated and analyzed by the following metrics: accuracy of DDoS attack detection, effectiveness of DDoS attack mitigation, and overhead of the proposed scheme.

4.4.1. Accuracy of DDoS attacks detection model

The performances of different detection models are simulated and compared to verify the effectiveness of the proposed learning model against DDoS flooding attacks. The performance evaluation metrics utilized mainly include accuracy, precision, recall, F1-score, receiver operating characteristic curve (ROC), and Area Under Curve (AUC). The performance metrics can be calculated by the following equations:

$$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \qquad (10)$$

$$\mathrm{Recall} = \frac{TP}{TP + FN} \qquad (11)$$

$$\mathrm{Precision} = \frac{TP}{TP + FP} \qquad (12)$$

$$\text{F-score} = \left(\frac{\mathrm{Precision}^{-1} + \mathrm{Recall}^{-1}}{2}\right)^{-1} \qquad (13)$$

$$\text{False Positive Rate} = \frac{FP}{FP + TN} \qquad (14)$$

where $TP$ represents true positives, which means the number of switches judged to contain attack traffic that actually contain attack traffic, $FP$ represents false positives, which means the number of switches judged to contain attack traffic that actually do not contain attack traffic, $TN$ represents true negatives, which means the number of switches judged not to contain attack traffic that actually do not contain attack traffic, and $FN$ represents false negatives, which means the number of switches judged not to contain attack traffic that actually contain attack traffic.

The same dataset is utilized to train and test the proposed GCN model and five other models for detecting suspicious traffic, namely CNN, DNN, PSO-BPNN, Random Forest, and SVM, and they are then compared by taking the average of their multiple experimental results. The above performance metrics are characterized by the confusion matrix, which is shown in Fig. 10. The average results of

Fig. 8. The CPU utilization of P4 switches based on INT sampling under different kinds of attacks.

Fig. 9. The CPU utilization of network state awareness with the P4 switches.

Table 5
Performance of different classification algorithms.
Model           Accuracy (%)   Precision (%)   Recall (%)   F1-score (%)
GCN             99.21          99.30           99.29        99.29
CNN             97.02          96.97           97.64        97.28
DNN             96.57          94.63           94.36        94.49
SVM             94.93          93.24           92.77        93.00
Random forest   89.93          90.69           95.69        93.12
PSO-BPNN        93.43          85.70           94.17        89.74

Table 6
The comparison of AUC of different detection schemes.
Detection scheme   Proposed scheme   Deep learning scheme   Two-level scheme   Programmable switch-based scheme
AUC                0.982             0.979                  0.968              0.931

multiple experiments are shown in Table 5. Since the detection model is trained offline and will not be updated frequently, and the attacks can cause great harm to the network, the detection model requires higher sensitivity to the attacks, and training time is a lesser concern. The detection accuracy of the GCN model is 2.19%, 2.64%, 4.28%, 9.28%, and 5.78% higher than that of the other five classifier algorithms, respectively. Hence, the GCN model is more suitable than the other five detection models as a detection model for DDoS flooding attacks.

4.4.2. Accuracy of DDoS attacks detection scheme

To further prove the superiority of the proposed detection model, we compare the proposed high-accuracy detection scheme based on INT sampling and GCN classification with the deep learning-based scheme [23], the two-level detection scheme [37], the statistical analysis-based scheme [35], and the programmable data plane-based scheme [42] in comparison experiments. With the same dataset and experimental environment, the detection accuracy experiments are performed for each detection scheme against three attacks, TCP Flood, UDP Flood, and HTTP Flood, and then their average values are collected for comparison, as shown in Fig. 11. In the comparison experiments with the traditional detection schemes, the proposed scheme has 99.19%, 99.20%, and 99.17% detection accuracy for the three attacks, TCP Flood, UDP Flood, and HTTP Flood, while the programmable switch-based detection scheme has the lowest detection accuracy for the attack traffic. Hence, the proposed scheme based on INT sampling and the GCN model for attack traffic detection performs better than the other schemes.

The ROC and AUC of the different detection schemes are also computed for the experiments, as shown in Fig. 12. The proposed detection scheme has the highest curve steepness and the programmable switch-based information entropy scheme has the lowest curve steepness. The deep learning detection scheme and the two-level detection scheme are in between the other two. The AUC value of the proposed detection scheme is 0.982, the AUC value of the deep learning detection scheme is 0.979, the AUC value of the two-level detection scheme is 0.968, and the AUC value of the programmable switch-based information entropy detection scheme is 0.931. In conclusion, based on the scenario and detection requirements of this paper, the proposed scheme based on INT sampling and the GCN detection model can achieve high accuracy and meet the fine-grained detection requirements, as shown in Table 6.

