Two-stage DDoS attack detection method in SDN environment

Bao Xiaoan; Fan Yunlong; Tu Xiaomei; Hu Tianbin; Zhang Na; Wu Biao

doi:10.11959/j.issn.1000-0801.2026018

您当前的位置：

首页 >

文章列表页 >

Two-stage DDoS attack detection method in SDN environment

Research and Development | 更新时间：2026-03-05

- Two-stage DDoS attack detection method in SDN environment
- Telecommunications Science Vol. 42, Issue 2, Pages: 135-147(2026)
- 作者机构：
  
  1.浙江理工大学计算机科学与技术学院，浙江杭州 310018
  2.浙江广厦建设职业技术大学城乡建设学院，浙江金华 322100
  3.河海大学人工智能与自动化学院，江苏常州 213000
  4.浙江理工大学理学院，浙江杭州 310018
- 作者简介：
- 基金信息：
  
  Zhejiang Provincial Key Research and Development Program(2020C03094);Projects of Zhejiang Provincial Department of Education(Y202250706;Y202147659)
- DOI：10.11959/j.issn.1000-0801.2026018
  CLC： TP393
- Received：05 August 2025，
  
  Revised：2025-08-18，
  
  Accepted：01 September 2025，
  
  Published：20 February 2026
- 稿件说明：
移动端阅览
包晓安,范云龙,涂小妹等.SDN环境下双阶段DDoS攻击检测方法[J].电信科学,2026,42(02):135-147.

Bao Xiaoan,Fan Yunlong,Tu Xiaomei,et al.Two-stage DDoS attack detection method in SDN environment[J].Telecommunications Science,2026,42(02):135-147.
包晓安,范云龙,涂小妹等.SDN环境下双阶段DDoS攻击检测方法[J].电信科学,2026,42(02):135-147. DOI： 10.11959/j.issn.1000-0801.2026018.

Bao Xiaoan,Fan Yunlong,Tu Xiaomei,et al.Two-stage DDoS attack detection method in SDN environment[J].Telecommunications Science,2026,42(02):135-147. DOI： 10.11959/j.issn.1000-0801.2026018.

摘要

针对软件定义网络（software-defined network，SDN）中分布式拒绝服务（distributed denial of service，DDoS）攻击检测存在的特征丢失、模型计算复杂度高以及检测实时性不足等问题，提出了一种系统化的检测框架。首先，提出一种融合流级与包级双粒度信息的流量表征方法，以多尺度挖掘攻击行为的关键特征，提升流量表征信息的完整性。其次，构建基于Mamba架构的轻量级检测模型DDoSMamba。该模型首先利用状态空间建模与全局感受野机制，降低序列建模中的计算资源与内存消耗；然后引入双向信息交互机制，增强对序列前后文关系的建模能力；最后结合低秩近似分解与特征子空间划分策略，显著压缩参数规模与推理开销。最后，进一步设计双阶段DDoS攻击检测方法：第一阶段，利用Tsallis熵对粗粒度特征进行快速筛查，排除大量正常流量；第二阶段，基于细粒度特征进行高精度分类，实现快速响应与精准检测的平衡。在CIC-IDS2019数据集上的实验结果表明，本文所提方法在二分类与多分类任务中分别达到99.96%与99.93%的准确率，平均检测耗时仅为0.067 2 ms，参数量低至4.553 8 KB。

Abstract

To address issues such as feature loss

high computational complexity

and insufficient real-time performance in distributed denial of service (DDoS) attack detection within software-defined networks (SDN)

a systematic detection framework was proposed. Firstly

traffic characterization method integrateing dual-granularity information at both flow-level and packet-level was introduced to extract key features of various attack behaviors at multiple scales

thereby enhancing the completeness of traffic representation. Then

a lightweight detection model named DDoSMamba

based on the Mamba architecture

was constructed. By leveraging state space modeling and global receptive field mechanisms

the model reduced computational and memory overhead during sequence modeling. A bidirectional information interaction mechanism was introduced to enhance contextual modeling

while low-rank approximation and subspace feature decomposition strategies were employed to significantly compress parameter size and inference cost. Finally

a two-stage DDoS attack detection method was designed. In the first stage

Tsallis entropy was used to perform rapid filtering based on coarse-grained features

effectively eliminating a large amount of benign traffic. In the second stage

fine-grained features were used for high-precision classification

achieving a balance between fast response and accurate detection. Experiments conducted on the CIC-IDS2019 dataset demonstrate that the proposed method achieves 99.96% and 99.93% detection accuracy for binary and multi-class classification tasks

respectively

with an average inference latency of only 0.067 2 ms and a model size as low as 4.553 8 KB.

关键词

Keywords

references

De Melo L H , de Carvalho Bertoli G , Nogueira M , et al . Anomaly-flow: a multi-domain federated generative adversarial network for distributed denial-of-service detection [PP ] . V1. arXiv ( 2025-03-18 )[ 2025-07-05 ] . arXiv: arXiv. 2503.14618.

KöKsal S , Dalveren Y , Maiga B , et al . Distributed denial-of-service attack mitigation in network functions virtualization-based 5G networks using management and orchestration [J ] . International Journal of Communication Systems , 2021 , 34 ( 9 ): e4825 .

Han T , Jan S R U , Tan Z Y , et al . A comprehensive survey of security threats and their mitigation techniques for next-generation SDN controllers [J ] . Concurrency and Computation: Practice and Experience , 2020 , 32 ( 16 ): e5300 .

Zhu L H , Liao B C , Zhang Q , et al . Vision mamba: efficient visual representation learning with bidirectional state space model [PP ] . V3. arXiv ( 2024-11-14 )[ 2025-07-05 ] . arXiv: arXiv. 2401.09417.

Qu J , Ma X B , Li J F . TrafficGPT: breaking the token barrier for efficient long traffic analysis and generation [PP ] . V2. arXiv ( 2024-03-18 )[ 2025-07-05 ] . arXiv: arXiv. 2403.05822.

郑承蔚 , 王海凤 , 刘瑞 . SDN中DDoS攻击检测研究综述 [J ] . 计算机工程与应用 , 2024 , 60 ( 24 ): 79 - 96 .

Zheng C W , Wang H F , Liu R . Review of research on DDoS attack detection in SDN [J ] . Computer Engineering and Applications , 2024 , 60 ( 24 ): 79 - 96 .

Gu A , Dao T . Mamba: linear-time sequence modeling with selective state spaces [PP ] . V2. arXiv ( 2024-05-31 )[ 2025-07-05 ] . arXiv: arXiv. 2312.00752.

Neres Carvalho R , Luiz Bordim J , Adilio Pelinson Alchieri E . Entropy-based DoS attack identification in SDN [C ] // Proceedings of the 2019 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW) . Piscataway : IEEE Press , 2019 : 627 - 634 .

Ujjan R M A , Pervez Z , Dahal K , et al . Entropy based features distribution for anti-DDoS model in SDN [J ] . Sustainability , 2021 , 13 ( 3 ): 1522 .

Li R Y , Wu B . Early detection of DDoS based on φ -entropy in SDN networks [C ] // Proceedings of the 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC) . Piscataway : IEEE Press , 2020 : 731 - 735 .

Hemmati Z , Mirjalily G , Mohtajollah Z . Entropy-based DDoS attack detection in SDN using dynamic threshold [C ] // Proceedings of the 2021 7th International Conference on Signal Processing and Intelligent Systems (ICSPIS) . Piscataway : IEEE Press , 2022 : 1 - 5 .

Ben Said R , Askerzade I . Attention-based CNN-BiLSTM deep learning approach for network intrusion detection system in software defined networks [C ] // Proceedings of the 2023 5th International Conference on Problems of Cybernetics and Informatics (PCI) . Piscataway : IEEE Press , 2023 : 1 - 5 .

Zainudin A , Ahakonye L A C , Akter R , et al . An efficient hybrid-DNN for DDoS detection and classification in software-defined IIoT networks [J ] . IEEE Internet of Things Journal , 2023 , 10 ( 10 )： 8491 - 8504 .

Bhutto A B , Vu X S , Elmroth E , et al . Reinforced Transformer learning for VSI-DDoS detection in edge clouds [J ] . IEEE Access , 2022 , 10 : 94677 - 94690 .

Le T T H , Heo S , Cho J , et al . DDoSBERT: Fine-tuning variant text classification bidirectional encoder representations from transformers for DDoS detection [J ] . Computer Networks , 2025 , 262 : 111150 .

Wang H M , Li W . DDosTC: a Transformer-based network attack detection hybrid mechanism in SDN [J ] . Sensors , 2021 , 21 ( 15 ): 5047 .

Madhwani P P , Kutty A P K , Mookerjea B , et al . A compact cryogenic configurable slit unit for a multi-object infrared spectrograph: Design and Development of a prototype at TIFR [PP ] . V1. arXiv ( 2023-08-31 )[ 2025-07-05 ] . arXiv: arXiv. 2309.00063.

He W , Han K , Tang Y H , et al . DenseMamba: state space models with dense hidden connection for efficient large language models [PP ] . V2. arXiv ( 2024-03-05 )[ 2025-07-05 ] . arXiv: arXiv. 2403.00818.

Bhat S . Mathematical formalism for memory compression in selective state space model [PP ] . V2. arXiv ( 2024-10-04 )[ 2025-07-05 ] . arXiv : arXiv. 2410.03158.

Dao T , Gu A . Transformers are SSMs: generalized models and efficient algorithms through structured state space duality [PP ] . V1. arXiv ( 2024-05-31 )[ 2025-07-05 ] . arXiv: arXiv. 2405.21060.

Elsayed M S , Le-Khac N A , Azer M A , et al . A flow-based anomaly detection approach with feature selection method against DDoS attacks in SDNs [J ] . IEEE Transactions on Cognitive Communications and Networking , 2022 , 8 ( 4 ): 1862 - 1880 .

Elsayed M S , Le-Khac N A , Dev S , et al . DDoSNet: a deep-learning model for detecting network attacks [C ] // Proceedings of the 2020 IEEE 21st International Symposium on "A World of Wireless, Mobile and Multimedia Networks" (WoWMoM) . Piscataway : IEEE Press , 2020 : 391 - 396 .

Wei Y Y , Jang-Jaccard J , Sabrina F , et al . AE-MLP: a hybrid deep learning approach for DDoS detection and classification [J ] . IEEE Access , 2021 , 9 : 146810 - 146821 .

Salih A A , Abdulrazaq M B . Cybernet model: a new deep learning model for cyber DDoS attacks detection and recognition [J ] . Computers, Materials and Continua , 2024 , 78 ( 1 ): 1275 - 1295 .

傅友 , 邹东升 . SDN中基于条件熵和决策树的DDoS攻击检测方法 [J ] . 重庆大学学报 , 2023 , 46 ( 7 ): 1 - 8 .

Fu Y , Zou D S . A DDoS attack detection method based on conditional entropy and decision tree in SDN [J ] . Journal of Chongqing University (Natural Science Edition) , 2023 , 46 ( 7 ): 1 - 8 .

Srivastava A , Sinha D . FP-growth-based signature extraction and unknown variants of DoS/DDoS attack detection on real-time data stream [J ] . Journal of Information Security and Applications , 2025 , 89 : 103996 .

Ali M , Saleem Y , Hina S , et al . DDoSViT: IoT DDoS attack detection for fortifying firmware Over-The-Air (OTA) updates using vision transformer [J ] . Internet of Things , 2025 , 30 : 101527 .

Views

134

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Research on SDN based tactical communication network architecture

Research and application of traffic engineering algorithm based on deep learning

SDN resolve space-ground integrated network based on end side computing

Convergence of telco cloud and bearer network based computing power network orchestration

Related Author

Chao ZHU

Tai LIU

Yiming WANG

Yi CHENG

Hongqiang FANG

Feng LI

Qianchun LU

Jin QI

Related Institution

University of Science and Technology of China

State Key Laboratory of Mobile Network and Mobile Multimedia Technology

LiLAB,University of Florida,Gainesville

School of Information and Electrical Engineering,Zhejiang Gongshang University

Beijing University of Posts and Telecommunications

⁰