Gubei Yin,Junhua Tang,Futai Zou,Yue Wu,Jianhua Li

DOI: https://doi.org/10.1109/iccc47050.2019.9064357

2019-01-01

Abstract:Information-centric networking (ICN), which is believed to be one of the most promising technologies in the next-generation network, has drawn lots of attention from both academia and industry. While ICN solves many problems of the TCP/IP architecture, new security issues arise. The interest flooding attack is one of them. In this paper, we discuss the influences of this type of attack in Named Data Networking (NDN) and propose a novel detection and mitigation scheme. In this scheme, a controller is introduced in an NDN domain to collect routing and forwarding statistics from routers. These statistics are then analyzed by the controller to detect interest flooding attack as well as trace the adversaries and malicious prefixes. Simulation experiments are conducted using ndnSIM, and the results demonstrate that the proposed scheme is both effective and efficient.

Junchi Xing,Jingling Cai,Boyang Zhou,Chunming Wu

DOI: https://doi.org/10.1109/iscc47284.2019.8969595

2019-01-01

Abstract:Recently, link flooding attacks (LFA) have been observed as a serious threat for cutting off the Internet connectivity through congesting critical links. A LFA typically utilizes legitimate and low-rate flows, which makes it extremely hard to be detected and, subsequently, to be mitigated. In this paper, we present LF-Shield, that is a deep convolutional neural network (ConvNet) based countermeasure to accurately detect and efficiently mitigate LFAs using software-defined network (SDN) paradigm. LF-Shield can identify malicious bots that launch LFA flows by extracting end-hosts' traffic features and afterwards, classifying the type of end-hosts based on deep ConvNet. Then, LF-Shield mitigates LFAs without affecting legitimate end-hosts through blocking the classified malicious bots and limiting the bandwidths of inactive or newly-accessed end-hosts. A LF-Shield prototype is implemented for evaluating its performance by several experiments. The experimental results demonstrate that LF-Shield can identify malicious bots with an accuracy of 96.4% and mitigate LFAs with the 93.1% reduction in link degradation ratio, with negligible impact on legitimate end-hosts.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Jiaqing Dong,Kai Wang,Yongqiang Lyu,Libo Jiao,Hao Yin

DOI: https://doi.org/10.1007/978-3-030-05063-4_39

2018-01-01

Abstract:Interest Flooding Attack (IFA) has been one of the biggest threats for the Named Data Networking (NDN) paradigm, while it is very easy to launch but very difficult to mitigate. In this paper, we propose the InterestFence, which is a simple, direct, lightweight yet efficient IFA countermeasure, and the first one to achieve fast detection meanwhile accurate and efficient attacking traffic filtering without harming any legitimate Interests. InterestFence detects IFA based on content servers rather than routers to guarantee accurate detection. All content items with the same prefix within a content server have a hash-based security label (HSL) to claim their existence, and a HSL verification method is securely transmitted to related routers to help filtering and cleaning IFA traffic in transit networks accurately and efficiently. Performance analysis demonstrates the effectiveness of InterestFence on mitigating IFA and its lightweight feature due to the limited overhead involved.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Ren-Ting Lee,Yu-Beng Leau,Yong Jin Park,Mohammed Anbar

DOI: https://doi.org/10.1080/02564602.2021.1957029

2021-08-01

IETE Technical Review

Abstract:Internet of Things (IoT) allows all entities such as computing devices, machines, objects, people, etc., to interact with each other through their Internet Protocol (IP) addresses without human intervention. Consequently, IP addresses are being exhausted rapidly. Named-Data Networking (NDN) tends to transit the conventional host-centric network into the data-centric network. However, routing attacks such as Interest Flooding Attack (IFA) is a primary security concern. To date, far too little attention has been paid to classify the IFA detection mechanisms and further identify the key points to design an efficient detection technique. This study aimed to conduct a comprehensive survey of state-of-the-art IFA detection mechanisms and analysed the algorithms used. In this paper, we summarize the different types of possible attack models with a specific name with a description in NDN, specifically the PIT-oriented routing attack. Besides, we classified these mechanisms into nine categories with its topology used, analogy metrics and attack focus. Finally, we have highlighted and provide recommendations in some critical pieces of architecture in detection mechanism design as future challenges to secure the IoT data from IFA in NDN.

