{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T11:01:58Z","timestamp":1768302118810,"version":"3.49.0"},"reference-count":25,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T00:00:00Z","timestamp":1768262400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T00:00:00Z","timestamp":1768262400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["No.62302224"],"award-info":[{"award-number":["No.62302224"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>Software-Defined Networking (SDN), as a new network architecture, has brought convenience, but also suffered from the threat of Distributed Denial of Service (DDoS) attack. However, most existing DDoS attack detection schemes for SDN employ only a single detection method, leading to imbalances in detection speed, system overhead, and detection accuracy. Even though a few schemes improve detection efficiency and accuracy through two-stage detection, they still suffer from low system flexibility and do not support dynamic threshold adjustment. In order to resolve these issues, we propose an adaptive two-stage DDoS attack detection scheme with Dynamic Threshold Adjustment (ATS-DTA for short), which contains three sub-modules. More specifically, by dividing DDoS attack detection into two modules: a conditional entropy-based network traffic anomaly detection phase and a DDoS attack detection phase based on machine learning methods. Additionally, an adaptive threshold adjustment module is introduced to improve the system\u2019s flexibility. Finally, the experimental results show that our scheme, compared to related schemes, not only significantly improves detection accuracy and speed but also supports flexible and dynamic threshold adjustment. Specifically, our method achieves an average accuracy improvement of 1.91% and a precision increase of 1.23% over baseline methods, underscoring its effectiveness in adapting to complex and evolving network environments. These advantages illustrate that our ATS-DTA scheme provides a more balanced, efficient, and reliable solution for DDoS detection in dynamic network scenarios.<\/jats:p>","DOI":"10.1186\/s42400-025-00414-0","type":"journal-article","created":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T03:01:44Z","timestamp":1768273304000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Ats-dta: adaptive two-stage DDoS detection with dynamic threshold adjustment in SDN networks"],"prefix":"10.1186","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-5189-0769","authenticated-orcid":false,"given":"Tianrui","family":"Bai","sequence":"first","affiliation":[]},{"given":"Yuan","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Yiwen","family":"Gao","sequence":"additional","affiliation":[]},{"given":"Yongbin","family":"Zhou","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,1,13]]},"reference":[{"key":"414_CR1","doi-asserted-by":"crossref","unstructured":"Al\u00a0Sadi A, Savi M, Melis A, Prandini M, Callegati F (2024) Unleashing dynamic pipeline reconfiguration of p4 switches for efficient network monitoring. In: IEEE transactions on network and service management","DOI":"10.1109\/TNSM.2024.3377538"},{"key":"414_CR2","doi-asserted-by":"crossref","unstructured":"Ashodia N, Makadiya K (2022) Detection of DDoS attacks in SDN using machine learning. In 2022 international conference on electronics and renewable systems (ICEARS). IEEE, pp 1322\u20131327","DOI":"10.1109\/ICEARS53579.2022.9751879"},{"issue":"19","key":"414_CR3","doi-asserted-by":"publisher","first-page":"10743","DOI":"10.3390\/su131910743","volume":"13","author":"MJ Awan","year":"2021","unstructured":"Awan MJ, Farooq U, Babar HMA, Yasin A, Nobanee H, Hussain M, Hakeem O, Zain AM (2021) Real-time DDoS attack detection system using big data approach. Sustainability 13(19):10743","journal-title":"Sustainability"},{"key":"414_CR4","first-page":"101065","volume":"31","author":"JF Balarezo","year":"2022","unstructured":"Balarezo JF, Wang S, Chavez KG, Al-Hourani A, Kandeepan S (2022) A survey on DoS\/DDoS attacks mathematical modelling for traditional, SDN and virtual networks. Eng Sci Technol Int J 