Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Zhenyu Yin,Shang Liu,Guangyuan Xu

2024-09-18

Abstract:The increasing number of Distributed Denial of Service (DDoS) attacks poses a major threat to the Internet, highlighting the importance of DDoS mitigation. Most existing approaches require complex training methods to learn data features, which increases the complexity and generality of the application. In this paper, we propose DrLLM, which aims to mine anomalous traffic information in zero-shot scenarios through Large Language Models (LLMs). To bridge the gap between DrLLM and existing approaches, we embed the global and local information of the traffic data into the reasoning paradigm and design three modules, namely Knowledge Embedding, Token Embedding, and Progressive Role Reasoning, for data representation and reasoning. In addition we explore the generalization of prompt engineering in the cybersecurity domain to improve the classification capability of DrLLM. Our ablation experiments demonstrate the applicability of DrLLM in zero-shot scenarios and further demonstrate the potential of LLMs in the network domains. DrLLM implementation code has been open-sourced at <a class="link-external link-https" href="https://github.com/liuup/DrLLM" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Artificial Intelligence

Junchi Xing,Jingling Cai,Boyang Zhou,Chunming Wu

DOI: https://doi.org/10.1109/iscc47284.2019.8969595

2019-01-01

Abstract:Recently, link flooding attacks (LFA) have been observed as a serious threat for cutting off the Internet connectivity through congesting critical links. A LFA typically utilizes legitimate and low-rate flows, which makes it extremely hard to be detected and, subsequently, to be mitigated. In this paper, we present LF-Shield, that is a deep convolutional neural network (ConvNet) based countermeasure to accurately detect and efficiently mitigate LFAs using software-defined network (SDN) paradigm. LF-Shield can identify malicious bots that launch LFA flows by extracting end-hosts' traffic features and afterwards, classifying the type of end-hosts based on deep ConvNet. Then, LF-Shield mitigates LFAs without affecting legitimate end-hosts through blocking the classified malicious bots and limiting the bandwidths of inactive or newly-accessed end-hosts. A LF-Shield prototype is implemented for evaluating its performance by several experiments. The experimental results demonstrate that LF-Shield can identify malicious bots with an accuracy of 96.4% and mitigate LFAs with the 93.1% reduction in link degradation ratio, with negligible impact on legitimate end-hosts.

Tingxin Sun,Jiayi Cai,Kaiwei Guo,Dong Zhang,Xiang Chen,Chunming Wu

DOI: https://doi.org/10.1109/globecom54140.2023.10437875

2023-01-01

Abstract:In Internet Service Provider (ISP) networks, Amplified Reflection DDoS (AR-DDoS) attack is one of the main attack categories, which launches gigabytes of traffic with little effort and minimal cost. Thus, the mitigation of AR-DDoS attacks has been considered as a crucial part. In particular, such mitigation requires full coverage (i.e., mitigating AR-DDoS attacks launched from any location) and low overhead (i.e., mitigation should avoid high latency that degrades user experience). However, existing solutions suffer from either limited coverage or high overhead. In this paper, we propose Aigis, a distributed framework that offers full-coverage and low-overhead mitigation of AR-DDoS attacks. Our key idea is to co-design top-of-rack (ToR) switches and end-hosts, which offers line-rate packet processing performance and fine-grained view inherently, to jointly execute endpoint verification. Specifically, Aigis selectively offloads mitigation operations between ToR switches and end-hosts and implements a network-wide epoch synchronization mechanism to guarantee reliable verification. It efficiently coordinates ToR switches and end-hosts to execute the entire mitigation task. We have implemented Aigis on a testbed comprising 32x100 Gbps Tofino switches. Testbed experiments indicate that Aigis achieves complete full coverage and orders of magnitude lower host-side overhead compared to existing solutions.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Xiao Peng,Tao Liu,Ying Wang

