This study presents a novel three-tier defense mechanism at the software-defined networking (SDN) control plane to improve DDoS attack detection and mitigation using real-time flow table data from OpenFlow switches. In contrast to current solutions that rely on static thresholds, full attack-path tracing, or continuously running machine learning models, the proposed method combines adaptive statistical detection, event-based activation of the ML classifier, and targeted port-level mitigation to increase accuracy and lower controller load. The proposed model employs an improvised cumulative sum algorithm with an adaptive threshold at the first tier and event-based activation of a decision tree classifier at the second tier to detect DDoS traffic swiftly and accurately, with sub-second latency and without adding extra load on the SDN controller. The third tier uses port connection analysis based on the Link Layer Discovery Protocol (LLDP) to distinguish the direct and indirect port sources involved in an attack without tracing the complete attack path. Results demonstrate that this integrated mechanism offers faster, more precise, and more resource-efficient DDoS mitigation compared with existing solutions. It outperforms traditional methods by achieving an accuracy of 99.99%, reducing computational load and false positive rate by 87%, and achieving a more targeted response by reducing unnecessary mitigation actions by 94% with 0% packet loss.
Rajper et al. studied this question.
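The three tiers described in the abstract, sketched as an added example that is not the authors' implementation: a one-sided CUSUM with an adaptive baseline gates a classifier, and LLDP link data separates host-facing ports from inter-switch ports. The parameters (`warmup`, `k`, `h`, `alpha`), the hand-written rule standing in for the decision tree, the sample counts, the topology, and the reading of "direct" as "port absent from every LLDP link" are all assumptions.

```python
from statistics import mean, pstdev

def adaptive_cusum(samples, warmup=5, k=0.5, h=4.0, alpha=0.2):
    """Tier 1: indices where a one-sided CUSUM exceeds an adaptive threshold.

    The baseline (mu, sigma) is learned from the warm-up window and then
    updated by EWMA only on non-alarm samples, so a flood cannot drag the
    baseline upward. k and h are multiples of the current sigma.
    """
    mu, sigma = mean(samples[:warmup]), max(pstdev(samples[:warmup]), 1.0)
    s, alarms = 0.0, []
    for i in range(warmup, len(samples)):
        x = samples[i]
        s = max(0.0, s + x - mu - k * sigma)
        if s > h * sigma:
            alarms.append(i)
            s = 0.0  # restart the statistic after raising the event
        else:
            mu = (1 - alpha) * mu + alpha * x
            sigma = max((1 - alpha) * sigma + alpha * abs(x - mu), 1.0)
    return alarms

def confirm(alarms, features, classify):
    """Tier 2: run the classifier only on intervals flagged by tier 1."""
    return [i for i in alarms if classify(features[i])]

def split_ports(attack_ingress, lldp_links):
    """Tier 3: ports absent from every LLDP link are host-facing (direct)."""
    inter_switch = {end for link in lldp_links for end in link}
    direct = sorted(p for p in attack_ingress if p not in inter_switch)
    indirect = sorted(p for p in attack_ingress if p in inter_switch)
    return direct, indirect

# Constructed sample data: new flow entries per polling interval on one switch,
# and per-interval (avg packets per flow, distinct source IPs).
NEW_FLOWS = [20, 22, 19, 21, 20, 23, 21, 180, 240, 260, 22, 20]
FEATURES = {7: (1.1, 170), 8: (1.0, 231), 9: (12.0, 9)}
# Hand-written rule standing in for a trained decision tree (assumption).
def looks_like_flood(f):
    return f[0] < 2.0 and f[1] > 100
# LLDP-discovered links as ((dpid, port), (dpid, port)); constructed topology.
LINKS = [((1, 3), (2, 1)), ((2, 2), (3, 1))]
INGRESS = [(1, 1), (2, 1), (3, 1)]  # ports where confirmed attack flows entered

if __name__ == "__main__":
    alarms = adaptive_cusum(NEW_FLOWS)
    print("tier 1 alarms:", alarms)
    print("tier 2 confirmed:", confirm(alarms, FEATURES, looks_like_flood))
    print("tier 3 (direct, indirect):", split_ports(INGRESS, LINKS))
```

On this data the classifier runs for 3 of the 12 intervals, and only the host-facing port is returned as a direct source; the inter-switch ports that merely carried the traffic are kept out of the mitigation set.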