31:101065","journal-title":"Eng Sci Technol Int J"},{"key":"414_CR5","doi-asserted-by":"crossref","unstructured":"Braga R, Mota E, Passito A (2010) Lightweight DDoS flooding attack detection using nox\/openflow. In: IEEE local computer network conference. IEEE, pp 408\u2013415","DOI":"10.1109\/LCN.2010.5735752"},{"issue":"3","key":"414_CR6","doi-asserted-by":"publisher","first-page":"2395","DOI":"10.1007\/s11277-021-09000-2","volume":"122","author":"UA Bukar","year":"2022","unstructured":"Bukar UA, Othman M (2022) Architectural design, improvement, and challenges of distributed software-defined wireless sensor networks. Wireless Pers Commun 122(3):2395\u20132439","journal-title":"Wireless Pers Commun"},{"key":"414_CR7","doi-asserted-by":"publisher","DOI":"10.1002\/dac.5296","volume":"38","author":"R Chaudhary","year":"2025","unstructured":"Chaudhary R, Aujla GS, Kumar N, Chouhan PK (2025) A comprehensive survey on software-defined networking for smart communities. Int J Commun Syst 38:e5296","journal-title":"Int J Commun Syst"},{"key":"414_CR8","first-page":"103736","volume":"82","author":"A Coscia","year":"2024","unstructured":"Coscia A, Dentamaro V, Galantucci S, Maci A, Pirlo G (2024) Automatic decision tree-based nidps ruleset generation for DoS\/DDoS attacks. J Inf Secur Appl 82:103736","journal-title":"J Inf Secur Appl"},{"key":"414_CR9","doi-asserted-by":"publisher","first-page":"275","DOI":"10.1016\/j.future.2019.02.037","volume":"97","author":"J Cui","year":"2019","unstructured":"Cui J, Wang M, Luo Y, Zhong H (2019) DDoS detection and defense mechanism based on cognitive-inspired computing in SDN. Futur Gener Comput Syst 97:275\u2013283","journal-title":"Futur Gener Comput Syst"},{"key":"414_CR10","doi-asserted-by":"crossref","unstructured":"Deng M, Wu B (2020) Self-adaptive threshold traffic anomaly detection based on entropy and the improved ewma model. In: 2020 IEEE 4th information technology, networking, electronic and automation control conference (ITNEC), vol\u00a01. IEEE, pp 725\u2013730","DOI":"10.1109\/ITNEC48623.2020.9084673"},{"key":"414_CR11","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1016\/j.comcom.2024.04.001","volume":"221","author":"UH Garba","year":"2024","unstructured":"Garba UH, Toosi AN, Pasha MF, Khan S (2024) SDN-based detection and mitigation of DDoS attacks on smart homes. Comput Commun 221:29\u201341","journal-title":"Comput Commun"},{"key":"414_CR12","doi-asserted-by":"publisher","first-page":"122","DOI":"10.1016\/j.bjp.2013.10.014","volume":"62","author":"K Giotis","year":"2014","unstructured":"Giotis K, Argyropoulos C, Androulidakis G, Kalogeras D, Maglaris V (2014) Combining openflow and sflow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Comput Netw 62:122\u2013136","journal-title":"Comput Netw"},{"key":"414_CR13","doi-asserted-by":"crossref","unstructured":"Guo D, Wang Y, Luo X (2020) A SDN-based multiple mechanism DDoS attack detection trigger algorithm. In 2020 international conference on urban engineering and management science (ICUEMS). IEEE, pp 729\u2013735","DOI":"10.1109\/ICUEMS50872.2020.00159"},{"issue":"7","key":"414_CR14","doi-asserted-by":"publisher","first-page":"144","DOI":"10.23919\/JCC.2019.07.012","volume":"16","author":"Z Liu","year":"2019","unstructured":"Liu Z, He Y, Wang W, Zhang B (2019) DDoS attack detection scheme based on entropy and PSO-BP neural network in SDN. China Commun 16(7):144\u2013155","journal-title":"China Commun"},{"issue":"5","key":"414_CR15","doi-asserted-by":"publisher","first-page":"3533","DOI":"10.1109\/JIOT.2021.3097996","volume":"9","author":"X Liu","year":"2021","unstructured":"Liu X, Guo Z, Ma J, Song Y (2021) A secure authentication scheme for wireless sensor networks based on dac and intel sgx. IEEE Internet Things J 9(5):3533\u20133547","journal-title":"IEEE Internet Things J"},{"issue":"6","key":"414_CR16","doi-asserted-by":"publisher","first-page":"10537","DOI":"10.1109\/JIOT.2023.3325904","volume":"11","author":"X Liu","year":"2023","unstructured":"Liu X, Wang J, Wang M, Zhang R (2023) Improved lte-r access authentication scheme based on blockchain and secgear. IEEE Internet of Things J 