This paper presents a method for detecting DDoS attacks in Software-Defined Networking (SDN) environments. Because the SDN controller has a complete view of the network and generates the rules that govern its operation, we propose configuring the controller to recognize possible DDoS activity by analyzing session details collected from logs and flow tables. The log data is sent to a dedicated Log Analysis Subsystem that runs two analysis stages: session traffic is first screened with an entropy-based technique, and when that stage flags a potential anomaly, a secondary Kullback–Leibler (KL) Divergence analysis is triggered to confirm it and minimize false positives. Experimental results show that this hybrid approach significantly outperforms traditional single-metric detection, achieving a True Positive Rate (TPR) of 98.5% against TCP SYN Flood attacks and 96.0% against IP/Port randomization attacks, while reducing the False Positive Rate (FPR) to 1.5%. The subsystem is also efficient: controller CPU overhead stays at approximately 3.6% and average detection latency is 210 ms. Once an attack is confirmed, the subsystem alerts the SDN controller, which immediately isolates and blocks the suspicious IP addresses.
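The following is an added illustration of the two-stage pipeline described above and is not the paper's code: the abstract does not state its window size, features, thresholds or smoothing, so the per-feature normalized-entropy screen, the threshold values (ENTROPY_DELTA, KL_THRESHOLD, SMOOTHING), the choice of features (source IP, destination IP, destination port) and the "block sources unseen in the baseline" rule are all assumptions made here. The flow-table snapshots are constructed sample data, not measurements from the paper's experiments.

```python
import math
from collections import Counter

# Assumed detector parameters; the paper's actual values are not given in the abstract.
ENTROPY_DELTA = 0.25   # stage 1: tolerated |H_window - H_baseline| per feature
KL_THRESHOLD = 0.5     # stage 2: KL(window || baseline) above this confirms an attack
SMOOTHING = 0.01       # additive smoothing so KL stays finite on values unseen in baseline

FEATURES = ("src_ip", "dst_ip", "dst_port")  # assumed per-flow features


def flow(src_ip, dst_ip, dst_port):
    return {"src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port}


# Constructed flow-table snapshots (sample data, not from the paper).
BASELINE = [  # learned "normal" window: a few hosts talking to two servers
    flow("10.0.0.1", "10.0.1.10", 80), flow("10.0.0.2", "10.0.1.10", 80),
    flow("10.0.0.3", "10.0.1.20", 443), flow("10.0.0.1", "10.0.1.10", 80),
    flow("10.0.0.2", "10.0.1.20", 443), flow("10.0.0.4", "10.0.1.10", 22),
    flow("10.0.0.3", "10.0.1.10", 80), flow("10.0.0.1", "10.0.1.20", 443),
]
BENIGN_WINDOW = [  # same hosts, slightly different mix: must not be flagged
    flow("10.0.0.1", "10.0.1.10", 80), flow("10.0.0.2", "10.0.1.20", 443),
    flow("10.0.0.3", "10.0.1.10", 80), flow("10.0.0.4", "10.0.1.20", 443),
    flow("10.0.0.1", "10.0.1.10", 80), flow("10.0.0.2", "10.0.1.20", 443),
    flow("10.0.0.3", "10.0.1.10", 80), flow("10.0.0.4", "10.0.1.20", 443),
]
# SYN flood: spoofed sources hammer one server port (src entropy up, dst entropy collapses).
SYN_FLOOD = [flow(f"198.51.100.{i}", "10.0.1.10", 80) for i in range(1, 9)]
# IP/port randomization: every flow has a fresh source and destination port.
RANDOMIZED = [flow(f"203.0.113.{i}", "10.0.1.10" if i % 2 else "10.0.1.20", 40000 + i)
              for i in range(1, 9)]


def distribution(window, feature):
    counts = Counter(f[feature] for f in window)
    return {k: v / len(window) for k, v in counts.items()}


def normalized_entropy(window, feature):
    """Shannon entropy of one feature scaled to [0, 1] by log2(window size):
    0 means every flow carries the same value, 1 means every flow is distinct."""
    n = len(window)
    if n <= 1:
        return 0.0
    h = -sum(p * math.log2(p) for p in distribution(window, feature).values())
    return h / math.log2(n)


def kl_divergence(window, baseline, feature, eps=SMOOTHING):
    """KL(P_window || Q_baseline) in bits, with additive smoothing over the union
    of observed values so a value absent from the baseline does not divide by zero."""
    p_counts = Counter(f[feature] for f in window)
    q_counts = Counter(f[feature] for f in baseline)
    support = set(p_counts) | set(q_counts)
    p_total = len(window) + eps * len(support)
    q_total = len(baseline) + eps * len(support)
    kl = 0.0
    for value in support:
        p = (p_counts[value] + eps) / p_total
        q = (q_counts[value] + eps) / q_total
        kl += p * math.log2(p / q)
    return kl


def analyze_window(window, baseline):
    """Stage 1: cheap entropy screen on every feature. Stage 2 (KL confirmation)
    runs only when stage 1 flags the window, which is what keeps overhead low."""
    shift = {ft: normalized_entropy(window, ft) - normalized_entropy(baseline, ft)
             for ft in FEATURES}
    stage1 = any(abs(d) > ENTROPY_DELTA for d in shift.values())
    result = {"entropy_shift": shift, "stage1_anomalous": stage1,
              "kl": None, "confirmed": False, "block": []}
    if not stage1:
        return result
    kl = {ft: kl_divergence(window, baseline, ft) for ft in FEATURES}
    result["kl"] = kl
    result["confirmed"] = max(kl.values()) > KL_THRESHOLD
    if result["confirmed"]:
        # Assumed mitigation rule: hand the controller the sources unseen in the baseline.
        known = {f["src_ip"] for f in baseline}
        result["block"] = sorted({f["src_ip"] for f in window} - known)
    return result


if __name__ == "__main__":
    for name, window in (("benign", BENIGN_WINDOW), ("syn_flood", SYN_FLOOD),
                         ("randomized", RANDOMIZED)):
        r = analyze_window(window, BASELINE)
        print(f"{name:10s} stage1={r['stage1_anomalous']} confirmed={r['confirmed']} "
              f"block={r['block']}")
```

The benign window shifts destination-port entropy a little but stays inside ENTROPY_DELTA, so the KL stage never runs for it; both attack windows trip the entropy screen (source entropy goes to 1.0, and the SYN flood drives destination entropy to 0.0) and are then confirmed by a KL divergence of several bits on the feature the attack randomizes. In a real deployment the baseline would be re-estimated over time rather than fixed, and the thresholds tuned against the FPR the operator can tolerate.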
Bhattacharya et al. (Sat,) studied this question.