telecommunications,engineering, electrical & electronic

Alberto Compagno,Mauro Conti,Paolo Gasti,Gene Tsudik

DOI: https://doi.org/10.1109/LCN.2013.6761300

2013-08-02

Abstract:Content-Centric Networking (CCN) is an emerging networking paradigm being considered as a possible replacement for the current IP-based host-centric Internet infrastructure. In CCN, named content becomes a first-class entity. CCN focuses on content distribution, which dominates current Internet traffic and is arguably not well served by IP. Named-Data Networking (NDN) is an example of CCN. NDN is also an active research project under the NSF Future Internet Architectures (FIA) program. FIA emphasizes security and privacy from the outset and by design. To be a viable Internet architecture, NDN must be resilient against current and emerging threats. This paper focuses on distributed denial-of-service (DDoS) attacks; in particular we address interest flooding, an attack that exploits key architectural features of NDN. We show that an adversary with limited resources can implement such attack, having a significant impact on network performance. We then introduce Poseidon: a framework for detecting and mitigating interest flooding attacks. Finally, we report on results of extensive simulations assessing proposed countermeasure.

Networking and Internet Architecture,Cryptography and Security

Pei Chen,Dagang Li

DOI: https://doi.org/10.1109/chinacom.2014.7054278

2014-01-01

Abstract:Information Centric Network or ICN is one of the few popular designs envisioned for the future Internet. In ICN, packets are routed by content-object names. Such names can be much more complicated as well as order of magnitude more in quantity than IP addresses, and the same content-objects might also be available for retrieval at more places in the network. As routing tables are always limited in space, it is very unlikely that they can hold the routing information for all these names at all times, therefore some kind of on-demand route discovery mechanism is always a necessity for ICN. Flooding is a safe method for such purpose that can assure route optimality, but it is very heavy in terms of incurred messaging traffic. On the other hand, large content are better retrieved and routed in chunks instead of as a complete whole for better networking efficiency, therefore a miss in the routing table might result in a series of flooding for all the chunks of the target content. In this study we call chunks of the same content as neighboring chunks, and propose a route discovery mechanism that makes use of their relationship to reduce the overhead of successive flooding: when one chunk is requested across the network, its neighboring chunks are also reported back just in case. Compared with previous work, our algorithms can achieve faster route discovery without much loss to the routing quality, which makes them suitable for different needs to the route discovery in ICN.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

Yue Li,Yingjian Liu,Haoyu Yin,Zhongwen Guo,Yu Wang

DOI: https://doi.org/10.1109/jiot.2023.3297334

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Internet of Underwater Things (IoUT) needs to maintain effective communication even under the circumstances of severe environments and limited energy. Named Data Networking (NDN), a future network architecture, is starting to be used for IoUT as an effective architecture implementation. Despite having a good performance of data transmission, Underwater Named Data Networking (UNDN) nevertheless faces some security risks, such as Denial-of-Service (DoS) brought by Interest Flooding Attacks (IFAs). This paper proposes a novel DoS attack, Synergetic Denial-of-Service (SDoS), which can cause hiding damages to router’s Content Store (CS), Pending Interest Table (PIT), and Forwarding Information Base (FIB). We not only study the basic synergetic attack model of SDoS but also analyze some possible attack variants. Simulation results illustrate that SDoS entirely invalidates the only IFA detection algorithm in UNDN. Compared to ordinary IFAs, SDoS attacks increase network traffic fourfold. Furthermore, we discover a unique infection problem in UNDN and propose a countermeasure named Trident, which has meticulously designed adaptive threshold, Double Trial for attacker identification, and a self-proving mechanism based on leaky bucket. Experiment results demonstrate that Trident can detect and resist not only IFAs but also SDoS attacks effectively. Meanwhile, Trident also achieves good defense performance on the variants of SDoS and can take on burst traffic and network congestion robustly.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jie Ma,Wei Su,Yikun Li,Yihua Peng

