{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T15:38:13Z","timestamp":1774539493116,"version":"3.50.1"},"reference-count":32,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2022,1,29]],"date-time":"2022-01-29T00:00:00Z","timestamp":1643414400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62072051"],"award-info":[{"award-number":["62072051"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Key Project Plan of Blockchain in Ministry of Education of the People's Republic of China","award":["2020KJ010802"],"award-info":[{"award-number":["2020KJ010802"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Software-defined networking (SDN) is a new networking paradigm that realizes the fast management and optimal configuration of network resources by decoupling control logic and forwarding functions. However, centralized network architecture brings new security problems, and denial-of-service (DoS) attacks are among the most critical threats. Due to the lack of an effective message-verification mechanism in SDN, attackers can easily launch a DoS attack by faking the source address information. This paper presents DoSGuard, an efficient and protocol-independent defense framework for SDN networks to detect and mitigate such attacks. DoSGuard is a lightweight extension module on SDN controllers that mainly consists of three key components: a monitor, a detector, and a mitigator. The monitor maintains the information between the switches and the hosts for anomaly detection. The detector utilizes OpenFlow message and flow features to detect the attack. 
The mitigator protects networks by filtering malicious packets. We implement a prototype of DoSGuard in the Floodlight controller and evaluate its effectiveness in a simulation environment. Experimental results show that DoSGuard achieves 98.72% detection precision, and the average CPU utilization of the controller is only around 8%. The results demonstrate that DoSGuard can effectively mitigate DoS attacks against SDN with limited overhead.<\/jats:p>","DOI":"10.3390\/s22031061","type":"journal-article","created":{"date-parts":[[2022,1,30]],"date-time":"2022-01-30T00:12:56Z","timestamp":1643501576000},"page":"1061","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":23,"title":["DoSGuard: Mitigating Denial-of-Service Attacks in Software-Defined Networks"],"prefix":"10.3390","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2882-1823","authenticated-orcid":false,"given":"Jishuai","family":"Li","sequence":"first","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}]},{"given":"Tengfei","family":"Tu","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5641-7441","authenticated-orcid":false,"given":"Yongsheng","family":"Li","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}]},{"given":"Sujuan","family":"Qin","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}]},{"given":"Yijie","family":"Shi","sequence":"additional","affiliation":[{"name":"State Key 
Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}]},{"given":"Qiaoyan","family":"Wen","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"}]}],"member":"1968","published-online":{"date-parts":[[2022,1,29]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"132021","DOI":"10.1109\/ACCESS.2020.3008250","article-title":"Hardware-Accelerated Platforms and Infrastructures for Network Functions: A Survey of Enabling Technologies and Research Studies","volume":"8","author":"Shantharama","year":"2020","journal-title":"IEEE Access"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"325","DOI":"10.1109\/COMST.2016.2618874","article-title":"Software defined networking architecture, security and energy efficiency: A survey","volume":"19","author":"Rawat","year":"2016","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"7928503:1","DOI":"10.1155\/2018\/7928503","article-title":"Network Security and Management in SDN","volume":"2018","author":"Cai","year":"2018","journal-title":"Secur. Commun. Netw."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Hong, S., Xu, L., Wang, H., and Gu, G. (2015, January 8\u201311). Poisoning network visibility in software-defined networks: New attacks and countermeasures. Proceedings of the NDSS, San Diego, CA, USA.","DOI":"10.14722\/ndss.2015.23283"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"175","DOI":"10.1109\/MCOM.2017.1600970","article-title":"Defense mechanisms against DDoS attacks in SDN environment","volume":"55","author":"Kalkan","year":"2017","journal-title":"IEEE Commun. 
Mag."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"209","DOI":"10.1016\/j.jnca.2018.10.011","article-title":"DoS vulnerabilities and mitigation strategies in software-defined networks","volume":"125","author":"Deng","year":"2019","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Alshamrani, A., Chowdhary, A., Pisharody, S., Lu, D., and Huang, D. (2017, January 21\u201325). A defense system for defeating DDoS attacks in SDN based networks. Proceedings of the 15th ACM International Symposium on Mobility Management and Wireless Access, Miami, FL, USA.","DOI":"10.1145\/3132062.3132074"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"695","DOI":"10.1109\/TIFS.2017.2765506","article-title":"Packet injection attack and its defense in software-defined networks","volume":"13","author":"Deng","year":"2017","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"1174","DOI":"10.1109\/LCOMM.2019.2896928","article-title":"Using inspector device to stop packet injection attack in SDN","volume":"23","author":"Seitz","year":"2019","journal-title":"IEEE Commun. Lett."},{"key":"ref_10","first-page":"140","article-title":"DDoS attack detection method based on conditional entropy and GHSOM in SDN","volume":"39","author":"Junfeng","year":"2018","journal-title":"J. Commun."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"1235","DOI":"10.1109\/TNSM.2018.2873639","article-title":"BWManager: Mitigating denial of service attacks in software-defined networks through bandwidth prediction","volume":"15","author":"Wang","year":"2018","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Dhawan, M., Poddar, R., Mahajan, K., and Mann, V. (2015, January 8\u201311). SPHINX: Detecting security attacks in software-defined networks. 
Proceedings of the NDSS Symposium, San Diego, CA, USA.","DOI":"10.14722\/ndss.2015.23064"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Zhang, M., Bi, J., Bai, J., Dong, Z., Li, Y., and Li, Z. (2017, January 21\u201325). Ftguard: A priority-aware strategy against the flow table overflow attack in sdn. Proceedings of the SIGCOMM Posters and Demos, Los Angeles, CA, USA.","DOI":"10.1145\/3123878.3132015"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Shaghaghi, A., Kaafar, M.A., and Jha, S. (2017, January 2\u20136). Wedgetail: An intrusion prevention system for the data plane of software defined networks. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, Abu Dhabi, United Arab Emirates.","DOI":"10.1145\/3052973.3053039"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Abhiroop, T., Babu, S., and Manoj, B. (2018, January 25\u201328). A machine learning approach for detecting DoS attacks in SDN switches. Proceedings of the 2018 IEEE Twenty Fourth National Conference on Communications (NCC), Hyderabad, India.","DOI":"10.1109\/NCC.2018.8600196"},{"key":"ref_16","first-page":"2003","article-title":"A mechanism of taming the flow table overflow in OpenFlow switch","volume":"41","author":"Siyi","year":"2018","journal-title":"Chin. J. Comput."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"1715","DOI":"10.1109\/TNET.2018.2853593","article-title":"Security policy violations in SDN data plane","volume":"26","author":"Li","year":"2018","journal-title":"IEEE ACM Trans. Netw."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"231","DOI":"10.1109\/TSC.2016.2602861","article-title":"Defending against flow table overloading attack in software-defined networks","volume":"12","author":"Yuan","year":"2016","journal-title":"IEEE Trans. Serv. Comput."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Khamaiseh, S., Serra, E., and Xu, D. (2020, January 13\u201317). 
vSwitchguard: Defending openflow switches against saturation attacks. Proceedings of the 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), Madrid, Spain.","DOI":"10.1109\/COMPSAC48688.2020.0-157"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Kl\u00f6ti, R., Kotronis, V., and Smith, P. (2013, January 7\u201310). OpenFlow: A security analysis. Proceedings of the 2013 21st IEEE International Conference on Network Protocols (ICNP), Goettingen, Germany.","DOI":"10.1109\/ICNP.2013.6733671"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Shang, G., Zhe, P., Bin, X., Aiqun, H., and Kui, R. (2017, January 1\u20134). FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks. Proceedings of the IEEE INFOCOM 2017-IEEE Conference on Computer Communications, Atlanta, GA, USA.","DOI":"10.1109\/INFOCOM.2017.8057009"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Kreutz, D., Ramos, F.M., and Verissimo, P. (2013, January 16). Towards secure and dependable software-defined networks. Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, Hong Kong, China.","DOI":"10.1145\/2491185.2491199"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"2160","DOI":"10.1109\/TIFS.2016.2573756","article-title":"On the fingerprinting of software-defined networks","volume":"11","author":"Cui","year":"2016","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_24","unstructured":"Carvalho, R.N., Bordim, J.L., and Alchieri, E.A.P. (2019, January 20\u201324). Entropy-based DoS attack identification in SDN. 
Proceedings of the 2019 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), Rio de Janeiro, Brazil."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"69620","DOI":"10.1109\/ACCESS.2018.2878576","article-title":"Fast defense system against attacks in software defined networks","volume":"6","author":"Novaes","year":"2018","journal-title":"IEEE Access"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"1491","DOI":"10.1007\/s00521-018-3383-7","article-title":"LION IDS: A meta-heuristics approach to detect DDoS attacks against Software-Defined Networks","volume":"31","author":"Arivudainambi","year":"2019","journal-title":"Neural Comput. Appl."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Dridi, L., and Zhani, M.F. (2016, January 3\u20135). SDN-guard: DoS attacks mitigation in SDN networks. Proceedings of the 2016 5th IEEE International Conference on Cloud Networking (Cloudnet), Pisa, Italy.","DOI":"10.1109\/CloudNet.2016.9"},{"key":"ref_28","first-page":"7545079:1","article-title":"SDNManager: A Safeguard Architecture for SDN DoS Attacks Based on Bandwidth Prediction","volume":"2018","author":"Wang","year":"2018","journal-title":"Secur. Commun. Netw."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"1419","DOI":"10.1109\/TNET.2020.2983976","article-title":"Detection and Mitigation of DoS Attacks in Software Defined Networks","volume":"28","author":"Gao","year":"2020","journal-title":"IEEE\/ACM Trans. Netw."},{"key":"ref_30","unstructured":"(2021, October 20). Scapy Project. Available online: https:\/\/scapy.net\/."},{"key":"ref_31","unstructured":"(2021, October 20). Psutil. 
Available online: https:\/\/pypi.org\/project\/psutil\/."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"1933","DOI":"10.1109\/JSYST.2019.2927223","article-title":"DAISY: A detection and mitigation system against denial-of-service attacks in software-defined networks","volume":"14","author":"Imran","year":"2019","journal-title":"IEEE Syst. J."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/3\/1061\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T22:10:42Z","timestamp":1760134242000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/3\/1061"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,1,29]]},"references-count":32,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2022,2]]}},"alternative-id":["s22031061"],"URL":"https:\/\/doi.org\/10.3390\/s22031061","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,1,29]]}}}