2024-06-03

Abstract:Large language models (LLMs) like ChatGPT, Gemini, or LLaMA have been trending recently, demonstrating considerable advancement and generalizability power in countless domains. However, LLMs create an even bigger black box exacerbating opacity, with interpretability limited to few approaches. The uncertainty and opacity embedded in LLMs' nature restrict their application in high-stakes domains like financial fraud, phishing, etc. Current approaches mainly rely on traditional textual classification with posterior interpretable algorithms, suffering from attackers who may create versatile adversarial samples to break the system's defense, forcing users to make trade-offs between efficiency and robustness. To address this issue, we propose a novel cascading framework called Genshin (General Shield for Natural Language Processing with Large Language Models), utilizing LLMs as defensive one-time plug-ins. Unlike most applications of LLMs that try to transform text into something new or structural, Genshin uses LLMs to recover text to its original state. Genshin aims to combine the generalizability of the LLM, the discrimination of the median model, and the interpretability of the simple model. Our experiments on the task of sentimental analysis and spam detection have shown fatal flaws of the current median models and exhilarating results on LLMs' recovery ability, demonstrating that Genshin is both effective and efficient. In our ablation study, we unearth several intriguing observations. Utilizing the LLM defender, a tool derived from the 4th paradigm, we have reproduced BERT's 15% optimal mask rate results in the 3rd paradigm of NLP. Additionally, when employing the LLM as a potential adversarial tool, attackers are capable of executing effective attacks that are nearly semantically lossless.

Computation and Language,Artificial Intelligence

Francesco Musumeci,Valentina Ionata,Francesco Paolucci,Filippo Cugini,Massimo Tornatore

DOI: https://doi.org/10.1109/icc40277.2020.9149043

2020-06-01

Abstract:While Software Defined Networking (SDN) provides well-known advantages in terms of network automation, flexibility and resources utilization, it has been observed that SDN controllers may represent critical points of failure for the entire network infrastructure, especially when they are targeted by malicious cyber attacks such as Distributed Denial of Service (DDoS). To address this issue, in this paper we exploit stateful data planes, as enabled by P4 programming language, where switches maintain persistent memory of handled packets to perform attack detection directly at the data plane, with only marginal involvement of the SDN controllers. As machine learning (ML) is recognized as primary anomaly detection methodology, we perform DDoS attack detection using a MLbased classification and compare different ML algorithms in terms of classification accuracy and train/test duration. Moreover, we combine ML and P4-enab1ed stateful data planes to design a real-time DDoS attack detection module, which we evaluate in terms of latency required for the detection. Three real-time scenarios are considered, where P4-enab1ed switches elaborate the received packets in different ways, namely, packet mirroring, header mirroring , and P4 - metadata extraction . Numerical results show significant latency reduction when P4 is adopted.

Kuofeng Gao,Tianyu Pang,Chao Du,Yong Yang,Shu-Tao Xia,Min Lin

2024-10-15

Abstract:Recent studies have shown that LLMs are vulnerable to denial-of-service (DoS) attacks, where adversarial inputs like spelling errors or non-semantic prompts trigger endless outputs without generating an [EOS] token. These attacks can potentially cause high latency and make LLM services inaccessible to other users or tasks. However, when there are speech-to-text interfaces (e.g., voice commands to a robot), executing such DoS attacks becomes challenging, as it is difficult to introduce spelling errors or non-semantic prompts through speech. A simple DoS attack in these scenarios would be to instruct the model to "Keep repeating Hello", but we observe that relying solely on natural instructions limits output length, which is bounded by the maximum length of the LLM's supervised finetuning (SFT) data. To overcome this limitation, we propose poisoning-based DoS (P-DoS) attacks for LLMs, demonstrating that injecting a single poisoned sample designed for DoS purposes can break the output length limit. For example, a poisoned sample can successfully attack GPT-4o and GPT-4o mini (via OpenAI's finetuning API) using less than $1, causing repeated outputs up to the maximum inference length (16K tokens, compared to 0.5K before poisoning). Additionally, we perform comprehensive ablation studies on open-source LLMs and extend our method to LLM agents, where attackers can control both the finetuning dataset and algorithm. Our findings underscore the urgent need for defenses against P-DoS attacks to secure LLMs. Our code is available at <a class="link-external link-https" href="https://github.com/sail-sg/P-DoS" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Computation and Language

Ziming Zhao,Zhaoxuan Li,Zhihao Zhou,Jiongchi Yu,Zhuoxue Song,Xiaofei Xie,Fan Zhang,Rui Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103663