DOI: https://doi.org/10.1016/j.future.2023.12.033

IF: 7.307

2024-01-05

Future Generation Computer Systems

Abstract:The availability of SD-IoT is now under complex and serious cyber threats, especially distributed denial-of-service attacks. However, traditional defense schemes suffer from coarse-grained centralized sampling approaches, low accuracy of detection models, and inefficient mitigation methods. In this paper, a novel DDoS defense scheme is proposed, which consists of a high-accuracy detection mechanism based on a Graph Convolutional Neural Network learning model and a mitigation mechanism based on fast traffic migration. In the detection stage, a fine-grained INT sampling approach is utilized to obtain multidimensional network topology and status information. The Graph Convolutional Neural Network learning model detects switches containing DDoS attack traffic with high accuracy because the detection model not only extracts and utilizes multiple temporal and spatial features of the collected information, but also has a better learning and representation capability. In the mitigation stage, the enhanced whitelist with dynamic threshold-based values is automatically adapted to the real-time state of the network environment for enhanced mitigation flexibility. The fast programmable segment rerouting strategy can block attack traffic in time and ensure the continuity of network services. The results of several comparison experiments show that the proposed scheme can detect DDoS attacks more accurately and mitigate them more effectively than traditional schemes.

computer science, theory & methods

J.J. Garcia-Luna-Aceves,Maziar Mirzazad-Barijough

DOI: https://doi.org/10.48550/arXiv.1603.06012

2016-03-19

Abstract:We show that the mechanisms used in the name data networking (NDN) and the original content centric networking (CCN) architectures may not detect Interest loops, even if the network in which they operate is static and no faults occur. Furthermore, we show that no correct Interest forwarding strategy can be defined that allows Interest aggregation and attempts to detect Interest looping by identifying Interests uniquely. We introduce SIFAH (Strategy for Interest Forwarding and Aggregation with Hop-Counts), the first Interest forwarding strategy shown to be correct under any operational conditions of a content centric network. SIFAH operates by having forwarding information bases (FIBs) store the next hops and number of hops to named content, and by having each Interest state the name of the requested content and the hop count from the router forwarding an Interest to the content. We present the results of simulation experiments using the ndnSIM simulator comparing CCN and NDN with SIFAH. The results of these experiments illustrate the negative impact of undetected Interest looping when Interests are aggregated in CCN and NDN, and the performance advantages of using SIFAH.

Networking and Internet Architecture

Wajid Rafique,Xin He,Zifan Liu,Yuhu Sun,Wanchun Dou

DOI: https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.00080

2019-01-01

Abstract:Managing the Internet of Things (IoT) infrastructure has become a critical challenge due to an enormous increase in the connected devices and the lack of available security solutions. Software-Defined Networking (SDN) has been extensively involved in network infrastructure management. Moreover, numerous recent studies demonstrate the use of SDN for managing IoT networks. In SDN, policy consistency and security of the data plane is maintained through Waypoint Enforcement (WPE) which ensures that the traffic traverses policy nodes/switches to implement high-level network requirements. Previous studies on SDN primarily secure SDN infrastructure against traditional Distributed Denial of Service (DDoS) attacks. However, we investigate Crossfire Attack (CFA), which is a novel DDoS attack capable of interrupting communication of data plane switches using low-rate legitimate traffic. CFA has the potential to isolate policy switch from the rest of the data plane devices which introduces many security anomalies and routing inconsistencies. We first demonstrate how CFA is lethal on policy switch attacks and then present the design and implementation of a novel CFA countermeasure called CFADefense, which employs link selection, attack detection, and malicious flows interception modules. CFADefense has been developed as an application at the application layer of the open-source Floodlight controller. Our evaluation demonstrates that CFADefense accurately detects and efficiently mitigates CFA and poses minimal overhead on the controller in dealing with this attack.

Jiayu Yang,Yuxin Chen,Kaiping Xue,Jiangping Han,Jian Li,David S. L. Wei,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/tnsm.2022.3196344

2022-01-01

Abstract:As a promising implementation of Information-Centric Networking (ICN), Named Data Networking (NDN) has potential advantages over the TCP/IP network in content distribution, mobility support, etc. However, the research on NDN is still in its infancy, and congestion control, NDN’s most important functional element, poses many challenges, such as congestion detection, excessive window reduction for non-congested paths, and unfairness. In this paper, we propose an Intelligent Edge-Aided Congestion Control (IEACC) scheme for the NDN network based on Deep Reinforcement Learning (DRL). The proposed IEACC provides a proactive congestion detector that utilizes intermediate routers to transmit accurate congestion information along the path to consumers through data packets. Furthermore, considering the multi-source transmission in NDN, IEACC divides data packets into different congestion degrees by a lightweight clustering algorithm and provides suitable inputs for DRL, thereby obtaining a reasonable transmission rate. Then, it distributes the estimated bandwidth resources to consumers with transmission needs to maintain fairness. Finally, we implement our proposed scheme in the simulation platform and evaluate the performance in different scenarios. The results show that it can improve data transmission rate, reduce packet loss, and maintain fairness compared with others.