4.4.3. Effectiveness of DDoS attacks mitigation scheme

To evaluate the effectiveness of the proposed scheme for DDoS attack mitigation, the average network recovery delay and the average network throughput are applied as performance metrics to compare the experiments with other mitigation schemes. Three different types of DDoS attacks are launched against the victim servers in the topology with botnets, and the attack rate increases from 0 to 30,000 pps. The service recovery time at the beginning of the attack is defined as the network recovery latency, and its values under various types of attacks are shown in Fig. 13. When the network is under DDoS attacks, the service time for a particular service of the network increases significantly and the network latency is high, but after the customized traffic migration rules are installed on the programmable switch and the attack packets are quickly migrated to the mitigation agent, the network immediately returns to normal.

In the above experimental settings, DDoS flooding attacks of different severities are launched, and the effectiveness of the SDN-FADM scheme, the programmable switch-based packet loss mitigation scheme, the deep reinforcement learning-based traffic engineering mitigation

Fig. 10. Comparison of the confusion matrices of the proposed GCN, CNN, DNN, PSO-BPNN, Random Forest, and SVM classification algorithms.

Fig. 11. In comparison with other detection schemes, the variation of detection accuracy probability for different attack traffic.

Fig. 12. The comparison of ROC of different detection schemes.

solution, and the proposed scheme in terms of average network recovery latency are compared, as shown in Fig. 14. The deep reinforcement learning-based traffic engineering mitigation scheme introduces more delay by reconfiguring the routing policy on the network, which makes the network recovery delay longer because the attack traffic is handled with a longer delay. The programmable switch-based hardware packet loss mitigation scheme, by contrast, processes the attack traffic faster, resulting in a shorter network recovery delay. In the comparison experiments for the average throughput of the victim sites, although the SDN-FADM scheme has faster throughput recovery than the scheme based on deep reinforcement learning traffic engineering for mitigation, it suffers from large detection errors that lead to large errors in dropping attack packets according to the whitelist, so the later throughput is still too high and still exceeds the processing capacity of the normal load, as shown in Fig. 15. Thus, it can be shown that the proposed scheme is slower than the hardware-based mitigation but mitigates the attack traffic better and is more suitable for SD-IoT scenarios.

4.4.4. Overhead of the DDoS attacks detection and mitigation scheme

The proposed detection and mitigation scheme runs mainly on the ONOS controller, so its operational overhead is evaluated by the average CPU utilization of the controller. To facilitate the evaluation of the comparison schemes, the same experimental background is set up. DDoS flood attacks are launched on the victim sites in the topology for a time of 5 min with an attack rate of 30,000 pps, and the CPU utilization of the controller is monitored, as shown in Fig. 16. All three schemes have very low CPU utilization in the normal state, and when the DDoS attacks start at about 03:30 min, CPU utilization increases significantly. After a period of time, the CPU utilization returns to normal. The CPU utilization of the proposed scheme and the FADM scheme is much lower than that of the deep learning-based detection scheme. The

Fig. 13. The variation of network recovery delay under different types of DDoS attacks.

Fig. 14. In comparison with other mitigation schemes, the variation of the average network recovery delay for different attack severities.

Fig. 15. In comparison with other mitigation schemes, the variation of the average throughput at the victim sites.

Fig. 16. In comparison with other detection and mitigation schemes, the variation of average CPU utilization.

proposed scheme deploys the network state sampling function to the INT professional server and the mitigation whitelist directly to the P4 programmable switch, thus the CPU utilization of the controller is lower than that of the FADM scheme, which requires the participation of the controller for all functions. With the proposed attack detection and mitigation scheme based on INT sampling and the GCN model, the network can recover in a short time, which shows that our proposed attack detection and attack mitigation mechanism is very effective.