IF: 5.105

2023-12-21

Computers & Security

Abstract:Distributed Denial of Service (DDoS) defense is a profound research problem. In recent years, adversaries tend to complicate their attack strategies by crafting vast DDoS variants. On the one hand, this trend exacerbates both extremes of classification granularity ( i.e. , binary and attack level) in existing machine learning methods. On the other hand, massive attack categories make the filter rule table bulky, as well as cause problems of slow reaction presented in the recent state-of-the-art DDoS mitigation system. Therefore, we propose the concept of a DDoS family to reconcile/cope with these issues. The specific technical roadmap includes traffic pattern characterization, attack fingerprint production, and cross-executed family partition by community detection. Through extensive evaluations, we demonstrate the benefits of the proposal in terms of portraying similarities, guiding model classification/unknown attack detection, optimizing defense strategies, and speeding filtering reactions. For instance, our results show that using only one rule can defend 15 types of attacks due to their homogeneous behavioral representation. Particularly, we find the interesting observation that counting the backward packet is more efficient and robust against some attacks ( e.g. , Tor's Hammer Attack), which is very different from previous solutions.

computer science, information systems

Qingyang Li,Yihang Zhang,Zhidong Jia,Yannan Hu,Lei Zhang,Jianrong Zhang,Yongming Xu,Yong Cui,Zongming Guo,Xinggong Zhang

2024-01-01

Abstract:It is an interesting question Can and How Large Language Models (LLMs)understand non-language network data, and help us detect unknown maliciousflows. This paper takes Carpet Bombing as a case study and shows how to exploitLLMs' powerful capability in the networking area. Carpet Bombing is a new DDoSattack that has dramatically increased in recent years, significantlythreatening network infrastructures. It targets multiple victim IPs withinsubnets, causing congestion on access links and disrupting network services fora vast number of users. Characterized by low-rates, multi-vectors, theseattacks challenge traditional DDoS defenses. We propose DoLLM, a DDoS detectionmodel utilizes open-source LLMs as backbone. By reorganizing non-contextualnetwork flows into Flow-Sequences and projecting them into LLMs semantic spaceas token embeddings, DoLLM leverages LLMs' contextual understanding to extractflow representations in overall network context. The representations are usedto improve the DDoS detection performance. We evaluate DoLLM with publicdatasets CIC-DDoS2019 and real NetFlow trace from Top-3 countrywide ISP. Thetests have proven that DoLLM possesses strong detection capabilities. Its F1score increased by up to 33.3real ISP traces.

Dan Tang,Xiyin Wang,Yudong Yan,Dongshuo Zhang,Huan Zhao

DOI: https://doi.org/10.1016/j.comcom.2021.10.007

IF: 5.047

2022-01-01

Computer Communications

Abstract:Low-rate Denial of Service (LDoS) attacks cause severe destructiveness to network security. Consequently, the implementation of detection and defense against them is a concern among the research communities. But it is formidable to deploy extension modules to detect and mitigate attacks online in traditional networks, because devices are deficient of flexibility and scalability. To address the problem, we design and implement an online attack detection and mitigation system (ADMS) framework via the scalable and programmable Software Defined Networking (SDN). ADMS is installed on SDN controllers and conforms to the OpenFlow policy without extra devices. ADMS consists of two modules: the two-phase detection module and the mitigation module. The two-phase detection module combines the new port traffic feature and the Lightgbm classifier based on flow table statistics traffic to precisely detect LDoS attacks. The mitigation module utilizes the novel Sequence Matching based Dynamic Series Analysing (SMDSA) algorithm to locate the attacker, and efficiently mitigates attack traffic by packet filter. The SMDSA algorithm distinguishes the victim port from benign ports by calculating the anomaly score of each port. Our evaluation on a prototype implementation of ADMS shows that the framework is able to precisely identify and efficiently mitigate LDoS attacks in real-time.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jiacen Xu,Jack W. Stokes,Geoff McDonald,Xuesong Bai,David Marshall,Siyue Wang,Adith Swaminathan,Zhou Li

2024-03-02

Abstract:Large language models (LLMs) have demonstrated impressive results on natural language tasks, and security researchers are beginning to employ them in both offensive and defensive systems. In cyber-security, there have been multiple research efforts that utilize LLMs focusing on the pre-breach stage of attacks like phishing and malware generation. However, so far there lacks a comprehensive study regarding whether LLM-based systems can be leveraged to simulate the post-breach stage of attacks that are typically human-operated, or "hands-on-keyboard" attacks, under various attack techniques and environments.

