Huifen Feng,Xincheng Yan,Na Zhou,Zhihong Jiang,Ying Liu

DOI: https://doi.org/10.1145/3491396.3506508

2021-01-01

Abstract:At present, using a large number of unsafe IoT devices to form botnets and launching DDoS attacks have become one of the main threats to IoT security. However, most of the existing DDoS attack defense methods are limited to being implemented within a single controller management network domain. In fact, many IoT devices that attackers build botnets are usually located in the jurisdiction of different controllers. Therefore, a mechanism is needed for each domain to cooperate with each other and share information about the attack source, so as to realize the defense against DDoS attacks across multiple domains. Blockchain technology's decentralization and group trusted collaboration mechanism provide a new method for solving cross-domain DDoS attack defense. This article combines SDN and blockchain with IoT, and proposes a cross-domain collaborative DDoS defense scheme based on blockchain and SDN architecture. It allows multiple SDN-based domains to collaborate with each other and share attack source information in a decentralized manner, making collaborative DDoS attack defense across multiple domains more flexible. Experimental results show that the defense mechanism has flexibility, feasibility, and safety.

Shanqing Jiang,Lin Yang,Xianming Gao,Yuyang Zhou,Tao Feng,Yanbo Song,Kexian Liu,Guang Cheng

DOI: https://doi.org/10.1155/2022/1608689

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Software-Defined Networking (SDN) enhances the flexibility and programmability of networks by separating control plane and data plane. The logically centralized control mechanism makes the control plane vulnerable in both single and multiple controller scenarios. Malicious third parties can exploit vulnerabilities of reactive forwarding mode to launch distributed denial-of-service (DDoS) attacks against SDN controllers. Unfortunately, existing DoS/DDoS solutions under single controller can not afford effective performance under multiple controllers due to the absence of cooperative detection and mitigation. To solve the above problem, we propose a blockchain-based SDN-targeted DDoS defense framework (BSD-Guard) that can provide cooperative detection and mitigation mechanism to protect SDN controllers. BSD-Guard introduces a blockchain-based secure middle plane between control plane and data plane. The secure middle plane calculates the suspect rate of new flows based on the collected packets’ information and reports suspect lists to blockchain for immutably storing and sharing. Besides, the smart contract deployed on blockchain in advance constitutes collaborative defense strategies based on the suspect lists reported from multiple SDN domains. When receiving defense strategies, the secure middle plane converts them to specific flow table actions and installs actions into relevant switches. The experimental results indicate that BSD-Guard can efficiently detect DoS/DDoS attacks in multiple controllers scenario and issue precise defensive strategies near the source of attack by identifying the attack path.

Boren He,Futai Zou,Yue Wu

DOI: https://doi.org/10.1109/ssic.2018.8556830

2018-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threat in current internet. Software Defined Network (SDN) is novel network structure based on the idea of separation of control plane and data plane. SDN allows us to program and monitor networks, and decide how to forward a packet, so it provides a new solution to defend DDoS attack. This paper proposes a multi-SDN Based cooperation scheme to defend DDoS attack. We adopt machine learning to detect DDoS attack, and design a protocol to enable communication among controllers. This protocol can achieve two goals, one is to build and maintain an independent network among controllers of different SDN, and the other is to enable attack information exchange among controllers, so they can find attacker and mitigate DDoS attack. The experimental results show that the proposed protocol can achieve high detection accuracy, find attackers accurately and mitigate DDoS attack traffic effectively with a relatively low cost and latency.