5. Conclusion

In this paper, a DDoS attack detection and mitigation scheme based on INT distributed sampling and a GCN learning model in SDN is proposed. The P4 switch deployment problem is first discussed, and then INT sampling and P4 switch deployment algorithms are combined. The DDoS detection scheme can be divided into two stages, which are DDoS detection and DDoS identification. The DDoS detection stage utilizes a Graph Convolutional Network designed for graph-level classification tasks to detect in a fine-grained manner whether a given SD-IoT network is under DDoS flooding attacks. If DDoS attacks are detected in the first stage, the DDoS identification stage with spectral clustering is employed to identify the switches in the network that contain attack traffic, which allows the use of an enhanced whitelist based on dynamic thresholds and a fast reroute migration mitigation policy deployed on P4 programmable switches to intercept the attack traffic and improve the network performance degraded by DDoS attacks. Simulation experiments are run to compare performance metrics such as accuracy, precision, and ROC of different detection algorithms. The performance of the proposed detection and mitigation scheme is also compared with other schemes. The experimental results show that the proposed scheme has high detection accuracy and efficiency, which also validates the superiority of the proposed anomaly detection scheme in DDoS attack scenarios. In future work, the proposed mechanisms will be combined with blockchain and federated machine learning to explore further targeted research under the premise of data privacy protection.

CRediT authorship contribution statement

Jie Ma: Conceptualization, Methodology, Software, Funding acquisition, Writing – review & editing. Wei Su: Validation, Formal analysis, Investigation, Data curation, Software, Writing – original draft. Yikun Li: Project administration, Writing – review & editing. Yihua Peng: Writing – review & editing.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability

No data was used for the research described in the article.

Acknowledgments

This work was supported in part by the Fundamental Research Funds for the Central Universities, China under Grant 2022YJS149 and the Ministry of Education Innovation Group Joint Fund 8091B042222.