11(6):10537\u201310550","journal-title":"IEEE Internet of Things J"},{"key":"414_CR17","unstructured":"Mac\u00edas SG, Gaspary LP, Botero JF (2021) Oracle: an architecture for collaboration of data and control planes to detect DDoS attacks. In: 2021 Ifip\/IEEE international symposium on integrated network management (IM). IEEE, pp 962\u2013967"},{"key":"414_CR18","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10922-021-09633-5","volume":"30","author":"F Musumeci","year":"2022","unstructured":"Musumeci F, Fidanci AC, Paolucci F, Cugini F, Tornatore M (2022) Machine-learning-enabled DDoS attacks detection in p4 programmable networks. J Netw Syst Manag 30:1\u201327","journal-title":"J Netw Syst Manag"},{"key":"414_CR19","doi-asserted-by":"crossref","unstructured":"Niu M, Feng Y, Sakurai K (2023) A two-stage detection system of DDoS attacks in SdN using a trigger with multiple features and self-adaptive thresholds. In: 2023 17th international conference on ubiquitous information management and communication (IMCOM). IEEE, pp 1\u20138","DOI":"10.1109\/IMCOM56909.2023.10035661"},{"key":"414_CR20","doi-asserted-by":"crossref","unstructured":"Puranik K, Patil K, Ghaligi G, Jannu R, Patil S, Narayan D, Kachavimath A (2023) A two-level DDoS attack detection using entropy and machine learning in SDN. In 2023 3rd international conference on intelligent technologies (CONIT). IEEE, pp 1\u20137","DOI":"10.1109\/CONIT59222.2023.10205776"},{"issue":"16","key":"414_CR21","doi-asserted-by":"publisher","first-page":"e5402","DOI":"10.1002\/cpe.5402","volume":"32","author":"R Santos","year":"2020","unstructured":"Santos R, Souza D, Santo W, Ribeiro A, Moreno E (2020) Machine learning algorithms to detect DDoS attacks in SDN. Concurr Comput Pract Exp 32(16):e5402","journal-title":"Concurr Comput Pract Exp"},{"key":"414_CR22","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1016\/j.comcom.2024.04.035","volume":"222","author":"MA Setitra","year":"2024","unstructured":"Setitra MA, Fan M, Benkhaddra I, Bensalem ZEA (2024) Dos\/DDoS attacks in software defined networks: current situation, challenges and future directions. Comput Commun 222:77\u201396","journal-title":"Comput Commun"},{"key":"414_CR23","doi-asserted-by":"crossref","unstructured":"Tao Y, Yu S (2013) DDoS attack detection at local area networks using information theoretical metrics. In: 2013 12th IEEE international conference on trust, security and privacy in computing and communications. IEEE, pp 233\u2013240","DOI":"10.1109\/TrustCom.2013.32"},{"key":"414_CR24","doi-asserted-by":"crossref","unstructured":"Wang T, Feng Y, Sakurai K (2021) Improving the two-stage detection of cyberattacks in SDN environment using dynamic thresholding. In: 2021 15th international conference on ubiquitous information management and communication (IMCOM). IEEE, pp 1\u20137","DOI":"10.1109\/IMCOM51814.2021.9377395"},{"issue":"1","key":"414_CR25","first-page":"9804061","volume":"2018","author":"J Ye","year":"2018","unstructured":"Ye J, Cheng X, Zhu J, Feng L, Song L (2018) A DDoS attack detection method based on SVM in software defined network. Security Commun Netw 2018(1):9804061","journal-title":"Security Commun Netw"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00414-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-025-00414-0","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00414-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T03:01:51Z","timestamp":1768273311000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1186\/s42400-025-00414-0"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,13]]},"references-count":25,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["414"],"URL":"https:\/\/doi.org\/10.1186\/s42400-025-00414-0","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,13]]},"assertion":[{"value":"11 December 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"4 June 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 January 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors have no relevant financial or non-financial interests to disclose.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"12"}}