Hongcheng Huang,Peixin Ye,Min Hu,Jun Wu

DOI: https://doi.org/10.1016/j.dcan.2022.04.008

IF: 6.348

2022-04-01

Digital Communications and Networks

Abstract:Nowadays, a large number of intelligent devices involved in the Industrial Internet of Things (IIoT) environment are posing unprecedented cybersecurity challenges. Due to the limited budget for security protection, the IIoT devices are vulnerable and easily compromised to launch Distributed Denial-of-Service (DDoS) attacks, resulting in disastrous results. Unfortunately, considering the particularity of the IIoT environment, most of the defense solutions in traditional networks cannot be directly applied to IIoT with acceptable security performance. Therefore, in this work, we propose a multi-point collaborative defense mechanism against DDoS attacks for IIoT. Specifically, for the single point DDoS defense, we design an edge-centric mechanism termed EdgeDefense for the detection, identification, classification, and mitigation of DDoS attacks and the generation of defense information. For the practical multi-point scenario, we propose a collaborative defense model against DDoS attacks to securely share the defense information across the network through the blockchain. Besides, a fast defense information sharing mechanism is designed to reduce the delay of defense information sharing and provide a responsive cybersecurity guarantee. The simulation results indicate that the identification and classification performance of the two machine learning models designed for EdgeDefense are better than those of the state-of-the-art baseline models, and therefore EdgeDefense can defend against DDoS attacks effectively. The results also verify that the proposed fast sharing mechanism can reduce the propagation delay of the defense information blocks effectively, thereby improving the responsiveness of the multi-point collaborative DDoS defense.

telecommunications

Jieren Cheng,Xinzhi Yao,Hui Li,Hao Lu,Naixue Xiong,Ping Luo,Le Liu,Hao Guo,Wen Feng

DOI: https://doi.org/10.32604/csse.2022.025668

IF: 4.397

2022-01-01

Computer Systems Science and Engineering

Abstract:Distributed Denial of Service (DDoS) attacks is always one of the major problems for service providers. Using blockchain to detect DDoS attacks is one of the current popular methods. However, the problems of high time overhead and cost exist in the most of the blockchain methods for detecting DDoS attacks. This paper proposes a blockchain-based collaborative detection method for DDoS attacks. First, the trained DDoS attack detection model is encrypted by the Intel Software Guard Extensions (SGX), which provides high security for uploading the DDoS attack detection model to the blockchain. Secondly, the service provider uploads the encrypted model to Inter Planetary File System (IPFS) and then a corresponding Content-ID (CID) is generated by IPFS which greatly saves the cost of uploading encrypted models to the blockchain. In addition, due to the small amount of model data, the time cost of uploading the DDoS attack detection model is greatly reduced. Finally, through the blockchain and smart contracts, the CID is distributed to other service providers, who can use the CID to download the corresponding DDoS attack detection model from IPFS. Blockchain provides a decentralized, trusted and tamper-proof environment for service providers. Besides, smart contracts and IPFS greatly improve the distribution efficiency of the model, while the distribution of CID greatly improves the efficiency of the transmission on the blockchain. In this way, the purpose of collaborative detection can be achieved, and the time cost of transmission on blockchain and IPFS can be considerably saved. We designed a blockchain-based DDoS attack collaborative detection framework to improve the data transmission efficiency on the blockchain, and use IPFS to greatly reduce the cost of the distribution model. In the experiment, compared with most blockchain-based method for DDoS attack detection, the proposed model using blockchain distribution shows the advantages of low cost and latency. The remote authentication mechanism of Intel SGX provides high security and integrity, and ensures the availability of distributed models.

computer science, theory & methods, hardware & architecture

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Yongyi Cao,Jing Wu,Bo Zhu,Hao Jiang,Yuchuan Deng,Wei Luo

DOI: https://doi.org/10.1007/978-3-030-34139-8_23

2019-01-01

Abstract:Distributed Denial of Service (DDoS) has been one of the biggest threats in the field of network security and a big problem to many researchers and large enterprises for years. In SDN, traditional DDoS attack detection mechanisms are mostly based on intermediate plug-ins or SDN controllers, most of which have problems of large southbound communication overhead, detection delay or lacking network-wide monitoring information. In this paper, we propose a cross-plane cooperative DDoS defense system (CPCS) under the architecture of SDN, which filters abnormal traffic through coarse-grained detection on the data plane and fine-grained detection on the control plane. On the data plane, a preliminary screening is performed to reduce the detection range of the control plane, and the K-means clustering algorithm is used to perform fine-grained analysis of traffic on the control plane. In addition, an anti-false positive module is added ingeniously. The proposed method captures the key characteristics of DDoS attack traffic by polling the value of counters in OpenFlow switches which leverages the computational power of OpenFlow switches that currently not fully utilized. We conducted experiments on a campus network center including OpenFlow switches and RYU controllers. The results show that the framework and traffic monitoring algorithms proposed in this paper can greatly improve detection efficiency and accuracy, and reduce detection delay and southbound communication overhead.

Meizhu Chen,Xiangyan Tang,Jieren Cheng,Naixue Xiong,Jun Li,Dong Fan

DOI: https://doi.org/10.1007/978-981-15-8086-4_64

2020-01-01

Abstract:With the emergence of smart home, smart city and smart transportation, attackers using Internet of Things (IoTs) devices to launch Distributed Denial of Service (DDoS) attacks on blockchain are also on the rise, making blockchain network become a major disaster area for DDoS attacks. To solve this problem, the paper proposes a DDoS attack defense method based on blockchain for IoTs devices. This method firstly extracts the feature of network traffic of edge nodes, further analyzes the extracted data feature, detects the abnormal behavior of terminal devices, and finally realizes DDoS attack defense by deploying smart contracts in the blockchain network for attack node information and access control strategy. The method can detect abnormal behavior on IoTs device, which is helpful to identify the attack as soon as possible. The synchronization of DDoS attack node information and defense strategy is realized by smart contract, which avoids network congestion of central node and gains time advantage for attack defense.

Zhuohao Wang,Weiting Zhang,Runhu Wang,Ying Liu,Chenyang Xu,Chengxiao Yu

DOI: https://doi.org/10.23919/jcc.fa.2023-0020.202308

2023-01-01

China Communications

Abstract:In this paper, we focus on providing data provenance auditing schemes for distributed denial of service (DDoS) defense in intelligent internet of things (IoT). To achieve effective DDoS defense, we introduce a two-layer collaborative blockchain framework to support data auditing. Specifically, using data scattered among intelligent IoT devices, switch gateways self-assemble a layer of blockchain in the local autonomous system (AS), and the main chain with controller participation can be aggregated by its associated layer of blocks once a cycle, to obtain a global security model. To optimize the processing delay of the security model, we propose a process of data pre-validation with the goal of ensuring data consistency while satisfying overhead requirements. Since the flood of identity spoofing packets, it is difficult to solve the identity consistency of data with traditional detection methods, and accountability cannot be pursued afterwards. Thus, we proposed a Packet Traceback Telemetry (PTT) scheme, based on in-band telemetry, to solve the problem. Specifically, the PTT scheme is executed on the distributed switch side, the controller to schedule and select routing policies. Moreover, a tracing probabilistic optimization is embedded into the PTT scheme to accelerate path reconstruction and save device resources. Simulation results show that the PTT scheme can reconstruct address spoofing packet forward path, reduce the resource consumption compared with existing tracing scheme. Data tracing audit method has fine-grained detection and feasible performance.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Xiaodong Xing,Tao Luo,Jianfeng Li,Yang Hu

DOI: https://doi.org/10.1109/icnidc.2016.7974530

2016-01-01

Abstract:As one of the most harmful DDoS (distributed deny of service) attacks, the DNS (domain name system) amplification attack has been a big threat to nowadays networks. Researchers have done much work to defend against this kind of attack in traditional networks. The SDN (software defined network) architecture, as a clear indication of future networking architecture, faces the same threat of DNS amplification attack. In this paper, we propose a defense mechanism consisting of three phases. The defense mechanism can easily detect the attacks, protect the victim quickly, then pinpoint all zombies and finally isolate them from the SDN network. Simulation results show that the proposed mechanism detects attacks accurately with low consumption, protects victim with quick response and has little impact on normal DNS queries of victim. Besides, after pinpointing and isolating all zombies in the network, the whole network's recovery speed is increased.

Yuming Feng,Weizhe Zhang,Zijun Feng,Xiaoxiong Zhong,Fangming Liu

DOI: https://doi.org/10.1109/iwqos61813.2024.10682921

2024-01-01

Abstract:The widespread deployment of low-cost, vulnerable IoT devices allows attackers to exploit them to generate botnets and launch distributed denial-of-service (DDoS) attacks, which has become a serious security challenge for ensuring quality of service (QoS). For cost-effective defense against DDoS, we propose a novel hybrid defense method that includes proactive moving target defense (MTD) and passive security control to resist DDoS threats at different stages in IoT networks in this paper. We construct a multi-stage Markov game model to portray the game as a competition between the attacker and the defender for the control duration of the attack surface, and design an optimal defense strategy algorithm. In particular, we introduce a new parameter of action execution interval expectation in the game and add node importance evaluation in the reward quantification so that the optimal action execution interval of each defense technique can be output. We also consider the possibility that advanced attackers may launch DDoS on the SDN controller in the game. The experimental results demonstrate that our proposed method can defend against DDoS cost-effectively and ensure the QoS in IoT networks with acceptable overhead.