Yu -tong Guo,Yang Gao,Yan Wang,Meng-yuan Qin,Yu-jie Pu,Zeng Wang,Dan-dan Liu,Xiang-jun Chen,Tian-fng Gao,Ting-ting Lv,Zhong-chuan Fu

DOI: https://doi.org/10.1016/j.proeng.2017.01.276

2017-01-01

Procedia Engineering

Abstract:A malicious behavior detection approach which combines both the DPI (Deep Packet Inspection) and DFI (Deep Flow Inspection) is proposed, namely DPI & DFI. For the DPI & DFI method an outlier data mining method is employed. The fine-grained DPI is suitable for plaintext traffic, while DFI is a complementary for encrypted or emerging traffic. The collaborative detection approach includes three phases: DPI detection, DFI detection & comparison, and feedback. In present work, the C4.5 data-mining decision tree is adopted as classifier. The KDD Cup’99 benchmark is used and representative attack categories such as Probing, DOS, R2L (Remote to User) and U2R (User to Root) are evaluated. In-depth analysis demonstrates that the U2R and R2L attack categories lead to lower detection rate, and in particular the attack types contribute most are put forward. In future work, some other types of classifiers suitable to R2L and U2R attack categories should be investigated.

Wei Guo,Jin Xu,Yukui Pei,Liuguo Yin,Chunxiao Jiang,Ning Ge

DOI: https://doi.org/10.1109/jiot.2022.3176121

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Satellite Internet (SI) dramatically expanded the ground-based Internet, and it is also the future direction of 6G. However, due to limited computing power and bandwidth resources, Distributed Denial-of-Service (DDoS) attacks can cause more severe damage to SI, and even paralysis of the entire network. Current DDoS defense mechanisms are built on abundant computing power and bandwidth resources, making applying in the SI scenario challenging. Aiming at protecting SI from DDoS attacks, a blockchain-based distributed collaborative entrance defense (DCED) framework is proposed, in which network traffic characteristics can be recorded and aggregated at the entrances of SI. The proposed framework consists of a distributed detection digesting procedure, a digest virtual aggregation procedure, and an entrance control strategy. The former procedure detects and extracts multidimensional characteristics of DDoS attacks and pushes them onto the blockchain. The latter procedure collects block data and aggregates attack features using the MapReduce algorithm and then compares them with baseline and gives an alert. The strategy completes the filtering and interception of traffic. Experiments use the IXIA platform to generate malicious traffic, and results show that the framework can accurately identify attack traffic within 1500 ms, reaching an area of 0.99 under the receiver operating characteristic curve. The proposed framework is more effective than other similar DDoS methods, protecting the precious SI bandwidth resources.

Xiaobin Tan,Weiwei Feng,Jinyang Lv,Yang Jin,Zhifan Zhao,Jian Yang

DOI: https://doi.org/10.1109/TCOMM.2020.3007936

IF: 6.166

2020-01-01

IEEE Transactions on Communications

Abstract:As a promising candidate for future Internet architecture, Named Data Networking (NDN) can achieve significant potential advantages over current TCP/IP based Internet in content distribution and mobility support, etc. However, the communication mode in NDN that one Interest packet for pulling one data packet is likely to incur Interest packets flooding and to cause extremely large-scale Pending Interest Table (PIT) of the NDN router, which may substantially degrade the performance of NDN. Moreover, the absence of predefined connections also induces another challenge for NDN to manage the successive and concurrent requests from consumers efficiently. In this paper, we propose flow-based NDN (f-NDN) architecture capable of supporting flow transmission mode for addressing the aforementioned challenges. In the context of f-NDN, a data flow is defined as an aggregate of data packets with the same name prefix, and a flow Interest packet is introduced to pull a data flow rather than a single data packet. The PIT, CS, and FIB are re-designed to enable f-NDN to operate at the granularity of flows. Bitmap structure aided error handling mechanism is further presented for f-NDN to deal with the flow transmission's uncertain failures. The built-in flow support in f-NDN allows us to conceive a flow-level multi-path transmission regime for balancing the traffic in NDN network and reducing the time consumed for pulling the entire content. Weight-based flow Interest splitting algorithm and optimal rate control algorithm are both proposed for optimizing multi-path transmission. We illustrate the capability of the proposed architecture in supporting flow transmission and multi-path by implementing it in both simulator and prototype systems. The evaluation results are also presented to show its achievable performance.