Cryptography and Security,Artificial Intelligence

Yuan Cao,Yuan Gao,Rongjun Tan,Qingbang Han,Zhuotao Liu

DOI: https://doi.org/10.1109/ACCESS.2018.2877710

IF: 3.9

2018-01-01

IEEE Access

Abstract:Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. One practical approach to addressing DDoS attacks is to redirect all destination (e.g., via DNS or BGP) to a third-party, DDoS protection-as-a-service provider (e.g., Cloudflare and Akamai), which is well provisioned and equipped with proprietary filtering mechanisms to remove attack traffic before passing the remaining traffic to the destination. Although such an approach is appealing, as it requires no modification to the existing Internet infrastructure and can scale to handle very large attacks, recent industrial interviews with more than 100 interviewees from over 10 industry segments reveal that this approach alone is not sufficient, especially for large organizations (e.g., Web hosting companies and government) that cannot afford to allow third-parity security-service providers to terminate their network connections. Instead, these organizations have to rely on their ISPs to filter attack traffic. In this paper, we discuss the challenges faced by the ISPs in order to disrupt the Internet security-service market and sketch our solutions, powered by smart contracts.

Amelia Kawasaki,Andrew Davis,Houssam Abbas

2024-07-09

Abstract:The widespread adoption of Large Language Models (LLMs), exemplified by OpenAI's ChatGPT, brings to the forefront the imperative to defend against adversarial threats on these models. These attacks, which manipulate an LLM's output by introducing malicious inputs, undermine the model's integrity and the trust users place in its outputs. In response to this challenge, our paper presents an innovative defensive strategy, given white box access to an LLM, that harnesses residual activation analysis between transformer layers of the LLM. We apply a novel methodology for analyzing distinctive activation patterns in the residual streams for attack prompt classification. We curate multiple datasets to demonstrate how this method of classification has high accuracy across multiple types of attack scenarios, including our newly-created attack dataset. Furthermore, we enhance the model's resilience by integrating safety fine-tuning techniques for LLMs in order to measure its effect on our capability to detect attacks. The results underscore the effectiveness of our approach in enhancing the detection and mitigation of adversarial inputs, advancing the security framework within which LLMs operate.

Cryptography and Security,Machine Learning

Fernando Martinez,Mariyam Mapkar,Ali Alfatemi,Mohamed Rahouti,Yufeng Xin,Kaiqi Xiong,Nasir Ghani

2024-06-04

Abstract:Distributed Denial of Service (DDoS) attacks pose an increasingly substantial cybersecurity threat to organizations across the globe. In this paper, we introduce a new deep learning-based technique for detecting DDoS attacks, a paramount cybersecurity challenge with evolving complexity and scale. Specifically, we propose a new dual-space prototypical network that leverages a unique dual-space loss function to enhance detection accuracy for various attack patterns through geometric and angular similarity measures. This approach capitalizes on the strengths of representation learning within the latent space (a lower-dimensional representation of data that captures complex patterns for machine learning analysis), improving the model's adaptability and sensitivity towards varying DDoS attack vectors. Our comprehensive evaluation spans multiple training environments, including offline training, simulated online training, and prototypical network scenarios, to validate the model's robustness under diverse data abundance and scarcity conditions. The Multilayer Perceptron (MLP) with Attention, trained with our dual-space prototypical design over a reduced training set, achieves an average accuracy of 94.85% and an F1-Score of 94.71% across our tests, showcasing its effectiveness in dynamic and constrained real-world scenarios.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Walid I. Khedr,Ameer E. Gouda,Ehab R. Mohamed

DOI: https://doi.org/10.3390/math11163552

IF: 2.4

2023-08-18

Mathematics

Abstract:Distributed Denial of Service (DDoS) and Address Resolution Protocol (ARP) attacks pose significant threats to the security of Software-Defined Internet of Things (SD-IoT) networks. The standard Software-Defined Networking (SDN) architecture faces challenges in effectively detecting, preventing, and mitigating these attacks due to its centralized control and limited intelligence. In this paper, we present P4-HLDMC, a novel collaborative secure framework that combines machine learning (ML), stateful P4, and a hierarchical logically distributed multi-controller architecture. P4-HLDMC overcomes the limitations of the standard SDN architecture, ensuring scalability, performance, and an efficient response to attacks. It comprises four modules: the multi-controller dedicated interface (MCDI) for real-time attack detection through a distributed alert channel (DAC), the MSMPF, a P4-enabled stateful multi-state matching pipeline function for analyzing IoT network traffic using nine state tables, the modified ensemble voting (MEV) algorithm with six classifiers for enhanced detection of anomalies in P4-extracted traffic patterns, and an attack mitigation process distributed among multiple controllers to effectively handle larger-scale attacks. We validate our framework using diverse test cases and real-world IoT network traffic datasets, demonstrating high detection rates, low false-alarm rates, low latency, and short detection times compared to existing methods. Our work introduces the first integrated framework combining ML, stateful P4, and SDN-based multi-controller architecture for DDoS and ARP detection in IoT networks.