Dingwen Hu,Peilin Hong,Yixin Chen

DOI: https://doi.org/10.1109/glocom.2017.8254023

2017-01-01

Abstract:Distributed Denial-of-Service (DDoS) flooding attack is one of the most serious threats to network security. Software-Defined Networking (SDN) has recently emerged as a new network management platform, and its centralized control architecture brings many new opportunities for defending against network attacks. In this paper, we propose FADM, an efficient and lightweight framework to detect and mitigate DDoS attacks in SDN. Firstly, the network traffic information is collected through the SDN controller and sFlow agents. Then an entropy-based method is used to measure network features, and the SVM classifier is applied to identify network anomalies. By adopting these methods together, the timeliness and accuracy of attack detection are effectively improved. To keep the major network functionality working, we propose an efficient attack mitigation mechanism based on the white-list and traffic migration. By introducing the mitigation agent to the network, attack traffic can be timely blocked while benign traffic can be forwarded as usual, which prevents the controller resources from being exhausted and ensures that legitimate users can access the network normally. The experimental results show that multiple DDoS attacks can be accurately detected and effectively mitigated by FADM, which enables the network to recover in a short time.

Chang Xu,Guoxie Jin,Rongxing Lu,Liehuang Zhu,Xiaodong Shen,Yunguo Guan,Kashif Sharif

DOI: https://doi.org/10.1109/tsc.2024.3453764

IF: 11.019

2024-10-11

IEEE Transactions on Services Computing

Abstract:The rapid development of blockchain technology has led to a constant increase in its financial and technological value. However, this has also led to malicious attacks. Distributed denial-of-service attacks pose a considerable threat to blockchain technology out of many attacks due to its effectiveness and distributed nature. To protect the blockchain from DDoS attacks, researchers have proposed a large number of defensive schemes. However, these schemes are not well-suited for use in practical situations. In this work, we propose a DDoS attack detection scheme based on centralized federated learning, where multiple participating nodes locally train models and upload them to a central node for aggregation. Additionally, we propose a more suitable method for blockchain scenarios, using decentralized federated learning technology, where multiple nodes exchange models in a peer-to-peer manner to complete model training without a central server. We simulate DDoS attacks in blockchain and generate a large dataset by combining it with traditional network layer DDoS attack data to evaluate the effectiveness of our schemes. The experimental results show that the proposed schemes perform well in classification accuracy, demonstrating that our techniques can detect DDoS attacks effectively.

computer science, information systems, software engineering

Xiulai Li,Jieren Cheng,Chengchun Ruan,Bin Zhang,Xiangyan Tang,Mengzhe Sun

DOI: https://doi.org/10.32604/cmc.2023.045588

2023-01-01

Abstract:With the rising adoption of blockchain technology due to its decentralized, secure, and transparent features, ensuring its resilience against network threats, especially Distributed Denial of Service (DDoS) attacks, is crucial. This research addresses the vulnerability of blockchain systems to DDoS assaults, which undermine their core decentralized characteristics, posing threats to their security and reliability. We have devised a novel adaptive integration technique for the detection and identification of varied DDoS attacks. To ensure the robustness and validity of our approach, a dataset amalgamating multiple DDoS attacks was derived from the CIC-DDoS2019 dataset. Using this, our methodology was applied to detect DDoS threats and further classify them into seven unique attack subcategories. To cope with the broad spectrum of DDoS attack variations, a holistic framework has been pro posed that seamlessly integrates five machine learning models: Gate Recurrent Unit (GRU), Convolutional Neural Networks (CNN), Long-Short Term Memory (LSTM), Deep Neural Networks (DNN), and Support Vector Machine (SVM). The innovative aspect of our framework is the introduction of a dynamic weight adjustment mechanism, enhancing the system's adaptability. Experimental results substantiate the superiority of our ensemble method in comparison to singular models across various evaluation metrics. The framework displayed remarkable accuracy, with rates reaching 99.71% for detection and 87.62% for classification tasks. By developing a comprehensive and adaptive methodology, this study paves the way for strengthening the defense mechanisms of blockchain systems against DDoS attacks. The ensemble approach, combined with the dynamic weight adjustment, offers promise in ensuring blockchain's enduring security and trustworthiness

Biao Han,Xiangrui Yang,Zhigang Sun,Jinfeng Huang,Jinshu Su

DOI: https://doi.org/10.1155/2018/9649643

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Distributed Denial of Service (DDoS) attacks are one of the biggest concerns for security professionals. Traditional middle-box based DDoS attack defense is lack of network-wide monitoring flexibility. With the development of software-defined networking (SDN), it becomes prevalent to exploit centralized controllers to defend against DDoS attacks. However, current solutions suffer with serious southbound communication overhead and detection delay. In this paper, we propose a cross-plane DDoS attack defense framework in SDN, called OverWatch, which exploits collaborative intelligence between data plane and control plane with high defense efficiency. Attack detection and reaction are two key procedures of the proposed framework. We develop a collaborative DDoS attack detection mechanism, which consists of a coarse-grained flow monitoring algorithm on the data plane and a fine-grained machine learning based attack classification algorithm on the control plane. We propose a novel defense strategy offloading mechanism to dynamically deploy defense applications across the controller and switches, by which rapid attack reaction and accurate botnet location can be achieved. We conduct extensive experiments on a real-world SDN network. Experimental results validate the efficiency of our proposed OverWatch framework with high detection accuracy and real-time DDoS attack reaction, as well as reduced communication overhead on SDN southbound interface.

Tong Liu,Fariza Sabrina,Julian Jang-Jaccard,Wen Xu,Yuanyuan Wei

DOI: https://doi.org/10.3390/s22010032

2021-12-22

Abstract:A smart public transport system is expected to be an integral part of our human lives to improve our mobility and reduce the effect of our carbon footprint. The safety and ongoing maintenance of the smart public transport system from cyberattacks are vitally important. To provide more comprehensive protection against potential cyberattacks, we propose a novel approach that combines blockchain technology and a deep learning method that can better protect the smart public transport system. By the creation of signed and verified blockchain blocks and chaining of hashed blocks, the blockchain in our proposal can withstand unauthorized integrity attack that tries to forge sensitive transport maintenance data and transactions associated with it. A hybrid deep learning-based method, which combines autoencoder (AE) and multi-layer perceptron (MLP), in our proposal can effectively detect distributed denial of service (DDoS) attempts that can halt or block the urgent and critical exchange of transport maintenance data across the stakeholders. The experimental results of the hybrid deep learning evaluated on three different datasets (i.e., CICDDoS2019, CIC-IDS2017, and BoT-IoT) show that our deep learning model is effective to detect a wide range of DDoS attacks achieving more than 95% F1-score across all three datasets in average. The comparison of our approach with other similar methods confirms that our approach covers a more comprehensive range of security properties for the smart public transport system.

Tianfang Yu,Lanlan Rui,Xuesong Qiu

DOI: https://doi.org/10.1155/2021/5097267

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:In traditional networks, DDoS attacks are often launched in the network layer or the transport layer. Researchers had explored this problem in depth and put forward plenty of solutions. However, these solutions are only suitable for scenarios such as a single link or victim side network and could not analyse traffic distribution from the angle of the global network. Also, the TCP/IP network architecture lacks abilities to quickly conduct resource deployment and traffic scheduling. When DDoS attacks occur, victims usually could not respond in time. With the superiorities of centralized control mode and global topological view, Software-Defined Networking (SDN) provides a new way to get over the above issues. In this paper, we adopt a combination of diverse technologies to design SDNDefender, a SDN-based DDoS detection and defense mechanism, which is composed of two core components aiming to counter the most popular DDoS attacks including IP spoofing attack and TCP SYN flood attack. We carry out quantitative simulation experiments for evaluating SDNDefender from many metrics. The experimental results show that in contrast to other DDoS defense algorithms, SDNDefender not only efficiently validates spoofed packets and withstands well-known attacks but also defends unknown attacks according to the target’s available resources. Besides, SDNDefender could significantly reduce TCP half-open connections and improve detection accuracy, alleviating attack influences that exhaust the server’s resources and network bandwidth.

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary