Man Li,Huachun Zhou,Shuangxing Deng

DOI: https://doi.org/10.1016/j.jnca.2024.103938

IF: 7.574

2024-01-01

Journal of Network and Computer Applications

Abstract:DDoS attack have always been a popular topic in the field of network security. As an emerging networking paradigm, SDN’s characteristics such as centralized control and management and monitoring flow-based traffic make it an ideal platform to detect DDoS attacks. NFV can reduce equipment costs, simplify operation complexity, and improve operation performance, which provides a major opportunity for effective DDoS detection. Thus, with the help of SDN/NFV technology, this paper proposes a parallel path selection method to detect various types of DDoS attacks. This article virtualizes detection methods as service functions, and combines different service functions to form sequential paths. We first propose a HABS method to parallelize the service functions and construct a parallel path set. Then, we propose a PPCP method to reduce the delay between parallel branches. Next, the parallel path selection problem is formulated as a MDP. Then, we propose a QLBP method to choose the optimal path that balance detection performance, delay and load. Finally, the proposed QLBP method is deployed in a prototype system. We validate the performance of the QLBP method under various DDoS attack scenarios. Besides, we compare the path performance before and after applying the QLBP method. The experimental results indicate that this method can provide optimal parallel path against different attack types.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Man Li,Shuangxing Deng,Huachun Zhou,Yajuan Qin

DOI: https://doi.org/10.1016/j.comnet.2023.110034

IF: 5.493

2023-01-01

Computer Networks

Abstract:The SDN/NFV network is prone to different types of attacks. The Distributed Denial of Service (DDoS) attack has the most severe impact as it can overwhelm the critical components of SDN/NFV to degrade its performance. We propose a closed-loop security architecture (SFCSA) and virtualize detection methods as network service functions in this article. Combining the detection methods forms detection paths, in which different detection paths affect security performance differently. Further, we model the path selection problem as a Markov Decision Process, where the reward balances the malicious traffic detection capability and end-to-end latency. Then, an integrated deep reinforcement learning and convolution neural network path selection algorithm (CNNQ) is proposed. Furthermore, we define a total path malicious traffic detection capability metric. The defined metrics and common metrics are applied to evaluate the building prototype, with the corresponding experimental results demonstrating that the detection performance when combining multiple detection modules outperforms a single detection-based module. Besides, we verify the effectiveness of the CNNQ method under various DDoS attacks scenarios and present the fine-grained classification results of the selected detection modules.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Ihsan H. Abdulqadder,Shijie Zhou,Deqing Zou,Israa T. Aziz,Syed Muhammad Abrar Akber

DOI: https://doi.org/10.1016/j.comnet.2020.107364

IF: 5.493

2020-01-01

Computer Networks

Abstract:Software defined networking (SDN), network function virtualization (NFV), and cloud computing are receiving significant attention in 5G networks. However, this attention creates a new challenge for security provisioning in these integrated technologies. Research in the field of SDN, NFV, cloud computing, and 5G has recently focused on the intrusion detection and prevention system (IDPS). Existing IDPS solutions are inadequate, which could cause large resource wastage and several security threats. To alleviate security issues, timely detection of an attacker is important. Thus, in this paper, we propose a novel approach that is referred to as multilayered intrusion detection and prevention (ML-IDP) in an SDN/NFV-enabled cloud of 5G networks. The proposed approach defends against security attacks using artificial intelligence (AI). In this paper, we employed five layers: data acquisition layer, switches layer, domain controllers (DC) layer, smart controller (SC) layer, and virtualization layer (NFV infrastructure). User authentication is held in the first layer using the Four-Q-Curve algorithm. To address the flow table overloading attack in the switches layer, the game theory approach, which is executed in the IDP agent, is proposed. The involvement of the IDP agent is to completely avoid a flow table overloading attack by a deep reinforcement learning algorithm, and thus, it updates the current state of all switches. In the DC layer, packets are processed and classified into two classes (normal and suspicious) by a Shannon Entropy function. Normal packets are forwarded to the cloud via the SC. Suspicious packets are sent to the VNF using a growing multiple self-organization map (GM-SOM). The proposed ML-IDP system is evaluated using NS3.26 for different security attacks, including IP Spoofing, flow table overloading, DDoS, Control Plane Saturation, and host location hijacking. From the experiment results, we proved that the ML-IDP with AI-based defense mechanisms effectively detects and prevents attacks.