mathematics

Bowen Liu,Boao Xiao,Xutong Jiang,Siyuan Cen,Xin He,Wanchun Dou

DOI: https://doi.org/10.1155/2023/8691095

IF: 1.968

2023-06-12

Security and Communication Networks

Abstract:Machine learning algorithms are at the forefront of the development of advanced information systems. The rapid progress in machine learning technology has enabled cutting-edge large language models (LLMs), represented by GPT-3 and ChatGPT, to perform a wide range of NLP tasks with a stunning performance. However, research on adversarial machine learning highlights the need for these intelligent systems to be more robust. Adversarial machine learning aims to evaluate attack and defense mechanisms to prevent the malicious exploitation of these systems. In the case of ChatGPT, adversarial induction prompt can cause the model to generate toxic texts that could pose serious security risks or propagate false information. To address this challenge, we first analyze the effectiveness of inducing attacks on ChatGPT. Then, two effective mitigating mechanisms are proposed. The first is a training-free prefix prompt mechanism to detect and prevent the generation of toxic texts. The second is a RoBERTa-based mechanism that identifies manipulative or misleading input text via external detection models. The availability of this method is demonstrated through experiments.

computer science, information systems,telecommunications

Daniel Ayzenshteyn,Roy Weiss,Yisroel Mirsky

2024-10-20

Abstract:As large language models (LLMs) continue to evolve, their potential use in automating cyberattacks becomes increasingly likely. With capabilities such as reconnaissance, exploitation, and command execution, LLMs could soon become integral to autonomous cyber agents, capable of launching highly sophisticated attacks. In this paper, we introduce novel defense strategies that exploit the inherent vulnerabilities of attacking LLMs. By targeting weaknesses such as biases, trust in input, memory limitations, and their tunnel-vision approach to problem-solving, we develop techniques to mislead, delay, or neutralize these autonomous agents. We evaluate our defenses under black-box conditions, starting with single prompt-response scenarios and progressing to real-world tests using custom-built CTF machines. Our results show defense success rates of up to 90\%, demonstrating the effectiveness of turning LLM vulnerabilities into defensive strategies against LLM-driven cyber threats.

Cryptography and Security,Artificial Intelligence

Jiaqi Xue,Mengxin Zheng,Ting Hua,Yilin Shen,Yepeng Liu,Ladislau Boloni,Qian Lou

DOI: https://doi.org/10.48550/arXiv.2306.06815

2023-10-31

Abstract:Large Language Models (LLMs) are progressively being utilized as machine learning services and interface tools for various applications. However, the security implications of LLMs, particularly in relation to adversarial and Trojan attacks, remain insufficiently examined. In this paper, we propose TrojLLM, an automatic and black-box framework to effectively generate universal and stealthy triggers. When these triggers are incorporated into the input data, the LLMs' outputs can be maliciously manipulated. Moreover, the framework also supports embedding Trojans within discrete prompts, enhancing the overall effectiveness and precision of the triggers' attacks. Specifically, we propose a trigger discovery algorithm for generating universal triggers for various inputs by querying victim LLM-based APIs using few-shot data samples. Furthermore, we introduce a novel progressive Trojan poisoning algorithm designed to generate poisoned prompts that retain efficacy and transferability across a diverse range of models. Our experiments and results demonstrate TrojLLM's capacity to effectively insert Trojans into text prompts in real-world black-box LLM APIs including GPT-3.5 and GPT-4, while maintaining exceptional performance on clean test sets. Our work sheds light on the potential security risks in current models and offers a potential defensive approach. The source code of TrojLLM is available at <a class="link-external link-https" href="https://github.com/UCF-ML-Research/TrojLLM" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Artificial Intelligence,Computation and Language,Machine Learning

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary