A DDoS attack detection method based on IQR and DFFCNN in SDN

Software-Defined Networking (SDN) is an innovative network architecture that enhances network flexibility by decoupling the data plane from the control plane. However, SDN is also faces severe security threats. One of the most damaging threats is the Distributed Denial-of-Service (DDoS) attack, which can disrupt network functionality and adversely affect legitimate users. Current solutions against DDoS attacks in SDN encounter challenges such as inadequate feature extraction, limited generalization of detection models, and frequent requests for data from network devices. These issues result in low detection accuracy and high resource consumption. We propose a DDoS attack detection method based on abnormal alarm and deep detection. First, we use the anomaly detection capability of interquartile range (IQR) to monitor the packet_in message rate of each switch and design a dynamic threshold alarm algorithm. This algorithm can preliminarily identify abnormal switches. In addition, we propose an integrated-feature-selection method to expose the most-relevant flow features, and extract new SDN flowtable features. Based on these features, we design a Deep Feature Fusion Convolutional Neural Network (DFFCNN) model to execute deep DDoS attack detection. This model combines a self-attention mechanism with multi-scale features extraction, enhancing its ability to capture data patterns. Experimental results on three typical datasets—IDS2017, IDS2018, and DDoS2019—demonstrate that the proposed method achieves an average detection accuracy of 99.54 % and a false positive rate of 0.53 %. This represents an improvement of 1.65 % over existing detection methods and reduces the false positive rate by 1.38 %. Additionally, the proposed two-stage detection method decreases CPU utilization by an average of 12.8 % to the existing polling detection method.