Morteza Sheibani,Savas Konur,Irfan Awan,Amna Qureshi

DOI: https://doi.org/10.3390/electronics13081515

IF: 2.9

2024-04-18

Electronics

Abstract:Software-defined networking (SDN) and network functions virtualisation (NFV) are crucial technologies for integration in the fifth generation of cellular networks (5G). However, they also pose new security challenges, and a timely research subject is working on intrusion detection systems (IDSs) for 5G networks. Current IDSs suffer from several limitations, resulting in a waste of resources and some security threats. This work proposes a new three-layered solution that includes forwarding and data transport, management and control, and virtualisation layers, emphasising distributed controllers in the management and control layer. The proposed solution uses entropy detection to classify arriving packets as normal or suspicious and then forwards the suspicious packets to a centralised controller for further processing using a self-organising map (SOM). A dynamic OpenFlow switch relocation method is introduced based on deep reinforcement learning to address the unbalanced burden among controllers and the static allocation of OpenFlow switches. The proposed system is analysed using the Markov decision process, and a Double Deep Q-Network (DDQN) is used to train the system. The experimental results demonstrate the effectiveness of the proposed approach in mitigating DDoS attacks, efficiently balancing controller workloads, and reducing the duration of the balancing process in 5G networks.

engineering, electrical & electronic,computer science, information systems,physics, applied

Guozhu Zhao,Lisheng Ma,Xiaohong Jiang

DOI: https://doi.org/10.1109/nana.2018.8648779

2018-01-01

Abstract:Slos (Service level objectives) has more specific requirements for network parameters such as network bandwidth, response time and delay, but user services are not always running at full capacity. This paper proposes an algorithm for predicting bandwidth changes and the usage rate of Slos capacity in SDN networks, and minimizes the impact from the disaster by making full use of the flexibility provided by optimized configuration of the path or degraded-service tolerance. In our algorithm RBF neural network is train by the data from SDN controller and switch flow table. With the help of RBF neural network, the resource occupancy of every path and node of the SDN network can be predicted and the quantitative value of the bandwidth usage of network path can be calculated in advance ε time. Once a large-scale data disaster arrives, RBF quickly feeds back the date of bandwidth usage in advance ε time, reduces the excess bandwidth of connections in the SDN, calculates the least-unavailable path providing which to SDN controller, and updates the switch flow tables to ensure the SDN network try its best to mitigate the adverse effects caused by disasters like Earthquake, Tsunami, etc. The performance of the proposed scheme is evaluated by means of SDN emulation using Mininet environment and OpenDaylight as the controller, the experimental results show that our strategy minimizes the impact from the disaster.

Daoqi Han,Honghui Li,Xueliang Fu,Shuncheng Zhou

DOI: https://doi.org/10.3390/s24134344

2024-07-04

Abstract:As 5G technology becomes more widespread, the significant improvement in network speed and connection density has introduced more challenges to network security. In particular, distributed denial of service (DDoS) attacks have become more frequent and complex in software-defined network (SDN) environments. The complexity and diversity of 5G networks result in a great deal of unnecessary features, which may introduce noise into the detection process of an intrusion detection system (IDS) and reduce the generalization ability of the model. This paper aims to improve the performance of the IDS in 5G networks, especially in terms of detection speed and accuracy. It proposes an innovative feature selection (FS) method to filter out the most representative and distinguishing features from network traffic data to improve the robustness and detection efficiency of the IDS. To confirm the suggested method's efficacy, this paper uses four common machine learning (ML) models to evaluate the InSDN, CICIDS2017, and CICIDS2018 datasets and conducts real-time DDoS attack detection on the simulation platform. According to experimental results, the suggested FS technique may match 5G network requirements for high speed and high reliability of the IDS while also drastically cutting down on detection time and preserving or improving DDoS detection accuracy.

Shuangxing Deng,Man Li,Qi Guo,Huachun Zhou

DOI: https://doi.org/10.1007/978-981-99-4430-9_7

2022-01-01

Abstract:Traffic flows can be forwarded through different security service functions based on SDN/NFV technology, which constitutes security service function chaining (SFC). However, the current deployed security service function chaining cannot be dynamically adjusted according to the state of the network environment, and cannot adapt to the rapidly changing security requirements. This paper proposes a security SFC path selection scheme based on deep reinforcement learning. The optimal path of security SFC is dynamically selected in real time using the DQN algorithm, according to the features of the traffic entering the SFC and the detection results of the security service functions. The security capability of the SFC is improved and the latency of the SFC is reduced under the optimal path. We design and implemented a prototype system of this scheme, conduct experiments with DDoS detection security function, and compare the proposed DQN algorithm with Q-learning algorithm. The results show that SFC path selection by DQN algorithm can effectively improve the average DDoS attack detection rate and reduce the latency.

Man Li,Huachun Zhou,Yajuan Qin

DOI: https://doi.org/10.1145/3592307.3592327

2023-01-01

Abstract:5G suffers from new security and privacy issues. More specifically, distributed denial-of-service (DDoS) is one of the most common and destructive attack types. The traditional network does not perform well, because they do not quickly support the deployment of new service function as well as provide network security service on demand. Recently, with the rise of Reinforcement Learning (RL), Software Defined Network (SDN)/Network Functions Virtualization (NFV), and Interface to Network Security Functions (I2NSF) techniques, they play a significant role in security enhancement. Hence, we propose a framework to integrate RL with SDN/NFV and I2NSF architecture (RL-SDNV), in which the RL agent can intelligently select suitable security function chain (SFC) under attack scenarios. Then, we model the DDoS detection problem as a Markov Decision Process (MDP), and a QLearning detection algorithm (QLSFC) is proposed, in which the designed reward includes the processing time and the malicious traffic reduction rate. Finally, we build a corresponding prototype system and verify the feasibility and effectiveness of the proposed algorithm through compared experiments with other RL algorithms.

Man Li,Huachun Zhou,Yajuan Qin

DOI: https://doi.org/10.1145/3592307.3592327

2023-01-01

Abstract:5G suffers from new security and privacy issues. More specifically, distributed denial-of-service (DDoS) is one of the most common and destructive attack types. The traditional network does not perform well, because they do not quickly support the deployment of new service function as well as provide network security service on demand. Recently, with the rise of Reinforcement Learning (RL), Software Defined Network (SDN)/Network Functions Virtualization (NFV), and Interface to Network Security Functions (I2NSF) techniques, they play a significant role in security enhancement. Hence, we propose a framework to integrate RL with SDN/NFV and I2NSF architecture (RL-SDNV), in which the RL agent can intelligently select suitable security function chain (SFC) under attack scenarios. Then, we model the DDoS detection problem as a Markov Decision Process (MDP), and a QLearning detection algorithm (QLSFC) is proposed, in which the designed reward includes the processing time and the malicious traffic reduction rate. Finally, we build a corresponding prototype system and verify the feasibility and effectiveness of the proposed algorithm through compared experiments with other RL algorithms.

W. Wei,V. Piuri,W. Pedrycz,S. H. Ahmed

DOI: https://doi.org/10.1016/j.future.2022.07.019

IF: 7.307

2022-01-01

Future Generation Computer Systems

Abstract:During the transition from traditional networks to pure Software-Defined Networks (SDNs), hybrid SDNs are derived to provide flexible services. Furthermore, developing effective failure protection algorithms is significantly urgent to improve the robustness and resilience of networks. In this paper, we propose several algorithms, including Straightforward Protection Path Selection with the Source and Destination-based Tunneling mechanism (S-PPSSDT), its simplification PPSSDT and Protection Path Selection with Load-Balancing (PPSLB) algorithms. Considering that the Protection Path Length (PPL) will affect the transmission delay of rerouted packets, S-PPSSDT leverages the source and destination-based tunneling mechanism to select optimum protection paths with the shortest length. Based on classification idea and optimization search, PPSSDT prunes unnecessary path searches in S-PPSSDT. Combining the tunneling mechanism with the priority-based Maximum Link Utilization (MLU) minimization approach, PPSLB also focuses on load balancing during failure protection to achieve potential congestion avoidance simultaneously. Besides, these algorithms redirect the traffic through various tunnels for affected paths by the non-shortest path routing capability of SDN switches. Extensive simulation results indicate that our proposed algorithms can effectively reduce the PPL and MLU of hybrid SDNs during failure protection, and have excellent performance under various network parameters compared with the state-of-the-art algorithms.

Jiahui Li,Xiaogang Qi,Yi He,Lifang Liu

DOI: https://doi.org/10.1016/j.ress.2023.109893

IF: 7.247

2024-01-04

Reliability Engineering & System Safety

Abstract:Software-Defined Networks (SDNs) have emerged as significant frameworks for enhancing the network flexibility. Currently, the migration from legacy IP networks to pure SDNs promotes the development of hybrid SDNs. However, the inevitable link failures will damage the network reliability. Therefore, this paper focuses on upgrading the legacy routers to SDN switches with minimal deployment overhead for protecting against all link failures, and selecting appropriate protection paths with the routing flexibility of these switches, thus improving the network performance and resilience. Firstly, we propose the heuristic SCS_LN algorithm for SDN Candidate Selection (SCS) that narrows the selection range of SDN candidate nodes through the link protection difficulty and selects the upgraded nodes based on the node protection capability. Secondly, we develop PPS_PM algorithm with the weight-based selection rule for adaptive Protection Path Selection (PPS), which takes interactive path parameters into account, such as Protection Path Length (PPL) and Maximum Link Utilization (MLU). Finally, extensive simulation experiments on diverse network topologies with various parameters are conducted to demonstrate that our proposed algorithms save up to 12.58% of the SDN switch deployment, and gain up to 12.15% and 7.34% improvement of the average PPL and MLU over existing algorithms, respectively.

engineering, industrial,operations research & management science

Yun Chen,Kun Lv,Changzhen Hu

DOI: https://doi.org/10.1155/2018/2058429

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Currently, many methods are available to improve the target network’s security. The vast majority of them cannot obtain an optimal attack path and interdict it dynamically and conveniently. Almost all defense strategies aim to repair known vulnerabilities or limit services in target network to improve security of network. These methods cannot response to the attacks in real-time because sometimes they need to wait for manufacturers releasing corresponding countermeasures to repair vulnerabilities. In this paper, we propose an improved Q-learning algorithm to plan an optimal attack path directly and automatically. Based on this path, we use software-defined network (SDN) to adjust routing paths and create hidden forwarding paths dynamically to filter vicious attack requests. Compared to other machine learning algorithms, Q-learning only needs to input the target state to its agents, which can avoid early complex training process. We improve Q-learning algorithm in two aspects. First, a reward function based on the weights of hosts and attack success rates of vulnerabilities is proposed, which can adapt to different network topologies precisely. Second, we remove the actions and merge them into every state that reduces complexity from O(N3) to O(N2). In experiments, after deploying hidden forwarding paths, the security of target network is boosted significantly without having to repair network vulnerabilities immediately.

Shuangxing Deng,Man Li,Huachun Zhou

DOI: https://doi.org/10.32604/iasc.2023.039985

2023-01-01

Intelligent Automation & Soft Computing

Abstract:Security service function chaining (SFC) based on software-defined networking (SDN) and network function virtualization (NFV) technology allows traffic to be forwarded sequentially among different security service functions to achieve a combination of security functions. Security SFC can be deployed according to requirements, but the current SFC is not flexible enough and lacks an effective feedback mechanism. The SFC is not traffic aware and the changes of traffic may cause the previously deployed security SFC to be invalid. How to establish a closed-loop mechanism to enhance the adaptive capability of the security SFC to malicious traffic has become an important issue. Our contribution is threefold. First, we propose a secure SFC path selection framework. The framework can accept the feedback results of traffic and security service functions in SFC, and dynamically select the optimal path for SFC based on the feedback results. It also realizes the automatic deployment of paths, forming a complete closed loop. Second, we expand the protocol of SFC to realize the security SFC with branching path, which improve flexibility of security SFC. Third, we propose a deep reinforcement learning-based dynamic path selection method for security SFC. It infers the optimal branching path by analyzing feedback from the security SFC. We have experimented with Distributed Denial of Service (DDoS) attack detection modules as security service functions. Experimental results show that our proposed method can dynamically select the optimal branching path for a security SFC based on traffic features and the state of the SFC. And it improves the accuracy of the overall malicious traffic detection of the security SFC and significantly reduces the latency and overall load of the SFC.

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Trung V. Phan,Minho Park

DOI: https://doi.org/10.1109/access.2019.2896783

IF: 3.9

2019-01-01

IEEE Access

Abstract:Software-defined networking (SDN) is the key outcome of extensive research efforts over the past few decades toward transforming the Internet infrastructure to be more programmable, configurable, and manageable. However, critical cyber-threats in the SDN-based cloud environment are rising rapidly, in which distributed denial-of-service (DDoS) attack is one of the most damaging cyber attacks. In this paper, we propose an efficient solution to tackle DDoS attacks in the SDN-based cloud environment. We first introduce a new hybrid machine learning model based on support vector machine and self-organizing map algorithms to improve the traffic classification. Then, we propose an enhanced history-based IP filtering scheme ( $eHIPF$ ) to improve the attack detection rate and speed. Finally, we introduce a novel mechanism that combines both the hybrid machine learning model and the $eHIPF$ scheme to make a DDoS attack defender for the SDN-based cloud environment. The testbed is implemented in an SDN-based cloud with service function chaining. Through practical experiments, the proposed DDoS attack defender is proven to outperform existing mechanisms for DDoS attack classification and detection. The comprehensive experiments conducted with various DDoS attack levels prove that the proposed mechanism is an effective, innovative approach to defend DDoS attacks in the SDN-based cloud.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tianfang Yu,Lanlan Rui,Xuesong Qiu

DOI: https://doi.org/10.1155/2021/5097267

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:In traditional networks, DDoS attacks are often launched in the network layer or the transport layer. Researchers had explored this problem in depth and put forward plenty of solutions. However, these solutions are only suitable for scenarios such as a single link or victim side network and could not analyse traffic distribution from the angle of the global network. Also, the TCP/IP network architecture lacks abilities to quickly conduct resource deployment and traffic scheduling. When DDoS attacks occur, victims usually could not respond in time. With the superiorities of centralized control mode and global topological view, Software-Defined Networking (SDN) provides a new way to get over the above issues. In this paper, we adopt a combination of diverse technologies to design SDNDefender, a SDN-based DDoS detection and defense mechanism, which is composed of two core components aiming to counter the most popular DDoS attacks including IP spoofing attack and TCP SYN flood attack. We carry out quantitative simulation experiments for evaluating SDNDefender from many metrics. The experimental results show that in contrast to other DDoS defense algorithms, SDNDefender not only efficiently validates spoofed packets and withstands well-known attacks but also defends unknown attacks according to the target’s available resources. Besides, SDNDefender could significantly reduce TCP half-open connections and improve detection accuracy, alleviating attack influences that exhaust the server’s resources and network bandwidth.