{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,29]],"date-time":"2026-05-29T18:18:54Z","timestamp":1780078734849,"version":"3.54.0"},"reference-count":35,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2022,10,3]],"date-time":"2022-10-03T00:00:00Z","timestamp":1664755200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,10,3]],"date-time":"2022-10-03T00:00:00Z","timestamp":1664755200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key R &D Program of China","doi-asserted-by":"crossref","award":["2018YFC0806900"],"award-info":[{"award-number":["2018YFC0806900"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Software-defined networking (SDN), a novel network paradigm, separates the control plane and data plane into different network equipment to realize the flexible control of network traffic. Its excellent programmability and global view present many new opportunities. DDoS detection under the SDN context is an important and challenging research field. Some previous works attempted to collect and analyze statistics related to flows, usually recorded in switches, to address DDoS threats. In contrast, other works applied machine learning-based solutions to identify DDoS and achieved promising results. Generally, most previous works need to periodically request flow rules or packets to obtain flow statistics or features to detect stealthy exceptions. Nevertheless, the request for flow rules is very time-consuming and CPU-consuming; moreover may congest the communication channel between the controller and the switches. Therefore, we present FORT, a lightweight DDoS detection scheme, which spreads the rule-based detection algorithm at edge switches and determines whether to start it by periodically retrieving the ports state. A time-series algorithm, ARIMA, is utilized to determine the port statistics adaptively, and an SVM algorithm is applied to detect whether a DDoS attack does occur. Representative experiments demonstrate that FORT can significantly reduce the controller load and provide a reliable detection accuracy. Referring to the false alarm rate of 1.24% in the comparison scheme, the false alarm rate of this scheme is only 0.039%, which significantly reduces the probability of false alarm. Besides, by introducing the alarm mechanism, this scheme can reduce the load of the southbound channel by more than 60% in the normal state.<\/jats:p>","DOI":"10.1186\/s42400-022-00128-7","type":"journal-article","created":{"date-parts":[[2022,10,3]],"date-time":"2022-10-03T03:24:51Z","timestamp":1664767491000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":17,"title":["A lightweight DDoS detection scheme under SDN context"],"prefix":"10.1186","volume":"5","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0493-0198","authenticated-orcid":false,"given":"Kun","family":"Jia","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Chaoge","family":"Liu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Qixu","family":"Liu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Junnan","family":"Wang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jiazhi","family":"Liu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Feng","family":"Liu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2022,10,3]]},"reference":[{"key":"128_CR1","doi-asserted-by":"publisher","first-page":"107739","DOI":"10.1016\/j.comnet.2020.107739","volume":"186","author":"V Balasubramanian","year":"2021","unstructured":"Balasubramanian V, Aloqaily M, Reisslein M (2021) An SDN architecture for time sensitive industrial IoT. Comput Netw 186:107739","journal-title":"Comput Netw"},{"key":"128_CR2","first-page":"325","volume-title":"Time series analysis: forecasting and control","author":"GE Box","year":"2015","unstructured":"Box GE, Jenkins GM, Reinsel GC, Ljung GM (2015) Time series analysis: forecasting and control. Wiley, pp 325\u2013329"},{"key":"128_CR3","doi-asserted-by":"crossref","unstructured":"Braga R, Mota E, Passito A (2010) Lightweight DDoS flooding attack detection using NOX\/OpenFlow. In: IEEE local computer network conference. IEEE, pp 408\u2013415","DOI":"10.1109\/LCN.2010.5735752"},{"key":"128_CR4","doi-asserted-by":"crossref","unstructured":"Chang C-W, Huang G, Lin B, Chuah C-N (2011) Leisure: a framework for load-balanced network-wide traffic measurement. In: 2011 ACM\/IEEE seventh symposium on architectures for networking and communications systems. IEEE, pp 250\u2013260","DOI":"10.1109\/ANCS.2011.47"},{"key":"128_CR5","doi-asserted-by":"crossref","unstructured":"Cortez P, Rio M, Rocha M, Sousa P (2006) Internet traffic forecasting using neural networks. In: The 2006 IEEE international joint conference on neural network proceedings. IEEE, pp 2635\u20132642","DOI":"10.1109\/IJCNN.2006.247142"},{"key":"128_CR6","unstructured":"Dao N-N, Park J, Park M, Cho S (2015) A feasible method to combat against DDoS attack in SDN network. In: 2015 international conference on information networking (ICOIN). IEEE, pp 309\u2013311"},{"key":"128_CR7","doi-asserted-by":"crossref","unstructured":"Doshi R, Apthorpe N, Feamster N (2018) Machine learning DDoS detection for consumer internet of things devices. In: 2018 IEEE security and privacy workshops (SPW). IEEE, pp 29\u201335","DOI":"10.1109\/SPW.2018.00013"},{"key":"128_CR8","doi-asserted-by":"publisher","first-page":"149","DOI":"10.1016\/j.future.2021.03.011","volume":"122","author":"LF Eliyan","year":"2021","unstructured":"Eliyan LF, Di Pietro R (2021) DoS and DDoS attacks in software defined networks: A survey of existing solutions and research challenges. Futur Gener Comput Syst 122:149\u2013171","journal-title":"Futur Gener Comput Syst"},{"key":"128_CR9","first-page":"102587","volume":"54","author":"RF Fouladi","year":"2020","unstructured":"Fouladi RF, Ermi\u015f O, Anarim E (2020) A DDoS attack detection and defense scheme using time-series analysis for SDN. J Inf Secur Appl 54:102587","journal-title":"J Inf Secur Appl"},{"key":"128_CR10","unstructured":"Foundation ON (2021) OpenFlow specification. https:\/\/www.opennetworking.org (August)"},{"key":"128_CR11","doi-asserted-by":"publisher","first-page":"122","DOI":"10.1016\/j.bjp.2013.10.014","volume":"62","author":"K Giotis","year":"2014","unstructured":"Giotis K, Argyropoulos C, Androulidakis G, Kalogeras D, Maglaris V (2014) Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Comput Netw 62:122\u2013136","journal-title":"Comput Netw"},{"key":"128_CR12","unstructured":"Group TMW (2021) MAWI Working Group Traffic Archive. http:\/\/mawi.wide.ad.jp\/mawi\/ (August)"},{"key":"128_CR13","doi-asserted-by":"crossref","unstructured":"Hu D, Hong P, Chen Y (2017) FADM: DDoS flooding attack detection and mitigation system in software-defined networking. In: GLOBECOM 2017-2017 IEEE global communications conference. IEEE, pp 1\u20137","DOI":"10.1109\/GLOCOM.2017.8254023"},{"issue":"10","key":"128_CR14","doi-asserted-by":"publisher","first-page":"2358","DOI":"10.1109\/JSAC.2018.2869997","volume":"36","author":"K Kalkan","year":"2018","unstructured":"Kalkan K, Altay L, G\u00fcr G, Alag\u00f6z F (2018) JESS: joint entropy-based DDoS defense scheme in SDN. IEEE J Sel Areas Commun 36(10):2358\u20132372","journal-title":"IEEE J Sel Areas Commun"},{"key":"128_CR15","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1016\/j.comnet.2019.05.022","volume":"161","author":"X Leng","year":"2019","unstructured":"Leng X, Hou K, Chen Y, Bu K, Song L, Li Y (2019) A lightweight policy enforcement system for resource protection and management in the SDN-based cloud. Comput Netw 161:68\u201381","journal-title":"Comput Netw"},{"key":"128_CR16","doi-asserted-by":"crossref","unstructured":"Mehr SY, Ramamurthy B (2019) An SVM based DDoS attack detection method for Ryu SDN controller. In: Proceedings of the 15th international conference on emerging networking experiments and technologies, pp 72\u201373","DOI":"10.1145\/3360468.3368183"},{"key":"128_CR17","unstructured":"NSFOCUS Telecom C (2021) 2020 DDoS report. https:\/\/www.nsfocus.com.cn (August)"},{"issue":"13","key":"128_CR18","doi-asserted-by":"publisher","first-page":"3462","DOI":"10.1109\/TSP.2017.2690388","volume":"65","author":"N Perraudin","year":"2017","unstructured":"Perraudin N, Vandergheynst P (2017) Stationary signal processing on graphs. IEEE Trans Signal Process 65(13):3462\u20133477","journal-title":"IEEE Trans Signal Process"},{"key":"128_CR19","unstructured":"Sanfilippo S (2021) hping3 tool. http:\/\/www.hping.org\/hping3.html (August)"},{"key":"128_CR20","unstructured":"Sekar V, Reiter MK, Willinger W, Zhang H, Kompella RR, Andersen DG (2008) csamp: a system for network-wide flow monitoring"},{"key":"128_CR21","doi-asserted-by":"crossref","unstructured":"Sharafaldin I, Lashkari AH, Hakak S, Ghorbani AA (2019) Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy. In: 2019 international Carnahan conference on security technology (ICCST)","DOI":"10.1109\/CCST.2019.8888419"},{"key":"128_CR22","doi-asserted-by":"publisher","first-page":"509","DOI":"10.1016\/j.comcom.2020.02.085","volume":"154","author":"MP Singh","year":"2020","unstructured":"Singh MP, Bhandari A (2020) New-flow based DDoS attacks in SDN: taxonomy, rationales, and research challenges. Comput Commun 154:509\u2013527","journal-title":"Comput Commun"},{"key":"128_CR23","doi-asserted-by":"publisher","first-page":"389","DOI":"10.1007\/978-3-030-22277-2_15","volume-title":"Handbook of computer networks and cyber security","author":"T Ubale","year":"2020","unstructured":"Ubale T, Jain AK (2020) Survey on DDoS attack techniques and solutions in software-defined network. Handbook of computer networks and cyber security. Springer, Cham, pp 389\u2013419"},{"key":"128_CR24","doi-asserted-by":"publisher","first-page":"308","DOI":"10.1016\/j.comnet.2015.02.026","volume":"81","author":"B Wang","year":"2015","unstructured":"Wang B, Zheng Y, Lou W, Hou YT (2015) DDoS attack protection in the era of cloud computing and software-defined networking. Comput Netw 81:308\u2013319","journal-title":"Comput Netw"},{"key":"128_CR25","doi-asserted-by":"crossref","unstructured":"Wang R, Jia Z, Ju L (2015) An entropy-based distributed DDoS detection mechanism in software-defined networking. In: 2015 IEEE Trustcom\/BigDataSE\/ISPA, vol 1. IEEE, pp 310\u2013317","DOI":"10.1109\/Trustcom.2015.389"},{"key":"128_CR26","doi-asserted-by":"crossref","unstructured":"Wang H, Yang G, Chinprutthiwong P, Xu L, Zhang Y, Gu G (2018) Towards fine-grained network security forensics and diagnosis in the SDN era. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 3\u201316","DOI":"10.1145\/3243734.3243749"},{"issue":"6","key":"128_CR27","doi-asserted-by":"publisher","first-page":"1400","DOI":"10.1109\/TPDS.2018.2883438","volume":"31","author":"D Wu","year":"2018","unstructured":"Wu D, Nie X, Asmare E, Arkhipov DI, Qin Z, Li R, McCann JA, Li K (2018) Towards distributed SDN: mobility management and flow scheduling in software defined urban IoT. IEEE Trans Parallel Distrib Syst 31(6):1400\u20131418","journal-title":"IEEE Trans Parallel Distrib Syst"},{"issue":"4","key":"128_CR28","first-page":"72","volume":"5","author":"J Xu","year":"2020","unstructured":"Xu J, Wang L, Xu Z (2020) Survey on resource consumption attacks and defenses in software-defined networking. J Cyber Secur 5(4):72\u201395","journal-title":"J Cyber Secur"},{"key":"128_CR29","doi-asserted-by":"crossref","unstructured":"Xu Y, Liu Y (2016) DDoS attack detection under SDN context. In: IEEE INFOCOM 2016-the 35th annual IEEE international conference on computer communications. IEEE, pp 1\u20139","DOI":"10.1109\/INFOCOM.2016.7524500"},{"issue":"1","key":"128_CR30","doi-asserted-by":"publisher","first-page":"602","DOI":"10.1109\/COMST.2015.2487361","volume":"18","author":"Q Yan","year":"2015","unstructured":"Yan Q, Yu FR, Gong Q, Li J (2015) Software-defined networking (SDN) and distributed denial of service (DDOS) attacks in cloud computing environments: a survey, some research issues, and challenges. IEEE Commun Surv Tutor 18(1):602\u2013622","journal-title":"IEEE Commun Surv Tutor"},{"key":"128_CR31","first-page":"9804061","volume":"2018","author":"J Ye","year":"2018","unstructured":"Ye J, Cheng X, Zhu J, Feng L, Song L (2018) A DDoS attack detection method based on SVM in software defined network. Secur Commun Netw 2018:9804061","journal-title":"Secur Commun Netw"},{"key":"128_CR32","doi-asserted-by":"publisher","first-page":"24694","DOI":"10.1109\/ACCESS.2018.2831284","volume":"6","author":"D Yin","year":"2018","unstructured":"Yin D, Zhang L, Yang K (2018) A DDoS attack detection and mitigation with software-defined internet of things framework. IEEE Access 6:24694\u201324705","journal-title":"IEEE Access"},{"key":"128_CR33","doi-asserted-by":"crossref","unstructured":"You X, Feng Y, Sakurai K (2017) Packet in message based DDoS attack detection in SDN network using OpenFlow. In: 2017 fifth international symposium on computing and networking (CANDAR). IEEE, pp 522\u2013528","DOI":"10.1109\/CANDAR.2017.93"},{"key":"128_CR34","doi-asserted-by":"crossref","unstructured":"Zhang Y (2013) An adaptive flow counting method for anomaly detection in SDN. In: Proceedings of the ninth ACM conference on emerging networking experiments and technologies, pp 25\u201330","DOI":"10.1145\/2535372.2535411"},{"issue":"3","key":"128_CR35","doi-asserted-by":"publisher","first-page":"728","DOI":"10.1109\/TPDS.2020.3030630","volume":"32","author":"G Zhao","year":"2020","unstructured":"Zhao G, Xu H, Fan J, Huang L, Qiao C (2020) Achieving fine-grained flow management through hybrid rule placement in SDNS. IEEE Trans Parallel Distrib Syst 32(3):728\u2013742","journal-title":"IEEE Trans Parallel Distrib Syst"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00128-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-022-00128-7\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00128-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,10,3]],"date-time":"2022-10-03T03:26:28Z","timestamp":1664767588000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-022-00128-7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,3]]},"references-count":35,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2022,12]]}},"alternative-id":["128"],"URL":"https:\/\/doi.org\/10.1186\/s42400-022-00128-7","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,10,3]]},"assertion":[{"value":"31 August 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"4 July 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"3 October 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"27"}}