References

[1] K. Fizza, A. Banerjee, P.P. Jayaraman, N. Auluck, R. Ranjan, K. Mitra, D. Georgakopoulos, A survey on evaluating the quality of autonomic internet of things applications, IEEE Commun. Surv. Tutor. 25 (1) (2023) 567–590.
[2] A. Koohang, C.S. Sargent, J.H. Nord, J. Paliszkiewicz, Internet of things (IoT): From awareness to continued use, Int. J. Inf. Manage. 62 (102442) (2022).
[3] L.P. Rondon, L. Babun, A. Aris, K. Akkaya, A.S. Uluagac, Ivycide: Smart intrusion detection system against E-IoT driver threats, IEEE Internet Things J. 10 (10) (2023) 8533–8546.
[4] J. Bhayo, R. Jafaq, A. Ahmed, S. Hameed, S.A. Shah, A time-efficient approach toward DDoS attack detection in IoT network using SDN, IEEE Internet Things J. 9 (5) (2022) 3612–3630.
[5] V. Hassija, V. Chamola, V. Saxena, D. Jain, P. Goyal, B. Sikdar, A survey on IoT security: Application areas, security threats, and solution architectures, IEEE Access 7 (2019) 82721–82743.
[6] J. Wang, R. Wen, J. Li, F. Yan, B. Zhao, F. Yu, Detecting and mitigating target link-flooding attacks using SDN, IEEE Trans. Dependable Secure Comput. 16 (6) (2019) 944–956.
[7] R.F. Hayat, S. Aurangzeb, M. Aleem, G. Srivastava, J.C.-W. Lin, ML-DDoS: A blockchain-based multilevel DDoS mitigation mechanism for IoT environments, IEEE Trans. Eng. Manage. (2022) 1–14.
[8] O. Osanaiye, K.-K.R. Choo, M. Dlodlo, Distributed denial of service (DDoS) resilience in cloud: Review and conceptual cloud DDoS mitigation framework, J. Netw. Comput. Appl. 67 (2016) 147–165.
[9] J. Wang, Y. Liu, W. Zhang, X. Yan, N. Zhou, Z. Jiang, ReLFA: Resist link flooding attacks via renyi entropy and deep reinforcement learning in SDN-IoT, China Commun. 19 (7) (2022) 157–171.
[10] A. Febro, H. Xiao, J. Spring, B. Christianson, Synchronizing DDoS defense at network edge with P4, SDN, and blockchain, Comput. Netw. 216 (2022) 109267.
[11] NOKIA, Threat intelligence report 2023: Identifying attack trends to protect telecom networks and customers’ data, 2023, https://linux.die.net/man/8/hping3.
[12] Y. Cui, Q. Qian, C. Guo, G. Shen, Y. Tian, H. Xing, L. Yan, Towards DDoS detection mechanisms in software-defined networking, J. Netw. Comput. Appl. 190 (2021) 103156.
[13] J. Xie, F.R. Yu, T. Huang, R. Xie, J. Liu, C. Wang, Y. Liu, A survey of machine learning techniques applied to software defined networking (SDN): Research issues and challenges, IEEE Commun. Surv. Tutor. 21 (1) (2019) 393–430.
[14] Y. Liu, T. Zhi, M. Shen, L. Wang, Y. Li, M. Wan, Software-defined DDoS detection with information entropy analysis and optimized deep learning, Future Gener. Comput. Syst.-Int. J. Esci. 129 (2022) 99–114.
[15] K. Sood, S. Yu, Y. Xiang, Software-defined wireless networking opportunities and challenges for internet-of-things: A review, IEEE Internet Things J. 3 (4) (2016) 453–463.
[16] N. Ahmed, S. Misra, Collaborative flow-identification mechanism for software-defined internet of things, IEEE Internet Things J. 9 (5) (2022) 3457–3464.
[17] K. Kalkan, L. Altay, G. Gür, F. Alagöz, JESS: Joint entropy-based DDoS defense scheme in SDN, IEEE J. Sel. Areas Commun. 36 (10) (2018) 2358–2372.
[18] R. Wang, Z. Jia, L. Ju, An entropy-based distributed DDoS detection mechanism in software-defined networking, in: 2015 IEEE TRUSTCOM/BIGDATASE/ISPA, Vol. 1, IEEE; IEEE COMP SOC; IEEE Tech Comm Scalable Comp; Aalto Univ, Sch Elect Engn; Integrated Serv Networks, State Key Lab; NOKIA; SSH; ERICSSON; Tekes; Federat Finnish Learned Soc; Xidian Univ, 2015, pp. 310–317, Joint 14th IEEE Int Conf on Trust, Secur and Privacy in Comp and Commun / 13th IEEE Int Symposium on Parallel and Distributed Proc with Applications / 9th IEEE Int Conf on Big Data Science and Engineering (IEEE TrustCom-ISPA-BigDataSE),
[20] V. Matta, M. Di Mauro, M. Longo, DDoS attacks with randomized traffic innovation: Botnet identification challenges and strategies, IEEE Trans. Inf. Forensics Secur. 12 (8) (2017) 1844–1859.
[21] Z. Liu, Y. He, W. Wang, B. Zhang, DDoS attack detection scheme based on entropy and PSO-BP neural network in SDN, China Commun. 16 (7) (2019) 144–155.
[22] N. Ahuja, G. Singal, D. Mukhopadhyay, N. Kumar, Automated DDOS attack detection in software defined networking, J. Netw. Comput. Appl. 187 (2021).
[23] S. Kianpisheh, T. Taleb, A survey on in-network computing: Programmable data plane and technology specific applications, IEEE Commun. Surv. Tutor. 25 (1) (2023) 701–761.
[24] L. Tan, W. Su, W. Zhang, J. Lv, Z. Zhang, J. Miao, X. Liu, N. Li, In-band network telemetry: A survey, Comput. Netw. 186 (2021) 107763.
[25] R. Amin, M. Reisslein, N. Shah, Hybrid SDN networks: A survey of existing approaches, IEEE Commun. Surv. Tutor. 20 (4) (2018) 3259–3306.
[26] A.K. Sarica, P. Angin, Explainable security in SDN-based IoT networks, Sensors 20 (24) (2020).
[27] S. Siddiqui, S. Hameed, S.A. Shah, I. Ahmad, A. Aneiba, D. Draheim, S. Dustdar, Toward software-defined networking-based IoT frameworks: A systematic literature review, taxonomy, open challenges and prospects, IEEE Access 10 (2022) 70850–70901.
[28] Q. Yan, F.R. Yu, Distributed denial of service attacks in software-defined networking with cloud computing, IEEE Commun. Mag. 53 (4) (2015) 52–59.
[29] L. Galluccio, S. Milardo, G. Morabito, S. Palazzo, SDN-WISE: Design, prototyping and experimentation of a stateful SDN solution for wireless sensor networks, in: 2015 IEEE Conference on Computer Communications (INFOCOM), in: IEEE INFOCOM, IEEE, 2015, 34th IEEE Conference on Computer Communications (INFOCOM), Hong Kong, PEOPLES R CHINA, APR 26-MAY 01, 2015.
[30] D. Ding, M. Savi, D. Siracusa, Tracking normalized network traffic entropy to detect DDoS attacks in P4, IEEE Trans. Dependable Secure Comput. 19 (6) (2022) 4019–4031.
[31] J. Xing, W. Wu, A. Chen, Architecting programmable data plane defenses into the network with FastFlex, in: Proceedings of the 18th ACM Workshop on Hot Topics in Networks, HotNets ’19, Association for Computing Machinery, New York, NY, USA, 2019, pp. 161–169.
[32] M. Dimolianis, A. Pavlidis, V. Maglaris, A multi-feature DDoS detection schema on P4 network hardware, in: 2020 23RD Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN 2020), in: Conference on Innovations in Clouds Internet and Networks, IEEE; IEEE Commun Soc; ACM In Cooperat; ACM SIGMOBILE; Orange; Huawei; NOKIA; Gandi Net, 2020, pp. 1–6, 23rd Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN), Paris, FRANCE, FEB 24-27, 2020.
[33] R.M. Thomas, D. James, DDOS detection and denial using third party application in SDN, in: 2017 International Conference on Energy, Communication, Data Analytics and Soft Computing (ICECDS), IEEE, 2017, pp. 3892–3897.
[34] K.S. Sahoo, B. Sahoo, M. Vankayala, R. Dash, Detection of control layer DDoS attack using entropy metrics in SDN: An empirical investigation, in: 2017 Ninth International Conference on Advanced Computing (ICOAC), in: International Conference on Advanced Computing, 2017, pp. 281–286, 9th International Conference on Advanced Computing (ICoAC), Chennai, INDIA, DEC 14-16, 2017.
[35] Q. Zuo, M. Chen, X. Wang, B. Liu, Online traffic anomaly detection method for SDN, Xi’an Dianzi Keji Daxue Xuebao/J. Xidian Univ. 42 (1) (2015) 155–160.
[36] M.E. Ahmed, S. Ullah, H. Kim, Statistical application fingerprinting for DDoS attack mitigation, IEEE Trans. Inf. Forensics Secur. 14 (6) (2019) 1471–1484.
[37] Y. Xu, H. Sun, F. Xiang, Z. Sun, Efficient DDoS detection based on K-FKNN in software defined networks, IEEE Access 7 (2019) 160536–160545.
[38] I. Cvitić, D. Perakovic, B.B. Gupta, K.-K.R. Choo, Boosting-based DDoS detection in internet of things systems, IEEE Internet Things J. 9 (3) (2022) 2109–2123.
[39] R.T. Kokila, S.T. Selvi, K. Govindarajan, DDoS detection and analysis in SDN-based environment using support vector machine classifier, in: 2014 Sixth International Conference on Advanced Computing, in: International Conference on Advanced Computing, Anna Univ, Madras Inst Technol, Dept Comp Technol; Univ Grants Commiss; IEEE Madras Sect; Govt India, Minist Sci & Technol, Dept Sci & Technol; DST FIST, 2014, pp. 205–210, 6th International Conference on Advanced Computing (ICoAC), Chennai, INDIA, DEC 17-19, 2014.
[40] D. Hu, P. Hong, Y. Chen, FADM: DDoS flooding attack detection and mitigation system in software-defined networking, in: GLOBECOM 2017 - 2017 IEEE Global Communications Conference, in: IEEE Global Communications Conference, IEEE; Intel; Natl Instruments; Huawei; Keysight Technologies Inc; Nanyang Technol Univ, Sch Elect & Elect Engn; Rohde & Schwarz, 2017, IEEE Global Telecommunications Conference (GLOBECOM), YourSingapore, Singapore, SINGAPORE, DEC 04-08, 2017.
Aalto Univ, Helsinki, FINLAND, AUG 20-22, 2015. [41] O. Hannache, M. Batouche, Neural network-based approach for detection and
[19] D. Kwon, H. Kim, D. An, H. Ju, DDoS attack volume forecasting using a statistical mitigation of DDoS attacks in SDN environments, Int. J. Inf. Secur. Privacy 14
approach, 2017, pp. 1083–1086. (2020) 50–71.

217
J. Ma et al. Future Generation Computer Systems 154 (2024) 206–218

Jie Ma is currently working toward the Ph.D. degree with the School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing. His research interests include future network architecture, software-defined Internet of things, network security, and machine learning.

Wei Su got the Ph.D. degree in Communication and Information Systems from Beijing Jiaotong University in January 2008. He was granted the title of professor in November 2015 and mainly engaged in researching key theories and technologies for the next-generation Internet and has taken part in many national projects such as the National Basic Research Program (also called 973 Program), the Projects of Development Plan of the State High Technology Research, the National Natural Science Foundation of China.

Yikun Li is currently pursuing the Ph.D. degree with School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China. His research interests include network security and deterministic networks.

Yihua Peng is currently pursuing a Ph.D. degree with the School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing, China. His primary research interests include network security and in-band network telemetry.
