Distributed denial-of-service (DDoS) attacks pose severe threats to the reliability of software-defined networking (SDN), where centralized controllers have to process large volumes of flow statistics in real time. To address this challenge, this paper develops a rigorous system model of SDN traffic dynamics and proposes two novel detection approaches tailored to SDN environments. The first, dual-perspective anomaly detection (DPAD), integrates flow-level statistical deviations with host-level behavioral entropy to jointly capture both high-volume floods and stealthy low-rate attacks, enabling robust anomaly detection with reduced false positives. The second, lightweight statistical filtering (LSF), focuses on packet- and byte-level deviations using sliding-window statistics, providing a simplified yet effective solution with low computational overhead, suitable for resource-constrained controllers. Both approaches are designed for seamless deployment within standard SDN controllers without deep packet inspection or external learning models. Extensive simulations under varying numbers of flows demonstrate that DPAD achieves the highest accuracy, maintaining detection rates up to 0.97 under moderate loads and sustaining 0.85 to 0.90 even under heavy traffic, while LSF consistently delivers competitive performance with accuracy above 0.80 and peaks near 0.93, significantly outperforming the baseline strategy by margins of 0.15 to 0.25. These results confirm that DPAD offers maximum reliability for complex attack scenarios, while LSF provides a practical trade-off between detection accuracy and implementation complexity, making the two approaches jointly suitable for diverse SDN deployment requirements.
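To make the two perspectives concrete, the following is an added illustration written for this page, not the paper's own code or formulas. It assumes a stand-in for each approach: LSF is modelled as a z-score test of per-window packet and byte totals against the last few clean windows, and DPAD as that same flow-level test combined with a baseline on the Shannon entropy of packet share per source host. The thresholds (3.0 standard deviations, 1.0 bit), the window length, the `FlowSample`/`Verdict` types and the polling windows are all constructed assumptions; the windows are invented data, not simulation results. The constructed scenario shows why the abstract pairs the two: the volumetric flood trips the flow-level filter, while the low-rate window with many spoofed sources keeps packet totals normal and is caught only by the entropy perspective.

```python
# Added example (not the paper's code): LSF-style sliding-window filtering and
# DPAD-style dual-perspective detection over per-window flow statistics.
from collections import Counter, deque
from dataclasses import dataclass
from statistics import fmean, pstdev
import math


@dataclass(frozen=True)
class FlowSample:
    """Per-flow counters as a controller reads them from a switch (assumed shape)."""
    src: str      # source host of the flow
    packets: int  # packets matched in this polling window
    nbytes: int   # bytes matched in this polling window


@dataclass(frozen=True)
class Verdict:
    alert: bool
    flow_alert: bool     # packet/byte deviation (the LSF perspective)
    entropy_alert: bool  # host-behaviour deviation (DPAD's second perspective)
    z_packets: float
    z_bytes: float
    entropy: float


def host_entropy(samples):
    """Shannon entropy (bits) of the packet share per source host."""
    counts = Counter()
    for s in samples:
        counts[s.src] += s.packets
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


class SlidingWindowFilter:
    """LSF stand-in: z-score of the current window's packet and byte totals
    against the last `window` clean windows. Only upward deviations alert,
    since a DDoS inflates the counters."""

    def __init__(self, window=5, z_threshold=3.0):
        self.pkts = deque(maxlen=window)
        self.nbytes = deque(maxlen=window)
        self.z_threshold = z_threshold

    @staticmethod
    def _zscore(history, value):
        if len(history) < 2:  # not enough baseline yet; never alert
            return 0.0
        mean, sd = fmean(history), pstdev(history)
        if sd == 0.0:  # flat baseline: any change is infinitely unusual
            return 0.0 if value == mean else math.inf
        return (value - mean) / sd

    def update(self, total_packets, total_bytes):
        zp = self._zscore(self.pkts, total_packets)
        zb = self._zscore(self.nbytes, total_bytes)
        alert = max(zp, zb) > self.z_threshold
        if not alert:  # keep attack windows out of the baseline
            self.pkts.append(total_packets)
            self.nbytes.append(total_bytes)
        return alert, zp, zb


class DualPerspectiveDetector:
    """DPAD stand-in: the flow-level filter plus a host-level entropy baseline.
    Either perspective may raise the alert; the entropy test is two-sided, so
    both a single dominant host and a burst of new sources deviate."""

    def __init__(self, window=5, z_threshold=3.0, entropy_delta=1.0):
        self.flow = SlidingWindowFilter(window, z_threshold)
        self.entropy_hist = deque(maxlen=window)
        self.entropy_delta = entropy_delta  # bits of deviation tolerated

    def update(self, samples):
        total_p = sum(s.packets for s in samples)
        total_b = sum(s.nbytes for s in samples)
        flow_alert, zp, zb = self.flow.update(total_p, total_b)
        h = host_entropy(samples)
        entropy_alert = (bool(self.entropy_hist)
                         and abs(h - fmean(self.entropy_hist)) > self.entropy_delta)
        alert = flow_alert or entropy_alert
        if not alert:
            self.entropy_hist.append(h)
        return Verdict(alert, flow_alert, entropy_alert, zp, zb, h)


# Constructed polling windows (invented, not measured): five normal windows from
# four known hosts, then a volumetric flood from one host, then a low-rate
# window from 50 spoofed sources whose packet total looks normal.
NORMAL_HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def _window(hosts, packet_counts, bytes_per_packet=600):
    return [FlowSample(h, p, p * bytes_per_packet) for h, p in zip(hosts, packet_counts)]


DEMO_WINDOWS = [
    _window(NORMAL_HOSTS, [25, 25, 25, 25]),
    _window(NORMAL_HOSTS, [26, 26, 26, 26]),
    _window(NORMAL_HOSTS, [24, 25, 24, 25]),
    _window(NORMAL_HOSTS, [26, 25, 26, 25]),
    _window(NORMAL_HOSTS, [25, 25, 25, 25]),
    _window(NORMAL_HOSTS, [25, 25, 25, 2000]),                   # flood from one host
    _window([f"192.0.2.{i}" for i in range(1, 51)], [2] * 50),   # stealthy: 100 packets, 50 sources
]


def run_demo(windows=DEMO_WINDOWS):
    """Return (lsf_alerts, dpad_verdicts), one entry per window in order."""
    lsf, dpad = SlidingWindowFilter(), DualPerspectiveDetector()
    lsf_alerts, verdicts = [], []
    for w in windows:
        tp, tb = sum(s.packets for s in w), sum(s.nbytes for s in w)
        lsf_alerts.append(lsf.update(tp, tb)[0])
        verdicts.append(dpad.update(w))
    return lsf_alerts, verdicts


if __name__ == "__main__":
    for i, (a, v) in enumerate(zip(*run_demo()), 1):
        print(f"window {i}: LSF alert={a}  DPAD alert={v.alert} "
              f"(flow={v.flow_alert}, entropy={v.entropy_alert}, H={v.entropy:.2f} bits)")
```

Two design choices matter in practice: a window that raises an alert is kept out of the baseline so an ongoing attack cannot train the detector into accepting it, and the z-score is one-sided because the deviations of interest here are counter inflations. Both are assumptions of this example rather than statements about the paper's method.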
You et al. (Fri,) studied this question.