Lin Yao,Zhenzhen Fan,Jing Deng,Xin Fan,Guowei Wu

DOI: https://doi.org/10.1109/tdsc.2018.2876257

2020-11-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Named Data Network (NDN), as a promising information-centric networking architecture, is expected to support next-generation of large-scale content distribution with open in-network cachings. However, such open in-network caches are vulnerable against Cache Pollution Attacks (CPAs) with the goal of filling cache storage with non-popular contents. The detection and defense against such attacks are especially difficult because of CPA's similarities with normal fluctuations of content requests. In this work, we use a clustering technique to detect and defend against CPAs. By clustering the content interests, our scheme is able to distinguish whether they have followed the Zipf-like distribution or not for accurate detections. Once any attack is detected, an attack table will be updated to record the abnormal requests. While such requests are still forwarded, the corresponding content chunks are not cached. Extensive simulations in ndnSIM demonstrate that our scheme can resist CPA effectively with higher cache hit, higher detecting ratio, lower hop count, and lower algorithm complexity compared to other state-of-the-art schemes.

computer science, information systems, software engineering, hardware & architecture

Kexin Chen,Hang Wang,Peilin Hong

DOI: https://doi.org/10.1109/icc45041.2023.10279833

2023-01-01

Abstract:Multi-tenancy and the vulnerabilities of network isolation make Low-Rate Distributed Denial-of-Service (LDDoS) severe threats to cloud data centers. Due to the stealthy nature of the LDDoS attack, it is not easy to detect in data center networks (DCN) with frequent Incast traffic. And the traditional Detect-Drop defense strategy may drop some benign flows, significantly reducing user experience. To this end, this paper first proposes a mathematical model that reveals the attack aggregation mechanism and queuing pattern of LDDoS attack in DCN. On this basis, this article proposes a novel defense strategy that can interfere with LDDoS attack aggregation without breaking the benign user's connection. When there is an attack detected, the information of normal and suspicious flows will be roughly grouped and notified to the preceding switch, where they will enter different switch queues separately. Afterward, the packets in the suspicious flow queue will be added with a subtle delay when dequeuing. As for the attack flows, it directly results in the inability to aggregate into large pulses. For the normal flow, it merely increases the flow completion time (FCT) by a few microseconds. It is due to this property that the method proposed can defend against attacks without affecting the connection of the normal flows. The simulation results are consistent with the theoretical analysis and show that this strategy can effectively recover the network performance. Moreover, it achieves excellent robustness at low detection accuracy, making it suitable for running in DCN.

Dingwen Hu,Peilin Hong,Yixin Chen

DOI: https://doi.org/10.1109/glocom.2017.8254023

2017-01-01

Abstract:Distributed Denial-of-Service (DDoS) flooding attack is one of the most serious threats to network security. Software-Defined Networking (SDN) has recently emerged as a new network management platform, and its centralized control architecture brings many new opportunities for defending against network attacks. In this paper, we propose FADM, an efficient and lightweight framework to detect and mitigate DDoS attacks in SDN. Firstly, the network traffic information is collected through the SDN controller and sFlow agents. Then an entropy-based method is used to measure network features, and the SVM classifier is applied to identify network anomalies. By adopting these methods together, the timeliness and accuracy of attack detection are effectively improved. To keep the major network functionality working, we propose an efficient attack mitigation mechanism based on the white-list and traffic migration. By introducing the mitigation agent to the network, attack traffic can be timely blocked while benign traffic can be forwarded as usual, which prevents the controller resources from being exhausted and ensures that legitimate users can access the network normally. The experimental results show that multiple DDoS attacks can be accurately detected and effectively mitigated by FADM, which enables the network to recover in a short time.